On a daily bases, new vulnerabilities are found in WordPress plugins. And when you host thousands of WordPress sites, you can count on the fact you have some customers using that vulnerable version of that particular plugin. So you need to find those vulnerable versions on your servers fast. On Windows Server, PowerShell is a perfect tool for the job!
It’s recommended to disallow access to and execution of PHP files in wp-content/uploads folder. Preferably without the use of a security plugin. Blocking access to PHP files in WordPress wp-content/uploads folder is easily achieved with a .htaccess file on Linux Apache, or web.config accesssPolicy in Windows Server IIS, and here is how.
Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’. Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?
With PHP 7.1, some PHP web applications fail because of deprecated code usage. This may result in an error message like [] operator not supported for strings for various Joomla, WordPress and Drupal components. Here’s how to fix this code for PHP 7.1+.
The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.
The default WordPress theme Twenty Seventeen’s content width can be easily changed to full width. All you need is this bit of CSS:How to make Twenty Seventeen theme full width in WordPress
Check and verify WordPress Core files md5 checksums against WordPress’ checksums API, using this standalone PHP file. WordPress integrity matters, therefore I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API so you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be trusted, as opposed to using a WordPress plugin. I think this is a better integrity check of WordPress Core files.
This post describes the Akal premium WordPress theme XSS vulnerability that I discovered. The theme suffers from a reflected Cross Site Scripting (XSS) vulnerability that would allow an attacker to steal an admin’s cookie, if WordPress wasn’t secured against that type of attacks.
Block bad bots in WIndows Server IIS using web.config. Learn to protect your WordPress website with this web.config file!
Using Windows Server File Server Resource Manager’s File Screens you can block vulnerable WordPress plugins from being uploaded to your IIS web server. In the following example, you’ll learn how to block WP DB Backup plugin system-wide on Windows Server, read on
Elasticsearch is a highly scalable open-source full-text search and analytics engine. It allows you to store, search, and analyze big volumes of data quickly and in near real time. In this article we’ll go over the steps to install Elasticsearch on CentOS 6.7.
This plugin adds a three second delay when logging into WordPress. This slows down brute-force attacks on your website. However, it is not recommended to use sleep(), because a heavy brute-force attack will let all those POST requests sleep for the given amount of time.
Deny direct access to PHP files in wp-content/uploads/. The following PHP function secures your WordPress website by disabling the execution of PHP scripts in wp-content/uploads, on Windows Server IIS web servers. It creates a web.config file for this purpose.
How to set up a global Geolocation DNS load balancing Varnish Cache Content Delivery Network with Bind9, geo-ip database, Varnish Cache and DigitalOcean. DIY High-Availability for your website!
Replace all instances of a string in WordPress using phpMyAdmin and SQL statements, or a WordPress plugin. Learn how to replace content in your MySQL database in bulk with MySQL REPLACE.