Exactly a year ago, I sat at this very same keyboard to write an article that’s not too different from this one. While a lot has happened since then, the year has all but flown past. I am told that this is due to my getting older – the older you get, the smaller of a percentage a year is of your lived life; hence it seems like less time has passed.

In last year’s recap (covering 2021), we were starting to free ourselves from the clutches of the pandemic. Today, we are better equipped to deal with its ramifications, but 2022 brought its own set of challenges and wins.

We are happy to announce the latest release of WPassword. This version includes several improvements and bug fixes for an even smoother user and administrative experience while maintaining focus on WordPress password security.

We are happy to announce the release of Admin Notices Manager version 1.3.0. This latest version allows you to gain even more control over the admin notices than ever before, with a number of fixes and enhancements ensuring a smooth user experience throughout.

2021 was touted as the year in which everything returns back to normality. Alas, this was not to be, as the developments we were hoping for didn’t fully materialize. 2021, however, was a year of hope in which human ingenuity triumphed over tragedy.

When the original developer of the plugin formerly known as Advanced noCaptcha & invisible Captcha (v2 & v3) developed the plugin, he included integration with third-party plugins such as Contact Form 7 and WooCommerce as a premium feature. This could be clearly seen in the Premium Edition advert located on the right side of the plugin page.

This article explains why many WordPress websites have a lot of failed login attempts. It also explains what you can do to protect your WordPress website from failed login attacks.

We are happy to announce update 2.4.1 of WPassword. This update includes several new features and housekeeping updates designed to improve the plugin’s functionality, usability, and performance.

If you have an e-commerce or business WordPress site, most probably you’ve already heard of PCI DSS and PCI compliance. As an online merchant / seller your WordPress website has to be compliant to the PCI DSS regulations, otherwise you risk being fined. Even if you use a third party payment gateway such as PayPal or Stripe, there are still some regulatory requirements your website has to adhere to.

Whether your WordPress website has been hacked and you’re currently in damage control, or whether you’re preparing for the worst, this article will guide you through the process of cleaning a hacked WordPress website. The process is documented in an easy to follow step-by-step format to help you accomplish the following:

When you visit a website, your browser (also known as a client) sends a HTTP request to a web server. Once the web server sends an HTTP response, the browser can then render the page to your screen. However, HTTP traffic has a problem; it is a plaintext protocol. This makes it susceptible to snooping and meddling.

Today we are happy to announce the release of Website File Changes Monitor 1.7.1. This is a minor but must-install followup to update 1.7.0. In this update we have improved several aspects of the plugin’s user experience (UX) and also addressed a few issues reported in update 1.7.0.

Ryan Dewhurst is an ethical hacker and penetration tester who has dedicated many years in helping people in the WordPress community improve the security posture of their websites and protect them from malicious attackers. Ryan is the founder of WPScan, a free, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites.

WordPress vulnerabilities statistics show that the main source of WordPress vulnerabilities are in WordPress plugins. These vulnerabilities statistics also show how important it is to always run the latest version of WordPress core, plugins and themes.

Learn more about WordPress user roles and what capabilities users have when assigned to a specific WordPress user role. With WordPress user roles, the WordPress owner can have control of what the users can and cannot do on the WordPress installation.

Today we are excited to announce update 2.3.1 of the WPassword. The highlight of this update is improved support for other third party plugins, such as login redirects, e-Commerce and membership type plugins. Even though this update is a maintenance release, it still packs a punch. Let’s dive right in to see what’s new and improved in this update.

Today we are announcing WPassword update 2.3.0. This is an exciting release featuring the all new inactive WordPress users check. In it we also included a good number of other password policies improvements and performance updates.

Today we are announcing two releases; Website File Changes Monitor 1.6 and  WP Activity Log 4.1.2. They are being released together because we have integrated the plugins.

