WordPress security is super important. But, as times change, knowing which classic WordPress security advice to follow and not to follow isn't easy. David Hayes of WPShout fame shares advice on what not to worry about.
Following last week’s post about WordPress security, in this post, I’ll start with advice I see commonly in other places that I don’t see much point in doing. Most of this advice is nearly harmless to slightly beneficial if it’s done. But the reason I don’t recommend it is that its benefits (where they exist) are so small. And the possibility that spending time on them makes you ignore more-valuable security practices is big. You’re free to do these, but I just don’t think they’re worth the time invested because the gains they give are very small.
Don’t Bother: Hide WordPress Version
We’re starting with the most useless piece of common security advice—that you should hide your WordPress version number, or that you’re using WordPress. The second is very hard to do in a serious way, and the first is basically valueless.
Hiding that you’re running WordPress is hard, and most people are trying to do it merely by changing or eliminating a <meta> tag in their site. No reasonably intelligent botnet builder is going to be relying on that, and many webmasters of non-WordPress sites report that they see people
A look at how adapting our behaviors can result in a more secure website.
Web security has grown into one of the most important issues we face – right up there with design and development. And those of us who use an open source content management system such as WordPress are under even more pressure to tighten up security. The unfortunate fact is that, as time goes on, the task is only going to become more difficult. WordPress itself is the target of an array of automated attacks. Bots are attempting brute-force logins, script and database injections, along with a multitude of other malicious activities. But, while preventing bot attacks is vital, they’re far from the only threat that needs to be dealt with.
Indeed, there are other bases we need to cover. Beyond automated threats, changing human behavior may be an even more important step in securing a WordPress site. With that in mind, here are 5 things we can do right now to improve security.
1. Train Users in Best Practices
Part of a designer’s job description often includes training clients. But while we tend to focus on the basics of managing content, this is also a prime opportunity to talk about security. I know, it sounds like a potentially complicated discussion – but it doesn’t
WordPress powers 31% of all websites which makes it a tempting target for hackers. Here are the 8 common ways WordPress is hacked and what to do about it.
Hacking is a bigger problem now than it has ever been. As the sophistication of our technology and software has grown, so have the techniques employed by hackers. By the same token, we have better security for websites now than ever before. You can never make your WordPress site 100% safe from hackers, but there are certain proactive steps you can take to make it harder for them.
***Check out my post on 10 important things to do after installing WordPress***
If Hackers Are Targeting WordPress Should I Use Another Platform?
Let me be clear, ALL websites are vulnerable to hacking, not just WordPress. The most secure websites on earth such as Google, The Department of Defense and the National Security Agency (NSA) have all been hacked.
The reason WordPress is a common target of hackers is its widespread use. WordPress is the most popular website platform in the world. It powers a staggering 31% of all websites on the Internet. Therefore, it’s not surprising it would be a popular target for those with bad intentions.
To its credit, WordPress takes security very seriously. Even right out of the box, WordPress is pretty secure.
What I want to share with you today are
Interesting to see that this bad actor got caught up in a big net.
Researchers say the PHP security flaw could leave countless WordPress websites open to exploit.
A severe WordPress vulnerability which has been left a year without being patched has the potential to disrupt countless websites running the CMS, researchers claim. At the BSides technical cybersecurity conference in Manchester on Thursday, Secarma researcher Sam Thomas said the bug permits attackers to exploit the WordPress PHP framework, resulting in a full system compromise.
If the domain permits the upload of files, such as image formats, attackers can upload a crafted thumbnail file in order to trigger a file operation through the "phar://" stream wrapper.
In turn, the exploit triggers XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF) flaws which cause unserialization in the platform's code. While these flaws may only originally result in information disclosure and may be low risk, they can act as a pathway to a more serious remote code execution attack.
The security researcher says the core vulnerability, which is yet to receive a CVE number, is within the wp_get_attachment_thumb_file function in /wp-includes/post.php, and when attackers gain control of a parameter used in the "file_exists" call, the bug can be triggered.
Log files contain a wealth of information and give you the information you need as long as you know where to look for it. This article lists some of the log files typically found on a WordPress web server and highlights what information you can find in them.
