wordpress security Archives

How to Protect Your WordPress Site From Hackers

January 29, 2020 by Blog Herald

Whether you’re maintaining a personal blog, putting together a portfolio, or building a business website, security is paramount. As a platform, WordPress is hit more than almost any other by cybercriminals. Don’t worry, though. Securing your site is actually a lot easier than you’d expect.

Security can be overwhelming. Even a user-friendly content management system (CMS) like WordPress is, when you look under the hood, fairly technically complex (at least for a layperson). At the same time, it’s not something you can afford to ignore, even if you’re just using WordPress to host a simple digital portfolio.

[Read more…]

SQL Injection – The Old Trick that Keeps on Giving

December 8, 2016 by The Blog Herald

If you’ve never heard of an SQL injection, don’t worry; it’s a term that only really entered the public consciousness in the last few years. Describing a way for hackers and other criminals to steal data, an SQL injection basically makes let’s malicious people inject bad code into a website’s database and then they can tamper with the website, such as by sending customer details to somebody outside a company. [Read more…]

A Quick Guide on Beefing Up Your WordPress Security

July 1, 2015 by Christopher Jan Benitez

WordPress is one of the best CMS platforms for users to build their websites on. It has an intuitive interface with easy-to-use features to help them develop the best-looking site or blog possible. This is one of the many reasons why WordPress has more than 75 million users worldwide.

Due to its popularity, WordPress is also prone to security threats, if not outright hacker attacks. WPWhiteSecurity.com found out that more than 70% of websites running on WordPress are vulnerable to attacks.

There’s a slim chance that your site or blog will be hacked anytime soon, unless it’s one of the most popular ones out there, in which case it has 33% chance of contracting malware. However, if you’re really serious about making a living with your site or blog, then you need to take these threats seriously as well.

Below are tips on how you can beef up your WordPress security to safeguard your site or blog from possible attacks. [Read more…]

Here’s What You Need to Secure Your WordPress Site in 2014 & Beyond

May 19, 2014 by Blog Herald

Internet security is the only topic on the web that I can predict will always be in the headlines as long as mankind and internet technologies exist. As we take exponential leaps and bounds in technological advancements, security is an issue that is always there to keep us busy. An increased number of our most valuable assets are gradually being transferred online in the form of private data, financial information and general web presences and the opportunities for exploitation by scammers and thieves increase. Our reliance on the web can potentially be our greatest downfall. Especially those of us who are not prepared.

As you search the web you’ll find a plethora of articles on how to secure your WordPress blog but you won’t find articles that point out the overall evolution of online threats and the fact that exploits and attack maneuvers are becoming tremendously complex and smarter and WordPress sites are at great risk. Keeping your WordPress installation up to date, tweaked and cleaned won’t cut it for total security. [Read more…]

How to Keep WordPress Locked Down with Duo Security

August 8, 2013 by Mike Stenger

WordPress blogs are one of many targets for hackers, and with so many people making simple mistakes, it becomes clear why. There are many ways of protecting your blog, and we’ve outlined five mistakes you might be making. While using a stronger password or keeping your plugins and theme updated tend to be common advice, you can take additional measures. In fact, you can ensure that absolutely no one, even if they were to get your password, will ever be able to access your blog.

Two-factor authentication is a wonderful thing, and was first used in the workplace to protect sensitive data. Nowadays, companies like Google or Microsoft offer the functionality, and all that’s required is a mobile phone. How it works is when you go to login someplace, and have two-factor authentication enabled, you are required to enter a special pin. For example, Google has its “Authenticator” app which you fire up to see the special pin, or you can opt to receive a text message or phone call instead. A special pin isn’t always required, and Twitter recently implemented its own solution which involves approving a trusted device. [Read more…]

Five Rookie Mistakes Killing Your Blog’s Security

July 3, 2013 by Mike Stenger

It doesn’t matter if you write about Teletubbies, or are even relatively unknown. Hackers will go after anyone, often injecting malware or adding links to suspicious websites. This can put a sour taste in reader’s mouths, making them wary of visiting your blog again. While WordPress has gotten better over the years, and blog security has improved, there are still multiple factors that make your site an easy target, mistakes that can easily be avoided… [Read more…]

Cloaking Hack Puts Spam In Your WordPress Search Engine Results

April 6, 2010 by Franky Branckaute

Since some days a rather nasty hack has been going round in the WordPress community. I actually noticed it myself not that long when I googled for ‘Chris Pearson‘ and what I saw in the results was… shall we say ‘interesting’?

Prozac, Levitra, Lexapro? Had Chris sold the ‘Best Damn Blog on the Planet’, AKA Pearsonified? I went to check out Chris’ blog but no. No Prozac, Levitra or anything else of suspicious nature to be found there. Just your regular well-tuned Pearson content. I even looked in the source code and a quick search for known brands ended empty. I left again, having long forgotten already why I googled Chris in the first place.

