Category: Internet

21 Tips for Using Google Search Console to Effectively Grow Your Website Traffic

Do you want to use Google Search Console to grow your website traffic?

Google Search Console is a powerful free tool created by Google to help website owners understand how Google sees their website. Unfortunately, most businesses don’t know how to effectively use the full power of Google Search Console to increase their website traffic.

In this article, we will show you how to properly use Google Search Console to improve your website SEO and get more visitors.

Using Google Search Console to grow your website

What is Google Search Console?

Google Search Console is a free tool offered by Google to help website owners monitor and maintain their site’s presence in Google search results.

It provides essential marketing data that you need to start tracking from day one. It also alerts you about errors, security issues, and indexing problems that may affect your website’s search rankings.

You can use all this information in your WordPress SEO strategy to increase your website traffic.

The sad part is that most businesses don’t utilize the full power of Google Search Console because most of them think that just adding their website to Google Search Console is enough.

There’s so much more that you can do with the tool.

If you’re not leveraging all of the powerful features that Google Search Console offers, then you’re missing out.

Luckily, we’re here to help. We have created this ultimate Google Search Console guide to help you grow your website like a Pro.

Note: Since this is a comprehensive guide, we have added a table of contents for easier navigation.

Setting up Google Search Console

Fixing Crawling Issues

Growing Your Website

Useful Google Search Console Tools

1. Adding Your Website to Google Search Console

If you haven’t already done so, then you need to go ahead and add your website to Google Search Console. It is really simple and will only take a few minutes.

Simply go to Google Search Console website and click on the Start Now button.

Click the start now button

You’ll be asked to sign in using a Google / Gmail account. Once logged in, you will need to enter your website URL.

Google Search Console offers 2 methods for site verification, including domain name or URL prefix. We recommend using the URL Prefix method as it provides more flexibility.

Choose a property type

Do remember that Google considers HTTP and HTTPS as two different protocols. It also considers https://www.example.com and https://example.com as two different websites.

You’ll need to make sure that you enter the correct URL of your website.

If you are unsure, then simply login to your WordPress admin area and go to Settings » General page. There you will see your website’s URL in the site address field.

Site address

After entering your website address, click on the ‘Continue’ button.

Next, you will be asked to verify ownership of your website. There are several ways to do that, but we will show the HTML tag method because it is the easiest one.

Verify ownership

Click on the HTML tag to expand it and then copy the code inside it.

Next, you’ll need to add the code to your WordPress website so that Google can verify the ownership. However, this requires coding, which can be tricky for beginners.

An easier way of adding Google Search Console to WordPress is by using All in One SEO (AIOSEO). It’s the best SEO tool for WordPress and used by over 3 million users.

First, you’ll need to install and activate the AIOSEO Lite plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you can go to AIOSEO » General Settings page and then click the ‘Webmaster Tools’ tab. Next, select the ‘Google Search Console’ option under Webmaster Tools Verification.

Webmaster tools in AIOSEO

After that, go ahead and enter the code you copied earlier from Google Search Console into the ‘Google Verification Code’ box.

Enter Google verification code

Don’t forget to click on the ‘Save Changes’ button to store your changes.

You can now go back to Google Search Console settings and click on the ‘Verify’ button.

Click the verify button

Google Search Console will now look for the HTML tag in your website code and show you a success message.

Verification success

That’s all. You have successfully added your site to Google Search Console. You can now click on the ‘Go to Property’ link to visit your Google Search Console dashboard.

Note: if Google Search Console cannot verify your website after you have added the code in Insert Headers and Footer plugin, then you need to make sure to clear your WordPress cache and try again.

2. Adding an XML Sitemap

An XML sitemap is a way for website owners to tell search engines about all the pages that exist on their website. It also tells search engines which links on your website are more important than others.

Adding an XML sitemap to your website helps search engines better crawl your website. While it doesn’t give you a boost in search rankings, it can definitely help search engines index your content more efficiently.

The best part is that if you installed All in One SEO (AIOSEO) in the first step, then the plugin automatically adds an XML sitemap to your site.

To see the sitemap, you can head over to All in One SEO » Sitemaps and make sure that the toggle for ‘Enable Sitemap’ is switched on.

Enable sitemap

The plugin will automatically generate an XML sitemap for your website, and you can find it at the URL that looks like this:

http://example.com/sitemap_index.xml

Don’t forget to replace example.com with your own domain name. You can now submit this URL in Google Search Console.

Next, head over to the Google Search Console dashboard and then click on the ‘Sitemaps’ option from the left column. After that, you can paste the URL and click the ‘Submit’ button.

Add a new sitemap

Google Search Console will now check your sitemap and use it to improve your website’s crawling. You can go through our guide on how to add a sitemap page in WordPress for more details.

3. Connect Google Search Console to Google Analytics

Connecting Google Search Console to your Google Analytics account helps you analyze search console data in Google Analytics. This provides you with a new perspective on your top-performing content and keywords.

