Knowledge Base
WordPress Security
36 articles in the WordPress Security category · page 1 of 2.
- Preventing PHP execution inside wp-content/uploads
  The single most common WordPress RCE pathway is a PHP file living inside uploads. Here is the nginx and Apache config to block it, and the plugin upload patterns that violate it.
- Sucuri Security plugin on WordPress: when it adds value
  The Sucuri WordPress plugin is free, popular, and frequently the wrong tool for the job. When the plugin actually helps, and when the paid Sucuri WAF behind it is what you really need.
- Rate-limiting wp-login, xmlrpc, and the REST API
  Three endpoints absorb 90% of WordPress brute-force and abuse traffic. Here is the layered limit_req + Cloudflare rate-limit + fail2ban configuration that survives a coordinated campaign.
- Rotating WordPress salts correctly on cPanel
  How to rotate the WordPress salts in wp-config.php on a cPanel-hosted site: why you do it, when you do it, and the order of operations that keeps sessions clean.
- WordPress GDPR and Law 25 compliance: what the platform must support
  WordPress GDPR and Quebec Law 25 compliance is not a plugin. The platform requirements behind the consent banner, the data-subject request, and the audit trail that proves the work.
- WordPress recovery from ransomware: rebuild path without paying
  A WordPress install with all PHP files encrypted and a ransom note in wp-content is rare but happens. The recovery path that does not involve paying, the database backup that saves you, and the offline-replica-first principle.
- WordPress with Solid Security (iThemes): what is worth enabling
  A WordPress Solid Security install offers forty toggles, half of which break the front-end if you flip them all at once. The five settings that earn their place and the ones to leave alone.
- Cleaning a malware-infected WordPress install on cPanel
  How to actually clean a malware-infected WordPress install on cPanel: what to scan, what to replace, what to rotate, and how to know you finished.
- WordPress audit logs: what to log and how to read it
  A WordPress audit log that records every page view is useless. The events that justify the storage cost, the plugin choices that produce a real audit trail, and the query that turns the log into evidence.
- Protecting wp-login.php from brute-force attacks on cPanel
  Layered defenses against brute-force attacks on WordPress wp-login.php on a cPanel server: rate limiting, IP allowlists, fail2ban, and the WAF rules that actually help.
- WordPress security mistakes that are everywhere
  A WordPress audit across twenty inherited sites finds the same configuration mistakes on most of them. The ten patterns that show up everywhere and the quick fix for each one.
- Fixing mixed content warnings on WordPress after enabling SSL on cPanel
  How to find and fix mixed content warnings on a WordPress site on cPanel after enabling SSL: the database sweep, the theme audit, and the third-party assets that need manual handling.
- WordPress vulnerability scanning: WPScan, Patchstack, and the workflow that catches issues
  A WordPress fleet without vulnerability scanning relies on plugin authors disclosing in their changelog. WPScan and Patchstack feeds, the WP-CLI integration, and the weekly workflow that turns CVE data into actual patches.
- Disabling theme and plugin editing inside WordPress admin
  Why DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are the easiest WordPress hardening wins on cPanel, what each one blocks, and how to choose between them.
- WordPress recovery from defacement: the cleanup that sticks
  A WordPress homepage replaced by an attacker's message is the visible part of the compromise. The cleanup that removes the defacement and the backdoor that lets the attacker do it again.
- Wordfence on WordPress: setup baseline and the alerts that matter
  A WordPress Wordfence install left on defaults emails you about everything and tells you about nothing important. The baseline configuration and the three alert classes that justify the inbox traffic.
- WordPress 2FA rollout for admins on a multi-site fleet
  A WordPress 2FA rollout for the admin role across a fleet of forty sites is not the same problem as a single-site rollout. Plugin choice, enforcement, and the fleet-wide audit query that keeps you honest.
- WordPress login URL hiding: when it actually helps
  Renaming the WordPress login URL is the most-recommended security tweak that does the least. When the change actually reduces real attack surface, and when it just hides the noise without changing risk.
- Locking the WordPress admin area to specific IPs on cPanel
  How to restrict access to wp-admin and wp-login.php by IP on a cPanel server using .htaccess, plus the trade-offs against plugin-based and Cloudflare-based approaches.
- WordPress plugin audit: finding the abandoned plugins on a fleet
  A WordPress plugin that has not been updated in 24 months and still runs in production is a vulnerability waiting to be assigned a CVE. The audit query that finds the abandoned plugins across a fleet and the triage that retires them.
- WordPress with Cloudflare WAF: useful rule patterns
  WordPress sites behind Cloudflare often run the managed rules and call it done. The custom rule patterns that actually move the WAF block rate, written against real WordPress attack signatures.
- WordPress REST API: restricting unauthenticated access
  The WordPress REST API exposes user data and post metadata to unauthenticated requests by default. What the API leaks, the filter that locks it down, and the endpoints you cannot fully close without breaking the public site.
- WordPress security headers: CSP, HSTS, X-Frame-Options that actually deploy
  WordPress security headers are easy to add and hard to keep in a working state. The header set that produces a useful trust score without breaking the block editor, and the rollout that catches CSP violations before they ship.
- wp-config.php hardening checklist for production
  The seven constants that separate a hardened wp-config.php from one that ships defaults to production, with reasoning on what each one actually changes at runtime.
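Three of the items above (PHP files inside wp-content/uploads, the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants, and unrotated salts) can be spot-checked from a shell before reading the full articles. The script below is an added example written for this index, not code from any of the linked articles; it assumes the stock WordPress layout (wp-config.php in the docroot, uploads under wp-content/uploads) and builds its own throwaway docroot as a constructed fixture so it can be run offline.

```shell
#!/bin/sh
# wp_quickaudit.sh: added example, not code from the linked articles.
# Spot-checks a WordPress docroot for three items from the list above:
#   1. PHP-executable files under wp-content/uploads
#   2. DISALLOW_FILE_EDIT / DISALLOW_FILE_MODS defined true in wp-config.php
#   3. salts still carrying the stock placeholder text
# Assumes the stock layout: wp-config.php in the docroot, uploads under wp-content.

# Print any PHP-executable files under wp-content/uploads. Covers plain .php and
# the variants (.phtml, .php5, .phar) that a "deny *.php" server rule written too
# narrowly lets through. Prints nothing when the directory is clean or missing.
uploads_php_files() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) \
        2>/dev/null
}

# Exit 0 when wp-config.php defines the named constant as true (either quote
# style, any whitespace inside the define()), 1 otherwise.
wpconfig_has_true() {
    grep -Eq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Exit 0 when no salt line still holds the placeholder WordPress ships with.
salts_are_set() {
    ! grep -q 'put your unique phrase here' "$1/wp-config.php" 2>/dev/null
}

# Run all checks, print one FAIL line per finding, exit with the failure count
# (0 means every check passed).
audit_docroot() {
    docroot=$1; fails=0
    offenders=$(uploads_php_files "$docroot")
    if [ -n "$offenders" ]; then
        printf 'FAIL php-in-uploads:\n%s\n' "$offenders"; fails=$((fails + 1))
    fi
    for c in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        wpconfig_has_true "$docroot" "$c" || { printf 'FAIL %s not set\n' "$c"; fails=$((fails + 1)); }
    done
    salts_are_set "$docroot" || { printf 'FAIL salts still placeholder\n'; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed fixture (not a real site): a temp docroot with one PHP file in
# uploads, DISALLOW_FILE_EDIT set but DISALLOW_FILE_MODS missing, and a stock
# AUTH_KEY placeholder, so audit_docroot reports three failures on it.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024/05"
    printf '<?php echo "x";' > "$d/wp-content/uploads/2024/05/shell.php"
    : > "$d/wp-content/uploads/2024/05/photo.jpg"
    cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY', 'put your unique phrase here' );
define('DISALLOW_FILE_EDIT', true);
EOF
    printf '%s\n' "$d"
}

# Usage: ./wp_quickaudit.sh /var/www/example/public_html
if [ -n "$1" ]; then
    audit_docroot "$1"
fi
```

The uploads check is a detection, not a fix: a hit means the web server must also be configured to refuse PHP execution under uploads (the first article in the list), since deleting the file without closing the path only buys time until the next upload.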