Welcome to ManageWP.org

Security | hostinger.com | 4 hours ago

How to Create Reliable WordPress Backups: The Ultimate Guide

Check out this ultimate guide on how to backup your WordPress site and make file-loss a thing of the past!

3 min read Jonas Lejon
Security | blog.wpscans.com | Oct. 13, 2017

WordPress Vulnerability Testing WordPress with Nmap

How to use Nmap to scan for WordPress plugins and themes. Nmap can also try to bruteforce logins with common usernames and passwords

Nmap is one of our favorite tools when it comes to security testing (except for WPScans.com). Nmap was created in 1997 by Gordon Lyon aka Fyodor. The current version 7.60 contains about 580 different NSE scripts (Nmap Scripting Engine) used for different security checks or information gathering, and about six of them are related to WordPress. Our first test is to just use the default options in nmap and see which ports are open:
Btw, we are using the amazing penetration testing Kali Linux distro. The above screenshot shows that there is a webserver, SSH server and MySQL listening on the network. Exposing MySQL to the network is not really safe, but it’s not the target this time.
The following Nmap NSE scripts are directly related to WordPress:
http-wordpress-users.nse
http-wordpress-enum.nse
http-wordpress-brute.nse
http-vuln-cve2017-1001000.nse
http-vuln-cve2014-8877.nse
When we are running our second test we focus on the webserver and use the -A argument to Nmap to enable script scanning:
From the above screenshot we notice that the http-generator script displays the WordPress version, in this case 4.8.2.
Now it’s time for the heavy lifting stuff: Running the WordPress

3 min read Jan Östlund
Security | eastwest.se | Aug. 2, 2017

WordPress security myths

I have tried compiling a list of stuff that, in my opinion, does not bring more security to your WordPress installation. https://eastwest.se/blog/wordpress-security-myths What do you think, am I wrong? Is there something important I have forgotten?

Hide or move wp-admin to prevent brute force attacks
If you search on WordPress security, moving or hiding wp-admin is one common tip, and there are many plugins that can do this for you. Bots and scanners are actively looking for WordPress installations and attempting a brute-force password attack on /wp-admin.
This method is what's called "security by obscurity". Relying on this is not real security and cannot be seen as a good solution.
A big downside of this method is that many plugins depend on the exact location of /wp-admin. You are risking breaking plugins.
Besides this, most of the attacks use vulnerabilities in XML-RPC, so hiding wp-admin is useless.
However, I highly recommend a password attempt plugin to prevent a brute-force attack.
Changing wp-prefix of all tables
Another common tip is to change the wp_ prefix of the WordPress tables. The theory is that this will make an SQL injection harder. In reality, this does not matter; it is just a waste of time.
If an attacker can query against information_schema.tables, he or she will get all info about tables, whatever fancy prefix you put in front of the names, again "security by obscurity".
For

5 min read Joshua Strebel
Security | learntemail.sam.today | Feb. 28, 2017

Local Politicians Meet InfoSec - a Wordpress Disaster

What happens when a curious developer scans political sites for low hanging vulnerabilities.

Last year will be characterized by hacking and interference in the American political system. It was a huge wake up call for everybody involved in politics; InfoSec was an important priority. I don't live in America. I live in the tiny Australian Capital Territory, a territory comprising Canberra, a city of 300,000 people. Like many places, we have a local government full of politicians. I analyzed the websites of the 25 MLAs (members of the legislative assembly) and their parties' sites.
Spoiler: too many local politicians have SQL injection vulnerable sites, and don't even care.
Methodology
I'm not an InfoSec industry professional; just a developer who is interested in this stuff. This is not a blog post about novel vulnerabilities - it is a story about bad hygiene.
First, I compiled a list of all the sites. In total, there are 17 MLA sites (not all MLAs have their own site) and 3 party sites. There is even a helpful list maintained by the government.
Then I used the HTTP headers to do l33t hax0r discovery of the server software they used. It was as follows:
Software Package       # of Users
Wordpress              7
NationBuilder (SaaS)   4
Wix (SaaS)             2
Unknown/Bespoke        2
Static                 1
Wordpress.COM

18 min read Donna Cavalier
Security | blog.cloudflare.com | Feb. 24, 2017

Memory leak caused by Cloudflare parser bug was big security Whoopsy!

Yikes, this was a pretty significant bug. Glad it got fixed quickly.

Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.
For the avoidance of doubt, Cloudflare customer SSL private keys were not leaked. Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug.
We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response.
Because of the seriousness of such a bug, a cross-functional team from software engineering, infosec and operations

Security | didgit.com | 18 hours ago

The 3 Key Elements of a Secure WordPress Website

In this article, we’re going to introduce you to a number of security solutions you can implement on your WordPress website. Before that, we’ll talk about why safeguarding your site is so crucial. Let’s get started!

