• Resolved h299

    (@h299)


    A site was hacked a while ago called [ gratuitous link removed ] exposing personal data, and it used md5 for encryption if I remember correctly. The problem is WordPress uses MD5 unless I’m mistaken, and I have read about it being insecure = hackable, so is this true and if so when is WordPress going to do something about it?

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    and it used md5 for encryption if I remember correctly

    That’s not correct and is not why sites are hacked. Plugin and Theme vulnerabilities on an unmaintained site are a much faster and simpler attack vector.

    and if so when is WordPress going to do something about it?

    Never? Nothing?

    Those statements from me will solicit at least a whole blog post from one or more deranged, perseverate, and frankly desperate for attention plugin “security” company.

    *Drinks coffee*

    I am not part of the Security Team at WordPress and non-breaking code updates to improve all the things, including security, happen all the time.

    Here’s what I mean: if someone gets a hold of your backup and it includes your wp-config.php file and your database dump as well, then yes. Game over.

    Double Edit: Geez, I need more coffee. Hashes can’t be un-hashed, it’s a one way function. At best you can see if the salt+password hash matches a dictionary. Use strong passwords, “Password123” is definitely in many password dictionaries.

    Secure your backups well. If your backups live on your WordPress server and an attacker got them that way then don’t worry about WordPress security. You probably have bigger problems.

    There are things you can do to aid yourself in securing your system.

    Use salts in your wp-config.php file.

    https://api.www.ads-software.com/secret-key/1.1/salt/

    This article explains that in-depth.

    https://kinsta.com/knowledgebase/wordpress-salts/

    Use Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA).

    Disclaimer: I work for a company that sells MFA among other security items.

    With 2FA or MFA you can add a component to your login that will help lots. With some 2FA it may be possible to get in via that backup and the 2FA config (probably not, I have not looked in a while) but with a cloud based MFA the authentication is configured on your site and the actual auth part is done in the cloud.

    This is a good 2FA plugin and is used by many. It supports RFC time based and FIDO hardware (Yubikey) authentication.

    https://www.ads-software.com/plugins/two-factor/

    Does that help answer your question about MD5 and why it doesn’t matter as much as it may seem?

    • This reply was modified 1 year, 11 months ago by Jan Dembowski. Reason: Added link to 2FA plugin
    • This reply was modified 1 year, 11 months ago by Jan Dembowski. Reason: Updated re un-hash
    • This reply was modified 1 year, 11 months ago by Jan Dembowski. Reason: Geez, I need more coffee
  • Thread Starter h299

    (@h299)

    Yes, and many thanks. I think I’m going to use YubiKey and will check out the plugin you recommended.

  • The topic ‘MD5 encryption.’ is closed to new replies.