Wednesday, 2 August 2017

WordPress security myths

Hide or move wp-admin to prevent brute force attacks

If you search for WordPress security advice, moving or hiding wp-admin is one common tip, and there are many plugins that will do this for you. Bots and scanners are actively looking for WordPress installations and attempting password brute-force attacks against the login. Note that /wp-admin itself only redirects unauthenticated visitors to /wp-login.php, which is where the password guesses actually land.

This method is what is called "security by obscurity". Relying on it is not real security and cannot be considered a good solution.

A big downside of this method is that many plugins depend on the exact location of /wp-admin, so you risk breaking them.

Besides this, most of the attacks use XML-RPC: a POST to /xmlrpc.php carrying a wp.getUsersBlogs call (and hundreds of them in a single request via system.multicall) checks credentials without ever touching /wp-admin or the login page, so hiding wp-admin does nothing against it.

However, I highly recommend a plugin that limits login attempts to prevent a brute-force attack. Make sure it also counts attempts through /xmlrpc.php, or disable XML-RPC entirely if nothing you use depends on it.
Changing the wp_ prefix of all tables

Another common tip is to change the wp_ prefix of the WordPress tables. The theory is that this makes an SQL injection harder. In reality it does not matter; it is just a waste of time.

If an attacker can query information_schema.tables, he or she gets the names of all tables, whatever fancy prefix you put in front of them. Again, this is "security by obscurity".
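To make the point concrete, here is an added example (not from the original post) that creates the core WordPress tables under a random prefix and then locates the users table without knowing that prefix. It uses an in-memory SQLite database so it runs offline; SQLite's sqlite_master catalogue plays the role that information_schema.tables plays in MySQL, and the column layout of the tables is trimmed to a placeholder because only the names matter here.

```python
import secrets
import sqlite3

# Core table names WordPress creates; the prefix in front of them is the only variable.
CORE_TABLES = ("users", "usermeta", "posts", "options")


def create_prefixed_schema(conn, prefix):
    """Create the core tables under `prefix` (placeholder columns, assumption for the demo)."""
    for table in CORE_TABLES:
        conn.execute(f'CREATE TABLE "{prefix}{table}" (id INTEGER PRIMARY KEY, data TEXT)')
    conn.execute(f'INSERT INTO "{prefix}users" (data) VALUES (?)', ("admin",))


def enumerate_tables(conn):
    """List every table in the database.

    MySQL equivalent an injected query would use:
        SELECT table_name FROM information_schema.tables WHERE table_schema = DATABASE()
    """
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows]


def find_users_table(conn):
    """Locate the users table by suffix match; the prefix is never needed."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE '%users'"
    ).fetchall()
    return rows[0][0] if rows else None


def demo(prefix=None):
    """Return (prefix, all table names, discovered users table, its rows)."""
    prefix = prefix or f"wp_{secrets.token_hex(4)}_"  # e.g. wp_3f9a1c2b_
    conn = sqlite3.connect(":memory:")
    create_prefixed_schema(conn, prefix)
    users = find_users_table(conn)
    # the attacker now reads from the "hidden" table by its discovered name
    names = [data for (data,) in conn.execute(f'SELECT data FROM "{users}"')]
    return prefix, enumerate_tables(conn), users, names


if __name__ == "__main__":
    prefix, tables, users, names = demo()
    print(f"prefix {prefix}: tables {tables}")
    print(f"users table found as {users}, rows {names}")
```

The lookup works for any prefix, which is the whole point: the fix for SQL injection is parameterised queries in the vulnerable code (as with the `?` placeholder above), not a name the database catalogue will hand over on request.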