Category Archives: Security

How to Clean Up a Hacked WordPress Site

One client’s WordPress site got hacked. The client can’t access the site, not even the admin dashboard at the back end, because the site is always redirected to a phishing site: http://www.indoforextrading.com/. If you run into exactly the same problem, here is how I fixed it.


Top 25 Worst Passwords of 2014

In the previous post, I showed you how you may be able to discover a username on a WordPress site using WPScan. On a regular site without an extra layer of security such as two-factor authentication, a username and password are all one needs to gain access to the WordPress dashboard.

WPScan has a “brute force” option that can brute-force test (or attack, if you like) any WordPress site. Using this feature is easy: all it needs is a valid username and a common password wordlist.


How to Manually Cleanup Malware from WordPress Site

Is your WordPress site infected with malware? It can be an extreme headache to deal with. Scanning and cleaning up a hacked site isn’t a simple task. There are many things involved and many techniques required to get it done properly. But sometimes, if a site is only slightly infected, cleaning up the malicious code and infected files isn’t as difficult as you may think.

I happened to have a site like this recently. It didn’t take me too long to identify the infected files and clean up the site. It is a very good example to demonstrate some basic skills and steps for cleaning up malware from an infected WordPress site. I hope it gives you some ideas and helps you in your battle against malware.


WordPress Security with WPScan: Username

WPScan is a popular black-box WordPress security scanner. For anyone who is serious about WordPress security but still stuck with a list of to-do tasks, it is highly recommended to check out WPScan and learn how to integrate it into your workflow.


Manually Reset WordPress User Password

From time to time, we need to reset a user’s password because the user has forgotten it on a WordPress website. There are a few ways to do so: either use the “Lost your password?” function on the login page to reset the password, or change the password with the help of one of the site administrators. In very rare cases, none of these works.


How to Block Comment Spam More Efficiently on Your WordPress Website

Most blog owners rely heavily on an anti-spam plugin or the built-in Comments Blacklist to block comment spam on their WordPress blogs. While this is an easy solution that works, it has drawbacks: it does NOT stop spammers from submitting comments, it only checks whether each comment is legitimate. That takes a hit on website performance by consuming system resources that could be saved to serve valuable visitors.


WordPress Security Tip: Disable Theme and Plugin Editors in Admin Panel

WordPress administrators can modify theme and plugin files in the built-in editor. The editor provides a convenient way for a site administrator to change something on the fly without going through an FTP client. It also makes it possible for a novice site owner to crash the site. As a security measure, it is recommended to disable the editor.