The security of your WordPress website depends on the systems you put in place to protect it and harden its security. With the sharp increase of automated password guessing, your users’ sensitive information and access to your site are more at risk than ever.

Today we are releasing WPassword 2.2. The highlights of this update are the out of the box support for custom login pages and the plugin translations. We have also included a number of updates and fixed a number of issues in this update. These release notes highlight what is new, improved and fixed in this exciting update of our password security plugin for WordPress.

In this update of the Website File Changes Monitor plugin we focused on further improving the file scanning technology. The results speak for themselves; faster scans that requires less resources. Here, you can read in more details what is new and improved in update 1.5 of our file integrity monitor WordPress plugin.

WPassword 2.1 is out today! In this plugin update we added a new policy to disable dormant users, support for post login redirect plugins, and several other improvements. This post highlights all that is new and improved in the latest version of WPassword.

When you manage a WordPress website, one of the most important aspects of security is authentication, a.k.a. how you login to your website. There are several ways how to harden the authentication to improve the defence in depth of your WordPress login mechanism. One of them is to implement two-factor authentication (2FA).

Keeping your eCommerce store secure is a must. Not only is it an important source of income for your business, but it also contains sensitive customer information, such as billing details and credit card numbers. Strong passwords can prevent many cyber attacks, but you’ll need a way to enforce them without deterring customers.

WPScan is a black box WordPress Security Scanner written in Ruby. Ideal for penetration testers, security professionals and WordPress administrators WPScan can find security weaknesses within a WordPress blog or website.

These last few weeks we have been busy working on our file integrity monitor plugin for WordPress: Website File Changes Monitor. In this update we focused on improving the coverage of the plugin, so it can detect file changes which it didn’t before.

Today we are announcing WPassword 2.0! We are very excited about this release. Finally, WordPress multisite network administrators can also enforce strong password policies.

Ivica Delic has been working with WordPress since 2011 and has co-founded FreelancersTools.com. He has volunteered in the WordPress community and attended and presented at numerous WP Meetups about speeding up WordPress websites.

Since this is only the third update of the Website File Changes Monitor plugin, we are still finding new ways how to improve the user experience (UX). Thankfully, we get a lot of valuable feedback from the plugin users on how we can make the plugin easier to use and better.

In September 2018 we released the first version of WPassword. The plugin has been a great success. It helps hundreds of administrators ensure their WordPress users use very strong passwords. Today we are announcing update 1.4 of the plugin. With this update we are allowing users to trial the plugin before they buy it, which […]

In order to do business, your WordPress website and business have to adhere to rules and regulations. These rules and regulations may take the form of laws (such as GDPR or HIPAA). They may also be compliance requirements, such as PCI DSS or ISO 27001, and may vary from one country to the other.

In update 1.2 of the Website File Changes Monitor plugin we are building the foundations for many other new features. We have also included some performance improvements, so when you update click the Scan Now button to run an instant & quick file changes scan on your WordPress website

Today we are releasing update 1.1 of the Website File Changes Monitor plugin. This update is based on the important feedback we got from our users after launching this plugin a few weeks ago. The main highlight of this update are the instant file changes notifications via email. However there is much more to this update, as this blog highlights.

Today we announce WPassword update 1.2, the plugin that enables administrators to enforce strong WordPress passwords. The highlight of this update is a new hook that allows theme developers to include the password policies in custom pages. In this update we have also included a few minor improvements and enhancements.

This post explains how File integrity monitoring (FIM) helps you answer such questions. We will see how a file integrity monitor plugin is instrumental in helping you better manage your WordPress site’s files. Detecting issues at an early stage is very important – it allows you to mitigate and limit the attack’s or problem’s damage.

We have been toying with the idea of developing a WordPress file integrity scanning and monitoring plugin for quite some time. However, we did not want to develop just another file scanning plugin.