If you haven’t already done so, then you will need to install Google Analytics on your WordPress website.

We recommend using MonsterInsights for that. It is the best Google Analytics plugin for WordPress, and it will automatically show your top keywords from Google Search Console in your WordPress admin area.

Search console report

To connect Google Search Console to your Analytics account, you need to head over to Google Analytics dashboard for your website. From the bottom left corner of the screen, click on the ‘Admin’ button.

Click the admin settings button

Google Analytics will now switch to the admin view. From here, you need to click on the ‘Property Settings’ section and then click on the ‘Adjust Search Console’ button.

Adjust console

On the next screen, you need to click on the Add button to select your website.

Add search console

Analytics will now take you to the Google Search Console website showing you the list of all websites you have added to the search console. Select the property you want to link to Google Analytics from the dropdown menu.

Select a property

After that, you’ll need to select the Google Analytics property you’d like to connect with Search Console and click the ‘Continue’ button.

Choose associated Analytics property

You’ll now see a popup window showing that you’ve successfully connected Google Analytics and Search Console.

Confirm association between analytics and search console

That’s all. You have successfully connected your Google Search Console data to your Analytics account. You can go back to the Google Analytics Search Console settings page to see the connected Search Console and click the ‘Save’ button.

See search console and analytics connection

You can now view the newly unclocked Search Console reports in your Google Analytics account under Acquisition reports. It also helps unlock keywords not provided in Google Analytics.

Landing page report in analytics

The first report you will find there is the ‘landing pages’ report.

For each landing page, you’ll see the impressions (number of times a page appeared in search results), clicks, click-through rate (CTR), and average position in the search results. Combined with that page’s analytics parameters like bounce rate, sessions, and pages per session.

Clicking a landing page will show you the actual keywords that brought users to this landing page.

Search query report

Next, you can Switch to the ‘Countries’ report, and you will see countries listed in the same order. This helps in creating content and geolocation marketing campaigns for people from different regions.

Countries report in search console

The devices report will show you how your site performed in desktop, mobile, and tablet search results.

Devices report in search console

Next, Queries are the most important of all reports among this data. It shows you the keyword data missing from your Google Analytics reports. You can see which search terms are driving traffic to your site.

Queries report in search console

4. Finding and Fixing Search Indexing Issues

The most helpful feature of Google Search Console is that you can troubleshoot indexing errors.

These errors can affect your search rankings by stopping the search engine from crawling and indexing the pages on your website.

You can easily locate these errors under the Coverage report.

It shows you which pages from your website are indexed by Google and which pages resulted in an error or a warning.

Coverage report

Next, scroll down, and you will see the detailed list of all the errors. Clicking on a link will open the detailed view, where you will also find the link to learn more about the error and how to fix it.

Following are a few common indexing errors you may see:

  • 404 error – This error means that the crawler followed a URL and saw a 404 error.
  • Soft 404 error – This error occurs when the crawler sees a 404 error page, but the page’s status code is sending a 200 (success) message to the browser.
  • Server error – This means that your website server timed out or didn’t respond. This could happen if your website were under heavy traffic, was under maintenance, or unavailable for any other reason.
  • Not followed – This error occurs when Google is not able to follow a content type. This could be a flash, javascript, iframe, or other resources that the crawler cannot fetch.

Now let’s take a look at how to fix some of these crawl errors.

5. Fixing 404 Errors in Google Search Console

First, you need to keep in mind that not all 404 errors are equal. You can safely ignore some of them and only fix those that are actually an error.

For example, if you deleted a blog post and don’t want to redirect users to a newer post, then it is ok to let Google see a 404 error page. Google will eventually deindex that page if it keeps seeing the 404 error.

However, the reason Google wants you to look at those 404 errors is that you may not be aware of them. For example, you accidentally deleted something or forgot to redirect users to the new updated version.

Simply click on the error in the Index Coverage report, and it will show you all the pages displaying that error. Carefully review the pages and if you see a page that shouldn’t be there, then copy its URL and open it in a new browser window.

If you see a 404 error page in your browser, then this means that you need to fix this page.

Now, if it is a page that no longer exists but you have a newer or similar version of it, then you would want to redirect users to that page. See our guide on how to set up redirects in WordPress.

However, sometimes 404 errors may occur due to a misconfiguration in WordPress permalink structure. To fix this, simply visit Settings » Permalinks and then click on the ‘Save Changes’ button without changing anything.

Save changes in permalink

6. Fixing Soft 404 Errors in Google Search Console

Soft 404 errors are a bit tricky to troubleshoot.

Basically, these errors occur when the Google bot sees what looks like a 404 error document instead of content. However, your server is sending a 200 (success) code. Normally, your server sends a 200 success code when a page is displayed without an error or redirect.

Soft 404 errors

To resolve soft 404 errors, go ahead and click on the errors in the Coverage report to view the list of affected pages.

