WordPress .htaccess security best practices in Apache 2.4.6+
Since Apache 2.4, access control is handled by a new module, mod_authz_core, so the syntax for allowing or denying hosts and IP addresses access to your website has changed: Order, Allow and Deny have been replaced by Require. Unfortunately, old documentation is rarely updated and people still write blog posts using the old syntax, which can leave your website unprotected. Not what you had in mind, now is it?
Increase WordPress’ memory limit WP_MEMORY_LIMIT properly in wp-config.php
The WordPress memory limit can be increased with the WP_MEMORY_LIMIT constant in wp-config.php. However, I see this done wrong over and over again in WordPress plugins and themes; in the worst case it even decreases the amount of memory available to WordPress. So be careful with the advice you follow. In this post I show you a correct way of setting WordPress' WP_MEMORY_LIMIT and PHP's memory_limit.
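As an added example (not the post's own code), here is a wp-config.php fragment that only ever raises the limit. It compares the value you would like with what PHP already allows and never defines a smaller WP_MEMORY_LIMIT. No WordPress functions are loaded yet when wp-config.php runs, so the shorthand parser is a constructed stand-in for WordPress' own wp_convert_hr_to_bytes(); the wpcfg_ prefix and the 256M target are assumptions.

```php
<?php
// Added example for wp-config.php (not the post's code). Place it above the
// "/* That's all, stop editing! */" line. WordPress functions are not
// available at this point, hence the small helper below.

/**
 * Convert a php.ini shorthand value ("128M", "1G", "-1") to bytes.
 * -1 means "unlimited" and is mapped to PHP_INT_MAX so comparisons work.
 * Constructed stand-in for wp_convert_hr_to_bytes(), which is not loaded yet.
 */
function wpcfg_shorthand_to_bytes( string $value ): int {
    $value = trim( $value );
    if ( '-1' === $value ) {
        return PHP_INT_MAX;
    }
    $number = (int) $value; // "128M" casts to 128
    switch ( strtoupper( substr( $value, -1 ) ) ) {
        case 'G':
            return $number * 1024 * 1024 * 1024;
        case 'M':
            return $number * 1024 * 1024;
        case 'K':
            return $number * 1024;
        default:
            return $number;
    }
}

$wpcfg_wanted_limit = '256M';                              // what WordPress should get (assumption)
$wpcfg_php_limit    = (string) ini_get( 'memory_limit' );  // what PHP allows right now

// Only define a value that is an increase. WordPress itself never lowers
// memory_limit, so a smaller WP_MEMORY_LIMIT gains nothing, and a plugin that
// passes WP_MEMORY_LIMIT straight into ini_set() would actively shrink the
// memory you already had.
if ( wpcfg_shorthand_to_bytes( $wpcfg_wanted_limit ) > wpcfg_shorthand_to_bytes( $wpcfg_php_limit ) ) {
    define( 'WP_MEMORY_LIMIT', $wpcfg_wanted_limit );
} else {
    define( 'WP_MEMORY_LIMIT', $wpcfg_php_limit );
}
```

Two caveats: WP_MEMORY_LIMIT only works when PHP lets scripts change memory_limit at runtime; on hosts that forbid that you have to raise it in php.ini or .user.ini instead. And leave WP_MAX_MEMORY_LIMIT (used by the admin and the updater) undefined unless you need it, because current WordPress versions already default it to 256M or WP_MEMORY_LIMIT, whichever is larger.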
Protect WordPress from brute-force XML-RPC attacks
The WordPress XML-RPC API has been under attack for many years. Back in August 2014, WordPress 3.9.2 fixed a possible denial-of-service issue in PHP's XML processing, and Sucuri has reported brute-force amplification attacks through system.multicall, to name just two. So how do you protect WordPress against these xmlrpc.php attacks while optionally keeping (some of) its functionality, like Jetpack, working? This post gives you some insights.
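One way to keep xmlrpc.php available for Jetpack but take away the methods the attacks rely on is a must-use plugin that filters the method table. This is an added example, not the post's own code; the plugin name and the assumption that Jetpack does not need these three methods are mine, so test your integrations after dropping it in.

```php
<?php
/**
 * Plugin Name: Restrict XML-RPC
 * Description: Added example (not the post's code). Put it in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// system.multicall lets a single HTTP request carry hundreds of login attempts
// (wp.getUsersBlogs with different passwords); pingback.ping turns the site
// into a DDoS reflector. Remove them, keep everything else.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    $blocked = array( 'system.multicall', 'pingback.ping', 'pingback.extensions.getPingbacks' );
    foreach ( $blocked as $method ) {
        unset( $methods[ $method ] );
    }
    return $methods;
} );

// Stop advertising the endpoint: no X-Pingback header, no <link rel="pingback">.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return ( 'pingback_url' === $show ) ? '' : $output;
}, 10, 2 );

// Only if nothing (Jetpack, mobile apps, remote publishing) uses XML-RPC:
// refuse all methods that require authentication. pingback.ping does not
// authenticate, so the method filter above is still needed even then.
// add_filter( 'xmlrpc_enabled', '__return_false' );
```

Removing methods does not stop the requests from arriving, so combine this with web server or firewall rate limiting on xmlrpc.php if the traffic itself is the problem; the filter only makes sure a request can no longer carry hundreds of password guesses or trigger an outbound pingback.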
Remove Jetpack email sharing service
The WordPress Jetpack email sharing service is frequently abused by spammers: they use the Send to Email Address feature to send spam, as happens with almost every "Tell a Friend" script. Here is how to disable the email share service in Jetpack.
How to make Twenty Seventeen theme full width in WordPress
The default WordPress theme Twenty Seventeen's content width can easily be changed to full width; all you need is a bit of CSS. To make Twenty Seventeen full width in WordPress, add the CSS to your theme's stylesheet or to the Customizer's Additional CSS.
Check WordPress Core files integrity
Check WordPress' integrity by verifying the md5 checksums of the WordPress Core files against WordPress' checksums API, using a standalone PHP file. I chose a standalone PHP script rather than a plugin so that the check does not depend on a possibly hacked WordPress installation: a plugin runs inside the very code it is supposed to verify, whereas the standalone script never loads WordPress. That makes the result considerably more trustworthy and, in my opinion, a better integrity check of WordPress Core files.
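As an added example (not the post's script), this is what such a standalone checker looks like. It reads the version from wp-includes/version.php with a regular expression rather than include(), fetches the manifest from the checksums API, and reports modified and missing files. It also lists PHP files under wp-admin and wp-includes that the release does not know about, because a backdoor is more often an added file than a changed one. It assumes PHP has the openssl extension and can reach api.wordpress.org; the file name wp-verify.php is an assumption.

```php
<?php
/**
 * Added example: standalone WordPress Core integrity check (not the post's code).
 * Usage: php wp-verify.php /var/www/example.com/htdocs [locale]
 * Assumes the openssl extension and outbound HTTPS to api.wordpress.org.
 */

$root = rtrim( $argv[1] ?? '.', '/' );

// Parse the version instead of include()-ing the file: on a compromised
// install, version.php could contain anything.
$version_file = (string) file_get_contents( $root . '/wp-includes/version.php' );
if ( ! preg_match( '/\$wp_version\s*=\s*\'([^\']+)\'/', $version_file, $m ) ) {
    fwrite( STDERR, "Cannot determine the WordPress version\n" );
    exit( 2 );
}
$version = $m[1];
$locale  = $argv[2] ?? 'en_US';

$api  = 'https://api.wordpress.org/core/checksums/1.0/?' . http_build_query( array( 'version' => $version, 'locale' => $locale ) );
$json = json_decode( (string) file_get_contents( $api ), true );
if ( empty( $json['checksums'] ) || ! is_array( $json['checksums'] ) ) {
    fwrite( STDERR, "No checksums available for $version/$locale\n" );
    exit( 2 );
}
$checksums = $json['checksums'];

$modified = $missing = $extra = array();

// 1. Every file in the release manifest must exist and match its md5.
foreach ( $checksums as $file => $md5 ) {
    $path = $root . '/' . $file;
    if ( ! is_file( $path ) ) {
        $missing[] = $file;
    } elseif ( md5_file( $path ) !== $md5 ) {
        $modified[] = $file;
    }
}

// 2. The manifest cannot flag files that were *added*. List PHP files under
//    wp-admin and wp-includes that are not part of the release.
foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root . '/' . $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $info ) {
        $rel = substr( $info->getPathname(), strlen( $root ) + 1 );
        $rel = str_replace( '\\', '/', $rel ); // manifest keys use forward slashes, also on Windows
        if ( preg_match( '/\.php$/i', $rel ) && ! isset( $checksums[ $rel ] ) ) {
            $extra[] = $rel;
        }
    }
}

foreach ( array( 'MODIFIED' => $modified, 'MISSING' => $missing, 'UNEXPECTED' => $extra ) as $label => $list ) {
    foreach ( $list as $file ) {
        echo "$label $file\n";
    }
}
printf(
    "WordPress %s (%s): %d manifest files, %d modified, %d missing, %d unexpected PHP files\n",
    $version, $locale, count( $checksums ), count( $modified ), count( $missing ), count( $extra )
);
exit( ( $modified || $missing || $extra ) ? 1 : 0 );
```

The manifest also covers the bundled themes and Akismet under wp-content, so those show up as modified when they were updated separately from Core; that is expected. What the check cannot catch is a compromise of the machine running it, so for a serious incident copy the tree to a clean box and run the script there.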
Clear PHP opcode caches before WordPress Updates: ease the updating process
In various hosting environments, WordPress Core, plugin and theme updates sometimes fail because of enabled opcode caches. Popular PHP opcode caches are OPcache, WinCache and APC. This little WordPress Must Use Plugin tries to flush those opcode caches, making your life a bit easier when updating WordPress Core, plugins and themes.
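As an added example (not the post's plugin), this must-use plugin flushes whichever of the three caches is loaded, once before the upgrader unpacks a package and once after it has finished. The opfl_ prefix is an assumption.

```php
<?php
/**
 * Plugin Name: Flush opcode caches around updates
 * Description: Added example (not the post's plugin). Goes in wp-content/mu-plugins/.
 */

/**
 * Reset whichever opcode cache is loaded. Returns the names of the caches
 * that were actually flushed so the caller can log what happened.
 */
function opfl_flush_opcode_caches(): array {
    $flushed = array();

    // OPcache: opcache_reset() returns false (and warns) when
    // opcache.restrict_api forbids this script from calling it.
    if ( function_exists( 'opcache_reset' ) && @opcache_reset() ) {
        $flushed[] = 'OPcache';
    }
    // WinCache: re-checks all cached files for changes.
    if ( function_exists( 'wincache_refresh_if_changed' ) && wincache_refresh_if_changed() ) {
        $flushed[] = 'WinCache';
    }
    // APC (not APCu): with no argument this clears the opcode cache.
    if ( function_exists( 'apc_clear_cache' ) ) {
        apc_clear_cache();
        $flushed[] = 'APC';
    }
    return $flushed;
}

// Before the upgrader installs a Core, plugin or theme package.
add_filter( 'upgrader_pre_install', function ( $response ) {
    opfl_flush_opcode_caches();
    return $response; // it is a filter: pass the value through untouched
} );

// And again once the new files are in place, so the next request compiles
// the new code instead of running stale opcodes against new files.
add_action( 'upgrader_process_complete', function () {
    $flushed = opfl_flush_opcode_caches();
    if ( $flushed ) {
        error_log( 'Flushed opcode caches after update: ' . implode( ', ', $flushed ) );
    }
} );
```

If OPcache runs with opcache.validate_timestamps=0 (common on tuned hosts), a reset from PHP is the only thing that makes changed files visible at all; and if opcache.restrict_api is set to a path outside the web root, no plugin can flush it and you need to restart PHP-FPM or the IIS application pool instead.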
The WinCache effect: Save with object caching
WinCache, or Windows Cache Extension for PHP, is a PHP accelerator that significantly increases the speed of PHP applications running on Windows Server IIS. Besides increasing the speed of PHP applications, WinCache decreases CPU usage, which makes it a win-win extension.
Benchmarking WordPress, simple load & speed testing with ApacheBench
ApacheBench, or ab, is a small benchmark utility that comes with Apache. It is a really simple HTTP load generating tool, ideal for a simple WordPress load and speed test. How fast does your WordPress site respond? How many HTTP requests per second can your server handle? These are questions on which ab can shed some light. Here is how to load test WordPress with ApacheBench.
Measure WordPress loading time and queries
During an HTTP request, WordPress executes a lot of queries on your MySQL database. It is not only the database queries that take time; loading and executing PHP takes time too. So how do you measure WordPress' loading time and the database queries it executed?
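As an added example (not the post's code), this must-use plugin for a staging site collects what WordPress itself already measures: timer_stop() for the time since WordPress started, get_num_queries() for the query count and, with SAVEQUERIES enabled, the per-query timings $wpdb keeps. It logs the slowest queries with their callers instead of printing anything to visitors. The rq_ prefix is an assumption.

```php
<?php
/**
 * Plugin Name: Request timing and slow queries
 * Description: Added example (not the post's code). mu-plugin for a staging
 *              site; writes to the PHP error log, shows nothing to visitors.
 */

// SAVEQUERIES makes $wpdb record every query with its execution time and call
// stack. It costs memory and time itself, so do not leave it on in production.
// $wpdb checks the constant per query, so defining it here works, but queries
// that ran before mu-plugins loaded are missed; define it in wp-config.php to
// capture all of them.
if ( ! defined( 'SAVEQUERIES' ) ) {
    define( 'SAVEQUERIES', true );
}

/**
 * Summarise the request: wall-clock time since WordPress started, number of
 * queries, total time spent in MySQL, and the $top slowest queries.
 */
function rq_request_summary( int $top = 5 ): array {
    global $wpdb;
    $queries = is_array( $wpdb->queries ) ? $wpdb->queries : array();

    // Each entry is array( $sql, $seconds, $caller, ... ); sort slowest first.
    usort( $queries, function ( $a, $b ) {
        return $b[1] <=> $a[1];
    } );

    return array(
        'total_time_s' => (float) timer_stop( 0, 4 ),
        'query_count'  => get_num_queries(),
        'db_time_s'    => round( array_sum( array_column( $queries, 1 ) ), 4 ),
        'slowest'      => array_map( function ( $q ) {
            return array(
                'time_s' => round( $q[1], 4 ),
                'sql'    => trim( preg_replace( '/\s+/', ' ', $q[0] ) ),
                'caller' => $q[2],
            );
        }, array_slice( $queries, 0, $top ) ),
    );
}

// Log at the very end of the request, after all queries have run.
add_action( 'shutdown', function () {
    if ( ( defined( 'DOING_CRON' ) && DOING_CRON ) || wp_doing_ajax() ) {
        return;
    }
    error_log( 'WP timing ' . ( $_SERVER['REQUEST_URI'] ?? '' ) . ' ' . wp_json_encode( rq_request_summary() ) );
} );
```

The caller column is what makes this useful: a slow query that comes from a plugin's init hook on every page view is a very different problem from one that only runs on a search page, and the log line tells you which it is.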
Tips to speed up WordPress, serve gzip compressed static HTML files
Who said WordPress is slow on Windows Server IIS? Gzip compress and serve WP-Super-Cache or Cache Enabler static HTML files to supercharge your WordPress blog. Here is how to serve gzip compressed HTML files through Windows Server IIS: create smaller, compressed, static HTML files that download faster. This works with WP-Super-Cache and Cache Enabler on IIS.
Optimized WordPress hosting (9+ practical tips)
Optimized WordPress hosting is a subject about which a lot has been written. This post is therefore not about where to host your WordPress blog or who offers the best WordPress hosting. It is for you, developers: what you can do to optimize your WordPress hosting, or that of any other PHP web application for that matter. It is not about setting up high availability, fail-over, clustering, IIS versus Nginx versus Apache, RAID 1, 5, 6 or 10, different types of storage, and so on. It is about solving performance issues.
WordPress advisory: Akal premium theme XSS vulnerability
Over the course of one week I had the opportunity to audit two hacked WordPress websites. I could quickly discover two vulnerabilities: a Cross Site Scripting, or XSS, in a premium WordPress theme Akal, and a Denial-of-Service in an undisclosed newsletter plugin. This post describes the Akal premium WordPress theme XSS vulnerability.
“How we broke PHP, hacked Pornhub and earned $20,000”
This is a very interesting read on how Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide) found a PHP unserialize bug and exploited it to gain remote code execution on Pornhub. Pornhub's bug bounty program runs on HackerOne. Instead of attacking Pornhub directly, they took another road and attacked what Pornhub is built upon: PHP.