Sander Jürgens, Author at Patchstack
Easily secure your websites from plugin vulnerabilities!
Feed last updated: Fri, 13 Dec 2024 13:28:05 +0000

How to Secure WordPress Login URL
https://patchstack.com/articles/secure-wordpress-login-url/
Wed, 31 May 2023 15:33:38 +0000

The post How to Secure WordPress Login URL appeared first on Patchstack.

WordPress is the world's most popular content management system, powering millions of websites globally. Its popularity, however, also makes it a prime target for malicious activities, such as brute force attacks, hacking attempts, and unauthorized access. One effective way to enhance the security of your WordPress site is by blocking access to the default login URL. In this article, we will explore the importance of protecting the login directory in WordPress and how it can help safeguard your website.


Why protect the admin login URL

You might ask why you need to protect your login URL at all when your account is already protected with a password. There are several reasons; here are five.

1. Protection against brute force attacks

By default, the WordPress login form lives at "/wp-login.php", and unauthenticated requests to "/wp-admin" are redirected there. Attackers know these URLs, so brute-force tooling simply posts username and password guesses to them on every WordPress site it finds. Restricting access to the default login URL adds a layer on top of a strong password: it does not make a weak password safe, but it stops the automated guessing from ever reaching the login form.

2. Mitigation of automated hacking attempts

Many attacks on WordPress websites are automated: bots scan the internet for targets, request the standard login URLs, and try known vulnerabilities or weak credentials against whatever they find. Blocking the login URL takes your site out of that automated sweep, because the bots never reach a login form to attack.

3. Enhanced protection of administrator accounts

The administrator account holds the highest level of access to and control over your website, so it is the account most worth safeguarding. Restricting the login URL adds a layer of defence in front of it: an attacker who has guessed or obtained an administrator username still has to get past the block before a single password attempt can be made, which also makes targeted attacks against specific accounts harder to carry out.

4. Improved website performance

Another benefit is performance. Bots that hammer the default login URLs generate traffic that does no useful work but still consumes PHP workers and database connections, since every login attempt is a full WordPress request that ends in a deliberately slow password-hash check. Blocking that traffic early reduces the load on your server and keeps the site responsive for real visitors.

5. Prevention of unauthorized user enumeration

The default login form lets anyone probe for valid usernames: WordPress answers an unknown username and a wrong password for an existing user with different error messages, so an attacker can confirm which usernames exist before spending any effort on passwords. Restricting the login URL removes this channel. Note that the login form is not the only place WordPress can reveal usernames (author archive URLs and the REST API users endpoint are the usual other ones), so treat this as one layer rather than a complete fix for enumeration.

How most plugins protect the login URL

There is a common problem with plugins that "protect" the login URL simply by letting you rename it: the new URL leaks easily.

WordPress emits the login URL in many places (for example in the redirect that logged-out users get from wp-admin, in password-reset emails, and in "Log in" links printed by themes), so it is no surprise that attack scripts still find the renamed login page.

How Patchstack protects the WordPress login URL

Patchstack can safeguard your default login URL by blocking all traffic to /wp-login.php (and therefore to /wp-admin, which redirects unauthenticated visitors there). To log in yourself, you allowlist your current IP address by visiting the secret login URL you set on the Login Protection page.

In addition to login protection, Patchstack protects your websites around the clock against attacks that target WordPress specifically. It does this with vPatching (virtual patches that block exploitation of a known vulnerability at the request level, without changing the vulnerable code) together with custom hardening rules.

Getting started with Patchstack is straightforward. Create an account and enable login protection as follows:

  1. Create an account in the Patchstack App and sign up for the Developer plan, then add your domain.
  2. Download and install the Patchstack plugin on your WordPress site.
  3. Connect it with the Patchstack App by entering your API key in the plugin.
  4. In the Patchstack App, open your domain and go to Hardening > Login Protection.
  5. Toggle "Block access to wp-login.php".
  6. Enter your new (secret) login URL in the corresponding field and save.
  7. Visiting /wp-admin or /wp-login.php is now blocked, while visiting the URL you chose allowlists your IP and restores your access to wp-admin.

If you're curious about how our Login Protection feature works, we have a handy article that you can check out. Just follow this link: Login Protection with Patchstack.
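The mechanism described above (deny /wp-login.php to everyone, allowlist an IP when it visits a secret URL) can be implemented directly in WordPress as a must-use plugin. The following is an added example written for this article, not Patchstack's code. The secret path, the option name and the 12-hour allowlist lifetime are arbitrary choices; the example assumes WordPress is installed at the domain root and that PHP sees the real client address in REMOTE_ADDR (behind a reverse proxy you would need to resolve the address from the proxy's trusted header first).

```php
<?php
/**
 * Plugin Name: Login Gate (illustrative example)
 * Description: Deny wp-login.php to every IP except those that recently visited a secret path.
 * Install: save as wp-content/mu-plugins/login-gate.php (must-use plugins load automatically).
 */

// Hypothetical secret path. Use your own long, random value and never link to it from the site.
define('LOGIN_GATE_SECRET_PATH', '/open-sesame-3f9b2c7d1e');
// How long an allowlisted IP stays allowed, in seconds (arbitrary choice).
define('LOGIN_GATE_TTL', 12 * HOUR_IN_SECONDS);
// Option used to persist the allowlist (hypothetical name).
define('LOGIN_GATE_OPTION', 'login_gate_allowed_ips');

/**
 * The client address. Only REMOTE_ADDR is trusted: X-Forwarded-For is attacker-controlled
 * unless a reverse proxy in front of PHP is known to overwrite it.
 */
function login_gate_client_ip(): string {
    return (string) ($_SERVER['REMOTE_ADDR'] ?? '');
}

/** Allowlist as ip => expiry timestamp, with expired entries dropped. */
function login_gate_allowed_ips(): array {
    $ips = get_option(LOGIN_GATE_OPTION, []);
    if (!is_array($ips)) {
        $ips = [];
    }
    $now = time();
    return array_filter($ips, static function ($expires) use ($now) {
        return (int) $expires > $now;
    });
}

function login_gate_is_allowed(string $ip): bool {
    return $ip !== '' && array_key_exists($ip, login_gate_allowed_ips());
}

// Visiting the secret path allowlists the visitor's IP, then sends them on to the real login form.
add_action('init', static function () {
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH);
    if ($path !== LOGIN_GATE_SECRET_PATH) {
        return;
    }
    $ips = login_gate_allowed_ips();
    $ips[login_gate_client_ip()] = time() + LOGIN_GATE_TTL;
    update_option(LOGIN_GATE_OPTION, $ips, false);
    wp_safe_redirect(wp_login_url());
    exit;
});

// Every request to wp-login.php (GET or POST) runs login_init before any credential is checked,
// so password guesses from non-allowlisted IPs never reach wp_authenticate(). Unauthenticated
// /wp-admin requests are redirected to wp-login.php by WordPress itself and hit the same check.
add_action('login_init', static function () {
    $action = $_REQUEST['action'] ?? '';
    // Let already-authenticated users through (so logout keeps working) and keep the
    // password-protected-post form usable for anonymous visitors.
    if (is_user_logged_in() || $action === 'postpass') {
        return;
    }
    if (login_gate_is_allowed(login_gate_client_ip())) {
        return;
    }
    status_header(403);
    nocache_headers();
    wp_die('Forbidden', 'Forbidden', ['response' => 403]);
});
```

Two things to keep in mind with this approach. The allowlist is keyed on IP address, so anyone sharing your address (an office NAT, a VPN exit) is allowed as well for the lifetime of the entry. And it gates only wp-login.php (and wp-admin through WordPress's own redirect); xmlrpc.php also accepts username and password logins and is not covered by this check, so disable or firewall it separately if you do not use it.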

Protecting your login directory is essential for WordPress security

The security of your WordPress website should be a top priority. Blocking traffic to the default login URL is a simple and effective way to improve your site's security posture: it keeps brute-force and automated attacks away from the login form, adds a layer in front of your administrator accounts, and removes the unnecessary load that login bots place on your server. Taken together with strong passwords and up-to-date software, it makes for a more robust and reliable website and gives both site owners and visitors peace of mind.

Don't hesitate to reach out if you have any questions or need further assistance.
Just type a message to our live chat. We're here to help!

How To Find Out If My WordPress Site Has Vulnerable Plugins?
https://patchstack.com/articles/how-to-find-out-if-my-wordpress-site-has-vulnerable-software/
Mon, 08 May 2023 14:56:06 +0000

The post How To Find Out If My WordPress Site Has Vulnerable Plugins? appeared first on Patchstack.

Websites made with WordPress usually rely heavily on third-party software components like plugins and themes. Every single day, hackers and security enthusiasts find new vulnerable plugins or vulnerabilities across different WordPress plugins and themes.

In 2022 alone we added 4,528 new known security bugs to our WordPress vulnerability database.

Keeping the number of plugins on your WordPress installation as low as possible is highly recommended, as each installed plugin raises the risk of having a vulnerable component in your site.

What is a plugin vulnerability?

A plugin vulnerability is a weakness or flaw in a plugin's code that an attacker can exploit. When a vulnerable plugin is found on your site, it should be either updated to a fixed version or removed.

Why would I care about plugin vulnerabilities?

Attackers exploit plugin vulnerabilities to gain unauthorized access to a website, inject malicious code and steal sensitive information. From there they may gain access to the underlying server or use the site for further malicious actions.

There are lots of different types of vulnerabilities that researchers and hackers find across different plugins and themes. We have listed the 21 most common WordPress vulnerabilities in this article.

Most vulnerabilities in plugins and themes exist because the developers did not follow basic secure-coding rules, and updates pushed to the WordPress.org plugin repository are not security-reviewed before they go live.

How do I check WordPress plugin vulnerabilities?

To see if your site currently hosts vulnerable software versions, try Patchstack. Installing Patchstack is quick and easy. You'll get an overview of which of the current plugin and theme versions found on your site(s) are vulnerable, based on our vulnerability database.


Set up Patchstack in 3 simple steps:

  1. Create a Patchstack account
  2. Add your website's URL inside the Patchstack App
  3. Install the Patchstack plugin on your WordPress site

After installing the Patchstack plugin, it's easy to keep an eye on your software - and every time a vulnerability is found in any of the components your WordPress uses, you'll get an email notification.

The screenshot in the original post shows the Patchstack App's components page, which lists which of your site's plugin and theme versions are vulnerable or outdated.

What to do if I find vulnerable plugins on my site?

Your best option is to enable the Patchstack firewall. It blocks attacks that target the known vulnerable components on your site, so you are covered while you wait for, test and apply updates rather than having to watch software versions constantly.

Patchstack does this with automatically applied vPatches (virtual patches that block exploitation of a specific known vulnerability at the request level) together with firewall rules covering the OWASP Top 10 categories.

If you prefer to stay on the free plan, follow this routine instead:

  • Update vulnerable software as quickly as possible. You can do it directly from the Patchstack App by selecting the component and clicking "Actions" > "Update", and you can have Patchstack email you when a vulnerable component appears on your site(s).
  • If no update is available for a vulnerable component, replace it or remove it completely as soon as possible (delete the files, not just deactivate the plugin).

Please note that regardless of having protection, it is generally a sensible practice to keep all your software up to date, if possible.
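The check described under "How do I check WordPress plugin vulnerabilities?" and the update-or-remove routine above come down to one decision per installed component: is the installed version older than the first fixed version, or is there no fix at all? The following added example (written for this article, not Patchstack's code) makes that decision over a constructed sample of installed plugins, in the shape that `wp plugin list --fields=name,version --format=json` produces, and a constructed advisory list. The plugin names, versions and advisory titles are invented for illustration and do not refer to real plugins or real vulnerabilities.

```php
<?php
/**
 * Decide which installed plugins are affected by known advisories and what to do about each.
 * Standalone CLI example: php check-plugins.php
 */

// Constructed sample of installed components (same shape as WP-CLI's `wp plugin list --format=json`).
$installed = json_decode('[
  {"name": "example-forms",   "version": "2.3.1"},
  {"name": "example-gallery", "version": "1.0.9"},
  {"name": "example-seo",     "version": "4.2.0"},
  {"name": "example-cache",   "version": "3.1.0"}
]', true);

// Constructed, hypothetical advisories. "fixed_in" is the first safe version; null means no fix exists.
$advisories = [
    ['slug' => 'example-forms',   'title' => 'Unauthenticated SQL injection', 'fixed_in' => '2.3.2'],
    ['slug' => 'example-gallery', 'title' => 'Stored cross-site scripting',    'fixed_in' => '1.0.9'],
    ['slug' => 'example-seo',     'title' => 'Cross-site request forgery',     'fixed_in' => null],
];

/**
 * Returns one finding per (installed plugin, matching advisory), with the recommended action.
 * Versions are compared with version_compare(), which knows that "1.0.9" < "1.0.10";
 * a plain string comparison would get that wrong.
 */
function find_vulnerable(array $installed, array $advisories): array {
    $bySlug = [];
    foreach ($advisories as $adv) {
        $bySlug[$adv['slug']][] = $adv;
    }

    $findings = [];
    foreach ($installed as $plugin) {
        foreach ($bySlug[$plugin['name']] ?? [] as $adv) {
            $fixed = $adv['fixed_in'];
            // Safe only when a fix exists and the installed version is at or above it.
            if ($fixed !== null && version_compare($plugin['version'], $fixed, '>=')) {
                continue;
            }
            $findings[] = [
                'plugin'    => $plugin['name'],
                'installed' => $plugin['version'],
                'title'     => $adv['title'],
                'action'    => $fixed === null
                    ? 'no fix available: remove or replace the plugin'
                    : "update to {$fixed} or later",
            ];
        }
    }
    return $findings;
}

foreach (find_vulnerable($installed, $advisories) as $f) {
    printf("%-16s %-8s %-36s %s\n", $f['plugin'], $f['installed'], $f['title'], $f['action']);
}
```

The boundary case is the one worth noticing: example-gallery is installed at exactly the fixed version, so it is not flagged, while a version one patch level below would be. Components with no advisory at all (example-cache here) produce no finding, which is why a tool like this needs a database that is kept current: a plugin is only "known safe" relative to the advisories you have.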

Keep an eye on vulnerable plugins

It is completely normal for vulnerabilities to be found in the software your WordPress site uses. By paying attention to the components you install and keeping them updated, you can prevent most incidents before they happen.

If you have any questions about WordPress security, feel free to start the live chat. Click on the green chat circle on the bottom right corner of this page!

How I Started Selling WordPress Care Plans To My Clients
https://patchstack.com/articles/how-i-started-selling-wordpress-care-plans-to-my-clients/
Fri, 14 Apr 2023 10:00:00 +0000

The post How I Started Selling WordPress Care Plans To My Clients appeared first on Patchstack.

This blog post is written about Sander's experience and how he started to sell WordPress care plans with the help of Patchstack.

Hey there! Sander here - you might recognize me from the Patchstack support channel.

In this article, I'll share a bit about how I started using Patchstack, and how I am building my little side hustle using Patchstack to sell WordPress care plans. I'll also include little tips & tricks on how you could do it, too!

I have been a customer of Patchstack since 2018 when the product first launched. Because I had been developing WordPress websites for a few years, I saw Patchstack as an excellent tool for protecting my clients' websites.

Photo: Sander Jürgens (from sanderjurgens.ee)

I'd had several occasions where the sites got mysteriously hacked - once, I even needed to clean up one server where hackers had uploaded an online bank phishing page. The server had a text file with over twenty people's credit card numbers. Yikes!

How I first started to sell WordPress care plans using Patchstack

Selling website protection to my clients was initially difficult because people usually have no idea how big of a target their website is. The most common answer I got after the initial sales pitch was: "But who would want to hack my website? I run a small business; what do the hackers get out of it? I have nothing valuable to hide".

Most of the sales I did manage to make were to people whose sites had already been hacked - i.e. people who already understood the risk.

I'm not a good salesman, but I eventually convinced some clients that security is essential. I even sold a few very basic security plans, but in those the clients agreed to do all the version updates themselves. This, however, was not a complete solution, because these website owners didn't actively do the needed updates, and I still ended up doing them from time to time.

Building the sales pitch to sell WordPress care plans

I started working for Patchstack in 2022 and during my time here I got to learn more about different security topics. It was actually this experience that inspired me to start this little side-project - my very own website care plan service.

Selling care plans becomes much easier once you understand the potential risks in the WordPress ecosystem because you'll be able to explain these risks to your customers so they are easy to understand.

Here are some steps I go through to get my customers on care plans:

Step 1: Have clear arguments about why security is important

These are the arguments I use to support the idea of why site owners need a care plan:

  • Your site doesn't have to be popular to be targeted by attackers - WordPress itself is popular, which makes the platform a target. It is used on over 40% of websites today, and hacker bots target all WordPress installations equally. Thousands of attacks can be carried out with just one click.
  • The more plugins your WordPress site uses, the greater the likelihood of having a vulnerable plugin in there that could be exploited.
  • The most successful hackers hide signs that a site is hacked, so no one even knows there's a problem. A hacked website may keep doing damage in the background - silently. Day to day it may leak data, damage SEO, maintain phishing sites, etc.
  • WordPress plugins and themes get constant security patches from their developers. If these components are not updated regularly (and quickly), then the security bugs may be exploited, making your website a threat to both your business and your visitors.

If you want to learn more about WordPress security you can read our 2022 security whitepaper - it should give you a better understanding of what is (or isn't) a threat, which in turn will help you explain them better to potential clients.

Step 2: Figure out what you offer in your care plans

Security is not just about turning on a firewall and calling it a day. Aside from protection, a care plan should provide additional layers of security and service.

What I went with - and that is also what most such service providers offer - is this:

  • Monthly updates for themes, plugins, and WordPress core version
  • Firewall protection and hardening rules
  • Monthly PDF reports about the state of their site's security
  • Monthly backups
  • 1-2 hours of development time or content management per month

Depending on where your clients live, you can charge approximately $100-$200 per month per client - though the actual price will also depend on any additional services you may want to offer.

Step 3: Educate your current customers

Whether you prefer cold calling or emailing, it is vital to discuss security openly. You can use the arguments from Step 1 to tell them why keeping their sites up-to-date and secure is essential.

Before making a pitch, you can also install Patchstack on a client's website to monitor its current situation. The free Patchstack plan shows you how many of the site's components are vulnerable to exploits. These are potentially dangerous and need updating as soon as possible. You can use that information to illustrate the potential risks with actual, relatable examples to a potential client.

You can sign up to try it out and check the vulnerable components. We also have complete instructions for signing up and connecting the plugin here.

Step 4: Do basic marketing

To onboard more customers, it is crucial to market your service well. Here are some steps you can take to keep your marketing funnel active:

  • Have a website that clearly communicates your care plan offer
  • Make sure the SEO is done well; you can also publish blog articles about different security topics to stand out from the crowd. Find ways to write creatively.
  • Join different Facebook groups related to WordPress and web development topics - for example, The Admin Bar Community. We also have a Patchstack WordPress Security community where you can ask even more advanced security-related questions. You can help people out and make excellent connections in such groups.
  • Some hosting providers are looking for partnerships with agencies and freelancers who offer care plans. Remember that it's also beneficial for them to keep the hosted environments secure.

Do you want to sell WordPress care plans?

I hope my story has inspired you to take the first steps toward selling WordPress care plans. If you have any questions about setting up your care plans, about using Patchstack, or about security in general, you can always find me in the support chat box on our home page - so hope to see you there!

December WordPress Bug-Hunting Challenge
https://patchstack.com/articles/december-wordpress-bug-hunting-challenge-has-a-4300-prize-pool/
Mon, 05 Dec 2022 13:54:56 +0000

The post December WordPress Bug-Hunting Challenge appeared first on Patchstack.

We are beyond excited to celebrate the winter holidays and the launch of the Patchstack Alliance Discord community with a special WordPress bug-hunting event taking place throughout December 2022.

In December, we released a public leaderboard and profiles for the top security researchers who contribute to making WordPress and the open-source web more secure.


You can see the November WordPress bug-hunting winners and profiles here: https://patchstack.com/database/leaderboard?monthly=2

December prize pool is $4300 in cash rewards


Each Monday, we'll announce the scope for that week's WordPress bug-hunting focus. With 4 weeks of challenges and monthly prizes on top, we pay out $4300 in cash rewards!

Each week has a special vulnerability that needs to be hunted in any publicly available WordPress themes, plugins, or even in the core itself.

The top 3 researchers with the most points from each week will get cash rewards (1st place - $300, 2nd - $200, and 3rd - $100). All points will also be used for the monthly Patchstack Alliance competition, with an additional $1900 prize pool.

The first week (Dec. 5-11) - Cross-Site Request Forgery (CSRF) - finished!

1st place ($300 bounty) - Lana Codes reported 58x vulnerabilities (349.4 points)
2nd place ($200 bounty) - Muhammad Daffa reported 9x vulnerabilities (129 points)
3rd place ($100 bounty) - Cat reported 25x vulnerabilities (125.3 points)

The second week (Dec. 12-18) - Cross-Site Scripting (XSS) - finished!

1st place ($300 bounty) - minhtuanact reported 8x vulnerabilities (50.4 points)
2nd place ($200 bounty) - pilvar reported 1x vulnerability (31.5 points)
3rd place ($100 bounty) - Muhammad Daffa reported 2x vulnerabilities (21.5 points)

The third week (Dec. 19-25) - SQL injection (SQLi) - finished!

1st place ($300 bounty) - Le Ngoc Anh reported 2x vulnerabilities (16.8 points)
2nd place ($200 bounty) - minhtuanact reported 10x vulnerabilities (14.6 points)
3rd place ($100 bounty) - Lucio Sá reported 1x vulnerability (7.5 points)

The fourth week (Dec. 26-31) - Remote Code Execution (RCE) - finished!

1st place ($300 bounty) - minhtuanact reported 1x vulnerability (9 points)
2nd place ($200 bounty) - Le Ngoc Anh reported 1x vulnerability (8.5 points)
3rd place ($100 bounty) - none

More details on the Patchstack Alliance Discord

Claim your CVEs

Patchstack is an official CVE Numbering Authority (CNA) authorized by MITRE to assign CVE IDs to vulnerabilities reported through the Patchstack Alliance bug bounty program. We make sure the reports reach the developers and that every ethical hacker gets credit for their research and contribution.

Join the community

Patchstack Alliance is a community of ethical hackers who contribute to making the entire web more secure. It’s a great place to learn new skills, make friends and create a portfolio of your security research.

For more information & rules, join our Discord server here: https://patchstack.com/bug-bounty/
