WordPress Security Blog

In the next couple of days, the team will be making its way to Athens, Greece, where we will be attending WordCamp Europe 2023. As one of the event’s sponsors, we will have a booth set up – and we have prepared some great things that you’ll surely want to know all about.

WCEU 2023 also marks an important milestone in WP White Security’s history with the unveiling of our brand-new, fresh rebranding; Melapress!

Emails are everywhere. They have become one of the most common methods of communication among people over the Internet. WordPress administrators and website owners use emails for various purposes, such as personal and professional communication, marketing, recruitment, and more.

Following the success of last year’s survey, we are happy to announce that this year’s WordPress Security Survey is now live. The survey aims to gain a clearer picture of the state of WordPress security in 2023 as well as identify trends from last year’s survey. Just like we did with previous surveys, we will be publishing the results directly on our blog.

The wp-config.php file is one of WordPress’ most important files. It contains the configuration information required to make WordPress work. As the name suggests, it is written in PHP – the language upon which WordPress is built.

We are happy to announce the release of CAPTCHA 4WP version 7.2.0. This version adds some very useful features and a number of improvements and bug fixes that’ll surely make it a great upgrade for anyone running this plugin – and many more reasons to get this plugin for those who aren’t.

Over the past few months, the team at WP White Security has been busy with a rebranding project. Customers that have been keeping up to date with our newsletters and blog posts will surely be aware that this rebranding has been in the works for some time. As we get closer to finalizing the rebrand and switching over, we wanted to let you know what is going on and what to expect.

The Domain Name System (DNS) is vital for the running of the web. In a nutshell, it converts requested domain names into IP (Internet Protocol) addresses – which is what computers use to find websites, deliver emails, and the many other activities that take place on the web.

Every website needs regular maintenance. WordPress maintenance involves checking your site’s configuration, functionality, security settings, available updates, unused files, and more. Just as with a house or a car, ongoing maintenance can prevent major technical issues down the line.

Most WordPress maintenance tasks take minimal time and can even be automated. You might even use a maintenance checklist (like this article) to help you remember every job you must do and how often. Doing so will keep your site running in top shape without paying for WordPress maintenance services or putting your website into WordPress maintenance mode.

Getting a WordPress critical error is not something that any of us wants to experience by any stretch of the imagination. A critical error can give even the most seasoned of administrators sweaty palms and wobbly knees. Knowing what to do can help you stay calm and cool when the cake hits the fan.

Quality and dependability are two tenets on which all of our plugins are built. We work to achieve this day in day out through a rigorous development process that also involves considerable testing by our internal team. This enables us to ensure we only release any new update or plugin once we are confident that it’s solid and will perform well.

It’s pretty safe to say that all software has some kind of vulnerabilities. This does not necessarily mean that the software is bad or sub-standard – vulnerabilities can arise for all sorts of reasons – from failed QA processes to environmental incompatibilities or misconfigurations.

Today, we are super proud to announce the new and improved MelaPress Login Security (formerly WPassword). This release marks some important changes to our plugin lineup, as well as WP White Security, which we have been working on for the past few months.

Improve the security and productivity of your WordPress website with regular updates. Learn why keeping WordPress, plugins, and themes up-to-date is essential for website administration, and how it can enhance the experience for your visitors. Keep your website running smoothly with the latest versions.

Using 2FA to secure your WordPress website is by far one of the best security measures you can take. It adds an additional layer of security while being very easy to set up. Furthermore, it has a proven track record of stopping the vast majority of login-based attacks, such as brute-force attacks. While many WordPress administrators have already implemented 2FA, several still shy away from this technology. A major reason for this is the misconception about lockouts.

WordPress is a very stable CMS system and, in most cases, works without a hitch. Due to its versatility, however, in certain cases, an issue may pop up. This can happen for several reasons, which is why troubleshooting and debugging are very important. Fortunately, WordPress comes with an essential tool right out of the box that will make the task much easier.

This article takes a look at the WordPress debugging tool before looking at the most common issues that many WordPress administrators and website owners may encounter. We’ll then look at causes and fixes to help you get back up and running in no time at all.

WordPress, the most popular CMS, runs on MySQL, the most popular database out there. Spending some time to ensure your MySQL installation and WordPress database configuration installation is adequately hardened against common attack vectors can help you reduce risks. This is especially true if you are managing your MySQL server yourself.

Exactly a year ago, I sat at this very same keyboard to write an article that’s not too different from this one. While a lot has happened since then, the year has all but flown past. I am told that this is due to my getting older – the older you get, the smaller of a percentage a year is of your lived life; hence it seems like less time has passed.

In last year’s recap (covering 2021), we were starting to free ourselves from the clutches of the pandemic. Today, we are better equipped to deal with its ramifications, but 2022 brought its own set of challenges and wins.

Writing legal policies for your WordPress website may feel a little daunting. However, without these important pages, you could find yourself in hot water and damage your brand’s reputation.

