Looking through my site stats I'm noticing a bunch of hits on my wordpress/xmlrpc.php file. It's not from me AFAIK; do I need to worry about something here, and is there any way to secure this?
I'm running multiple WordPress sites on the same apache2, and it's only one of them that this is happening to.
If you don't use the XML-RPC interface (pingbacks or blogging from external sources like Android/iPhone), you can turn off this feature: Settings -> Writing -> XML-RPC
I installed "Windows Live Writer" for one of my very novice clients. It is good for posts.
It is very simple and does a good job.
It needs XML-RPC.
I've also got hits on this xmlrpc.php. But I'm not even on WordPress! That's clearly hackers trying different addresses to gain access via this PHP page.
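For the "hits in my site stats" question above, the first thing to establish is whether the traffic is a handful of pingbacks or a brute-force campaign. The following is an added example, not code posted in the thread: a POSIX shell/awk routine that reads an Apache combined-format access log, lists the clients that POSTed to xmlrpc.php more than a threshold number of times, and gives a status-code histogram for the endpoint. The log lines are constructed (RFC 5737 documentation addresses), and the function names are mine. The path match is suffix-based, so it also catches installs in a subdirectory such as /wordpress/xmlrpc.php.

```shell
#!/bin/sh
# Added example, not code from the thread: triage xmlrpc.php traffic in an Apache
# combined-format access log. Prints "IP count" for each client that POSTed to
# xmlrpc.php at least THRESHOLD times, busiest first, so you can tell a login
# brute-force or pingback flood from an occasional legitimate client.

# Constructed sample log lines (RFC 5737 documentation addresses, not real clients).
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 9312 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2023:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "WordPress/6.3; http://198.51.100.7"
203.0.113.5 - - [10/Oct/2023:13:56:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.1 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2207 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
EOF
}

# Usage: xmlrpc_posters [THRESHOLD] < access.log
# Combined log fields: $1 client IP, $6 is "METHOD (with the opening quote),
# $7 request path, $9 status code.
xmlrpc_posters() {
    awk -v t="${1:-1}" '
        $6 == "\"POST" && $7 ~ /\/xmlrpc\.php(\?|$)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) print ip, hits[ip] }
    ' | sort -k2,2nr -k1,1
}

# Usage: xmlrpc_status_counts < access.log
# Status-code histogram for every xmlrpc.php request. After you disable or block
# the endpoint, the 200s here should turn into 403/404/405.
xmlrpc_status_counts() {
    awk '
        $7 ~ /\/xmlrpc\.php(\?|$)/ { status[$9]++ }
        END { for (s in status) print s, status[s] }
    ' | sort -k2,2nr -k1,1
}

# Demo on the constructed sample. On a real server, for example:
#   xmlrpc_posters 20 < /var/log/apache2/access.log
sample_log | xmlrpc_posters 5
```

Access logs do not show the request body, so this cannot distinguish a pingback from a system.multicall login attempt; a single client producing hundreds of POSTs per minute is the signal either way, and any such address is a candidate for a firewall drop or a fail2ban jail.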
I'm new to this kind of issue, and I'm pretty sure it's maybe a small issue; please, any help.
Is your website available via http or https? Chrome marks every http website as dangerous automatically. You need https.
You need to configure your site to use SSL. For that you need to set up the server properly and get an SSL certificate. There are some services that allow you to create your own certificate for free, but not every hosting provider accepts them. In some cases you need to buy the certificate from your provider.
The most popular free certificate site is Let's Encrypt. You can read more on how to configure it on their site: https://letsencrypt.org.
Start with reading this: https://letsencrypt.org/getting-started/
You can read why Google marked this site as dangerous in this article. If you are using WordPress on your registered domain, then contact your hosting provider about this issue. But if you are using free sites, then I would recommend using XAMPP (localhost), or you can use a website like Pantheon to install and use WordPress.
If you have problems with how to use this site, then follow this YouTube link to learn how the site works. It will start at 5:31.
I am looking for the proper way of restricting access, essentially to the management page of WordPress, by IP.
Looking around, a solution I often see is using .htaccess. Even though it's not too bad as a solution, it doesn't look right, plus it misses some actions that could be taken through XML-RPC.
There is also a plugin called "Secure Admin IP" which looks like it is up for the job, but it doesn't have a large number of installations.
Wordfence, which is quite a popular WAF for WordPress, doesn't seem to support this functionality. Does anyone have any suggestions for this issue? Is it something people don't frequently do, and that's why there are not so many resources around it?
Also, I am quite new to WordPress, so hopefully I haven't missed something very profound.
I have made the case for using WordPress as a CMS for an important project.
IT has challenged me to build out this base WP installation alongside the local (WAMP) served intranet and lock it down the best I can. They will then attack the installation with enterprise level penetration testing software.
I am only privy to a minimal amount of detail; however, some security tools I am up against have been mentioned and will be used in conjunction with enterprise-level software:
Kali.org
Tools from darknet.org.uk
Watabo
What I've done:
Wiped all basic WP out-of-the-box data such as Administrator username, changed login page URL, removed ajax calls, leveraged all options within iThemes Security plugin (which is pretty impressive) and a few of my own.
My question is for advanced advice on securing WordPress running the 2015 theme, and its PHP framework and database: proper .htaccess configuration and possible pitfalls, and advice on any advanced methods of securing a website where it's likely to fail a pen test.
It's not easy to make a website completely invulnerable, especially if you have chosen WordPress.
You should update your WordPress website constantly. It means that you have to follow all the updates and install them immediately. Sometimes it's not easy to do if everything is working as it should and the database is not small. WordPress is the most popular open-source CMS in the world, and many people want to crack it, write crawlers that search for vulnerabilities online, etc.
Simple steps to increase the security of any website:
Close a port if you don't use it, or install a firewall, TCP Wrappers, etc.
Don't use FTP, ever. Use SSH instead.
Don't set 777 permissions on the whole folder. Make it 555, and when you need to upload an image or something else, change the permissions to 777 or 755 (if you do it via SSH). After doing your job, change the permissions back to 555. Nobody could upload a payload or other malicious code to your website through the front end if it's not writable.
Check your website for sql injection vulnerability.
Don't use simple passwords. You could even change your passwords every month.
Don't duplicate passwords.
Regularly update your software.
For back-end security you could use an IDS, for example Snort (https://www.snort.org/), but it's not easy to configure properly. Furthermore, you should understand how a network works: TCP/IP, attack types, and much more.
Use OpenBSD as your server operating system if you don't understand information security well. It was created with an emphasis on increased security.
Take a network scanner (for example nmap) and test your server for vulnerabilities.
Finally: I wouldn't recommend using WordPress for reliable security :) and to say more I'd need to take a look at the website.
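The permissions point in the answer above is where most hardening guides get vague, so here is an added example that is not part of the answer: a shell routine that applies a least-privilege scheme to a WordPress tree and then audits it. It assumes the files are owned by a deploy account, the web server runs as a different account that is a member of the group you pass (www-data on Debian/Ubuntu), and therefore only wp-content/uploads needs to be group-writable; nothing is ever world-writable, so there is no 555/777 toggling to remember. wp-config.php is made 640 because it holds the database credentials. The function names are mine.

```shell
#!/bin/sh
# Added example, not code from the answer above: apply a least-privilege permission
# scheme to a WordPress tree and audit it.
# Assumptions: files are owned by a deploy user; the web server runs as another
# account that is a member of GROUP (e.g. www-data); only wp-content/uploads must be
# writable by the web server, and nothing may be world-writable.

# harden_wp_perms DOCROOT [GROUP]
harden_wp_perms() {
    root="$1"; group="${2:-}"
    [ -d "$root/wp-content" ] || { echo "not a WordPress tree: $root" >&2; return 1; }

    if [ -n "$group" ]; then
        chgrp -R "$group" "$root"
    fi

    # Baseline: directories traversable, files readable, nothing writable by others.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +

    # Database credentials: owner read/write, group (web server) read, others nothing.
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi

    # The one tree WordPress must write to at run time: group-writable only.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
        find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
    fi
}

# world_writable DOCROOT: list anything writable by "other" (symlinks excluded,
# they are always 777). Should print nothing after hardening.
world_writable() {
    find "$1" -perm -002 ! -type l
}

# config_exposed DOCROOT: prints wp-config.php if it is readable by "other".
config_exposed() {
    [ -f "$1/wp-config.php" ] && find "$1/wp-config.php" -perm -004
}

# Example run (paths are placeholders):
#   harden_wp_perms /var/www/html www-data
#   world_writable /var/www/html      # expect no output
#   config_exposed /var/www/html      # expect no output
```

Two caveats a pen tester will check regardless of permissions: WordPress itself must write to uploads, so a compromised administrator account or a plugin upload flaw can still drop a PHP file there; pair this with a rule that refuses to execute PHP under wp-content/uploads. And if the files and the web server share one account (typical shared hosting), the group split above collapses and you are relying on the application alone, which is why the "wipe 777" step in the answer matters there too.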
I'm looking into building database-driven websites based on open-source platforms in a sandbox area, rather than having them accessible via the final URL, until clients have paid up.
Is anyone aware of any problems this may cause with paths or functionality, or, know of any good articles on the subject?
Many thanks,
Shaun
There is no bad effect on functionality just because it is in a sandbox. Generally, Joomla is almost location independent (unless you are driving multiple websites from the same Joomla installation).
For security purposes, secure the URL via a .htaccess file (if more security is required, set up a cron job to update the password every X hours and email the new details to the user).
I would suggest having a cut-down, less-privileged or demo account for sign-up users that can still enjoy the overall experience of your site without the full functionality of your killer web-app services. "Restricting" them to a sandbox area that is not even the actual site would not be as appealing and convincing as it could be for them to go from "freemium" to "premium" customers.
I develop all Joomla sites on a local server and then upload to the production server once approved. In Joomla, when I upload the files to the production server, I usually need to change the MySQL server as well, and it can all be changed in the configuration.php file.
Not sure if this is the right place to ask; sorry if it's not. I build a lot of WordPress sites. My problem is, the number of them is getting big, and it's getting harder to update them all when new releases come out.
I have written an app that will download the latest WordPress release and manually FTP the new files to all the clients, but this takes forever... I need a new way.
I wanted to restructure this while I can, or at least start a new process. What's the best way to manage multiple WordPress sites and keep them all updated? Some people have said one DB and a modded config; others I have seen said to keep all installs separate and use plugins to automatically upgrade, but I don't know what's best to do. Ideas? Thanks :)
If these were all sites you managed on your own server, I'd recommend using a Multisite installation rather than separate instances of WordPress. This way you only have one set of themes, one set of plug-ins, and one copy of WordPress to maintain.
If these sites are on different servers (i.e. you're maintaining sites for clients remotely), I'd recommend you look into a beta account with WP Remote. This is a service specifically built to allow you to remotely monitor and update multiple WordPress installations. It might be the best solution for you because it allows you to use the one-click update rather than manually downloading/FTP-ing the new files.
You can use this free self-hosted app: http://infinitewp.com
No limit on the number of sites being managed. You can update WP/plugins/themes, do backups, and one-click login to your WordPress admin panel.
EAMann is right; especially with the new Multisite features in WordPress 3.0, there is no better way to manage multiple sites under one umbrella. Being a developer myself, I know the pain of having to log in to all those different accounts!
The way to set it up is to create a "master domain name" that you will log into. Place this in your wp-config.php:
define('WP_ALLOW_MULTISITE', true);
Then log in to your admin panel and navigate to Tools > Network.
After you've set everything up, copy/paste what it tells you into your .htaccess and wp-config.php files.
The next step, especially if you are putting clients on this network, is that they will want their own domain name, not AIBot.com/theirname, right? That's where Domain Mapping comes in:
http://ottopress.com/2010/wordpress-3-0-multisite-domain-mapping-tutorial/
Check that out and good luck!
What you need is www.managewp.com; it can do all of that for you, plus a ton of other excellent features.