Is this necessary with WP ver 3.9.x ???

do they fix any of this stuff so we don’t need dozens of plugins to secure our websites?

All confirmed security issues in WordPress core are fixed asap.

Specifically, are recent versions of WP (e.g., 3.9.x) vulnerable to bad queries?

There are no known issues with the current version of WordPress. whether there are issues with your theme or any of your plugins, I couldn’t say.

When I browse the web, I find hundreds of recommendations on how to harden WordPress, but little in the way of info about what is current and what is just legacy stuff that would be a time waster to kludge my way through as a non-expert.

Stick to Hardening_WordPress.

Hello guys

In fact, this plugin does not patch anything for WordPress, but as esmi said, it depends on plugins.

Let’s imagine you install a plugin you need, a famous one, like a Jetpack or another huge downloaded plugin.
A day or another, a vulnerability is discovered by someone, a hacker, a black hat.
He won’t tell anyone about this and will try to hack websites.
Let’s imagine he needs to call a specific URL on you site like :
– “?param=../../wp-config.php” to download your config file.
– Or he needs to perform a SQL injection like “?param=1 or UNION SELECT…”
– Or why not a RCE with a “?param=eval(0xfoobar)…”

Whatever, this plugin protects you from strange and considered harmful queries on your website. This kind of script can be use on any website and any CMS.
This version is just a WordPress plugin one.

Thank you for reading ??

Julio – Web Security Consultant – WordPress Expert – BBQ Co-author.

Julio and esmi, thanks so much for clarifying. So, this is essentially a website security thing… Apologies for disparaging WordPress alone. And sounds like every person with a website should be doing this. Rather surprising, really, after how many years? But whatever, I’ll do it regardless of WordPress version etc.
Thanks, MTN

“All confirmed security issues in WordPress core are fixed asap.”

So then, why does the WordPress website even have the Hardening WordPress page? This seems to be a contradiction. When a person installs WordPress, it should automatically implement all known hardening routines and methods. There should be no need to go in and do anything manually. For example, if I install software, perhaps Google Chrome, do I have to go to a “Hardening Google Chrome” website and spend hours doing mods on Google Chrome, some of which require access to core files?

https://codex.www.ads-software.com/Hardening_WordPress

‘best, MTN

Please, read the page.
You have to read it to understand why this page exists and why all this can not be included in WordPress.

Hi Julio, yes, there are things on that page that require user intervention. Thanks for pointing that out. On the other hand, WordPress could and should install:

1. With file editing disabled from the start.

2. Without the Readme file in root that displays version number to the world.

3. With a login URL designated by user, instead of the standard wp-login.php.

4. With PHP file execution disabled in appropriate folders such as Uploads, using .htaccess.

5. With the version number set to be obscured, overall.

6. With an initial “Admin” account with user name chosen by installer, never “Admin” or anything else standardized.

7. Button option to turn OFF automatic updates.

8. Password reset disabled, with option to enable.

9. Login attempt limiter, built into core, preset to strict settings.

10. Strong passwords default enforced, option to turn of enforcement.

I could make a list of probably 20 things that could be done during the install to increase security. They are not done in my opinion because of a fundamental flaw in web developer culture, e.g., hobby developers who are more concerned with the colors and menu structure on the admin theme than they are with serious matters. And now with 20% of the web created by WordPress, we wait for the first hack of the automatic updates.

I love your list (almost), tell me more it’s really good ideas.

Yeah, probably some stuff on there that’s wrong. But then, I’m just a writer who spends more time trying to make WordPress work well than I do writing (groan).

Number 11 would be built-in 2-part authentication for logins, with on/off button in admin. I’m sick of plugins that half the time don’t work. Build it into the core, so we know it works and we can move on to bigger and more important things — like actually writing a blog post now and then.

Seriously, once I’ve been studying WordPress security the situation looks like a vaudeville amature hour. Sure, the developers are volunteers, but even volunteers should seek excellence. For example, we don’t expect our volunteer firefighters to be incompetent.

Thanks, MTN

“I’m just a writer who spends more time trying to make WordPress work well than I do writing”
yeah, this is the way of life of every WP dev i think x)

Do not hesitate to open a ticket and submit a core patch!

See you

Well, I’m looking forward to new colors in the admin, anyway.

Thanks for the conversation and infos.

MTN

Gonna go ahead and close this thread. Feel free to follow-up with any new infos.