5 Responses

  1. Tom Zaker, February 12, 2015 at 18:12

    If you want a free plugin, go with Better WP Security; otherwise choose Hide My WP or Sucuri.

    Hide My WP has an interesting feature called IDS. It blocks dangerous requests and sends all the details to you so you can learn how hackers work!

  2. Robert Abela, February 13, 2015 at 10:11

    Hi Tom,

    Thank you for your comment.

    The plugins you are mentioning mainly cater for one part of security, which is mostly hardening. I am not questioning the plugins’ capabilities, but as the article explains, there is much more that needs to be done in terms of WordPress security.

  3. Des Walford, February 13, 2015 at 10:50

    Hi Robert,
    Thanks for a great article which provokes much thought about WP security. What’s the best way to pen test a WP installation?

  4. Robert Abela, February 15, 2015 at 17:54

    Hi Desmond,

    Thank you for your comment; that is not an easy question.

    I mean, it is like asking an engineer “how do you develop a WordPress plugin?” Unless you have experience in development, one can’t explain to you how to write a plugin, and the same applies to security. Unless you have experience in security it is not easy to explain. Though here are two points which you can use to get started:

    1. Use tools such as WPScan scanner to run a number of black box based scans and see if you can identify some weaknesses.
    2. If the WordPress installation uses custom code do a source code analysis. You can also use automated tools (such as web vulnerability scanners) to scan the custom code.

    Then there are the usual routine checks, such as checking that all plugins, themes and core are up to date, understanding all the plugins and their functionality, and seeing that they are configured correctly and that there are no “defaults” that could lead to a hack, etc.

    I trust the above helps.
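
    A small automation of the “routine checks” in the reply above, added here as an example and not code from the article or from Robert: it parses a wp-config.php and plugin header comments, flags risky defaults (debug output shown to visitors, the dashboard file editor left enabled, the default table prefix, a weak database password, missing authentication salts), and compares installed plugin versions against a latest-version table that stands in for a lookup against the plugin directory. The two sample config files, the plugin headers and the version table are constructed for the example; only the configuration constant names and the plugin header format are WordPress’s own.

```python
"""Routine WordPress hardening checks (added example; sample data is constructed)."""
import re

DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

# Constructed wp-config.php with common risky defaults left in place
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'blog');
define('DB_PASSWORD', 'password');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
"""

# Constructed hardened counterpart (placeholder secrets, not real values)
HARDENED_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'blog_rw');
define('DB_PASSWORD', 'replace-with-long-random-password');
define('AUTH_KEY', 'replace-with-long-random-salt');
$table_prefix = 'blog7_';
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
"""

# Constructed plugin main-file headers keyed by 'slug/main-file.php'
SAMPLE_PLUGINS = {
    "contact-form-7/wp-contact-form-7.php": "<?php\n/*\nPlugin Name: Contact Form 7\nVersion: 4.1\n*/\n",
    "my-custom-plugin/my-custom-plugin.php": "<?php\n/**\n * Plugin Name: My Custom Plugin\n * Version: 0.3\n */\n",
}

# Constructed stand-in for a latest-version lookup against the plugin directory
LATEST_VERSIONS = {"contact-form-7": "4.1.1"}

WEAK_DB_PASSWORDS = {"", "password", "root", "admin", "wordpress"}


def parse_wp_config(text):
    """Return define()'d constants (raw PHP literal text) plus the table prefix."""
    constants = dict(DEFINE_RE.findall(text))
    match = PREFIX_RE.search(text)
    if match:
        constants["table_prefix"] = match.group(1)
    return constants


def php_bool(literal):
    """Interpret a PHP literal as a boolean; only a bare `true` counts as true."""
    return literal.strip().lower() == "true"


def check_wp_config(text):
    """List risky defaults found in wp-config.php text."""
    c = parse_wp_config(text)
    findings = []
    # WP_DEBUG_DISPLAY defaults to true, so WP_DEBUG alone shows PHP errors to visitors
    if php_bool(c.get("WP_DEBUG", "false")) and php_bool(c.get("WP_DEBUG_DISPLAY", "true")):
        findings.append("WP_DEBUG is on and errors are displayed to visitors")
    if not php_bool(c.get("DISALLOW_FILE_EDIT", "false")):
        findings.append("DISALLOW_FILE_EDIT not set: dashboard theme/plugin editor is enabled")
    if c.get("table_prefix") == "wp_":
        findings.append("default table_prefix 'wp_' left in place")
    if c.get("DB_PASSWORD", "").strip("'\"").lower() in WEAK_DB_PASSWORDS:
        findings.append("DB_PASSWORD is a weak or default value")
    if "AUTH_KEY" not in c:
        findings.append("authentication keys/salts (AUTH_KEY etc.) are not defined")
    return findings


def version_tuple(version):
    """'4.1.1' -> (4, 1, 1); non-numeric parts count as 0."""
    parts = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version string a is older than b, padding short versions with zeros."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def parse_plugin_header(text):
    """Read the 'Plugin Name:' and 'Version:' fields from a plugin's header comment."""
    return dict(HEADER_RE.findall(text))


def check_plugins(plugins, latest):
    """Report outdated plugins and plugins absent from the directory table (custom code)."""
    findings = []
    for path, text in plugins.items():
        slug = path.split("/")[0]
        installed = parse_plugin_header(text).get("Version", "unknown")
        if slug not in latest:
            findings.append(f"{slug}: not in the directory table (custom code, v{installed}); review its source")
        elif version_lt(installed, latest[slug]):
            findings.append(f"{slug}: installed {installed}, latest {latest[slug]}; update it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(f"[{label} wp-config.php]", check_wp_config(cfg) or "no findings")
    print("[plugins]", check_plugins(SAMPLE_PLUGINS, LATEST_VERSIONS))
```

    The weak config produces five findings and the hardened one none; the plugin check flags Contact Form 7 as outdated and the custom plugin as code with no directory entry, which is exactly the case the reply says needs a source code review. In a real run you would feed it the site’s wp-config.php and the header of each file under wp-content/plugins, and replace the constructed version table with a lookup against the plugin directory.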

  5. Donna George, February 22, 2015 at 04:04

    Thanks for your insightful information concerning site security. I had a WP fashion blog hijacked last year, hosted by DreamHost. A web developer set up the account, so I didn’t have the login intel to communicate with DreamHost, so basically I lost the whole blog and all the work. Now I am blogging on WP (not self-hosted). I was under the impression that no plugins could be added to WP-hosted sites. Is it necessary on these blogs?
