WPShout: In the Quick Guide we’ll use WP Security Audit Log to keep an activity log of what’s happening on our WordPress site. Activity logs are a chronological list of records of what logged-in users did on your WordPress sites and multisite networks. A WordPress activity log is a vital part of site security and management because in it you can find a user log full of information about user logins—from where they logged in and when, what content they have created, published, modified and deleted, what user profile and WordPress settings changes other administrators have made, and much more.
The deeper you get into site security, the darker it gets. Penetration testing is the practice of simulating an attack on a system, network, app or website to identify vulnerabilities that might be exploited.
WordPress Unlink to RCE: A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects, for example, WooCommerce, the most popular e-commerce plugin with over 4 million installations. The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.
After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities. At the time of this writing, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites. Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.
Excerpt: In today’s post, we’ll look at a few common mistakes made by owners of WordPress sites that can create security concerns. These mistakes aren’t strictly application-specific, but are issues many WordPress users will encounter in the course of running their site.
WordPress is, by far, the most popular way to build a website. That popularity has the unfortunate side effect of also making WordPress sites a juicy target for malicious actors all across the world. And that might have you wondering whether WordPress is secure enough to handle those attacks. First – some bad news: Every year, hundreds of thousands of WordPress sites get hacked. Sounds grim, right? Well…not really, because there’s also good news:
Wordfence: In the context of cybersecurity, the adage “An ounce of prevention is worth a pound of cure” is a massive understatement. Make no mistake, the easiest way to handle a security incident is to prevent it from ever happening in the first place. We continually remind our readers about security best practices because the time spent implementing them is nominal compared to the time that would be spent responding in the aftermath of a successful attack.
The right time to talk about WordPress security is always now, before anything bad happens.
But there are still a number of misconceptions about WordPress security floating around out there, bred of ignorance, sure, but also more than a little paranoia.