How to block your WordPress site from being scanned by WPScan with Nginx

Hello! First and foremost, why would you want to block WPScan from probing your site? Well we all know that security through obscurity is a bad practice. That said the risks of malicious activity on your site is undoubtedly heightened through many points of information disclosure that is freely available to parse and organize to make an accurate security risk assessment of your WordPress site. This type of information is easily attainable through automated scanners like WPScan. Tools like this scan for version tags in readme files, file size fingerprints and meta tags to determine not only the version of WordPress you are running but the version of each of the plugins you have installed. Why is information disclosure bad? Some would argue its not bad. Others would also point out that a 0-day WordPress core or plugin vulnerability could mean that minutes and hours of circumvention or lowered risk […]

WordPress plugin to remotely manage and automate multiple WordPress sites

Hello! Being a Toronto based web design and development agency means that we interact with a significant number of WordPress sites. This tends to happen when a project starts (obviously), but often continues after a site is launched. This is something that we offer along the lines of “post launch maintenance”. By no means once a site is launched is our job done, and I’m sure a lot of other people in the industry can relate. If you follow the WP Vulnerability database notifications (if you don’t, you should), then you will see many notifications per day with various plugin or core vulnerability announcements. For this reason, among many others, we found ourselves struggling to automate and streamline the management of many client websites. We’re a fan of automation and have published articles on our efforts to integrate WordPress with Jenkins. With that particular plugin, we were able to automate […]