You are currently browsing the tag archive for wordpress security

May 19, 2014

Here’s What You Need to Secure Your WordPress Site in 2014 & Beyond

Filed as Guides with no comments

Internet security is the only topic on the web that I can predict will always be in the headlines as long as mankind and internet technologies exist. As we take exponential leaps and bounds in technological advancement, security is an issue that is always there to keep us busy. As more of our most valuable assets move online, in the form of private data, financial information and general web presences, the opportunities for exploitation by scammers and thieves grow with them. Our reliance on the web can potentially be our greatest downfall, especially for those of us who are not prepared.

As you search the web you’ll find a plethora of articles on how to secure your WordPress blog, but you won’t find many that point out the overall evolution of online threats: exploits and attack maneuvers are becoming tremendously more complex and smarter, and WordPress sites are at great risk. Keeping your WordPress installation up to date, tweaked and cleaned won’t cut it for total security.

August 8, 2013

How to Keep WordPress Locked Down with Duo Security

Filed as Guides with no comments

WordPress blogs are one of many targets for hackers, and with so many people making simple mistakes, it becomes clear why. There are many ways of protecting your blog, and we’ve outlined five mistakes you might be making. While using a stronger password or keeping your plugins and theme updated tend to be common advice, you can take additional measures. In fact, you can ensure that absolutely no one, even if they were to get your password, will ever be able to access your blog.

Two-factor authentication is a wonderful thing, and was first used in the workplace to protect sensitive data. Nowadays, companies like Google or Microsoft offer the functionality, and all that’s required is a mobile phone. When you log in somewhere that has two-factor authentication enabled, you are required to enter a special PIN in addition to your password. For example, Google has its “Authenticator” app, which you fire up to see the PIN, or you can opt to receive a text message or phone call instead. A PIN isn’t always required: Twitter recently implemented its own solution, which involves approving the login from a trusted device.

July 3, 2013

Five Rookie Mistakes Killing Your Blog’s Security

Filed as Guides with 5 comments

It doesn’t matter if you write about Teletubbies, or are even relatively unknown. Hackers will go after anyone, often injecting malware or adding links to suspicious websites. This can leave a sour taste in readers’ mouths, making them wary of visiting your blog again. While WordPress has gotten better over the years, and blog security has improved, there are still multiple factors that make your site an easy target, mistakes that can easily be avoided…

April 6, 2010

Cloaking Hack Puts Spam In Your WordPress Search Engine Results

For some days now a rather nasty hack has been going round in the WordPress community. I actually noticed it myself not that long ago when I googled for ‘Chris Pearson’ and what I saw in the results was… shall we say ‘interesting’?

Prozac, Levitra, Lexapro? Had Chris sold the ‘Best Damn Blog on the Planet’, AKA Pearsonified? I went to check out Chris’ blog but no. No Prozac, Levitra or anything else of suspicious nature to be found there. Just your regular well-tuned Pearson content. I even looked in the source code and a quick search for known brands ended empty. I left again, having long forgotten already why I googled Chris in the first place.

Now it seems though that this hack is making the rounds and becoming more and more popular. Leland Fiegel from Themelab first reported on it on the Themelab blog, more than a month ago already. Afterwards the issue was covered over at the WP Tavern forums, but no solution has been found so far. Even the WordPress Lead Developer, Mark Jaquith, is left clueless and hopes to solve the issue ASAP.

January 19, 2009

Security and Hacking: Protect Thyself and Thy WordPress Blog

The front page of CERT/CC, the Carnegie Mellon Software Engineering Institute’s cyber security experts, looks back at 2008 as the 20th anniversary of the Morris worm, sometimes called the “Great Worm,” which crippled the Internet in 1988. Created by Robert Morris, now an associate professor at MIT, it was one of the first computer worms to infect the brand new Internet, exploiting known vulnerabilities and causing millions in damages. It also led to the first conviction in the United States under the 1986 Computer Fraud and Abuse Act.

Years ago, a friend of mine worked for Boeing IT and taught many company workshops and training programs that began with an amusing lecture on “Safe Computer Sex.” She taught fellow employees to take care when flipping floppies to avoid transferring computer program infections across the network. How far we have come from those days.

As our dependence upon the web increased with email communication, spammers, hackers and attackers spread evil through your email inbox. Now, they are attacking our websites, social media tools, and web browsers.

Microsoft recently announced security issues with the Internet Explorer web browser and the dangers of visiting websites that could exploit that vulnerability. Many warned against using Internet Explorer until it was patched and updated.

Google created the Browser Security Handbook to help people and developers understand the security issues facing web browsers and the steps to take to protect individuals and web applications.

As mentioned in the last article in this series on web and blog security and hacking, Security and Hacking: The State of WordPress Blogs, WordPress, Movable Type, and other popular web services are not immune from security hacks or vulnerabilities.

January 16, 2009

Security and Hacking: The State of WordPress Blogs

Last year, there was a lot of noise about WordPress being especially vulnerable to attacks and hacks. Not all of those reported hacks and wildfire assumptions about WordPress security were true.

The post “SecurityFocus SQL Injection Bogus” talked about one such false report:

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire,” and the less basis there is in fact, the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team does is sifting through things to see what’s valid or not.

…All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy; you’ll remember this is one of the main reasons I came out against sponsored themes.)

“Sponsored” WordPress Themes were banned from the official WordPress Theme Directory due to inclusion of ads, spam, and malicious links in Themes offered for free, with a hidden price. WordPress Theme scams continue and WordPress users are warned repeatedly to be cautious about downloading and using WordPress Themes without careful inspection and testing.

