This excellent guide by /u/ded1cated was linked to from here a few days ago.
It gets a bit technical, but is very good.
GDPR tools are included in the latest WordPress version. If you need additional things like security and cookie notices etc., I suggest going for https://www.webarxsecurity.com. They support WordPress and have WAF, uptime monitoring, domain reputation scans, and you can add Cookie and Privacy Policy notices on your sites centrally.
The article mainly focuses on plugin vulnerabilities, updates, etc., but also on the causes/motivation behind why someone would even target WordPress sites:
https://www.webarxsecurity.com/wordpress-sites-get-hacked/
I noticed that many wondered what the context was. There was an article shared on Facebook with the title "Why WordPress sites get hacked?" - lots of people commented with their opinions, and the one in the picture was just too good.
Yes, I need to share the exact correct rule to avoid multiple redirects. It should be the same as Apache; the point is to try to set rules as far as possible from Apache to save on resources and have it done before the request hits your website. I will find the correct rule and share it.
Regarding the security headers: there are blogs that cover this nicely. You can read this https://www.webarxsecurity.com/https-security-headers-wp/
Yeah, just confirmed that one of my sites that is behind Cloudflare (paid version with security features enabled) has been exploited by the Elementor Pro vulnerability - Cloudflare didn't help: https://www.webarxsecurity.com/elementor-pro-vulnerability-and-attack-analysis/
Wordfence (good tool! Waddup to the CEO) has a neat feature where you can scan for changes to core WordPress files. Hello, for situations like these. I would eliminate unnecessary plugins, update themes and plugins, and check to make sure all plugins are being actively updated and maintained.
This is a pretty good guide. You have been making daily backups, right?
https://www.webarxsecurity.com/comprehensive-wordpress-malware-removal-guide/
> Once the plugin detects that a ThemeGrill theme is installed and activated, it loads the file /includes/class-demo-importer.php which hooks reset_wizard_actions into admin_init on line 44.

> The admin_init hook runs not only in the admin environment but also on calls to /wp-admin/admin-ajax.php which does not require a user to be authenticated.
source: https://www.webarxsecurity.com/critical-issue-in-themegrill-demo-importer/
Aww those poor developers, if only there had been some way for them to foresee this behaviour… Oh wait what's this‽
>Note, this does not just run on user-facing admin screens. It runs on admin-ajax.php and admin-post.php as well.
source: https://developer.wordpress.org/reference/hooks/admin_init/
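As an added illustration (not code from this thread, from ThemeGrill, or from WordPress core), here is the shape of the problem the quoted comments describe beside a hardened version. The callback name reset_wizard_actions comes from the thread; the trigger parameter, the function bodies and the do_privileged_reset() stand-in are constructed for the example:

```php
<?php
// Added illustration, not the plugin's code. The vulnerable shape: an admin_init
// callback that performs a privileged action with no capability or nonce check.
// The 'do_reset_wizard' trigger parameter is hypothetical.
function reset_wizard_actions_unsafe() {
    // admin_init fires on admin-ajax.php and admin-post.php as well as on admin
    // screens, and admin-ajax.php is reachable without a logged-in user, so
    // nothing here limits who can make this branch execute.
    if ( isset( $_GET['do_reset_wizard'] ) ) {
        do_privileged_reset();
    }
}
// The vulnerable registration would be:
// add_action( 'admin_init', 'reset_wizard_actions_unsafe' );

// Hardened form: require a capability AND a nonce before doing anything.
// Note that is_admin() is not a substitute for either check; it is also true
// for admin-ajax.php requests.
function reset_wizard_actions_safe() {
    if ( ! isset( $_GET['do_reset_wizard'] ) ) {
        return;
    }
    // Unauthenticated callers fail current_user_can(); low-privilege accounts
    // (e.g. subscribers) fail it too because they lack manage_options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // CSRF guard: the request must carry a nonce for this specific action.
    // check_admin_referer() calls wp_die() itself when the nonce is missing or bad.
    check_admin_referer( 'reset_wizard_actions' );
    do_privileged_reset();
}
add_action( 'admin_init', 'reset_wizard_actions_safe' );

// Constructed stand-in so the file parses on its own; in the real plugin this
// is the destructive operation (a content reset, in the ThemeGrill case).
function do_privileged_reset() {
    // ...privileged work...
}
```

The matching nonce would be attached to the legitimate admin link with wp_nonce_url( $url, 'reset_wizard_actions' ). The same two checks apply to any callback on admin_init, wp_ajax_* or admin_post_* hooks: treat those hooks as reachable by anyone and gate the action on capability plus nonce, not on where the request appears to come from.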
> not everyone uses chrome.
Yes, sorry, I don't even know why I wrote Chrome instead of Browser, my bad.
Google Blacklist actually is propagated to antiviruses which implement the block system-wide.
(when it happened to me, it took 10 months of continuous emails for Panda antivirus to de-blacklist it after it was cleared by Google)
Other browsers use Google Blacklist as well.
This is what you see on different browsers (without antivirus intervention, that's a whole other story):
https://www.webarxsecurity.com/wp-content/uploads/2018/04/blog-wordpress-malware-removal-chrome-blacklist-warnings.png
> Never heard of that
This is probably because you never had your WordPress website hacked, or you patched it very quickly. I was once tasked to resolve the situation of an institutional website after it had been that way for months.
If you have lots of sites and you want to create rules to redirect traffic to a custom location and create advanced redirect rules, I would suggest you look here: https://www.webarxsecurity.com/web-application-firewall-engine/
It's important to monitor plugin vulnerabilities and consider a WordPress site as a web application. For that reason, a web application firewall is pretty essential. You can try out WebARX to monitor plugin vulnerabilities and receive automated virtual patching etc. Of course, server-side security plays a strong part as well.
https://www.webarxsecurity.com/wordpress-security
Geeez, worst suggestion ever. Set proper file/user permissions (look at hosting configuration in general), adopt 2FA for users, monitor your plugins for vulnerabilities and install a managed WAF (which is automatically updated with the latest filters) to block the bots and more advanced attacks. And please!! Stop installing so many plugins. Keep plugin count at a minimum and find one security plugin that does the most for you.
Cleanup guide here: https://www.webarxsecurity.com/comprehensive-wordpress-malware-removal-guide/
We are a startup that is about to take off. Gonna have an AppSumo campaign starting tomorrow and have had a lot of traction lately.
The product is: https://www.webarxsecurity.com
If you're interested, DM me :)
We do weekly, but on different topics. Last week was focused on Digital Agencies:
https://www.webarxsecurity.com/5-must-read-articles-digital-agencies-week/