I’ve created an RSA keypair that I used for SSH, and it includes my email address. (At the end of the public key.) That part of an ssh key is just a comment. You can change it to anything you want at any time. It doesn’t even need to be the same on different servers. … Read more
In today’s internet this is quite normal sadly. There are hordes of botnets trying to login to each server they find in whole IP networks. Typically, they use simple dictionary attacks on well-known accounts (like root or certain applications accounts). The attack targets are not found via Google or DNS entries, but the attackers just … Read more
First, before freaking out, be sure that you understand whether or not this vulnerability actually applies to you. If you have a server, but have never actually had any applications using TLS, then this is not a high-priority thing for you to fix. If, on the other hand, you have ever had TLS-enabled applications, well … Read more
When deciding what permissions to use, you need to know exactly who your users are and what they need. A webserver interacts with two types of user. Authenticated users have a user account on the server and can be provided with specific privileges. This usually includes system administrators, developers, and service accounts. They usually make … Read more
It’s really, really, really hard. It requires a very complete audit. If you’re very sure the old person left something behind that’ll go boom, or require their re-hire because they’re the only one who can put a fire out, then it’s time to assume you’ve been rooted by a hostile party. Treat it like a … Read more
It’s hard to give specific advice from what you’ve posted here but I do have some generic advice based on a post I wrote ages ago back when I could still be bothered to blog. Don’t Panic First things first, there are no “quick fixes” other than restoring your system from a backup taken prior … Read more
First, DON’T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I’m assuming the audit is for since it’s a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to … Read more
Most of the time you should not modify core by yourself – it will get overwritten after update and it may cause some conflicts. Of course, if you know what you’re doing and the vulnerability is really serious, then you can update given library and test everything by yourself. As for awareness. Most of the … Read more
If you follow the guidelines of the Codex for Themes (start here: https://codex.wordpress.org/Theme_Development ), and ensure that any user-supplied input (if any) is sanitized, then a theme will be secure. This also assumes that you have done basic security on your install. For instance: strong passwords on all accounts create an admin account without the … Read more
The professional way would be for them to work on a copy of your website set up in their own servers. This means that you should give them all the ftp files + the related DB. Then they work on their website and when the work is done you can update your website. If you … Read more