Now it seems though that this hack is making the rounds and becoming more and more popular. Leland Fiegel from Themelab first reported about it on first reported about it on the Themelab blog, more than a month ago already. Afterwards the issue was covered over at the WP Tavern forums but no solution has been found so far. Even the WordPress Lead Developer, Mark Jaquith, is left clueless and hopes to solve the issue ASAP. [Read more…]

Security and Hacking: Protect Thyself and Thy WordPress Blog

January 19, 2009 by Lorelle VanFossen

The front page of CERT/CC, the Carnegie Mellon Software Engineering Institute and cyber security experts, looks back at 2008 as the 20th anniversary of the Morris worm, sometimes called the “Great Worm,” which crippled the Internet in 1988. Created by Robert Morris, now an associate professor at MIT, it was one of the first computer worms to infect the brand new Internet, exploiting known vulnerabilities and causing millions in damages. It also was the first conviction in the United States as part of the 1986 Computer Fraud and Abuse Act.

Years ago, a friend of mine worked for Boeing IT and taught many company workshops and training programs that began with an amusing lecture on “Safe Computer Sex.” She taught fellow employees to take care when flipping floppies to avoid transferring computer program infections across the network. How far we have come from those days.

As our dependence upon the web increased with email communication, spammers, hackers and attackers spread evil through your email inbox. Now, they are attacking our websites, social media tools, and web browsers.

Microsoft announced recently security issues with the Internet Explorer web browser and the dangers of visiting websites that could exploit that security vulnerability. Many warned to not use Internet Explorer until it was patched and updated.

Google created the Browser Security Handbook to help people and developers understand the security issues facing web browsers and the steps to take to protect individuals and web applications.

As mentioned in the last article in this series on web and blog security and hacking, Security and Hacking: The State of WordPress Blogs, WordPress, Movable Type, and other popular web services are not immune from security hacks or vulnerabilities. [Read more…]

Security and Hacking: The State of WordPress Blogs

January 16, 2009 by Lorelle VanFossen

Last year, there was a lot of noise about WordPress being especially vulnerable to attacks and hacks. Not all of those reported hacks and wild fire assuptions about WordPress security were true.

In “SecurityFocus SQL Injection Bogus,” Matt Mullenweg talked about one false report:

Online, apparently, it’s fine for someone to run into a crowded theatre and yell “fire” and the less basis there is in fact the more people link to them. It’s not uncommon to see crying-wolf reports like the above several times in a week, and a big part of what the WP security team is sifting through things to see what’s valid or not.

…All that said, there is a wave of attacks going around targeting old WordPress blogs, particularly those on the 2.1 or 2.2 branch. They’re exploiting problems that have been fixed for a year or more. This typically manifests itself through hidden spam being put on your site, either in the post or in a directory, and people notice when they get dropped from Google. (Google will drop your site if it contains links they consider spammy, you’ll remember this is one of the main reasons I came out against sponsored themes.)

“Sponsored” WordPress Themes were banned from the official WordPress Theme Directory due to inclusion of ads, spam, and malicious links in Themes offered for free, with a hidden price. WordPress Theme scams continue and WordPress users are warned repeatedly to be cautious about downloading and using WordPress Themes without careful inspection and testing.

In the last issue of this series on “Cyber Attacks on the Rise in 2009,” I covered the current spread of the Downadup Worm Infection that uses websites to spread its evil, impacting more than 3.5 million sites worldwide. Such attacks are becoming more rare, but hackers targeting blogs are growing in numbers and resourcefulness. We must be on our guard to protect our blogs more this year than ever before. [Read more…]

WordPress News: 650,000 WP 2.7 Downloads, BuddyPress, Theme Threat, Schwag, and More

December 26, 2008 by Lorelle VanFossen

WordPress 2.7 downloads now past 650,000. Poll out for WordPress 2.8 input. Possible WordPress Theme threat you need to know about. BuddyPress beta released. Imagine moving millions of Typepad blogs to WordPress? Want some WordPress schwag? WordCamps coming up in January – are you going to a WordCamp near you? And if the weather permits, and electricity holds, we’ve got more WordPress news for you!

WordPress News

Get Ready for WordPress 2.8: Already work is ongoing for WordPress 2.8 and WordPress wants your feedback. In “Prioritizing Features for WordPress 2.8,” Jane Wells invites people to take a poll on what are the top priorities WordPress developers should be putting their energy into. Currently, they are focused on WordPress Widget management, automatic Theme updates and installs, and performance improvements. The poll features the most popular features requests from the Ideas forum and more that the WordPress developers want to work on. Vote by noon on December 31 to have your say in what you want to see in WordPress 2.8.

Half-Million Downloads of WordPress 2.7 and Growing: Last week, there were 500,000 WordPress 2.7 Downloads and Miroslav Glavic caught the rollover of the counter. As I write this, there are now 654,434 downloads, moving fast for 1 million. Bets are on Twitter as to when one million downloads will be counted on the counter. There is now the WordPress Download Counter which adds a counter to your blog’s sidebar featuring the number of official WordPress version downloads from the WordPress Download Counter for WordPress fan blogs.

Friendster Moves Millions of Blogs from Typepad to WordPressMU: Matt Mullenweg and the WordPress Publisher Blog have switched “millions of blogs from Typepad to WordPress” to WordPressMU.

WordPress Theme Intruder Reported: A lot of people are reporting notifications from their web hosts regarding the remv.php file creating malicious behavior on your WordPress blog. Jason Cosper offers a good step-by-step tutorial and Ronald Davies has a video tutorial on how to remove this malicious file from your WordPress Theme folder. After removal of the file from your server via FTP, update your site immediately to WordPress 2.7. For more information, see these discussions on the WordPress Support Forums: Blog hacked, host said to upgrade and WTF is remv.php in wp-content/themes folder. [Read more…]