As of the beginning of 2019, WordPress powers 33% of the top ten million websites, confirming it as the most popular and widely used blogging and CMS platform again. Such popularity attracts a lot of attention, and application security software companies which typically focus on security solutions for custom web applications are now also interested in WordPress, and developing security solutions for WordPress sites.

We released the first version of WPassword around three months ago. Since its released we received some valuable feedback and the plugin has been featured on some of the leading WordPress sites, such as Torque Magazine.

Vulnerabilities in WordPress plugins have been the cause of more site hacks than vulnerabilities in WordPress core. One of the reasons why this is happening is lack of resources.

According to statistics published by WPMUDEV in 2017, malicious hackers attack WordPress websites with over 90,978 attacks per minute. Therefore every WordPress site must have some sort of security hardening and service protecting it. Even if it is small and not popular, your WordPress website is always a target.

WordPress has come a long way in helping administrators run more secure sites, though weak passwords are still a big issue. That is why we still see so many successful WordPress brute force attacks. Though there is light at the end of the tunnel! We have developed a plugin to help WordPress site owners like you enforce strong passwords on users – WPassword.

WordPress security can be an intimidating subject to those who are new to WordPress, and to having a website. However, with compliance and standards such as the OWASP Top 10 list business can easily get started with WordPress security. This article explains what is the OWASP Top 10 list. It also explains how WordPress site administrators can have an Owasp Top 10 compliant WordPress website.

If you manage a WordPress website, you surely need to give temporary access to someone so they can fix a problem or do some work on your website. Though there is a problem – the process of creating and managing temporary users can become cumbersome and can also lead to security issues.

Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages to further harden the overall security of your WordPress site. With 2FA it is virtually impossible for attackers to hijack your WordPress user, even if they guess the password.

Julio Potier is the developer behind SecuPress, the WordPress plugin that makes it possible to easily secure your WordPress websites and blogs. Julio is based in France and is very active in the WordPress security scene

During this interview Akshat explains what happened during the BlogVault security incident, how he and his team found out about it, its aftermath, and how did the public react to their announcements and transparent approach. A lot of noise is made when a popular WordPress website or service is hacked, but not much is done to […]

WordPress is a very simple web application. It is made up of a number of PHP files and a database, typically a MySQL database. The files are the actual web application and the database is where all the information such as users, blog posts, pages and other data is stored. The WordPress setup is so […]

Once you clean up the malware infection from your hacked WordPress website or blog you have to apply for a Google malware review to have the Google malware warning removed. Read this post for more information on how to apply for a Google malware review.

There are several benefits to keeping a record of everything that is happening on your website in a WordPress audit log. As seen in this example, you can configure email alert so you are alerted of any suspicious user behaviour at an early stage, allowing you to thwart any possible hacker attacks before any damage is done on your WordPress website and multisite network.

A cross-site scripting vulnerability has been discovered in a number of WordPress plugins and today all of them have released updates to address this issue. Read this article for more details.

A WordPress website firewall (also known as a Web Application Firewall) helps you protect your WordPress websites and blogs from malicious hacker attacks, though it is not a bullet broof solution. This article explains how they work and discusses their pros and cons.

A WordPress security tutorial that explains how and why you should hide your WordPress usernames to improve the security of your WordPress blogs and websites.

There are various types of WordPress hack attacks and most of them can be classified under two categories; Targeted and Non-Targeted WordPress hack attacks. This security articles explains what each type of attack is, how it works and how to protect your WordPress sites and blogs from these malicious WordPress hack attacks.

Should you change the WordPress Login Page URL to improve the security of your WordPress blogs and websites? Are there any other and better ways how to protect your WordPress login page?

This security article explains why you should change your WordPress Administrator ID to improve the security of your WordPress blogs and sites. It also explains how to change the WordPress administrator ID so malicious hackers cannot target the WordPress administrator account.

This document explains how to grant remote access to a WordPress or any other MySQL database. Remote access might be needed if you need to extract or read data from the WordPress database from a remote location, for example to read the WordPress security alerts generated by WP Activity Log plugin and store them in a centralized logging and monitoring system.

