dummzeuch Posted October 24, 2020 I have been using WordPress for this blog for several years and always thought my setup was reasonably secure. Turns out that there is something called the WordPress REST API which allows one to get quite a lot of information about the installation without any security at all. Read on in the blog post.
Mike Torrettinni Posted October 24, 2020 I'm not a WP expert, so it's nice to see a blog where the problem is explained and the solution is simple: download plugin + upload + activate. Simple, thanks!
Arnaud Bouchez Posted October 25, 2020 I don't see how enabling basic authentication would make the web site more secure. The password is sent in plain text in the headers, just base-64 encoded, so there is no benefit. If just adding a password would make something more secure... it would have been used everywhere. The best security advice, which is not in your blog post, is to keep your WP installation up to date, with all the security fixes.
dummzeuch Posted October 25, 2020 My blog post is not meant as general security advice for WordPress. I'm not qualified to give that. It just highlights one particular problem which apparently many overlook. As for authentication: it is only as secure as the transport protocol, so if the installation uses plain HTTP it's not much. It does prevent automated data harvesting by simple bots, though.
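The mitigation the thread is discussing (refusing to serve REST API data to anyone who is not logged in, while leaving logged-in editors unaffected) can be done without a third-party plugin. The following is an added example, not code from dummzeuch's post or from the plugin he recommends; it is a WordPress must-use plugin, and the constant EXAMPLE_PUBLIC_REST_ROUTES, the helper example_rest_route_is_public and the oEmbed allow-list entry are assumptions for this example that you would adjust to what your site actually exposes.

```php
<?php
/**
 * Plugin Name: Require login for the REST API (example)
 *
 * Save as wp-content/mu-plugins/require-rest-login.php so WordPress loads it
 * on every request. Anonymous REST requests then receive HTTP 401 instead of
 * installation data; logged-in users (including the block editor, which
 * authenticates with cookies plus a nonce) keep working.
 */

// Route prefixes that stay reachable without a login. Assumption for this
// example: oEmbed is kept public so other sites can still embed posts.
// Add prefixes for any plugin on your site that talks to REST anonymously.
const EXAMPLE_PUBLIC_REST_ROUTES = array(
    '/oembed/1.0',
);

function example_rest_route_is_public( $route ) {
    foreach ( EXAMPLE_PUBLIC_REST_ROUTES as $prefix ) {
        if ( strncmp( $route, $prefix, strlen( $prefix ) ) === 0 ) {
            return true;
        }
    }
    return false;
}

// rest_pre_dispatch runs after authentication has been evaluated but before
// any endpoint executes; returning a WP_Error short-circuits the dispatch.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another plugin already produced a response or error
    }
    if ( is_user_logged_in() || example_rest_route_is_public( $request->get_route() ) ) {
        return $result;
    }
    // As with HTTP Basic auth, the cookie that proves the login is only
    // protected from eavesdropping when the site is served over HTTPS.
    return new WP_Error(
        'rest_login_required',
        'Authentication is required to use the REST API on this site.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After activating it, a quick self-check is to open /wp-json/ in a private browser window (no login) and confirm you get a 401 rather than the route index.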
David Hoyle Posted October 27, 2020 Install WordFence (there are free and paid versions) and keep the number of plug-ins to a minimum.
Mike Torrettinni Posted October 27, 2020 19 minutes ago, David Hoyle said: Install WordFence (there are free and paid versions) and keep the number of plug-ins to a minimum. The description scares me a little bit... almost feels like it sends an assassin to anybody trying to access my website... 🙂 "Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by a suite of additional features, Wordfence is the most comprehensive security option available."
Lars Fosdal Posted October 27, 2020 I pay an arm and a leg for WordPress' own hosted version for https://larsfosdal.blog so that I wouldn't have to think about these things. I wonder if that also leaks these things?
dummzeuch Posted October 27, 2020 2 hours ago, Lars Fosdal said: I wonder if that also leaks these things? No, it doesn't.