How to eliminate false positives in file integrity monitoring on WordPress
File integrity monitoring (FIM) allows you to quickly detect file changes on your WordPress site. It is an important part of securing a WordPress site and the way it works is very simple: it compares baseline cryptographic hashes to the current hash of the monitored files. When a change happens, you get an alert. However, there is a major problem with unsophisticated approaches to file integrity monitoring: false positives (aka false alarms). Not all file changes on a WordPress website are harmful, or a sign of an attack. Many are harmless and expected parts of maintenance. So false positives lead […]

WordPress automatic updates: understanding and configuring them
We all know how important it is to keep the WordPress core, plugins, and themes up to date. Failing to do so leaves your website exposed to publicly known vulnerabilities. Luckily, since version 3.7 WordPress has had automatic background updates. However, by default automatic updates only apply to minor releases, for example from 5.3.1 to 5.3.2. In this article we look at how you can configure automatic updates and enable them for WordPress major version updates and for plugin and theme updates. We will also see how you can turn automatic updates off. Let’s dive right into WordPress automatic updates. The different […]
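As an added example (not code from the article), the following shows the three WordPress settings the excerpt refers to: the WP_AUTO_UPDATE_CORE constant, the auto_update_plugin and auto_update_theme filters, and the AUTOMATIC_UPDATER_DISABLED kill switch. The constant belongs in wp-config.php; the add_filter() calls must run after WordPress has loaded, so they are shown as a must-use plugin file. The plugin slug my-legacy-plugin is a hypothetical placeholder.

```php
<?php
// --- wp-config.php ---------------------------------------------------------
// true  = install every core release (major and minor) automatically
// 'minor' = the default: security and minor releases only
// false = never update core automatically
define( 'WP_AUTO_UPDATE_CORE', true );

// Uncomment to switch off ALL automatic updates (core, plugins, themes,
// translations). Only do this if you have another patching process.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// --- wp-content/mu-plugins/auto-updates.php ------------------------------
// Must-use plugins are always loaded, so the filters below apply regardless
// of which plugins are active. add_filter() is not available yet when
// wp-config.php runs, which is why these lines do not go there.

// Let WordPress install every plugin and theme update it finds.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Opt a single plugin out again. $item->slug is the plugin's directory
// name; 'my-legacy-plugin' is a hypothetical slug used for illustration.
add_filter(
	'auto_update_plugin',
	function ( $update, $item ) {
		if ( isset( $item->slug ) && 'my-legacy-plugin' === $item->slug ) {
			return false; // keep this one on manual updates
		}
		return $update; // fall back to whatever earlier filters decided
	},
	20, // run after the __return_true filter registered at priority 10
	2
);
```

The opt-out callback runs at priority 20 so that it sees, and can override, the blanket __return_true decision registered at the default priority 10; with the priorities reversed the blanket rule would win.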

Strong WooCommerce passwords – enforcing policies without deterring customers
Keeping your eCommerce store secure is a must. Not only is it an important source of income for your business, but it also contains sensitive customer information, such as billing details and credit card numbers. Strong passwords can prevent many cyber attacks, but you’ll need a way to enforce them without deterring customers. By creating thoughtful password policies, and using intuitive software you can help your staff and customers craft secure passwords for their WooCommerce store accounts. This also applies to any other eCommerce store on WordPress. At the same time, you can avoid annoying them with tedious requirements that […]

Using WPScan to find WordPress vulnerabilities on your website
WPScan is an open source WordPress security scanner. You can use it to scan your WordPress website for known vulnerabilities in the WordPress core, as well as in popular WordPress plugins and themes. Since it is a black box scanner, it mimics a real attacker: it does not rely on any access to your WordPress dashboard or source code to conduct its tests. In other words, if WPScan can find a vulnerability in your WordPress website, so can an attacker. WPScan checks the target against a database of known WordPress vulnerabilities. The team […]

Why you need both Two-factor Authentication & strong passwords on WordPress sites
Two-factor authentication (2FA) is an important part of maintaining the security of a WordPress site. However, 2FA alone isn’t enough to harden your WordPress site authentication. Strong passwords remain an important part, even when using two-factor authentication. In this article we review 2FA, explain how attackers bypass it in some cases, and provide tips for using strong passwords on your WordPress website to complement 2FA. Two-factor authentication explained Two-factor authentication is a way to authenticate to a system using a combination of two different factors. Generally, there are three different “factors” that may be used for 2FA. These […]

WFCM 1.4 – Improved file changes coverage for WordPress websites
These last few weeks we have been busy working on our file integrity monitor plugin for WordPress: Website File Changes Monitor. In this update we focused on improving the coverage of the plugin, so it can detect file changes which it didn’t before. Let’s dive in and see what is new in update 1.4. Detect changes in files with special characters in the filename Up until update 1.4 the plugin ignored files with special characters in their name, such as ind+ex.php, or !hello.php. So we redesigned the file integrity monitor scanning engine to handle special characters. The result? Much improved file […]
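The file integrity monitoring excerpt at the top of this page describes the mechanism (baseline hashes compared against current hashes) and the problem of false positives, and the WFCM 1.4 note above describes files with special characters in their names. The block below is an added example, not code from Website File Changes Monitor, that puts both together: it snapshots a directory into SHA-256 hashes, diffs a later snapshot against the stored baseline, skips path prefixes that are expected to churn (a cache directory here) so routine writes do not alert, and tracks names such as ind+ex.php and !hello.php like any other file. The temporary directory tree, the file names and the ignore list are constructed for the demo.

```php
<?php
// Added example of a minimal hash-based file integrity monitor. Not the
// plugin's own code; the directory tree below is constructed for the demo.
declare(strict_types=1);

/** Return [relative path => sha256 hex] for every regular file under $root. */
function fim_snapshot(string $root, array $ignorePrefixes = []): array
{
    $root   = rtrim((string) realpath($root), DIRECTORY_SEPARATOR);
    $hashes = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Keys are paths relative to the site root. The name is used as-is,
        // so 'ind+ex.php' and '!hello.php' are tracked like any other file.
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach ($ignorePrefixes as $prefix) {
            if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
                continue 2; // expected churn (cache, logs): skip, no alert
            }
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

/** Classify differences between a stored baseline and a fresh snapshot. */
function fim_diff(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'modified' => $modified,
        'removed'  => array_keys(array_diff_key($baseline, $current)),
    ];
}

// --- Demo on a constructed temporary tree standing in for a site root ------
$site = sys_get_temp_dir() . '/fim-demo-' . bin2hex(random_bytes(4));
mkdir("$site/wp-content/cache", 0700, true);
mkdir("$site/wp-content/uploads", 0700, true);
file_put_contents("$site/index.php", "<?php // stock index\n");
file_put_contents("$site/ind+ex.php", "<?php // plus sign in the name\n");
file_put_contents("$site/!hello.php", "<?php // exclamation mark in the name\n");
file_put_contents("$site/wp-content/cache/page.html", "cached page");

// The baseline is stored outside the monitored tree; inside it, the
// baseline file would report itself as changed on every scan.
$baselineFile = "$site.baseline.json";
$ignore       = ['wp-content/cache/'];
file_put_contents($baselineFile, json_encode(fim_snapshot($site, $ignore)));

// Later: a special-character file is tampered with, a new file lands in
// uploads, and the cache is regenerated. Only the first two should alert.
file_put_contents("$site/!hello.php", "<?php // tampered content\n");
file_put_contents("$site/wp-content/uploads/dropped.php", "<?php // new file\n");
file_put_contents("$site/wp-content/cache/page.html", "regenerated page");

$baseline = json_decode((string) file_get_contents($baselineFile), true);
$changes  = fim_diff($baseline, fim_snapshot($site, $ignore));
print json_encode($changes, JSON_PRETTY_PRINT) . PHP_EOL;

// After a legitimate core/plugin/theme update, take a fresh snapshot and
// overwrite the baseline so the update's own changes are not reported again.
```

On the tree constructed above the diff lists one added file under wp-content/uploads, one modified file (!hello.php) and nothing removed; the rewritten cache page is not reported because its prefix is on the ignore list. Re-baselining right after a known update is the other half of keeping false positives down: without it, every file the update touched is reported on the next scan.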

Password Policy Manager 2.0 – Multisite networks support & first time login password change
Today we are announcing Password Policy Manager 2.0! We are very excited about this release. Finally, WordPress multisite network administrators can also enforce strong password policies. In this update we have also added the new first time login password change policy. In addition to these new features, we have added several other plugin improvements, as we highlight in these release notes. WordPress multisite network support Typically, multisite networks have many users. In most cases the network’s administrators do not even know who owns the users, and how security conscious they are. So the need to enforce strong WordPress password policies […]

Understanding DDoS attacks: a guide for WordPress administrators
A Distributed Denial of Service (DDoS) attack is a type of Denial of Service (DoS) attack in which the traffic comes from many hosts rather than one, which makes it much harder to block. As with any DoS attack, the objective is to make a target unavailable by overloading it in some way. Generally, a DDoS attack entails a number of computers, or bots, each of which sends requests to overload the target during the attack. Typical targets are web servers and websites, including WordPress websites. As a result, users are unable to access the website or service. This happens because […]

Top reasons why WordPress websites get hacked (and how you can stop it)
Hacking is the process of finding flaws in a system, and exploiting them to bypass security controls. ‘Ethical’ hackers use this process to learn about a system and find its weaknesses. However, malicious or ‘black hat’ hacking is also common. It is often used to break into websites. There are a lot of reasons why hackers target WordPress sites. One of them is the platform’s sheer popularity. By knowing what these reasons are, you’ll gain a better understanding of how to protect your website. In this article, we’re going to break down the reasons people hack websites. Then we’ll talk […]

Choosing the right HTTPS certificate for your WordPress website
In our previous post, WordPress HTTPS, SSL and TLS – a guide for website administrators, we explained what HTTPS and the other technical terms mean, and how it all works. In this article, we discuss HTTPS certificates, the different ways you can acquire one for your WordPress website, and why you should or shouldn’t pay for one. Let’s dive right in. What is an HTTPS certificate? Before we can discuss the hows and whys of HTTPS certificates, we need to discuss what a certificate is in the first place. A certificate is used to: prove the identity of the server and establish the keys that encrypt the traffic between the web […]