
WordPress Security


8 Ways To Secure WordPress With .htaccess

Every CMS is susceptible to hacking, even WordPress - our support team deal with hacked WordPress sites on a frequent basis. However, there are a number of precautions that can be taken to harden security and keep WordPress protected, most of which are often either overlooked or even unheard of. We’ve listed five ways to keep WordPress secure before, and also highlighted a number of common mistakes WordPress users make, and how to avoid and rectify them.

Authy Brings Two-Factor Authentication To Self-Hosted WordPress Sites (Updated)

If you run your own WordPress site, chances are you are using a pretty secure password to keep hackers from posting random stories to your blog. Still, even the best password isn’t as good as using Gmail-style two-factor authentication, but unless you are a programmer, chances are you don’t have the expertise to make this happen. Authy, which offers two-factor authentication as a service, is hoping to solve this by launching a WordPress plugin today that replaces the standard WordPress login with a more secure two-factor authentication login system.

Update: The folks at Duo Security tell us that they have found a vulnerability in Authy’s plugin. Authy is aware of this and is looking into the issue, but the company still tells us that its “recommendation is to still continue and install the plugin.”

Installing the plugin, which is now available in the WordPress.org plugin repository, just takes a few clicks once you have signed up for an Authy account.

Put a Lock on the Front Door of Your Site

Would you leave the front door of your house unlocked all the time? Of course not! But you wouldn’t believe how many site owners do just that. There are a lot of ways hackers can enter your site. Why make it easy for them by leaving the front door wide open? Read on to discover the super simple ways to secure the login of your site, plus ways to stop inviting hackers to even try.

Your Site is Under Attack

Most site owners think that hack attacks are something that happen to other people. The fact is, your site is under constant attack from every direction possible, including the front door of your login page.

Brute Force Attacks

When hackers try to break your site’s login encryption (username and password), it is called a Brute Force Attack.

How to Stop an Attack

Stopping brute force attacks is a two-step process. The first is to limit how many attempts the hacker can make to crack the code. The second is to have a strong encryption combination (username and password).

Stop the Attack

Tools

New Mass Injection Wave of WordPress Websites on the Prowl

Posted: 05 Mar 2012 08:00 AM | uwang | The Websense® ThreatSeeker® Network has detected a new wave of mass-injections of a well-known rogue antivirus campaign that we've been following in Security Labs™ for months. The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts).

Has Your WordPress Blog Been Hacked?

This is a guest post by Simon Ward, founder and author of Pingable.org. You can find him on twitter @Pingable. I have been blogging with WordPress since 2007. It’s a fantastic platform with a huge variety of plugins and themes which allow for a fantastic experience for you and your readers. However, if you follow poor security practices, it can all turn to custard pretty quick. In this article I will take a look at some of the main causes of WordPress security issues and how to lock your blog down to avoid such issues.

So, what’s the problem?

In a complex CMS environment like WordPress, where end users are running software on a range of different server environments, with a range of different themes and plugins, and 3rd party software, there are going to be vulnerabilities. If you have a vulnerable WordPress install, hackers can:

What are the main causes?

As mentioned above, the primary root cause is outdated software, i.e.

Where to find out more about these vulnerabilities?

Limit Login Attempts

Limit the number of login attempts possible both through normal login as well as using auth cookies. By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease. Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features

Limit the number of retry attempts when logging in (for each IP). Translations: Bulgarian, Brazilian Portuguese, Catalan, Chinese (Traditional), Czech, Dutch, Finnish, French, German, Hungarian, Norwegian, Persian, Romanian, Russian, Spanish, Swedish, Turkish. Plugin uses standard actions and filters only.

Reuters hack was due to old WordPress version

Posted on 07 August 2012. While the individuals responsible for the recent hijacking of Reuters' blogging platform and one of its Twitter accounts are still unknown, it has emerged that the attackers likely managed to hack the former because Reuters still used an older version of WordPress. Mark Jaquith, a lead developer of the WordPress core and a member of the WordPress security team, has shared with the WSJ that instead of the current version (3.4.1) Reuters was using version 3.1.1 of the popular blogging software - an iteration with a number of publicly known security issues. “If organizations ignore (update) notifications and stay on an outdated version, then they put themselves at risk of these sorts of breaches,” he commented.

I can't help noticing that this case and the one of the recent Gizmodo Twitter account hack should teach us all a number of valuable lessons.