Now, you need to open the page in a new browser tab to see what’s happening. If the page displays correctly, then you can safely ignore the error.

On the other hand, if the page is showing a 404 error document, then you may want to investigate further.

Start by clicking the ‘Submitted URL seems to be a Soft 404’ link from the Coverage report. Next, you can open the link in a new tab to check if it’s not a false alarm.

If the page is valid and you want it to appear in the search results, then simply click the ‘VALIDATE FIX’ button. Google will then recrawl the page and change the status error.

Fix soft 404 error

If the WordPress search function causes the soft 404 errors you are seeing, then the easiest solution is to stop the Google bot from crawling search URLs.

To do that you need to add the following lines to your robots.txt file.

123User-agent: *Disallow: /?s=Disallow: /search/

Usually, Google Bot doesn’t crawl search URLs. However, some spammers might try to spam Google search console reports by linking to search URLs with random strings. This way, they hope you will see their link in your Search Console report and click on it.

If the affected URLs are not searched queries, then you may want to redirect them to a proper page on your site.

7. Fixing Server Error in Google Search Console

Server Errors in Google Search Console are caused by a number of reasons. The most common of them is when your server times out during a crawl, throws an unexpected error or does not appear to be online.

Use the ‘URL inspection’ tool to make sure that the affected URL is working.

If it is working, then you can ignore the error. If you are on a reliable WordPress hosting provider, then most server errors would disappear automatically.

However, if you can confirm the error by visiting the URL, then there are several things you can do to fix it. See our list of most common WordPress errors guide to find a fix for the specific error message you are seeing.

8. Finding and Fixing Security Issues

Security issues

Security issues not only stop Google from crawling your website, but they could also cause a sudden drop in search traffic. Google may temporarily remove affected pages, show a warning to users, and drop a page’s ranking.

Security issues will be highlighted on the overview screen as you login to your Google Search Console account. The most common security issue is websites affected by malware and trojans.

To fix this, see our guide on how to clean a hacked WordPress website for step by step instructions.

For more details, see our article on how How to fix a website after getting de-indexed by Google and ultimate WordPress security guide.

9. Finding Manual Actions and Requesting Review

While security issues are automatically triggered, manual actions are the penalties that are imposed by human staff from the Google Search team after a careful review. If a manual action is taken against your website, then this is pretty significant and can immediately take away all your search traffic.

These manual actions usually occur when a website is involved in illegal activities, spamming, and other fraudulent or fishy activities.

Manual actions

Clicking on the Manual Actions link will show you the actions in your search console report. You will also find detailed information about the issue that triggered it and how to clean it up.

Once you have removed the objectionable content, you can click on the request review button. Your website will now be reviewed and reconsidered by the Google Search team, and they can decide on removing the penalty.

10. Using Google Search Console To Grow Traffic

Now that we have covered the technical bits, let’s get to the fun part of growing your website traffic by utilizing the data available in Search Console.

Google Search Console helps you uncover keyword data, find out your top-performing keywords, and discover hundreds of potential keywords where you can easily rank and get more traffic.

We will also look at links and how to use them to improve search rankings.

Ready? Let’s get started.

11. Mining Keyword Data in Google Search Console

Keywords are the search terms users type in search engines to find information.

Marketers and website owners can optimize their content to target desired keywords and improve their chances of appearing on top in search results.

Previously, keyword data was available in website stats and analytics reports in Google Analytics. However, Google encrypted that information in 2013 when they switched to HTTPS.

As a result, if you try to view search queries in Google Analytics, you’ll most likely see ‘not provided’ keywords. A simple solution to this issue is connecting Google Analytics with Search Console.

You can also view the keyword data in your Google Search Console reports.

It gives you a full view of the keywords your website is ranking for, average position, clicks, and impressions (number of times your site appears for that keyword).

You can see this information in your Google Search Console reports under the ‘Performance’ tab.

Performance report

On the top, you will see a graph of your website’s performance in search results. Below that, you will see the keywords data, which you can filter by position, impression, and click-through rate.

Top keyword in search console

You can sort this data by clicking on any column or using the filter option to narrow down the results.

Filter top keywords

You can also switch to the Pages tab to see the performance of your pages in search results.

Clicking on any page in the list will filter the results for that page. You can then switch to the ‘Queries’ tab to see the keywords that bring the traffic to that particular page.

Now that we have covered how to browse and view this data, let’s see how actually to use this in your SEO and content planning.

12. Finding Low-hanging Keywords That You Can Easily Rank

A lot of your pages may be ranking on page 2 or 3 of Google search results for different keywords. These are the keywords that you can quickly work on to rank higher and get more traffic.

Let’s find out those keywords.

In your Performance report, click on the filter icon and then select the ‘Position’ option. Next, you’ll be looking for keywords where the average position is higher than 7.

Use filter by position

Search Console will now only show the keywords where your site appears on an average position of 7 or higher. Now, click twice on the position column to sort the list in ascending order.