If you’re unable to hire a legal expert, there are tools you can use to create policies for your WordPress site. This way, you can ensure that you’re protected against claims or complaints from disgruntled users.

phpMyAdmin is a GUI web application (Graphical User Interface) that allows you to access and work on MySQL-based databases. Having a GUI can make it easier to manage MySQL databases if you’re unfamiliar with the CLI (Command Line Interface). While the CLI is often preferred by professionals and enthusiasts due to its flexibility, it can be daunting to those who do not regularly work on databases – this is the problem that phpMyAdmin seeks to address.

This article will take a hard look at phpMyAdmin from the WordPress point of view, including how it works, available installation options, and basic navigation.

Back in November of this year, we launched a second WordPress survey, this time aimed at understanding how WordPress administrators and website owners manage their WordPress websites. As promised, we will be sharing our findings, which is exactly what this post is all about.

You’re about to make an online purchase but all of a sudden you’re asked to decode a strangely twisted word, make a simple calculation, or identify which images presented include a bus. What just happened? What is this popup that looks like a cross between a game and a test – but that’s definitely wasting your time?

You were confronted with a CAPTCHA or Completely Automated Public Turing test to tell Computers and Humans Apart. It’s a method used by website owners to identify human visitors and users, then enable logged in users to make purchases, view pages, or create accounts. It also works as a way to block bots and fraudulent users.

This Black Friday, we are offering an amazing 50% discount on all new plugin subscriptions. This is the perfect opportunity to shore up your WordPress security and administration (at a hefty discount) as we head into a busy festive season.

Following the success of our WordPress security survey, we are launching another survey – this time addressing WordPress administration. The purpose of this survey is to get an understanding of how our customers and readers undertake basic WordPress administration tasks.

GDPR stands for General Data Protection Regulation. It is an extensive EU (European Union) regulation that represents the minimum requirements for anyone handling the data of EU citizens. The regulation has 99 articles, split into 11 chapters. While this might sound intimidating, breaking it down can help us understand its key points and how it affects WordPress websites.

WordPress auto-updates can be quite a divisive topic. When enabled, auto-updates can ensure that you get the latest updates as soon as they become available. This can help you mitigate certain risks, such as security holes, as fast as possible. Yet, untested updates can break your website – so what’s the deal? Should auto-updates be enabled or disabled? The answer is not so simple.

On the 24th of May, 2022, Cisco was made aware by its security teams that there had been a breach. The attacker had managed to gain access, escalate their privileges, install remote access and hacking software, and take steps to maintain access to the systems. They managed to do all of this one step at a time. As we shall see, this should have been easily preventable.

We recently ran a survey to get a better understanding of the state of WordPress security. The survey was open to everyone and included several WordPress security-related questions. This report details our findings.

CISA, which stands for Cybersecurity & Infrastructure Security Agency, is a US federal agency operating under the Department of Homeland Security. Established in 2018, it supersedes the NPPD – National Protection and Programs Directorate and is tasked with improving cybersecurity against attacks originating from both private and state-backed hackers.

What are the best methods of WordPress password protection for website administrators? This blog post examines the top password security options, such as strong password policies, password managers, two-factor authentication, educating users, and the use of other, wider safeguards.

We are launching our very first WordPress security survey. The aim of this survey is to understand how WordPress administrators and owners view and manage basic security tasks on their WordPress websites. While we have carried out surveys in the past, this survey is perhaps more ambitious than what we have previously done.

We are thrilled to announce the release of CAPTCHA 4WP version 7.1.0. This release features some highly-requested new features alongside a number of improvements to help administrators and website owners ensure the success of CAPTCHA deployments on WordPress websites when using CAPTCHA 4WP.

If you own an eCommerce store, you’ve probably heard of GDPR. However, you may not be fully conversant with GDPR law and have a lot of questions in your mind. Our goal with this article is to address all your GDPR concerns for your WooCommerce website and help you ensure GDPR compliance for your business.

The WP White Security team went to WCEU 2022 and it was a blast! Read here for a recap of the event and see what we got up to.

A security breach can be expensive. Many studies and statistics put the average of a security breach in the millions of dollars. This figure, however, does not mean much without context. Indeed, it can be complicated to derive an average cost for a security breach.

We are happy to announce the latest release of WPassword. This version includes several improvements and bug fixes for an even smoother user and administrative experience while maintaining focus on WordPress password security.

Since CAPTCHA was first introduced, it has undergone various iterations and evolutions. With each step, the aim always has been to make it easier for humans and more challenging for non-humans to pass the test.

Careful and consistent administration of a WordPress website can not only help you ensure happy visitors and users but ultimately more of them. However, many WordPress website owners are not in the business of managing WordPress websites.

If you’ve been thinking about adding CAPTCHA to your WordPress website (or have recently installed our amazing CAPTCHA 4WP plugin), you’ll undoubtedly have come across the many different versions and iterations of the word CAPTCHA.

Due to their function, web servers are different from many other devices in a typical network environment—they are not only exposed to the internet by design, but they likely serve web traffic to complete strangers.

We are launching version 7.0.6 of CAPTCHA 4WP Free Edition. This latest release includes several improvements and fixes, for a smooth-running and stable CAPTCHA plugin for WordPress.

Since we acquired CAPTCHA 4WP (previously Advanced noCaptcha & invisible Captcha (v2 & v3)) we set about updating the code and mechanics of the plugin to bring it in line with WP White Security’s standards. In many ways. Version 7.0.0 was the first phase of this endeavour.

