Wordpress Security
Shield Security
Wordfence
https://wordpress.org/plugins/wordfence/
WORDFENCE FINDS CHANGES IN PLUGIN README.TXT FILE (mostly version numbers)
OK found it. He/she checked in code into the 5.5.2 tag after the release:
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=826766%40events-manager&old=794571%40events-manager&sfp_email=&sfph_mail=
So what I would do if I were you (and anyone else suffering from a plugin developer who checks code into their tags) just do a repair on files which have changed. This will have the same effect as if you were to uninstall the plugin and reinstall the newer version 5.5.2 while retaining any settings or data that might be removed on uninstall.
Sound good?
Instrux. on various htaccess modifications for security:
http://www.creativebloq.com/wordpress/protect-your-wordpress-site-htaccess-4122793
Instrux. on using htaccess redirect to stop recurring hacking attempts:
http://wordpress.org/support/topic/plugin-wordfence-security-stopping-recurring-hacking-attempts
How to change to default WP login page via htaccess:
http://www.limecanvas.com/how-to-change-the-default-wordpress-login-url/
Instrux. on htaccess file redirect:
http://kb.mediatemple.net/questions/242/How+do+I+redirect+my+site+using+a+.htaccess+file%3F
http://www.htaccessredirect.co.uk/
(Back up the .htaccess file at the site's top level first; then add this line at the very top of the file, above the # BEGIN WordPress block: Redirect 301 / http://www.mynewwebsite.com  Note that this redirects every path, wp-admin included, so it only suits moving the whole site to a new domain.)
https://wordpress.org/plugins/sucuri-scanner/
https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
Prevent XML-RPC Abuse
To stop your WordPress website from being misused, you will need to disable the XML-RPC (pingback) functionality on your site.
***You can do this by removing the file, xmlrpc.php, or you can disable notifications in your settings. The biggest challenge you’ll find with removing the file is that on an update it’ll come right back, annoying, I know. Some preliminary tests are showing that we’re able to bypass the disable notification setting but we are still investigating.
Update: A better way to block it is by creating a plugin that adds the following filter:
NOTE: add this to the theme's functions.php file (or to a small plugin, as Sucuri suggests, so it survives a theme switch):
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] ); // remove the pingback method, the DDoS reflection vector
    return $methods;
} );
LOGIN ATTEMPTS
https://wordpress.org/support/topic/still-have-login-attempts
http://www.blogaid.net/disable-xml-rpc-in-wordpress-to-prevent-ddos-attack
http://www.blogaid.net/brute-force-attacks-via-xml-rpc-rise-sharply
Use this plugin - https://wordpress.org/support/view/plugin-reviews/disable-xml-rpc
OR Manually add Blogaid's code to htaccess:
# START XML RPC BLOCKING
# Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is
# loaded, and the 2.4-native equivalent is "Require all denied"
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# FINISH XML RPC BLOCKING
WP Beginner's code to Block WordPress xmlrpc.php requests
# Block WordPress xmlrpc.php requests
# Apache 2.2 syntax (needs mod_access_compat on 2.4; the 2.4-native form is a
# single "Require ip 123.123.123.123" line inside the <Files> block).
# 123.123.123.123 is a placeholder: replace it with the fixed IP you publish from.
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
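The pingback filter above and the login-attempt links under LOGIN ATTEMPTS can be combined into one must-use plugin that also covers the brute-force side. This is an added example written for these notes, not code from Sucuri, BlogAid, Wordfence or WP Beginner; the hook names (xmlrpc_methods, wp_headers, xmlrpc_enabled, wp_login_failed) are WordPress core's, while the hx_ function names and the HX_ALLOW_AUTH_METHODS constant are assumptions made for this example. One point worth knowing: xmlrpc_enabled only gates methods that call login(), and pingback.ping never logs in, so that filter alone does not stop pingback abuse; the method has to be removed from the method table.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example for these notes)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request and
 * cannot be switched off from the dashboard. Hook names are WordPress core's;
 * the hx_ function names and the HX_ALLOW_AUTH_METHODS constant are
 * assumptions made for this example.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Loaded outside WordPress; nothing to do.
}

// Set this to true in wp-config.php only if something you run (WP mobile app,
// Jetpack, a desktop publishing client) really needs authenticated XML-RPC.
if ( ! defined( 'HX_ALLOW_AUTH_METHODS' ) ) {
    define( 'HX_ALLOW_AUTH_METHODS', false );
}

/**
 * Strip the methods that are abused in the wild.
 *
 * pingback.ping needs no login, so the xmlrpc_enabled filter used below does
 * not stop it; it has to be removed from the method table itself.
 * system.multicall wraps many calls in one HTTP request, which turns a
 * password-guessing run against wp.getUsersBlogs into hundreds of guesses
 * per request.
 */
function hx_strip_abusable_methods( array $methods ) {
    foreach ( array( 'pingback.ping', 'pingback.extensions.getPingbacks', 'system.multicall' ) as $name ) {
        unset( $methods[ $name ] );
    }
    return $methods;
}
add_filter( 'xmlrpc_methods', 'hx_strip_abusable_methods' );

/**
 * Stop advertising the endpoint: WordPress adds an X-Pingback header pointing
 * at xmlrpc.php to normal page responses, and scanners harvest exactly that.
 */
function hx_remove_pingback_header( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'hx_remove_pingback_header' );

/**
 * Record a failed password attempt that came in through xmlrpc.php, so the
 * attempts show up in the PHP error log (and to fail2ban-style tools) even if
 * the login-limiting plugin only watches wp-login.php.
 */
function hx_log_xmlrpc_login_failure( $username ) {
    if ( ! defined( 'XMLRPC_REQUEST' ) || ! XMLRPC_REQUEST ) {
        return; // Ordinary wp-login.php failure; leave it to the login-limiting plugin.
    }
    // Strip line breaks so a crafted username cannot forge extra log lines.
    $username = str_replace( array( "\r", "\n" ), ' ', (string) $username );
    $ip       = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'xmlrpc.php login failed for "%s" from %s', $username, $ip ) );
}

if ( HX_ALLOW_AUTH_METHODS ) {
    // Authenticated methods stay on, so watch them.
    add_action( 'wp_login_failed', 'hx_log_xmlrpc_login_failure' );
} else {
    // Same filter BlogAid puts in wp-config.php: every method that calls
    // login() now answers with XML-RPC fault 405 before any password is
    // checked, which is also why there is nothing left to log in this branch.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}
```

Keep the .htaccess rule above in front of this where the web server honours it: the 403 is answered before PHP starts, which is what matters during a flood. The plugin covers the cases the file rule does not (nginx, hosts that ignore .htaccess, or an IP allow-list that has to leave xmlrpc.php reachable). To verify, post a system.listMethods call to xmlrpc.php with curl and confirm that neither pingback.ping nor system.multicall appears in the returned list, and that a normal page response no longer carries an X-Pingback header.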
******* BLOG AID INSTRUX ********
Step 1. There is a filter that can be added to the bottom of the wp-config.php file that will turn XML-RPC completely off. I’ve extensively tested it on multiple sites and have experienced zero issues with other plugin functionality including:
Blubrry PowerPress and SoundCloud podcast plugins
Popular social share button plugins with counters displayed
Popular post and related post plugins that actively create internal logs
Tracking plugins for analytics and internal redirects and the logs they create
Gallery plugins that pull from external sources
Social media plugins that pull from external sources
NOTE: DO NOT go poking around in your wp-config file unless you know what you’re doing. Me and every other site geek would prefer that you hire us to do it right the first time. And we’ll all charge you WAY less than cleaning up any mess you may have made of your site. You’ll also want to test all of the above potential conflicts, and any other plugin/widget/function that may be using XML-RPC on your site BEFORE you make this change. And then retest afterward.
The code to add below the last ABSPATH statement is:
add_filter('xmlrpc_enabled', '__return_false');
Step 2. Block XML-RPC in the .htaccess file
Input the following code near the top of your .htaccess file:
# START XML RPC BLOCKING
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# FINISH XML RPC BLOCKING
Step 3. Turn off trackbacks and pingbacks
From your WordPress Dashboard, go to Settings > Discussion.
In the top section you will see the following checkboxes. Turn them both off.