Sort positions

As you scroll down, you will find tons of keywords that rank between 7 and 30. All these keywords are low-hanging fruits where you can easily rank higher.

To view more results, scroll to the bottom and select a higher number for ‘Rows per page.’

Rows per page

When choosing the keywords to work on, you would want to choose keywords based on their number of impressions. Higher impressions mean more search traffic for those keywords.

To do that, you can export the data in CSV format and then open it in spreadsheet software.

download data

Now that you have mined the low-hanging keywords with higher impressions, the question is how do you improve your rankings for those keywords?

Here are some tips to help you improve your rankings for those keywords.

1. Improve the content by adding more useful information

The #1 reason your page isn’t ranking for a keyword is that Google finds other content more valuable. To counter that, you need to review your article or blog post and add helpful content.

Look at the articles ranking on top five positions for that keyword and cover all the information that your article is missing in more detail.

We are not saying that you should just add more text to it. You need to make it more useful, informative, and comprehensive.

2. Evaluate On-page SEO

Use All in One SEO (AIOSEO) to improve the on-page SEO score for that article. It gives practical tips on improving a page by analyzing the content, keyword density, title, readability, links, and more.

AIOSEO page analysis

You can also check out our guide on the SEO audit checklist to boost your rankings.

3. Increase time users spend on that page

Google considers it a success when users click on a search result and spend time viewing it. This means your content needs to be highly engaging and instantly provide users with the information they were looking for.

Here are some crazy simple things you can do to increase user engagement.

  • Use images – users find images much easier to look at than text. Adding more images makes it easier for users to scan the information and keeps them engaged.
  • Use videos – Videos are the most engaging form of content available. Adding video to a page significantly increases the time users spend viewing that page.
  • Make text more readable – Use smaller paragraphs, lots of white space, simpler sentences, and keep your style casual and conversational. All these things make reading easier for users.

For more tips, see this article on how to increase time users spend on your site.

13. Using Link Reports in Google Search Console

Links play an important role in WordPress SEO. Search engines use them as a metric to determine how important a page is and where it should rank in search results.

The Links report in Google Search helps you see your website’s performance in terms of links.

It shows you external links, internal links, top linking sites, and top linking text. More importantly, it shows top linking sites, how often they link to your site, and how many pages they link to.

Let’s see how you can use these reports to get more backlinks, improve internal links, and boost your rankings.

Search console shows third-party websites that have linked to your site in the ‘Top linking sites’ report. You can expand the report by clicking on the ‘More’ link at the bottom.

Top linking sites

If you click on a domain name to expand the report, you will see all the pages they have linked to. Next, click on each page to get the exact URL linked to that particular page.

You can now use this data to get more backlinks for your site. Simply visit the website and see how they have linked to you. After that, see what other content they have where your site can be linked from.

Next, simply reach out to the website via email or contact form on their website.

First, thank them for linking to your article and then politely mention that they may want to include a link to an article of yours.

Now, this direct approach may not always work. In that case, you need to be creative. You can offer them to write a guest post for their blog, leave comments on their articles, follow them on social media, or retweet their articles.

Repeat the process for all important external links on your website. With consistent effort, you can get proper backlinks without spending any money.

15. Improving Internal Links to Boost Rankings

It is harder to get third-party websites to link to your content. However, it is way easier to link to your own content from your own site. This practice is called internal linking.

Internal linking helps search engines understand the context and relationships among different pages on your website. It also helps them understand which pages are important based on how often you have linked to them.

This is why you should make internal linking a habit when writing new content on your website or blog.

Now let’s see how to use the links reports in Search Console to help you build internal links.

In Google Search Console, click on the Links report and then click on the ‘More’ link under the ‘Internal Links’ column. The report shows how often you have linked to other pages on your site.

Go ahead and click the filter icon and then select the ‘Target page’ option.

Filter internal links

Search Console will now show you how many pages are linking to this page. You can now compare it with other pages and see whether pages with more internal links are ranking higher than posts with many internal links.

If that’s the case, then go ahead and start adding internal links to pages that you want to rank higher. Make sure you are only linking to the article when it makes sense. Adding links where they don’t make sense would create a bad user experience.

16. Using Core Web Vitals in Search Console

Did you know that Google now considers your website loading speed as a ranking factor?

In 2020, Google introduced Core Web Vitals that measures how fast your website is and help the search engine measure your site’s user experience.

In Google Search Console, you can view the ‘Core Web Vitals’ report under the Experience menu on your left. It provides a complete report about your site’s speed score for mobile and desktop.

The best part is that you also get recommendations on how to improve your Core Web Vitals score and improve your site’s load time.

Core web vitals report

For more information, please refer to our guide on how to boost WordPress speed and performance.

17. Create Rich Snippets for Your WordPress Pages

Rich snippets or schema markup allows Google to display additional information in its search results. These include star ratings, prices, reviews, and more.

