Year in review: 2022
Exactly a year ago, I sat at this very same keyboard to write an article that’s not too different from this one. While a lot has happened since then, the year has all but flown past. I am told that this is due to my getting older – the older you get, the smaller a percentage of your lived life a year is, hence it seems like less time has passed.
In last year’s recap (covering 2021), we were starting to free ourselves from the clutches of the pandemic. Today, we are better equipped to deal with its ramifications, but 2022 brought its own set of challenges and wins.
Announcing the release of WPassword 2.6.0
We are happy to announce the latest release of WPassword. This version includes several improvements and bug fixes for an even smoother user and administrative experience while maintaining focus on WordPress password security.
ANM 1.3.0: Better support for custom admin notices
We are happy to announce the release of Admin Notices Manager version 1.3.0. This latest version allows you to gain even more control over the admin notices than ever before, with a number of fixes and enhancements ensuring a smooth user experience throughout.
2021: A year in review
2021 was touted as the year in which everything returns to normality. Alas, this was not to be, as the developments we were hoping for didn’t fully materialize. 2021, however, was a year of hope in which human ingenuity triumphed over tragedy.
Important CAPTCHA 4WP Announcement
When the original developer of the plugin formerly known as Advanced noCaptcha & invisible Captcha (v2 & v3) developed the plugin, he included integration with third-party plugins such as Contact Form 7 and WooCommerce as a premium feature. This could be clearly seen in the Premium Edition advert located on the right side of the plugin page.
How to block failed login attempts on WordPress
This article explains why many WordPress websites have a lot of failed login attempts. It also explains what you can do to protect your WordPress website from failed login attacks.
PPMWP 2.4.1: Weekly summary email & other improvements
We are happy to announce update 2.4.1 of WPassword. This update includes several new features and housekeeping updates designed to improve the plugin’s functionality, usability, and performance.
WordPress PCI compliance for e-commerce & business sites
If you have an e-commerce or business WordPress site, most probably you’ve already heard of PCI DSS and PCI compliance. As an online merchant / seller, your WordPress website has to be compliant with the PCI DSS regulations, otherwise you risk being fined. Even if you use a third-party payment gateway such as PayPal or Stripe, there are still some regulatory requirements your website has to adhere to.
How to clean a hacked WordPress website or blog
Whether your WordPress website has been hacked and you’re currently in damage control, or whether you’re preparing for the worst, this article will guide you through the process of cleaning a hacked WordPress website. The process is documented in an easy to follow step-by-step format to help you accomplish the following:
WordPress HTTPS, SSL & TLS – a guide for website administrators
When you visit a website, your browser (also known as a client) sends an HTTP request to a web server. Once the web server sends an HTTP response, the browser can then render the page to your screen. However, HTTP traffic has a problem: it is a plaintext protocol. This makes it susceptible to snooping and meddling.
WFCM 1.7.1: improved UX & other minor improvements
Today we are happy to announce the release of Website File Changes Monitor 1.7.1. This is a minor but must-install followup to update 1.7.0. In this update we have improved several aspects of the plugin’s user experience (UX) and also addressed a few issues reported in update 1.7.0.
Interview with Ryan Dewhurst, founder of WPScan
Ryan Dewhurst is an ethical hacker and penetration tester who has dedicated many years to helping people in the WordPress community improve the security posture of their websites and protect them from malicious attackers. Ryan is the founder of WPScan, a free, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites.
Statistics highlight the biggest source of WordPress vulnerabilities
WordPress vulnerability statistics show that the main source of WordPress vulnerabilities is WordPress plugins. These vulnerability statistics also show how important it is to always run the latest version of WordPress core, plugins and themes.
How to use WordPress user roles for improved WordPress security
Learn more about WordPress user roles and what capabilities users have when assigned to a specific WordPress user role. With WordPress user roles, the WordPress owner can have control of what the users can and cannot do on the WordPress installation.
PPMWP 2.3.1: improved support for third party plugins
Today we are excited to announce update 2.3.1 of WPassword. The highlight of this update is improved support for other third-party plugins, such as login redirect, e-commerce and membership type plugins. Even though this update is a maintenance release, it still packs a punch. Let’s dive right in to see what’s new and improved in this update.