CAPTCHA is one of the best tools WordPress administrators and website owners have at their disposal in their fight against spam, such as spam comments and fake user registrations. Just like every other tool, sometimes it needs to be sharpened and serviced.

We are happy to announce the release of Admin Notices Manager version 1.3.0. This latest version allows you to gain even more control over the admin notices than ever before, with a number of fixes and enhancements ensuring a smooth user experience throughout.

Most modern browsers support a variety of HTTP security headers to improve the security of your WordPress website, better protect your visitors from classes of browser attacks such as clickjacking, cross-site scripting, and other common attacks, and even improve your site’s visitors’ privacy online.

At its core, WordPress is a CMS (Content Management System). To manage content, it needs to be able to store it. WordPress does this through folders and files, and a database. We have previously covered the WordPress filesystem in a separate article; we will focus on the database this time around.

2021 was touted as the year in which everything returns back to normality. Alas, this was not to be, as the developments we were hoping for didn’t fully materialize. 2021, however, was a year of hope in which human ingenuity triumphed over tragedy.

When the original developer of the plugin formerly known as Advanced noCaptcha & invisible Captcha (v2 & v3) developed the plugin, he included integration with third-party plugins such as Contact Form 7 and WooCommerce as a premium feature. This could be clearly seen in the Premium Edition advert located on the right side of the plugin page.

When we first came across the opportunity to acquire Advanced noCaptcha & invisible Captcha (v2 & v3) last year, we quickly understood this plugin’s potential to elevate the CAPTCHA game for WordPress administrators and website owners. While we felt that the plugin needed some TLC that we were more than happy to put in, we also understood that it had the basics right.

In this article, we will be going on a CAPTCHA exploration journey, starting at its inception, all the way through the various iterations it went through to become what it is today. We will also be looking at how WordPress websites can leverage what CAPTCHA has to offer to increase WordPress security, reliability, and reputation.

XAMPP is used by many WordPress administrators to set up WordPress environments. While there are many different case uses, some of the most common use cases are to set up a staging, development or testing environment.

WordPress is, at its core, a web application, and just like every other web application, it requires and uses a labyrinth of folders and files to work. These files and folders include everything from access controls and WordPress’ core code to the plugins, themes, media you upload, and everything in between.

Since its inception, WP 2FA has evolved to become one of the top WordPress 2FA plugins – thanks to the hard work of the team and our customers who have shown faith in us and our products and provided us with invaluable feedback.

On the 6th of September 2021, as-of-yet unknown actors breached and gained access to data of 1,200,000 GoDaddy customers. GoDaddy noticed the breach on November the 17th, some 36 days later. The breach was reported to the SEC some five days later and 41 days after the fact.

Many things make WordPress great. Firstly, it’s free. This fact alone has allowed countless people to set up their own websites, contributing to the mass democratization of information that we enjoy today.

Everything must evolve, or it risks being relegated to the history books. At WP White Security, we are firm believers in the philosophy of kaizen and always seek to develop our plugins for the better.

This article explains why many WordPress websites have a lot of failed login attempts. It also explains what you can do to protect your WordPress website from failed login attacks.

If you’re running an online business using WooCommerce, ensuring your site’s security is of paramount importance. While security requires a 360-degree approach with continuous monitoring, improving, testing, and hardening, low-hanging fruit such as user 2FA authentication can protect you from security breaches due to weak passwords.

Aurelio Volle is the Chief Marketing Officer and Product Owner of LIVEN – the umbrella company that has brought us Image SEO Optimizer and WP Umbrella. With 4 degrees to his name, he works as a lobbyist and university lecturer by day, while handling marketing and communications for LIVEN by night.

Looking after the security of your WordPress website involves a lot of different tasks. One of the tasks is to make sure that the plugins, themes and WordPress version that you are using on your website do not have any known vulnerabilities.

We are happy to announce our first plugin acquisition as we pursue our mission to build value-driven WordPress security and admin plugins. This new acquisition will undoubtedly help us deliver more value to our customers.

We are happy to announce update 2.4.1 of WPassword. This update includes several new features and housekeeping updates designed to improve the plugin’s functionality, usability, and performance.

Logs provide the foundational data to support performance, user and technical monitoring on your WordPress sites and the web servers they run. With them you can understand who changed what and when.

Keeping your WordPress secure involves a continuous process of testing, hardening, monitoring, and improving. There are several things WordPress administrators can take care of to help them ensure their websites are safe.

Logs are an essential part of good systems governance and management, providing administrators with a detailed view into the innermost workings of the very systems they manage.

We are happy to announce the release of update 1.2.0 for Admin Notices Manager. This update sees the introduction of a number of new features, improvements to existing functionality, and a bug fix, designed to improve the management of admin notices.

Even though the principle of least privileges is very popular in the IT security industry, many WordPress users still do not apply this principle because “things do not work out of the box”. Though by applying it you can improve the security of your WordPress blogs and websites.

If you have an e-commerce or business WordPress site, most probably you’ve already heard of PCI DSS and PCI compliance. As an online merchant / seller your WordPress website has to be compliant to the PCI DSS regulations, otherwise you risk being fined. Even if you use a third party payment gateway such as PayPal or Stripe, there are still some regulatory requirements your website has to adhere to.

WordPress runs on PHP, and is a core component to pay attention to when hardening your WordPress site. This article will cover some of the most common, low-hanging fruit you can address when it comes to PHP security for WordPress.

Today, we are happy to announce update 1.8.0 of the Website File Changes Monitor plugin for WordPress. Prior to this update, the plugin had some issues with the scan timing and resources required to run the scans. This update introduces a completely revamped version of the plugin allowing for better reliability, performance and scalability.

Whether you’re building, maintaining, or operating an eCommerce website, you need to be aware of your security responsibilities. Luckily, there are standards and regulations that can help you keep online stores, such as those built with WooCommerce, safe and secure. The most notable among these is the Payment Card Industry Data Security Standard (PCI-DSS).

Email is arguably the most common electronic communication medium on Earth. It’s used for everything, from communication to alert notifications, to password reset flows and email-based Two-factor Authentication (2FA).

Today we are happy to announce WPassword update 2.4.0. This exciting release features the much anticipated new feature to block users which have failed login attempts as well as other updates and improvements.

If you’re asking what is the best way to backup a WordPress website, then you’ve made a good start. That means you know backing up your WordPress website or blog is necessary. You just want to know which option works best for you. We’re here to help you answer the question.

One takeaway we can be proud of as a community is how most of us had to be even more creative than usual to get through 2020… With long hours, a lot of stress & uncertainty within our businesses. To have a better 2021 for you and your agency, keep learning and investing in yourself to ensure any situation that’s thrown your way can be dealt with, swiftly and with much less stress.

It’s important to understand the most fundamental WordPress tasks when running your site. Security, of course, should be one of your primary considerations. Creating a manual WordPress backup should also be in your toolbox. You should use a dedicated backup plugin or online service to automatically back up your website.

Whether your WordPress website has been hacked and you’re currently in damage control, or whether you’re preparing for the worst, this article will guide you through the process of cleaning a hacked WordPress website. The process is documented in an easy to follow step-by-step format to help you accomplish the following:

You’re searching the web for information on how to choose the best WordPress web hosting service, right? You’re determined that your website host will help search engines prioritize your website above other slower, less reliable and less secure websites. But, how do you decide?

When you visit a website, your browser (also known as a client) sends a HTTP request to a web server. Once the web server sends an HTTP response, the browser can then render the page to your screen. However, HTTP traffic has a problem; it is a plaintext protocol. This makes it susceptible to snooping and meddling.

WordPress is massively popular. Around every one in five sites on the Internet uses WordPress in some form. Be that to run a humble blog, or a multi-site Content Management System (CMS) or e-commerce site. As a result, it is no surprise that WordPress websites are a very popular target for both experienced hackers and script-kiddies alike.

2020 has been a challenging year for many. However, we have been very lucky and even though it was challenging, we’ve made the best out of it, and we turned it into a big one!

Today we are happy to announce the release of Website File Changes Monitor 1.7.1. This is a minor but must-install followup to update 1.7.0. In this update we have improved several aspects of the plugin’s user experience (UX) and also addressed a few issues reported in update 1.7.0.

Like any other web application with a login form, WordPress submits your username and password in an HTTP request when logging in. By default, HTTP is not an encrypted protocol. That means that unless your WordPress website is using HTTPS, the communication between you and the web server is susceptible to eavesdropping.

We can all agree that 2020 was a difficult year. That’s why we are excited to start 2021 with our very first update of the Admin Notices Manager plugin. In this update we added the ability to choose which type of admin notices to show as normal on the WordPress dashboard, in the plugin pop-up, or choose to hide them completely.

Ryan Dewhurst is an ethical hacker and penetration tester who has dedicated many years in helping people in the WordPress community improve the security posture of their websites and protect them from malicious attackers. Ryan is the founder of WPScan, a free, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites.

Users are often looking for ways to tweak their websites, plugins and themes, or to add some modifications to an existing functionality. In most of these cases, you can do so by adding custom code to your WordPress website. There is nothing wrong with adding custom code to your website. However, there are a few things that you need to look out for when making these changes to your WordPress website.

2020 has been a very difficult year for everyone. So there is nothing better than ending the year on a high; before we leave for the holidays and enjoy some downtime, we are excited to announce the last release of this year; Website File Changes Monitor 1.7.0.

WordPress plugins are awesome and if you want your site to have a specific function, or add additional functionality, the chances are there is a plugin out there for it. If you’d like to learn more about what WordPress plugins are, refer to our WordPress plugins introduction.

If you are new to WordPress, you might be wondering what are WordPress plugins and what’s their purpose. It’s a reasonably common question to ask because plugins are an important part of the WordPress ecosystem. They are essential if you want to build a website with WordPress.

Your WordPress site’s security should be one of your top concerns as a webmaster. However, there’s no such thing as a ‘set and forget’ approach with security. In actual fact, your security arrangements should form part of a never-ending process. You need to continually harden, monitor, improve, and test your WordPress security arrangements.

Every time you log into the WordPress dashboard, you are probably greeted with a few message at the top of your screen. These messages are called WordPress admin notices. Contrary to what many WordPress users might think – that they’re an annoyance without an ‘off’ switch – they can be incredibly useful. At least, that is if you know how to manage them effectively.

Sometimes we are unable to reproduce a problem that a user is encountering when using one of our WordPress plugins. When this happens, we ask the user to send us more information about their website’s and plugin’s setup.

The global pandemic has turned the world of work upside down. Commuting to the workplace is no longer a daily habit for up to 40% of the workforce. What’s more, it’s a trend set to stay in place long after the scientific community has found an effective treatment or vaccine for the virus.

WordPress vulnerabilities statistics show that the main source of WordPress vulnerabilities are in WordPress plugins. These vulnerabilities statistics also show how important it is to always run the latest version of WordPress core, plugins and themes.

The WordPress Admin Area can be packed with lots of popups, reminders, and advertisements. Even though some of these notices might not be that useful, there are many other admin notices that are helpful and need your attention. It’s easy to imagine that all WordPress users enjoy the same clean, well-organized Admin experience. We all want a world where the Admin Area is freely available for all users.

Admin notices give you critical information about your site, which enables you to take timely action. Moreover, if you’re a theme or plugin developer, knowing how to add admin notices to WordPress is important since they allow you to easily communicate messages to your users.

Learn more about WordPress user roles and what capabilities users have when assigned to a specific WordPress user role. With WordPress user roles, the WordPress owner can have control of what the users can and cannot do on the WordPress installation.

Today we are excited to announce update 2.3.1 of the WPassword. The highlight of this update is improved support for other third party plugins, such as login redirects, e-Commerce and membership type plugins. Even though this update is a maintenance release, it still packs a punch. Let’s dive right in to see what’s new and improved in this update.

There’s nothing more complicated for webmasters than to manage their website users. If your website or e-commerce solution users aren’t managed correctly, they can inflict site-breaking damage and loosen up tight security protocols. While WordPress user management is vitally important, you also have to be able to run your business. You do not want to […]

Today we are announcing WPassword update 2.3.0. This is an exciting release featuring the all new inactive WordPress users check. In it we also included a good number of other password policies improvements and performance updates.

WordPress can pretty much run on any operating system that runs PHP. However, the vast majority of WordPress websites run on Linux. Therefore it is important that you understand Linux file permissions.

Today we are announcing two releases; Website File Changes Monitor 1.6 and  WP Activity Log 4.1.2. They are being released together because we have integrated the plugins.

The security of your WordPress website depends on the systems you put in place to protect it and harden its security. With the sharp increase of automated password guessing, your users’ sensitive information and access to your site are more at risk than ever.

This guide will walk you through what the CCPA website compliance requirements are. It also explains what it means for your website in practice, and how to implement the necessary changes. So without further ado, let’s begin by discussing the principal themes of the CCPA.

Today we are releasing WPassword 2.2. The highlights of this update are the out of the box support for custom login pages and the plugin translations. We have also included a number of updates and fixed a number of issues in this update. These release notes highlight what is new, improved and fixed in this exciting update of our password security plugin for WordPress.

In this update of the Website File Changes Monitor plugin we focused on further improving the file scanning technology. The results speak for themselves; faster scans that requires less resources. Here, you can read in more details what is new and improved in update 1.5 of our file integrity monitor WordPress plugin.

When you use two-factor authentication (2FA) on your WordPress website, you need the username, password, and a one-time code to login. The one-time code can be generated by an app, sent to you over email, or generated by a third party specialized device. However, how can you still login if you not have access to the 2FA app, or the mailbox where the 2FA code was sent? Is there a fail safe backup plan?

WordPress powers a lot of websites on the Internet. So it’s no surprise that seasoned attackers and “script-kiddies” like to target WordPress websites. Whether you’re a webmaster, or a security professional, when tasked with assessing the security posture of a WordPress website, it tends to help to be aware of common security pitfalls attackers typically take advantage of.

WPassword 2.1 is out today! In this plugin update we added a new policy to disable dormant users, support for post login redirect plugins, and several other improvements. This post highlights all that is new and improved in the latest version of WPassword.

When you manage a WordPress website, one of the most important aspects of security is authentication, a.k.a. how you login to your website. There are several ways how to harden the authentication to improve the defence in depth of your WordPress login mechanism. One of them is to implement two-factor authentication (2FA).

This WordPress tutorials explains how you can configure the WordPress automatic update to ensure that your websites and blogs always run on the latest, most stable and secure WordPress version. It also explains how to enable automatic updating of WordPress plugins and theme.

Keeping your eCommerce store secure is a must. Not only is it an important source of income for your business, but it also contains sensitive customer information, such as billing details and credit card numbers. Strong passwords can prevent many cyber attacks, but you’ll need a way to enforce them without deterring customers.

WPScan is a black box WordPress Security Scanner written in Ruby. Ideal for penetration testers, security professionals and WordPress administrators WPScan can find security weaknesses within a WordPress blog or website.

These last few weeks we have been busy working on our file integrity monitor plugin for WordPress: Website File Changes Monitor. In this update we focused on improving the coverage of the plugin, so it can detect file changes which it didn’t before.

