Security | thehackernews.com | Jan. 30, 2018

Nearly 2000 WordPress Websites Infected with a Keylogger

Security researchers discovered a malicious keylogger campaign targeting WordPress websites and delivering an in-browser cryptocurrency miner from CoinHive.

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke. Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.
Coinhive is a popular browser-based service that lets website owners embed a JavaScript snippet to utilise the CPU power of their website visitors in an effort to mine the Monero cryptocurrency.
Sucuri researchers said the threat actor behind this new campaign is the same one who infected more than 5,400 WordPress websites last month, since both campaigns used keylogger/cryptocurrency malware called cloudflare[.]solutions.
Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network management and cybersecurity firm Cloudflare. Since the malware used the cloudflare[.]solutions domain to initially spread the malware, it has been given this name.
The malware was updated in November to include a keylogger.

3 min read Eric Karkovack
Security | wordpress.org | Sep. 25, 2017

SI CAPTCHA Anti-Spam Plugin Removed from Repository

And, here we have yet another plugin pulled because of malicious code. Is this considered a crisis yet?

I am the original author of SI CAPTCHA for WordPress. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database.
I am sorry for any inconvenience this has caused. I never expected that this would happen. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted

18 min read Donna Cavalier
Security | blog.cloudflare.com | Feb. 24, 2017

Memory leak caused by Cloudflare parser bug was big security Whoopsy!

Yikes, this was a pretty significant bug. Glad it got fixed quickly.

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.
For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.
We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.
Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations

Security | didgit.com | 16 days ago

VestaCP hit by 0-day exploit

VestaCP zero-day exploit is a serious DDoS #attack which may lead your hosting network to suspend or even drop your server/vps. If you're using Vesta Control Panel then make sure you follow the guide published below and avoid any server/vps downtime or suspension.

The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file (gcc.sh) is loaded in cro

10 min read Juriy Polovec
Security | wpsuperstars.net | Jan. 4, 2018

8 Quick Ways To Secure Your WordPress Website

There is no doubt that we have all left a window open in our house while we have popped to the shop to grab some milk. Think back to the number of occasions where you have left your car unlocked for a moment while paying for a parking ticket or dropping something off.

Probably more than just once, right?
It is natural for us to forget about managing risky situations and put them on the back burner.
Human nature encourages us to feel positive wherever possible, and we like to think that most people and circumstances are to be trusted and that nothing untoward will happen.
Although that is true in most cases, there are times when the odds aren’t in our favor, and when that occurs, it will be too late to do anything about it.
If your home or car is broken into due to lax security, you will be left picking up the pieces knowing that you could have prevented a very unfortunate situation.
With regards to WordPress, the same logic applies, and hoping that your site won’t get hacked is most definitely not the best course of action.
Obviously, nobody wants their site attacked, and if that happens, there are likely to be serious consequences; your website could get blacklisted from

13 min read Tom Zsomborgi
Security | charlesfloate.co.uk | Dec. 29, 2017

Backdoored Plugins By SEO Community Members

An interesting case on backdooring plugins and hacked links, written by famous blogger Charles Floate.

This subject was extremely difficult for me to find an opening to approach with. It’s something I wish I didn’t have to blog about in the first place, but it’s something that has not slowed down, even with the likes of WordFence revealing details surrounding it. I have actually been speaking with Dan who wrote the post on WF over the past few days, he’s been extremely helpful with this post.
Backdooring Plugins
Most people blindly trust updates to plugins and will update it to defend against Cyberattacks. This weakness has been exploited by the 3 people mentioned in this article, to gain backdoors to people’s websites and use them as their own personal link network – Though it actually goes greatly beyond that.
Essentially, what these SEOs would do is send an outreach email to plugin owners that haven’t updated in a while or have a smaller number of sites that have the plugin currently installed. They’d then offer to buy the plugin and proceed to run an update which included a backdoor to the sites, so they could insert links onto the sites that installed them – all through a dashboard they had set up on a server that we actually located,

Security | ithemes.com | Oct. 14, 2016

How to Secure WordPress Quickly and Easily

Simple steps that anyone can do to secure a WordPress site.

