Security and Your MODX Articles Blog
Last Updated on Saturday, 11 May 2013 06:14 Written by Bob Ray Tuesday, 14 May 2013 12:00
There’s a serious security problem with the default installation of the Articles blog extra: It exposes your MODX username — the one you use to log in to the Manager — on every page. This opens you up to a brute-force attack that could allow miscreants to gain complete control of your site. This vulnerability may be fixed in future versions of Articles, but for now, it’s a good idea to make some changes to your Articles Templates and Chunks.
Site hackers have bots that are visiting hundreds of thousands of web sites. They try common Administrator usernames like “admin,” “root,” and “webmaster” and attempt to log in with both selected passwords (e.g., dates between 1900 and the current year, common names for humans and pets, dictionary words, etc.) and random passwords generated in code. For a fairly reasonable price, you can now buy a computer designed just for this task and capable of trying millions of passwords per second.
[WordPress Security] Serious Security Hole in WP Super Cache and W3 Total Cache
Last Updated on Tuesday, 30 April 2013 01:54 Written by TJ Marsh Sunday, 5 May 2013 12:00
A security hole that allows anyone to execute any command on your WordPress server has been discovered in the WP Super Cache and W3 Total Cache plugins.
WHAT TO DO:
[WHMCS] Whitelisting IP Addresses
Last Updated on Saturday, 27 April 2013 09:39 Written by Alex Ali Saturday, 4 May 2013 12:00
It is a good idea to whitelist your home or office IP address so that it is not banned for failed login attempts. This prevents you from being locked out of the admin area should you fail to log in
- Log in to your admin control panel
[WHMCS] Admin Failed Login Ban Settings
Last Updated on Saturday, 27 April 2013 09:39 Written by Alex Ali Thursday, 2 May 2013 12:00
By default, WHMCS will ban any IP address for a period of 15 minutes if it fails to log in to the admin area (invalid username and/or password) 3 times. This prevents people from being able to try multiple login combinations until they find one that actually works. You can alter the ban settings (minutes and the number of failed login attempts) by:
Defending Against the WordPress Brute Force Flood
Last Updated on Tuesday, 23 April 2013 04:21 Written by Scott White Saturday, 27 April 2013 12:00
A massive distributed brute-force attack has been launched over the past few days against every WordPress-based website at every hosting provider in the world.
Well over 150,000 different IP addresses are currently attempting to gain access to the admin user’s password in every WordPress site. By default, WordPress cannot protect itself against this type of attack, but you can protect yourself by following the tips in this email.
Here are the most important ones: