WordPress Knowledge Base

Security

Hardening WordPress Security

WordPress is open source software, and hackers sometimes use security exploits to compromise your site. Therefore, we have created a few video tutorials to help you strengthen your WordPress security.

BulletProof Security Plugin

The first video is about configuring the BulletProof Security plugin. This plugin is extremely important for protecting your website from brute force attacks!

In particular, we also demonstrate how to whitelist IP address(es) so that only people using the registered IP address(es) can access the admin dashboard of your WordPress website. This can greatly reduce the chances of brute force attacks. To do so, you will need to insert some simple code (taken from the WordPress Codex). Below is the code you need:

<Files wp-login.php>
# Block access to the login page (wp-login.php) from every address...
order deny,allow
deny from all
# ...then allow only the whitelisted IP address
allow from 111.222.333.444
</Files>

Please note that 111.222.333.444 is a placeholder for your IP address. You will need to replace it with your own IP address when you customize your BulletProof settings.

After watching the first video, you will know where to put the above code and how to whitelist IP addresses for accessing your admin panel.
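As an added example that is not part of the original article, the following POSIX shell script generates the <Files wp-login.php> block above from one or more IPv4 addresses and refuses anything that is not a real dotted-quad, so the 111.222.333.444 placeholder (octets above 255) can never be pasted into a live .htaccess. It assumes the Apache 2.2 “order/deny/allow” syntax shown in the article; the second function emits the equivalent “Require ip” form for Apache 2.4 hosts that do not load mod_access_compat.

```shell
#!/bin/sh
# Added example (not from the original article): build the wp-login.php
# allowlist block from validated IPv4 addresses.

# is_ipv4 ADDR -> exit 0 only for four dotted decimal octets, each 0-255.
is_ipv4() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # junk chars, leading/trailing/double dots
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                                # split into octets (function-local $@)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # 333 and 444 from the placeholder fail here: an octet is at most 255.
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# check_addrs ADDR... -> validate every argument, reporting the first bad one.
check_addrs() {
    [ $# -ge 1 ] || { echo "at least one IP address is required" >&2; return 1; }
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done
}

# wp_login_allowlist ADDR... -> Apache 2.2 block, one "allow from" per address.
wp_login_allowlist() {
    check_addrs "$@" || return 1
    echo "<Files wp-login.php>"
    echo "# Deny everyone, then allow only the listed addresses."
    echo "order deny,allow"
    echo "deny from all"
    for addr in "$@"; do
        echo "allow from $addr"
    done
    echo "</Files>"
}

# wp_login_allowlist_24 ADDR... -> the same policy in Apache 2.4 syntax.
wp_login_allowlist_24() {
    check_addrs "$@" || return 1
    echo "<Files wp-login.php>"
    echo "    Require ip $*"
    echo "</Files>"
}

# Usage (assumed addresses from the documentation range):
#   wp_login_allowlist 203.0.113.7 198.51.100.3 >> .htaccess
```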

Sucuri Security SiteCheck Malware Scanner

The second video tutorial is about Sucuri Security plugin.

Sucuri Security SiteCheck Malware Scanner checks your WordPress site for malware, spam, blacklisting and other security issues such as .htaccess redirects, hidden eval code, etc.

Captcha Plugin

The third video tutorial is about a captcha plugin.

This plugin significantly reduces the chances of spammers attacking your website by asking a math question when a request is submitted to your website (e.g. visitors are asked “what’s the answer to 2+3?” when leaving a comment). The plugin works on the comment section as well as the login page.


3 WordPress Plugins to Protect your Website against Malicious Codes

  • WordPress Exploit Scanner – this plugin searches through your website’s files and database tables and notifies you of any suspicious code. It also examines your active plugins for unusual filenames.
  • TAC (Theme Authenticity Checker) – this plugin searches the source files of the themes installed on your blog for signs of malicious code.
  • WordPress AntiVirus – this plugin scans your theme directory for a WordPress permalink back door, a particularly nasty piece of malware.


10 ways to speed up WordPress load times

The reason you chose WordPress to build your website is that it is easy to use and you do not need any HTML background to create your website. So, once your website is complete, you work very hard to create more posts and content every day. Your website traffic picks up and starts to grow. To enhance your readers’ browsing experience, you start using more WordPress plugins so that your website can have a few extra features (e.g. social media share buttons, language translators, etc.). However, you start to realize that the more plugins you add and posts you make, the longer your website takes to load. What should you do now?

Nobody likes slow websites. Nobody wants to wait around for a website to load. Your (potential) readers will leave your website if it has not loaded within 10 seconds, which means it is very important to optimize the load time of your WordPress website. Therefore, we have prepared a list of 10 easy tips to speed up your website.

1. Caching Plugin

A caching plugin helps your website improve its load speed because it caches every aspect of your website, which significantly reduces download time. Among the different caching plugins available, we recommend W3 Total Cache because it is very simple to use (and it’s FREE)!

2. Optimizing Images

Image files are much larger than text files. If your website is image-heavy, it will take much longer to load. There is a free plugin called WP-SmushIt which can automatically reduce the file sizes of your images without reducing their quality. Definitely check this out!

3. Another Image-related plugin: LazyLoad

This plugin not only speeds up your website’s load time but also lowers your bandwidth use by loading less data for viewers who do not scroll down your page. For example, if your page is vertically long and requires readers to scroll down to view all of it, with LazyLoad the images lower down the page will NOT load until your readers scroll down to them.

4. Optimizing databases

There are three plugins that we would like to recommend for optimizing your WordPress database. The first one is WP-Optimize. This plugin, as the name suggests, optimizes your database by reducing the overhead from spam, drafts, tables, etc. Second, you can also consider installing WP-DBManager to schedule database optimization.

Last, Revision Control is another great tool that can help you optimize your database. This plugin lets you set the number of revisions kept for each post. By default, WordPress stores all of your drafts indefinitely. With this powerful plugin installed, your database will be very lightweight compared to sites without it.

5. Removing unused plugins

The title says it all. If there are plugins that you do not use, simply delete them. Give it a try! Your site will load faster for sure!

6. Optimizing your home page

Your home page is the page that most needs a quick load time, because it is where your readers normally enter first. Here are a few tips to optimize your home page:

  • Show excerpts of your posts.
  • Set a lower number of posts displayed on your home page (we recommend 5 posts).
  • Set the social media share plugins to display only on the actual post page instead of the home page.

Remember the key: less is MORE!!

7. Enabling hotlink protection

Hotlinking happens when external websites link directly to the images on your website, increasing your server load. In cPanel, there is a function called “HotLink Protection”. Once you enable it, you eliminate this form of “bandwidth theft”.

8. cPanel “Optimize Website” Feature

Another great feature of cPanel! Under “Software/Services” in cPanel there is a feature called “Optimize Website”. When you enable it, cPanel tweaks the way Apache handles requests and compresses content before sending it to the visitor’s browser.

9. Making use of Google PageSpeed Insights

PageSpeed Insights, developed by Google, is a tool that analyzes the content of a web page and provides suggestions to make that page load faster. Check out their official page for full details.

10. Good web hosting service company

A good web host can provide not only stable uptime and connectivity but also professional solutions and support when needed. At Doteasy, our in-house Customer Support agents are resourceful web technicians and experts. We can provide speedy solutions for WordPress and other website builder programs. It’s our goal to keep our customers up to date with the latest web hosting trends through our blog, our Scripts Library, and our how-to video tutorials on our YouTube channel.

Recently we launched our new state-of-the-art Solid State Drive (SSD) Hosting Service. This brand new hosting service uses web servers fitted with SSDs rather than conventional hard disk drives. Typically, SSDs perform 30 times faster than HDDs, so users can expect this hosting service to be much more responsive than traditional hosting services that run on HDDs. Database-driven websites such as WordPress and eCommerce websites can all benefit from an SSD Hosting plan. To learn more about our SSD Hosting plan, check out our feature page.

Lack of time to complete all these tips?

It takes a great deal of time to secure a website and keep its load time short. We strongly recommend that our customers perform all of the above tips on their own. But we understand that many of you do not have the time to do these tasks on your website. In this case, we suggest our Managed Hosting plan, which is an ideal solution for customers who need some extra help maintaining their websites. Our Managed Hosting plan includes automated website backup as well as import, export, and optimization of your MySQL databases. To learn more, check out our Managed Hosting service feature page.


WordPress Security 101

WordPress is open source software, and hackers sometimes use security exploits to compromise your site. Here are some things you can do to better protect your site.

1. Always be up to date and use the latest version of WordPress. Older versions of WordPress are not maintained with security updates.

2. Make sure your plugins and themes are always up to date. Also, if you are not using a specific plugin or theme, delete it from the system.

3. Use an admin ID other than ‘admin’ in new WordPress installations. If you are already using ‘admin’ as your admin ID, you can create a new one and remove the old ‘admin’ ID. To set up a new admin and remove the old one:

a) Go to the WordPress admin panel.

b) Click on “Users” to add a new user, and set its role to Administrator.

c) Remove the ‘admin’ user after the new user is created. Check out this short video to see the steps for removing the existing “admin” ID.

4. Many vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.

5. Make backups of your site and database on a regular basis.

For the more advanced users, we also suggest the following changes:

i. File permissions: Allowing write access to your files can be dangerous. It is best to lock down your file permissions as much as possible and loosen those restrictions only when needed.

  • Folders: 755
  • PHP, HTML and other files: 644
  • wp-config.php: 600
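As an added example that is not part of the original article, the following POSIX shell script audits a WordPress directory against the modes listed above (folders 755, files 644, wp-config.php 600), reports every entry that deviates, and can apply the recommended modes. It assumes the site root is passed as the first argument and that wp-config.php sits somewhere under it.

```shell
#!/bin/sh
# Added example (not from the original article): audit and apply the
# recommended WordPress file modes using only POSIX find and chmod.

# wp_perm_audit DIR -> prints one "expected-mode path" line per offender and
# returns 0 when everything matches, 1 otherwise.
wp_perm_audit() {
    dir=${1:?site root required}
    offenders=$( {
        # Every directory should be 755.
        find "$dir" -type d ! -perm 755 -exec printf '755 %s\n' {} \;
        # Every regular file except wp-config.php should be 644.
        find "$dir" -type f ! -name wp-config.php ! -perm 644 -exec printf '644 %s\n' {} \;
        # wp-config.php holds the database credentials and should be 600.
        find "$dir" -type f -name wp-config.php ! -perm 600 -exec printf '600 %s\n' {} \;
    } )
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# wp_perm_count DIR -> number of offending entries (0 when clean).
wp_perm_count() {
    wp_perm_audit "$1" | grep -c . || :
}

# wp_perm_apply DIR -> set the recommended modes on the whole tree.
wp_perm_apply() {
    dir=${1:?site root required}
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$dir" -type f -name wp-config.php -exec chmod 600 {} +
}

# Usage (assumed path):
#   wp_perm_audit /home/example/public_html || wp_perm_apply /home/example/public_html
```

Run the audit on its own first: a plugin that legitimately needs a writable upload or cache directory will show up in the report, and that is the place to loosen a single directory deliberately rather than the whole tree.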

ii. Secure the wp-admin folder: this can be done through password protection in cPanel.

https://kb.doteasy.com/questions/435/How+to+password+protect+a+directory

iii. Disable file editing: by default, the WordPress Dashboard allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use, since it allows code execution. You can disable editing from the Dashboard. Placing this line in the wp-config.php file is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities for all users:

define('DISALLOW_FILE_EDIT', true);

This will not prevent an attacker from uploading malicious files to your site, but it will stop some attacks.

You can download the wp-config.php file through FTP, use a text editor to add the line to the very bottom of the file, save it, and then upload it back to the server. Make sure you set the permissions of the file to 600 after the upload.
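As an added example that is not part of the original article, this POSIX shell script inserts the define into a wp-config.php and then checks that it will actually be honoured: WordPress loads its core through the require_once of wp-settings.php near the end of wp-config.php, so a define placed after that line is silently ignored, and the script puts it immediately before the require instead. It assumes the path to the config file is passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original article): add DISALLOW_FILE_EDIT to a
# wp-config.php so that it takes effect, and verify the result.

DEFINE_LINE="define('DISALLOW_FILE_EDIT', true);"

# wp_file_edit_disabled FILE -> 0 if the define is present and precedes the
# wp-settings.php require (so WordPress will see it), 1 otherwise.
wp_file_edit_disabled() {
    file=$1
    def=$(grep -n "^[[:space:]]*define( *['\"]DISALLOW_FILE_EDIT['\"] *, *true" "$file" \
          | head -n 1 | cut -d: -f1)
    req=$(grep -n "wp-settings\.php" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$def" ] || return 1
    # No require line at all (unusual) counts as fine; otherwise order matters.
    [ -z "$req" ] || [ "$def" -lt "$req" ]
}

# wp_disable_file_edit FILE -> drop any stale copies of the define, insert it
# before the first wp-settings.php require (or append it when there is none),
# lock the file to mode 600 as the article recommends, and re-check.
wp_disable_file_edit() {
    file=$1
    wp_file_edit_disabled "$file" && return 0
    tmp="$file.tmp.$$"
    awk -v line="$DEFINE_LINE" '
        /^[[:space:]]*define/ && /DISALLOW_FILE_EDIT/ { next }   # remove old copies
        !done && /wp-settings\.php/ { print line; done = 1 }     # insert before require
        { print }
        END { if (!done) print line }                            # fallback: append
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
    chmod 600 "$file"
    wp_file_edit_disabled "$file"
}

# Usage (assumed path):
#   wp_disable_file_edit /home/example/public_html/wp-config.php
```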

If you have any problems making any of our suggested changes, please do not hesitate to contact our Customer Support Team.

http://www.doteasy.com/support/


7 Common WordPress Mistakes (Solutions Provided)

We all make mistakes. But, learning from our mistakes makes the lesson meaningful.

Below are 7 common mistakes that WordPress users often make. By outlining them, we hope this list can help prevent other WordPress users from running into the same problems in the future.

1. All about “username”

There are mainly two common mistakes in this category; let’s go over each of them in detail. The first one we see is clients using “admin” as their username. Recently, WordPress sites were attacked by a massive botnet of tens of thousands of computers, and the attack mainly targeted websites with “admin” as the username. “Admin” is the most common username people choose. It makes sense for hackers to attack websites with “easy-to-guess” usernames first.

Solution: don’t use “admin” as your username when you install WordPress. If you have already used it, check out this article to see how you can change the WordPress username (by default, WordPress does not allow users to change their usernames).

Also, you have the option of entering your first name and last name when creating your WordPress account. If you enter a name for your account, your posts will no longer display your username as the author. Instead, they will display your first and last name (note: you are NOT required to enter a GENUINE first and last name!). Keeping your username different from your “display name” decreases the chances of hackers guessing your login name.

Another common mistake regarding WordPress usernames is keeping unused user accounts. For example, if you hire a contract webmaster to take care of your WordPress website, you should always remove the account once the service ends. Remember, the more user accounts you have on your site, the greater the chance that hackers can gain access to your website.

Solution: if you don’t need an account, delete it right away.

2. All about “password”

Did you know that the most common passwords are actually “password”, “123456”, and “12345678”? Compiled by a password management company, these results were gathered from data that hackers had previously posted online.

So, imagine you have the username “admin” with the password “password”: how hard would it be for hackers to break into your website?

Solution: create a stronger password (e.g. one containing at least a letter, a number, and a symbol). Also, update the password regularly!

3. Never backing up your website

Myth: “Why should I back up my own site? Doesn’t my web hosting service provider backup my website anyways?”

Answer: yes, we do back up your website, but the backups are mainly for our own benefit. All the backup files we make (e.g. for one particular server) are bundled together. Also, our backups may not run at the moment you make changes to your website, so chances are they will not include your latest changes.

Solution: Log in to cPanel and do a full backup of your website regularly. If you don’t know how, read this blog post.

4. Too many categories

The architecture and planning of a website greatly affect its SEO performance. Moreover, having excessive categories will slow down your website’s load time.

Solution: one of the greatest features of WordPress is the ability to use “tags”. Tags are very similar to categories and help WordPress owners group posts based on keywords they set manually. So, try to limit the use of categories and make use of tags to group posts.

5. Ignoring WordPress and plugin updates

WordPress regularly releases updates for security reasons. If you ignore them, you can probably guess the consequences, right? The same goes for plugins. Remember: there are reasons why plugin developers release updates. So when you see the update notice, click it immediately!

Solution: besides regularly logging in to your WordPress Dashboard to see if any updates are available, you may consider using Softaculous to install WordPress. The benefit of using Softaculous is that it sends users email notifications when new updates are released for the installed scripts. For full details, check out the article in our Scripts Library.

6. All about plugins

Speaking of plugins, one of the most common mistakes a WordPress user makes is missing out on the great features of certain plugins. For example, you have a photo-heavy WordPress website and often experience slow load times, but never have the time to investigate the reason. In fact, your high-quality images are slowing down the website. To solve this, you can simply install a caching plugin as well as other tools that reduce the file sizes of your images while keeping their quality. To learn more about how these plugins improve the load time of your WordPress website, check out this article.

While many WordPress users miss out on the great features of plugins, other WordPress users keep unused plugin files on their website. Remember: the more files you have on your website, the longer it takes to load. It makes sense to keep files on your website if you are actively using them. But for those not in use, why not remove the unnecessary plugins and enjoy a faster website?

7. Unfriendly Permalink Structure

By default, WordPress uses this permalink setting:

/?p=123

If you see a blog post with this URL (e.g. YourWordPressBlog.com/?p=123), can you guess what the post is about? If you can’t tell, your readers (including search engine robots) will have the same problem.

Solution: log in to your WordPress Dashboard. Go to “Settings” and click “Permalinks”. There are 6 settings to choose from; pick the one that fits your needs best.

We hope this article gives you an opportunity to review some of the settings on your WordPress website as well as rectify any mistakes. If you need help solving a problem, our Customer Support Team is happy to assist you. Simply contact us via live chat, telephone, or the customer support ticket system.


Increasing WordPress Security

Recently, WordPress sites were attacked by a massive botnet of tens of thousands of computers. The attack mainly targeted WordPress websites with “admin” as the username and tried numerous possible passwords.

If you are planning to install WordPress on your website, please make sure you DO NOT set the username to “admin”. This will greatly reduce the chances of being compromised. Here are a few extra tips for increasing your WordPress security:

  • Always keep your WordPress version and plugins up to date!
  • Remove unused plugins
  • Avoid usernames containing words from your domain name
  • Create a stronger password (e.g. one that contains at least a number, a letter, and a symbol)
  • Update your username and password regularly
  • Check out our WordPress Security 101 article

By default, WordPress does not allow users to change a username once it is created. So the question is:

What can I do if I’ve already set ‘admin’ as my username? Is there any way I can change it?

Please watch this short video to see how quick and easy it is to change the username in WordPress by an alternative route.

If you have trouble updating your username in WordPress, please contact us; our Customer Support Team is happy to assist you. Also, share this article on your Facebook, Twitter, and Google+ accounts to help spread this useful tip. A recent study shows that there are approximately 64 million WordPress websites (18% of all websites) in the world. By sharing this tip, you are helping to create a more secure internet!


Update Your WordPress MailPoet Plugin ASAP to Avoid Security Vulnerabilities

Sucuri, an online firm that offers website scanning, monitoring, and malware removal services, has recently found a serious security vulnerability in the MailPoet WordPress plugin. This plugin helps users create newsletters, post notifications and auto-responders and has a record of over 1.7 million downloads, so the impact across the internet is HUGE. The good news is that this vulnerability has been patched. If you run your WordPress website with this plugin, please update the plugin to version 2.6.7 ASAP.

What Exactly is the Problem?

The bug allows any PHP file to be uploaded. This means the vulnerability can allow an attacker to use your website for phishing lures, sending SPAM, hosting malware, and much more. You can read the details of this security bug in the Sucuri blog article.

Once again, update the plugin ASAP. In fact, you should always keep your WordPress version and all plugins up to date in order to keep your sites secure.


Update the WPTouch Plugin Immediately to Avoid Security Vulnerability

The online website scanning firm Sucuri has recently discovered a very dangerous vulnerability in the WPTouch plugin for WordPress. This vulnerability allows attackers to upload files remotely to WordPress websites running versions of this plugin prior to 3.4.3. The WPTouch plugin has a record of over 5 million downloads. If your WordPress site is running this plugin, please make sure to update it immediately.

What Exactly is the Problem?

If your website has the “Guest Registration Allowed” feature enabled, a logged-in attacker can upload a backdoor (remote shell) into your website’s directories and potentially take over your website. You can read the details of this security bug in the Sucuri blog article.

Once again, update the plugin ASAP. In fact, you should always keep your WordPress version and all plugins up to date in order to keep your sites secure.


Update your Custom Contact Forms Plugin Immediately to Avoid Security Vulnerabilities

Sucuri, an online firm that offers website scanning, monitoring, and malware removal services, has recently found a serious security vulnerability in the Custom Contact Forms plugin. This plugin enables users to create customizable contact forms on their WordPress websites and has a record of over 600,000 downloads, so the impact across the internet is pretty huge. The good news is that this vulnerability has been patched. If you run your WordPress website with this plugin, please update the plugin to version 5.1.0.4 ASAP.

What Exactly is the Problem?

The bug allows attackers to take control of the affected website without setting up an account beforehand. You can read the details of this security bug in the Sucuri blog article.

Once again, update the plugin ASAP. In fact, you should always keep your WordPress version and all plugins up to date in order to keep your sites secure.


Update the Slider Revolution Premium plugin to Avoid Security Vulnerability

The Slider Revolution Premium plugin, one of the most downloaded slider plugins on the WordPress plugin marketplace Code Canyon, has been reported to have a serious vulnerability. It is a Local File Inclusion (LFI) vulnerability, which allows an attacker to access, read, and download local files on the server. In particular, the attacker can download any file from the server and steal the database credentials, and consequently compromise the website through the database. You can read more about this vulnerability on this page.

Update the plugin ASAP if you are currently using it on your WordPress website. In fact, you should always keep your WordPress version and all plugins up to date in order to keep your sites secure. And of course, perform a full site backup before you do any updates.


Update the WP eCommerce WordPress Plugin to Avoid Security Vulnerability

The WP eCommerce WordPress plugin, with a record of over 2.9 million downloads, has recently been reported to have a serious vulnerability. The vulnerability can lead to leakage of users’ information. If you have installed this plugin on your WordPress website, please update it to version 3.8.14.4, and make sure you perform a full site backup before updating the plugin.

What Exactly is the Problem?

Malicious attackers could use this vulnerability to access and modify private information on a site that uses this plugin. For example, the vulnerability allows an attacker to export the user names and other confidential information of everyone who has previously made a purchase through the plugin. Furthermore, the attacker could also run administrative tasks without being authenticated as the administrator of the affected website. To learn more about this vulnerability, click this link to visit Sucuri, the online firm that offers website scanning, monitoring, and malware removal services.


Update the WP-Statistics WordPress Plugin to Avoid Security Vulnerability

The WP-Statistics WordPress plugin is a comprehensive visitor statistics plugin for WordPress. Recently a vulnerability has been found in all versions 8.3 and lower.

Quote Sucuri:
“An attacker can use Stored Cross Site Scripting (XSS) and Reflected XSS attack vectors to force a victim’s browser to perform administrative actions on its behalf. Leveraging this vulnerability, one could create new administrator account[s], insert SEO spam in legitimate blog posts, and a number of other actions within the WordPress’s admin panel.”

If you are using version 8.3 or lower, please upgrade immediately to version 8.3.1 or higher. For further details on the issue, please visit this page.

As always, keeping your WordPress and plugins updated is vital. So is having a complete backup of your site. For a worry-free backup service starting at $1.50/mo, Doteasy Auto Site Backup is a great deal for a great service.


Update the InfiniteWP Client WordPress plugin to Avoid Security Vulnerability

InfiniteWP allows users to manage an unlimited number of WordPress sites from their own server. Recently a vulnerability has been found in earlier versions of this plugin.

Quote Sucuri:
“While doing a routine audit of our Website Firewall product, we discovered a vulnerability in the plugin that could be used by a malicious individual to 1) disable a user’s web site by putting it in maintenance mode and 2) allows the user to control the content of the maintenance page.”

If you are using a version lower than 1.3.8, please upgrade immediately to version 1.3.8 or higher. For further details on the issue, please visit this page.

As always, keeping your WordPress and plugins updated is vital. So is having a complete backup of your site. For a worry-free backup service starting at $1.50/mo, Doteasy Auto Site Backup is a great deal for a great service.


Update the WordPress Download Manager plugin to Avoid Security Vulnerability

The popular WP Download Manager plugin, with a record of over 850,000 downloads, helps users manage, track, and control file downloads from their WordPress website. A vulnerability has recently been reported in earlier versions of this plugin.

A WordPress site running a vulnerable version of this plugin is susceptible to code execution. With this vulnerability, an attacker may inject a backdoor and change important credentials, including admin accounts. For full details, please visit this article published by Sucuri.

If you use the WP Download Manager plugin, please update it to version 2.7.5 ASAP. Don’t forget to perform a full site backup before updating the plugin.


Have You Done This Yet? Steps to Take After Installing WordPress: Part 1

Congratulations, you’ve successfully installed WordPress! But what to do now? Not to fear! We’ve devised a list of the top 10 essential steps to take next. Let’s dive right in.

1) Modify the Title, Tagline and Time Zone

This is the first step to making your site a little more personal. In your WordPress Admin Dashboard, go to Settings -> General. You can change the time zone in the General Settings area as well. Be sure to save when you make a change!


2) Customize the Permalink Structure

In Settings, select Permalinks and choose a new structure. We recommend the “Post Name” option. Again, don’t forget to save! This will make your site more Google-friendly.


3) Keep Spam Out

Fight spam comments by installing an anti-spam plugin. We recommend Antispam Bee: it’s free and can be a great first line of defence against spam.

4) Speed Up your Load Time

There are many ways to do this.

  • First, install a caching plugin to reduce download time. A good free one is W3 Total Cache.
  • Optimize your images: look into installing WP-SmushIt to reduce file sizes while maintaining image quality.
  • Install plugins to optimize your databases. WP-Optimize is a great one for cleaning up your database.

A fast-loading site will keep your visitors happy, and we all love happy visitors.

5) Use Social Sharing Plugins

This tip might be an unexpected item on the list, but this step is essential now more than ever. Allow your content to be shared and actually read. Check out the Social Share Button.

Yes, we did promise to give you the top 10 steps to take after installing WordPress! Find the next 5 in Part Two.


Have You Done This Yet? Steps to Take After Installing WordPress: Part 2

After installing WordPress, you may find yourself wondering what you need to do next. This is the second part of our top 10 essential steps to take after installing WordPress. Find Part One here.

6) Arrange the Reading Settings

Want your latest posts to show up on your front page? Customize your page display to make it happen! Just go to the Settings area of your dashboard and choose the Reading settings.


7) Delete Unneeded Themes

If you’ve tried out a few different themes before settling on the one you’ve chosen, be sure to delete the unused ones. This will keep your site safer and lessen the chance of getting hacked. In the menu, find Appearance, then go to Themes. Hover over the theme you want to delete, choose Theme Details, and delete the theme.

8) Beef Up Your Security

There are multiple ways to increase the security of your site. These are just a few ways to do it:

9) Install an SEO WordPress Plugin

You might have some amazing content on your site, but it would all be for naught if your posts never get the chance to be seen. Make your site SEO-friendly and optimize your posts for SEO with a plugin. We recommend the WordPress SEO plugin by Yoast.

10) Back It Up

You definitely don’t want to lose any of your website progress, so be sure to schedule regular backups. Check out this video to learn how to manually back up your site in cPanel. If you don’t have the time to constantly back up your site, Doteasy also offers an automatic site backup service. That’s one less thing to worry about.

So that’s it, 10 essential steps to take after installing WordPress! Do you agree with our list? Let us know what you think.


Update Multiple WordPress Plugins to Avoid Security Vulnerability

A great number of WordPress plugins (including many popular plugins with millions of downloads) have been reported with vulnerability issues due to misuse of the add_query_arg() and remove_query_arg() functions. These plugins include:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All in One SEO Pack
  • Gravity Forms
  • UpdraftPlus
  • WP e-Commerce
  • WP Touch
  • Download Monitor
  • Related Posts for WordPress
  • My Calendar
  • P3 Profiler
  • Give
  • Broken Link Checker
  • Ninja Forms

As the problematic functions are very popular (developers use them to modify and add query strings to URLs within WordPress websites), there is a good chance that other affected plugins are not listed above. We strongly recommend that all WordPress users perform a full site backup and update their plugins ASAP. To learn more about the vulnerability, please visit this blog article from Sucuri, the online website scanning firm.


Update Your WooCommerce Plugin to Avoid Object Injection Vulnerability

A dangerous “Object Injection” vulnerability has been discovered in the WooCommerce plugin which could allow an attacker to download any file on the vulnerable server. An attacker downloading critical files in this way can cause a full site compromise.

If your WooCommerce “PayPal Identity Token” is set, you are most at risk.

Update Immediately

If you are using a version lower than 2.3.11, update the plugin as soon as possible. Remember to back up your site before updating WordPress and your plugins. For a worry-free backup service, subscribe to Doteasy Auto Site Backup for just $1.50/month. For more information about this vulnerability, please read this article from Sucuri.


Brute Force Attack Prevention Tips

A brute force attack is when a hacker tries many combinations of usernames and passwords until they guess the right one. Because at any one time there may be many concurrent login attempts on your site from malicious automated robots, this also has a negative impact on your website’s load time and performance. Therefore, we highly recommend that WordPress users install this comprehensive plugin, Lockdown WP Admin.

Lockdown WP Admin can hide WordPress Admin (/wp-admin/) when a user isn’t logged in. If a user isn’t logged in and attempts to access WP Admin directly, the WordPress site will return a 404 error page. Users can also rename the login URL. We’ve created this video to walk through the configuration steps for this plugin.
