Using WPScan to find WordPress vulnerabilities on your website
WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities within the WordPress core, as well as popular WordPress plugins and themes. Since it is a WordPress black box scanner, it mimics a real attacker. This means it does not rely on any sort of access to your WordPress dashboard or source code to conduct the tests. In other words, if WPScan can find a vulnerability in your WordPress website, so can an attacker. WPScan uses the vulnerability database called to check the target for known vulnerabilities. The team […]

Why you need both Two-factor Authentication & strong passwords on WordPress sites
Two-factor authentication (2FA) is an important part of maintaining the security of a WordPress site. However, 2FA alone isn’t enough to harden your WordPress site authentication. Strong passwords remain essential, even when two-factor authentication is in use. In this article we review 2FA, explain how hackers are bypassing it in some cases, and provide tips for using strong passwords on your WordPress website to complement 2FA. Two-factor authentication explained Two-factor authentication is a way to authenticate to a system using a combination of two different factors. Generally, there are three different “factors” that may be used for 2FA. These […]
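The two pieces the article says belong together, a time-based one-time code (the "something you have" factor) and a password policy, as an added example that is not code from the original post or from any WP White Security plugin. The TOTP routine follows RFC 4226/6238 with HMAC-SHA1 and a 30-second step; the demo seed is the RFC's public test secret and the breached-password set is a constructed stand-in for a real corpus.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

# Constructed demo seed: the RFC 6238 reference secret, ASCII "12345678901234567890".
# It is public test data, not anyone's real enrolment secret.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed stand-in for a breached-password list; a real deployment would
# query a proper corpus (e.g. a k-anonymity password API) instead of an inline set.
BREACHED = {"password", "password123", "qwerty123456", "letmein1234"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, now // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time=None,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock drift),
    comparing in constant time so the check does not leak via timing."""
    now = int(time.time()) if at_time is None else int(at_time)
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, now + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def check_password(password: str, min_length: int = 12) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        failures.append("fewer than three character classes")
    if password.lower() in BREACHED:
        failures.append("appears in a breached-password list")
    return failures


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32)
    print("current TOTP:", code, "verifies:", verify_totp(DEMO_SECRET_B32, code))
    print("weak password:", check_password("password123"))
    print("strong password:", check_password("Correct-Horse-Battery-9"))
```

The drift window is deliberately small (one step each side); widening it makes a stolen or phished code usable for longer, which is one reason the second factor does not excuse a weak first one.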

WFCM 1.4 – Improved file changes coverage for WordPress websites
These last few weeks we have been busy working on our file integrity monitor plugin for WordPress: Website File Changes Monitor. In this update we focused on improving the coverage of the plugin, so it can detect file changes which it didn’t before. Let’s dive in and see what is new in update 1.4. Detect changes in files with special characters in the filename Up until update 1.4 the plugin ignored files with special characters in their name, such as ind+ex.php, or !hello.php. So we redesigned the file integrity monitor scanning engine to handle special characters. The result? Much improved file […]
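A minimal file integrity monitor, as an added example that is not the Website File Changes Monitor plugin's code, showing the edge case the release notes describe: a baseline that whitelists "safe" filename characters silently drops files such as ind+ex.php or !hello.php, so changes to them are never reported. The filenames and directory layout are constructed for the demo; `skip_odd_names` is a hypothetical switch that reproduces the pre-1.4 behaviour for comparison.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# A conservative whitelist of the kind that causes files to be skipped:
# anything with "+", "!", a space, etc. fails to match and is never hashed.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_odd_names: bool = False) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    skip_odd_names=True mimics a scanner that drops names failing SAFE_NAME."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if skip_odd_names and not SAFE_NAME.match(name):
                continue
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baselines(before: dict, after: dict) -> dict:
    """Classify paths as added, removed or modified between two baselines."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys()
                           if before[k] != after[k]),
    }


def demo(skip_odd_names: bool = False) -> dict:
    """Constructed site tree: take a baseline, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content").mkdir()
        (root / "index.php").write_text("<?php // unchanged\n")
        (root / "ind+ex.php").write_text("<?php // plus sign in name\n")
        (root / "!hello.php").write_text("<?php // bang in name\n")
        before = build_baseline(root, skip_odd_names)

        # Simulated tampering: modify one odd-named file, delete another,
        # and drop a new file with a space in its name into wp-content.
        (root / "ind+ex.php").write_text("<?php // contents replaced\n")
        (root / "!hello.php").unlink()
        (root / "wp-content" / "up loader.php").write_text("<?php // new file\n")
        after = build_baseline(root, skip_odd_names)
        return diff_baselines(before, after)


if __name__ == "__main__":
    print("full coverage     :", demo())
    print("whitelisted names :", demo(skip_odd_names=True))
```

With the whitelist in place all three changes go unreported; walking the directory and hashing every entry, whatever its name, is what closes the gap.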

Password Policy Manager 2.0 – Multisite networks support & first time login password change
Today we are announcing Password Policy Manager 2.0! We are very excited about this release. Finally, WordPress multisite network administrators can also enforce strong password policies. In this update we have also added the new first time login password change policy. In addition to these new features, we have added several other plugin improvements, as we highlight in these release notes. WordPress multisite network support Typically, multisite networks have many users. In most cases the network’s administrators do not even know who is behind each user account, or how security conscious they are. So the need to enforce strong WordPress password policies […]

Understanding DDoS attacks: a guide for WordPress administrators
A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS) attack in which the traffic comes from many hosts rather than one, which makes it much harder to block. As with any DoS attack, the objective is to make a target unavailable by overloading it in some way. Generally, a DDoS attack entails a number of compromised computers, or bots. During the attack each computer sends requests to overload the target. Typical targets are web servers and websites, including WordPress websites. As a result, users are unable to access the website or service. This happens because […]
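Why the "many hosts" part matters in practice, as an added example that is not part of the original guide: a per-IP rate limit catches a single noisy source, but a flood spread over many bots can stay under any per-IP threshold while still saturating the server. The code buckets access-log lines into fixed windows and labels an overloaded window as concentrated or distributed. The log lines are constructed for the demo (TEST-NET address ranges) and the thresholds are arbitrary.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format prefix: client IP, identd, user, [timestamp], "request", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_floods(lines, window_s=10, total_threshold=50, per_ip_threshold=20):
    """Bucket requests into fixed windows and report windows whose volume exceeds
    total_threshold. A window is 'concentrated' if some source alone exceeds
    per_ip_threshold, otherwise 'distributed' (many sources, none conspicuous)."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        start = int(ts.timestamp()) // window_s * window_s
        buckets[start][ip] += 1

    findings = []
    for start in sorted(buckets):
        per_ip = buckets[start]
        total = sum(per_ip.values())
        if total < total_threshold:
            continue
        heavy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
        findings.append({
            "window_start": start,
            "requests": total,
            "distinct_ips": len(per_ip),
            "heavy_hitters": heavy,
            "pattern": "concentrated" if heavy else "distributed",
        })
    return findings


def make_sample_log():
    """Constructed log: 60 bots sending two requests each inside one 10-second
    window, followed by ordinary traffic a few minutes later."""
    lines = []
    for i in range(1, 61):
        for _ in range(2):
            lines.append(f'203.0.113.{i} - - [10/Oct/2019:12:00:0{i % 10} +0000] '
                         f'"GET /wp-login.php HTTP/1.1" 200 1234')
    for i in range(1, 6):
        lines.append(f'198.51.100.{i} - - [10/Oct/2019:12:05:0{i} +0000] '
                     f'"GET /about/ HTTP/1.1" 200 4321')
    return lines


if __name__ == "__main__":
    for finding in find_floods(make_sample_log()):
        print(finding)
```

In the sample no bot sends more than two requests, so a per-IP rule never fires; only the window total reveals the attack, which is why volumetric DDoS is normally absorbed upstream (CDN, provider scrubbing) rather than at the WordPress host.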

Top reasons why WordPress websites get hacked (and how you can stop it)
Hacking is the process of finding flaws in a system, and exploiting them to bypass security controls. ‘Ethical’ hackers use this process to learn about a system and find its weaknesses. However, malicious or ‘black hat’ hacking is also common. It is often used to break into websites. There are a lot of reasons why hackers target WordPress sites. One of them is the platform’s sheer popularity. By knowing what these reasons are, you’ll gain a better understanding of how to protect your website. In this article, we’re going to break down the reasons people hack websites. Then we’ll talk […]

Choosing the right HTTPS certificate for your WordPress website
In our previous post WordPress HTTPS, SSL and TLS – a guide for website administrators, we explained what HTTPS and all the other technical terms are, and how it works. In this article, we discuss HTTPS certificates, the different ways you may acquire one for your WordPress website, and why you should or shouldn’t pay for one. Let’s dive right in. What is an HTTPS certificate? Before we can discuss the hows and whys of HTTPS certificates, we need to discuss what a certificate is in the first place. A certificate is used to: identify the web server and establish encrypted traffic between the web […]

WordPress HTTPS, SSL & TLS – A Guide For Website Administrators
When you visit a website, your browser (also known as the client) sends an HTTP request to a web server. Once the web server sends an HTTP response, the browser can then render the page to your screen. However, HTTP traffic has a problem: it is a plaintext protocol. This makes it susceptible to snooping and tampering. If an attacker is on the same network as you they can intercept and read your HTTP traffic. They may also modify both your requests to the server and the server’s responses back to you. This is known as a Man-in-the-Middle […]
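The response-tampering scenario from the paragraph above, run end to end on the loopback interface as an added example (not code from the original guide): a plaintext "origin" server, an on-path attacker that relays the request and rewrites the reply, and a client that sees a different page depending on which path its traffic takes. The page body and the account number in it are constructed.

```python
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import ProxyHandler, build_opener

# Constructed page body; the account number is what the attacker rewrites.
ORIGIN_BODY = b"<html><body>Pay your invoice to account 12345</body></html>"

# Direct connections only, so a system-wide http_proxy setting cannot interfere.
OPENER = build_opener(ProxyHandler({}))


class OriginHandler(BaseHTTPRequestHandler):
    """The legitimate web server, speaking plaintext HTTP."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(ORIGIN_BODY)))
        self.end_headers()
        self.wfile.write(ORIGIN_BODY)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def make_mitm_handler(origin_port: int):
    """Handler for the on-path attacker: relays each request to the origin and
    rewrites the response before it reaches the victim."""

    class MitmHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            with OPENER.open(f"http://127.0.0.1:{origin_port}{self.path}") as upstream:
                body = upstream.read()
            tampered = body.replace(b"12345", b"99999")
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(tampered)))
            self.end_headers()
            self.wfile.write(tampered)

        def log_message(self, *args):
            pass

    return MitmHandler


def serve(handler):
    """Bind to an ephemeral loopback port and serve in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Return (what the origin sent, what the victim received via the attacker)."""
    origin = serve(OriginHandler)
    mitm = serve(make_mitm_handler(origin.server_port))
    try:
        direct = OPENER.open(f"http://127.0.0.1:{origin.server_port}/").read()
        via_attacker = OPENER.open(f"http://127.0.0.1:{mitm.server_port}/").read()
    finally:
        for s in (mitm, origin):
            s.shutdown()
            s.server_close()
    return direct, via_attacker


if __name__ == "__main__":
    direct, via = demo()
    print("direct      :", direct.decode())
    print("via attacker:", via.decode())
```

The rewrite succeeds only because plaintext HTTP gives the client no way to authenticate the server or detect modification. Over HTTPS the attacker would have to present a certificate for the site's hostname that the browser trusts; failing that, the connection is refused before any page is shown.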

Interview with Ivica Delic on WordPress professionals & security
So far we have only interviewed people who understand and work in application and WordPress security. We have always heard the vendors’ voice. However, in this interview we took a different approach. We interviewed Ivica Delic, a WordPress professional, about security. The scope of this interview is to better understand how WordPress professionals, for whom security may not be their cup of tea, see and understand security products and services. This interview also helps us understand where we can improve and what these professionals are doing to keep their customers’ websites secure. Ivica Delic has been working with WordPress since […]

Website File Changes Monitor 1.3 – UX improvements
Since this is only the third update of the Website File Changes Monitor plugin, we are still finding new ways to improve the user experience (UX). Thankfully, we get a lot of valuable feedback from the plugin users on how we can make the plugin easier to use and better. Let’s jump right in and see what is new and improved in update 1.3 of our WordPress file integrity monitor plugin. UX improvements in update 1.3 Timestamp of file change: with this update the plugin reports the date and time when it identified the file change. The format of […]