You can also run your website on top of Sucuri (requires changing your DNS) which implements lots of different vulnerability patches and has the benefits of DDOS protection along with a speedy CDN.
Nice post! I can't get wpscan to install and run. I've tried following their docs and also the docs on Digital Ocean, but I keep running into errors. I'm on MacOS. Any ideas where to turn? Happy to post errors here, or somewhere else?
Nice article, thanks!
Hi Iain, Great post! I run a Penetration Testing company out of Toronto and your article is spot-on. Two additional tools we recommend include nikto and dirb. While these are not specific to WordPress, they offer a lens into potentially overlooked areas including third-party vulnerabilities outside of WordPress and exposed directories (we've found wp-config.php.bak and full website backups with dirb).

Nikto

Nikto is an open source web server scanner that identifies technologies used by a web server, checks for outdated server components, misconfigurations, default/weak credentials and unusual items. It can be used to identify dangerous files/programs and has been known to find backdoors/malware installed on websites. Frequent updates and third-party created plugins help to support new web server technologies and frameworks. Nikto supports multiple file output types including plain-text, HTML and CSV, which can generate easy to read reports. Not every item Nikto reports is a vulnerability or security issue, but most are. There are many command line options such as HTTP authentication, cookies, proxy settings and items to fine-tune the scanner. At its core it can be given just a target URL and perform its checks without any further options.

nikto -host https://mysite.dev/

Dirb

Dirb is a great tool that can be used to discover hidden content and pages within web applications that may not be linked or referenced within the site, by launching a dictionary based brute force attack and analyzing responses. Unreferenced or hidden content in web applications often includes administrative login pages, documentation, file shares, scripts, and even backups which may contain sensitive information such as configuration settings and even login credentials. Dirb uses its own wordlists to discover content, supports custom wordlists and can search for specific file extensions. Dirb can take as little as one parameter, the target website, and scan for interesting and hidden content.

dirb https://mysite.dev/

More technical tools which help improve the configuration of your web server include SSL Labs (Qualys) and Security Headers (Sophos). The output of these tools helps configure TLS, validate resistance to SSL related vulnerabilities and various client-side attacks which may require the implementation of various headers.

SSLLabs: www.ssllabs.com
Security Headers: www.securityheaders.com
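An added example, not the commenter's code and not part of Nikto or the Security Headers service: a small Python checker for the response headers that service grades, run here against a constructed header set. The names audit_headers and audit_url are my own; audit_url needs network access and is meant for a site you administer.

```python
import re
import urllib.request
from typing import Dict, List

# Constructed sample of a weakly configured server's response headers.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

# Headers a hardened site is expected to send.
REQUIRED = {
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
}

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name}" for name in sorted(REQUIRED) if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < 31536000:          # less than one year
        findings.append("hsts max-age below one year")
    if hsts and "includesubdomains" not in hsts.lower():
        findings.append("hsts without includeSubDomains")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("csp allows unsafe-inline or unsafe-eval")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options has an invalid value")
    if h.get("x-content-type-options", "").lower() not in ("", "nosniff"):
        findings.append("x-content-type-options should be nosniff")
    return findings

def audit_url(url: str) -> List[str]:
    """Fetch the headers of a site you administer and audit them (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()))

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```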
If you write code for WordPress and would like to take a step closer to "unbreakable", use my package: https://packagist.org/packages/szepeviktor/phpstan-wordpress Static analysis is like having 100 eyes.
Tim’s talk sounds like it must have been a real eye-opener! I’ve been managing a few WordPress sites myself, and honestly, I never realized how crucial it is to go beyond just basic security measures. The idea of penetration testing, especially using tools like WPScan, is something I now know I need to explore further.
On a related note, when I was setting up a new project environment, I found this incredibly helpful guide on installing Apache Airflow on Ubuntu (https://docs.vultr.com/how-to-install-apache-airflow-on-ubuntu-24-04). I was initially stuck on getting everything configured properly, but this post cleared things up perfectly. Thanks again for sharing such insightful tips here—truly valuable stuff!