We live in a data-driven world. Almost every transaction and interaction you have with most organisations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email. Sharing data helps make life easier, more convenient and connected. But your data is your data. It belongs to you, so it is important that your data is used only in ways you would reasonably expect, and that it stays safe. Data protection law makes sure everyone’s data is used properly and legally.
By releasing regular updates and pushing forward security practices, WordPress is clearly doing its best. But is it sufficient?
Security has always been a major topic for the state of WordPress. The WordPress community as a whole has steadily moved towards proactive measures. By issuing security updates more often and pushing forward security practices, WordPress is clearly doing its best. But is it sufficient? This has been a question for the majority of bloggers out there. Today, over 30% of all websites are built with WordPress (a staggering amount indeed). More and more individuals are adopting WordPress and the number keeps on growing. The more it grows, the harder it is to ensure that every website gets the maximum level of protection.
Whatever Content Management System (CMS) is being used, no one can guarantee absolute 100% website security. WordPress being the most widely deployed of them, it is naturally the most targeted. There’s no denying that it has its fair share of security flaws.
Basically, any large CMS is going to intermittently contain bugs that lead to security loopholes. WordPress has an open source ecosystem for theme and plugin development, so the majority of those holes occur in faulty themes, plugins and third-party services rather than in the core itself.
As a blogger and a privacy wonk, I’ve written a lot about WordPress security for bloggers and VPNs for digital nomads, gamers, binge-watchers, and privacy-minded folks in general. But it never occurred to me bloggers could be questioning the relevance of VPNs for blogging until someone asked me about it. It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
What’s So Special about VPNs?
There are two fundamental functions of a VPN – geo-spoofing and data encryption.
A commercial VPN service is a network of servers across the globe. When you connect, your traffic exits from one of those servers, so the sites you visit see that server’s IP address rather than your own.
A foreign IP enables you to bypass geo-blocks and unlock streaming sites, online TV, you get the idea. That’s geo-spoofing.
But a VPN also encrypts your traffic between your device and the VPN server, making it unintelligible to anyone snooping on that path, for example on public Wi-Fi. That’s where the real value of VPNs kicks in: data encryption adds an extra layer of security to your browsing. Keep in mind that the VPN provider itself, and the site you end up visiting, still see your traffic, so a VPN complements HTTPS rather than replacing it.
Now, let’s see if VPNs are relevant to blogging security.
VPNs Protect Your Admin Credentials
Securing your blog by enabling VPN encryption when you log in to your admin
I have my own story to tell, but let’s set it aside and hear from other WordPress users instead. I asked them how they protect their blogs without necessarily installing a plugin.
WordPress (WP) is the most popular blogging platform. Recent updates have made it one of the most used tools for eCommerce shops, news and business websites. This popularity brings serious security concerns that must be handled at various levels to keep a project alive. Plugins are one of the main tools used to close loopholes and enforce security on the CMS. Unfortunately, they come with a plethora of other issues.
I have been very curious about this. I wanted to know how WordPress bloggers handle the protection of their WP site without the use of plugins.
WordPress Security Vox pop!
I went about talking with some WordPress experts and users on a couple of issues related to the platform. One of the things I found easy is setting up a WordPress site. If you have issues at this point, you may want to check out this WordPress Installation guide by Freddy Muriuki.
A lot of people find it quite easy to set up and manage WordPress sites. The interface is super user-friendly, with absolutely no tech knowledge required to move forward.
However, some beginners I spoke with remain puzzled at the mere mention of the word. Susan Valez, an avid WordPress user and blogger, wrote this comprehensive
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? This article is going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors.
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? We’re going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors! But first… WordPress is a dominant content management system that powers around 30% of all websites on the Internet. It offers a plethora of incredible features, but that does not make WordPress immune to malware. On the contrary, security has always been one of the system’s weak spots.
One study found that over 90 thousand attacks against WordPress sites are happening each minute. Another study found that 73% of the most popular WordPress-based websites are vulnerable to known attacks. Infections like these are what trigger the notification: The Site Ahead Contains Harmful Programs. The notification itself comes from Google Safe Browsing, which browsers such as Chrome consult before loading a page.
If you are a website owner, you should react immediately upon seeing this message on your site. Here is why you need to eliminate the malware notification:
It ruins website credibility and reputation, chasing away even the most loyal visitors.
An average user does not care
Heather explains what HTTPS and SSL are, what changes are coming to Chrome in July, and why that change matters for all website owners, even those with only a basic contact or comment form on their site.
In February 2018, Google made an announcement regarding HTTPS, the encrypted connection enabled by an SSL/TLS certificate. This announcement said: For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
What Does This Mean?
Basically, Google is saying that because a connection to a website over HTTPS is encrypted and therefore more secure, it has been gradually marking pages where visitors’ information is transmitted as “not secure.” This could be anything from an ecommerce checkout page to a simple contact form. Starting in July, any page that accepts a user’s data will be marked as “not secure” in Chrome if it is not served over HTTPS.
The bottom line is that if you have a website with any kind of form on it where visitors submit information (this includes a simple contact form), you’ll need to have an SSL certificate
In the second volume of our GDPR article we are moving from theory to practice. Read the article to learn new facts about GDPR and cookies!
WordPress has quite a wide variety of GDPR plugins. They allow you to customize the style and options of the GDPR notice according to your requirements and site theme. Some of them allow visitors to enable and disable cookies on your site. The “Reject” or “Block” cookies option deserves special attention, because obtaining permission before using non-essential cookies is one of the main requirements of the GDPR.
How does this function work and does it work at all?
In practice, depending on whether the user gives permission to use cookies, cookies should be saved or blocked.
Some cookies are necessary for the website to function: for browsing and using its features. Without them it is impossible to provide services such as a shopping cart or online payment. Another category of cookies collects information about how you browse the website, for example which pages are visited most often. Such data can be used to optimise the website; the collected information is intended for statistical purposes. Some cookies allow websites to remember the choices
A VestaCP zero-day exploit is being used to turn servers into DDoS sources, which may lead your hosting provider to suspend or even drop your server/VPS. If you are using Vesta Control Panel, make sure you follow the guide published below to avoid any server/VPS downtime or suspension.
The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan in which a .sh file (gcc.sh) is loaded in cro
This seems like something that needs attention. Sites with multiple user accounts would be affected by this potential vulnerability.
WordPress is the most popular CMS on the web. According to W3Techs, it is used by approximately 30% of all websites. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the WordPress core that can lead to attackers executing arbitrary code. The vulnerability was reported to the WordPress security team 7 months ago but still remains unpatched. The long time elapsed since the initial report without any patch or concrete plans has led us to the decision to make it public.
Who is affected
At the time of writing no patch for this vulnerability is available. Any WordPress version, including the current 4.9.6 release, is susceptible to the vulnerability described in this blog post.
To exploit the vulnerability discussed below, an attacker first needs the privileges to edit and delete media files. The vulnerability can therefore be used to escalate privileges obtained by taking over an account with a role as low as Author, or by exploiting another vulnerability or misconfiguration.
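As an added illustration of the bug class, not the WordPress code in question (which the post does not reproduce here), the PHP below shows a hypothetical media-deletion function that trusts a stored path, beside a version that confines deletion to the upload directory. Directory names and the scratch layout are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

/*
 * Added illustration of the "authenticated arbitrary file deletion" bug class.
 * This is NOT WordPress core code; the functions and paths are hypothetical.
 */

// VULNERABLE: a path taken from attachment metadata reaches unlink() unchecked.
// A user who can edit media metadata can point it at "../wp-config.php".
function deleteAttachmentFileVulnerable(string $uploadDir, string $storedPath): bool
{
    $target = $uploadDir . '/' . $storedPath;
    return is_file($target) && unlink($target);
}

// HARDENED: canonicalise both paths and require the target to stay inside the
// upload directory. realpath() also follows symlinks, so a symlink planted inside
// uploads that points at wp-config.php is refused as well.
function deleteAttachmentFileSafe(string $uploadDir, string $storedPath): bool
{
    $base   = realpath($uploadDir);
    $target = realpath($uploadDir . '/' . $storedPath);
    if ($base === false || $target === false || !is_file($target)) {
        return false;                                   // nothing to delete
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        error_log("refused to delete outside {$base}: {$storedPath}");
        return false;
    }
    return unlink($target);
}

// --- demo on a scratch layout: <tmp>/site/wp-config.php and <tmp>/site/uploads/ ---
$root = sys_get_temp_dir() . '/wpdel_' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // stand-in for the real config\n");
file_put_contents("$root/uploads/photo.jpg", 'jpeg bytes');

$evil = '../wp-config.php';   // value an attacker would store in the attachment metadata

echo 'safe delete of traversal path: ',
    var_export(deleteAttachmentFileSafe("$root/uploads", $evil), true), PHP_EOL;
echo 'wp-config.php still present:   ',
    var_export(file_exists("$root/wp-config.php"), true), PHP_EOL;
echo 'safe delete of photo.jpg:      ',
    var_export(deleteAttachmentFileSafe("$root/uploads", 'photo.jpg'), true), PHP_EOL;
echo 'vulnerable delete of traversal path: ',
    var_export(deleteAttachmentFileVulnerable("$root/uploads", $evil), true), PHP_EOL;
echo 'wp-config.php still present:   ',
    var_export(file_exists("$root/wp-config.php"), true), PHP_EOL;

// clean up the scratch directory
array_map('unlink', glob("$root/uploads/*") ?: []);
@unlink("$root/wp-config.php");
rmdir("$root/uploads");
rmdir($root);
```

The prefix comparison includes the trailing directory separator on purpose: without it, a sibling directory such as uploads-old would pass the check. Running the script shows the hardened function refusing the traversal path while the vulnerable one removes the configuration file, which is exactly the step that opens the door to the code execution the post describes.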
Impact - What can an attacker do
One of the least fun things is cleaning up a hacked WordPress site. Many of these points go without saying, but there are some useful tips.
One of the least fun things is cleaning up customers’ hacked legacy WordPress sites. Many of these points go without saying. Today I don’t use FTP and expose PHP files above the site root.
Change password for FTP account
Beware: big lists of leaked passwords are circulating on the Internet. A quick check at Pwned can reveal whether yours is among them.
Change username for your FTP account
Don’t use the same username as your domain; make it hard to guess or brute-force.
Keep an eye on index.php and .htaccess
The most common hack nowadays seems to be altering index.php or .htaccess. The site owner or a visitor does not see anything special, but the Google bot does.
Keeping an eye on changes to index.php or .htaccess gives you a quick alert if anything suddenly changes.
<?php echo md5_file('index.php') . '-' . md5_file('.htaccess');
Then point a site monitor at the output of this script. If the string changes, you know something fishy has happened. Host the script under a name an attacker will not guess and keep the known-good hashes off the server: anyone who can rewrite index.php can just as easily rewrite a checker sitting next to it.
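An added example, not from the original post, that generalises the one-liner above: it hashes a list of critical files with SHA-256, stores a baseline, and reports which files were modified, removed or newly created. The watched file names and the baseline location are assumptions; the demo runs on a scratch directory standing in for the web root.

```php
<?php
declare(strict_types=1);

/*
 * Added example: baseline-based integrity check for a handful of files an
 * attacker typically touches (index.php, .htaccess, wp-config.php). Not code
 * from the original post; file names and baseline path are assumptions.
 */

function hashFiles(array $paths): array
{
    $hashes = [];
    foreach ($paths as $path) {
        // A missing file is recorded as null so that its removal is noticed too.
        $hashes[$path] = is_file($path) ? hash_file('sha256', $path) : null;
    }
    return $hashes;
}

function loadBaseline(string $baselineFile): ?array
{
    if (!is_file($baselineFile)) {
        return null;
    }
    $data = json_decode((string) file_get_contents($baselineFile), true);
    return is_array($data) ? $data : null;
}

function saveBaseline(string $baselineFile, array $hashes): void
{
    $json = json_encode($hashes, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
    file_put_contents($baselineFile, $json, LOCK_EX);
}

/** Compare current hashes against the baseline: [path => 'modified'|'missing'|'new']. */
function diffAgainstBaseline(array $baseline, array $current): array
{
    $changes = [];
    foreach ($current as $path => $hash) {
        if (!array_key_exists($path, $baseline)) {
            $changes[$path] = 'new';
        } elseif ($baseline[$path] !== null && $hash === null) {
            $changes[$path] = 'missing';
        } elseif ($baseline[$path] !== $hash) {
            $changes[$path] = 'modified';
        }
    }
    return $changes;
}

// --- demo on a scratch directory standing in for the web root ---
$root = sys_get_temp_dir() . '/wpmon_' . bin2hex(random_bytes(4));
mkdir($root, 0700, true);
file_put_contents("$root/index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n");
file_put_contents("$root/.htaccess", "RewriteEngine On\n");
$watched  = ["$root/index.php", "$root/.htaccess", "$root/wp-config.php"];
$baseline = "$root/.integrity.json";   // in real use keep this outside the web root

saveBaseline($baseline, hashFiles($watched));   // first run: record the known-good state

// Simulate the common defacement: a redirect appended to .htaccess, index.php removed.
file_put_contents("$root/.htaccess", "RewriteRule ^ http://evil.example/ [R,L]\n", FILE_APPEND);
unlink("$root/index.php");

$changes = diffAgainstBaseline(loadBaseline($baseline) ?? [], hashFiles($watched));
foreach ($changes as $path => $kind) {
    echo basename($path), ': ', $kind, PHP_EOL;    // feed these lines to your alerting
}

// clean up the scratch directory
foreach ([...$watched, $baseline] as $f) {
    if (is_file($f)) {
        unlink($f);
    }
}
rmdir($root);
```

Run it from cron and alert on any non-empty output. The baseline must be refreshed deliberately after every legitimate update; if the checker silently re-baselines on its own, an attacker's change becomes the new normal.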
Keep an eye on Google Index
Add Google Webmaster Tools and keep an eye on how many indexed pages your site has. A sudden rise in the number of pages is a strong sign that your site has been hacked.
Clean up a hacked
Good news - WP Security Bloggers, an aggregator of WordPress security news, is now manually curated.
Finally, WP Security Bloggers got some TLC! I started this project back in 2014 so I could have a central repository for all the WordPress security news instead of following all the blogs. Over the years the idea developed into a WordPress security news aggregator. But because the number of blogs from which WP Security Bloggers aggregates news is now over twenty, it has become almost impossible to curate the news automatically.
The good news is that from today onward all the news will be curated manually. This means much higher value and quality for you, the subscribers: you will no longer see duplicate posts, or posts that are not about WordPress security.
Today we have also done several minor but significant changes on the website, such as:
We removed sources that are no longer working,
Deleted some of the latest posts that made it through the automated curation,
Added an About page etc.
Subscribe to WP Security Bloggers
To keep yourself up to date with WordPress security, subscribe to the WP Security Bloggers roundup emails, or follow us on Twitter and Facebook.
Just by following these simple tips, you can have a more secure WordPress website.
Since it was first released in 2003, WordPress has grown (and grown) and can now safely be called the world’s most popular content management system. Today, more than a quarter of all websites run on WordPress. Yet since time immemorial, the more popular something is, the more people want to leverage it for nefarious ends. Just look at Microsoft Windows and the massive amount of malware, viruses and other exploits designed to target that one specific operating system.
Why is your WordPress blog a valuable target?
In case you’re wondering why on earth a hacker would want to control your WordPress blog, there are several reasons, including:
Using it to secretly send spam emails
Stealing your data, such as a mailing list or credit card information
Adding your site to a botnet that they can use later
Fortunately, WordPress is a platform that offers you many ways to defend yourself. Having helped set up and administer several websites and blogs myself, I’d like to share with you some of the more basic things you can do to help secure your WordPress site.
Here are 10 actionable security tips you can make use of.
There's no security breach on WordPress.com, but if your individual account is compromised, it could mean your self-hosted sites are as well, if you've connected them via Jetpack.
A few good reasons why you should never share WordPress logins with contributors: instead, create a unique login for every contributor.
A WordPress security best practice that is easy to implement is having a unique WordPress login (username and password) for every person who accesses your website or multisite network. Sharing the same WordPress login details with a group of people leads to a number of security issues and increases the maintenance burden of the website, as this post explains.
Use of Weak Passwords
As a WordPress website administrator you know very well how important it is to use strong and complex passwords. Most probably you use a password manager so that you can use very long passwords that are impossible to remember. But if a group of people shares one WordPress login, and many of them still do not use a password manager, you end up choosing an easy password for the shared user just to avoid the support hassle.
Easy-to-guess passwords were and still are the most common source of WordPress website hacks. So avoid shared WordPress logins, and always encourage your contributors to use a password manager to reduce the use of weak, easy-to-guess passwords.
More complex operations & high-maintenance websites
Managing shared WordPress logins is more complex and requires
The risk of cyberattack is always there. Here’s how you can ensure your WordPress website remains secure against hacking.
WordPress is an established authority in the content management universe, powering almost a third of all websites on the internet. That size, however, comes at a certain cost. According to one study, more than 70 percent of all websites are vulnerable to attack.
Most people would now ask the logical question: With so many safety threats, how come WordPress is not losing supremacy among content management systems?
The answer is very simple. The problem lies not in WordPress but in webmasters who don’t keep their sites updated and protected.
For instance, as much as 8 percent of WordPress security breaches happen as the result of a weak password. Although improving a password is the easiest thing in the world, some people still find it too boring to deal with, which is exactly the kind of mistake hackers are hoping for.
If you want your website protected, then you need to learn several methods of securing it against hackers. In this post, we will show you 20 ways to secure a WordPress site.
Let’s hop right in.
1. Limit login attempts
The first tip on our list is one of the golden rules of WordPress security. You should limit the number of login attempts
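The PHP below is an added example of what limiting login attempts looks like underneath a plugin; it is not code from the original post. It throttles on both the client IP and the username, so one attacker trying many accounts and many attackers trying one account both run out of attempts. Storage is an in-memory array so the script runs on its own; in a real WordPress deployment the counters would live in transients or the object cache and be driven from the wp_login_failed action and the authenticate filter (real hooks, not used here). The class and method names are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Added example: sliding-window login throttle keyed on IP and on username.
 * Not from the original post; names and thresholds are assumptions.
 */
final class LoginThrottle
{
    /** @var array<string, int[]> key => unix timestamps of recent failures */
    private array $failures = [];

    // Keep the lockout no longer than the window: failures older than the
    // window are forgotten, which is what ends a lockout.
    public function __construct(
        private int $maxAttempts = 5,
        private int $windowSeconds = 900,
        private int $lockoutSeconds = 900,
    ) {}

    private function keys(string $ip, string $username): array
    {
        return ['ip:' . $ip, 'user:' . strtolower($username)];
    }

    private function prune(string $key, int $now): void
    {
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn (int $t): bool => $t > $now - $this->windowSeconds
        ));
    }

    /** Seconds the caller must wait before trying again, or 0 if allowed. */
    public function retryAfter(string $ip, string $username, int $now): int
    {
        $wait = 0;
        foreach ($this->keys($ip, $username) as $key) {
            $this->prune($key, $now);
            $hits = $this->failures[$key];
            if (count($hits) >= $this->maxAttempts) {
                // The lockout is measured from the most recent failure.
                $wait = max($wait, max($hits) + $this->lockoutSeconds - $now);
            }
        }
        return max(0, $wait);
    }

    public function recordFailure(string $ip, string $username, int $now): void
    {
        foreach ($this->keys($ip, $username) as $key) {
            $this->failures[$key][] = $now;
        }
    }

    public function recordSuccess(string $ip, string $username): void
    {
        foreach ($this->keys($ip, $username) as $key) {
            unset($this->failures[$key]);
        }
    }
}

// Usage: consult retryAfter() before checking the password, then record the outcome.
// Constructed scenario: six different source IPs (a small botnet) all target "admin".
$throttle = new LoginThrottle(maxAttempts: 5, windowSeconds: 900, lockoutSeconds: 900);
$now = time();
for ($i = 1; $i <= 6; $i++) {
    $ip = "203.0.113.$i";
    $wait = $throttle->retryAfter($ip, 'admin', $now);
    if ($wait > 0) {
        echo "attempt $i from $ip refused: account 'admin' locked for {$wait}s\n";
        continue;
    }
    $throttle->recordFailure($ip, 'admin', $now);   // password was wrong each time
    echo "attempt $i from $ip: password rejected\n";
}
```

When the site sits behind a reverse proxy or CDN, take the client address from the header that proxy sets and only from that proxy; trusting X-Forwarded-For from anyone lets an attacker pick a fresh "IP" for every request and defeats the per-IP limit, which is why the per-username limit is there as well.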
Really interesting piece from David on WPShout on why cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against
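As an added example, not taken from the WPShout post, the PHP below shows the escaping side of that trio: the same untrusted comment is rendered into four different output contexts, and each one gets the escaping that context needs. The helper names are hypothetical; they mirror the WordPress functions esc_html(), esc_attr(), esc_url() and wp_json_encode(), which are not used so the script runs without WordPress loaded. The hostile comment is constructed for the demo.

```php
<?php
declare(strict_types=1);

/*
 * Added example: context-specific output escaping. Not code from the post;
 * helper names are hypothetical stand-ins for the WordPress esc_* functions.
 */

function escHtml(string $s): string
{
    // Text between tags: entity-encode <, >, &, " and '.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escAttr(string $s): string
{
    // Same encoding; the caller must still put quotes around the attribute value.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * URL for href/src: only listed schemes pass (relative URLs have none and pass),
 * anything else yields '' rather than false, like esc_url() does.
 */
function escUrl(string $url, array $allowedSchemes = ['http', 'https', 'mailto']): string
{
    $url = trim($url);
    if ($url === '') {
        return '';
    }
    // Remove control characters and whitespace used to disguise "java\tscript:".
    $url = preg_replace('/[\x00-\x20\x7f]+/', '', $url) ?? '';
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $url, $m) === 1
        && !in_array(strtolower($m[1]), $allowedSchemes, true)) {
        return '';
    }
    return escAttr($url);
}

function escJs(mixed $value): string
{
    // Data embedded in inline JavaScript: JSON with HTML-sensitive characters
    // hex-escaped, so a string containing "</script>" cannot close the tag.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

function renderComment(array $c): string
{
    return '<div class="comment" data-author="' . escAttr($c['author']) . '">'
         . '<a href="' . escUrl($c['website']) . '">' . escHtml($c['author']) . '</a>'
         . '<p>' . escHtml($c['text']) . '</p>'
         . '<script>var commentId = ' . escJs($c['id']) . ';</script>'
         . '</div>';
}

// Constructed attacker-controlled comment: each field targets a different context.
$hostile = [
    'id'      => '</script><script>alert(1)</script>',
    'author'  => '" onmouseover="alert(1)',
    'website' => "java\tscript:alert(document.cookie)",
    'text'    => '<script>alert("xss")</script>',
];
echo renderComment($hostile), PHP_EOL;
```

The point the post makes about sanitizing on input and escaping on output is visible here: none of the fields were cleaned before storage, yet nothing executes, because every value is escaped for the exact place it lands. Using escHtml() for the href would have let the javascript: URL through, and using escUrl() for the body text would not have touched the script tag; the context, not the data, decides the function.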
Logs contain a wealth of information and are not just there for forensic reasons. Logs can help you improve the security posture of your WordPress website. Good read.
Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail is essentially a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on the logging solution’s capabilities). Some audit-trail plugins keep a record of just about every detail,
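An added example, not from the original post, of reading an audit trail rather than just keeping one: it parses log entries and flags two things a WordPress owner should act on, a burst of failed logins against one account and a role change that grants administrator. The JSON-lines format, the field names and the sample entries are all constructed for this example; map them to whatever your logging plugin actually writes.

```php
<?php
declare(strict_types=1);

/*
 * Added example: detection logic over an audit trail. Not from the original post;
 * the log format and the entries below are constructed.
 */

$sampleLog = <<<'LOG'
{"ts":"2018-06-26T02:14:01Z","event":"login_failed","user":"admin","ip":"198.51.100.7"}
{"ts":"2018-06-26T02:14:03Z","event":"login_failed","user":"admin","ip":"198.51.100.7"}
{"ts":"2018-06-26T02:14:04Z","event":"login_failed","user":"admin","ip":"198.51.100.7"}
{"ts":"2018-06-26T02:14:06Z","event":"login_failed","user":"admin","ip":"198.51.100.7"}
{"ts":"2018-06-26T02:14:09Z","event":"login_failed","user":"admin","ip":"198.51.100.7"}
{"ts":"2018-06-26T02:14:12Z","event":"login_success","user":"admin","ip":"198.51.100.7"}
{"ts":"2018-06-26T02:15:40Z","event":"user_role_changed","user":"bob","actor":"admin","from":"subscriber","to":"administrator","ip":"198.51.100.7"}
{"ts":"2018-06-26T09:02:11Z","event":"login_failed","user":"editor","ip":"203.0.113.5"}
{"ts":"2018-06-26T09:03:30Z","event":"post_updated","user":"editor","ip":"203.0.113.5"}
LOG;

function parseLog(string $raw): array
{
    $entries = [];
    foreach (preg_split('/\R/', trim($raw)) as $line) {
        $e = json_decode($line, true);
        if (is_array($e) && isset($e['ts'], $e['event'])) {
            $e['t'] = strtotime($e['ts']);   // epoch seconds for window arithmetic
            $entries[] = $e;
        }
    }
    return $entries;
}

/** Failed-login bursts: at least $threshold failures for one user within $windowSeconds. */
function findLoginBursts(array $entries, int $threshold = 5, int $windowSeconds = 60): array
{
    $byUser = [];
    foreach ($entries as $e) {
        if ($e['event'] === 'login_failed') {
            $byUser[$e['user']][] = $e;
        }
    }
    $alerts = [];
    foreach ($byUser as $user => $fails) {
        usort($fails, fn (array $a, array $b): int => $a['t'] <=> $b['t']);
        for ($i = 0, $n = count($fails); $i + $threshold - 1 < $n; $i++) {
            $j = $i + $threshold - 1;
            if ($fails[$j]['t'] - $fails[$i]['t'] <= $windowSeconds) {
                $alerts[] = sprintf('%d failed logins for "%s" from %s between %s and %s',
                    $threshold, $user, $fails[$i]['ip'], $fails[$i]['ts'], $fails[$j]['ts']);
                break;   // one alert per user is enough
            }
        }
    }
    return $alerts;
}

/** Privilege escalation: any role change whose new role is administrator. */
function findAdminGrants(array $entries): array
{
    $alerts = [];
    foreach ($entries as $e) {
        if ($e['event'] === 'user_role_changed' && ($e['to'] ?? '') === 'administrator') {
            $alerts[] = sprintf('%s: %s promoted "%s" from %s to administrator (ip %s)',
                $e['ts'], $e['actor'] ?? '?', $e['user'], $e['from'] ?? '?', $e['ip'] ?? '?');
        }
    }
    return $alerts;
}

$entries = parseLog($sampleLog);
foreach (array_merge(findLoginBursts($entries), findAdminGrants($entries)) as $alert) {
    echo 'ALERT: ', $alert, PHP_EOL;
}
```

Read together, the two alerts tell the story the raw lines hide: a password-guessing burst that ends in a successful login, followed a minute later by a new administrator created from the same address. That correlation, a success right after a burst from the same IP, is the next rule worth adding.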
Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?
Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story about CCleaner broke today, the Display Widgets plugin for WordPress was found to be compromised and subsequently banned from the WordPress Plugin Repository, and there have been many high-profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not applied consistently (another common software problem). So yes, there are security issues with WordPress, as there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.
Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals. A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
My take on the recent issues with malicious code in plugins and the importance of getting the word out to users.
In case you missed it, three widely used WordPress plugins were recently found to have malicious code included in recent updates. Display Widgets, Fast Secure Contact Form and SI CAPTCHA Anti-Spam were each removed from the official WordPress Plugin Repository after users discovered SEO spam in them. One thing these plugins have in common is that they were all previously trusted and generally considered secure. More recently, they were sold by their original authors to a new developer, who used these popular plugins to spread payday loan spam posts. In fact, the security plugin company Wordfence recently reported that up to 9 plugins have been found with malicious code added through various means.
While many web designers and developers have become more proactive in securing their sites against typical threats like brute force attacks, malicious plugins appear to be a whole new ballgame. We’re used to defending against security holes, not against authors who are intentionally propagating malware. And in the case of the plugins mentioned above, immediately updating to the latest version was the worst thing we could have done, since that was how the malicious code was installed.
Same scum running similar scammy backdoor code in more newly purchased plugin(s).
Good read for people who are new to WordPress development but already know PHP.
For validating a URL, WordPress’s function will have a similar effect, but only lets through allowed protocols. is not in the default list, so it would keep you safe. However, unlike filter_var, it returns an empty string (not false) for a URL with a disallowed protocol.
WordPress-specific Functions To Keep An Eye On
In addition to core-PHP potentially-vulnerable functions, there are some WordPress-specific functions that can be a bit of a gotcha. Some of these are very similar to the variety of dangerous functions listed above, some a little different.
WordPress Unserializes With maybe_unserialize
This one’s probably obvious if you read the above. In WordPress there’s a function called maybe_unserialize and, as you’d guess, it unserializes what’s passed to it if need be.
This doesn’t introduce any new vulnerability; the issue is simply that, just like the core unserialize function, it can cause a vulnerable object to be exploited when attacker-controlled data is unserialized.
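An added example, not from the original post, of what "a vulnerable object being exploited when it's unserialized" means in practice. The gadget class is constructed for the demo; in a real site it would be some plugin class whose __destruct() or __wakeup() does file or database work. It also shows the one-argument change that neutralises the gadget: refusing to instantiate any class. Class and function names are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Added example: PHP object injection through unserialize(). Not from the post;
 * the CacheFile class is a constructed stand-in for a real plugin class.
 */

final class CacheFile
{
    public function __construct(public string $path = '', public string $contents = '') {}

    // Runs automatically when the object is destroyed, including objects that
    // unserialize() built from attacker-supplied bytes.
    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// The bytes an attacker stores where the application later unserializes them
// (an option value, a cookie, a meta field). Hand-built so no real object is
// created on this side; in a real attack the path would be under the web root
// and the contents would be PHP.
$dropTarget = sys_get_temp_dir() . '/wpunser_' . bin2hex(random_bytes(4)) . '.txt';
$contents   = "attacker-controlled contents\n";
$payload = sprintf(
    'O:9:"CacheFile":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
    strlen($dropTarget), $dropTarget, strlen($contents), $contents
);

// Unsafe: any class with magic methods may be instantiated, so the destructor
// fires with attacker-chosen properties.
function unsafeRestore(string $blob): mixed
{
    return unserialize($blob);
}

// Safe: no classes are allowed; objects come back as __PHP_Incomplete_Class and
// no magic methods run. For new code prefer JSON, which carries no objects at all.
function safeRestore(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

$obj = safeRestore($payload);
echo 'safe restore produced: ', get_class($obj), PHP_EOL;
unset($obj);
echo 'file written after safe restore:   ', var_export(file_exists($dropTarget), true), PHP_EOL;

$obj = unsafeRestore($payload);
unset($obj);   // the gadget's destructor runs here
echo 'file written after unsafe restore: ', var_export(file_exists($dropTarget), true), PHP_EOL;
@unlink($dropTarget);
```

The attacker never needs to call anything in CacheFile; the class only has to exist somewhere in the loaded code, which is why every plugin and theme on a site widens the set of gadgets available to any unserialize() of untrusted input.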
is_admin Doesn’t Answer If A User Is An Administrator!
This one’s pretty simple, but the function is ambiguous in name, and so it’s prone
WordPress sites are popular targets for hackers and script-kiddies. Here are some of the reasons a hacker wants to compromise a WP site.
Well, even though WordPress is built on clean and solid code, the truth is any website, no matter how well prote
To the extent that any guide to WordPress security can be "complete", this is pretty good: a thorough look at the security basics most sites need to follow that avoids the clichéd poor-quality advice often found on the topic.
WordPress sites are one of the most common targets for attack on the internet. They’re hacked more than any other type of site. If you, your friends, or someone you know has never experienced a WordPress site getting “hacked”, you’ve either been extremely lucky or have abnormally careful people around you. Security matters because WordPress sites are online, run literally hundreds of thousands of lines of code, and WordPress is a common enough platform that it is going to be targeted by attackers. When Microsoft Windows was a relatively new and dominant platform with regular headlines about security issues, its defenders pointed out that the sheer number of attacks was a big reason. While Microsoft was making security mistakes of its own, it was also the case that many classes of security errors were simply exploited first on the Windows platform, because that was where the attackers were.
So too with WordPress. WordPress powers about 27% of the internet. That’s great, but it also means that if someone finds a fundamental security flaw that’s common on all WordPress sites, or even a big percentage, they can easily have thousands of servers mustered in a matter