PPMWP 2.3.0: Inactive users check, policies & performance updates
Today we are announcing WPassword update 2.3.0. This is an exciting release featuring the all new inactive WordPress users check. In it we also included a good number of other password policy improvements and performance updates.
WFCM 1.6.0: full integration with WP Activity Log
Today we are announcing two releases; Website File Changes Monitor 1.6 and WP Activity Log 4.1.2. They are being released together because we have integrated the plugins.
WordPress Two-Factor Authentication (2FA): what is it & using it on your site
The security of your WordPress website depends on the systems you put in place to protect it and harden its security. With the sharp increase of automated password guessing, your users’ sensitive information and access to your site are more at risk than ever.
PPMWP 2.2.0: Out of the box support for custom login pages & other updates
Today we are releasing WPassword 2.2. The highlights of this update are the out of the box support for custom login pages and the plugin translations. We have also included a number of updates and fixed a number of issues in this update. These release notes highlight what is new, improved and fixed in this exciting update of our password security plugin for WordPress.
WFCM 1.5.0: Hourly file integrity scans & other plugin improvements
In this update of the Website File Changes Monitor plugin we focused on further improving the file scanning technology. The results speak for themselves: faster scans that require fewer resources. Here, you can read in more detail what is new and improved in update 1.5 of our file integrity monitor WordPress plugin.
PPMWP 2.1.0: the new dormant users policy & support for post login redirects
WPassword 2.1 is out today! In this plugin update we added a new policy to disable dormant users, support for post login redirect plugins, and several other improvements. This post highlights all that is new and improved in the latest version of WPassword.
Using the Google Authenticator app for WordPress 2FA
When you manage a WordPress website, one of the most important aspects of security is authentication, i.e. how you log in to your website. There are several ways to harden the authentication to improve the defence in depth of your WordPress login mechanism. One of them is to implement two-factor authentication (2FA).
Strong WooCommerce passwords – enforcing policies without deterring customers
Keeping your eCommerce store secure is a must. Not only is it an important source of income for your business, but it also contains sensitive customer information, such as billing details and credit card numbers. Strong passwords can prevent many cyber attacks, but you’ll need a way to enforce them without deterring customers.
Using WPScan to find WordPress vulnerabilities on your website
WPScan is a black box WordPress security scanner written in Ruby. Ideal for penetration testers, security professionals and WordPress administrators, WPScan can find security weaknesses within a WordPress blog or website.
WFCM 1.4.0: Improved file changes coverage for WordPress websites
These last few weeks we have been busy working on our file integrity monitor plugin for WordPress: Website File Changes Monitor. In this update we focused on improving the coverage of the plugin, so it can detect file changes that it did not detect before.
PPMWP 2.0.0: Multisite networks support & first time login password change
Today we are announcing WPassword 2.0! We are very excited about this release. Finally, WordPress multisite network administrators can also enforce strong password policies.
Interview with Ivica Delic on WordPress professionals & security
Ivica Delic has been working with WordPress since 2011 and has co-founded FreelancersTools.com. He has volunteered in the WordPress community and attended and presented at numerous WP Meetups about speeding up WordPress websites.
WFCM 1.3.0: UX improvements
Since this is only the third update of the Website File Changes Monitor plugin, we are still finding new ways to improve the user experience (UX). Thankfully, we get a lot of valuable feedback from the plugin users on how we can make the plugin easier to use and better.
PPMWP 1.4.0: premium trials, advantageous pricing & plugin improvements
In September 2018 we released the first version of WPassword. The plugin has been a great success. It helps hundreds of administrators ensure their WordPress users use very strong passwords. Today we are announcing update 1.4 of the plugin. With this update we are allowing users to trial the plugin before they buy it, which […]
What is regulatory compliance & how does it affect WordPress security?
In order to do business, your WordPress website and business have to adhere to rules and regulations. These rules and regulations may take the form of laws (such as GDPR or HIPAA). They may also be compliance requirements, such as PCI DSS or ISO 27001, and may vary from one country to the other.
