but I would like to hide all the other information as much as possible since I feel like the more information those hackers know, the less security my site is. 99.999999% of attacks you get will be fully automated bots. Actual humans trying to break in are very rare, and when they do they’ll either … Read more
This is very common, it is a malicious query string most likely (99% time) done by a bot, I think option=com_simpledownload is actually a Joomla plugin, so obviously it won’t effect WordPress. You can see the detials here, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2122
Yes, it is possible. You can name this file whatever you want. In this case, you should use get_template_part instead of get_header to include this file in other templates. Or you can name it header-something.php and then use get_header(‘something’). PS. I hope I haven’t misunderstood your question.
It is indeed a security issue to have those left as the defaults, but it is not an extremely serious issue. To mitigate the problem of known default salts, WordPress intentionally recognizes when those values are left as “put your unique phrase here” and will not use that phrase as a key/salt. Instead, it generates … Read more
Sorry, if your username isnt admin (older versions) you really dont need to do that. What i would reccomend is for you to install 2-3 plugins ordered here by their importance: wordpress firewall 2 Limit Login attempts Wp Security Scan WordPress Firewall should stop must hack attempts directly on your site, Limit login should end … Read more
All the database upgrades can be seen in the code, in the wp-admin/includes/upgrade.php file. And yes, some of the point releases (including 3.5.2) contained “database upgrades”. Now, it is only very rarely that the actual database schema changes, but there are minor bugfixes in every point release, and sometimes they require a little database action. … Read more
TimThumb has never been bundled with WordPress, it is/was entirely a third-party theme/plugin issue.
If the “attack” is distributed, the only thing you can do is to change the url of the login endpoint. This should be easy to do with web server config (block /login and friends, map some other “slug” to wp-login.php). This will also break the automatic redirect from /wp-admin to /login which is a good … Read more
Is WordPress MultiSite secure & how much can it scale? WordPress.com — single best example of WordPress Multisite at a large scale. Period. As for the expertise to be able to maintain and manage the cluster — which you should question yourself — it’s a different story. By creating admins for each subdomain, what security … Read more
Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?