I have recently had an issue where I have been unable to install the WP Smush Pro plugin because I don’t have the Manual Install or One-Click Installation options available. I came across this post which suggested tweaking the settings in wp-config.php. I added the settings suggested, however the one that seems to be the … Read more
A simple way of doing this is to use Password Based Encryption in Java. This allows you to encrypt and decrypt a text by using a password. This basically means initializing a javax.crypto.Cipher with algorithm “AES/CBC/PKCS5Padding” and getting a key from javax.crypto.SecretKeyFactory with the “PBKDF2WithHmacSHA512” algorithm. Here is a code example (updated to replace the less secure MD5-based variant): import java.io.IOException; import java.io.UnsupportedEncodingException; … Read more
Is it possible to rename the wp-admin folder? I know I could just rename it, but unless it’s supported by the code lots of things would break. If I use a custom folder name, it will make it slightly more secure, security by obscurity and all that. Unfortunately it’s not currently possible nor does there … Read more
I use WordPress for a private site where users upload files. I use the “Private WordPress” to prevent access in to the site if the user is not logged in. I would like to do the same to the files uploaded in the uploads folder. So if a user its not logged in they wont … Read more
My for-fun WordPress blog at http://fakeplasticrock.com (running WordPress 3.1.1) got hacked — it was showing an <iframe> on every page like so: <iframe src=”http://evilsite.com/go/1″></iframe> <!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd”> <html xmlns=”http://www.w3.org/1999/xhtml” xml:lang=”en” lang=”en”> I did the following Upgraded to 3.1.3 via the built-in WordPress upgrade system Installed the Exploit Scanner (lots of … Read more
I have a website for which we are trying to be discreet about the fact that we are using WordPress. What steps can we take to make it less obvious? EDIT- Important security note: Please understand that doing this perfectly is impossible as per Mark’s answer, so don’t rely on this as a security measure. … Read more
One of the most common security best practices these days seems to be moving wp-config.php one directory higher than the vhost’s document root. I’ve never really found a good explanation for that, but I’m assuming it’s to minimize the risk of a malicious or infected script within the webroot from reading the database password. But, … Read more
