dummzeuch

How secure is your WordPress installation?


I have been using WordPress for this blog for several years and always thought my setup was reasonably secure. It turns out that there is something called the WordPress REST API which allows one to get quite a lot of information about the installation without any security at all.

Read on in the blog post.


I'm not a WP expert, so it's nice to see a blog where the problem is explained and the solution is simple: download plugin + upload + activate. Simple, thanks!


I don't see how enabling basic authentication would make the web site more secure.

The password is sent in plain text in the headers, just Base64-encoded, so there is no benefit.
If just adding a password made something more secure... it would have been used everywhere.

 

The best security advice, which is not on your blog post, is to maintain your WP installation up-to-date, with all the security fixes.


My blog post is not meant as general security advice for WordPress. I'm not qualified to give that. It just highlights one particular problem which apparently many overlook. As for authentication: it is only as secure as the transport protocol, so if the installation uses plain HTTP it's not much. It does prevent automated data harvesting by simple bots, though.

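Added example (not code from the original post, the linked blog post, or WordPress itself) illustrating the two points discussed above: what the public REST API hands out to an anonymous client, and why putting HTTP Basic authentication in front of it only helps when the transport is TLS. The endpoint paths follow WordPress core (`/wp-json/` index, `/wp-json/wp/v2/users`); the JSON responses, the site name and the credentials are constructed for offline use and are assumptions, not data from any real site. The `probe()` helper performs a live check against a site you own and is not exercised by the offline sample.

```python
"""What the anonymous WordPress REST API reveals, and what a captured
Basic-auth header reveals.  All sample payloads are constructed here."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Constructed sample of GET /wp-json/wp/v2/users (same shape as WP core output).
SAMPLE_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.invalid/author/admin/"},
    {"id": 7, "name": "Jane Doe", "slug": "jdoe",
     "link": "https://example.invalid/author/jdoe/"},
])

# Constructed sample of GET /wp-json/ (root index); "namespaces" lists the
# REST namespaces registered by core and by every installed plugin.
SAMPLE_INDEX = json.dumps({
    "name": "Example Blog",
    "namespaces": ["oembed/1.0", "wp/v2", "contact-form-7/v1", "wordfence/v1"],
})

# Constructed sample of the error object returned once the endpoint is restricted.
SAMPLE_DENIED = json.dumps({"code": "rest_cannot_access",
                            "message": "Only authenticated users can access the REST API.",
                            "data": {"status": 401}})

# Core namespaces (assumed list; anything else points at a plugin).
CORE_NAMESPACES = {"oembed/1.0", "wp/v2"}


def users_from_json(text):
    """Return (id, slug, name) for each user the endpoint exposes.
    The slug is normally derived from the login name, which is exactly
    what a password-guessing bot wants to harvest."""
    data = json.loads(text)
    if isinstance(data, dict) and "code" in data:
        return []          # error object, e.g. rest_cannot_access: nothing exposed
    return [(u["id"], u["slug"], u.get("name", "")) for u in data]


def plugin_namespaces_from_json(text):
    """Namespaces outside core, i.e. a fingerprint of installed plugins."""
    namespaces = json.loads(text).get("namespaces", [])
    return sorted(n for n in namespaces if n not in CORE_NAMESPACES)


def basic_auth_header(user, password):
    """Build the Authorization header a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_auth(header):
    """Recover the credentials from a captured header.  Base64 is an
    encoding, not encryption: on plain HTTP anyone on the path can do this;
    over HTTPS the header is protected only by TLS."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def probe(site, timeout=10):
    """Live check of your own site: exposed users and non-core namespaces."""
    def get(path):
        with urllib.request.urlopen(urljoin(site, path), timeout=timeout) as resp:
            return resp.read().decode()
    try:
        users = users_from_json(get("/wp-json/wp/v2/users"))
    except urllib.error.HTTPError:   # 401/403 once the endpoint is restricted
        users = []
    return {"users": users, "plugins": plugin_namespaces_from_json(get("/wp-json/"))}


if __name__ == "__main__":
    print("exposed users:", users_from_json(SAMPLE_USERS))
    print("after restriction:", users_from_json(SAMPLE_DENIED))
    print("plugin namespaces:", plugin_namespaces_from_json(SAMPLE_INDEX))
    header = basic_auth_header("editor", "s3cret")
    print(header, "->", decode_basic_auth(header))
```

Run it as-is for the offline demonstration, or call `probe("https://your-site.example/")` against an installation you administer. If the users call returns a list rather than a `rest_cannot_access` error, the login slugs are public; if `plugin_namespaces_from_json` returns anything, the index is also advertising which plugins are installed.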

Install WordFence (there are free and paid versions) and keep the number of plug-ins to a minimum.

19 minutes ago, David Hoyle said:

Install WordFence (there are free and paid versions) and keep the number of plug-ins to a minimum.

The description scares me a little bit... almost feels like it sends an assassin to anybody trying to access my website... 🙂

 

"Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available."


I pay an arm and a leg for WordPress' own hosted version for https://larsfosdal.blog so that I wouldn't have to think about these things.

I wonder if that also leaks these things?

2 hours ago, Lars Fosdal said:

 I wonder if that also leaks these things?

No, it doesn't.
