Advanced WordPress Security Book
This book goes beyond the basics and dives into more advanced defenses. I’ll show you how to surgically replace WordPress PHP code with a deceptive modification. The attacker can brute force every possible password, and never know which one is correct. You don’t need to be a developer; I’ll show you step by step. I’ll show you how to hide your username from common enumeration techniques, so the attacker won’t even know which user’s password to attack.
I’ll show you how to stop ongoing attacks then blacklist the attacker. For a more secure approach, use whitelists, user-agent strings combinations, and a 2FA plugin. Plugins are like trojan horses, they provide functionality for you and the attacker. I’ll show you how to use free tools that perform static and dynamic application security testing (aka SAST & DAST) on the plugins, so you can avoid installing risky plugins that compromise your WordPress site.
Have you ever wagered on the Kentucky Derby? If you have, then you might be familiar with the online advanced deposit wagering platform, twinspires.com. That website and mobile application will accept your money, allow you to place your bets, and pays you when you are a winner. On Derby Day, tens of thousands of registrations, deposits, and wagering transactions happen every minute leading up to the big race. There is a lot riding on that application (pun intended).
I was a member of the Information Security Team (aka InfoSec) at Churchill Downs Inc. focused on application security for twinspires.com. Before moving into that role, I was a software developer for twinspires.com. So, I have a deep understanding of what it takes to secure web applications on multiple levels from the code itself, the servers it runs on, the networks that are traversed, all the way out to the Web Application Firewall. I’m giving you my application security experience in this book.