XML RPC in WordPress

Attackers quite frequently try to exploit xmlrpc.php, a built-in WordPress file that gives external services (JetPack, marketing tools, etc.) remote access to the site. Most sites don’t need this functionality, so it can be blocked. I found this article listing a couple of ways to do it, and it’s one of the services we’ll add to our site this year, as part of the security checkup.

Two Ways to Fully Disable WordPress XML-RPC

You have to be careful and make sure that nothing is using it. I wonder if there’s a plugin already out there which helps determine whether it’s being used on a site. Will check and update if I find something.
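One way to answer the "is anything using it?" question without a plugin is to look at the web server's access log. The script below is an added example, not code from this post or from any WordPress plugin: it parses Apache/nginx "combined" format log lines, keeps only requests for xmlrpc.php, and summarises them by client address and User-Agent. A legitimate integration usually shows up as a small, steady number of calls from a recognisable User-Agent, while abuse shows up as a burst of POSTs from one address (xmlrpc.php returns HTTP 200 even for failed logins, so the status code is no help; the volume per client is). The sample log lines, the addresses (RFC 5737 documentation ranges), the "ExampleConnector/1.0" User-Agent and the burst threshold of 20 are all constructed for the example.

```python
import re
import sys
from collections import Counter

# Apache/nginx "combined" log format:
#   ip ident user [time] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it doesn't match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_xmlrpc(path):
    """True when the request targets xmlrpc.php (query string and directory prefix ignored)."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1] == "xmlrpc.php"


def xmlrpc_report(lines, burst_threshold=20):
    """Summarise xmlrpc.php traffic: who calls it, with which User-Agent, and which clients look abusive.

    burst_threshold is a constructed heuristic: a client sending at least that many
    xmlrpc.php requests in the analysed window is reported as a possible brute force source.
    """
    by_ip = Counter()
    by_ua = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_xmlrpc(rec["path"]):
            continue  # unparsable line, or a request for something else
        by_ip[rec["ip"]] += 1
        by_ua[rec["ua"]] += 1
    # xmlrpc.php answers 200 even to failed logins, so the HTTP status is not a signal;
    # the number of calls per client is.
    suspected = sorted(ip for ip, n in by_ip.items() if n >= burst_threshold)
    return {
        "total": sum(by_ip.values()),
        "by_ip": by_ip,
        "by_ua": by_ua,
        "suspected_bruteforce": suspected,
    }


# Constructed sample log: one client hammering xmlrpc.php, one integration calling it twice,
# one unrelated page view, and one line that is not in combined format at all.
SAMPLE_LINES = [
    f'203.0.113.5 - - [10/Jan/2018:08:01:{i:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    for i in range(25)
] + [
    '198.51.100.7 - - [10/Jan/2018:08:05:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "ExampleConnector/1.0"',
    '198.51.100.7 - - [10/Jan/2018:08:05:11 +0000] "POST /xmlrpc.php?for=example HTTP/1.1" 200 412 "-" "ExampleConnector/1.0"',
    '192.0.2.9 - - [10/Jan/2018:08:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "this line is not in combined format",
]


def main(lines=SAMPLE_LINES, path=None):
    """Print the report for the constructed sample, or for a real access log given as a path."""
    if path:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    r = xmlrpc_report(lines)
    print(f"xmlrpc.php requests: {r['total']}")
    print("by User-Agent:")
    for ua, n in r["by_ua"].most_common():
        print(f"  {n:5d}  {ua!r}")
    print("by client address:")
    for ip, n in r["by_ip"].most_common():
        flag = "  <-- possible brute force" if ip in r["suspected_bruteforce"] else ""
        print(f"  {n:5d}  {ip}{flag}")


if __name__ == "__main__":
    main(path=sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against a real log with `python xmlrpc_report.py /var/log/apache2/access.log` (path is an example). If the only User-Agents listed are ones you don't recognise as a service you set up, nothing legitimate is using xmlrpc.php and blocking it is safe; if a known integration appears, you know what will break before you disable it.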

New serious vulnerabilities – Spectre and Meltdown

Two hardware vulnerabilities have been recently revealed, and they affect the CPUs (brains) of most modern computers and electronic devices. The only permanent fix is replacing the affected hardware but there isn’t anything available just yet. It’s going to take some serious work by hardware vendors to come up with a solution. That being said, software patches are being made available, so go ahead and perform any updates that become available for your computer, phone, tablet, and all other electronic devices as soon as possible.

Since this affects pretty much all computers, your website may also be rebooted during the patching process. Contact your web host with any questions.

Full details, in human-readable form (!), are on the Defiant blog: The Impact of Meltdown and Spectre Vulnerabilities

Huge password database found on the dark web

One of my newsletters had an interesting article in it today. It talked about a database of login credentials that is open and available for cybercriminals to download, if they know how to find it. They also provided an email address where you can check to see if your email is in the database.

How to See if Your Email is in The Database

Send an email to verification@4iq.com with the subject line Password Exposure Check, and they will send you back an email if they find the sending email address in the database.

I did this with three of my email addresses, and two came back with one password each. They were very old passwords, I think, because I now use a scheme that makes the password different for every site but follows a pattern, so I know what the password should be.

Never Reuse Passwords

Yes, it’s a hassle to keep track of passwords. You really should use a different password for every site, because if you use the same one everywhere and one site gets compromised, it could potentially compromise any and all other accounts where you use that password. This is especially true for email passwords. Think of all the information to be had if someone is able to log in to your email.

How to Keep Your Passwords Unique

One idea is to use a simple phrase that also includes a couple of different characters depending on the website where it’s being used. For example, you could use something like:

Hello world! 29#WE

Where WE is the first two or three letters of the name of the website. The only thing that would vary is the letters at the end (or in the middle, wherever you decide to put them). This strategy has worked well for me, though I do encounter some sites that don’t allow spaces or other weird characters, so it’s not always possible to follow the scheme for every site. But then I just remove the spaces and if that doesn’t work, I remove the special characters. And if those things don’t work, I just request a new password and then write it down in my password notebook.

Another thing I do, to vary them just a little more, is to use a different number for personal use websites (like AllRecipes.com or Facebook) versus business websites.

Stay safe out there!