If someone tries to guess your username and password or tries a brute-force attack they’ll most probably start with username “admin”. This is the default username used by too many sites and should be removed. Create a new user and assign him the “administrator” role. Try not to use usernames like: “root”, “god”, “null” or […]
I have been working with a client (whose site/s I did NOT build) whose WordPress web site has been hacked. Here is the report I just sent him to show him what I have done to secure his site against further hacking attempts. How many of these things have YOU done to ensure your site […]
As with the WordPress core, keeping plugins up to date is one of the most important and easier way to keep your site secure. Since most plugins are free and therefore their code is available to anyone having the latest version will ensure you’re not prone to attacks based on known vulnerabilities. If you downloaded […]
Keeping the WordPress core up to date is one of the most important aspects of keeping your site secure. If vulnerabilities are discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open […]
Displaying any kind of debug info or similar information is extremely bad for WordPress Security. If any PHP errors happen on your site they should be logged in a safe place and not displayed to visitors or potential attackers. Open wp-config.php and place the following code just above the require_once function at the end of […]
Having any kind of debug mode (WP JavaScript debug mode in this case) or error reporting mode enabled on a production server is extremely bad for WordPress Security. Not only will it slow down your site, confuse your visitors with weird messages it will also give the potential attacker valuable information about your system. WordPress […]