Every service running on the web server on which your WordPress website is hosted has a log file. Log files are used to keep a record of what a service or software has done or what errors it encountered while running. That is why logs are a vital tool for administrators, webmasters, developers, testers and anyone who works with software (including WordPress) or maintains an IT system. Typically, we focus on the WordPress activity logs because that is what WP Security Audit Log does – it keeps a record of everything that happens on your WordPress website and multisite network in an audit log.
In this article, though, we introduce you to some useful log files you can find on a typical WordPress web server. Logs give you all the information you need as long as you know what you are looking for and where to look for it, which is why we have written this article. So when managing a WordPress website you might need to refer to some of the log files below to troubleshoot a technical or user problem, learn about possible malicious attacks, and do forensic work.
Web server logs
Starting with the most obvious, the web server log files. WordPress is written in PHP so it is typically hosted on either
Everyone talks about website security. Although it's pretty much obvious, did you know all the details about how to protect your site from malicious code & attacks?
No doubt WordPress is the world’s most popular CMS, powering 31.1% of websites and still growing. In fact, it is one of the fastest growing content management systems. But the growing popularity of WordPress puts it on the hackers’ radar.
According to a study, more than 73.2% of WordPress websites are vulnerable to hacker attacks.
To be honest, no website is 100% secure from hackers. But, anyone who has a WordPress website can harden the security of their WordPress websites.
Why Is Website Security Important?
“Your website has been hacked” is every website owner’s worst nightmare. A hacked website can cause you lots of trouble, including loss of data, time, money, and website traffic.
A hacker can steal users’ personal information, important data and passwords, install malicious software, and much more.
Moreover, they can even blackmail you into paying them to regain access to your website.
A study found that Google blacklists around 20 thousand websites for malware and over 50,000 for phishing each week. When your website is making money for you, then it becomes important to take every single step to protect your website from
There are loads of indicators telling you that you are/might be affected by something suspicious that needs additional observation. Start with these 7 and make sure your site is secure
Sure, WordPress might be one of the best and most well-liked CMSs (content management systems), especially when it comes to bloggers. It is super easy to use, and even utter newbies can build a professional website using a WordPress theme. Unfortunately, WordPress sites are still very poorly protected if not using any 3rd party software. In fact, you should not even dare to run a site without at least a free protection plugin. And if you invest in a premium tool, well, that’s even better.
Of course, there are loads of other indicators telling you that you are/might be affected by something suspicious that needs additional observation.
If you are serious about your online project, you better be serious about protection even more. What’s the point in doing all the hard work if later all gets lost?
Overnight website traffic decrease
When the time comes to check your Google Analytics to see how your page is doing and you spot something questionable, like a big drop in traffic, it is worth investigating the situation further. This could be a sign that your WordPress site is under attack.
Some hackers attack your page to redirect your traffic to their content and ads for one main
It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
As a blogger and a privacy wonk, I’ve written a lot about WordPress security for bloggers and VPNs for digital nomads, gamers, binge-watchers, and privacy-minded folks in general. But it never occurred to me bloggers could be questioning the relevance of VPNs for blogging until someone asked me about it. It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
What’s So Special about VPNs?
There are two fundamental functions of a VPN – geo-spoofing and data encryption.
A VPN is a network of servers across the globe.
A foreign IP enables you to bypass geo-blocks and unlock streaming sites, online TV, you get the idea. That’s geo-spoofing.
But a VPN also encrypts your traffic, making it unintelligible for anyone looking to snoop on your activities. That’s where the real value of VPNs kicks in – data encryption adds an extra layer of security to your browsing.
Now, let’s see if VPNs are relevant to blogging security.
VPNs Protect Your Admin Credentials
Securing your blog by enabling VPN encryption when you log in to your admin
How to protect your WP blog with Security Ninja? The plugin is free and will help you by running a lot of tests that will let you know what can be fixed and how.
If you worry about your WordPress-based website security, rest assured you’re not the only one! Everybody admires WordPress for being the largest content management system with 60% of market share, but most webmasters are also afraid because over 70% of installations are vulnerable to hacker attacks. Luckily enough, there are dozens of plugins that can help you keep your website safe and sound. The most difficult task is actually to choose the best option and find a tool that suits your preferences. We decided to give you a hand here and narrow down the options.
In this post, we will present to you one of the most efficient WordPress plugins, called Security Ninja.
Let’s check it out!
Security Ninja: General Information
Security Ninja was developed in 2011 with one goal in mind – to ensure easy and seamless website protection. It already serves more than 20 thousand WordPress sites using more or less complex safety procedures.