Knowing how to secure WordPress is one of the most important components of keeping your site safe and protected from hacks. In this post, we cover five quick and easy tips you can use today to secure your WordPress site.
How to Secure WordPress: 5 WordPress Security Tips
1. Delete your “admin” user.
The username “admin” is just a generic name created by WordPress. The “admin” username is well-known and makes it simple for someone to potentially hack into your WordPress site.
To remove the admin user, follow these steps:
Create a new user for yourself. It is important to come up with a username that is unique to make it more difficult for someone to figure out. (When coming up with your new username, you might also consider how you want your name displayed on the frontend of your site. For instance, if your name is John and that’s how it will be displayed on your posts, using John as your username would not be the best idea.)
Make sure you create a strong password for this user and set the role to admin.
Once you’ve

7 min read Robert Abela
Security | godaddy.com | Jan. 10, 2018

How to decode your security logs to improve WordPress security - The Garage

Logs contain a wealth of information and are not just there for forensics reasons. Logs can help you improve the security posture of your WordPress website. Good read.

Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to optimally leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on its capabilities). Some audit-trail plugins keep a record of just about every detail,

15 min read Alex Denning
Security | wpshout.com | Oct. 19, 2017

Preventing XSS Attacks in WordPress: Complete Guide to Validating, Sanitizing, and Escaping Data

Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.

When it comes to making your WordPress site secure as a developer, probably the most impactful thing you can do is make sure you always clean up the data you get from users. That means, generally, two things: validating or sanitizing it on the way into your system, and escaping it on the way out. In a recent survey of disclosed vulnerabilities in WordPress core, plugins, and themes that I did for WordPress Security with Confidence (my new course on WordPress security, launching next month), the most common type of vulnerability (about 33%) was cross-site scripting. Cross-site scripting vulnerabilities (often abbreviated XSS) are ones where you make it possible for an attacker to execute unauthorized JavaScript on your pages, because you failed to escape or sanitize something in your application’s data flow.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against

6 min read Lizzie Kardon
Security | robojuice.com | Jan. 24, 2018

Is WordPress Secure Enough for Microsoft? An Interview with Brad Williams.

Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.

Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Brad

4 min read Joe Casabona
Security | wpinonemonth.com | Sep. 21, 2017

Explaining WordPress Security Issues to Your Clients

Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?

Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story today about CCleaner broke, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there’ve been many high profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, like there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
The

3 min read Donna Cavalier
Security | wordpress.org | Sep. 22, 2017

New Owner Adds Malicious Code to Fast Secure Contact Form Plugin

Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.

I am the original author of Fast Secure Contact Form. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 4.0.52, 4.0.53, 4.0.54 and 4.0.55 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version

Security | wordfence.com | Dec. 19, 2017

Backdoor in Captcha Plugin Affects 300K WordPress Sites

Same scum running similar scammy backdoor code in more newly purchased plugin(s).

Security | wordfence.com | Nov. 9, 2017

WordPress Plugin Banned for Crypto Mining

Now we find a plugin that is using visitor's CPU cycles for profit.

3 min read Ana Segota
Security | sucuri.net | Nov. 19, 2017

Sucuri Security

A very useful and comprehensive guide about WordPress security, a step-by-step guide :)

The WordPress security team works diligently to provide important security updates and vulnerability patches. However, the use of third-party plugins and themes exposes users to additional security threats. By regularly installing the latest versions of core WordPress files and extensions, you can ensure that your website possesses all of the prevailing security patches.
Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your website.
To protect your WordPress installation, we recommend that you audit your plugins and themes on a regular basis.
Assess Your Plugin Security
You can assess the security of WordPress plugins and themes by reviewing a couple of important indicators:
Does the plugin or theme have a large install base?
Are there a lot of user reviews, and is the average rating high?
Are the developers actively supporting their plugin and pushing frequent updates or security patches?
Does the vendor list terms of service or a privacy policy?
Does the vendor include a physical contact address in the ToS or from a contact page?
Carefully read the Terms of Service - it may include unwanted extras that the authors didn’t

7 min read Robert Abela
Security | wpwhitesecurity.com | Jan. 9, 2018

Best Two-Factor Authentication (2FA) WordPress Plugins

There are quite a few good & free Two-Factor Authentication plugins available out there, so there should not be any more excuses to implement 2FA on your WordPress.

