Slightly off-topic, but do WordPress extensions such as Wordfence Security offer any serious protection?
BURN ALL BLOGS! WordPress has a critical cross-site scripting flaw
WordPress has warned users of a “cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site” and urged all users “to update your sites immediately.” Installations that auto-upgrade should already be patched. The patch comes in the form of WordPress 4.2.3, which fixes …
COMMENTS
Friday 24th July 2015 07:42 GMT Anonymous Coward
Wordfence fends off brute-forcers quite well (and there's a lot of them about) and the live view is quite good to have. It also turns off the user listing page (which if your username and 'screen name' are the same leaves brute-forcers only needing to guess the password). You can also have 2FA if you cough up the money.
Wordfence and All In One WP Security and Firewall together cover a lot of common flaws and play quite nicely together.
It's mainly to stop brute-forcers and obvious/common attacks/flaws. Like having a burglar alarm really - ups the skill level required, but if someone skilled enough really wants you they'll find a way in.
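A minimal WordPress must-use plugin that implements the two things this comment credits Wordfence with: closing the author-listing leak (the `/?author=N` redirect and the REST users endpoint both reveal login names) and throttling repeated login failures per IP. This is an added example, not Wordfence's code and not something from the original post; the `harden_` names, the five-failures-per-fifteen-minutes threshold, and the assumption that `REMOTE_ADDR` is the real client address are mine.

```php
<?php
/**
 * Plugin Name: Minimal WP hardening (added example, not Wordfence)
 * Install by copying into wp-content/mu-plugins/ so it loads unconditionally.
 */

// 1. Block author enumeration via /?author=N. Without this, WordPress answers
//    with a 301 to /author/<login>/, handing the attacker the login name.
add_action('init', function () {
    if (!is_admin() && isset($_REQUEST['author'])) {
        status_header(403);
        exit('Forbidden');
    }
});

// 2. Hide the REST users endpoint from anonymous callers. /wp-json/wp/v2/users
//    lists every user who has published a post, including their login slug.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// 3. Per-IP login throttle using WordPress transients (no external service).
//    Assumptions (hypothetical values): 5 failures per 15-minute window, and
//    REMOTE_ADDR is the real client. Behind a reverse proxy you must take the
//    address from the proxy's forwarded header instead, or every visitor shares
//    one counter and a single attacker locks out the whole site.
const HARDEN_MAX_FAILS = 5;
const HARDEN_WINDOW    = 15 * MINUTE_IN_SECONDS;

function harden_fail_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'harden_fails_' . md5($ip);
}

// Count each failed attempt; the transient expires after the window.
add_action('wp_login_failed', function ($username) {
    $key   = harden_fail_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, HARDEN_WINDOW);
});

// Refuse authentication once the counter is over the limit. Priority 30 runs
// after WordPress's own username/password check (priority 20), so a WP_Error
// here overrides any successful result for a throttled address.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(harden_fail_key()) >= HARDEN_MAX_FAILS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed logins from this address; try again later.')
        );
    }
    return $user;
}, 30, 3);

// Clear the counter on a successful login so a legitimate user who mistyped a
// few times is not locked out after getting in.
add_action('wp_login', function () {
    delete_transient(harden_fail_key());
});
```

The throttle is deliberately simple: transients live in the options table (or the object cache if one is configured), so a distributed brute-force from many addresses is not slowed by it, which is the same limitation the comment describes as a burglar alarm rather than a vault.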
Friday 24th July 2015 15:34 GMT Anonymous Coward
Add Google authenticator
If you add Google Authenticator to it and use the "All In One WP Security" change of the admin login URL, it becomes quite hard for an outsider to breach a WP site, especially if you have a read-only one (a number of breaches are privilege escalations).
Of course, avoid installing anything you do not absolutely need. You will see in the All In One "Firewall" logs of 404 errors just what gets thrown at a site, and it helps identify plugins worth avoiding :).
Last but not least, you may also want to install "IQ Block Country" - my sites seem to get most hacking from China and Ukraine; with that plugin I just bar any access from those countries instead of building a massive blacklisting file.
Friday 24th July 2015 06:35 GMT Nate Amsden
doesn't seem too bad
The main bug seems to specifically refer to users with special rights being able to compromise the site, not just any random anonymous user.
I would wager most of the WordPress blogs out there probably have just a single account for the one person there (like mine), or have only trusted users (like the WordPress blog for my company; I think all of the users that contribute content have admin access already).