WFCM 1.2.0: New Scan Now button & improvements
In update 1.2 of the Website File Changes Monitor plugin we are building the foundations for many other new features. We have also included some performance improvements, so once you update, click the Scan Now button to run an instant, quick file changes scan on your WordPress website.
WFCM 1.1.0: Email notifications & more
Today we are releasing update 1.1 of the Website File Changes Monitor plugin. This update is based on the important feedback we got from our users after launching this plugin a few weeks ago. The main highlight of this update is the instant file changes notifications via email. However, there is much more to this update, as this blog highlights.
PPMWP 1.2.0: Support for custom login pages
Today we announce WPassword update 1.2, the plugin that enables administrators to enforce strong WordPress passwords. The highlight of this update is a new hook that allows theme developers to include the password policies in custom pages. In this update we have also included a few minor improvements and enhancements.
What is file integrity monitoring & why you need it on your WordPress website?
This post explains how file integrity monitoring (FIM) helps you answer such questions. We will see how a file integrity monitor plugin is instrumental in helping you better manage your WordPress site’s files. Detecting issues at an early stage is very important – it allows you to mitigate and limit the damage caused by an attack or problem.
Announcing File Changes Monitor plugin for WordPress
We have been toying with the idea of developing a WordPress file integrity scanning and monitoring plugin for quite some time. However, we did not want to develop just another file scanning plugin.
High-Tech Bridge COO Talks About Web & WordPress Security
As of the beginning of 2019, WordPress powers 33% of the top ten million websites, confirming it as the most popular and widely used blogging and CMS platform again. Such popularity attracts a lot of attention, and application security software companies which typically focus on security solutions for custom web applications are now also interested in WordPress, and developing security solutions for WordPress sites.
PPMWP 1.1.0
We released the first version of WPassword around three months ago. Since its release we have received some valuable feedback, and the plugin has been featured on some of the leading WordPress sites, such as Torque Magazine.
Interview with Code Risk – A Free Source Code Analysis Service For WordPress Plugins
Vulnerabilities in WordPress plugins have been the cause of more site hacks than vulnerabilities in WordPress core. One of the reasons why this is happening is a lack of resources.
Malcare WordPress Site Security Service Reviewed
According to statistics published by WPMUDEV in 2017, malicious hackers attack WordPress websites with over 90,978 attacks per minute. Therefore every WordPress site must have some sort of security hardening and service protecting it. Even if it is small and not popular, your WordPress website is always a target.
Announcing WPassword
WordPress has come a long way in helping administrators run more secure sites, though weak passwords are still a big issue. That is why we still see so many successful WordPress brute force attacks. Though there is light at the end of the tunnel! We have developed a plugin to help WordPress site owners like you enforce strong passwords on users – WPassword.
Using OWASP Top 10 to improve WordPress security
WordPress security can be an intimidating subject to those who are new to WordPress and to having a website. However, with compliance standards such as the OWASP Top 10 list, businesses can easily get started with WordPress security. This article explains what the OWASP Top 10 list is. It also explains how WordPress site administrators can have an OWASP Top 10 compliant WordPress website.
Easily Create & Manage WordPress Temporary Users with a Plugin
If you manage a WordPress website, at some point you will surely need to give temporary access to someone so they can fix a problem or do some work on your website. Though there is a problem – the process of creating and managing temporary users can become cumbersome and can also lead to security issues.
Best Two-Factor Authentication Plugins for WordPress
Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages to further harden the overall security of your WordPress site. With 2FA it is virtually impossible for attackers to hijack your WordPress user, even if they guess the password.
Interview with Julio Potier, Developer of SecuPress
Julio Potier is the developer behind SecuPress, the WordPress plugin that makes it possible to easily secure your WordPress websites and blogs. Julio is based in France and is very active in the WordPress security scene.
