With 30 posts in this WP Security category, you can focus on one each day of the month.
Submit a comment with your observations and discoveries for each one.
Plugin issues account for most of the vulnerabilities found on WordPress sites.
Sucuri often reports on new problems before anyone else notices them.
GSC lets you know about malicious activity on your site.
Record everything going on in the dashboard when your site has multiple authors.
When building a new PHP app/website, PHP error reporting is a good debug tool.
But if it is enabled on a live site, any error displays your full server path on the screen.
XML-RPC protocol support for WordPress is turned on by default.
Unfortunately, deleting the xmlrpc.php file affects the functionality of some plugins.
Make any SQL injection attack attempt harder by changing the default database prefix:
The prefix is set in wp-config.php and should be generated randomly for each WordPress install.
Determine whether the theme you plan to use follows all the latest WordPress standards and recommended code practices:
Malicious software is used to disrupt computer operations, gather sensitive information, gain access to private computer systems, or display unwanted advertising.
CloudFlare routes all traffic coming to your site through a network of servers.
Those servers let in only genuine people who want to read your content, and bounce anyone who’s suspicious.
Surgical attack: they meticulously look for a vulnerability, and then exploit it with precision.
Brute force attack: they simply attempt to guess the password multiple times until successful.
BruteProtect has been integrated into Jetpack.
- contact forms
- image galleries & carousels
- social media buttons
- mobile theme
- links to related posts
- site stats
Instead of just deactivating the plugin you’re not using at the moment, delete it completely.
A detailed change log goes alongside every new release of WordPress:
However, each new update seems to include changes to the user interface. Version 4.5.2 makes it worse. Consider the add link button.
Now it gives you a little box requiring an extra click to get the same dialog.
Bad Passwords: 000000, 111111, 123123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 654321, 696969, aaaaaa, abc123, access, admin, adobe1, azerty, baseball, batman, dragon, football, iloveyou, letmein, macromedia, master, michael, monkey, mustang, password, photoshop, qwerty, shadow, superman, trustno1.
Subject-Action-Object-Place method: For a long password, visualize someone doing something at some place.
Use one, ultra-secure “vault” password?
Log in as Admin only on networks you know to be secure.
Otherwise, log in as Editor or even Author.
Create a new user with the Admin role, then delete the old one.
Or, use a plugin.
Or, modify the database directly using phpMyAdmin.
Your website can be targeted for an attack, or simply be vulnerable to invasion.
Thus, there are two types of security attacks: Targeted and Opportunistic.
Hackers who break into computers for nefarious purposes or malicious intent, perhaps motivated by profit, protest, or simply the challenge, are referred to as wearing black hats.
Because there are so many WordPress websites, robots crawl the web looking for an opportunity to invade those which are vulnerable. These sites get added to black-hat portfolios to form a network of sites that can be used for things like spamdexing, keyword stuffing, doorway pages, page hijacking, email spoofing, data scraping, URL redirects, etc.
To assist in removing a security weakness, you may need the advice of a hacker wearing a white hat.
01. Admin Username
02. Editor Role
04. Login Attempts
05. Client Machine
06. WordPress Updates
07. Plugins Updates
09. Web Host
10. Plugin & Theme Sources
11. Unused Plugins
12. Plugins Quantity
13. Security Plugins
14. Brute Force Attacks
17. Theme Check
20. Database Prefix
23. PHP Error Reporting
24. WP Security Audit Log
25. Google Search Console (GSC)
27. Unsafe Plugins
*Thank you John Stevens
Hosting Facts.com – How To Secure WordPress