Rich snippets make your page more noticeable in the search results. As a result, you get more clicks and website traffic.

Rich snippet preview

Many WordPress themes automatically include some basic structured data. If you publish recipes, run a reviews site, or an online store, then rich snippets can give your site an SEO boost.

Google Search Console makes it very easy to find pages that are displaying rich snippets. It also shows the type of rich snippets for your website.

You can view them by going to ‘Overview’ and then scrolling down to the ‘Enhancements’ section.

Enhancements section in search console

The real useful part is that the report allows you to quickly look at pages that have errors while displaying rich snippets so that you can fix them.

If you want to learn more about setting up rich snippets, then please see our guide on how to add schema markup in WordPress and WooCommerce.

18. Using Search Console to Improve Mobile Usability

Nearly 63% of all Google searches in the United States come from mobile devices. That’s why Google gives an SEO bump to mobile-friendly websites in the search results.

Google has a Mobile-Friendly test tool that allows you to quickly examine a page. The Mobile Usability report in Search Console tells you how Google sees your entire website in mobile performance.

Mobile usability

If you see errors on this page, then this means that these issues may affect your site’s rankings.

To see the affected pages, you can scroll down to the ‘Details’ section and click on the error.

Mobile errors in search console

Poorly coded WordPress themes or plugins cause most mobile usability issues. The easiest way to fix those issues is by using a better responsive WordPress theme.

19. Use URL Inspection Tool in Search Console

The URL Inspection tool in Google Search Console provides information about a page if it’s on Google search results or not.

You can check the status of a page and also request Google to recrawl a page. To start, simply enter a URL in the top search bar.

URL inspection tool

Google Search Console will then show you the status of the page is indexed by Google. If it’s not indexed, then you’ll see a message saying ‘URL is not on Google.’

You can click the ‘Requesting Indexing’ button and request Google to manually fetch the page from your website.

Besides that, you can scroll down and see more details in the ‘Coverage’ report. It will show information about sitemaps, crawl history, and indexing.

Detailed coverage report

You can also live test a URL and see if there is an indexable version available. If there is, then simply click the ‘Request Indexing’ option.

Live test URL

20. Removing URLs from Google Search

So far, we have focused on using Search Console to get your content indexed and improve rankings in Google Search. However, sometimes you may want to remove content from Google Search as well.

One way to do this is to add a noindex meta tag to the page you want to remove from search results. However, depending on how often Google crawls your website, this could take some time before your page actually disappears from search results.

Search Console’s Remove URL tool allows you to request a URL to be removed from the search results. Simply click on ‘Removals’ under Index in the menu on your left.

Removals requests

Now click on the ‘New Request’ button, and a popup window will appear. Go ahead and enter the URL you want to remove, select whether you want to remove this URL only or with this prefix, and click the ‘Next’ button.

New removal request

Google will now block the URL from its search results for about six months. You can add as many URLs as you want and see them in the Removals section in the Search Console.

21. Adding Users to Access Google Search Console

If you have a marketing team or you have hired someone to help you with SEO, then those users may need access to Google search console data.

Search Console allows you to easily add users and give them access to view all reports without sharing your Google account credentials with them.

To add a new user, simply click on the Settings » Users and permissions option under Property settings and then click on ‘Add User’ button.

Add new user

Next, you need to provide the user’s valid Google account email address and select permission to grant them.

Enter user email

There are two types of permission levels. The full permission level will give them access to everything, including the ability to add new users. Restricted permissions will allow them to view the data but not add new users.

After choosing a permission level, click on the ‘Add’ button to save your changes.

The user you added will now receive an email notification, so they can login and view Google Search Console data for your website.

Helpful Resources

Following helpful resources on WPBeginner will help you further improve your website’s performance in search engines.

  • Ultimate WordPress SEO Guide – Our complete step by step WordPress SEO guide will walk you through complete WordPress SEO setup like a pro.
  • WordPress Performance Guide – Step by step guide to improve your WordPress speed and performance for higher search rankings and better user experience.
  • WordPress Security Guide – Keep your WordPress site secure with this complete WordPress security guide for beginners.
  • Tracking User Engagement – This guide helps you learn how to track user activity on your website and use it to plan your growth strategy.
  • Convert visitors into Customers – If you run an online store, then this guide will show you how to convert search traffic into paying customers.

We hope this article gave you some good tips on using Google Search Console more effectively to grow your site. You may also want to see our guide on the best managed WordPress hosting and how to move WordPress from HTTP to HTTPS.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Source :
https://www.wpbeginner.com/beginners-guide/google-search-console-ultimate-guide/

The Ultimate Guide to Boost WordPress Speed & Performance

Do you want to speed up your WordPress site? Fast loading pages improve user experience, increase your pageviews, and help with your WordPress SEO. In this article, we will share the most useful WordPress speed optimization tips to boost WordPress performance and speed up your website.

