How can I find a security hole in my WordPress site?

The symptoms you mentioned in your question and comment indicate that you might have a compromised / nulled plugin or theme that deployed some sort of shell bomb. It's possible that there might be multiple malicious files in your main domain, add-on domains and subdomains. It's also possible that your default core WordPress files might also … Read more

How can I tell who changed the password?

You could log all attempts to get the lost password email:

    add_action( 'retrieve_password', 'log_password_requests' );

    function log_password_requests( $user_name_or_email ) {
        // save the user name or email plus the IP address in an option
    }

Protecting HTML5 video [closed]

First: You will need a plugin that acts as an intermediary for your cloud storage. Cloud storage innately (if set up properly) will protect your files. I have used the CDN Vault plugin and it works great. It’s a premium plugin that depends on Amazon S3 storage. It does some really great obfuscation and encryption so … Read more

What should I do about hacked server?

My (managed) dedicated server, with several sites (not all of which use WP) has been hacked. OK, it happens. Not the end of the world. Today, I find permissions changed to 200 – which I suspect might have been done by my service provider (although I’ve not received notification, nor yet an answer to my … Read more

Brute force attack even though it is limited by IP

WordPress is also an XML-RPC server. So I guess these bots tried to gain access through the XML-RPC protocol via the xmlrpc.php file in your WordPress root directory. It’s possible to log in and most likely your security plugin is picking up failed login attempts when wp_authenticate() is called and the wp_login_failed hook is activated. Here’s … Read more

How to secure WordPress XMLRPC?

XMLRPC is as secure as the rest of WordPress. All of the requests need to be authenticated with username and password credentials that exist on your site already. That means, if someone has a login for your site, they can use the XMLRPC interface (if it’s turned on). But anonymous users can’t get in. The … Read more

Disallow file edit not preventing plugin install

I would convert the site to a subsite on a multi-site instance; you can then have an approved list of plugins and themes. This answer might help more. You could also create a new user type that does not have access to the plugins/themes areas and only publish those details.

Can I force a password change?

Not out of the box, but you could implement it by:

- Adding a user meta on user create.
- Dropping that meta on user password update.
- Redirecting the user to his profile page, from anywhere else, if the user meta is around.