Today we are announcing WPassword 2.0! We are very excited about this release. Finally, WordPress multisite network administrators can also enforce strong password policies.

Hacking is the process of finding flaws in a system, and exploiting them to bypass security controls. ‘Ethical’ hackers use this process to learn about a system and find its weaknesses. However, malicious or ‘black hat’ hacking is also common. It is often used to break into websites.

Ivica Delic has been working with WordPress since 2011 and has co-founded FreelancersTools.com. He has volunteered in the WordPress community and attended and presented at numerous WP Meetups about speeding up WordPress websites.

Since this is only the third update of the Website File Changes Monitor plugin, we are still finding new ways how to improve the user experience (UX). Thankfully, we get a lot of valuable feedback from the plugin users on how we can make the plugin easier to use and better.

Plugins are a great aspect of using WordPress. However, at some point, you’ll need to uninstall or deactivate a plugin for one reason or another. This might present a problem, in that, the default method for deactivating WordPress plugins might not be always available.

In September 2018 we released the first version of WPassword. The plugin has been a great success. It helps hundreds of administrators ensure their WordPress users use very strong passwords. Today we are announcing update 1.4 of the plugin. With this update we are allowing users to trial the plugin before they buy it, which […]

In order to do business, your WordPress website and business have to adhere to rules and regulations. These rules and regulations may take the form of laws (such as GDPR or HIPAA). They may also be compliance requirements, such as PCI DSS or ISO 27001, and may vary from one country to the other.

In update 1.2 of the Website File Changes Monitor plugin we are building the foundations for many other new features. We have also included some performance improvements, so when you update click the Scan Now button to run an instant & quick file changes scan on your WordPress website

Today we are releasing update 1.1 of the Website File Changes Monitor plugin. This update is based on the important feedback we got from our users after launching this plugin a few weeks ago. The main highlight of this update are the instant file changes notifications via email. However there is much more to this update, as this blog highlights.

For every user or account you have you should use a unique and difficult password. That’s a given, but you’d be surprised at how many people don’t give a second though to password security.

Today we announce WPassword update 1.2, the plugin that enables administrators to enforce strong WordPress passwords. The highlight of this update is a new hook that allows theme developers to include the password policies in custom pages. In this update we have also included a few minor improvements and enhancements.

This post explains how File integrity monitoring (FIM) helps you answer such questions. We will see how a file integrity monitor plugin is instrumental in helping you better manage your WordPress site’s files. Detecting issues at an early stage is very important – it allows you to mitigate and limit the attack’s or problem’s damage.

As an owner  or contributor to a few WordPress sites you are subscribed to an overwhelming number of online services and websites. And even though you agree with the above statement, it is very difficult for you to follow this security best practice, even though you enforce strong WordPress password policies on your sites.

We have been toying with the idea of developing a WordPress file integrity scanning and monitoring plugin for quite some time. However, we did not want to develop just another file scanning plugin.

There are plenty of CMS solutions you can choose from. Each one of them has its pros and cons. In an ideal world there is a way to overcome all the issues you have with your CMS. However as such is not always possible, and sometimes it is simply easier to migrate to a new CMS.

As of the beginning of 2019, WordPress powers 33% of the top ten million websites, confirming it as the most popular and widely used blogging and CMS platform again. Such popularity attracts a lot of attention, and application security software companies which typically focus on security solutions for custom web applications are now also interested in WordPress, and developing security solutions for WordPress sites.

WordPress security is a continuous process of hardening > Monitoring > Testing > Improving. So automation is a must, and that is why you need to use multiple tools, such as a WordPress activity log plugin and an online WordPress security service such as Sucuri.

We released the first version of WPassword around three months ago. Since its released we received some valuable feedback and the plugin has been featured on some of the leading WordPress sites, such as Torque Magazine.

Vulnerabilities in WordPress plugins have been the cause of more site hacks than vulnerabilities in WordPress core. One of the reasons why this is happening is lack of resources.

It is impossible to ignore security when it comes to managing WordPress sites and blogs. In fact many business site administrators choose a secure WordPress web host for their sites. On top of that, they install a WordPress firewall plugin or service, and keep a log of what is happening one their site with a comprehensive WordPress activity log plugin.

According to statistics published by WPMUDEV in 2017, malicious hackers attack WordPress websites with over 90,978 attacks per minute. Therefore every WordPress site must have some sort of security hardening and service protecting it. Even if it is small and not popular, your WordPress website is always a target.

In this post, we’ll talk a little more about why you should consider adding a WordPress activity log plugin to your website. Then we’ll explore five of the top options, before showing you how to get started with WP Activity Log, the plugin which we chose to work with.

WordPress has come a long way in helping administrators run more secure sites, though weak passwords are still a big issue. That is why we still see so many successful WordPress brute force attacks. Though there is light at the end of the tunnel! We have developed a plugin to help WordPress site owners like you enforce strong passwords on users – WPassword.

WordPress security can be an intimidating subject to those who are new to WordPress, and to having a website. However, with compliance and standards such as the OWASP Top 10 list business can easily get started with WordPress security. This article explains what is the OWASP Top 10 list. It also explains how WordPress site administrators can have an Owasp Top 10 compliant WordPress website.