How to improve WordPress speed and performance

Unlike other “X best WordPress caching plugin” lists or generic “X tips to speeding up WordPress” tutorials, this article is a comprehensive guide to WordPress performance optimization.

We tried to cover everything from why speed is important, what slows down your WordPress site, and actionable steps that you can take to improve your WordPress speed immediately.

To make it easy, we have created a table of contents to help you navigate through our ultimate guide to speeding up your WordPress site.

Table of Contents

Basics of WordPress Performance

Speeding Up WordPress in Easy Steps (No Coding)

WordPress Performance Optimization Best Practices

Fine-Tuning WordPress for Speed (Advanced)

Why Speed is Important for Your WordPress Site?

Studies show that from 2000 to 2016, the average human attention span has dropped from 12 seconds to 7 seconds.

What does this mean for you as a website owner?

You have very little time to show users your content and convince them to stay on your website.

A slow website means users will potentially leave your website before it even loads.

According to a StrangeLoop case study that involved Amazon, Google, and other larger sites, a 1 second delay in page load time can lead to 7% loss in conversions, 11% fewer page views, and 16% decrease in customer satisfaction.

How speed affects your website

On top of that, Google and other search engines have already started penalizing slower websites by pushing them down in the search results which means lower traffic for slow websites.

To sum it all up, if you want more traffic, subscribers, and revenue from your website, then you must make your WordPress website FAST!

How to Check Your WordPress Website Speed?

Often beginners think that their website is OK just because it doesn’t feel slow on their computer. That’s a HUGE mistake.

Since you frequently visit your own website, modern browsers like Chrome store your website in the cache and automatically prefetch it as soon as you start typing an address. This makes your website load almost instantly.

However, a normal user who is visiting your website for the first time may not have the same experience.

In fact, users in different geographical locations will have a completely different experience.

This is why we recommend that you test your website speed using a tool like IsItWP’s WordPress speed test.

It is a free online tool that allows you to test your website’s speed.

IsItWP speed test tool

After you run your website speed test, you might be wondering what’s a good website speed that I should aim for?

A good page load time is under 2 seconds.

However, the faster you can make it, the better it is. A few milliseconds of improvements here and there can add up to shaving off half or even a full second from your load time.

[Back to Top ↑]

What Slows Down Your WordPress Website?

Your speed test report will likely have multiple recommendations for improvement. However, most of that is technical jargon which is hard for beginners to understand.

Learning what slows down your website is the key to improving performance and making smarter long-term decisions.

The primary causes for a slow WordPress website are:

  • Web Hosting – When your web hosting server is not properly configured it can hurt your website speed.
  • WordPress Configuration – If your WordPress site is not serving cached pages, then it will overload your server thus causing your website to be slow or crash entirely.
  • Page Size – Mainly images that aren’t optimized for web.
  • Bad Plugins – If you’re using a poorly coded plugin, then it can significantly slow down your website.
  • External scripts – External scripts such as ads, font loaders, etc can also have a huge impact on your website performance.

Now that you know what slows down your WordPress website, let’s take a look at how to speed up your WordPress website.

Importance of Good WordPress Hosting

Your WordPress hosting service plays an important role in website performance. A good shared hosting provider like Bluehost or Siteground take the extra measures to optimize your website for performance.

However, on shared hosting you share the server resources with many other customers. This means that if your neighboring site gets a lot of traffic, then it can impact the entire server performance which in turn will slow down your website.

On the other hand, using a managed WordPress hosting service give you the most optimized server configurations to run WordPress. Managed WordPress hosting companies also offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.

We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).

[Back to Top ↑]

Speeding Up WordPress in Easy Steps (No Coding)

We know that making changes to your website configuration can be a terrifying thought for beginners, especially if you’re not a tech-geek.

But don’t worry, you’re not alone. We have helped thousands of WordPress users improve their WordPress performance.

We will show you how you can speed up your WordPress site with just a few clicks (no coding required).

If you can point-and-click, then you can do this!

Install a WordPress Caching Plugin

WordPress pages are “dynamic.” This means they’re built on the fly every time someone visits a post or page on your website.

To build your pages, WordPress has to run a process to find the required information, put it all together, and then display it to your user.

This process involves a lot of steps, and it can really slow down your website when you have multiple people visiting it at once.

That’s why we recommend every WordPress site use a caching plugin. Caching can make your WordPress site anywhere from 2x to 5x faster.

Here’s how it works.

Instead of going through the whole page generation process every time, your caching plugin makes a copy of the page after the first load, and then serves that cached version to every subsequent user.

Page caching

As you can see in the graphics above, when a user visits your WordPress site, your server retrieves information from a MySQL database and your PHP files. It then puts it all together into HTML content which is served to the user.

It’s a long process, but you can skip a lot of it when you use caching instead.

There are a lot of good WordPress caching plugins available, but we recommend using either WP Rocket (premium) or WP Super Cache (free) plugin.

Check out our step by step guide on how to install and setup WP Super Cache on your WordPress site. It’s not difficult to set up, and your visitors will notice the difference.

