Penetration testing for WordPress websites
WordPress powers a large share of the websites on the Internet, so it is no surprise that both seasoned attackers and “script-kiddies” like to target WordPress websites. Whether you are a webmaster or a security professional, when you are tasked with assessing the security posture of a WordPress website it helps to be aware of the common security pitfalls attackers take advantage of, and to use the right penetration testing tools. In this article I cover a number of common security holes, bad practices and pieces of information an attacker may be able to abuse in many WordPress installations. I’ll also highlight a […]

Should maintained plugins be suspended from the WordPress repository when there is a security issue?
On 27th February 2020, at 9:34PM (CET), we received an email notifying us that our plugin WP Security Audit Log was “temporarily withdrawn from the Plugin directory due to an exploit”. We submitted a fix on Friday, 28th February 2020, at 4:08PM. It only took us 16.5 hours to release the fix. We would have fixed the issue much earlier had this happened during our normal working hours (we are based in Europe), because we have a very good support response time (reference). Our plugin was reinstated on Monday, 2nd March 2020, at 1:00PM. That is 69 hours after […]

PPMWP 2.1: the new dormant users policy & support for post login redirects
Password Policy Manager for WordPress 2.1 is out today! In this plugin update we added a new policy to disable dormant users, support for post-login redirect plugins, and several other improvements. This post highlights all that is new and improved in the latest version of Password Policy Manager for WordPress. The dormant WordPress users policy The dormant users policy is an additional layer of security on top of the password expiry policy. Users are marked as dormant when their password expires and they do not change it within 30 days. Dormant users are effectively locked user accounts, therefore they […]

Why your WordPress e-commerce solution has to be secure (and how to do it)
There is plenty you need to do to ensure your e-commerce store offers the best possible user experience (UX): keeping WordPress and all other software up to date, optimizing your store and, of course, making sure it is safe to use and secure. By safe to use we mean doing your best to protect your customers’ data and making sure nobody besides you and your team has access to your store’s back end. Choosing the right web host, for example, goes a long way towards offering a secure e-commerce experience, but that is just one of many factors. In this article, we’re going to […]

Setting up 2FA on WordPress with the Google Authenticator app
Whenever you implement a security measure, you should not rely on it alone: you do not want to be compromised by the failure of a single component. Layering controls so that no single failure is fatal is known as defense in depth. When you manage a WordPress website, one of the most important aspects of security is authentication, i.e. how you log in to your website. One of the ways to improve the defense in depth of your WordPress login mechanism is to implement 2FA. Improving defense in depth with two-factor authentication A way of adding defense in depth to your WordPress authentication mechanism is by implementing two-factor authentication (2FA). […]

How to eliminate false positives in file integrity monitoring on WordPress
File integrity monitoring (FIM) allows you to quickly detect file changes on your WordPress site. It is an important part of securing a WordPress site and the way it works is very simple: it computes a cryptographic hash of each monitored file and compares it with the hash recorded in a baseline. When a hash differs, you get an alert. However, there is a major problem with unsophisticated approaches to file integrity monitoring: false positives (aka false alarms). Not all file changes on a WordPress website are harmful or a sign of an attack; many are harmless and expected parts of maintenance, such as updates and media uploads. So false positives lead […]
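The following is an added example (not code from the article or from any WP White Security product) of the baseline-and-compare loop described above, with the two most common sources of false positives handled: paths that legitimately change all the time (uploads, cache, logs) are skipped, and a file whose new hash matches a hash you recorded from a trusted copy (for example right after a deliberate update) is treated as an expected change rather than tampering. The directory tree, file contents, ignore patterns and trusted hash are all constructed for the demo and are not a real WordPress install.

```php
<?php
// Added example: minimal FIM for a WordPress tree with false-positive suppression.
// Requires PHP 7+. The demo tree below is constructed in the system temp dir.

function fim_baseline(string $root): array {
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) continue;
        // Store paths relative to the root, with forward slashes, so the
        // baseline is portable and the ignore patterns below match on any OS.
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $rel = str_replace(DIRECTORY_SEPARATOR, '/', $rel);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

function fim_compare(array $baseline, array $current, array $ignore_patterns, array $trusted_hashes): array {
    $report = ['added' => [], 'modified' => [], 'deleted' => [], 'suppressed' => []];
    $is_ignored = function (string $path) use ($ignore_patterns): bool {
        foreach ($ignore_patterns as $re) {
            if (preg_match($re, $path)) return true;
        }
        return false;
    };
    foreach ($current as $path => $hash) {
        if ($is_ignored($path)) { $report['suppressed'][] = $path; continue; }
        if (!isset($baseline[$path])) { $report['added'][] = $path; continue; }
        if ($baseline[$path] !== $hash) {
            // A change TO a known-good hash is an expected update, not an attack.
            if (isset($trusted_hashes[$path]) && $trusted_hashes[$path] === $hash) {
                $report['suppressed'][] = $path;
            } else {
                $report['modified'][] = $path;
            }
        }
    }
    foreach ($baseline as $path => $hash) {
        if (!isset($current[$path]) && !$is_ignored($path)) $report['deleted'][] = $path;
    }
    return $report;
}

// --- constructed demo tree (not a real WordPress install) ---
$root = sys_get_temp_dir() . '/fim_demo_' . getmypid();
mkdir("$root/wp-content/uploads", 0700, true);
mkdir("$root/wp-includes", 0700, true);
file_put_contents("$root/wp-config.php", "<?php define('DB_NAME', 'wp');\n");
file_put_contents("$root/wp-includes/version.php", "<?php \$wp_version = '5.3.1';\n");
file_put_contents("$root/wp-content/uploads/photo.jpg", "jpegdata");

$baseline = fim_baseline($root);

// Simulate what happens on a live site between two scans:
file_put_contents("$root/wp-includes/version.php", "<?php \$wp_version = '5.3.2';\n"); // legitimate update
file_put_contents("$root/wp-content/uploads/new.jpg", "jpegdata2");                    // editor uploads media
file_put_contents("$root/wp-config.php", "<?php define('DB_NAME', 'wp'); eval(\$_GET['x']);\n"); // tampering
file_put_contents("$root/wp-content/shell.php", "<?php system(\$_GET['c']);\n");        // dropped web shell

$current = fim_baseline($root);
$ignore  = ['#^wp-content/uploads/#', '#^wp-content/cache/#', '#\.log$#'];
// Hash of version.php as shipped in the release you just installed, recorded
// from a trusted copy (here computed from the known-good content for the demo).
$trusted = ['wp-includes/version.php' => hash('sha256', "<?php \$wp_version = '5.3.2';\n")];

print_r(fim_compare($baseline, $current, $ignore, $trusted));
// Expected: added = [wp-content/shell.php], modified = [wp-config.php], deleted = [],
// suppressed = [uploads/new.jpg, uploads/photo.jpg, wp-includes/version.php]

// Tidy up the demo tree.
foreach (array_keys($current) as $rel) unlink("$root/$rel");
foreach (["$root/wp-content/uploads", "$root/wp-content", "$root/wp-includes", $root] as $d) rmdir($d);
```

Only the web shell and the edited wp-config.php reach the alert list; the update and the uploads are reported as suppressed so you can still audit them. In practice the trusted hash list would be built from the files of the release you installed, not from a string in the script.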

WordPress automatic updates: understanding and configuring them
We all know how important it is to keep the WordPress core, plugins, and themes up to date. Failing to do so leaves your website exposed to attacks against publicly known vulnerabilities. Luckily, since version 3.7 WordPress has automatic background updates. However, by default automatic updates only apply to minor releases, for example from 5.3.1 to 5.3.2. In this article we look at how you can configure automatic updates and enable them for WordPress major version updates as well as plugin and theme updates. We also see how you can turn automatic updates off. Let’s dive right into WordPress automatic updates. The different […]
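As an added example (not taken from the article), here is the configuration it describes expressed as a must-use plugin, using WordPress’s own auto-update filters: opting core into major releases, enabling theme and plugin updates, pinning one plugin so it is never auto-updated, and the switch that turns the background updater off entirely. The plugin slug in the pin list is an assumed placeholder.

```php
<?php
/*
Plugin Name: Auto-update policy (added example)
Description: Drop this file into wp-content/mu-plugins/ to control background updates.
*/

// Core: by default only minor releases (5.3.1 -> 5.3.2) install themselves.
// This opts the site into major releases (5.3 -> 5.4) too. It is the filter
// equivalent of define('WP_AUTO_UPDATE_CORE', true) in wp-config.php;
// define('WP_AUTO_UPDATE_CORE', 'minor') is the default, false disables core updates.
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins and themes are NOT auto-updated by default. Enable all themes...
add_filter('auto_update_theme', '__return_true');

// ...and all plugins except a pin list of ones you test manually before updating.
add_filter('auto_update_plugin', function ($update, $item) {
    $pinned = [
        'some-custom-plugin/some-custom-plugin.php', // assumed placeholder slug
    ];
    if (isset($item->plugin) && in_array($item->plugin, $pinned, true)) {
        return false;
    }
    return true;
}, 10, 2);

// To turn the background updater off altogether (for example because updates are
// rolled out from CI/CD after testing), use either of these instead:
// add_filter('automatic_updater_disabled', '__return_true');
// define('AUTOMATIC_UPDATER_DISABLED', true);   // in wp-config.php
```

A must-use plugin is used rather than a normal plugin so the policy cannot be deactivated from the dashboard. Whichever way you configure it, keep the constants in wp-config.php and the filters in agreement; the constant wins when both are set.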

Strong WooCommerce passwords – enforcing policies without deterring customers
Keeping your eCommerce store secure is a must. Not only is it an important source of income for your business, but it also contains sensitive customer information, such as billing details and credit card numbers. Strong passwords can prevent many cyber attacks, but you’ll need a way to enforce them without deterring customers. By creating thoughtful password policies and using intuitive software, you can help your staff and customers craft secure passwords for their WooCommerce store accounts. This also applies to any other eCommerce store on WordPress. At the same time, you can avoid annoying them with tedious requirements that […]

Using WPScan to find WordPress vulnerabilities on your website
WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities in the WordPress core as well as in popular WordPress plugins and themes. Since it is a black box scanner, it mimics a real attacker: it does not rely on any sort of access to your WordPress dashboard or source code to conduct its tests. In other words, if WPScan can find a vulnerability in your WordPress website, so can an attacker. WPScan checks the target against its vulnerability database for known vulnerabilities. The team […]

Why you need both Two-factor Authentication & strong passwords on WordPress sites
Two-factor authentication (2FA) is an important part of maintaining the security of a WordPress site. However, 2FA alone isn’t enough to harden your WordPress site authentication. Strong passwords are also an important part, even when using two-factor authentication. In this article we review 2FA, explain how hackers are bypassing it in some cases, and provide tips for using strong passwords on your WordPress website to complement 2FA. Two-factor authentication explained Two-factor authentication is a way to authenticate to a system using a combination of two different factors. Generally, there are three different “factors” that may be used for 2FA. These […]
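The Google Authenticator setup covered earlier on this page and the 2FA explanation above both rest on the same mechanism: time-based one-time passwords (RFC 6238 TOTP, SHA-1, 30-second step, 6 digits). The block below is an added example, not code from either article or from any WordPress plugin, showing how the code shown in the app is derived from the shared secret and the clock, and how a server should verify it (a small tolerance window for clock drift, and a constant-time comparison). It self-checks against the published RFC 6238 test vector; the base32 string is the encoding of that test seed.

```php
<?php
// Added example: RFC 6238 TOTP as used by Google Authenticator. Requires PHP 7+.

// Google Authenticator takes the secret base32-encoded (otpauth://totp/...?secret=...).
function base32_decode_rfc4648(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) throw new InvalidArgumentException("bad base32 character: $c");
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) $out .= chr(bindec($byte)); // drop trailing padding bits
    }
    return $out;
}

// HOTP (RFC 4226) over the time counter T = floor(unix_time / step).
function totp(string $secret, int $time, int $step = 30, int $digits = 6): string {
    $counter = intdiv($time, $step);
    $msg  = pack('J', $counter);                      // 8-byte big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);   // 20 raw bytes
    $offset = ord($hmac[19]) & 0x0f;                  // dynamic truncation
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          |  ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Server-side check: accept the current step plus/minus $window steps so a code
// typed just as the step rolls over still works, and compare in constant time.
function totp_verify(string $secret, string $submitted, int $time, int $window = 1, int $step = 30): bool {
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp($secret, $time + $i * $step, $step), $submitted)) return true;
    }
    return false;
}

// Self-test against RFC 6238 Appendix B (ASCII seed "12345678901234567890").
$seed = '12345678901234567890';
if (totp($seed, 59) !== '287082' || totp($seed, 1111111109) !== '081804') {
    throw new RuntimeException('TOTP self-test failed');
}
$b32 = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';  // base32 of the seed above
if (base32_decode_rfc4648($b32) !== $seed) {
    throw new RuntimeException('base32 self-test failed');
}
if (!totp_verify($seed, totp($seed, 1000), 1029)) {   // 29 s later, same step
    throw new RuntimeException('verify failed inside the window');
}

// Live code for the demo secret, matching what the app would show right now.
echo totp(base32_decode_rfc4648($b32), time()), "\n";
```

Two things the excerpt’s “2FA alone isn’t enough” point maps onto directly: the code is only as secret as the seed (a leaked user_meta row or backup gives an attacker the generator), and a server that accepts a wide window or reuses a code within its step can be brute-forced or replayed, which is why the window is kept to one step and why the password factor still matters.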