Security Knowledge Base
Best practice guides, vulnerability analysis, and defense strategies for WordPress security. Continuously updated to help you build a safer website.

How to Recover a Hacked WordPress Site: Step-by-Step
Discovering that your WordPress website has been hacked can be an incredibly stressful experience. Whether your site is redirecting to shady URLs, displaying strange pop-ups, or has been blacklisted by Google, the panic is completely understandable. However, you need to act quickly and methodically. This step-by-step guide will walk you through the process of cleaning…
February 27, 2026

Understanding WordPress File Permissions: A Security Guide
When it comes to WordPress security, file permissions are often overlooked by beginners. However, configuring them correctly is one of the most fundamental steps in protecting your website from hackers and malware. If your permissions are too loose, anyone can modify or delete your critical site files. If they are too strict, your site might…
February 26, 2026

How to Set Up Two-Factor Authentication (2FA) on WordPress
Securing your WordPress website is more important than ever. Passwords alone are no longer enough to protect your site from brute-force attacks, data breaches, and unauthorized access. This is where Two-Factor Authentication (2FA) comes in. By adding an extra layer of security, 2FA ensures that even if a hacker guesses your password, they won't be…
February 26, 2026

WordPress Security Checklist: The Complete Pre-Launch Guide
You've spent weeks (or months) designing your new WordPress site. The content is polished, the plugins are configured, and you are finally ready to hit "Publish" and share it with the world. Stop. The moment your website goes live and the DNS propagates, automated bots will begin scanning it within hours. If you haven't locked…
February 25, 2026

How to Choose a Secure WordPress Hosting Provider
There is a hard truth in WordPress security: You cannot fix a bad host with security plugins. If your web server is fundamentally insecure—if it runs outdated software, lacks user isolation, or leaves critical ports wide open—no amount of firewall plugins or strong passwords will keep your site safe. Your hosting provider is the foundation…
February 24, 2026

The Ultimate WordPress Security Guide: How to Harden Your Site in 2026
WordPress powers over 43% of the entire internet. From personal blogs to Fortune 500 companies, it is the operating system of the web. But with great popularity comes a great target on your back. Hackers do not target your site because they hate you; they target it because it is WordPress. They use automated bots…
February 23, 2026

What Are HTTP Security Headers? A Beginner’s Guide to Server Hardening
When you think about securing your WordPress site, you probably think about strong passwords, plugins, and firewalls. But there is a hidden layer of security that operates every time a visitor loads your page: HTTP Security Headers. Most WordPress sites do not use these headers by default. This leaves them vulnerable to a wide range…
February 21, 2026

How to Protect WordPress from Brute Force Attacks
A Brute Force Attack is the simplest yet most effective method hackers use to break into WordPress websites. The concept is straightforward: an automated script (bot) attempts to log in to your site by guessing thousands of username and password combinations every minute. Because WordPress is the most popular CMS in the world, its default…
February 18, 2026

How to Use FunSentry to Scan Your WordPress Site — Free Security Scanner
What FunSentry Scans (and What It Doesn't): Before we dive in, it's important to understand FunSentry's approach. What It Does: FunSentry performs passive security scanning — it only accesses publicly available information. Think of it as checking all the doors and windows of your house from the outside, without ever entering. Specifically, it checks 15…
February 18, 2026

What Is XML-RPC in WordPress? Why You Should Disable It
If you've ever run a security scan on your WordPress site — say, using a tool like FunSentry — you may have seen a warning flag next to something called XML-RPC. The recommendation is almost always the same: disable it. But what exactly is XML-RPC? Why does WordPress include it? And why do security professionals…
February 18, 2026

WordPress REST API Security: Risks & Hardening Guide
Since WordPress 4.7, the REST API has been enabled by default. It powers the Block Editor (Gutenberg), allows "Headless" WordPress setups, and lets plugins communicate with external services. However, by default, the REST API is also publicly accessible. Anyone—including hackers and bots—can query your site’s API endpoints (/wp-json/) to extract data about your users, posts,…
February 18, 2026

SSL/TLS Certificates: The Complete Guide for WordPress Security
In 2025, having an SSL certificate is not a "bonus" feature—it is the absolute baseline for running a website. If your WordPress site still loads over HTTP instead of HTTPS, browsers like Chrome and Safari will explicitly label your site as "Not Secure" in the address bar. This destroys user trust immediately. Furthermore, Google uses…
February 17, 2026