I’m not particularly into either npm (the JavaScript dependency library and installer) or cryptocoins (approximately “Bitcoins”), but I was talking some fellow WordPress developers and this pretty interesting and complex security story came up. The summary is this:

In this Quick Guide, we’ll walk you through how to reset a WordPress user’s password using cPanel and phpMyAdmin. To change WordPress passwords from cPanel is simple (it takes less than a minute front-to-back) and it’s a very useful trick to know—one we use at least a couple times every single month in our work with our clients.

While writing WordPress Security with Confidence last year, I spent a lot of time waiting for the latest revision of the OWASP Top Ten, the 2017 version. They ended up taking too much too long to publish, and I made the course focusing on the 2013 version, which was the most-recent-finalized iteration at the time the course went live. I don’t regret that choice, but I wanted to make sure I was well acquainted with the 2017 iteration.

As a part of WordPress Security with Confidence, I built a feature that I felt a lot of people were hungry for. It’s a comparison table of WordPress security plugins. It starts to take people along the journey from “security is a serious topic that I have no idea how to handle” and toward “security is a set of problems I can solve in a variety of ways.” That transition is my motivation for the course, and it’s also the motivation for something I just made free: WPSecurityCompared.com. Which, well, makes it easy to compare WordPress security plugins.

Your first million dollars. The game-winning catch. A guest post in Smashing Magazine. These are life’s moments of pure success, and David had one of them this week. We’ll keep you posted on the other two.

We all know the importance of taking WordPress security seriously. Yet, from choosing the right plugin to HTTPS, from to Equifax to GDPR, from “secure enough” to “absolutely secure,” the world of WordPress security is confusing, obfuscated, and difficult to navigate.

I’ve been thinking hard about two-factor authentication in the last few months. I think it’s great, but you can’t deny the hassle. So while I’ve enabled it on small number of my most valuable accounts, I admit that I’ve not put it everywhere. I don’t have it on my WordPress sites–partly from avoidance of the (admittedly, relatively minor) hassle it represents, more just out of inertia. Helpfully, I just found this solid article from the folks over at WP WhiteSecurity about what options exist for turning on two factor for WordPress.

In an effort to make sure I miss nothing for my forthcoming security course (which may or may not be coming in November…), I’ve been watching a lot of WordPress.tv talks tagged with “security”. Many of the talks are very very good, but this one has an added interesting trait: it’s got little to do with WordPress.

Security is a very important topic. To secure WordPress, you must have responsible users making use of an instance of WordPress that is only executing secure code (maybe helped by some extra “hardening”) on a secured server. But a compromise of any part of that can invalidate on all your work on any other part. There is no single solution to having a secure WordPress site.

Many people are worried about WordPress security. The core project is secure (if updated) but that doesn’t stop people form worrying. That said, it doesn’t mean that there is no benefit from taking steps to harden the base configuration. I personally dislike most “security” plugins–they feel too big to me and the benefits they confer are small or unknown.