If you know WordPress database inside and out, the user_nicename shouldn’t be strange to you. It is such kind of thing that has been ignored and easily overlooked, but hackers are always trying to dig into and get useful information from. Of course, useful to hack your site.
Category Archives: Security
How to Clean Up a Hacked WordPress Site
One of client’s WordPress site got hacked. The client can’t access the site, even admin dashboard at the back-end, because the site is always being redirected to a phishing site: http://www.indoforextrading.com/. If you run into exactly same problem, here is how I fixed it.
Top 25 Worst Passwords of 2014
In previous post, I showed you how to possibly discover username on a WordPress site using WPScan. On a regular site without extra layer of security such as 2 factor authentication, username and password are all one needs to gain access to WordPress dashboard.
WPScan has “brute force” option which can brute force test (or say attack if you like) any WordPress site. To use this feature is easy, a valid username and a common password wordlist.
How to Manually Cleanup Malware from WordPress Site
Is your WordPress site infected with malware? It can be extremely headache to deal with. Scanning and cleanup a hacked site isn’t a simple task. There are many things involved and many techniques required to get it done properly. But sometimes, if a site is just slighted infected, cleaning up the malicious code and infected file isn’t as difficult as you may think.
I happen to have a site like this recently. It didn’t take me too long to identify the infected files and cleanup the site. It is a very good example to demonstrate some basic skills and steps to cleanup malware from infected WordPress site. Hope it could give you some ideas, and help you in your battle fighting malware.
WordPress Security with WPScan: Username
WPScan is a popular black box WordPress security scanner. For anyone who is serious about WordPress security but still stuck with a list of to-do tasks, it is highly recommended to check WPScan out, and learn how to implement it into your workflow.
Manually Reset WordPress User Password
From time to time, we need to reset user’s password because user forgets his / her password on a WordPress website. There are few ways to do so. Either use “Lost your password?” function on login page to reset the password, or to change password with the help of one of the site administrators. In very rare cases, none of this works.
Password Protect wp-login.php
In previous post, I mentioned a security tip called “Password Protect WordPress Admin Directory (wp-admin) for Enhanced Security“. Beside http://your-url/wp-admin, there is another login link to your site, which is http://your-url/wp-login.php. Matter of fact, http://your-url/wp-admin still requires access to file wp-login.php, a file seating outside wp-admin folder. It makes sense to extend password protection strategy to wp-login.php as well.
Password Protect WordPress Admin Directory (wp-admin) for Enhanced Security
Everyone knows WordPress well type http://URL/wp-admin for login, so does hacker. Other than using stronger password, there is another way to protect yourself. That is “password protect admin directory”. It adds and additional level of security, works somewhat like two-step authentication. This can be very easy to implement and effective for website with handful of users.
Continue Reading →
How to Block Comment Spam More Efficiently on Your WordPress Website
Most blog owners block comment spam in their WordPress blog heavily relying on anti-spam plugin or built-in Comments Blacklist. While this provides easy solution that works, it does have drawbacks. Because it does NOT stop spammer from doing this, but check if the comment is legitimate. It takes a hit on website performance by consuming system resources, which could be saved to serve valuable visitors.
WordPress Security Tip: Disable Theme and Plugin Editors in Admin Panel
WordPress administrators can modify Theme & Plugin files in build-in editor. The editor provides a convenient approach for site administrator to change something on the fly without going through FTP client. It also makes it possible for novice site owner to crash the site. As a security measure, it is recommended to disable the editor to improve security.