WordPress security keys are used to encrypt the WordPress login details stored in user’s cookies once they login to WordPress. By configuring the WordPress security keys you also improve the security of your WordPress. This article explains what are the WordPress security keys and how you can configure them in the wp-config.php file.

This WordPress security tutorial features a WordPress plugin called BBQ:Block Bad Queries. This WordPress security plugin is a maintenance free WordPress Web Application Firewall that protects your WordPress blogs and websites from malicious hacker attacks by blocking malicious HTTP requests sent to your WordPress prior to being executed by the WordPress core.

This WordPress tutorial explains how to manually create a WordPress administrator account directly in the database using SQL queries or phpMyAdmin. This operation is useful to regain access to a hacked WordPress blog or website.

WP White Security will be at the first large-scale European WordPress WordCamp, which will be held between the 5th and the 7th of October 2013, in Leiden, Holland. If you will be at the WordCamp, or around Leiden, come and speak to us.

In this WordPress Webmaster Tip we recommend two automated tools (BigDump and Search Replace DB) that will make your WordPress Admin life easier.

Every year, hundreds of thousands of WordPress blogs and websites are hacked. This leads to the question, how do I know if my WordPress site is hacked? How do I tell if my WordPress site is hacked? Sometimes it is very easy to tell, especially if a website is defaced. But most of the time, […]

In this WordPress tutorial we explain how to change some entries in the WordPress database to fix the You do not have sufficient permissions to access this page WordPress problem and regain access to the WordPress dashboard / wp-admin section.

A source code analysis of several WordPress plugins shows that more than 20% of the 50 most popular WordPress plugins are vulnerable to common web attacks. In this blog post we present you with the facts and statistics of this one of a kind study and give recommendations to help WordPress owners choose secure plugins and to help WordPress plugins developers develop more secure plugins.

A WordPress security article that explains how to use the popular WordPress security scanner WPScan to enumerate WordPress users or plugins for reporting purposes or WordPress security audits.

With WPScan WordPress Security Scanner you can launch a security check to ensure that all your users are using strong WordPress passwords. In this WordPress security tutorial we demonstrate how to use WPScan to launch a brute force security check against a WordPress user account.

By defaut WordPress discloses the version number in the generator meta tag and default RSS feeds. In this WordPress security tutorial we show you how to hide the WordPress version number without installing a WordPress security plugin.

Use WordPress security plugin Old Core Files to delete old, obsolete and probably vulnerable WordPress core files which can be exploited by hackers to inject malware on your WordPress blog or website. Read how simple it is to use this WordPress security plugin.

In this WordPress tutorial we explain how to password protect the WordPress wp-admin from Cpanel to add an additional layer of security to your WordPress administrator dashboard and protect WordPress from zero day vulnerabilities.

If you host your own WordPress most probably you have heard about .htaccess files and all the things you can do with .htaccess files to secure WordPress. If you are not familiar with .htaccess files in relation to WordPress you can go through our definite guide to htaccess and WordPress, where you can find all the information you need about .htaccess files and their usage in WordPress.

Having user friendly custom error pages for your website is perhaps as important as having good content. In this article we show you how to easily implement custom error pages for your WordPress website or blog with .htaccess files.

If you would like to restrict access to a WordPress file, or a number of files on your website from being accessed from an external source, you can do so by using .htaccess files. Restricting access to files with .htaccess is ideal for files which still need to be accessed by your WordPress but never accessed directly by your website visitors, such as the wp-config.php.

Hotlinking is the direct linking to a number of website’s files from another website. If someone hotlinks to images or other media files on your WordPress website or blog, it will result in extra load on your website and bandwidth theft, therefore you should prevent hotlkinking.

