Posts

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able to use (some of) its functionality like Jetpack? This post gives you some insight.

Read more

Sjoerd Langkemper writes about Cracking PHP rand(): Webapps occasionaly need to create tokens that are hard to guess. For example for session tokens or CSRF tokens, or in forgot password functionality where you get a token mailed to reset your password. These tokens should be cryptographically secure, but are often made by calling rand() multiple times and transforming the output to a string. This post will explore how hard it is to predict a token made with rand().


This is a very interesting read about how PHP rand() works, and how to attack & crack it. The post ends with the following conclusion:

Read more

Or why *not* to add a delay … !

It is important to protect your WordPress website from brute-force attacks, and various security plugins exist in doing so. For the purpose of this article, I modified the WordPress Login Delay plugin with a fixed delay of three seconds for my wp-login.php page. This provides you with an easy to use method of protecting your WordPress login form (but do read the caveats!).

Read more