Category: WordPress Hardening
About custom login URLs
We have added a new feature under Advanced Hardening. You can now change your default login URL to a custom login URL. This will mitigate bot attacks on default WordPress login URLs. This feature comes with another background process that is also important to note: email notifications. The setting for email notifications can be found under General. If you ever forget the login URL, you can use a parameter as explained below to receive an email with your custom login
Renaming a WordPress database prefix
Changing the WordPress database prefix is not a direct solution for certain vulnerabilities; however, it can be categorised as ‘Security through Obscurity’. Changing the defaults in your WordPress configuration, from disabling certain features to removing unnecessary data like feedback on login attempts and software versions, will help make your website less vulnerable if WordPress as a platform is targeted. In reality, websites are rarely specific targets. What is mostly targeted are flaws and vulnerabilities in popular frameworks. And WordPress is
Debug.log has been relocated, but where?
By default, the debug.log file is written to a standard folder and filename: /wp-content/debug.log. This default will be in place on 99% of websites. And because /wp-content/ is a publicly accessible folder (it also contains your uploads folder with images, for example), the debug.log might be an interesting file for anyone with malicious intent, if accessible. But why? The debug.log might contain important or confidential information. If it extends to plugins that handle more sensitive data like usernames, passwords, emails, payment credentials,
What to do if you’re locked out after renaming the ‘admin’ username
When attacking WordPress websites, guessing usernames and passwords is still a commonly used method to gain access to a WordPress back-end. It goes without saying that using easy-to-guess passwords like ‘12345’ or ‘Welcome2022’ will make it really easy for attackers to log in to your administrator account. The same goes for usernames; using easy-to-guess usernames like ‘Admin’ will make it too easy for attackers. This is why Really Simple SSL allows you to prevent usage of the
Locked out after renaming the admin username
When attacking WordPress websites, guessing usernames and passwords is still a commonly used method to gain access to a WordPress back-end. It goes without saying that using easy-to-guess passwords like ‘12345’ or ‘Welcome2022’ will make it really easy for attackers to log in to your administrator account. The same goes for usernames; using easy-to-guess usernames like ‘Admin’ will make it too easy for attackers. This is why Really Simple SSL allows you to prevent usage of the