Jake Alison, a WordPress specialist at Best Dissertation, says it’s important that you don’t need to invest a lot of time or effort to operate Security Ninja: “It runs most of the operations automatically, while your only job is
We live in a data-driven world. Almost every transaction and interaction you have with most organizations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email.
We live in a data-driven world. Almost every transaction and interaction you have with most organisations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email. Sharing data helps make life easier, more convenient and connected. But your data is your data. It belongs to you, so it's important your data is used only in ways you would reasonably expect, and that it stays safe. Data protection law makes sure everyone’s data is used properly and legally.
By having regular updates and pushing forward security practices, it is clear that WordPress is doing its best. But, is it sufficient?
Security has always been a major topic for the state of WordPress. It is clearly seen that the WordPress community as a whole has steadily moved towards proactive measures. By maintaining security updates more often and pushing forward security practices, it is clear that WordPress is doing its best. But, is it sufficient? This has been a question for the majority of bloggers out there. Today, above 30% of all websites are made with WordPress (a staggering amount indeed). More and more individuals are adopting WordPress and the number keeps on growing. The more it grows, the harder it is to ensure each website has the maximum level of protection.
Whatever Content Management System (CMS) is being used, no one can guarantee absolute 100% website security. WordPress being at the pinnacle of them, it is obvious that it is most prone to attacks. There’s no denying that it has its fair share of security flaws.
Basically, any large CMS is going to intermittently contain bugs that lead to security loopholes. WordPress has an open source system for theme and plugin development, so the majority of those holes occur due to faulty themes and externally used services rather than the core
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? This article is going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors.
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? We’re going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors! But first… WordPress is a dominant content management system that powers around 30% of all websites on the Internet. It offers a plethora of incredible features, but it doesn’t mean that WordPress is resistant to malware attacks. On the contrary, security has always been one of the system’s weak spots.
Research revealed that over 90 thousand hacker attacks are happening each minute. Another study proved that 73% of the most popular WordPress-based websites are vulnerable to attacks. This is the reason why you often see a notification: The Site Ahead Contains Harmful Programs.
If you are a website owner, you should react immediately upon seeing this message on your site. This is why you need to eliminate the malware notification:
It ruins website credibility and reputation, chasing away even the most loyal visitors.
An average user does not care
The VestaCP zero-day exploit is a serious DDoS attack which may lead your hosting network to suspend or even drop your server/VPS. If you're using Vesta Control Panel then make sure you follow the guide published below and avoid any server/VPS downtime or suspension.
The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file (gcc.sh) is loaded in cro
I have my own share of the story. But let’s drop it and read the minds of other WordPress users. I asked them how they protect their blogs without necessarily installing a plugin.
WordPress (WP) is the most popular blogging platform. Latest updates have made it one of the most used tools for eCommerce shops, news and business websites. This brings about a serious security issue that must be handled at various ends to keep the project alive. One of the things used to close up loopholes and enforce security on the CMS are plugins. Unfortunately, this comes with a plethora of other issues.
I have been very curious about this. I wanted to know how WordPress bloggers handle the protection aspect of their WP site without the use of plugins.
WordPress Security Vox pop!
I went about talking with some WordPress experts and users on a couple of issues related to the platform. One of the things I found easy is setting up a WordPress site. If you have issues at this point, you may want to check out this WordPress Installation guide by Freddy Muriuki.
A lot of people find it quite easy to set up and manage WordPress sites. The interface is super user-friendly, with absolutely no tech knowledge required to move forward.
However, some beginners I spoke with remain puzzled by the mere mention of the word. Susan Valez, an avid WordPress user and blogger, wrote this comprehensive
Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against
One of the least fun things is to clean up hacked WordPress. Many of these points go without saying, but there are some useful tips.
One of the least fun things is to clean up customers’ hacked legacy WordPress sites. Many of these points go without saying. Today I don’t use FTP and expose PHP files above the site root.
Change password for your FTP account
Beware: big lists of passwords are circulating around the Internet. A quick check at Pwned can reveal this.
Change username for your FTP account
Don’t use the same username as your domain; make it hard to guess or brute force.
Keep an eye on index.php and .htaccess
The most common hack nowadays seems to be to alter the index.php or .htaccess. The site owner or visitor does not see anything special, but the Google bot does.