If you manage a WordPress website, you surely need to give temporary access to someone so they can fix a problem or do some work on your website. Though there is a problem – the process of creating and managing temporary users can become cumbersome and can also lead to security issues.

Two-Factor Authentication (2FA) or Two-Step Verification is an additional layer of security you add to your WordPress login pages to further harden the overall security of your WordPress site. With 2FA it is virtually impossible for attackers to hijack your WordPress user, even if they guess the password.

Julio Potier is the developer behind SecuPress, the WordPress plugin that makes it possible to easily secure your WordPress websites and blogs. Julio is based in France and is very active in the WordPress security scene

During this interview Akshat explains what happened during the BlogVault security incident, how he and his team found out about it, its aftermath, and how did the public react to their announcements and transparent approach. A lot of noise is made when a popular WordPress website or service is hacked, but not much is done to […]

WordPress is a very simple web application. It is made up of a number of PHP files and a database, typically a MySQL database. The files are the actual web application and the database is where all the information such as users, blog posts, pages and other data is stored. The WordPress setup is so […]

Once you clean up the malware infection from your hacked WordPress website or blog you have to apply for a Google malware review to have the Google malware warning removed. Read this post for more information on how to apply for a Google malware review.

There are several benefits to keeping a record of everything that is happening on your website in a WordPress audit log. As seen in this example, you can configure email alert so you are alerted of any suspicious user behaviour at an early stage, allowing you to thwart any possible hacker attacks before any damage is done on your WordPress website and multisite network.

A cross-site scripting vulnerability has been discovered in a number of WordPress plugins and today all of them have released updates to address this issue. Read this article for more details.

A WordPress website firewall (also known as a Web Application Firewall) helps you protect your WordPress websites and blogs from malicious hacker attacks, though it is not a bullet broof solution. This article explains how they work and discusses their pros and cons.

A WordPress security tutorial that explains how and why you should hide your WordPress usernames to improve the security of your WordPress blogs and websites.

There are various types of WordPress hack attacks and most of them can be classified under two categories; Targeted and Non-Targeted WordPress hack attacks. This security articles explains what each type of attack is, how it works and how to protect your WordPress sites and blogs from these malicious WordPress hack attacks.

Should you change the WordPress Login Page URL to improve the security of your WordPress blogs and websites? Are there any other and better ways how to protect your WordPress login page?

This security article explains why you should change your WordPress Administrator ID to improve the security of your WordPress blogs and sites. It also explains how to change the WordPress administrator ID so malicious hackers cannot target the WordPress administrator account.

This document explains how to grant remote access to a WordPress or any other MySQL database. Remote access might be needed if you need to extract or read data from the WordPress database from a remote location, for example to read the WordPress security alerts generated by WP Activity Log plugin and store them in a centralized logging and monitoring system.

WordPress security keys are used to encrypt the WordPress login details stored in user’s cookies once they login to WordPress. By configuring the WordPress security keys you also improve the security of your WordPress. This article explains what are the WordPress security keys and how you can configure them in the wp-config.php file.

This WordPress security tutorial features a WordPress plugin called BBQ:Block Bad Queries. This WordPress security plugin is a maintenance free WordPress Web Application Firewall that protects your WordPress blogs and websites from malicious hacker attacks by blocking malicious HTTP requests sent to your WordPress prior to being executed by the WordPress core.

This WordPress tutorial explains how to manually create a WordPress administrator account directly in the database using SQL queries or phpMyAdmin. This operation is useful to regain access to a hacked WordPress blog or website.

WP White Security will be at the first large-scale European WordPress WordCamp, which will be held between the 5th and the 7th of October 2013, in Leiden, Holland. If you will be at the WordCamp, or around Leiden, come and speak to us.

In this WordPress Webmaster Tip we recommend two automated tools (BigDump and Search Replace DB) that will make your WordPress Admin life easier.

Every year, hundreds of thousands of WordPress blogs and websites are hacked. This leads to the question, how do I know if my WordPress site is hacked? How do I tell if my WordPress site is hacked? Sometimes it is very easy to tell, especially if a website is defaced. But most of the time, […]

In this WordPress tutorial we explain how to change some entries in the WordPress database to fix the You do not have sufficient permissions to access this page WordPress problem and regain access to the WordPress dashboard / wp-admin section.

A source code analysis of several WordPress plugins shows that more than 20% of the 50 most popular WordPress plugins are vulnerable to common web attacks. In this blog post we present you with the facts and statistics of this one of a kind study and give recommendations to help WordPress owners choose secure plugins and to help WordPress plugins developers develop more secure plugins.

A WordPress security article that explains how to use the popular WordPress security scanner WPScan to enumerate WordPress users or plugins for reporting purposes or WordPress security audits.

With WPScan WordPress Security Scanner you can launch a security check to ensure that all your users are using strong WordPress passwords. In this WordPress security tutorial we demonstrate how to use WPScan to launch a brute force security check against a WordPress user account.

By defaut WordPress discloses the version number in the generator meta tag and default RSS feeds. In this WordPress security tutorial we show you how to hide the WordPress version number without installing a WordPress security plugin.

Use WordPress security plugin Old Core Files to delete old, obsolete and probably vulnerable WordPress core files which can be exploited by hackers to inject malware on your WordPress blog or website. Read how simple it is to use this WordPress security plugin.