One easy way to get started is to look at what security features other sites

29 min read Alex Denning
Security | wpshout.com | 12 days ago

The Complete Guide to WordPress Security

To the extent any guide to WordPress security can be "complete", this is pretty good: thorough look at security basics most sites need to follow that avoids the cliched poor quality advice often found on the topic.

WordPress sites are one of the most common targets for attack on the internet. They’re hacked more than any other type of site. If you, your friends, or someone you know has never had an experience of a WordPress site getting “hacked”, you’ve either been extremely lucky or have abnormally careful people surrounding you in your life. Security matters because WordPress sites are online, are running literally hundreds-of-thousands of lines of code, and WordPress is a common-enough platform that it’s going to be targeted by attackers. When Microsoft Windows was a relatively new and dominant platform with regular headlines about security issues, its defenders pointed out that the number of attacks was a big reason. While there were security mistakes being made by Microsoft, it was also the case that many security errors were commonly exploited first on the Windows platform.
So too with WordPress. WordPress powers about 27% of the internet. That’s great, but it also means that if someone finds a fundamental security flaw that’s common on all WordPress sites, or even a big percentage, they can easily have thousands of servers mustered in a matter

10 min read Vova Feldman
Security | freemius.com | 5 days ago

“WordPress Security Solutions Are Still Inaccessible” - French “Mister Security”

In this interview with Julio Potier (known in France as "Mister Security") he shares his views on the WordPress security & business spheres and explains his success with his WP products.

Julio Potier is a prominent figure in the WordPress security scene. Based in France, he developed SecuPress, a plugin that makes securing WordPress websites easy. He also co-founded WP Media, the company behind popular plugins such as WP Rocket and Imagify. Julio, thank you for agreeing to do this interview. Let’s start by getting to know a little bit about you. Tell us about your educational and professional background?
Thank you, Kobe, for the invitation! Well, I have been involved in computer science since I was a kid. I did my first courses in computer network and hardware maintenance back in 1999. Then, I started developing my first HTML pages in 2000, got started with PHP in 2001, did my first web security oriented stuff in 2002 and finally Delphi programs, in 2004. In 2008, I was recruited by a company selling the worldwide number one retail store software, where I worked until 2011. In 2010 I started my own business as a freelancer, creating, selling and securing existing websites and plugins, only on WordPress of course.
How did you become interested in web security?
Back in 2001, when I got started building PHP pages at the age of 22, my first pages were not secure,

10 min read Juriy Polovec
Security | wpsuperstars.net | Jan. 4, 2018

8 Quick Ways To Secure Your WordPress Website

There is no doubt that we have all left a window open in our house while we have popped to the shop to grab some milk. Think back to the number of occasions where you have left your car unlocked for a moment while paying for a parking ticket or dropping something off.

Probably more than just once, right?
It is natural for us to forget about managing risky situations and put them on the back burner.
Human nature encourages us to feel positive wherever possible, and we like to think that most people and circumstances are to be trusted and that nothing untoward will happen.
Although that is true in most cases, there are times when the odds aren’t in our favor, and when that occurs, it will be too late to do anything about it.
If your home or car is broken into due to lax security, you will be left picking up the pieces knowing that you could have prevented a very unfortunate situation.
With regards to WordPress, the same logic applies, and hoping that your site won’t get hacked is most definitely not the best course of action.
Obviously, nobody wants their site attacked, and if that happens, there are likely to be serious consequences; your website could get blacklisted from

6 min read Lizzie Kardon
Security | robojuice.com | 26 days ago

Is WordPress Secure Enough for Microsoft? An Interview with Brad Williams.

Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.

Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Brad

7 min read Robert Abela
Security | godaddy.com | Jan. 10, 2018

How to decode your security logs to improve WordPress security - The Garage

Logs contain a wealth of information and are not just there for forensics reasons. Logs can help you improve the security posture of your WordPress website. Good read.

Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to optimally leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on its capabilities). Some audit-trail plugins keep a record of just about every detail,

13 min read Tom Zsomborgi
Security | charlesfloate.co.uk | Dec. 29, 2017

Backdoored Plugins By SEO Community Members

An interesting case on backdooring plugins and hacked links, written by famous blogger Charles Floate.

