Plugin Author te_taipo (@te_taipo)

Most attacks on WordPress websites begin with automated reconnaissance, usually via an automated app that scans for vulnerabilities. Scanners typically look for:

• websites, plugins and themes that have not been updated
  Remedy: Keep WordPress core, themes and plugins fully updated
• the existence of website and database backups
  Remedy: Remove all old backups of the site/database from your website
• administrators with weak passwords
  Remedy: Use a strong password for your administrator accounts
• vulnerabilities in the host server itself
  – the ability to traverse an attack from another website on the same server to your website
  – the ability to traverse an attack from your website to another website on the same server
  – the ability to access the web server's root user credentials via your website
  Remedy: Stay clear of free hosting, and try not to use shared servers. If possible, install your website on a virtual private server (VPS) to maximise the chances of isolation between websites. Hosting your website/websites on your own VPS often presents too small a target for attackers to care about. The resources needed to breach a shared server's security where there are thousands of websites is the bigger payoff for attackers, versus your VPS, which is too small a payoff.

    One of the other functions Pareto Security is *very good* at is breaking the scanning abilities of these automatic attacker tools.
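The second remedy above (remove old backups from the web root) is easy to check from the defender's side. The following script is an added example, not part of the original post or of the Pareto Security plugin: it walks a WordPress document root and flags files whose names look like leftover archives, database dumps or copies of wp-config.php, which is exactly what the scanners the post describes go looking for. The suffix list and the sample path listing are assumptions constructed for the example.

```python
import os
from pathlib import PurePosixPath

# Name suffixes that commonly mark archives, dumps or editor backups left in a web root
# (assumed list for this example; extend it to match your own backup tooling).
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar", ".tar.gz", ".tgz",
                   ".bak", ".old", ".orig", ".save", ".swp", "~")

# Files whose *copies* are dangerous to serve: wp-config.php holds the DB credentials,
# and a copy such as wp-config.php.bak is served as plain text instead of being executed.
SENSITIVE_BASENAMES = ("wp-config.php", ".env", ".htpasswd")


def classify(rel_path):
    """Return a reason string if rel_path looks like a leftover backup, else None."""
    name = PurePosixPath(rel_path).name.lower()
    for base in SENSITIVE_BASENAMES:
        # The live file itself is expected; any variant of its name is a stray copy.
        if name != base and name.startswith(base):
            return "copy of sensitive file"
    if name.endswith(BACKUP_SUFFIXES):
        return "backup/archive extension"
    return None


def audit(rel_paths):
    """Pure helper: classify a list of document-root-relative paths."""
    return [(p, classify(p)) for p in rel_paths if classify(p)]


def find_exposed_backups(docroot):
    """Walk a WordPress document root and list (relative path, reason) for suspect files."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), docroot)
            found.extend(audit([rel.replace(os.sep, "/")]))
    return sorted(found)


# Constructed directory listing standing in for a real site (not from any real install).
SAMPLE_PATHS = [
    "index.php", "wp-config.php", "wp-config.php.bak", "backup-2019.zip",
    "wp-content/uploads/site.sql.gz", "wp-content/themes/demo/style.css", "db.sql~",
]

if __name__ == "__main__":
    for rel, why in audit(SAMPLE_PATHS):
        print(f"{rel}: {why}")
```

Run it against a live install with `find_exposed_backups("/path/to/docroot")`; anything it reports should be moved off the web root, not just renamed.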

  • The topic ‘A note on automated security attacks’ is closed to new replies.