Category Archives: wordfence

WordPress Security for Beginners – Where to Start

One of the reasons that WordPress is so popular, powering 25% of all websites, is how easy it is to use. This is encouraging a lot of beginners to build their own websites. In fact, according to our recent WordPress Security Survey, 17.4% of respondents self-identify as novices or as having little to no website security expertise.

With this in mind, when we developed our recently launched WordPress Security Learning Center, we created content for every level including beginners.

For you beginners out there we recommend that you start with our Introduction to WordPress Security article. In it you will learn how to run more secure websites. We cover topics like password security, how to manage comments, how to select and manage themes and plugins and how to manage user security.


The 2015 WordPress Security Survey Results are out

To bring 2015 to a close, we conducted a WordPress security survey. We sent a broadcast to our community and 7,375 members responded by completing what was a long and comprehensive survey.

Firstly, a big thanks to the thousands of WordPress community members who took the time out of their busy schedules to complete this survey. We appreciate it and we hope you find the results useful in your daily work with WordPress and in your decision making.

We are very excited today to officially announce the results. You can find the full results of our security survey in our WordPress Security Learning Center.


Aethra Botnet Attacks WordPress Sites

Exec summary: A botnet has been identified that is currently targeting WordPress websites with a password-guessing attack. If you have Wordfence installed with our default settings, you are already protected against this attack. The botnet is powered by modem/router devices. ISPs are gradually patching the devices, but many are left vulnerable or infected because some ISPs respond slowly to this issue.

Full article:

In February of this year a security researcher at Voidsec noticed brute force attacks on his personal WordPress site and he noticed a pattern in the IP addresses attacking his site. They were mostly Italian internet service providers. They were:


Security Concepts: Half of all WordPress Plugin Vulnerabilities are XSS and Securing FTP

We had a lot of fun creating our WordPress Security Learning Center. One of the coolest experiences was being able to share with WordPress site administrators how attackers actually gain entry to their sites.

Our Introduction to Secure WordPress Sites is the starting point we recommend for all beginner or intermediate level WordPress administrators. In our introduction, we include a demonstration video in the section explaining why it’s important to use sFTP to manage your site and never use FTP. I’m the guy narrating the video and I demonstrate how to use Metasploit to grab FTP passwords from the network when someone uses insecure FTP. That was really fun!


Announcing the WordPress Security Learning Center

Dear WordPress Community,

Today we have something amazing to share with you. Earlier this year we started a project to understand more about you and your needs: the site owners who use WordPress to run your personal and business websites.

What we discovered is that you are diverse individuals who rely heavily on WordPress and your websites to help you do the things that you are passionate about. You are also constantly learning and you have a strong desire to learn more about WordPress security to empower yourselves.