Interview with BlogVault CEO Akshat Choudhary
During this interview Akshat explains what happened during the BlogVault security incident, how he and his team found out about it, its aftermath, and how did the public react to their announcements and transparent approach. A lot of noise is made when a popular WordPress website or service is hacked, but not much is done to […]
Restoring WordPress from a Backup
WordPress is a very simple web application. It is made up of a number of PHP files and a database, typically a MySQL database. The files are the actual web application and the database is where all the information such as users, blog posts, pages and other data is stored. The WordPress setup is so […]
How to Remove the Google Malware Warning
Once you clean up the malware infection from your hacked WordPress website or blog you have to apply for a Google malware review to have the Google malware warning removed. Read this post for more information on how to apply for a Google malware review.
Get Alerted via Email When a New User Is Created or Logs in To Your WordPress
There are several benefits to keeping a record of everything that is happening on your website in a WordPress audit log. As seen in this example, you can configure email alerts so that you are alerted of any suspicious user behaviour at an early stage, allowing you to thwart possible hacker attacks before any damage is done to your WordPress website or multisite network.
Collective WordPress Plugins Security Advisory Addresses XSS Vulnerability
A cross-site scripting vulnerability has been discovered in a number of WordPress plugins and today all of them have released updates to address this issue. Read this article for more details.
WordPress Firewalls – How They Work & Enhance The Security Of Your WordPress Site
A WordPress website firewall (also known as a Web Application Firewall) helps you protect your WordPress websites and blogs from malicious hacker attacks, though it is not a bulletproof solution. This article explains how they work and discusses their pros and cons.
Hide WordPress Usernames to Improve WordPress Security
A WordPress security tutorial that explains how and why you should hide your WordPress usernames to improve the security of your WordPress blogs and websites.
What are Targeted and Non-Targeted WordPress Hack Attacks
There are various types of WordPress hack attacks, and most of them can be classified under two categories: targeted and non-targeted WordPress hack attacks. This security article explains what each type of attack is, how it works and how to protect your WordPress sites and blogs from these malicious WordPress hack attacks.
Should You Change Your WordPress Login Page URL?
Should you change the WordPress login page URL to improve the security of your WordPress blogs and websites? Are there other, better ways to protect your WordPress login page?
Why You Should Change the WordPress Administrator User ID
This security article explains why you should change your WordPress Administrator ID to improve the security of your WordPress blogs and sites. It also explains how to change the WordPress administrator ID so malicious hackers cannot target the WordPress administrator account.
How to Grant Remote Access Privileges to a WordPress MySQL Database
This document explains how to grant remote access to a WordPress or any other MySQL database. Remote access might be needed if you need to extract or read data from the WordPress database from a remote location, for example to read the WordPress security alerts generated by WP Activity Log plugin and store them in a centralized logging and monitoring system.
All You Need To Know On the WordPress Unique Authentication Keys and Salts
WordPress security keys are used to encrypt the WordPress login details stored in users’ cookies once they log in to WordPress. By configuring the WordPress security keys you also improve the security of your WordPress. This article explains what the WordPress security keys are and how you can configure them in the wp-config.php file.
BBQ:Block Bad Queries WordPress Plugin Review
This WordPress security tutorial features a WordPress plugin called BBQ:Block Bad Queries. This WordPress security plugin is a maintenance-free WordPress Web Application Firewall that protects your WordPress blogs and websites from malicious hacker attacks by blocking malicious HTTP requests sent to your WordPress before they are processed by WordPress core.
How to Manually Add a WordPress Administrator to the Database using SQL Queries
This WordPress tutorial explains how to manually create a WordPress administrator account directly in the database using SQL queries or phpMyAdmin. This operation is useful to regain access to a hacked WordPress blog or website.
WordPress WordCamp Europe | October 2013
WP White Security will be at the first large-scale European WordPress WordCamp, which will be held between the 5th and the 7th of October 2013, in Leiden, Holland. If you will be at the WordCamp, or around Leiden, come and speak to us.
Must Have WordPress Database Tools for Administrators
In this WordPress Webmaster Tip we recommend two automated tools (BigDump and Search Replace DB) that will make your WordPress Admin life easier.
