
16 min read robert Abela
Security | webarxsecurity.com | 13 days ago

The Definitive Guide to Logs for WordPress Administrators

Logs are like unsung heroes: they store a wealth of information and play an important role in any type of software, yet they are often ignored. This article highlights all the different types of logs WordPress administrators have available.


Logs for WordPress administrators – the definitive guide to all the logs WordPress site administrators can use. Logs are like unsung heroes; they store a wealth of information, have an important role in any type of software, yet they are often ignored.
October is National Cybersecurity Awareness Month, and therefore we have prepared this article together with WP Security Audit Log, a company known as the “king of logs” in the WordPress ecosystem. Use WebARX20 to get a 20% discount from any WP Security Audit Log plan here.
This quote from the PCI DSS compliance regulations highlights how important logs are for the security of websites:
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.
In this article, we will explain what logs are, what information you can find in them and how you can use this information to better manage and improve the security of your WordPress websites. Let’s dive right in.
Introduction To Logs
Logs are records of events related to a given software, application, or service. Most modern software products keep logs of some kind. This means everything

9 min read robert Abela
Security | wpwhitesecurity.com | Aug. 7, 2019

Prevention is better than cure in WordPress security

Prevention is better than cure, even in WordPress security. It is like an insurance, may you never need it, but it is always good to have it.


A common misconception is that malicious hackers only target websites with large income, or those that store valuable sensitive information. However, WordPress websites generally get a lot of unwanted attention, which is why it’s important to take preventive measures from the get-go. The good news is that (on top of basic measures such as having a robust updating strategy) WordPress offers you a lot of options to protect your website against hack attacks. Even simple implementations, such as enabling Two-Factor Authentication (2FA) can drastically improve the security of your website or eCommerce store.
In this article, we’ll talk about why preemptive WordPress security is the way to go. We will also highlight five preventive WordPress security measures, so you won’t have to deal with messy cleanups afterward. Let’s get to work!
Why prevention is essential in WordPress security
Spending time on preemptive security is a lot like getting travel insurance before heading to a safe and well-known country. It’s a step that’s usually forgotten about by many travelers – until your hotel room is ransacked. From then on, travel insurance is always a top

9 min read robert Abela
Security | wpwhitesecurity.com | Sep. 12, 2019

WordPress HTTPS, SSL & TLS - An introductory guide

WordPress HTTPS, SSL and TLS for #WordPress administrators - in this article you will find everything you need to know about these protocols and how to configure HTTPS on your #website.


When you visit a website, your browser (also known as a client) sends an HTTP request to a web server. Once the web server sends an HTTP response, the browser can render the page on your screen. However, HTTP has a problem: it is a plaintext protocol, which makes it susceptible to snooping and tampering. An attacker on the same network as you can intercept and read your HTTP traffic, and can modify both your requests to the server and the server’s responses back to you. This is known as a Man-in-the-Middle (MitM) attack, and it can easily happen on public Wi-Fi networks such as those in hotel lobbies and other public spaces.
That is why a website should be served over HTTPS: traffic that is intercepted can then be neither read nor silently modified. This article explains what HTTPS, SSL and TLS are. It also explains how you can configure your WordPress website to work on HTTPS.
What is SSL/TLS?
Once internet use started to grow, it became obvious that we needed a mechanism to securely transfer information between a client and a server without anyone being able to eavesdrop on or modify the traffic — enter SSL, or Secure Sockets Layer. SSL is an Internet security protocol, first developed

9 min read Tevya
Security | starfish.reviews | 11 days ago

Rich Reviews Plugin is Now Secure & Part of the Starfish Family

Rich Reviews was the subject of lots of press recently as a known vulnerability was being actively exploited to infect WordPress sites with malware. Starfish Reviews decided to adopt the plugin and issue a security update, as the original developers had ended all development over a year prior and had not fixed the known vulnerabilities.


Starfish Reviews has adopted the Rich Reviews plugin and released version 1.8 with security fixes. This article will cover the timeline of events as to how that all unfolded and the current state of Rich Reviews. It is not intended as a comprehensive security explanation; the articles linked to cover that in detail.
Highlights:
Security vulnerabilities were originally discovered and disclosed in 2017. Some minor ones were resolved at the time. A major vulnerability remained.
Remaining major vulnerabilities were actively exploited to infect WordPress websites with malware, Sept 2019.
Starfish Reviews adopted the plugin 2 weeks ago.
Today Rich Reviews 1.8 was released! It is fully patched, partially re-written, and secured. Security is the #1 focus of this release.
All sites with Rich Reviews installed should update to version 1.8 or above.
Conception & Early Days
The Rich Reviews plugin was originally released in January 2013. It was conceived by Nuanced Media but developed by the seemingly now defunct Foxy Technology. They actively developed and maintained the plugin over the years, including adding new features. At some point Foxy stopped being involved in development of the plugin.

11 min read robert Abela
Security | wpwhitesecurity.com | 11 days ago

Understanding & preventing DDoS on WordPress websites

This guide explains the different types of DDoS attacks and how they work. It also explains what WordPress website admins can do to prevent them, and also block them.


A Distributed Denial of Service (DDoS) is a type of Denial of Service (DoS) attack in which the attack comes from multiple hosts as opposed to one, making them very difficult to block. As with any DoS attack, the objective is to make a target unavailable by overloading it in some way. Generally, a DDoS attack entails a number of computers, or bots. During the attack each computer maliciously sends requests to overload the target. Typical targets are web servers and websites, including WordPress websites. As a result, users are unable to access the website or service. This happens because the server is forced to use its resources to handle these requests exclusively.
It is important for WordPress admins to understand and be prepared for DDoS attacks. They can occur at any time. In this article we’ll explore DDoS in-depth and provide you with some tips to help keep your WordPress site protected.
DDoS is an attack aimed at disruption and not a hack
It’s important to understand that a DDoS attack isn’t a malicious WordPress hack in the traditional sense. Hacking implies an unauthorized user gaining access to a server or website that they shouldn’t have.
An example

4 min read Jonas Lejon
Security | blog.hostdns.com | 10 days ago

How to Stay Safe Against DNS-Based Attacks - HostDNS Blog

DNS is a very important part of the internet infrastructure and something that "just works". But when it does not work, many people find out. DNS data is also important for internal threat intelligence.


The Domain Name System (DNS) plays an essential role in resolving hostnames to IP addresses. For organizations, it ensures that users reach their intended sites, servers, and applications. While it is a fundamental base for a functioning Web, this system is open to abuse. Attackers prey on DNS weaknesses to direct site visitors to malicious pages instead of the sites they want. Companies need to adopt countermeasures if they wish to ensure the safety of site visitors.
Larger enterprises have begun protecting their DNS infrastructure by gathering relevant threat intelligence, enforcing security policies, and automating redundant tasks. But smaller ones have yet to follow.
This post highlights the growth of DNS-based attacks over time, and how organizations can protect stakeholders against them.
DNS-Based Attacks: Volume Increases Annually
A 2019 DNS threat report from Cisco shows an increase in both the number of DNS attacks and the damage they cause in the past year.
Here are a few statistics:
More than 80% of organizations surveyed said they suffered a DNS attack.
Costs incurred due to these breaches rose by 49%; with an average cost per attack above US$1M.
The most targeted sector

6 min read Eric Karkovack
Security | 1stwebdesigner.com | 19 days ago

Defend Your WordPress Website Against Brute-Force Attacks

Brute force attacks are an ever-present threat to a WordPress site. Here are some ways to fight back.


Whether you’re fairly new to WordPress or an experienced developer, you might be surprised at just how often your websites are under attack. You might also be wondering who, or what, is carrying out this type of activity – not to mention why they’d target you. The answers are simple. In most cases, the bad actor is an automated bot. And you’re being targeted simply because you happen to be running WordPress. As the most popular Content Management System (CMS) out there, it is directly in the crosshairs of malicious actors.
While there are all sorts of different attacks floating around out there, the brute-force variety are among the most popular. And that happens to be our subject for today.
Let’s take a look at what brute-force attacks are and some ways you can better protect your WordPress website.
What Is a “Brute-Force” Attack?
A brute-force attack, according to Wikipedia:
“…consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly.”
In the real world, this means that a malicious script runs repeatedly, entering usernames and passwords into the WordPress login page.
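The detection side of the attack just described, as an added example that is not part of the original article: a Python script that reads Apache/nginx combined-format access log lines, isolates POSTs to the WordPress login endpoints, and flags a source that fails repeatedly inside a short window as well as the low-and-slow, many-IP pattern that a single-IP threshold misses. The log lines, IP addresses and thresholds are constructed for the example; the assumption that a failed wp-login.php POST returns HTTP 200 (form re-rendered) and a successful one a 302 redirect matches WordPress defaults.

```python
"""Spot WordPress login brute-forcing in web-server access logs.

Added example, not code from the original article. Assumes the Apache/nginx
"combined" log format and WordPress defaults: wp-login.php answers a failed
login with HTTP 200 and a successful one with a 302 redirect. The log lines
below are constructed, not real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Endpoints that accept credentials. xmlrpc.php is included because its
# system.multicall method lets one request carry many login attempts.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample: a noisy bot (198.51.100.7), a slow bot (203.0.113.9)
# and a legitimate admin login (192.0.2.50).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2019:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.22"
198.51.100.7 - - [10/Oct/2019:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.22"
198.51.100.7 - - [10/Oct/2019:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.22"
198.51.100.7 - - [10/Oct/2019:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.22"
198.51.100.7 - - [10/Oct/2019:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.22"
198.51.100.7 - - [10/Oct/2019:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.22"
203.0.113.9 - - [10/Oct/2019:12:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2019:12:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2019:12:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2019:12:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2019:12:10:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string
    return rec


def failed_login_posts(lines):
    """Yield POSTs to a login endpoint that did not end in a redirect (likely failures)."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] != "302":
            yield rec


def find_bruteforce(lines, window=timedelta(minutes=1), threshold=5):
    """Map each source IP with >= threshold failed login POSTs inside one sliding
    window to the largest burst seen. Spread-out attempts stay below the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in failed_login_posts(lines):
        q = recent[ev["ip"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def peak_distinct_sources(lines, window=timedelta(minutes=1)):
    """Largest number of distinct IPs failing logins inside one window. A high value
    with no single IP over threshold points at a distributed (botnet) attempt."""
    q = deque()
    peak = 0
    for ev in failed_login_posts(lines):
        q.append((ev["time"], ev["ip"]))
        while ev["time"] - q[0][0] > window:
            q.popleft()
        peak = max(peak, len({ip for _, ip in q}))
    return peak


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("bursty sources:", find_bruteforce(lines))
    print("peak distinct failing sources per minute:", peak_distinct_sources(lines))
```

Run it against a real access log with `find_bruteforce(open("access.log"))`; the slow source in the sample only shows up when the window is widened (for example one hour with a threshold of 3), which is the trade-off between catching low-and-slow attempts and false positives from users who genuinely mistype.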

6 min read Jonas Lejon
Security | blog.wpsec.com | Aug. 16, 2019

Cracking Wordpress Passwords with Hashcat

Hashcat is a free tool to crack passwords (hashes) using GPU power


When it comes to complex password cracking, hashcat is the tool of choice: a well-known, freely available password recovery tool that uses GPU power. It supports hundreds of hash types, including MD5, the SHA family and Whirlpool, as well as the salted, iterated phpass format that WordPress stores in the wp_users table (hashcat mode 400). Hashes cannot be decrypted with a key the way encrypted data can; instead, the cracker hashes candidate passwords and compares the results with the stolen hash. Hashcat supports dictionary attacks, rule-based mangling of dictionary words, combinator attacks and mask (brute-force) attacks. This article gives an example of how hashcat can be used to crack WordPress password hashes. Hashcat comes preinstalled in Kali Linux.
USAGE
To see what hashcat offers, run hashcat --help. An excerpt of the output is shown below:
- [ Outfile Formats ] -

# | Format
===+========
1 | hash[:salt]
2 | plain
3 | hash[:salt]:plain
4 | hex_plain
5 | hash[:salt]:hex_plain
6 | plain:hex_plain
7 | hash[:salt]:plain:hex_plain
8 | crackpos
9 | hash[:salt]:crack_pos
10 | plain:crack_pos
11 | hash[:salt]:plain:crack_pos
12 | hex_plain:crack_pos
13 | hash[:salt]:hex_plain:crack_pos
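What hashcat mode 400 does under the hood, as an added example that is not from the article: a Python implementation of the phpass portable hash WordPress stores in wp_users.user_pass ($P$ prefix, salted MD5 iterated 2^13 times, phpass's own base64 alphabet), a dictionary attack with a few hashcat-style mangling rules, and a constant-time verifier for the defending side. The salt, wordlist and the target password "Summer2019!" are constructed; the $P$9IQRaTwmf… hash is the test vector shipped with phpass's test.php.

```python
"""Crack and verify WordPress (phpass portable) password hashes.

Added example, not code from the article: the work hashcat does in mode 400
written out in Python. WordPress stores $P$B<8-char salt><22-char hash>:
MD5(salt+pw) followed by 2^13 rounds of MD5(prev+pw), in phpass's own base64.
The salt, wordlist and target password below are constructed.
"""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Test vector from phpass's own test.php: password "test12345", 2^11 rounds.
PHPASS_TEST_HASH = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"


def _encode64(data: bytes) -> str:
    """phpass's base64 variant (not RFC 4648): little-endian, 3 bytes -> 4 chars."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Build a $P$ hash. WordPress uses count_log2 = 13 (8192 rounds), encoded as 'B'."""
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("salt must be 8 chars and count_log2 in 7..30")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest)


def check_password(password: str, stored: str) -> bool:
    """Verifier side: recompute with the stored salt and cost, compare in constant time."""
    if (len(stored) != 34 or not stored.isascii()
            or stored[:3] not in ("$P$", "$H$") or stored[3] not in ITOA64):
        return False
    count_log2 = ITOA64.index(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    candidate = phpass_hash(password, stored[4:12], count_log2)
    return hmac.compare_digest(candidate[3:], stored[3:])


def mangle(word: str):
    """A handful of the transformations hashcat rule files (e.g. best64.rule) apply."""
    cap = word.capitalize()
    leet = word.translate(str.maketrans("aeos", "4305"))
    yield from (word, cap, word + "1", word + "123", cap + "!", leet)


def crack(stored: str, wordlist, rules=mangle):
    """Dictionary attack with rules, i.e. `hashcat -m 400 -r best64.rule hash.txt words.txt`
    done on the CPU. Returns the recovered password or None."""
    for word in wordlist:
        for candidate in rules(word):
            if check_password(candidate, stored):
                return candidate
    return None


if __name__ == "__main__":
    # Constructed wp_users row: a user who chose "Summer2019!" behind a random salt.
    dumped = phpass_hash("Summer2019!", "Qx7kLm2p")
    print("dumped hash:", dumped)
    print("recovered  :", crack(dumped, ["winter", "summer2019", "letmein"]))
    print("phpass test vector:", crack(PHPASS_TEST_HASH, ["password", "test12345"]))
```

The 8192 MD5 rounds are the only thing slowing this down, and a GPU running hashcat does them millions of times per second; the real defence is the password itself and a breached-password check at registration, not the hash format.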

Security | pagely.com | Apr. 3, 2019

For Safety, the P3 Plugin Has Been Banned • Pagely®

User trust once violated is very hard to regain. Be mindful to protect the trust you have earned.

5 min read Eric Karkovack
Security | zdnet.com | Jun. 18, 2019

Disgruntled security firm discloses zero-days in Facebook's WordPress plugins

Here we go again. There's a company out there making security flaws public without talking to the plugin authors.


A US-based cyber-security firm has published details about two zero-days that impact two of Facebook's official WordPress plugins. The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins.
Impacted plugins
The two zero-days impact "Messenger Customer Chat," a WordPress plugin that shows a custom Messenger chat window on WordPress sites, and "Facebook for WooCommerce," a WordPress plugin that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages.
The first plugin is installed by over 20,000 sites, while the second has a userbase of 200,000 -- with its statistics exploding since mid-April when the WordPress team decided to start shipping the Facebook for WooCommerce plugin as part of the official WooCommerce online store plugin itself.
Since then, the plugin has garnered a collective rating of 1.5 stars, with the vast majority of reviewers complaining about errors and a lack of updates.
The grudge
Nevertheless, despite the bad reputation, today, the security of all users who installed these extensions was put at risk because of a stupid grudge

12 min read John Locke
Security | joeyoungblood.com | Jul. 12, 2019

How Yoast Can Become an Attack Vector for Hackers, and How to Stop It - Joe Youngblood

Consultant Joe Youngblood talks about a default setting in Yoast that makes it easier for hackers to harvest usernames, which means they already have one half of the combination for automated brute-force attacks.


TL;DR WordPress creates Author Archives pages for anyone who publishes content on a website sometimes keeping that page live even if that content is transferred to another user.
By default WordPress uses the ‘username’ a user logs in with for the Author Archive page URL and offers no built-in way of changing this.
When Yoast is installed sitemaps are activated by default creating an Author Archive sitemap which contains all the Author URLs complete with usernames.
Hackers can use this file to gain important usernames for a website, making hacking easier by only needing to guess passwords.
This attack vector can be patched by turning off Author Archives in Yoast or if Author Archives are required by editing the URL of author archives in the WordPress code.
Update: Yoast was notified of my concerns earlier this week, has fully reviewed them, and responded. Essentially in their response they stated this wasn’t much of a concern to them though they had discussed it and offered tips. I’ve placed their entire response at the bottom of this article, you can get there by clicking here.
Yoast is a wildly popular WordPress plugin that helps websites become more SEO friendly.
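Harvesting the author slugs the post describes, as an added example that is not from the post: a Python script that parses a constructed Yoast-style author sitemap and, beyond the sitemap vector the post covers, the Location header an unhardened site returns for /?author=N, which redirects to the same /author/<slug>/ archive. example.com and the user names are invented; the HTTP client is replaced by a constructed stand-in so the script runs offline.

```python
"""Harvest WordPress user names from Yoast's author sitemap and author-archive redirects.

Added example, not from the post. The sitemap below is constructed in the shape
of Yoast's author-sitemap.xml (a standard sitemaps.org urlset); example.com and
the user names are invented. On a default install the slug in /author/<slug>/
is the user's login name, lower-cased.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SITEMAP_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"
AUTHOR_PATH = re.compile(r"^/author/([^/]+)/?$")

SAMPLE_AUTHOR_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/author/admin/</loc><lastmod>2019-09-30T10:00:00+00:00</lastmod></url>
  <url><loc>https://example.com/author/jsmith/</loc><lastmod>2019-09-28T08:00:00+00:00</lastmod></url>
  <url><loc>https://example.com/author/admin/</loc></url>
  <url><loc>https://example.com/blog/</loc></url>
</urlset>
"""


def username_from_url(url: str):
    """Slug from an /author/<slug>/ URL, or None for any other path."""
    m = AUTHOR_PATH.match(urlsplit(url).path)
    return m.group(1) if m else None


def usernames_from_author_sitemap(xml_text: str) -> list:
    """Unique slugs, in document order, from every <loc> pointing at an author archive."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    for loc in root.iter(SITEMAP_NS + "loc"):
        name = username_from_url((loc.text or "").strip())
        if name and name not in found:
            found.append(name)
    return found


def username_from_author_redirect(location_header):
    """Second vector, same feature: GET /?author=N on an unhardened site answers 301 with
    Location: /author/<slug>/. Pass that header value in; None if the site redirected
    elsewhere (e.g. author archives disabled) or did not redirect at all."""
    return username_from_url(location_header) if location_header else None


def enumerate_by_id(fetch_location, max_id: int = 10) -> dict:
    """Walk /?author=1..max_id. fetch_location(n) must return the Location header or
    None; the demo below uses a constructed stand-in instead of a live HTTP client."""
    found = {}
    for n in range(1, max_id + 1):
        name = username_from_author_redirect(fetch_location(n))
        if name:
            found[n] = name
    return found


if __name__ == "__main__":
    print("from sitemap:", usernames_from_author_sitemap(SAMPLE_AUTHOR_SITEMAP))
    # Constructed responses: user IDs 1 and 3 exist, 2 was deleted.
    fake = {1: "https://example.com/author/admin/", 3: "https://example.com/author/jsmith/"}.get
    print("from ?author=N:", enumerate_by_id(fake, max_id=3))
```

Either list goes straight into the password-guessing script of the previous sections, which is why turning off the author sitemap or rewriting the archive slug matters more than the "low severity" label suggests.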

4 min read Jan Östlund
Security | jemjabella.co.uk | Apr. 1, 2019

Peculiar PHP Present In Popular Pipdig Power Pack (P3) Plugin

Pipdig Power Pack versions up to 4.7.3 contain the backdoor code, which has been removed as of version 4.8.0



19 min read ScaleMath
Security | bragdeal.com | Mar. 23, 2019

Top 16 Tips on Website Maintenance and Security (2019)

Website maintenance and security are vital. You put time, effort and money into your business so why not make sure everything is always up and running the way it should be?


Website maintenance and security are a crucial element of your business. You put a lot of time and money into your online image because it represents your business, so why not ensure it stays up, runs smoothly, and never has downtime? Even if your website only provides informational content about your products or services, it can be compromised if you don’t perform website maintenance and management on a regular basis. The last thing you want to deal with is hackers. They can bring down your website and create a problem for your business and your customers. So, what can you do? We’ll tackle each important task one at a time, but here is what you’ll learn:
The Main Website Maintenance and Security Master List
It’s actually pretty simple. Let’s take a look at 16 tips to maintain your website’s security so you won’t fall victim to hackers or other online threats. When you follow this master list, you’ll see that your website stays in tip top shape at all times. And, that’s what you want for the face of your business!
1. How Often Should You Backup Your Website
I’m sure the idea of backups is nothing new to you. Backups

10 min read Joshua Strebel
Security | pagely.com | Jun. 21, 2019

Can WordPress Developers and Security Researchers get along?

Vulnerability reporters are going rogue which is affecting site owners - why?


The relationship between WordPress developers and security researchers has been strained for some time now. Recently it is so bad that vulnerability reporters are going rogue which is affecting site owners. In the past months we’ve seen multiple researchers drop 0-day information (vulnerability details with no current patch available) which has resulted in our security staff being in emergency mode to ensure plugins are getting updated quickly, before sites get hacked. In some rare occasions where sites get hacked before we can patch, we’re putting in even more time handling incident response and cleanup for every affected site. This is not a healthy scenario for anyone involved. Developers are being rushed to produce patches, sites are getting hacked due to no fault of the site owners, security teams are putting in more time than normal towards remediation of hacks, and researchers are getting [bad] press over their actions.
Here are two articles from this week alone that show that security researchers are choosing to go full disclosure and their reasons why:
This scenario the WordPress and Security communities have got themselves in is a net loss for everyone involved

7 min read Joshua Strebel
Security | pagely.com | Dec. 4, 2018

Pagely Security Research, and Disclosure Policy

An update to our vulnerability disclosure policy. 30 days - no exception.


This post is about the realities both good and bad that come with the responsibility of reporting vulnerabilities. The long days of summer are gone, fall has faded away and winter is upon us… reflecting back over the past months the Pagely security team spent some of those days uncovering and reporting a number of unreleased exploits (or 0days) being used against our customers’ sites. It’s just part of the job. When securing sites we see what vulnerabilities attackers are using and how they work, and as an extension of that task, we make sure plugin authors are notified about the vulnerability so they can apply a patch.
It’s a fantastic feeling when we see an actively targeted vulnerable plugin getting patched and secured, but that feeling only comes after the patch gets applied. Just like the feeling of the first fall colors coming in, summer must heed to fall, to allow the shorter, cooler days to prevail. If we had 365 days of summer, then the world would be a barren wasteland. Much like the seasons, vulnerability reports need to be handled swiftly, before the users of the software get burned by attackers.
The time spent waiting for the patch can be stressful,

4 min read WebDevStudios
Security | webdevstudios.com | Dec. 13, 2018

WDS Single Sign-On

Learn how we implement SSO using WordPress and Google accounts.


Single Sign-On (SSO) is one of those features every pointy-haired boss in the world wants on their websites. Managing user accounts and passwords across dozens of work-related sites gets very old, very quickly. As time went on, the need for an SSO solution at WebDevStudios (WDS) grew. I’ll tell you a little about our implementation of Single Sign-On using WordPress and Google accounts, and how it helps both WDS and our clients simultaneously.
What is it?
In the simplest terms, Single Sign-On is a way for someone to access multiple websites using one set of username and password credentials.
The WDS-specific implementation uses Google authentication, primarily because we use the Google apps suite for our work tools. But WDS-SSO can easily support any standard OAuth service. Here’s a list of features we built into our SSO solution:
Google Auth support (including Two-Factor Authentication)
Client/Proxy configuration makes setup a one-time task
Enforces all sites involved to use HTTPS
Uses industry standard JSON Web Tokens (JWT)
Multisite support
Selective role maps (including Super Admin) for individuals and/or sites
Support for selective (multiple)

7 min read Josh Pollock
Security | calderaforms.com | Sep. 17, 2018

Don't Waste Your Time On These 4 Common Security Tips

WordPress security is super important. But, as times change, knowing which classic WordPress security advice to follow and not to follow isn't easy. David Hayes of WPShout fame shares advice on what not to worry about.


Following last week’s post about WordPress security, in this post I’ll start with advice I see commonly in other places that I don’t see much point in doing. Most of this advice is nearly harmless to slightly beneficial if it’s done. But the reason I don’t recommend it is that its benefits (where they exist) are so small, and the possibility that spending time on them makes you ignore more-valuable security practices is big. You’re free to do these, but I just don’t think they’re worth the time invested because the gains they give are very small.
Don’t Bother: Hide WordPress Version
We’re starting with the most useless piece of common security advice—that you should hide your WordPress version number, or that you’re using WordPress. The second is very hard to do in a serious way, and the first is basically valueless.
Hiding that you’re running WordPress is hard, and most people are trying to do it merely by changing or eliminating a <meta> tag in their site. No reasonably intelligent botnet builder is going to be relying on that, and many webmasters of non-WordPress sites report that they see people
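To show why the author calls the generator tag useless, an added example that is not from the article: a Python fingerprinter that identifies WordPress and its core version from signals the meta tag has nothing to do with, chiefly the ?ver= query string WordPress appends to its own /wp-includes/ assets and the REST API discovery link. The HTML, hostname and version numbers are constructed.

```python
"""Fingerprint WordPress and its core version without the generator meta tag.

Added example, not from the article. The HTML is constructed to look like a
default WordPress front page: core appends ?ver=<core version> to the
/wp-includes/ assets it enqueues, plugin assets carry the plugin's version,
and bundled libraries (jQuery) carry their own. Removing <meta name="generator">
changes none of that.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"\s*/?>', re.I)
ASSET_URL = re.compile(r'\b(?:src|href)="([^"]+)"', re.I)
CORE_VER = re.compile(r"^\d+\.\d+(?:\.\d+)?$")   # 5.2.3 yes; 1.12.4-wp (bundled jQuery) no

SAMPLE_HTML = """<!doctype html><html><head>
<meta name="generator" content="WordPress 5.2.3">
<link rel="https://api.w.org/" href="https://example.com/wp-json/">
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=5.2.3">
<script src="https://example.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.1.4"></script>
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"></script>
<script src="https://example.com/wp-includes/js/wp-embed.min.js?ver=5.2.3"></script>
</head><body></body></html>"""


def fingerprint(html: str) -> dict:
    """Collect each WordPress signal separately, so you can see which survive hiding."""
    signals = {"generator": None, "wp_dirs": set(), "core_versions": Counter(), "rest_link": False}
    m = GENERATOR.search(html)
    if m:
        signals["generator"] = m.group(1)
    if 'rel="https://api.w.org/"' in html:          # REST API discovery link
        signals["rest_link"] = True
    for url in ASSET_URL.findall(html):
        parts = urlsplit(url)
        for d in ("wp-includes", "wp-content", "wp-json"):
            if f"/{d}/" in parts.path:
                signals["wp_dirs"].add(d)
        if "/wp-includes/" in parts.path:
            ver = parse_qs(parts.query).get("ver", [""])[0]
            if CORE_VER.match(ver):
                signals["core_versions"][ver] += 1
    return signals


def guess(html: str):
    """Return (is_wordpress, version_or_None): the generator tag when present,
    otherwise the most common version seen on core assets."""
    s = fingerprint(html)
    is_wp = bool(s["wp_dirs"]) or s["rest_link"] or s["generator"] is not None
    version = s["generator"]
    if version is None and s["core_versions"]:
        version = s["core_versions"].most_common(1)[0][0]
    return is_wp, version


def strip_generator(html: str) -> str:
    """What the 'hide the WordPress version' advice amounts to."""
    return GENERATOR.sub("", html)


if __name__ == "__main__":
    print("as shipped :", guess(SAMPLE_HTML))
    print("meta hidden:", guess(strip_generator(SAMPLE_HTML)))
```

Both calls return the same answer, which is the author's point: a scanner that wants the version reads it off the asset URLs (or readme.html, or the feed generator element) and never looks at the meta tag.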

6 min read Eric Karkovack
Security | speckyboy.com | Sep. 7, 2018

5 Tips for a More Secure WordPress Website

A look at how adapting our behaviors can result in a more secure website.


Web security has grown into one of the most important issues we face – right up there with design and development. And those of us who use an open source content management system such as WordPress are under even more pressure to tighten up security. The unfortunate fact is that, as time goes on, the task is only going to become more difficult. WordPress itself is the target of an array of automated attacks. Bots are attempting brute-force logins, script and database injections, along with a multitude of other malicious activities. But, while preventing bot attacks is vital, they’re far from the only threat that needs to be dealt with.
Indeed, there are other bases we need to cover. Beyond automated threats, changing human behavior may be an even more important step in securing a WordPress site. With that in mind, here are 5 things we can do right now to improve security.
1. Train Users in Best Practices
Part of a designer’s job description often includes training clients. But while we tend to focus on the basics of managing content, this is also a prime opportunity to talk about security. I know, it sounds like a potentially complicated discussion – but it doesn’t

11 min read robert Abela
Security | blog.ripstech.com | Feb. 20, 2019

Remote code execution in WordPress 5.0

This vulnerability allows an attacker who gains access to an account with author privileges to execute arbitrary PHP code on the server, leading to a full remote takeover.


This blog post details how a combination of a Path Traversal and a Local File Inclusion vulnerability led to Remote Code Execution in the WordPress core. The vulnerability remained undiscovered in the WordPress core for over 6 years.
Impact
An attacker who gains access to an account with at least author privileges on a target WordPress site can execute arbitrary PHP code on the underlying server, leading to a full remote takeover. We sent the WordPress security team details about another vulnerability in the WordPress core that can give attackers exactly such access to any WordPress site, which is currently unfixed.
Who is affected?
The vulnerability explained in this post was rendered non-exploitable by another security patch in versions 4.9.9 and 5.0.1. However, the Path Traversal is still possible and currently unpatched. Any WordPress site with a plugin installed that incorrectly handles Post Meta entries can still be exploitable. We have seen plugins with millions of active installations make this mistake in the past during the preparations for our WordPress security month.
According to the download page of WordPress, the software

14 min read Maddy Osman
Security | the-blogsmith.com | Nov. 23, 2018

An 8 Step WordPress Security Checklist for WordPress Security Issues

Don't wait for the worst to happen — use this WordPress security checklist to protect your website from the worst WordPress security issues.


Updated 11/9/18. Please note: this article contains affiliate links for businesses I use and love. Powering 30% of all websites in the world (and growing!) and capturing almost 60% market share of all open source content management systems, there is no doubt about WordPress’ popularity.
But when it comes to popularity on the internet, there are often consequences. Because of its widespread use, WordPress has become a favorite target for hackers and attackers.
Did you know:
There are roughly 91,000 attacks on WordPress every minute.
During the worst WordPress security breach, over 18 million users were compromised.
73% of the 40,000 most popular websites that use WordPress are vulnerable to attack.
Many of these hackers use bots to automate the process of sniffing out vulnerabilities from your site. With this in mind, an attack isn’t necessarily personal, which is why even the smallest, under-the-radar websites get hacked. Once their bots find a viable entry point, hackers jump in and take advantage.
Before going through the comprehensive WordPress security checklist I’ve put together to help you safeguard your website from the worst possibilities, let’s take

5 min read Tang Rufus
Security | itineris.co.uk | Mar. 24, 2019

Announcing disallow pwned passwords

People using pwned passwords can pose a serious risk to your cybersecurity. When hackers undertake a brute force attack – using passwords to take personal information or spend users’ hard earned money through your site – it’s usually the site owner/developer who gets the blame.


Admins know it’s key that WordPress users have secure passwords to keep web security watertight. But do you know if your WordPress users are accessing your CMS with insecure ‘pwned’ passwords? And do you know the risk?
What is a pwned password?
Pwned passwords are over seven billion real-world passwords that have been exposed in data breaches. This exposure makes them unsuitable for use as they’re at much greater risk of being used to take over other accounts. They’re searchable online at the Have I Been Pwned database.
What’s the risk?
People using pwned passwords can pose a serious risk to your cybersecurity. When hackers undertake a brute force attack – using passwords to take personal information or spend users’ hard earned money through your site – it’s usually the site owner/developer who gets the blame.
The National Institute of Standards and Technology has issued guidelines for federal agencies implementing digital identity services, which state:
When processing requests to establish and change memorised secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used,
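The check the NIST guideline asks for, as an added example that is not the plugin's own code: a Python implementation of the Pwned Passwords range (k-anonymity) protocol, in which only the first five hex characters of the password's SHA-1 are sent and every matching suffix comes back with a breach count, plus a small policy function a registration or password-change form could call. The range responses and breach counts are constructed for offline use; the endpoint URL, the Add-Padding header and the SUFFIX:COUNT response format are those of the real api.pwnedpasswords.com service.

```python
"""Check a candidate password against Pwned Passwords with k-anonymity.

Added example, not from the original post or the plugin it announces. The range
API takes the first 5 hex characters of the password's SHA-1 and returns every
matching 35-character suffix with a breach count, so the password itself never
leaves the server. The range responses below are constructed for offline use.
"""
import hashlib
from collections import defaultdict
from urllib.request import Request, urlopen

MIN_LENGTH = 8  # NIST SP 800-63B: at least 8 characters for user-chosen secrets


def sha1_split(password: str):
    """Return (prefix, suffix) of the upper-case hex SHA-1, split after 5 characters."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a dict. Padded responses carry ':0' filler
    entries, which are dropped here."""
    table = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        if int(count) > 0:
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach data (0 = not found)."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def hibp_fetch(prefix: str, timeout: int = 5) -> str:
    """Live fetch against the real API. Add-Padding hides the true line count from
    network observers. Not used by the offline demo or tests."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "wp-password-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def validate_new_password(password: str, fetch_range=hibp_fetch):
    """Policy hook a registration or change-password form would call: (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    n = pwned_count(password, fetch_range)
    if n:
        return False, f"seen {n} times in breach data"
    return True, "ok"


def fake_range_service(leaked: dict):
    """Constructed stand-in for the range endpoint: {password: count} -> fetch(prefix)."""
    by_prefix = defaultdict(list)
    for pw, count in leaked.items():
        prefix, suffix = sha1_split(pw)
        by_prefix[prefix].append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(by_prefix.get(prefix, []))


if __name__ == "__main__":
    # Constructed breach table; the counts are invented, not HIBP's real figures.
    service = fake_range_service({"password": 1000, "qwerty123": 250})
    for candidate in ("password", "qwerty123", "short", "correct horse battery staple"):
        print(f"{candidate!r}: {validate_new_password(candidate, service)}")
```

Swap `service` for `hibp_fetch` to query the live corpus; the only thing that crosses the wire is the five-character prefix, which maps to hundreds of unrelated hashes, so a logged request cannot be turned back into the password.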

8 min read Iain Poulson
Security | deliciousbrains.com | Nov. 20, 2018

An Introduction to WordPress Penetration Testing

Recently I saw a talk on site security at a WordPress meetup that explained how vulnerabilities in sites are found and then exploited. It got me thinking that perhaps I should really look deeper into site security.


Recently I had Tim Nash, the WordPress platform lead at 34SP.com, speak at the local WordPress meetup I help run. It’s the third time Tim has spoken at the meetup, and in the past he has spoken about site security and performance, but this time he spoke about a handful of case studies of hackings: how the sites were exploited and what could be done to mitigate the vulnerability. Tim’s talk was essentially a scary but helpful introduction to penetration testing (or pentesting) with a WordPress flavor. It got me thinking about just how secure the sites I manage are, and that perhaps I should really look into site security further than just the fundamentals of WordPress security.
What is Penetration Testing
The deeper you get into site security, the darker it gets. Penetration testing is the practice of simulating an attack on a system, network, app or website to identify vulnerabilities that might be exploited.
In simple terms, you become the hacker to protect your site. But that means any testing you perform needs to be authorized by the site or system owner (read: your boss or client needs to give the thumbs up), and to avoid arrest and criminal charges (keep in mind I’m not

9 min read robert Abela
Security | a2hosting.com | Aug. 15, 2019

5 Myths About WordPress Activity Logs Explained

A good write up that explains how even a small WordPress website with a handful of users can benefit from an audit trail (activity log).


It’s easy to assume that activity logs are something only a few websites can benefit from, or that they include far too much data to sort through. However, these assumptions are incorrect. Any type of website can benefit from having an activity log, from the smallest to the most complex. Understanding how activity logs work is the first step to using one successfully. With the right WordPress activity log plugin, you’ll never miss anything that happens on your website again. Plus, you can cut through the noise by disabling the events you don’t want the plugin to track.
In this article, we’re going to break down what activity logs are and why you can benefit from them. Then we’ll dismantle five common myths about WordPress activity logs, so you’ll know what to expect. Let’s get to it!
What Are WordPress Activity Logs (And Why You Need One)
Maintaining an activity log enables you to track specific kinds of events on your website. When it comes to WordPress, that can include any or all of the following:
User logins, and any changes made through the dashboard
Plugin and theme updates, installs, and removals
Changes to specific posts, pages, or custom