Posts tagged “wordpress”

You’ve probably heard the news already that WordPress websites are facing XML-RPC Brute Force Amplification Attacks. But did you also know that Sucuri, iThemes and Wordfence already have you protected?

If you use Sucuri’s Website Application Firewall (WAF), the company has you covered:

Note that users of our WAF are already protected against this attack, so if you are on CloudProxy you are safe.

Similarly, the Wordfence Security Plugin has login protection that takes into account XML-RPC. Just remember to enable Login Security in the Wordfence Options.

Yes, we do protect against brute force via XML-RPC and we have for some time now. We also protect against multiple attempts via a single XML-RPC call.

Finally, the iThemes Security Plugin protects against XML-RPC Brute Force attacks (even the free version):

Brute Force Protection in iThemes Security just got more robust. Now when you enable Brute Force Protection this feature includes protection from XML-RPC attacks.

Make sure your websites are protected!

Edit (16th October 2015): iThemes Security v5.1.0 and iThemes Security Pro v2.0.0 protect against the XML-RPC Brute Force Amplification Attacks.

New Feature: Added “Multiple Authentication Attempts per XML-RPC Request” setting to the WordPress Tweaks section. When this setting is set to “Block”, iThemes Security will block brute force login attacks against XML-RPC.

Edit (15th October 2015): If you have Jetpack installed, the Protect Module also stops XML-RPC attacks.
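The protection the vendors describe above comes down to one server-side check: refuse a single XML-RPC request that bundles several login attempts, before WordPress ever verifies a password. The following is an added example, not code from this post or from Sucuri, Wordfence, iThemes or Jetpack. It assumes WordPress’s XML-RPC conventions (a system.multicall carrying an array of nested calls, and methods under the wp., blogger., metaWeblog. and mt. namespaces taking username/password parameters) and treats every such nested call as one login attempt. The names count_auth_attempts, should_block, build_multicall and MAX_BODY_BYTES are mine, and build_multicall only produces constructed test input with placeholder credentials.

```python
"""Count login attempts bundled into one WordPress XML-RPC request.

Added example, not code from the page or from any plugin it names. It models
the "Multiple Authentication Attempts per XML-RPC Request: Block" idea: a
single system.multicall that carries more than one credential-taking call is
refused before WordPress ever checks a password.
"""
import xml.etree.ElementTree as ET

# Assumption: every method under these WordPress XML-RPC namespaces takes a
# username/password pair, so each such call counts as one login attempt.
CREDENTIAL_METHOD_PREFIXES = ("wp.", "blogger.", "metaWeblog.", "mt.")
# Cap the parsed body size so the detector itself cannot be fed a huge document.
MAX_BODY_BYTES = 64 * 1024


def is_credential_method(name):
    return name.startswith(CREDENTIAL_METHOD_PREFIXES)


def _member_value(struct, key):
    """Return the <value> element of the struct member named `key`, or None."""
    for member in struct.findall("member"):
        if (member.findtext("name") or "").strip() == key:
            return member.find("value")
    return None


def _string_of(value):
    """Text of a <value>, written either as <value><string>x</string></value>
    or in the XML-RPC shorthand <value>x</value>."""
    if value is None:
        return ""
    return (value.findtext("string") or value.text or "").strip()


def count_auth_attempts(body):
    """Return (top-level method name, number of credential-taking calls).

    Malformed XML is reported as one attempt against "<malformed>" so the
    caller can still rate-limit it instead of silently letting it through.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("<malformed>", 1)
    if root.tag != "methodCall":
        return (root.tag, 0)
    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        return (method, 1 if is_credential_method(method) else 0)
    # system.multicall has one param: an array of structs, each describing
    # a nested call through its methodName and params members.
    data = root.find("params/param/value/array/data")
    if data is None:
        return (method, 0)
    attempts = 0
    for value in data.findall("value"):
        struct = value.find("struct")
        if struct is None:
            continue
        if is_credential_method(_string_of(_member_value(struct, "methodName"))):
            attempts += 1
    return (method, attempts)


def should_block(body, max_attempts=1):
    """True when the request exceeds the size cap or packs more than
    `max_attempts` login attempts into a single XML-RPC call."""
    raw = body.encode("utf-8") if isinstance(body, str) else body
    if len(raw) > MAX_BODY_BYTES:
        return True
    _, attempts = count_auth_attempts(body)
    return attempts > max_attempts


def build_multicall(method_names):
    """Construct a system.multicall body with placeholder credentials for
    each listed method (test input only; no real site or account involved)."""
    root = ET.Element("methodCall")
    ET.SubElement(root, "methodName").text = "system.multicall"
    params = ET.SubElement(root, "params")
    data = ET.SubElement(ET.SubElement(ET.SubElement(
        ET.SubElement(params, "param"), "value"), "array"), "data")
    for i, name in enumerate(method_names):
        struct = ET.SubElement(ET.SubElement(data, "value"), "struct")
        name_member = ET.SubElement(struct, "member")
        ET.SubElement(name_member, "name").text = "methodName"
        ET.SubElement(ET.SubElement(name_member, "value"), "string").text = name
        params_member = ET.SubElement(struct, "member")
        ET.SubElement(params_member, "name").text = "params"
        args = ET.SubElement(ET.SubElement(ET.SubElement(
            params_member, "value"), "array"), "data")
        for arg in ("placeholder-user", "placeholder-pass-%d" % i):
            ET.SubElement(ET.SubElement(args, "value"), "string").text = arg
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    bundled = build_multicall(["wp.getUsersBlogs"] * 3)
    print(count_auth_attempts(bundled), "-> block:", should_block(bundled))
```

The default of one attempt per request matches the “Block” behaviour quoted above; a site that legitimately relies on multicall for its own tooling can raise max_attempts rather than disable the check. Run as a WordPress filter, a plugin would apply the same logic in PHP against the raw POST body; here it is kept in Python so it can be exercised offline against constructed input.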

I’ve been using BlockBadQueries on all my WordPress websites for quite some time now. And I just realized BlockBadQueries Pro was released in June. The Pro version offers finer-grained customization options than the free version, though if you just want to set-and-forget I suggest sticking with the free version.

BlockBadQueries is based on the 5G Blacklist 2013 and the 6G Beta. So if you’re comfortable with Apache directives and regular expressions, you could certainly copy the rules into your .htaccess file and customize them for free.

According to iThemes, version 4.8.0 of the iThemes Security WordPress plugin removed the malware scanning feature that relied on VirusTotal. It’s not iThemes’ fault; VirusTotal discontinued the service to all WordPress plugins. Well, darn.

iThemes suggests using VirusTotal’s URL scanner or Sucuri’s SiteCheck, both of which require you to scan each website manually. Sucuri also offers automated server-side scanning as part of their paid plans.

One other option that wasn’t mentioned by iThemes is the Sucuri Security WordPress Plugin, which allows you to initiate a scan from your WordPress admin. The scan needs to be initiated manually though.

Over the past few months I’ve been using a lot of what I call Page Builders, WordPress plugins that come with a set of modules which you drag-and-drop into a grid-based layout. I haven’t used, nor could I possibly use, all the available Page Builder plugins but here is what I have played around with:

Of course, there are a lot more Page Builders than these. You also have Visual Composer, Startup Framework, Qards… the list goes on.

I am not going to be reviewing the Page Builders I have used. Rather I want to share my thoughts on them after having gained some experience using them.


After the recent security hole in Yoast SEO we now find an SQL Injection vulnerability in the popular WooCommerce plugin. Update now.

It goes without saying, but if you are using the ever popular WordPress SEO by Yoast (and why wouldn’t you be? It’s an amazing SEO plugin for WordPress) then you need to update to version 1.7.4 immediately. A security vulnerability was discovered in the plugin which would allow bad things to happen.

Source: iThemes.

I’m not sure if this is a brand-spanking new feature or if I just missed it but using JetPack you can now update WordPress Plugins across all your websites through your WordPress.com My Sites Dashboard. What’s even more interesting is that you can set plugins to auto-update.

Auto-update Plugins using JetPack

Right now this feature is limited only to Plugins — no updating Themes or the base WordPress installation. WordPress core already auto-updates (unless disabled), so I doubt this will ever be offered. I wonder if we’ll eventually see the option of updating Themes through WordPress.com.

There are already a few services out there that’ll help you manage all your WordPress websites. Here are a few that I know of in alphabetical order:

More information can be found on the Site Management support page. And be sure to turn on the JSON API.

I can’t change anything when I try to manage my sites on WordPress.com.
You need to enable site management on your Jetpack-connected site from the dashboard by either opting in as mentioned above, or by enabling it under the JSON API settings in Jetpack → Settings → JSON API → Configure and checking the box for the “Allow remote management of themes, plugins, and WordPress via the JSON API” option and saving your changes.

BackupBuddy by iThemes is a wonderfully simple solution for WordPress backup and migration. That is, when it works. On a hunch I decided to check my website backups and discovered that while database backups were fine BackupBuddy was failing to create full website backups. Even worse, emails that were supposed to notify me of the errors were not being delivered.

Yeah, that’s not good.

Now before you jump the gun and completely write off iThemes, the TL;DR of this post is that there was nothing wrong with BackupBuddy; Acunetix WP Security had added an unreadable file to prevent directory listing. After adjusting some settings I got everything to work again.

If BackupBuddy is failing to create full website backups, check if unreadable files have been added to the file hierarchy. Take particular note of security plugins (e.g. from Acunetix & Sucuri).
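The check suggested above (look for unreadable files in the tree before blaming the backup plugin) can be scripted. The following is an added example, not code from BackupBuddy, Acunetix or Sucuri. It inspects permission bits rather than asking the OS whether the current user can read each file, so it gives the same answer run as root as it would for the web server account; the names unreadable_entries and make_demo_tree are mine, and make_demo_tree only builds a constructed miniature WordPress layout with a chmod 000 marker file standing in for whatever a security plugin might drop.

```python
"""Report files and directories under a WordPress tree whose permission bits
deny reading, the kind of obstacle that can stop a full-site backup.

Added example, not code from BackupBuddy, Acunetix or Sucuri. It inspects mode
bits rather than os.access(), so the answer is the same whether you run it as
root or as the web server user. A file readable by its owner but owned by a
different account than the backup process is a separate problem not covered.
"""
import os
import stat
import tempfile


def unreadable_entries(root_dir):
    """Return sorted (relative path, reason) pairs for regular files with no
    owner-read bit and for directories the owner cannot both read and enter
    (a directory like that hides everything beneath it from a backup)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root_dir)
            try:
                mode = os.lstat(full).st_mode
            except OSError as exc:
                findings.append((rel, "stat failed: %s" % exc.strerror))
                continue
            if stat.S_ISLNK(mode):
                continue  # the link target is checked where it actually lives
            if stat.S_ISDIR(mode):
                if not (mode & stat.S_IRUSR and mode & stat.S_IXUSR):
                    findings.append((rel, "directory not readable/traversable by owner"))
            elif stat.S_ISREG(mode) and not mode & stat.S_IRUSR:
                findings.append((rel, "file not readable by owner"))
    return sorted(findings)


def make_demo_tree():
    """Build a constructed miniature WordPress layout in a temp directory:
    a normal wp-config.php plus one chmod 000 marker file under uploads,
    standing in for the unreadable file a security plugin might add.
    Returns the tree's root path."""
    root_dir = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root_dir, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root_dir, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed placeholder, not a real config\n")
    os.chmod(os.path.join(root_dir, "wp-config.php"), 0o644)
    marker = os.path.join(uploads, "unreadable-marker.txt")
    with open(marker, "w") as fh:
        fh.write("constructed marker file\n")
    os.chmod(marker, 0o000)
    return root_dir


if __name__ == "__main__":
    # Point this at a real document root instead of the demo tree to audit it.
    for rel, reason in unreadable_entries(make_demo_tree()):
        print("%-45s %s" % (rel, reason))
```

Run it against the site’s document root and anything it lists is a candidate for why a full backup stops short; whether to loosen the file’s mode or exclude its directory from the backup is then a deliberate choice rather than a guess.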


iThemes recently held a free two-part webinar discussing WordPress Security. The first video takes an introductory-level approach but I still grabbed a couple of good tips from it.

The second video talks about the company’s iThemes Security Plugin and also hosts a Q&A session with Chris Wiegman, the developer of iThemes Security, as well as Tony Perez, CEO of Sucuri. Unfortunately the sound was non-existent during Chris’s portion so you might want to skip that section until it’s fixed.

I found Tony’s section particularly interesting as he talks about higher-level approaches to security. He also touches on the widespread belief that using a shared host is less secure because you run the risk of other websites on that host being infected or hacked. The tl;dr is that this does not happen much today with reputable web hosts (Tony specifically mentions BlueHost, HostGator and GoDaddy as being OK).

Here’s that portion of the video:

Today I learned that there is a Malay translation of WordPress… version 2.9.2. Last updated on 24 November 2011.

Let’s just stick with the official releases, yeah?