In the last issue of this series, “Cyber Attacks on the Rise in 2009,” I covered the current spread of the Downadup Worm Infection, which uses websites to spread its evil and has impacted more than 3.5 million sites worldwide. Such attacks are becoming more rare, but hackers targeting blogs are growing in numbers and resourcefulness. We must be on our guard to protect our blogs more this year than ever before.

December 26, 2008

WordPress News: 650,000 WP 2.7 Downloads, BuddyPress, Theme Threat, Schwag, and More

WordPress 2.7 downloads now past 650,000. Poll out for WordPress 2.8 input. Possible WordPress Theme threat you need to know about. BuddyPress beta released. Imagine moving millions of Typepad blogs to WordPress? Want some WordPress schwag? WordCamps coming up in January – are you going to a WordCamp near you? And if the weather permits, and electricity holds, we’ve got more WordPress news for you!

WordPress News

Get Ready for WordPress 2.8: Work is already ongoing for WordPress 2.8 and WordPress wants your feedback. In “Prioritizing Features for WordPress 2.8,” Jane Wells invites people to take a poll on the top priorities WordPress developers should be putting their energy into. Currently, they are focused on WordPress Widget management, automatic Theme updates and installs, and performance improvements. The poll features the most popular feature requests from the Ideas forum and more that the WordPress developers want to work on. Vote by noon on December 31 to have your say in what you want to see in WordPress 2.8.

Half-Million Downloads of WordPress 2.7 and Growing: Last week, there were 500,000 WordPress 2.7 downloads and Miroslav Glavic caught the rollover of the counter. As I write this, there are now 654,434 downloads, moving fast toward 1 million. Bets are on Twitter as to when one million downloads will show on the counter. There is now also the WordPress Download Counter for WordPress fan blogs, which adds a counter to your blog’s sidebar showing the number of official WordPress version downloads.

Friendster Moves Millions of Blogs from Typepad to WordPressMU: Matt Mullenweg and the WordPress Publisher Blog report the switch of “millions of blogs from Typepad to WordPress.”

WordPress Theme Intruder Reported: A lot of people are reporting notifications from their web hosts regarding a remv.php file causing malicious behavior on their WordPress blogs. Jason Cosper offers a good step-by-step tutorial and Ronald Davies has a video tutorial on how to remove this malicious file from your WordPress Theme folder. After removing the file from your server via FTP, update your site immediately to WordPress 2.7. For more information, see these discussions on the WordPress Support Forums: Blog hacked, host said to upgrade and WTF is remv.php in wp-content/themes folder.

November 6, 2008

WordPress Wednesday News: WordPress 2.7 Beta 2, Danger WordPress Faker, and More WordCamps

WordPress 2.7 is at beta version 2 and a ton of work has been done on it, though the official release is now delayed until the end of November. Please upgrade to WordPress 2.6. A lot of news about WordPress 2.7 is out, including what you need to know to prepare your blog for the upcoming release. WordPress Plugin and Theme authors are scurrying to update their work accordingly. A fake WordPress.org site is spreading bad WordPress versions – be alert! WordPress opens a new showcase to show off what WordPress can do. A ton of WordCamps are coming up in the next few weeks, and into 2009, including a traveling WordCamp for educators and a skiing, wintry WordCamp in Canada. And more WordPress news.

WordPress News

WordPress 2.7 Development: The original release date of November 10 has been pushed back by at least two weeks, though that may change as beta testing continues. Two beta versions of WordPress have been released, with WordPress 2.7 Beta 2 fixing a lot of the bugs found in Beta 1. At the time of writing this, the WordPress Development Twitter had 149 changes and fixes reported over the past week. Improvements have been made to localization, the Write Post Panel, design problems in Internet Explorer, rewrite rules for various servers and hosts, and the WordPress Plugin update and install feature. More improvements, fixes, and design features are in process for the next beta release. The new interface is being cheered and readily accepted by testers, and many are loving the new Comments and Write Post Panels. The ease of blogging and the information on the new Dashboard Panel make that screen more valuable than ever.

Your feedback and input is critical. Jane Wells asks “What’s your favorite thing about the 2.7 Beta?” to encourage your feedback. You are also asked to report to the Alpha/Beta sections on the WordPress Support Forums and the mailing lists with feedback and input. So far, the reaction from most has been exceptionally positive and most are eager for the new version. Articles with news and information on the new version are coming out all around the web.

October 29, 2008

WordPress Wednesday News: WordPress 2.7 Soon, Security Upgrade, PodCamp-WordCamp Hawaii, PollDaddy, and More

Work on WordPress 2.7 is rocking, but a security upgrade has also been announced: WordPress 2.6.3. Podcamp/WordCamp Hawaii was a success! Hot WordCamps are coming up in Israel, DC, Charlotte, Australia, and more. PollDaddy has a WordPress Plugin and is now on WordPress.com. Akismet gets stats. Gravatars required. And more WordPress news.

WordPress News

Security Upgrade Announced: WordPress 2.6.3 has been released, fixing a vulnerability in the Snoopy class. This is a mandatory security upgrade and involves replacing two files. Download WordPress 2.6.3 now to protect your blog.

WordPress 2.7 Development: The WordPress 2.7 development team is working overtime to help educate and prepare the WordPress Community for WordPress 2.7 and its new interface. They have been testing the final version with some users and getting input from all over the world on how the program is working for them. The official release is due November 10, and testing will continue right up until the release. Your feedback and input is critical, so be sure to report in to the Alpha/Beta sections on the WordPress Support Forums and the mailing lists. So far, the reaction from most has been exceptionally positive and most are eager for the new version. Articles with news and information on the new version are coming out all around the web.
