Security?

WordPress .htaccess security best practices in Apache 2.4.6+

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’. Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?

Read More

Increase WordPress’ memory limit WP_MEMORY_LIMIT properly in wp-config.php

How to increase the memory limit for your WordPress website, the right way. The WordPress memory limit can be increased by the WP_MEMORY_LIMIT variable in wp-config.php. However, I see this done wrong over and over again in WordPress plugins and themes. In a worst case scenario this may even decrease the available amount of memory for WordPress! So be careful with the advice you follow. In this post I show you a correct way of setting WordPress WP_MEMORY_LIMIT and PHP memory_limit settings.

Read More

WordPress XMLPRC

Protect WordPress from brute-force XML-RPC attacks

The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress released version 3.9.2, fixing a possible denial of service issue in PHP’s XML processing. There are brute-force amplification attacks, reported by Sucuri, and so on. So, how do you protect WordPress from these xmlrpc.php attacks, optionally still being able to use (some of) its functionality like Jetpack? This post gives you some insights.

Read More

brown wooden blocks on white surface

Check WordPress Core files integrity

Learn the importance of checking and verifying WordPress Core files md5 checksums against WordPress’ checksums API, using this standalone PHP file. WordPress integrity matters and therefore I chose to use a standalone PHP script to check the md5sum of WordPress Core files against the API. Doing os makes you’re not dependent on a possibly hacked WordPress installation. This kind of guarantees the result can be trusted, as opposed to using a WordPress plugin. I think this is a better integrity check of WordPress Core files.

Read More