Many WordPress hosting companies like Bluehost and SiteGround offer caching solutions as well.

SiteGround SG Optimizer

If you are using SiteGround, then your WordPress site will come pre-installed with their SG Optimizer. This plugin has all the powerful features that you’d get with a premium WordPress caching plugin like WP Rocket.

Turn on caching in SiteGround

The best part is that it’s specially optimized for the SiteGround Google Cloud servers to give you superior performance results.

Aside from caching, you also get various other performance settings, WebP image conversion in WordPress, database optimization, CSS minification, GZIP compression, and more.

It also has dynamic caching features to help you speed up your eCommerce website.

Bluehost Caching

If you are using Bluehost, then go to My Sites » Performance section to turn on caching.

Turning on Caching in Bluehost

If you’re using a managed WordPress hosting provider, then you don’t need a caching plugin because it is built-in and turned on by default.

Bonus: You can combine caching plugins with a web application firewall like CloudFlare or Sucuri for maximum performance boost.

[Back to Top ↑]

Optimize Images for Speed

Optimizing images for speed

Images bring life to your content and help boost engagement. Researchers have found that using colored visuals makes people 80% more likely to read your content.

However, if your images aren’t optimized, then they could be hurting more than helping. In fact, non-optimized images are one of the most common speed issues that we see on beginner websites.

Before you upload a photo directly from your phone or camera, we recommend that you use photo editing software to optimize your images for the web.

In their original formats, these photos can have huge file sizes. But based on the image file format and the compression you choose in your editing software, you can decrease your image size by up to 5x.

At WPBeginner, we only use two image formats: JPEG and PNG.

Now you might be wondering: what’s the difference?

Well, PNG image format is uncompressed. When you compress an image it loses some information, so an uncompressed image will be higher quality with more detail. The downside is that it’s a larger file size, so it takes longer to load.

JPEG, on the other hand, is a compressed file format which slightly reduces image quality, but it’s significantly smaller in size.

So how do we decide which image format to choose?

  • If our photo or image has a lot of different colors, then we use JPEG.
  • If it’s a simpler image or we need a transparent image, then we use PNG.

The majority of our images are JPEGs.

Below is a comparison chart of the file sizes and different compression tool that we could have used for the StrangeLoop image used above.

Image speed chart

As you can see in the chart, the image format you use can make a HUGE difference in website performance.

For details on exactly how to optimize your images using Photoshop and other popular editing tools, without sacrificing quality, see our step by step guide on how to save images optimized for web.

[Back to Top ↑]

WordPress Performance Optimization Best Practices

After installing a caching plugin and optimizing your images, you’ll notice your site will start loading a lot faster.

But if you really want to keep your website as fast as possible, you’ll need to use the best practices listed below.

These tips aren’t too technical, so you don’t need to know any code to implement them. But using them will prevent common problems that will slow down your website.

Keep Your WordPress Site Updated

Keep WordPress updated

As a well maintained open source project, WordPress is updated frequently. Each update will not only offer new features but it will also fix security issues and bugs. Your WordPress theme and plugins may have regular updates, too.

As a website owner, it’s your responsibility to keep your WordPress site, theme, and plugins updated to the latest versions. Not doing so may make your site slow and unreliable, and make you vulnerable to security threats.

For more details on the importance of updates, see our article on why you should always use the latest WordPress version.

[Back to Top ↑]

Optimize Background Processes

Background processes in WordPress are scheduled tasks that run in the background of your WordPress site. Following are some examples of background tasks that run on a WordPress site:

  • WordPress Backup plugin tasks
  • WordPress cron jobs to publish scheduled posts
  • WordPress cron jobs to check for updates
  • Search engines and other crawlers trying to fetch content

Tasks like cron jobs for scheduled posts and updates have minimal impact on website performance.

However, other background processes like backup plugins and excessive crawling by search engines can slow down a website.

For backup plugins, you need to make sure that your WordPress backup plugin only run during low traffic time on your website. You also need to adjust the frequency of backups and data that needs to be backed up.

For example, if you are creating a complete daily backup while you only publish new content twice a week, then you need to adjust that.

If you want more frequent backups such as real-time backups, then we recommend using a SaaS solution so you’re not taxing your server.

As for crawling, you need to keep an eye on your crawl reports in Google Search console. Frequent crawls that are ending up in errors can cause your website to slow down or become unresponsive.

See our complete Google Search Console guide for beginners to learn how to adjust crawl rate.

[Back to Top ↑]

Use Excerpts on Homepage and Archives

Using excerpts

By default, WordPress displays the full content of each article on your homepage and archives. This means your homepage, categories, tags, and other archive pages will all load slower.

Another disadvantage of showing full articles on these pages is that users don’t feel the need to visit the actual article. This can reduce your pageviews, and the time your users spend on your site.

In order to speed up your loading times for archive pages, you can set your site to display excerpts instead of the full content.

