You are here: Sysadmins of the North » WordPress

WordPress

You are here: Sysadmins of the North » WordPress

Are you in my blocklist?

Access blocked

Recently, Jeff Starr wrote about blocking IP addresses posting random string comment spam. That post reminded me about my own older post about blocking WordPress comment spammers manually. With just a few manual steps, you create your own little blocklist for WordPress in either a .htaccess or web.config file. Here are the IP addresses I’m currently blocking. Note, this list can get long (loooonnggg).

Find vulnerable WordPress plugin versions fast using PowerShell

source code WordPress security plugin

On a daily bases, new vulnerabilities are found in WordPress plugins. And when you host thousands of WordPress sites, you can count on the fact you have some customers using that vulnerable version of that particular plugin. So you need to find those vulnerable versions on your servers fast. On Windows Server, PowerShell is a perfect tool for the job!

Disallow direct access to PHP files in wp-content/uploads/

Set PHP handler accessPolicy (Request Restrictions) to Read in IIS

It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.

WordPress .htaccess security best practices in Apache 2.4.6+

Security?

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

Protect WordPress from brute-force XML-RPC attacks

WordPress XMLPRC

The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.

Check WordPress Core files integrity

brown wooden blocks on white surface

Check WordPress integrity and verify WordPress Core files’ md5 checksums against WordPress’ checksums API, using this standalone PHP file. I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API so you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be trusted, as opposed to using a WordPress plugin. I think this is a better integrity check of WordPress Core files.

WordPress advisory: Akal premium theme XSS vulnerability

Security?

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.

Deny vulnerable WordPress plugins using Windows Server File Server Resource Manager’s File Screens

Summary of file screen properties

Using Windows Server File Server Resource Manager’s File Screens you can block vulnerable WordPress plugins from being uploaded to your IIS web server. In the following example, you’ll learn how to block WP DB Backup plugin system-wide on Windows Server, read on…

Add a delay to your WordPress login form

Or why *not* to add a delay … ! It is important to protect your WordPress website from brute-force attacks, and various security plugins exist in doing so. For the purpose of this article, I modified the WordPress Login Delay plugin with a fixed delay of three seconds for my wp-login.php page. This provides you with an easy to use method of protecting your WordPress login form (but do read the caveats!).

Scroll to Top