This subject was extremely difficult for me to find an opening to approach with. It’s something I wish I didn’t have to blog about in the first place, but it’s something that has not slowed down, even with the likes of WordFence revealing details surrounding it. I have actually been speaking with Dan who wrote the post on WF over the past few days, he’s been extremely helpful with this post.
Backdooring Plugins
Most people blindly trust updates to plugins and will update it to defend against Cyberattacks. This weakness has been exploited by the 3 people mentioned in this article, to gain backdoors to people’s websites and use them as their own personal link network – Though it actually goes greatly beyond that.
Essentially, what these SEOs would do is send an outreach email to plugin owners that haven’t updated in a while or have a smaller number of sites that have the plugin currently installed. They’d then offer to buy the plugin and proceed to run an update which included a backdoor to the sites, so they could insert links onto the sites that installed them – All through a dashboard they had setup on a server that we actually located,

Security | didgit.com | 14 days ago

7 simple tricks to prevent your WordPress website from being hacked

Google blacklists over 30,000 hacked websites every day, and, while WordPress is a perfectly secure platform, there are still plenty of steps you can take to bolster the security of your website. In this blog post, we’re going to look at seven ways you can do just that.

Many hacks go by without notice and with the problem rectified before any serious harm is done, while some security breaches hit the world’s largest corporations, creating PR disasters and lengthy periods of downtime.

6 min read Jan Östlund
Security | smashingmagazine.com | 22 days ago

Be Watchful: PHP And WordPress Functions That Can Make Your Site Insecure

Good read for people that are new to WordPress development, but may not know PHP.

For validating a URL, WordPress’s function will have a similar impact, but only lets through allowed protocols. is not in the default list, so it would keep you safe. However, unlike filter_var, it’ll return an empty string (not a false) for a disallowed protocol that is passed to it.
WordPress-specific Functions To Keep An Eye On
In addition to core-PHP potentially-vulnerable functions, there are some WordPress-specific functions that can be a bit of a gotcha. Some of these are very similar to the variety of dangerous functions listed above, some a little different.
WordPress Unserializes With maybe_unserialize
This one’s probably obvious if you read the above. In WordPress there’s a function called maybe_unserialize and, as you’d guess, it unserializes what’s passed to it if need be.
There’s not any new vulnerability that this introduces, the issue is simply that just like the core unserialize function, this one can cause a vulnerable object to be exploited when it’s unserialized.
is_admin Doesn’t Answer If A User Is An Administrator!
This one’s pretty simple, but the function is ambiguous in name, and so it’s prone

Security | thehackernews.com | 20 days ago

Nearly 2000 WordPress Websites Infected with a Keylogger

Security researchers discovered a malicious keylogger campaign targeting WordPress websites and delivering an in-browser cryptocurrency miner from CoinHive.

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke. Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.
Coinhive is a popular browser-based service that lets website owners embed JavaScript that uses the CPU power of their website visitors in an effort to mine the Monero cryptocurrency.
Sucuri researchers said the threat actors behind this new campaign are the same ones who infected more than 5,400 Wordpress websites last month, since both campaigns used keylogger/cryptocurrency malware called cloudflare[.]solutions.
Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network management and cybersecurity firm Cloudflare. Since the malware used the cloudflare[.]solutions domain to initially spread the malware, it has been given this name.
The malware was updated in November to include a keylogger.

7 min read Robert Abela
Security | wpwhitesecurity.com | Jan. 9, 2018

Best Two-Factor Authentication (2FA) WordPress Plugins

There are quite a few good & free Two-Factor Authentication plugins available out there, so there should not be any more excuses to implement 2FA on your WordPress.

Two-Factor Authentication (aka Two-Step Verification, 2FA) is an additional layer of security you can add to your WordPress login page. With 2FA it is virtually impossible for attackers to log in to your WordPress, even if they guess your user’s password. Two-factor authentication is also good to help mitigate WordPress brute force attacks. Read our article An Introduction to Two-Factor Authentication in WordPress for a detailed explanation of what it is and how it works. WordPress does not have 2FA by default, so you need a plugin to enable it. Below is a compilation of some of the best Two-Factor Authentication WordPress plugins currently available. At the end of the article I also explain why some of the popular 2FA plugins were not included in this compilation.
Google Authenticator
Google Authenticator is the first Two-Factor Authentication WordPress plugin I have used. It is available for free and is the most simple, easy to setup plugin. It is also the most basic one. Setting up 2FA for your WordPress cannot be easier. Once you install the plugin visit your profile page, enable the Google Authenticator Settings and scan the QR code with the Google Authenticator app on your

Security | wordfence.com | Dec. 19, 2017

Backdoor in Captcha Plugin Affects 300K WordPress Sites

Same scum running similar scammy backdoor code in more newly purchased plugin(s).

