Welcome to Perishable Press!

Stop User Enumeration in WordPress

This tutorial explains how to block user-enumeration scans in WordPress. As explained in greater depth here, user enumeration happens when some malicious script scans a WordPress site for user data by requesting numerical user IDs. For example, requests for ?author=1 through some number, say, ?author=1000, may reveal the usernames for all associated users. With a simple enumeration script, an attacker can scan your site and obtain a list of login names in a matter of seconds. Read more »

WordPress Performance Issue Revisited

Following up on my recent performance report with essentially some conclusive results. Turns out that the reported issue is related more directly to the version of PHP than to the version of WordPress. So in other words, WordPress runs a bit faster on newer versions of PHP. As explained previously, after I upgraded my sites to WordPress 4.4, Googlebot reported slightly longer load times for my pages. The slower loading average was seen across numerous sites, and it looked like the WordPress 4.4 update was to blame. Read more »

They’re Scanning for Your Backup Files

Just a reminder to keep your backup files offline. Do not store them in any publicly accessible space. It’s just not worth the risk man. And if you’re working online, you should know this already. If not, then continue reading to learn why it’s absolutely mission critical. Read more »

Brute-Force Login Drip Attack

I’ve been noticing a new strategy for brute-force login attacks: the slow, incremental “drip” attack. Instead of slamming a login page with hundreds or thousands of brute-force login attempts all within a few minutes, some attackers have been taking a more low-key approach by slowing down the rate of login attempts in order to bypass security measures. The “drip” brute-force attack is extremely annoying, and possibly dangerous if any of your registered users are using weak login credentials. Read more »

OS X TotalFinder Alternatives

For years, I enjoyed the advanced Finder functionality provided by BinaryAge’s excellent app, TotalFinder. Mac’s native Finder enables users to navigate and manage their files, similar in concept to Windows File Explorer. Unfortunately, as explained in my rant about things that suck about Mac, TotalFinder is no longer compatible with Mac 10.11+. Fortunately there are plenty of decent alternatives to TotalFinder, even if you’re running the latest version of Mac OS X. Read more »

WordPress Plugin: Dashboard Widgets Suite

1 Plugin. 9 Widgets. Awesome Dashboard. Over the years, I’ve assembled a collection of Dashboard widgets that I use frequently on various sites. I find the WordPress Dashboard to be a convenient location for posting notes, viewing debug and error logs, and displaying social media icons, RSS feeds, and other useful information. I find these widgets essential, but I was spending way too much time installing and managing them on all of my sites. To help streamline workflow and boost productivity, I decided to bundle together my favorite Dashboard widgets into a single, easy-to-manage plugin. So today I’m pleased to […] Read more »

Stop RSSing.com from Framing Your Content

This quick post explains how to stop the notorious site scrapers, RSSing.com, from stealing your content. In fact, this technique can be used to stop virtually any site that uses HTML frames to scrape your pages. Once again, the solution is one line of .htaccess to the rescue. Read more »

Use Strong Usernames for Better Security

Here is a quick security tip for people using popular apps on the Web. That is, apps like WordPress that may be widely used and targeted by bad actors and/or automated scripts. It’s all about adding another layer of security by hardening admin-level usernames. Read more »

Things that kinda suck about Apple/Mac

I dove into the world of Apple/Mac over five years ago. Overall I think it’s a huge step up from anything Windows related, but there are some things that I feel kinda suck about Mac OS X and Apple products in general. This post rounds up some of my thoughts, hopefully to help promote discussion and encourage some much-needed improvement. Read more »

How to Block Baidu Bot

A user of my 6G Firewall recently asked how to block the “baidu” bot from accessing their site. This post explains why Baidu is not blocked in 6G and provides a quick .htaccess technique to deny it (or anything claiming to be it) access to your site. Read more »

What Chrome Predictive URLs Look Like on the Server

A while ago, I was confused by repetitive 404 “Not Found” errors in my server logs. The 404 requests look like someone is typing out various words, a few letters at a time. This post shows what these weird 404s look like from the server’s perspective, and then goes on to explain why they happen and why there is no practical way of preventing them. Read more »

WordPress Performance Issue?

Just wanted to share a mysterious trend reported for my sites by Google Webmaster Tools, and ask if anyone else is seeing the same pattern. It looks like it’s related to the WordPress 4.4 update, but I’m not 100% sure, so putting the data out there in hopes that others can help shed some light on the issue. Read more »

Example of a Spoofed Search Engine Bot

While solving the recent search engine spoofing mystery, I came across two excellent examples of spoofed search engine bots. This article uses the examples to explain how to identify any questionable bots hitting your site. Read more »

Coda 2 Lessons Learned

I recently switched over to Panic’s Coda 2 for code editing and SFTP functionality. After using my previous editor/FTP software for over 10 years, I was surprised that learning Coda 2 happened so easily. It literally took me like two days of using it before I was back up to full development speed. In the process of learning, I discovered numerous questions and concerns that weren’t covered in the Coda 2 documentation or anywhere online. This post rounds up these issues and provides solutions or answers for each of them. For experienced Coda users, most of this article may seem […] Read more »

Analyzing Weird 404 Search Engine Requests

Lately I’ve been getting a significant number of really weird 404 requests for one of my sites. At first I ignored them. Then upon closer inspection, I realized that the requests were reporting user agents like Googlebot, Bingbot, and other top search engines. So there was cause for concern. You don’t want legitimate search engines tripping over endless 404 requests that are completely unrelated to your site content. That gets into “negative SEO” territory, and should be investigated and resolved asap. This article explains what I was dealing with, how I investigated, and what I did to resolve the issue. Read more »

Block D-Bag Database Exploits

Some douchebag has been scanning my sites for a variety of potential database exploits. My sites are secure, so there is no real security threat, but the scans are extremely annoying and waste my server resources. Resources like bandwidth and memory that I would rather use for legitimate visitors. So after collecting some data and experimenting a bit, I wrote a simple .htaccess snippet to block a vast majority of these pathetic database-exploit scans. Read more »
