Category Archives: WP Security

– WP Security – Contents


Your website can be singled out for an attack, or it can simply be found vulnerable by an automated scan.

That gives two types of security attack: targeted and opportunistic.

Hackers who break into computers for nefarious purposes or with malicious intent, whether motivated by profit, protest, or simply the challenge, are said to wear black hats.

Because there are so many WordPress websites, bots crawl the web looking for those that are vulnerable. Compromised sites get added to black-hat portfolios to form a network of sites that can be used for things like spamdexing, keyword stuffing, doorway pages, page hijacking, email spoofing, data scraping, URL redirects, etc.

You could also be directly targeted for spyware, keystroke logging, etc.

To find and remove a security weakness, you may need the advice of a hacker wearing a white hat.

CONTENTS *

01. Admin Username
02. Editor Role
03. Passwords
04. Login Attempts
05. Client Machine
06. WordPress Updates
07. Plugins Updates


08. Backups
09. Web Host
10. Plugin & Theme Sources
11. Unused Plugins
12. Plugins Quantity
13. Security Plugins
14. Brute Force Attacks


15. CloudFlare
16. Malware
17. Theme Check
18. Pingbacks
19. Keys
20. Database Prefix
21. htaccess


22. XML-RPC
23. PHP Error Reporting
24. WP Security Audit Log
25. Google Search Console (GSC)
26. Sucuri
27. Unsafe Plugins
28. SSL


29. Conclusion
30. Extra

*Thank you John Stevens
Hosting Facts.com – How To Secure WordPress

03. Passwords

Bad Passwords: 000000, 111111, 123123, 1234, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 654321, 696969, aaaaaa, abc123, access, admin, adobe1, azerty, baseball, batman, dragon, football, iloveyou, letmein, macromedia, master, michael, monkey, mustang, password, photoshop, qwerty, shadow, superman, trustno1.

lifehacker.com/four-methods-to-create-a-secure-password

Subject-Action-Object-Place method: For a long password, visualize someone doing something at some place.

Or use a password manager, protected by one ultra-secure “vault” password:

LastPass

zapmap.com/wp-content/uploads/2016/05/password-security.jpg
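As an added example (not from the original post), the following Python checks a candidate password against the bad-password list above, catches the common trick of bolting digits or symbols onto a dictionary word, gives a crude upper bound on entropy, and assembles a Subject-Action-Object-Place passphrase. The 12-character minimum and the four tiny word lists are assumptions for illustration; real word lists must be far longer for the passphrase to carry meaningful entropy.

```python
import math
import re
import secrets

# Denylist of common passwords, taken from the list in this post.
BAD_PASSWORDS = {
    "000000", "111111", "123123", "1234", "12345", "123456", "1234567",
    "12345678", "123456789", "1234567890", "654321", "696969", "aaaaaa",
    "abc123", "access", "admin", "adobe1", "azerty", "baseball", "batman",
    "dragon", "football", "iloveyou", "letmein", "macromedia", "master",
    "michael", "monkey", "mustang", "password", "photoshop", "qwerty",
    "shadow", "superman", "trustno1",
}

MIN_LENGTH = 12  # assumed policy minimum; WordPress itself enforces none


def _base_form(password):
    """Lower-case and strip trailing digits/symbols that people bolt on to a
    dictionary word, so "Password1!" is recognised as "password"."""
    return re.sub(r"[^a-z]+$", "", password.lower())


def weakness(password):
    """Return None if the password passes, otherwise a short reason string.
    The denylist is checked first so the most useful reason is reported."""
    if password.lower() in BAD_PASSWORDS or _base_form(password) in BAD_PASSWORDS:
        return "on the common-password list"
    if len(password) < MIN_LENGTH:
        return "too short"
    if len(set(password)) <= 2:
        return "too few distinct characters"
    return None


def estimate_bits(password):
    """Upper bound on entropy: length * log2(alphabet size). A human-chosen
    password is usually far weaker than this number suggests."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


# Toy word lists (constructed for this example) for the
# Subject-Action-Object-Place method: someone doing something, somewhere.
SUBJECTS = ["grandma", "plumber", "astronaut", "octopus"]
ACTIONS = ["juggles", "paints", "repairs", "whistles"]
OBJECTS = ["teapots", "bicycles", "lanterns", "pumpkins"]
PLACES = ["Lisbon", "Ohio", "Saturn", "Kyoto"]
WORD_LISTS = (SUBJECTS, ACTIONS, OBJECTS, PLACES)


def passphrase_bits(lists=WORD_LISTS):
    """Entropy of a passphrase drawn uniformly from these lists: log2 of the
    number of possible combinations."""
    return math.log2(math.prod(len(words) for words in lists))


def sao_place_passphrase(rng=secrets, lists=WORD_LISTS):
    """Draw one word from each list with a CSPRNG and join them."""
    return "-".join(rng.choice(words) for words in lists)


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Tr0ub4dor&3", sao_place_passphrase()):
        print(f"{candidate!r}: {weakness(candidate) or 'ok'}, ~{estimate_bits(candidate):.0f} bits")
    print(f"toy word lists give only {passphrase_bits():.0f} bits per passphrase")
```

Note that `passphrase_bits()` for the four toy lists is just 8 bits (4^4 combinations); the point of the method is that the words are easy to remember, and the strength comes from drawing them from long lists.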

06. WordPress Updates

A detailed change log goes alongside every new release of WordPress:

wordpress.org/news/2016/05/wordpress-4-5-2

Enable auto-updates:

codex.wordpress.org/Configuring_Automatic_Background_Updates

However, each new update seems to include changes to the user interface, and version 4.5.2 makes it worse. Consider the add link button.

[screenshot: Insert/edit link in 4.5.2]

Now it gives you a little box requiring an extra click to get the same dialog you used to get directly.

[screenshot: Insert/edit link in 4.4.1]

And the code for this extra step is buggy, too!

14. Brute Force Attacks

Surgical attack: the attacker meticulously looks for a specific vulnerability, and then exploits it with precision.

Brute force attack: the attacker simply guesses the password over and over until one attempt succeeds.

BruteProtect has been integrated into Jetpack (as Jetpack Protect).
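As an added example of spotting a brute-force login attack in your own web server logs (example code, not from the original post or from Jetpack), the following Python parses Apache combined-format access log lines and flags any source IP that racks up repeated failed logins inside a short window. The failure signature is an assumption based on WordPress behaviour: a failed attempt re-renders wp-login.php with HTTP 200, while a successful one answers with a 302 redirect. The log lines are constructed for this example, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log format (not a real capture).
# 203.0.113.5 hammers wp-login.php six times in six seconds; 198.51.100.7
# mistypes twice and then logs in (the 302 redirect to wp-admin).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2016:08:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2016:08:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "python-requests/2.9"
203.0.113.5 - - [10/May/2016:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "python-requests/2.9"
203.0.113.5 - - [10/May/2016:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "python-requests/2.9"
203.0.113.5 - - [10/May/2016:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "python-requests/2.9"
203.0.113.5 - - [10/May/2016:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "python-requests/2.9"
203.0.113.5 - - [10/May/2016:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "python-requests/2.9"
203.0.113.5 - - [10/May/2016:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "python-requests/2.9"
198.51.100.7 - - [10/May/2016:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2016:08:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2016:08:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that matter here: client IP, timestamp,
# request method and path, and the response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def login_failures(lines):
    """Yield (timestamp, ip) for each request that looks like a failed login:
    POST to wp-login.php answered with 200 (the form re-rendered) rather
    than the 302 redirect a successful login produces."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        if (m["method"] == "POST"
                and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"]


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: most failures seen inside one window} for every IP that
    reaches `threshold` failed logins within `window`. Events are processed
    in time order with a per-IP sliding window so log order does not matter."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip in sorted(login_failures(lines)):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop attempts older than the window
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in brute_force_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within 5 minutes")
```

Run it against a real log with `brute_force_sources(open("access.log"))`; tune `threshold` and `window` to your traffic, and feed the flagged IPs to a firewall rule or a plugin's block list.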

29. Conclusion

With 30 posts in this WP Security category, you can focus on one each day of the month.

Submit a comment with your observations and discoveries for each one.

30. Extra

blacklisthackers.com/category/security

blog.sucuri.net/2012/08/automation-is-key-with-todays-website-attacks.html

blog.sucuri.net/2015/02/why-websites-get-hacked.html

Codeable.io

codex.wordpress.org/Hardening_WordPress

en.wikipedia.org/wiki/Sandbox_(computer_security)

lifehacker.com/how-spammers-spoof-your-email-address-and-how-to-prote-1579478914

techlicious.com/tip/what-to-do-when-your-email-gets-hacked

usatoday.com/story/tech/2014/11/06/email-hijacking-phishing-google/18564671