Has my WordPress site been hacked? How to check
Every year, hundreds of thousands of WordPress blogs and websites are hacked. This leads to the question, how do I know if my WordPress site is hacked? How do I tell if my WordPress site is hacked? Sometimes it is very easy to tell, especially if a website is defaced. But most of the time, […]
You Do Not Have Sufficient Permissions To Access This Page
In this WordPress tutorial we explain how to change some entries in the WordPress database to fix the You do not have sufficient permissions to access this page WordPress problem and regain access to the WordPress dashboard / wp-admin section.
State of Security of WordPress Plugins
A source code analysis of several WordPress plugins shows that more than 20% of the 50 most popular WordPress plugins are vulnerable to common web attacks. In this blog post we present you with the facts and statistics of this one-of-a-kind study and give recommendations to help WordPress owners choose secure plugins and to help WordPress plugin developers develop more secure plugins.
How to Enumerate WordPress Users with WPScan
A WordPress security article that explains how to use the popular WordPress security scanner WPScan to enumerate WordPress users or plugins for reporting purposes or WordPress security audits.
Checking the Password Strength of WordPress Users with WPScan
With WPScan WordPress Security Scanner you can launch a security check to ensure that all your users are using strong WordPress passwords. In this WordPress security tutorial we demonstrate how to use WPScan to launch a brute force security check against a WordPress user account.
How to Hide the WordPress Version from the Generator Meta Tag
By default WordPress discloses the version number in the generator meta tag and default RSS feeds. In this WordPress security tutorial we show you how to hide the WordPress version number without installing a WordPress security plugin.
Delete Old (and Obsolete) WordPress Core Files | WordPress Security Tip
Use WordPress security plugin Old Core Files to delete old, obsolete and probably vulnerable WordPress core files which can be exploited by hackers to inject malware on your WordPress blog or website. Read how simple it is to use this WordPress security plugin.
Add Additional WordPress wp-admin HTTP Authentication from cPanel
In this WordPress tutorial we explain how to password protect the WordPress wp-admin directory from cPanel to add an additional layer of security to your WordPress administrator dashboard and protect WordPress from zero day vulnerabilities.
The Complete htaccess File for WordPress
If you host your own WordPress, most probably you have heard about .htaccess files and all the things you can do with .htaccess files to secure WordPress. If you are not familiar with .htaccess files in relation to WordPress, you can go through our definitive guide to htaccess and WordPress, where you can find all the information you need about .htaccess files and their usage in WordPress.
Configure Custom Error Pages on Apache with htaccess
Having user friendly custom error pages for your website is perhaps as important as having good content. In this article we show you how to easily implement custom error pages for your WordPress website or blog with .htaccess files.
How to Restrict Access to WordPress files With htaccess
If you would like to restrict a WordPress file, or a number of files on your website, from being accessed from an external source, you can do so by using .htaccess files. Restricting access to files with .htaccess is ideal for files which still need to be accessed by your WordPress but never accessed directly by your website visitors, such as wp-config.php.
How to Prevent Hotlinking of Images in WordPress
Hotlinking is the direct linking to a website’s files from another website. If someone hotlinks to images or other media files on your WordPress website or blog, it will result in extra load on your website and bandwidth theft, therefore you should prevent hotlinking.
How to Block Bad Bots with htaccess for WordPress
Bots, short for robots, are computer programs that browse (surf) websites all over the internet and automatically perform specific tasks. Like almost everything else on the internet, there are good bots and bad bots. Follow this guide to learn how to block bad bots with .htaccess files.
Block Bad Users From Accessing Your WordPress
If you want to ban a bad user from accessing your WordPress website or blog and you have the user’s IP address or hostname, you can block such users by using an .htaccess file.
Use htaccess to Restrict Access to WordPress wp-admin via IP address
There are several methods to protect the WordPress admin dashboard (wp-admin directory). You can restrict access to the WordPress wp-admin directory to your IP address only via an .htaccess file.
How to Reset a WordPress User Password using phpMyAdmin
You can reset a WordPress password using the phpMyAdmin web interface. Follow the three easy steps in this WordPress tutorial to reset a WordPress password within a minute and regain access to your WordPress blog or website.