Keeping an eye on changes to index.php or .htaccess can give you a quick alert if anything suddenly changes.
<?php echo md5_file('index.php') . '-' . md5_file('.htaccess'); // combined fingerprint of both files; it changes when either file is modified
Then set up a site monitor to check the output of this script. If the keyword changes, you know something fishy has happened.
Keep an eye on Google Index
Add Google Webmaster Tools and keep an eye on how many indexed pages your site has. A sudden rise in pages indicates that your site is hacked. For sure.
Clean up an hacked
Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.
Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Good news - WP Security Bloggers, an aggregate of WordPress security news is now manually curated.
Finally, WP Security Bloggers got some TLC! I started this project back in 2014, so I could have a central repository for all the WordPress security news instead of following all the blogs. Over the years the idea developed into creating a WordPress security news aggregator. But because the number of blogs from which WP Security Bloggers aggregates the news is now over twenty, it is almost impossible to automatically curate the news.
The good news is that from today onward all the news will be curated manually. This means the value and quality for you subscribers will be much higher – you will no longer see duplicate posts and posts that are not about WordPress security.
Today we have also done several minor but significant changes on the website, such as:
We removed sources that are no longer working,
Deleted some of the latest posts that made it through the automated curation,
Added an About page etc.
Subscribe to WP Security Bloggers
To keep yourself up to date with WordPress security, subscribe to the WP Security Bloggers roundup emails, or follow us on Twitter and Facebook.
Logs contain a wealth of information and are not just there for forensics reasons. Logs can help you improve the security posture of your WordPress website. Good read.
Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to optimally leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on its capabilities). Some audit-trail plugins keep a record of just about every detail,
In the second volume of our GDPR article we are moving from theory to practice. Check the article to learn new facts about GDPR and cookies!
WordPress has quite a wide variety of plugins. They allow you to customize the style and options of the GDPR notification according to your requirements and site theme. Some of them allow users to enable and disable cookies on your site. The option to “Reject” or “Block” cookie files deserves special attention, because permission to use them is one of the main requirements of GDPR.
How does this function work and does it work at all?
In fact, depending on whether the user gives permission to use cookie files or not, cookies should be saved or blocked.
Some cookies are necessary for the functioning of the website: for browsing and using its functions. Without loading them, it is impossible to provide services such as a shopping cart and Internet payment. Another category of cookies collects information about your browsing of websites, for example, the most frequently visited pages. Such data can be used for optimizing websites. The collected information is intended for statistical purposes. Some cookies allow websites to remember the choices
Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?
Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story today about CCleaner broke, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there’ve been many high profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, like there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
Heather explains what HTTPS and SSL are, plus what the changes to Chrome are that are coming in July. It covers why that change is important for all website owners, even if they only have a basic contact or comment form on their site.
In February 2018, Google made an announcement regarding SSL certificates, also known as https. This announcement said: For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
What Does This Mean?
Basically, Google is saying that because a connection to a website via HTTPS encryption is more secure, they’ve been gradually marking pages where visitors’ information is transmitted as “not secure.” This could be anything from an ecommerce checkout page to just a simple contact form. Starting in July, any form that accepts a user’s data will be marked as “not secure” on Chrome if it’s not using HTTPS.
The bottom line is that if you have a website with any kind of form on it where visitors submit information (this includes a simple contact form), you’ll need to have an SSL certificate
My take on the recent issues with malicious code in plugins and the importance of getting the word out to users.
In case you missed it, three widely-used WordPress plugins were recently found to have malicious code included with recent updates. Display Widgets, Fast Secure Contact Form and SI CAPTCHA Anti-Spam were each removed from the official WordPress Plugin Repository due to SEO spam discovered by users. One thing each plugin had in common was that they were all previously trusted and generally considered secure. More recently, they were sold by their original authors to a new developer, who used these popular plugins to spread payday loan spam posts. In fact, security plugin company Wordfence recently reported that up to 9 plugins have been found with malicious code added through various means.
While many web designers and developers have become more proactive in securing their sites against typical threats like brute force attacks, etc. – malicious plugins appear to be a whole new ballgame. We’re used to defending against security holes, but not authors who are intentionally trying to propagate malware. And in the case of the plugins mentioned above, immediately updating to the latest version was the worst thing we could have done since that was how the code was installed.