Posts

How to: Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years now. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from xmlrpc.php attacks, but still being able to use (some of) its functionality like Jetpack? This post gives you some insight.

Read more

Remove Jetpack email sharing service

Recently the WordPress Jetpack email sharing service is often abused by spammers. They use the Send to Email Address for sending spam. All these kind of “Tell a Friend” scripts are abused a lot. Here is how to disable email share service in WordPress Jetpack.

Read more

Quiet WordPress 4.7 RC2 available

Helen Hou-Sandi writes on Make WordPress Core that there is a quiet RC2 now available – it is a fair number of commits (50+), so please take a look through those and test as you can.

Clear PHP opcode caches before WordPress Updates: ease the updating process

In various hosting environments, WordPress core-, plugin- and theme updates sometimes fail because of enabled opcode caches. Popular PHP opcode caches are OPcache, WinCache and APC. This little WordPress Must Use Plugin tries to flush opcode caches. Making your live a bit easier when updating WordPress Core, Plugins and Themes.

Read more

Benchmarking WordPress, simple load & speed testing with ApacheBench

WordPress load testing with ApacheBench. ab is a small benchmark utility that comes with Apache. It’s a really simple HTTP load generating tool, ideal for a simple WordPress load & speed test. How fast does your WordPress site respond? How many HTTP requests per second can your server handle? These are questions on which ab can shed some light.

Read more

Measure WordPress loading time and queries

How to measure WordPress’ loading time and executed database queries? During an HTTP request, WordPress executes a lot of queries on your MySQL database. Not just the database queries take time, also loading and executing PHP takes time. How do you measure this?

Read more

Tips to speed up WordPress, serve gzip comressed static HTML files

Who said WordPress is slow on Windows Server IIS? Gzip compress and serve WP-Super-Cache or Cache Enabler static HTML files, to supercharge your WordPress blog. Here is how to serve gzip compressed HTML files through Windows Server IIS: create smaller, compressed, static HTML files, that are downloaded faster. This works with WP-Super-Cache and Cache Enabler on IIS!

Read more

WordPress advisory: Akal premium theme XSS vulnerability & abandonded

Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a SQL injection Denial-of-Service in a later to be disclosed plugin. This post describes the Akal premium WordPress theme XSS vulnerability.

Read more

SSL in WordPress: how to move WordPress to HTTPS? The definitive guide

Having an SSL certificate in your WordPress is the de-facto standard nowadays, did you know that? Google ranks sites having HTTPS higher in their SERP. But in WordPress, how do you configure an SSL certificate and HTTPS URL? You’ll learn the important steps to move WordPress from http to https in this post.

Read more

17 Valuable WordPress snippets you never knew you could live without

17 valuable WordPress snippets for a site-specific plugin and functions.php that give you a better WordPress experience. Enhance your WordPress site with these small PHP snippets: WordPress filters, actions and functions. Quickly add or extend the functionality you need for your WordPress website! Read on…

Read more

Breaking into a WordPress site without knowing WordPress/PHP or InfoSec at all

Someone posted to notehub.org an article on how he broke into his college’s WordPress website, without having any prior knowledge of WordPress, PHP, and without any experience with hacking web servers. The attempts were spread out over a month, but effectively totaled a day maybe. The author said to have learned a lot of things while doing the research part which accounted for most of his time, though. On NoteHub, he shares some of the relevant details and how he went along doing this.

Read more

XSS Vulnerability in Wordfence 6.1.1 to 6.1.6

Security researcher Kacper Szurek reported a reflected XSS vulnerability in the current version of Wordfence. The CVSS scoring mechanism rates the severity of this XSS vulnerability as medium. A Wordfence update 6.1.7 is released to address the XSS vulnerability.

Read more

WordPress 4.5.2 Security Release

WordPress 4.5.2 – a security release – is just released tonight. WordPress 4.5.2 fixes a vulnerability through Plupload, the third-party library WordPress uses for uploading files.

Read more

HackRepair.com’s Bad Bots .htaccess in web.config for IIS

Jim Walker from HackRepair.com posted a 2016 version of his Bad Bots .htaccess on Pastebin. I offered Jim to translate his Bad Bots .htaccess to web.config, to be used with Windows Server IIS. And here it is, learn to protect your website with this web.config file!

Read more

Deny vulnerable WordPress plugins using Windows Server File Server Resource Manager’s File Screens

Using Windows Server File Server Resource Manager’s File Screens you can block vulnerable WordPress plugins from being saved on your IIS web server. In the following example, you’ll learn how to block WP DB Backup plugin system-wide on Windows Server, read on…

Read more