How to Apply Secure WordPress MySQL Database Privileges
As seen in Why minimum MySQL user WordPress database privileges improve security, it is very important to assign the minimum required database privileges to the MySQL user being used by WordPress to access the MySQL WordPress database, i.e. the user specified in WordPress wp-config.php file.
How and Why to Use The Windows Hosts File
The Windows hosts file can be used to redirect requests from your computer for a website to another IP rather than the original IP or domain. In other words, if I want to run a test copy of the website www.wpwhitesecurity.com on my laptop, I configure a lightweight web server on my computer and simply add an entry in the Windows hosts file to point www.wpwhitesecurity.com to 127.0.0.1 (localhost).
Change the WordPress Database Prefix and Improve Security
There are different procedures that you can use to rename the WordPress database prefix. It depends on whether you have already installed WordPress or not. If you have not installed WordPress yet, you can simply specify a different database table prefix from the WordPress installation wizard or pre-define it in the wp-config.php file before running the installation.
How to Exclude a Category from a WordPress Blog or Page
If you need to exclude a category from the WordPress blog page and sidebar, you do not need to install a third-party plugin and add extra administration overhead. All you need to do is follow this easy-to-follow, step-by-step WordPress tutorial, and by simply modifying a file you will have the WordPress categories you want excluded in minutes.
How to find a WordPress Category ID
When installing a new theme or configuring a PHP script for your WordPress, you might need to populate some entries with a WordPress category ID. Even though an advanced WordPress user can find a category ID in seconds, if you are a beginner you might be at a loss. Follow the step-by-step procedure below to find a WordPress category ID in seconds.
WordPress Backdoor to Create Administrator Account
While doing a WordPress security audit and WordPress security lock down for one of our customers, I noticed he had a WordPress password backdoor installed on his WordPress installation. The WordPress backdoor is a very simple, yet powerful PHP script which can be triggered by accessing a specific URL using a normal web browser, such as Google Chrome or Firefox.
Protect the WordPress wp-config.php Configuration File
Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details.
Finding the absolute path of a directory on a website (using PHP)
A WordPress website is made up of a number of files, organized in a number of sub-directories. These files and sub-directories are saved in a directory on a web server. This is the root directory of your site, also known as the document root.
Securing The WordPress wp-admin Directory with HTTP Authentication
Protecting your wp-admin directory and WordPress dashboard with an .htaccess file is a vital procedure when locking down your WordPress blog or website. As a blogger and webmaster you know that once a malicious user gains access to your WordPress dashboard, it is game over.
htpasswd tutorial | How to create an Apache password file
To password protect a directory or section of your WordPress blog or website, you need to generate an Apache password file, better known as htpasswd file. In this article we will explain how to create a password file for Apache web server, which is the most popular web service used by hosting providers.
Fixing “Error Establishing a Database Connection” in WordPress
WordPress database connection problems are very common, especially when installing, upgrading and migrating a site. However, they can also occur on other occasions. If you have a WordPress site you’ve surely seen the error Error Establishing a Database Connection. Fortunately, WordPress database connectivity problems can be solved very easily.
How to reset the WordPress password through FTP
If you lost your WordPress administrator password, or you cannot log in to the WordPress dashboard and you do not have access to the WordPress MySQL database, or the password reset functionality is not working, it is still possible to change your password through FTP. In this easy-to-follow ten-step guide we will explain how to change the WordPress administrator password using FTP to be able to access the WordPress dashboard again.
WordPress.com or WordPress.org?
If you are thinking of starting your own blog, the first question that comes to mind is if you should have a hosted blog with WordPress.com, or if you should host your own blog by downloading the WordPress software from WordPress.org.
Creating a MySQL Database for WordPress
The WordPress blogging platform is a PHP based web application and uses a MySQL database as its backend database. In this article we will explain in an easy-to-follow, step-by-step format how to manually create a MySQL database for your WordPress blog or website. Two options are explained below: connecting to MySQL using a web based graphical user interface such as phpMyAdmin, or using the MySQL command line.