Two-Factor Authentication (aka Two-Step Verification, 2FA) is an additional layer of security you can add to your WordPress login page. With 2FA it is virtually impossible for attackers to log in to your WordPress, even if they guess your user’s password. Two-factor authentication is also good to help mitigate WordPress brute force attacks. Read our article An Introduction to Two-Factor Authentication in WordPress for a detailed explanation of what it is and how it works. WordPress does not have 2FA by default, so you need a plugin to enable it. Below is a compilation of some of the best Two-Factor Authentication WordPress plugins currently available. At the end of the article I also explain why some of the popular 2FA plugins were not included in this compilation.
Google Authenticator
Google Authenticator is the first Two-Factor Authentication WordPress plugin I have used. It is available for free and is the simplest, easiest-to-set-up plugin. It is also the most basic one. Setting up 2FA for your WordPress could not be easier. Once you install the plugin, visit your profile page, enable the Google Authenticator Settings and scan the QR code with the Google Authenticator app on your

16 min read Ana Segota
Security | wpshout.com | Oct. 26, 2017

What I Learned Interviewing 10 WordPress Security Experts

All about WordPress security - from interviews with different WordPress security experts.

I’ve spent the last three months deep in the weeds of WordPress security. As regular readers will know, this is because I’m working on a new course: WordPress Security With Confidence (it’s coming out in two weeks). Part of this research has involved talking to a lot of WordPress security experts. Some of these experts focus on the big picture, whilst some focus on extremely specific aspects. As a whole they offer an incredible depth of knowledge about how WordPress security works, what’s important, and what we should all be focusing on.
Hopefully you’ll find something interesting in this diverse mix of perspectives. I talked to people from S-brands like Sucuri, SiteGround, SiteLock, and SecuPress. (I prefer brands whose first letters are in the second half of the alphabet. ;p) To give you a quick sense of topics: these cover everything from convincing clients to think about security, why your WordPress site shouldn’t have a username and password, and how WordPress itself deals with security fixes.
WordPress Security With Confidence will include hours of screencasts of me talking about security concepts, and showing you how to implement them in WordPress

29 min read Alex Denning
Security | wpshout.com | Feb. 7, 2018

The Complete Guide to WordPress Security

To the extent any guide to WordPress security can be "complete", this is pretty good: thorough look at security basics most sites need to follow that avoids the cliched poor quality advice often found on the topic.

WordPress sites are one of the most common targets for attack on the internet. They’re hacked more than any other type of site. If you, your friends, or someone you know has never had an experience of a WordPress site getting “hacked”, you’ve either been extremely lucky or have abnormally careful people surrounding you in your life. Security matters because WordPress sites are online, are running literally hundreds-of-thousands of lines of code, and WordPress is a common-enough platform that it’s going to be targeted by attackers. When Microsoft Windows was a relatively new and dominant platform with regular headlines about security issues, its defenders pointed out that the number of attacks was a big reason. While there were security mistakes being made by Microsoft, it was also the case that many security errors were commonly exploited first on the Windows platform.
So too with WordPress. WordPress powers about 27% of the internet. That’s great, but it also means that if someone finds a fundamental security flaw that’s common on all WordPress sites, or even a big percentage, they can easily have thousands of servers mustered in a matter

6 min read Eric Karkovack
Security | speckyboy.com | Sep. 28, 2017

Malicious Code in Previously Trusted WordPress Plugins: A New Reality

My take on the recent issues with malicious code in plugins and the importance of getting the word out to users.

In case you missed it, three widely-used WordPress plugins were recently found to have malicious code included with recent updates. Display Widgets, Fast Secure Contact Form and SI CAPTCHA Anti-Spam were each removed from the official WordPress Plugin Repository due to SEO spam discovered by users. One thing each plugin has in common was that they were all previously trusted and generally considered secure. More recently, they were sold by their original authors to a new developer, who used these popular plugins to spread payday loan spam posts. In fact, security plugin company Wordfence recently reported that up to 9 plugins have been found with malicious code added through various means.
While many web designers and developers have become more proactive in securing their sites against typical threats like brute force attacks, etc. – malicious plugins appear to be a whole new ballgame. We’re used to defending against security holes, but not authors who are intentionally trying to propagate malware. And in the case of the plugins mentioned above, immediately updating to the latest version was the worst thing we could have done since that was how the code was installed.
The

3 min read Donna Cavalier
Security | highedwebtech.com | Sep. 20, 2017

Trust But Verify WordPress Plugin Updates

I watch changelogs like a hawk. Nuggets of gold to be found in there. Or sharp knives.

