WarriorForum - Internet Marketing Forums > The Warrior Forum > Main Internet Marketing Discussion Forum
Old 11-24-2009, 02:08 PM   #1
a.k.a. Anne Pottinger
War Room Member
WordPress Hacking Prevention

Just found this post: Fighting Blog Hacks: Preventing and Eliminating Intruders. Thought it would be useful to many.

AnniePot

Old 11-24-2009, 02:19 PM   #2
Warrior Member
War Room Member
Re: WordPress Hacking Prevention

Here's a plugin that does all, or most of, the anti-hacking work for you:

WordPress Firewall Plugin » SEO Egghead

I've been using it since early this year when my philwiley.com blog got hacked twice, and I've had no problems on any blogs since then. Here's a piece I wrote about using it, along with screenshots. I got hacked – TWICE

phil

philwiley

Old 11-24-2009, 02:24 PM   #3
a.k.a. Anne Pottinger
War Room Member
Re: WordPress Hacking Prevention

Thanks Phil - even better

AnniePot

Old 11-24-2009, 02:51 PM   #4
TheRichJerksNet
Guest
Re: WordPress Hacking Prevention

What's even better is changing the coding on WordPress.. Using a plugin or some article that says do this or that will not protect your blog. It is open source code and the only way to protect it (nothing is 100% secure) is to change the coding so the hackers have no idea what to do or how to do it.

James

Old 11-24-2009, 03:55 PM   #5
HyperActive Warrior
Re: WordPress Hacking Prevention

That's really appreciated. But the methods and skills for preventing hacking are a real challenge. They require you to have excellent skills in networking and communication.

Steve Powers

Old 11-24-2009, 04:22 PM   #6
Warrior Member
War Room Member
Re: WordPress Hacking Prevention

I'm not saying just using a plugin is going to stop all attacks. If someone wants to get you they probably will.

My ozemedia.com forum got irreparably corrupted a few years ago by a persistent attacker (maybe attackers) who kept at it for months until all my time was being spent fixing problems and I eventually closed it.

And it's the same with blogs. If someone with the skills wants to make things bad for you, they will.

However, at least if you're taking some preventative measures like adding a security plugin, and making coding changes, you're doing more than 99.9 percent (guess) of other blog owners, so you should be safe from drive-by attacks.

phil

philwiley

Old 11-24-2009, 04:27 PM   #7
Advanced Warrior
Re: WordPress Hacking Prevention

Thanks AnniePot!

Another thing you can do is to use SFTP rather than FTP when uploading/downloading WordPress files (new themes, plugins, etc).

With FTP your details are transmitted in the clear across the Internet and can be picked up by eavesdroppers. Once they have your FTP details they can access your WordPress installation via FTP.

SFTP encrypts your details, securing that potential entry point.

Cheers,

Martin.

Abledragon

Old 11-24-2009, 04:39 PM   #8
HyperActive Warrior
War Room Member
Re: WordPress Hacking Prevention

Thanks everyone, this is useful to know. I had a hack which took me offline (host policy). Anything I can do to minimise the risk again (without becoming a techhead) is great to know.
mello

Old 11-24-2009, 04:56 PM   #9
HyperActive Warrior
War Room Member
Re: WordPress Hacking Prevention

Quote:
Originally Posted by philwiley
I'm not saying just using a plugin is going to stop all attacks. If someone wants to get you they probably will.

My ozemedia.com forum got irreparably corrupted a few years ago by a persistent attacker (maybe attackers) who kept at it for months until all my time was being spent fixing problems and I eventually closed it.

And it's the same with blogs. If someone with the skills wants to make things bad for you, they will.

However, at least if you're taking some preventative measures like adding a security plugin, and making coding changes, you're doing more than 99.9 percent (guess) of other blog owners, so you should be safe from drive-by attacks.

phil
I am going to try that plugin, Phil. I use WP for most of my sites. I remember when that happened to your forum and you had to shut it down. Yours was the first forum I joined when I started in IM!
rosterling

Old 11-24-2009, 07:12 PM   #10
Took The Red Pill
War Room Member
Re: WordPress Hacking Prevention

Quote:
Originally Posted by TheRichJerksNet
It is open source code and the only way to protect it (nothing is 100% secure) is to change the coding so the hackers have no idea what to do or how to do it.
James, while I agree that many of these so-called 'security' and audit plugins may do little to harden an installation, I doubt that security through obscurity is an effective countermeasure either.

I will stick my neck out and hazard a guess that most blog break-ins on up-to-date software are the result of brute-force password attacks, where the attacker simply keeps rapidly trying variations of common passwords and random combinations.

A powerful defense against this common attack is:

1) Use a good password - i.e. not a word from the dictionary, and bonus points for including upper and lower case, numbers and punctuation.

2) Don't transmit the password in clear text - use a plugin that will encrypt the password on the client before passing it to the server, such as Chap Secure Login

3) Temporarily lock out an IP address that appears to be trying lots of failed passwords, i.e. looks like an attack: Login LockDown

If you have those covered, an attacker will most likely move on to easier pickings.
xiaophil

Old 11-24-2009, 08:00 PM   #11
Web Marketing For Profit
War Room Member
Re: WordPress Hacking Prevention

Having to administer many hundreds of blogs, I used to get a few attacks; however, I noticed many were from within, so I offer these suggestions.

1. Use good antivirus software. Free is good, but the latest WordPress attacks came from a malware problem that most of the free programs were not picking up.

2. I found that FileZilla and many other FTP programs were compromised, so never store your passwords in them. Use something like Keypass to store your passwords and then enter them as needed.

Key Pass Security for your Business. | Website Marketing For Better Results

3. Keep your WordPress and plugins up to date and keep away from poorly supported plugins.

Quentin

"If it's free, you're not the customer but the product"
Quentin

Old 11-24-2009, 08:05 PM   #12
TheRichJerksNet
Guest
Re: WordPress Hacking Prevention

Quote:
Originally Posted by xiaophil
James, while I agree that many of these so-called 'security' and audit plugins may do little to harden an installation, I doubt that security through obscurity is an effective countermeasure either.

I will stick my neck out and hazard a guess that most blog break-ins on up-to-date software are the result of brute-force password attacks, where the attacker simply keeps rapidly trying variations of common passwords and random combinations.

A powerful defense against this common attack is:

1) Use a good password - i.e. not a word from the dictionary, and bonus points for including upper and lower case, numbers and punctuation.

2) Don't transmit the password in clear text - use a plugin that will encrypt the password on the client before passing it to the server, such as Chap Secure Login

3) Temporarily lock out an IP address that appears to be trying lots of failed passwords, i.e. looks like an attack: Login LockDown

If you have those covered, an attacker will most likely move on to easier pickings.
All the more reason to change the coding and stop updating with wp updates. Those cool little new features do not mean much if your business is suffering, do they ??

Sorry but there is no plugin, no little article tips, that are going to stop the hacking. Hackers have access to all those plugins and articles and wp updates. If you change the coding and the hacker does not know what was changed then they have a very hard time hacking...

Just being real and after dealing with well over 3,000 customers I think I know a few things...

James

Old 11-24-2009, 08:40 PM   #13
HyperActive Warrior
War Room Member
Re: WordPress Hacking Prevention

James is correct. When you have the resources to "Change the Tumblers" themselves then you are Hardening your site to a new level. Also, IF you are doing this kind of coding then it makes sense to NOT perform updates because it will simply undo what you have done.

If you are married to your plugins then the best thing you can do is not advertise what you are using. Some plugins are more of an exposure than others.

But if you are like me then staying current is the best option, along with watching your log file and stats. BUT be prepared to react. Do your backups religiously and KNOW that you can restore from them at a moment's notice (you must practice recovery just as you perform backups). Most failures from a restore occur because the backup was not done correctly.

James sounds like he dreams in PHP (I used to dream in Assembler...aaaahhhh...the good ole days). I think he might be in the same club as another friend of mine that dreams in PHP. My friend can flat out produce PHP code. Shame he works in a corporate environment.

Sorry I digressed.

If your site is important enough to you then do not ignore securing it. However, if you are in marketing programs similar to Google's A (I won't mention it because the Mods will push this thread to another part of the forum) then just know how to recreate your site in a fast way and change your passwords.

Be Security smart with what you want to protect.
UBotBuddy

Old 11-24-2009, 09:00 PM   #14
Active Warrior
War Room Member
Re: WordPress Hacking Prevention

This is useful stuff. Thanks, everyone.

mattlloyd

Old 11-24-2009, 09:03 PM   #15
Active Warrior
War Room Member
Re: WordPress Hacking Prevention

Quote:
Originally Posted by philwiley
Here's a plugin that does all, or most of, the anti-hacking work for you:

WordPress Firewall Plugin » SEO Egghead

I've been using it since early this year when my philwiley.com blog got hacked twice, and I've had no problems on any blogs since then. Here's a piece I wrote about using it, along with screenshots. I got hacked – TWICE

phil
Thanks Phil,

Very useful indeed.

Andy

creativentrepreneur

Old 11-24-2009, 09:03 PM   #16
TheRichJerksNet
Guest
Re: WordPress Hacking Prevention

Quote:
Originally Posted by SiteBlaster
James sounds like he dreams in PHP (I used to dream in Assembler...aaaahhhh...the good ole days). I think he might be in the same club as another friend of mine that dreams in PHP. My friend can flat out produce PHP code. Shame he works in a corporate environment.
I think that is about right since 100% of all my sites I have coded in PHP ...lol

James

Old 11-24-2009, 09:05 PM   #17
Offline Professional
War Room Member
Re: WordPress Hacking Prevention

My best hack prevention is my automated backup. At worst I lose 4 hours of data. I can be up and going in 15 mins again after an attack.

The bottom line is that if a hacker wants to get you he will if he tries hard enough, particularly if you use WP. You just need to have a disaster recovery plan in place.

Marcus Paul

Old 11-24-2009, 10:11 PM   #18
Kezz Bracey
War Room Member
Re: WordPress Hacking Prevention

I have a standard lineup of three security plugins that I install with every WordPress site.

'AskApache Password Protect' - blocks spam, hackers and password protects your site (several folders). WordPress › AskApache Password Protect WordPress Plugins

'Login Lockdown' - adds extra security to the admin login page. WordPress › Login LockDown WordPress Plugins

'Secure WordPress' - takes care of a series of tweaks that remove some WordPress vulnerabilities. WordPress › Secure WordPress WordPress Plugins

To make installing these easy, the first plugin I always install is Plugin Central, which lets you paste in a list of standard plugins and then installs those plugins for you automatically.

The addresses to include in your Plugin Central list for those three are:
HTML Code:
http://downloads.wordpress.org/plugin/secure-wordpress.zip
http://downloads.wordpress.org/plugin/login-lockdown.1.5.zip
http://downloads.wordpress.org/plugin/askapache-password-protect.4.6.5.2.zip

Kezz

Old 11-25-2009, 03:45 AM   #19
Took The Red Pill
War Room Member
Re: WordPress Hacking Prevention

Quote:
Originally Posted by TheRichJerksNet
All the more reason to change the coding and stop updating with wp updates.
Ahhhh, I just noticed you are selling a Wordpress "security" product in your sig. That explains a lot.

I was having a great laugh reading your parody "security" site before realizing you are actually trying to be serious.

From the sales page:

Quote:
Close and block all exploits that hackers know about
Priceless! Rather a sweeping statement there don't you think?

Quote:
Stop any and all SQL injection attacks
Wow that's amazing! Hardening WordPress explains how to prevent some of them by changing the database table prefix, but I can see you are well ahead of the core development team on this one.

Quote:
Block all folders that are open to a hacker's attack
Really? So instead of just making them read-only (chmod 755) and invisible (Options -Indexes in .htaccess) we can actually "block" them from "hackers" (whatever that means). This is great news.


Just think of all the time myself and countless others have wasted keeping WP blogs up to date with the latest official security patches, when all along we could have just bought a "secure" system for the cheap one-off price of $39.97.


Even the WordPress Firewall Plugin mentioned above states "Its purpose is not to replace prompt and responsible upgrading", but I see your apparently impervious product requires no such disclaimer.


Infosec and digital forensic skills are in high demand by Fortune 500s, have you considered consulting? Maybe you already are, or perhaps scaring blog owners into spending $39.97 is more lucrative?


On the topic of credentials, "15 years of Internet industry experience" sounds way too modest for such groundbreaking achievements in computer security. Don't be shy, tell us how you did it. I am sure there are heaps of web-monkeys out there looking to make the leap into the lucrative world of digital forensics.

Quote:
Sorry but there is no plugin, no little article tips, that are going to stop the hacking.
Except yours, right?

Quote:
Just being real and after dealing with well over 3,000 customers...
Is "dealing with" a euphemism for "misleading"?

Quote:
I think I know a few things...
A very revealing statement, as one of the hallmarks of unconscious incompetence is the inability to recognize a deficit.

Quote:
It is open source code and the only way to protect it (nothing is 100% secure) is to change the coding so the hackers have no idea what to do or how to do it.
In my opinion, claiming that Open Source software is inherently insecure because it isn't obscure indicates an overall lack of understanding of the causes of software vulnerabilities.

Whether software is open or closed source is largely irrelevant. Its security is dependent primarily on the quality of the code.

There are numerous open source cryptographic and other security-oriented software packages in widespread use with very few issues. On the other hand, there are also very popular closed source operating systems that regularly announce patches for newly discovered vulnerabilities.

Some people may consider it disturbing when a "secure" software vendor appears to have little grasp of the subject. The tragedy is that their customers are most likely unaware of this, and in their search for some peace of mind, put their faith in the snake oil.
xiaophil

Old 11-25-2009, 04:32 AM   #20
HyperActive Warrior
War Room Member
Re: WordPress Hacking Prevention

xiaophil

I would be very careful how you tread on this subject. It is easy to sit back and punch holes in security comments. I've been there. I have also been on the other side of the table when comments like yours are directed towards people in jobs like I had just so they could protect a little bit of knowledge they thought was correct. Ultimately, it was the wrong logic.

The advice given up to this point has been VERY good and very much on the mark.

As I have said in the past, there are good plans and there are bad plans.

What is your experience in auditing and security? I can tell you after 10 years of working in that business I know what I am talking about. I was the most hated auditor of them all only because I was right. As far as James is concerned, IMHO he is as knowledgeable about this subject as any other that I have heard and it does not give me any reason to doubt him or his ebook. But if any of his comments in here are a prelude to it then he will be on the mark as well.

I do wish you well in your endeavors, I just hope it is not in auditing or security!
UBotBuddy

Old 11-25-2009, 04:56 AM   #21
One Man Army
War Room Member
Re: WordPress Hacking Prevention

Quote:
Originally Posted by SiteBlaster
xiaophil

I would be very careful how you tread on this subject. It is easy to sit back and punch holes in security comments. I've been there. I have also been on the other side of the table when comments like yours are directed towards people in jobs like I had just so they could protect a little bit of knowledge they thought was correct. Ultimately, it was the wrong logic.

The advice given up to this point has been VERY good and very much on the mark.

As I have said in the past, there are good plans and there are bad plans.

What is your experience in auditing and security? I can tell you after 10 years of working in that business I know what I am talking about. I was the most hated auditor of them all only because I was right. As far as James is concerned, IMHO he is as knowledgeable about this subject as any other that I have heard and it does not give me any reason to doubt him or his ebook. But if any of his comments in here are a prelude to it then he will be on the mark as well.

I do wish you well in your endeavors, I just hope it is not in auditing or security!
From my experience working in the software industry and also with my training company providing security certifications like the CISSP, CEH and Security+, I think that xiaophil has some very valid points here.

Good security points for your WordPress blog in my opinion are:

- Don't have username "admin"
- Set your server to deny access to the IP and log the attempt after so many wrong logins; this will help you defend against brute force. Setting your server up to send an SMS to your phone when the alarm is triggered is something we have done for mission critical systems before.
- Change the prefix of the WordPress database.
- Don't use shared hosting. In most of the cases where my clients have been hacked it is usually because they are on shared hosting. We have kept their site secure but another site that shares the same server is vulnerable and allowed access. Shared hosting means your website shares a server with literally thousands of other websites.

Underground hacker and bot networks can do a lot of damage with 0day exploits before they are patched. Making yourself "hacker proof" in most cases is not practical, but making sure you are not an easy target is essential, and usually enough to keep you out of trouble.

Usually though the entry point for hacks is keyloggers distributed through P2P or BitTorrent sites. The hacker takes out your weak home system and then gains access to passwords for all your accounts. This happens more than you could believe and the fallout of something like this can be nasty. Virus scanners are not real security, they just stop the noobs that don't know how to make viruses themselves.

GuerrillaIM
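The lockout idea in xiaophil's point 3 (#10) and GuerrillaIM's "deny access to the IP after so many wrong logins" (#21), worked through as an added example that is not code from either poster or from the Login LockDown plugin: a sliding-window failed-login counter replayed over constructed Apache access log lines. The rule that a POST to wp-login.php answered with HTTP 200 is a failed login and a 302 is a success is an assumption about WordPress' response codes, not something the thread states.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields the policy needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_timestamp(text):
    """Parse an Apache log timestamp such as '24/Nov/2009:20:00:01 +0000'."""
    return datetime.strptime(text, TS_FORMAT)


class LoginLockdown:
    """Lock an IP out for `lockout` after `max_failures` failures within `window`."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> datetime the lockout expires

    def locked_until(self, ip):
        return self._locked_until.get(ip)

    def is_locked(self, ip, now):
        """True while a lockout is active; an expired lockout is cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; return True if it triggers a lockout."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # slide the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False


def parse_line(line):
    """Extract ip, timestamp, method, path (query stripped) and status, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m.group("ip"), "ts": parse_timestamp(m.group("ts")),
            "method": m.group("method"), "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status"))}


def analyze_log(lines, policy=None):
    """Replay wp-login.php POSTs through the policy; return lockouts and blocked hits.

    Assumed heuristic: WordPress answers a failed login with HTTP 200 (the form
    is shown again with an error) and a successful one with a 302 redirect to
    wp-admin, so a POST to /wp-login.php with status 200 counts as a failure.
    """
    policy = policy or LoginLockdown()
    lockouts, blocked = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if policy.is_locked(rec["ip"], rec["ts"]):
            blocked += 1  # an active lockout would have denied this request
            continue
        if rec["status"] == 200 and policy.record_failure(rec["ip"], rec["ts"]):
            lockouts.append((rec["ip"], policy.locked_until(rec["ip"]).isoformat()))
    return {"lockouts": lockouts, "blocked_requests": blocked}


# Constructed sample log (TEST-NET addresses): 203.0.113.7 hammers the login form,
# 198.51.100.9 mistypes once and then logs in (302).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Nov/2009:20:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2009:20:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2009:20:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Nov/2009:20:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2009:20:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2009:20:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2009:20:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Nov/2009:20:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Nov/2009:21:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(analyze_log(SAMPLE_LOG.splitlines()))
```

On the sample the fifth failure from 203.0.113.7 at 20:00:08 triggers a one-hour lockout, the request one second later is counted as blocked, and the attempt at 21:30 starts a fresh count because the lockout has expired.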

Old 11-25-2009, 05:08 AM   #22
HyperActive Warrior
War Room Member
Re: WordPress Hacking Prevention

Kezz
"I have a standard lineup of three security plugins that I install with every Wordpress site."

I would like to ask if it is difficult to configure these plugins? I have a WordPress site, but I am a novice when it comes to the admin side.
troy23

Old 11-25-2009, 05:16 AM   #23
A rat after money...
War Room Member
Re: WordPress Hacking Prevention

I made a blog post some time back:
http://blog.homebiznizz.net/access-c...s-in-htaccess/

HomeBizNizz

Old 11-25-2009, 06:24 AM   #24
Took The Red Pill
War Room Member
Re: WordPress Hacking Prevention

Siteblaster,

Thanks for your response.

I certainly have no beef with the legitimate security auditing industry.

What does get my hackles up is seeing self-proclaimed experts preying on the uneducated, and the sure signs of a charlatan are broad, sweeping generalizations linked to cure-all claims and the conspicuous lack of credentials.

That may not be happening here, but the warning signs are evident.

As I am not positioning myself as a security expert, my credentials are perhaps not as important as someone who is.

"Computer security" is a huge and varied business, what aspect of it were you involved in specifically?

And seeing as you are the one with the hands-on experience, could you explain specifically how you validated the claims of the product in question?

After all, as a professional security auditor, surely you didn't just base your conclusions on whether the vendor sounds like they know what they are talking about, did you?

Quote:
Originally Posted by SiteBlaster
I would be very careful how you tread on this subject. It is easy to sit back and punch holes in security comments. I've been there. I have also been on the other side of the table when comments like yours are directed towards people in jobs like I had just so they could protect a little bit of knowledge they thought was correct. Ultimately, it was the wrong logic.
I am always receptive to new ideas, as well as corrections and feedback from a domain expert. Unfortunately you have provided nothing more here than some kind of vague warning and a lot of finger waving.

Quote:
As I have said in the past, there are good plans and there are bad plans.
I'll write that down for future reference.

Quote:
I can tell you after 10 years of working in that business I know what I am talking about. BLAH BLAH BLAH BLAH BLAH....
Well then, respectfully, perhaps you could contribute to this thread by actually sharing some of your knowledge instead of just telling us how big it is.

Quote:
I do wish you well in your endeavors, I just hope it is not in auditing or security!
Your tone is not all that sincere, but my endeavors are doing fine, thanks.

Like I said, if you are willing to explain things, I am happy to listen, but this attitude of "I know lots and you're wrong, and what do you know anyway" just doesn't cut it, I'm afraid.
xiaophil

Old 11-25-2009, 06:28 AM   #25
Senior Warrior Member
War Room Member
Re: WordPress Hacking Prevention

- update regularly.
- don't use a ton of obscure plugins, a handful of well known (updated) ones is OK.

Chris Kent

Old 11-25-2009, 06:51 AM   #26
One Man Army
War Room Member
Re: WordPress Hacking Prevention

Quote:
Originally Posted by ProductCreator
- don't use a ton of obscure plugins, a handful of well known (updated) ones is OK.
Exploits can be found even in popular plugins (it's the popular ones that are most dangerous; exploits in unknown programs often go without reprisal).

Follow advice with caution.

GuerrillaIM

Old 11-25-2009, 03:46 PM   #27
Kezz Bracey
War Room Member
Re: WordPress Hacking Prevention

Quote:
Originally Posted by troy23
Kezz
"I have a standard lineup of three security plugins that I install with every Wordpress site."

I would like to ask if it is difficult to configure these plugins? I have a WordPress site, but I am a novice when it comes to the admin side.
Not difficult at all, easy peasy. All you need to do is install them and activate them and you're good. There are some options available for each, but I've found the default settings to be just fine.

Kezz

Old 11-25-2009, 04:21 PM   #28
TheRichJerksNet
Guest
Re: WordPress Hacking Prevention

Quote:
Originally Posted by xiaophil
Ahhhh, I just noticed you are selling a Wordpress "security" product in your sig. That explains a lot.

I was having a great laugh reading your parody "security" site before realizing you are actually trying to be serious.

From the sales page:

Priceless! Rather a sweeping statement there don't you think?

Wow that's amazing! Hardening WordPress explains how to prevent some of them by changing the database table prefix, but I can see you are well ahead of the core development team on this one.

Really? So instead of just making them read-only (chmod 755) and invisible (Options -Indexes in .htaccess) we can actually "block" them from "hackers" (whatever that means). This is great news.


Just think of all the time myself and countless others have wasted keeping WP blogs up to date with the latest official security patches, when all along we could have just bought a "secure" system for the cheap one-off price of $39.97.


Even the WordPress Firewall Plugin mentioned above states "Its purpose is not to replace prompt and responsible upgrading", but I see your apparently impervious product requires no such disclaimer.


Infosec and digital forensic skills are in high demand by Fortune 500s, have you considered consulting? Maybe you already are, or perhaps scaring blog owners into spending $39.97 is more lucrative?


On the topic of credentials, "15 years of Internet industry experience" sounds way too modest for such groundbreaking achievements in computer security. Don't be shy, tell us how you did it. I am sure there are heaps of web-monkeys out there looking to make the leap into the lucrative world of digital forensics.

Except yours, right?

Is "dealing with" a euphemism for "misleading"?

A very revealing statement, as one of the hallmarks of unconscious incompetence is the inability to recognize a deficit.

In my opinion, claiming that Open Source software is inherently insecure because it isn't obscure indicates an overall lack of understanding of the causes of software vulnerabilities.

Whether software is open or closed source is largely irrelevant. Its security is dependent primarily on the quality of the code.

There are numerous open source cryptographic and other security-oriented software packages in widespread use with very few issues. On the other hand, there are also very popular closed source operating systems that regularly announce patches for newly discovered vulnerabilities.

Some people may consider it disturbing when a "secure" software vendor appears to have little grasp of the subject. The tragedy is that their customers are most likely unaware of this, and in their search for some peace of mind, put their faith in the snake oil.
First off I highly suggest reading the rules and especially rule #1...

With that said nothing in my sales copy is wrong or misleading.. Nothing I say is misleading and if you knew me as many of my customers do you would understand that.

I have no "plugin" ... I have a system that has been recoded and the security added into it. You do not need all these plugins and patches and articles and everything.

I have been custom building sites for over 15 years and yes I do know what I talk about. I do not hype anything or lie to get sales.

I find it funny though that you choose to attack a well respected member of this forum and a well respected website developer. That tells us a whole great deal right there..

If you want to mislead people into using useless crap then be my guest. As one well respected forum member told me before I even released v1 of my product. "If they want to be cheap and not protect their business then let them be hacked and when they come running charge them twice".

James
  Reply With Quote
Old 11-25-2009, 05:36 PM   #29
HyperActive Warrior
War Room Member
 
UBotBuddy's Avatar
 
Join Date: Jun 2009
Posts: 203
Thanks: 27
Thanked 14 Times in 12 Posts
Default Re: WordPress Hacking Prevention

Good luck to you xiaophil! And I do mean that.

I do not engage in pointless arguments. I know a snake oil salesman when I see the talk and so far James has yet to even come close to being that and his comments have been right on.

So, I will not be cutting and pasting excerpts from posts to try and debunk what they have said, it's just not worth it. So we will just have to Agree to Disagree.
UBotBuddy is offline   Reply With Quote
Old 11-25-2009, 06:12 PM   #30
Donald VanFossen
War Room Member
 
zerofill's Avatar
 
Join Date: May 2008
Location: Upstate NY , USA.
Posts: 2,051
Thanks: 355
Thanked 461 Times in 213 Posts
Default Re: WordPress Hacking Prevention

There is only one way to completely stop any chance of being hacked...

Unplug the computer running the blog from the internet

Other than that...I don't care if it is open source or a custom designed application...someone good wants in...they're getting in...period...

zerofill is offline   Reply With Quote
Old 11-25-2009, 06:16 PM   #31
HyperActive Warrior
War Room Member
 
UBotBuddy's Avatar
 
Join Date: Jun 2009
Posts: 203
Thanks: 27
Thanked 14 Times in 12 Posts
Default Re: WordPress Hacking Prevention

I agree zerofill! lol

I don't secure or backup ALL of my sites. Just the ones I care about.
UBotBuddy is offline   Reply With Quote
Old 11-25-2009, 11:28 PM   #32
Took The Red Pill
War Room Member
 
xiaophil's Avatar
 
Join Date: Apr 2006
Location: Here and Now
Posts: 374
Thanks: 124
Thanked 105 Times in 63 Posts
Contact Info
Send a message via Skype™ to xiaophil
Default Re: WordPress Hacking Prevention

Hello James,

Thanks for the response.

In the past, I have seen some of your posts and sometimes even agreed with what you said.

What bothered me in this thread is that you adopted a stance which attempted to discredit what are actually some quite effective measures for the sole purpose of promoting your product.

Quote:
Originally Posted by TheRichJerksNet View Post
First off I highly suggest reading the rules and especially rule #1...
I have read the rules and am aware of rule #1. I have no problems with you as a person and have not tried your "security" product. If you think I am in violation of the rules then simply report my post and have a moderator assess it. Easy.

Quote:
With that said nothing in my sales copy is wrong or misleading.. Nothing I say is misleading...
James, look at the language of some of the claims you are making, for example:

Quote:
Close and block all exploits that hackers know about
That statement is a minefield. Let me know if you can't figure out why.

And there are plenty more, like this gem:

Quote:
It is open source code and the only way to protect it... is to change the coding
This statement is saying that the software is inherently insecure because it is Open Source. That is inaccurate and misleading.

And while we're on the subject of Open Source:

Quote:
I have no "plugin" ... I have a system that has been recoded and the security added into it.
So you are saying you have forked the Wordpress code and rewritten ("recoded") it into a "secure" version. Is that right?

Wordpress is licensed under the GPL, the terms of which would oblige you to make any changes available as source code along with your new product.

Please explain how you can simultaneously have a product that relies upon security through obscurity and is released under an Open Source license. A few of us are very keen to hear how this works.

Quote:
I have been custom building sites for over 15 years and yes I do know what I talk about. I do not hype anything or lie to get sales.
Your skills as a web developer are not an issue here, and you haven't been accused of lying, so I am not sure why you feel the need to mention that.

Quote:
I find it funny though that you choose to attack a well respected member of this forum and a well respected website developer. That tells us a whole great deal right there..
James, I am not attacking you. I don't know you. You may very well be a nice guy. Am I attacking your methods in this particular instance? Absolutely.

Quote:
If you want to mislead people into using useless crap then be my guest.
Having an up to date system with a handful of sensible security measures is a simple and effective way to secure a blog against the majority of attacks.

I would rather focus on raising awareness and education rather than pushing a magical cure-all for the purpose of extracting forty bucks from someone.

The fact is that by implementing a handful of best practices, many of which have been mentioned, people can achieve pretty good security on their blogs.
xiaophil is offline   Reply With Quote
Old 11-25-2009, 11:37 PM   #33
TheRichJerksNet
Guest
 
Posts: n/a
Default Re: WordPress Hacking Prevention

Dude I am not going to waste my time to argue with you .. Matter fact I did not even read your entire post.. I did not post in here to promote my product .. Heck "DONT BUY MY PRODUCT".... What I posted was the truth and I have over 15 years to back me up...

Go get some off the wall plugins, be my guest.. It's not my website/blog...

James

P.S. And the ignore list gets bigger....
  Reply With Quote
Old 11-25-2009, 11:56 PM   #34
Hooked on Gansbaai
War Room Member
 
theimdude's Avatar
 
Join Date: Aug 2009
Location: here, and everywhere
Posts: 949
Thanks: 57
Thanked 102 Times in 91 Posts
Default Re: WordPress Hacking Prevention

James, James, James are you at it again ................ I am a bit confused here as in all your post here you knock all methods and security plugins and even wordpress as being bad news but you sell a plugin for wordpress in your signature.

Wordpress GPL or not rocks. Just keep it updated and you will be ok.

Did you know that for $17 you can create your own Video Articles Instantly

theimdude is offline   Reply With Quote
Old 11-26-2009, 12:10 AM   #35
TheRichJerksNet
Guest
 
Posts: n/a
Default Re: WordPress Hacking Prevention

Quote:
Originally Posted by theimdude View Post
James, James, James are you at it again ................ I am a bit confused here as in all your post here you knock all methods and security plugins and even wordpress as being bad news but you sell a plugin for wordpress in your signature.

Wordpress GPL or not rocks. Just keep it updated and you will be ok.
Not knocking it .. it's more of a warning.. Regardless of what anyone says most website developers know open source code is a target because it is open source. Otherwise many wannabe hackers would not be able to hack it.

I do not sell any plugins...

There are far too many people that are misled until it is too late. Keeping something up-to-date does not always correct the problem. Matter fact search the post here and see how many lost everything due to updating so fast, because trust me there are many.

I will say it again nothing is 100% secure but fact is if you take your business seriously then I suggest you take your security seriously and not just depend upon some plugin or some update.

James
  Reply With Quote
Old 11-26-2009, 12:26 AM   #36
Hooked on Gansbaai
War Room Member
 
theimdude's Avatar
 
Join Date: Aug 2009
Location: here, and everywhere
Posts: 949
Thanks: 57
Thanked 102 Times in 91 Posts
Default Re: WordPress Hacking Prevention

Quote:
Originally Posted by TheRichJerksNet View Post
Not knocking it .. it's more of a warning.. Regardless of what anyone says most website developers know open source code is a target because it is open source. Otherwise many wannabe hackers would not be able to hack it.

I do not sell any plugins...

There are far too many people that are misled until it is too late. Keeping something up-to-date does not always correct the problem. Matter fact search the post here and see how many lost everything due to updating so fast, because trust me there are many.

I will say it again nothing is 100% secure but fact is if you take your business seriously then I suggest you take your security seriously and not just depend upon some plugin or some update.

James
Problem is James I read what you're selling and it is public. So once what you're selling is out then what?

Will the owners of your method be told there was a hacker better than you?

In any case I always wonder why you come into a wonderful thread which offers good advice (the link from the OP is very good) and seem to stir................

Just my observation

Eza Articles
Duplicate content
Now Wordpress security

Did you know that for $17 you can create your own Video Articles Instantly

theimdude is offline   Reply With Quote
Old 11-26-2009, 02:45 AM   #37
Took The Red Pill
War Room Member
 
xiaophil's Avatar
 
Join Date: Apr 2006
Location: Here and Now
Posts: 374
Thanks: 124
Thanked 105 Times in 63 Posts
Contact Info
Send a message via Skype™ to xiaophil
Default Re: WordPress Hacking Prevention

Quote:
Originally Posted by SiteBlaster View Post
Good luck to you xiaophil! And I do mean that.
Yes you keep saying that. Good luck with what, precisely?

Quote:
I do not engage in pointless arguments.
Glad to hear it.

Quote:
...I will not be cutting and pasting excerpts from posts to try and debunk what they have said...
Why would your objective be to debunk things? I thought this thread was about sharing ideas on improving Wordpress security.

You claim to have extensive commercial experience of software security, but so far we have yet to hear a single iota of practical advice from you.

It's not too late though, you can still choose to share some of the wealth of experience you claim to have.

You don't even need to cut and paste excerpts, just answer the simple questions put to you, if you can.

For your convenience I will reiterate one here:

"How specifically did you validate the claims of the product in question?"

If you didn't, just say so.

Quote:
Originally Posted by SiteBlaster View Post
I don't secure or backup ALL of my sites. Just the ones I care about.
In my opinion, that doesn't sound like something a computer security professional would say.
xiaophil is offline   Reply With Quote
Old 11-26-2009, 05:45 AM   #38
a.k.a. Anne Pottinger
War Room Member
 
AnniePot's Avatar
 
Join Date: Jan 2009
Location: ½ Way between California and New York
Posts: 1,730
Thanks: 1,788
Thanked 841 Times in 495 Posts
Social Networking View Member's FaceBook Profile  View Member's Twitter Profile 
Default Re: WordPress Hacking Prevention

A good friend of mine who makes a living managing WP blogs has also just recommended WordPress Exploit Scanner to me.

Anne

AnniePot is offline   Reply With Quote