Bots, short for robots, are computer programs that browse (surf) websites all over the internet and automatically perform specific tasks. Like almost everything else on the internet, there are good bots and bad bots. Follow this guide to learn how to block bad bots with .htaccess files.

If you want to ban a bad user from accessing your WordPress website or blog and you have the user’s IP address, or hostname, you can block such users by using an htaccess file.

There are several methods to protect the WordPress admin dashboard (wp-admin directory). You can restrict access to the WordPress wp-admin directory to your IP address only via an .htaccess file.

You can reset WordPress password using the phpMyAdmin web interface. Follow the three easy steps in this WordPress tutorial to reset a WordPress password within a minute and gain back access to your WordPress blog or website.

As seen in Why minimum MySQL user WordPress database privileges improve security, it is very important to assign the minimum required database privileges to the MySQL user being used by WordPress to access the MySQL WordPress database, i.e. the user specified in WordPress wp-config.php file.

The Windows hosts file can be used to redirect requests from your computer to a website to another IP rather than the original IP or domain. In other words, if I want to run a test copy of the website www.wpwhitesecurity.com on my laptop, I configure a lightweight web server on my computer and simply add an entry in the Windows Host File to point www.wpwhitesecurity.com to 127.0.0.1 (localhost).

There are different procedures that you can use to rename the WordPress database prefix. It depends on whether you have already installed WordPress or not. If you have not installed WordPress yet, you can simply specify a different database table prefix from the WordPress installation wizard or pre-define it in the wp-config.php file before running the installation.

If you need to exclude a category from the WordPress blog page and sidebar, you do not need to install a third party plugin and add extra administration overhead. All you need to do is follow this easy to follow step by step WordPress tutorial, and by simply modifying a file you will have the WordPress categories you want excluded in minutes.

When installing a new theme or configuring a PHP script for your WordPress, you might need to populate some entries with a WordPress Category ID. Even though an advanced WordPress user can find a Category ID in seconds, if you are a beginner you might be at lost. Follow the below step by step procedure to find a WordPress Category ID in seconds.

While doing a WordPress security audit and WordPress security lock down for one of our customers, I noticed he had a WordPress password backdoor installed on his WordPress installation. The WordPress backdoor is a very simple, yet powerful PHP script which can be triggered by accessing a specific URL using a normal web browser, such as Google Chrome of Firefox.

Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details.

A WordPress website is made up from a number of files, organized in a number of sub directories. These files and sub directories are saved in a directory on a web server. This is the root directory of your site, also known as the document root.

Protecting your wp-admin directory and WordPress dashboard with an .htaccess file is a vital procedure when locking down your WordPress blog or website. As a blogger and webmaster you know that once a malicious user gains access to your WordPress dashboard, it is game over.

To password protect a directory or section of your WordPress blog or website, you need to generate an Apache password file, better known as htpasswd file. In this article we will explain how to create a password file for Apache web server, which is the most popular web service used by hosting providers.

WordPress database connection problems are very common, especially when installing, upgrading and migrating a site. However, they can also occur on other occasions.  If you have a WordPress site you’ve surely seen the error establishing database connection: Error Establishing a Database Connection, WordPress database connectivity problems can be solved very easily.

If you lost your WordPress administrator password, or you cannot login to the WordPress dashboard and you do not have access to the WordPress MySQL database, or the password reset functionality is not working, it is still possible to change your password through FTP. In this ten step easy to follow guide we will explain how to change the WordPress administrator password using FTP to be able to access the WordPress dashboard again.

If you are thinking of starting your own blog, the first question that comes to mind is if you should have a hosted blog with WordPress.com, or if you should host your own blog by downloading the WordPress software from WordPress.org.

WordPress blogging platform is a PHP based web application and uses a MySQL database as a backend database. In this article we will explain in easy to follow step by step format how to manually create a MySQL database for your WordPress blog or website. Two options are explained below, either by connecting to MySQL using a web based graphical user interface such as phpMyAdmin, or by using the MySQL command line.