In this WordPress tutorial we explain how to password protect the WordPress wp-admin from Cpanel to add an additional layer of security to your WordPress administrator dashboard and protect WordPress from zero day vulnerabilities.

If you host your own WordPress most probably you have heard about .htaccess files and all the things you can do with .htaccess files to secure WordPress. If you are not familiar with .htaccess files in relation to WordPress you can go through our definite guide to htaccess and WordPress, where you can find all the information you need about .htaccess files and their usage in WordPress.

Having user friendly custom error pages for your website is perhaps as important as having good content. In this article we show you how to easily implement custom error pages for your WordPress website or blog with .htaccess files.

If you would like to restrict access to a WordPress file, or a number of files on your website from being accessed from an external source, you can do so by using .htaccess files. Restricting access to files with .htaccess is ideal for files which still need to be accessed by your WordPress but never accessed directly by your website visitors, such as the wp-config.php.

Hotlinking is the direct linking to a number of website’s files from another website. If someone hotlinks to images or other media files on your WordPress website or blog, it will result in extra load on your website and bandwidth theft, therefore you should prevent hotlkinking.

Bots, short for robots, are computer programs that browse (surf) websites all over the internet and automatically perform specific tasks. Like almost everything else on the internet, there are good bots and bad bots. Follow this guide to learn how to block bad bots with .htaccess files.

If you want to ban a bad user from accessing your WordPress website or blog and you have the user’s IP address, or hostname, you can block such users by using an htaccess file.

There are several methods to protect the WordPress admin dashboard (wp-admin directory). You can restrict access to the WordPress wp-admin directory to your IP address only via an .htaccess file.

You can reset WordPress password using the phpMyAdmin web interface. Follow the three easy steps in this WordPress tutorial to reset a WordPress password within a minute and gain back access to your WordPress blog or website.

As seen in Why minimum MySQL user WordPress database privileges improve security, it is very important to assign the minimum required database privileges to the MySQL user being used by WordPress to access the MySQL WordPress database, i.e. the user specified in WordPress wp-config.php file.

The Windows hosts file can be used to redirect requests from your computer to a website to another IP rather than the original IP or domain. In other words, if I want to run a test copy of the website www.wpwhitesecurity.com on my laptop, I configure a lightweight web server on my computer and simply add an entry in the Windows Host File to point www.wpwhitesecurity.com to 127.0.0.1 (localhost).

There are different procedures that you can use to rename the WordPress database prefix. It depends on whether you have already installed WordPress or not. If you have not installed WordPress yet, you can simply specify a different database table prefix from the WordPress installation wizard or pre-define it in the wp-config.php file before running the installation.

If you need to exclude a category from the WordPress blog page and sidebar, you do not need to install a third party plugin and add extra administration overhead. All you need to do is follow this easy to follow step by step WordPress tutorial, and by simply modifying a file you will have the WordPress categories you want excluded in minutes.

When installing a new theme or configuring a PHP script for your WordPress, you might need to populate some entries with a WordPress Category ID. Even though an advanced WordPress user can find a Category ID in seconds, if you are a beginner you might be at lost. Follow the below step by step procedure to find a WordPress Category ID in seconds.

While doing a WordPress security audit and WordPress security lock down for one of our customers, I noticed he had a WordPress password backdoor installed on his WordPress installation. The WordPress backdoor is a very simple, yet powerful PHP script which can be triggered by accessing a specific URL using a normal web browser, such as Google Chrome of Firefox.

Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details.

A WordPress website is made up from a number of files, organized in a number of sub directories. These files and sub directories are saved in a directory on a web server. This is the root directory of your site, also known as the document root.

Protecting your wp-admin directory and WordPress dashboard with an .htaccess file is a vital procedure when locking down your WordPress blog or website. As a blogger and webmaster you know that once a malicious user gains access to your WordPress dashboard, it is game over.

To password protect a directory or section of your WordPress blog or website, you need to generate an Apache password file, better known as htpasswd file. In this article we will explain how to create a password file for Apache web server, which is the most popular web service used by hosting providers.

WordPress database connection problems are very common, especially when installing, upgrading and migrating a site. However, they can also occur on other occasions.  If you have a WordPress site you’ve surely seen the error establishing database connection: Error Establishing a Database Connection, WordPress database connectivity problems can be solved very easily.

If you lost your WordPress administrator password, or you cannot login to the WordPress dashboard and you do not have access to the WordPress MySQL database, or the password reset functionality is not working, it is still possible to change your password through FTP. In this ten step easy to follow guide we will explain how to change the WordPress administrator password using FTP to be able to access the WordPress dashboard again.

If you are thinking of starting your own blog, the first question that comes to mind is if you should have a hosted blog with WordPress.com, or if you should host your own blog by downloading the WordPress software from WordPress.org.

WordPress blogging platform is a PHP based web application and uses a MySQL database as a backend database. In this article we will explain in easy to follow step by step format how to manually create a MySQL database for your WordPress blog or website. Two options are explained below, either by connecting to MySQL using a web based graphical user interface such as phpMyAdmin, or by using the MySQL command line.