
Security | wpsecurityninja.com | 11 days ago

How VPNs Can Help Secure Your Blog

It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.

As a blogger and a privacy wonk, I’ve written a lot about WordPress security for bloggers and VPNs for digital nomads, gamers, binge-watchers, and privacy-minded folks in general. But it never occurred to me bloggers could be questioning the relevance of VPNs for blogging until someone asked me about it. It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
What’s So Special about VPNs?
There are two fundamental functions of a VPN – geo-spoofing and data encryption.
A VPN is a network of servers across the globe.
A foreign IP enables you to bypass geo-blocks and unlock streaming sites, online TV, you get the idea. That’s geo-spoofing.
But a VPN also encrypts your traffic, making it unintelligible for anyone looking to snoop on your activities. That’s where the real value of VPNs kicks in – data encryption adds an extra layer of security to your browsing.
Now, let’s see if VPNs are relevant to blogging security.
VPNs Protect Your Admin Credentials
Securing your blog by enabling VPN encryption when you log in to your admin

5 min read Jonas Lejon
Security | opnsec.com | Oct. 13, 2017

New unpatched XSF vulnerability in WordPress

Unpatched new cross-domain Flash injection (XSF) in flashmediaelement.swf. Technical details about this will be released on Oct 19th 2017.

What is the vulnerability?
There is an unpatched vulnerability in the latest and older WordPress releases. The vulnerability is a cross-domain Flash injection (XSF), whose impact is similar to a Reflected XSS (or Same-Origin policy bypass).
The vulnerable file is located at /wp-includes/js/mediaelement/flashmediaelement.swf.
Who is affected?
Any up-to-date or older (for at least 2 years) version of WordPress is vulnerable by default. Every WordPress website is vulnerable to this, as is any other website hosted on the same subdomain as a WordPress website.
The only WordPress websites that are not affected are those where the vulnerable file, flashmediaelement.swf, is hosted on a sandboxed domain. This is the case for sites hosted on wordpress.com, for example.
What is the impact?
The impact is similar to an (authenticated) Reflected XSS, except you can’t manipulate the DOM or read some values like response headers. The attacker can send a malicious link that would execute arbitrary Flash code in the WordPress security sandbox. When a victim opens the malicious link, the attacker can perform “xhr style” requests with Flash to any URL in the WordPress domain, using

29 min read Alex Denning
Security | wpshout.com | Feb. 7, 2018

The Complete Guide to WordPress Security

To the extent any guide to WordPress security can be "complete", this is pretty good: thorough look at security basics most sites need to follow that avoids the cliched poor quality advice often found on the topic.

WordPress sites are one of the most common targets for attack on the internet. They’re hacked more than any other type of site. If you, your friends, or someone you know has never had the experience of a WordPress site getting “hacked”, you’ve either been extremely lucky or have abnormally careful people surrounding you in your life. Security matters because WordPress sites are online, are running literally hundreds of thousands of lines of code, and WordPress is a common enough platform that it’s going to be targeted by attackers. When Microsoft Windows was a relatively new and dominant platform with regular headlines about security issues, its defenders pointed out that the number of attacks was a big reason. While there were security mistakes being made by Microsoft, it was also the case that many common security errors were simply exploited first on the Windows platform.
So too with WordPress. WordPress powers about 27% of the internet. That’s great, but it also means that if someone finds a fundamental security flaw that’s common on all WordPress sites, or even a big percentage, they can easily have thousands of servers mustered in a matter

3 min read Roger Pharr
Security | wpsecure.us | Aug. 14, 2017

Comparing WordPress Security Advice from the Codex to OWASP Recommendations

A summary of where the advice is the same, and where it is different. In general, OWASP locks you down tighter than the WordPress recommendations.

We show you how to implement advice from the gold standards of WordPress Security: The WordPress Codex and OWASP. These best practices are the cornerstone of our tutorials and the service we give to our customers. The WordPress Codex is the online user manual published by the makers of WordPress. It really doesn’t get any more fundamental than this. The section on WordPress Security is here. OWASP – the Open Web Application Security Project – is similarly regarded for standards of internet security. They provide best practices for all types of web applications (including WordPress), as well as advice and training for security professionals. Their specific WordPress recommendations are here.
Besides being well-respected experts, these sources are trustworthy for another reason: they aren’t selling anything. It’s hard to trust advice from people who are also selling solutions. Their product does all the right things, the other products don’t, etc. That’s why we base our practice on independent advice.
Reading through those two pages can be a bit overwhelming. They have a lot of recommendations. What is not obvious is that most recommendations

5 min read David Bisset
Security | blog.sucuri.net | Feb. 27, 2017

SQL Injection Vulnerability in NextGEN Gallery for WordPress

Recently discovered: a severe SQL Injection vulnerability allowing an unauthenticated user to grab data from the victim’s website database. If you use NextGen or have a client who does, you might want to read this.

Security Risk: Critical
Exploitation Level: Easy/Remote
DREAD Score: 9
Vulnerability: SQL Injection
Patched Version: 2.1.79
As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.
Are You at Risk?
This vulnerability can be exploited by attackers in at least two different scenarios:
If you use a NextGEN Basic TagCloud gallery on your site, or
If you allow your users to submit posts to be reviewed (contributors).
If you fit either of these two cases, you’re definitely at risk.
This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query, which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys, in certain configurations.
Technical Details
Never trust the input – that is the
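The point above, that user input interpolated into the query text before the statement is prepared is no better than a raw query, shown as an added example. This is not Sucuri's code and not NextGEN Gallery's actual query; it is a Python model with an in-memory SQLite database, a constructed gallery tag table, and a constructed wp_users table whose password hashes are placeholders. The vulnerable function splices the tag cloud value into the SQL text; the fixed one binds it as a parameter.

```python
"""A prepared statement only protects you when user input reaches the database
as a bound parameter; input spliced into the query text first is just raw SQL."""
import sqlite3
from typing import List, Tuple

# Constructed sample rows standing in for wp_users and a gallery tag table.
# The hashes are placeholders, not real password hashes.
SAMPLE_USERS = [
    (1, "admin", "$P$B-placeholder-hash-for-admin"),
    (2, "editor", "$P$B-placeholder-hash-for-editor"),
]
SAMPLE_TAGS = [("beach", 10), ("beach", 11), ("mountains", 12)]

# Attacker-controlled tag cloud value: closes the quoted string, appends a UNION
# that reads logins and password hashes, and comments out whatever follows.
PAYLOAD = "x' UNION SELECT user_login, user_pass FROM wp_users -- "


def open_demo_db() -> sqlite3.Connection:
    """In-memory database so the example runs offline."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute("CREATE TABLE gallery_tags (tag TEXT, pid INTEGER)")
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO gallery_tags VALUES (?, ?)", SAMPLE_TAGS)
    return db


def pictures_for_tag_vulnerable(db: sqlite3.Connection, tag: str) -> List[Tuple]:
    """The tag is interpolated into the SQL text before execution. Wrapping the
    result in a 'prepare' call changes nothing: the injection is already in the query."""
    sql = "SELECT tag, pid FROM gallery_tags WHERE tag = '%s' ORDER BY pid" % tag
    return db.execute(sql).fetchall()


def pictures_for_tag_fixed(db: sqlite3.Connection, tag: str) -> List[Tuple]:
    """Placeholder plus bound argument: the tag can only ever be compared as data."""
    sql = "SELECT tag, pid FROM gallery_tags WHERE tag = ? ORDER BY pid"
    return db.execute(sql, (tag,)).fetchall()


def leaked_logins(rows: List[Tuple]) -> List[str]:
    """Which wp_users logins ended up in a result set that should only hold tags."""
    logins = {login for _, login, _ in SAMPLE_USERS}
    return sorted(r[0] for r in rows if r[0] in logins)


if __name__ == "__main__":
    db = open_demo_db()
    print("legitimate:", pictures_for_tag_fixed(db, "beach"))
    print("vulnerable + payload:", pictures_for_tag_vulnerable(db, PAYLOAD))
    print("fixed + payload:", pictures_for_tag_fixed(db, PAYLOAD))
```

With the payload, the vulnerable function returns the two login/hash pairs from wp_users in place of gallery rows, which is the "leak hashed passwords" outcome the advisory describes; the fixed function returns nothing because no tag literally equals the payload string.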

7 min read Donna Cavalier
Security | wordfence.com | Mar. 17, 2017

Support End-to-End Encryption on the Web

TIL: This is something I didn't know (or even think about) until now, and I can see how this might be important.

The Wordfence Team would like to encourage website owners and Internet users to support end-to-end encryption on the Web. Today we are announcing that our official position is the following: Wordfence is a strong supporter of end-to-end encryption for the online community.
We suggest that you avoid services that break end-to-end encryption by intercepting and decrypting traffic.
We encourage website owners to implement HTTPS on their websites in a way that provides end-to-end encryption for their site visitors and customers.
We encourage corporate network owners and CISOs to avoid products that perform HTTPS interception and break end-to-end encryption.
We encourage site owners to avoid Cloud products that perform HTTPS interception and decryption, like Cloud WAFs.
What is end-to-end encryption?
When your web browser connects directly to a website using HTTPS, your connection is end-to-end encrypted. If the website is using a Cloud WAF or similar service that decrypts traffic to inspect it, your connection is not end-to-end encrypted because your traffic is decrypted at the cloud WAF, not at the website you are visiting.
Similarly if you are on an office network and the company is using

5 min read robert Abela
Security | wpwhitesecurity.com | Oct. 28, 2016

Store WordPress Backup Files Offsite & Delete Old Files

Onsite WordPress backup files and old revision files can pose a big security risk to your WordPress websites or blogs. Read on to see how easy it is for attackers to gain access to such files and use the information they contain to craft an attack against your website.

One common problem that we notice on the majority of the WordPress websites we audit is the number of backup and old revision files stored on the website. This is a security problem because typically such files can be downloaded by anyone, and the information stored in them could help malicious hackers craft a successful attack, as explained in this article.
What are Old Revision and WordPress Backup Files?
Old Revision Files
Not everyone has the luxury of a staging website. In such cases designers and administrators troubleshoot and test changes on the live website. During this process it is common practice to make a copy of a file before editing it and to rename the copy with an “old” extension. For example, before modifying wp-config.php, you make a copy of the file and rename it to wp-config.php.old, wp-config.old, or wp-config.bak.
WordPress Backup Files
By default, the majority of hosting providers and WordPress backup plugins store WordPress backup files on the website itself. Typically these backups are zip files and are stored in the /wp-content/uploads/ directory, or in the plugin’s directory. Also, the filenames of these backup files are easy to guess
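An added example, not WP White Security's code and not part of any WordPress release, that turns this article and the opnsec.com XSF advisory earlier on this page into one check: walk a WordPress document root and flag renamed copies of wp-config.php, files with "old revision" suffixes, backup archives and database dumps under wp-content/uploads, and Flash files under wp-includes such as flashmediaelement.swf. The suffix lists are assumptions to extend with your own team's habits; the demo tree is constructed so the scanner runs offline.

```python
"""Walk a WordPress document root and flag files that should not be web-reachable."""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Extensions people use for ad-hoc copies made before editing a file
# (assumption: illustrative list, extend it with whatever your team actually uses).
REVISION_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", "~")
# Archive and dump formats backup plugins typically drop into wp-content/uploads.
BACKUP_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz")


def classify(rel_path: str) -> Optional[str]:
    """Return a reason if rel_path (POSIX style, relative to the web root) looks
    like something an attacker could fetch directly, else None."""
    name = rel_path.rsplit("/", 1)[-1]
    lower = rel_path.lower()
    # Flash artefacts under wp-includes (the cross-domain Flash injection vector).
    if lower.startswith("wp-includes/") and lower.endswith(".swf"):
        return "Flash file in wp-includes (cross-domain Flash injection vector)"
    # Any wp-config variant other than the live file or the shipped sample is
    # served as plain text, credentials and salts included.
    if name.lower().startswith("wp-config") and name not in ("wp-config.php", "wp-config-sample.php"):
        return "copy of wp-config exposed (database credentials and salts)"
    if lower.endswith(REVISION_SUFFIXES):
        return "old revision of a source file (served as text, not executed)"
    if lower.startswith("wp-content/uploads/") and lower.endswith(BACKUP_SUFFIXES):
        return "backup archive or database dump inside a web-served upload directory"
    return None


def scan_wordpress_root(root: str) -> List[Tuple[str, str]]:
    """Walk root and return sorted (relative_path, reason) pairs for risky files."""
    root_path = Path(root)
    findings = []
    for path in root_path.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        reason = classify(rel)
        if reason:
            findings.append((rel, reason))
    return sorted(findings)


def build_demo_root() -> str:
    """Constructed sample tree (not a real site) so the scanner can run offline."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = [
        "wp-config.php",                        # live config: must stay
        "wp-config-sample.php",                 # shipped sample: no secrets
        "wp-config.php.old",                    # leftover copy
        "wp-includes/js/mediaelement/flashmediaelement.swf",
        "wp-includes/js/mediaelement/mediaelement.js",
        "wp-content/uploads/2016/10/backup-2016-10-28.zip",
        "wp-content/uploads/2016/10/photo.jpg",
        "wp-content/themes/twentysixteen/functions.php.bak",
    ]
    for rel in files:
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder\n")
    return root


if __name__ == "__main__":
    for rel, why in scan_wordpress_root(build_demo_root()):
        print(f"{rel}: {why}")
```

Run it against the real document root as the web server's user; every hit is either something to delete, move off the web root, or deny at the web server level. Matching on the path alone is deliberate: on a default host all of these files are downloadable regardless of their content.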

Security | fixmywp.com | Jun. 26, 2017

How to Find Out If Your Website Is Hacked

If you think your website has been hacked, it's good to determine the nature of the hack as soon as possible. There are many different types of hacks, and some hacks can be malicious. Other hacks are just defacements of your actual webpages. This article lists some of the strongest indicators of a hacked website (WordPress or not).

If you think your website has been hacked, it's good to determine the nature of the hack as soon as possible. There are many different types of hacks, and some hacks can be malicious. Other hacks are just defacements of your actual webpages.
Indicators of compromise
Some hacks are quite apparent since they deface your page, while others are more subtle. Here are some common signs that your website has been compromised:
Your home page has changed. If you visit your website, and instead of seeing the page you have created you see something entirely different it's likely that your page has been "defaced." Normally, these types of hackers will have a "hacked by..." message displaying to take credit for the hack.
Your access to admin pages no longer exists. If you cannot access the admin section of your website, it's possible the hacker has gained access to the administrator account or cPanel and altered the passwords.
Your computer's anti-virus software warns you when you visit your website. This is a typical situation where your website is trying to install a trojan or another type of virus on your local computer.
A page will not load but it used to. If you haven't changed

12 min read Web News Insider
Security | deliciousthemes.com | 3 days ago

The Site Ahead Contains Malware! Here’s How to Fix It!

Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? This article is going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors.

Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? We’re going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors! But first… WordPress is a dominant content management system that powers around 30% of all websites on the Internet. It offers a plethora of incredible features, but it doesn’t mean that WordPress is resistant to malware attacks. On the contrary, security has always been one of the system’s weak spots.
Research revealed that over 90 thousand hacker attacks are happening each minute. Another study proved that 73% of the most popular WordPress-based websites are vulnerable to attacks. This is the reason why you often see a notification: The Site Ahead Contains Harmful Programs.
If you are a website owner, you should react immediately upon seeing this message on your site. This is why you need to eliminate the malware notification:
It ruins website credibility and reputation, chasing away even the most loyal visitors.
An average user does not care

Security | didgit.com | Apr. 8, 2018

VestaCP hit by 0-day exploit

The VestaCP zero-day exploit is a serious DDoS attack which may lead your hosting provider to suspend or even drop your server/VPS. If you're using Vesta Control Panel then make sure you follow the guide published below and avoid any server/VPS downtime or suspension.

The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file (gcc.sh) is loaded in cro

10 min read Juriy Polovec
Security | wpsuperstars.net | Jan. 4, 2018

8 Quick Ways To Secure Your WordPress Website

There is no doubt that we have all left a window open in our house while we have popped to the shop to grab some milk. Think back to the number of occasions where you have left your car unlocked for a moment while paying for a parking ticket or dropping something off.

There is no doubt that we have all left a window open in our house while we have popped to the shop to grab some milk. Think back to the number of occasions where you have left your car unlocked for a moment while paying for a parking ticket or dropping something off.
Probably more than just once, right?
It is natural for us to forget about managing risky situations and put them on the back burner.
Human nature encourages us to feel positive wherever possible, and we like to think that most people and circumstances are to be trusted and that nothing untoward will happen.
Although that is true in most cases, there are times when the odds aren’t in our favor, and when that occurs, it will be too late to do anything about it.
If your home or car is broken into due to lax security, you will be left picking up the pieces knowing that you could have prevented a very unfortunate situation.
With regards to WordPress, the same logic applies, and hoping that your site won’t get hacked is most definitely not the best course of action.
Obviously, nobody wants their site attacked, and if that happens, there are likely to be serious consequences; your website could get blacklisted from

Security | wordfence.com | 24 days ago

Hijacked WordPress.com Accounts Being Used To Infect Sites

There's no security breach on WordPress.com, but if your individual account is compromised, it could mean your self-hosted sites are as well, if you've connected them via Jetpack.

15 min read Alex Denning
Security | wpshout.com | Oct. 19, 2017

Preventing XSS Attacks in WordPress: Complete Guide to Validating, Sanitizing, and Escaping Data

Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.

When it comes to making your WordPress site secure as a developer, probably the most impactful thing you can do is make sure you always clean up the data you get from users. That means, generally, two things: validating or sanitizing it on the way into your system, and escaping it on the way out. In a recent survey of disclosed vulnerabilities in WordPress core, plugins, and themes that I did for WordPress Security with Confidence (my new course on WordPress security, launching next month), the most common type of vulnerability (about 33%) was cross-site scripting. Cross-site scripting vulnerabilities (often abbreviated XSS) are ones where you make it possible for an attacker to execute unauthorized JavaScript on your pages, because you failed to escape or sanitize something in your application’s data flow.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against
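The "sanitize on the way in, escape on the way out" rule as an added example; this is not WPShout's code and not WordPress's implementation. The three helpers are Python stand-ins for WordPress's sanitize_text_field(), esc_html() and esc_attr(), and the comment template and hostile input are constructed. It shows why both halves are needed: input-side sanitizing strips the script tag from the body but lets an attribute-breaking author name through, and only context-aware escaping at render time stops that.

```python
"""Validate or sanitize on the way in, escape for the output context on the way out.
The three helpers are Python stand-ins for WordPress's sanitize_text_field(),
esc_html() and esc_attr(), not the real implementations."""
import html
import re
from typing import Dict

TAG_RE = re.compile(r"<[^>]*>")
CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_text_field(value: str) -> str:
    """Input-side cleanup: strip tags, control characters and surplus whitespace.
    Coarse by design: it leaves quotes alone, so it cannot make a value safe in
    every output context on its own."""
    value = TAG_RE.sub("", value)
    value = CONTROL_RE.sub("", value)
    return " ".join(value.split())


def esc_html(value: str) -> str:
    """Output escaping for a text node: & < > become entities."""
    return html.escape(value, quote=False)


def esc_attr(value: str) -> str:
    """Output escaping inside a double-quoted attribute: quotes must go too,
    otherwise the value can close the attribute and start a new one."""
    return html.escape(value, quote=True)


def store_comment(author: str, text: str) -> Dict[str, str]:
    """What the input side keeps. Escaping still has to happen at render time,
    because data can also reach the template by paths that skipped this step."""
    return {"author": sanitize_text_field(author), "text": sanitize_text_field(text)}


COMMENT_TEMPLATE = '<li class="comment" data-author="%s">%s</li>'


def render_comment_unsafe(comment: Dict[str, str]) -> str:
    """Raw interpolation: whatever the user typed becomes markup."""
    return COMMENT_TEMPLATE % (comment["author"], comment["text"])


def render_comment_safe(comment: Dict[str, str]) -> str:
    """Same template, each value escaped for the slot it lands in."""
    return COMMENT_TEMPLATE % (esc_attr(comment["author"]), esc_html(comment["text"]))


if __name__ == "__main__":
    # Constructed attacker input: the author name breaks out of the attribute,
    # the body carries a script tag.
    hostile = {"author": 'Mallory" onmouseover="alert(1)', "text": "<script>alert(1)</script>"}
    print("unsafe :", render_comment_unsafe(hostile))
    print("safe   :", render_comment_safe(hostile))
    print("stored :", store_comment(hostile["author"], hostile["text"]))
```

The unsafe render turns the author name into a live onmouseover handler even though sanitize_text_field() passed it unchanged; esc_attr() converts the quotes to &quot; so the attribute stays closed, and esc_html() neutralises the script tag if it ever reaches the template unsanitized.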

2 min read robert Abela
Security | wpsecuritybloggers.com | May. 3, 2018

WP Security Bloggers is now Manually Curated

Good news - WP Security Bloggers, an aggregate of WordPress security news is now manually curated.

Finally, WP Security Bloggers got some TLC! I started this project back in 2014, so I could have a central repository for all the WordPress security news instead of following all the blogs. Over the years the idea developed into creating a WordPress security news aggregator. But because the number of blogs from which WP Security Bloggers aggregates news is now over twenty, it is almost impossible to curate the news automatically.
The good news is that from today onward all the news will be curated manually. This means the value and quality for you subscribers will be much higher – you will no longer see duplicate posts and posts that are not about WordPress security.
Other Updates
Today we have also made several minor but significant changes to the website, such as:
We removed sources that no longer are working,
Deleted some of the latest posts that made it through the automated curation,
Added an About page etc.
Subscribe to WP Security Bloggers
To keep yourself up to date with WordPress security, subscribe to the WP Security Bloggers roundup emails, or follow us on Twitter and Facebook.

13 min read Tom Zsomborgi
Security | charlesfloate.co.uk | Dec. 29, 2017

Backdoored Plugins By SEO Community Members

An interesting case on backdooring plugins and hacked links, written by famous blogger Charles Floate.

This subject was extremely difficult for me to find an opening to approach with. It’s something I wish I didn’t have to blog about in the first place, but it’s something that has not slowed down, even with the likes of WordFence revealing details surrounding it. I have actually been speaking with Dan, who wrote the post on WF, over the past few days; he’s been extremely helpful with this post.
Backdooring Plugins
Most people blindly trust updates to plugins and will update it to defend against Cyberattacks. This weakness has been exploited by the 3 people mentioned in this article, to gain backdoors to people’s websites and use them as their own personal link network – Though it actually goes greatly beyond that.
Essentially, what these SEOs would do is send an outreach email to plugin owners that haven’t updated in a while or have a smaller number of sites with the plugin currently installed. They’d then offer to buy the plugin and proceed to push an update which included a backdoor to the sites, so they could insert links onto the sites that installed them – all through a dashboard they had set up on a server that we actually located,

4 min read Joe Casabona
Security | wpinonemonth.com | Sep. 21, 2017

Explaining WordPress Security Issues to Your Clients

Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?

Security has been on the minds of a lot of people lately. Most prominently there’s the Equifax news. But a story about CCleaner broke today, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there have been many high-profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, as there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
The

7 min read robert Abela
Security | godaddy.com | Jan. 10, 2018

How to decode your security logs to improve WordPress security - The Garage

Logs contain a wealth of information and are not just there for forensics reasons. Logs can help you improve the security posture of your WordPress website. Good read.

Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to optimally leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on its capabilities). Some audit-trail plugins keep a record of just about every detail,
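What "reading the logs" looks like once the audit trail exists, as an added example that is not from the GoDaddy article and not tied to any audit-trail plugin. The key=value line layout and every line in SAMPLE_LOG are constructed (the IPs are from the documentation ranges and the plugin name is fictional); parse_line() is the part to adapt to whatever your plugin actually writes. The two detectors cover the patterns an audit log is best at surfacing: a burst of failed logins from one source across several usernames, and an account promoted to administrator followed by what that account does next.

```python
"""Turn an audit trail into alerts: parse audit-log lines, then look for
brute-force login attempts and privilege changes."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List

# Constructed sample lines in a simple key=value layout. Real audit-trail plugins
# use their own formats, so parse_line() is the part you would adapt.
SAMPLE_LOG = """\
2018-01-10T03:14:05Z ip=203.0.113.7 user=admin event=login_failed
2018-01-10T03:14:06Z ip=203.0.113.7 user=admin event=login_failed
2018-01-10T03:14:08Z ip=203.0.113.7 user=administrator event=login_failed
2018-01-10T03:14:09Z ip=203.0.113.7 user=wpadmin event=login_failed
2018-01-10T03:14:11Z ip=203.0.113.7 user=admin event=login_failed
2018-01-10T03:20:00Z ip=198.51.100.4 user=editor event=login_failed
2018-01-10T03:21:30Z ip=198.51.100.4 user=editor event=login_success
2018-01-10T09:02:44Z ip=198.51.100.4 user=editor event=post_published post=412
2018-01-10T11:40:10Z ip=192.0.2.9 user=contributor1 event=role_changed old=contributor new=administrator
2018-01-10T11:41:02Z ip=192.0.2.9 user=contributor1 event=plugin_installed plugin=example-uploader
"""


def parse_line(line: str) -> dict:
    """'<timestamp> key=value ...' into a dict with a parsed datetime under 'time'."""
    ts, *pairs = line.split()
    event = {"ts": ts, "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_bruteforce(events: List[dict], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[str]:
    """One alert per source IP that reaches `threshold` failed logins inside a
    sliding `window`, regardless of which usernames were tried."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for ev in events:
        if ev.get("event") != "login_failed":
            continue
        ip = ev["ip"]
        times = recent[ip]
        times.append(ev["time"])
        while times and ev["time"] - times[0] > window:
            times.popleft()
        if len(times) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(f"{ip}: {len(times)} failed logins within {window} "
                          f"starting {times[0].isoformat()}")
    return alerts


def detect_privilege_changes(events: List[dict]) -> List[str]:
    """Flag role changes that land on administrator, then anything sensitive the
    newly promoted account does afterwards."""
    escalated = set()
    alerts = []
    for ev in events:
        if ev.get("event") == "role_changed" and ev.get("new") == "administrator":
            escalated.add(ev["user"])
            alerts.append(f"{ev['user']} became administrator from {ev['ip']} at {ev['ts']} "
                          f"(was {ev.get('old')})")
        elif ev.get("user") in escalated and ev.get("event") in (
                "plugin_installed", "plugin_activated", "user_created", "theme_edited"):
            target = ev.get("plugin") or ev.get("theme") or ev.get("target", "")
            alerts.append(f"{ev['user']} (recently promoted) did {ev['event']} {target}".rstrip())
    return alerts


def review(text: str) -> List[str]:
    events = parse_log(text)
    return detect_bruteforce(events) + detect_privilege_changes(events)


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

The single failed login from 198.51.100.4 followed by a success is what a forgotten password looks like and stays quiet; the five failures in six seconds from 203.0.113.7, spread across three usernames, are what the per-IP sliding window is for. Thresholds are assumptions to tune against your own log volume.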

3 min read Donna Cavalier
Security | wordpress.org | Sep. 22, 2017

New Owner Adds Malicious Code to Fast Secure Contact Form Plugin

Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.

I am the original author of Fast Secure Contact Form. This plugin got a new owner in June 2017, with the WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd-party server he also owned and place spam ads for payday loans and such in WP posts. The new owner put spam code in versions 4.0.52, 4.0.53, 4.0.54 and 4.0.55, but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is that the secureimage.php file is not included in the WordPress run-time environment. The secureimage.php file is included from another file, securimage_show.php, that loads the captcha image directly from an HTML img src outside of the WordPress run time. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version

6 min read Lizzie Kardon
Security | robojuice.com | Jan. 24, 2018

Is WordPress Secure Enough for Microsoft? An Interview with Brad Williams.

Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.

Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Brad

Security | wordfence.com | Dec. 19, 2017

Backdoor in Captcha Plugin Affects 300K WordPress Sites

Same scum running similar scammy backdoor code in more newly purchased plugin(s).

5 min read robert Abela
Security | wpwhitesecurity.com | May. 3, 2018

The Importance of Using a Unique WordPress User per Person

A few good reasons why you should never share WordPress logins with contributors - instead create a unique login for every contributor.

A WordPress security best practice that is easy to implement is having a unique WordPress login (username and password) for every person who accesses your website or multisite network. Sharing the same WordPress login details with groups of people can lead to a number of security issues and increases the maintenance of the website, as this post explains.
Use of Weak Passwords
As a WordPress website administrator you know very well how important it is to use strong and complex passwords. In fact, you most probably use a password manager so you can use very long passwords which are impossible to remember. But if you have a shared WordPress login for a group of people, then because many still do not use password managers, and because you do not want the support hassle, you end up using an easy password for the shared WordPress user.
Easy-to-guess passwords were and still are the most common source of WordPress website hacks. So avoid using shared WordPress logins and always encourage your contributors to use a password manager, to reduce the use of weak and easy-to-guess passwords.
More Complex Operations & High-Maintenance Websites
Managing shared WordPress logins is more complex and requires

Security | wordfence.com | Nov. 9, 2017

WordPress Plugin Banned for Crypto Mining

Now we find a plugin that is using visitors' CPU cycles for profit.

16 min read Ana Segota
Security | wpshout.com | Oct. 26, 2017

What I Learned Interviewing 10 WordPress Security Experts

All about WordPress security - from interviews with different WordPress security experts.

I’ve spent the last three months deep in the weeds of WordPress security. As regular readers will know, this is because I’m working on a new course: WordPress Security With Confidence (it’s coming out in two weeks). Part of this research has involved talking to a lot of WordPress security experts. Some of these experts focus on the big picture, whilst some focus on extremely specific aspects. As a whole they offer an incredible depth of knowledge about how WordPress security works, what’s important, and what we should all be focusing on.
Hopefully you’ll find something interesting in this diverse mix of perspectives. I talked to people from S-brands like Sucuri, SiteGround, SiteLock, and SecuPress. (I prefer brands whose first letters are in the second half of the alphabet. ;p) To give you a quick sense of topics: these cover everything from convincing clients to think about security, why your WordPress site shouldn’t have a username and password, and how WordPress itself deals with security fixes.
WordPress Security With Confidence will include hours of screencasts of me talking about security concepts, and showing you how to implement them in WordPress

3 min read Ana Segota
Security | sucuri.net | Nov. 19, 2017

Sucuri Security

A very useful and comprehensive step-by-step guide to WordPress security :)

The WordPress security team works diligently to provide important security updates and vulnerability patches. However, the use of third-party plugins and themes exposes users to additional security threats. By regularly installing the latest versions of core WordPress files and extensions, you can ensure that your website possesses all of the prevailing security patches.
Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your website.
To protect your WordPress installation, we recommend that you audit your plugins and themes on a regular basis.
Assess Your Plugin Security
You can assess the security of WordPress plugins and themes by reviewing a couple of important indicators:
Does the plugin or theme have a large install base?
Are there a lot of user reviews, and is the average rating high?
Are the developers actively supporting their plugin and pushing frequent updates or security patches?
Does the vendor list terms of service or a privacy policy?
Does the vendor include a physical contact address in the ToS or from a contact page?
Carefully read the Terms of Service - it may include unwanted extras that the authors didn’t