15 min read Alex Denning
Security | wpshout.com | Oct. 19, 2017

Preventing XSS Attacks in WordPress: Complete Guide to Validating, Sanitizing, and Escaping Data

Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.

When it comes to making your WordPress site secure as a developer, probably the most impactful thing you can do is make sure you always clean up data you get from users. That means, generally, two things: validating or sanitizing it on the way into your system, and escaping it on the way out. In a recent survey of disclosed vulnerabilities in WordPress core, plugins, and themes, which I did for WordPress Security with Confidence (my new course on WordPress security, launching next month), the most common type of vulnerability (about 33%) was cross-site scripting. Cross-site scripting vulnerabilities (often abbreviated XSS) are ones where you make it possible for an attacker to execute unauthorized JavaScript on your pages, because you failed to escape or sanitize something in your application’s data flow.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against

Security | wordfence.com | Nov. 9, 2017

WordPress Plugin Banned for Crypto Mining

Now we find a plugin that is using visitor's CPU cycles for profit.

3 min read Ana Segota
Security | sucuri.net | Nov. 19, 2017

Sucuri Security

A very useful and comprehensive guide about WordPress security, a step by step guide :)

The WordPress security team works diligently to provide important security updates and vulnerability patches. However, the use of third-party plugins and themes exposes users to additional security threats. By regularly installing the latest versions of core WordPress files and extensions, you can ensure that your website possesses all of the prevailing security patches.
Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your website.
To protect your WordPress installation, we recommend that you audit your plugins and themes on a regular basis.
Assess Your Plugin Security
You can assess the security of WordPress plugins and themes by reviewing a couple of important indicators:
Does the plugin or theme have a large install base?
Are there a lot of user reviews, and is the average rating high?
Are the developers actively supporting their plugin and pushing frequent updates or security patches?
Does the vendor list terms of service or a privacy policy?
Does the vendor include a physical contact address in the ToS or from a contact page?
Carefully read the Terms of Service - it may include unwanted extras that the authors didn’t

4 min read Joe Casabona
Security | wpinonemonth.com | Sep. 21, 2017

Explaining WordPress Security Issues to Your Clients

Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?

Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story today about CCleaner broke, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there’ve been many high profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, like there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
The

3 min read Donna Cavalier
Security | wordpress.org | Sep. 22, 2017

New Owner Adds Malicious Code to Fast Secure Contact Form Plugin

Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.

I am the original author of Fast Secure Contact Form. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 4.0.52, 4.0.53, 4.0.54 and 4.0.55, but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file, securimage_show.php, that loads the captcha image directly from an HTML img src outside of the WordPress run time. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version

Security | ithemes.com | Oct. 14, 2016

How to Secure WordPress Quickly and Easily

Simple steps that anyone can do to secure a WordPress site.

Knowing how to secure WordPress is one of the most important components of keeping your site safe and protected from hacks. In this post, we cover five quick and easy tips you can use today to secure your WordPress site.
How to Secure WordPress: 5 WordPress Security Tips
1. Delete your “admin” user.
The username “admin” is just a generic name created by WordPress. The “admin” username is well-known and makes it simple for someone to potentially hack into your WordPress site.
To remove the admin user, follow these steps:
Create a new user for yourself. It is important to come up with a username that is unique to make it more difficult for someone to figure out. (When coming up with your new username, you might also consider how you want your name displayed on the frontend of your site. For instance, if your name is John and that’s how it will be displayed on your posts, using John as your username would not be the best idea.)
Make sure you create a strong password for this user and set the role to admin.
Once you’ve

16 min read Ana Segota
Security | wpshout.com | Oct. 26, 2017

What I Learned Interviewing 10 WordPress Security Experts

All about WordPress security - from interviews with different WordPress security experts.

I’ve spent the last three months deep in the weeds of WordPress security. As regular readers will know, this is because I’m working on a new course: WordPress Security With Confidence (it’s coming out in two weeks). Part of this research has involved talking to a lot of WordPress security experts. Some of these experts focus on the big picture, whilst some focus on extremely specific aspects. As a whole they offer an incredible depth of knowledge about how WordPress security works, what’s important, and what we should all be focusing on.
Hopefully you’ll find something interesting in this diverse mix of perspectives. I talked to people from S-brands like Sucuri, SiteGround, SiteLock, and SecuPress. (I prefer brands whose first letters are in the second half of the alphabet. ;p) To give you a quick sense of topics: these cover everything from convincing clients to think about security, why your WordPress site shouldn’t have a username and password, and how WordPress itself deals with security fixes.
WordPress Security With Confidence will include hours of screencasts of me talking about security concepts, and showing you how to implement them in WordPress