There have been several high profile plugins lately that have been found to be posting spam and deceptive links on users’ blogs. One such is the “Display Widgets” plugin. You can read Wordfence’s detailed breakdown of the spam. It turns out the original developer of the plugin sold it, and the new owner started to place spammy backlinks and other bad code into the plugin. This gave this “developer” access to tens of thousands of blogs and the site owners never knew it was happening.
I was checking the WordPress that runs this blog today to see if there were any plugin or system updates for me to do, as is good practice. I noticed one today had an update, a no-follow plugin I’ve been using for a few years. Today, I saw that plugin had an update, and I looked at the changelog to see what was new, which is also a good thing to look at instead of blindly trusting plugins.
I saw this, which set off my Spidey sense.
No offense to this new maintainer person, but seeing a plugin go to a new person, one that has no other active plugins in the WP repository, has no mention of this plugin on his blog, and whose Twitter feed is mostly links

6 min read Eric Karkovack
Security | wordpress.org | Sep. 10, 2017

Security Issue with Display Widgets Plugin

If you use the Display Widgets plugin, it has been removed from the plugin repository due to potentially malicious code.

This is the latest version of the plugin code (version 2.6.3.1): https://plugins.trac.wordpress.org/browser/display-widgets/trunk/geolocation.php Look at the function on line 186 (pasted below).
Note the name of the function, dynamic_page. What do you think a function named Dynamic Page does?
It creates a DYNAMIC PAGE (a Dynamic WordPress Post) on Display Widgets users’ sites and is loaded using line 299:
299 add_filter( 'the_posts', array( 'dw_geolocation_connector', 'dynamic_page' ) );
The above hooks into the_posts function; this line basically intercepts your Posts before they are output to the browser so the Dynamic Post can be added to the Posts.
Why would a plugin to determine where widgets are loaded create Dynamic Posts?
Line 187 checks if a user is logged in. A logged-in user is probably the site owner, and when a user is logged in (the site owner) the Dynamic Page function does nothing (outputs the Posts normally). So if you are logged into your site and you look at your site in a browser, everything looks normal.
Why would a legitimate plugin feature be hidden from the site owner and other logged in users?
If a user is logged out: that would be your site’s visitors and

16 min read Iain Poulson
Security | deliciousbrains.com | Oct. 24, 2017

WordPress Security Fundamentals: How to Not Get Hacked

In Evan's latest article, he digs into WordPress security. What makes a site more or less secure and what you can do to protect your site without being a PhD in information security. If you're not already offering security auditing as a service for your clients, you should!

WordPress has made great strides in its effort to democratize publishing, making the ability to publish content on the web accessible to a very large number of people all over the world. Today, it powers roughly 28% of the websites on the web making it the most widely used platform in the world by far in terms of market share. However, with the status of being number one comes the attention of those who wish to exploit it. In this article, we’ll look at what you can do to make your site more secure to weather the eternal storm of bad guys.
Isn’t WordPress Secure Already?
Just as it is not possible to secure your home 100%, no site is 100% secure. Every lock has a key, and it can be opened by anyone who has something that fits the same way. That is not to say that WordPress is not secure though. As an open-source project with literally thousands of developers working on it, in it, and around it all the time, the collective effort of so many people makes it very strong because it only takes one person to find a vulnerability and report it. WordPress also has a dedicated security team responsible for making sure WordPress core is as secure as possible.
The WordPress Security

13 min read Alex Denning
Security | wpshout.com | Oct. 11, 2017

Security Through Obscurity is Not Security At All

Hiding that you're running WordPress (security through obscurity) is pretty terrible security advice... most of the time.

What counts as security, and how you make sure that you’re secure are both big and complicated topics. But, the complication of them is worsened when people mistake useless task-creation for actual benefit. “Security theater” has been an ever more common term used to characterize practices that look like they improve security but don’t really do much of anything at all. There’s a specific class of common WordPress security advice that just isn’t really worth all the time and energy that people spend on it: hiding the fact that you’re running WordPress. I think that while some of the often-recommended “security through obscurity” features have value for an average WordPress site, they aren’t worth the hassle.
In this article, we’ll start with a brief overview of how to think about security with WordPress, cover what “security through obscurity” is, which practices it entails, and then what modest benefit it does have.
Oh, and if you want some guidance on some actually helpful WordPress security advice, you should sign up for my free course below. It’s a brief, valuable, and fun mini-series ahead of the