The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial-of-service issue in PHP's XML processing. There are the brute-force amplification attacks reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks while still being able to use (some of) its functionality, like Jetpack? This post gives you some insight.
Sjoerd Langkemper writes about Cracking PHP rand():
Webapps occasionally need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with
This is a very interesting read about how PHP rand() works, and how to attack & crack it. The post ends with the following conclusion:
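To make the teaser concrete, here is an added example (my own, not code from Langkemper's post or from PHP) that models in Python why a token built from rand() is predictable. It assumes that PHP's rand() before PHP 7.1 on Linux hands off to glibc's random(), whose TYPE_3 generator satisfies r[i] = r[i-3] + r[i-31] mod 2^32 and returns r[i] >> 1; the GlibcRandom class, the seed value and the 6-call token layout are constructed for the demo. An attacker who has observed 31 consecutive outputs (say, from password-reset tokens issued to his own account) can narrow every later output to two values, so a token made from k rand() calls has only 2^k candidates.

```python
"""Predicting tokens built from PHP's rand(): a model of glibc random().

Added example, not code from the post being discussed. ASSUMPTION: PHP's rand()
(before PHP 7.1 on Linux) delegates to glibc's random(), the TYPE_3 additive
feedback generator with r[i] = r[i-3] + r[i-31] (mod 2^32) and output r[i] >> 1.
The attack uses only that recurrence on observed outputs; the seeding code is
here only so the demo runs offline without a real PHP 5 interpreter.
"""
import secrets

MASK32 = 0xFFFFFFFF
MASK31 = 0x7FFFFFFF


class GlibcRandom:
    """Offline model of glibc random() (TYPE_3: degree 31, separation 3)."""

    def __init__(self, seed: int) -> None:
        seed &= MASK32
        if seed == 0:
            seed = 1  # glibc treats seed 0 as 1
        r = [seed]
        word = seed
        for _ in range(1, 31):
            # 16807 * word mod (2^31 - 1) via Schrage's method, as glibc does
            hi, lo = divmod(word, 127773)
            word = 16807 * lo - 2836 * hi
            if word < 0:
                word += 2147483647
            r.append(word)
        for i in range(31, 34):
            r.append(r[i - 31])
        self._r = r  # sliding window; the recurrence needs only the last 31 words
        for _ in range(310):  # glibc discards the first 310 words after seeding
            self._step()

    def _step(self) -> int:
        r = self._r
        value = (r[-31] + r[-3]) & MASK32
        r.append(value)
        del r[0]
        return value

    def rand(self) -> int:
        """Equivalent of PHP rand() with no arguments: a 31-bit value."""
        return self._step() >> 1


def predict_next(outputs):
    """Two candidates for the output following `outputs` (needs the last 31).

    With r = 2*o + b, r[i] = r[i-3] + r[i-31] gives
    o[i] = o[i-3] + o[i-31] + (carry of the two dropped low bits) mod 2^31,
    so the next output is one of exactly two values.
    """
    if len(outputs) < 31:
        raise ValueError("need at least 31 consecutive outputs")
    base = (outputs[-31] + outputs[-3]) & MASK31
    return (base, (base + 1) & MASK31)


def candidate_tokens(history, length):
    """Every token of `length` rand() outputs that can follow `history`.

    Each position has two candidates, so there are 2**length candidates:
    a 16-call token costs 65536 guesses instead of 2**496.
    """
    results = []

    def extend(seq, remaining):
        if remaining == 0:
            results.append(tuple(seq[len(history):]))
            return
        for cand in predict_next(seq):
            extend(seq + [cand], remaining - 1)

    extend(list(history), length)
    return results


def weak_token(gen: GlibcRandom, calls: int) -> str:
    """The pattern the post warns about: concatenate several rand() outputs."""
    return "".join(f"{gen.rand():08x}" for _ in range(calls))


def token_hex(candidate) -> str:
    return "".join(f"{o:08x}" for o in candidate)


def strong_token(nbytes: int = 16) -> str:
    """Hardened form: a CSPRNG. The PHP equivalent is bin2hex(random_bytes(16))."""
    return secrets.token_hex(nbytes)


def demo(seed: int = 1337, token_calls: int = 6):
    """Attacker learns 31 outputs, then enumerates the victim's next token.
    Returns (number of candidates, whether the real token is among them)."""
    gen = GlibcRandom(seed)  # constructed seed, stands in for a PHP 5 process
    leaked = [gen.rand() for _ in range(31)]  # e.g. tokens issued to the attacker
    victim = weak_token(gen, token_calls)
    guesses = {token_hex(c) for c in candidate_tokens(leaked, token_calls)}
    return len(guesses), victim in guesses


if __name__ == "__main__":
    print(demo())  # (64, True)
```

On PHP 7.1 and later rand() is an alias of mt_rand(), a different but still non-cryptographic generator, so the lesson is the same: build tokens from random_bytes() or random_int() (PHP 7 and up), mirrored here by secrets.token_hex().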
Or why *not* to add a delay … !
It is important to protect your WordPress website from brute-force attacks, and various security plugins exist to do so. For the purpose of this article, I modified the WordPress Login Delay plugin with a fixed delay of three seconds for my wp-login.php page. This provides you with an easy-to-use method of protecting your WordPress login form (but do read the caveats!).