You can navigate to Settings » Reading and select “For each article in a feed, show: Summary” instead of “Full Text.”

Display excerpts instead of full text to boost WordPress speed

For more details on the pros and cons of displaying summaries, see our article on full post vs summary (excerpt) in your WordPress archive pages.

[Back to Top ↑]

Split Comments into Pages

Paginate comments

Getting lots of comments on your blog posts? Congratulations! That’s a great indicator of an engaged audience.

But the downside is, loading all those comments can impact your site’s speed.

WordPress comes with a built-in solution for that. Simply go to Settings » Discussion and check the box next to the “Break comments into pages” option.

Break comments in pages

For more detailed instructions, see our guide on how to paginate comments in WordPress.

[Back to Top ↑]

Use a Content Delivery Network (CDN)

Remember how we mentioned above that users in different geographical locations may experience different loading times on your site?

That’s because the location of your web hosting servers can have an impact on your site speed.

For example, let’s say your web hosting company has its servers in the United States. A visitor who’s also in the United States will generally see faster loading times than a visitor in India.

Using a Content Delivery Network (CDN), can help to speed up loading times for all of your visitors.

A CDN is a network made up of servers all around the world. Each server will store “static” files used to make up your website.

These static files include unchanging files such as images, CSS, and JavaScript, unlike your WordPress pages which are “dynamic” as explained above.

When you use a CDN, every time a user visits your website they are served those static files from whichever server is closest to them. Your own web hosting server will also be faster since the CDN is doing a lot of the work.

You can see how it works in this infographic.

What is a CDN?

We use recommend using SucuriBunny CDN, or Cloudflare.

It works well with WordPress websites and compliments your existing WordPress caching plugins for even faster loading times.

[Back to Top ↑]

Don’t Upload Audio/Video Files Directly to WordPress

Use video hosting services like YouTube

You can directly upload audio and video files to your WordPress site, and it will automatically display them in an HTML5 player…

But you should NEVER do that!

Hosting audio and videos will cost you bandwidth. You could be charged overage fees by your web hosting company, or they may even shut down your site altogether, even if your plan includes “unlimited” bandwidth.

Hosting large media files also increases your backup sizes tremendously, and makes it difficult for you to restore WordPress from backup.

Instead, you should use an audio and video hosting service like YouTube, Vimeo, DailyMotion, SoundCloud, etc., and let them take care of the hard work. They have the bandwidth for it!

WordPress has a built-in video embed feature, so you can copy and paste your video’s URL directly into your post and it will embed automatically.

Find out more details on how it works in our guide on embedding videos in WordPress.

If you are making a podcast website with WordPress, then we recommend podcast hosting service Blubrry for the best performance.

[Back to Top ↑]

Use a Theme Optimized For Speed

Choose a theme optimized for speed

When selecting a theme for your website, it’s important to pay special attention to speed optimization. Some beautiful and impressive-looking themes are actually poorly coded and can slow your site way down.

It’s usually better to go with a simpler theme than to choose a theme that’s bloated with complex layouts, flashy animations, and other unnecessary features. You can always add those features using quality WordPress plugins.

Premium WordPress theme shops like StudioPressThemifyCSSIgniter, and Astra offer themes that are well coded and optimized for speed. You can also check out our article on selecting the perfect WordPress theme for advice on what to look for.

Before you activate your new theme, see our guide on how to properly switch your WordPress theme for a smooth transition.

[Back to Top ↑]

Use Faster Plugins

Choose faster plugins for your website

Poorly coded WordPress plugins often load too much bloat whether your site needs it or not. This increases your page load speed and slows down your site.

To help you choose the best plugins, we often publish our expert pick of best WordPress plugin showcases. We pay special attention to ease of use, user experience, and most importantly performance.

Following are some of our picks for the most common WordPress plugin categories.

  • WPForms – Fastest and most beginner friendly contact form plugin for WordPress.
  • All in One SEO – Powerful WordPress SEO plugin that puts extra emphasis on website performance to help you get higher SEO rankings.
  • MonsterInsights – Best Google analytics plugin for WordPress that doesn’t slow down your site. Even includes options to load gtag.js locally to speed up your Google Core Web Vitals score.
  • Shared Counts – Social media plugins load additional scripts and not so gracefully. Shared Counts is one of the fastest Social media plugins for WordPress.
  • SeedProd – drag & drop WordPress landing page plugin that helps you build blazing fast landing pages.

Apart from our own recommendations, you can run your own tests. Simply run speed tests before and after installing a plugin to compare its impact on performance.

[Back to Top ↑]

Fine-Tuning WordPress for Speed (Advanced)

By using the WordPress optimization best practices and basic speed tips listed above, you should see a big improvement in your site’s loading times.

But every fraction of a second counts. If you want to get the very fastest speed possible, then you’ll want to make a few more changes.

The following tips are a little more technical, with some requiring you to modify your site files or have a basic understanding of PHP. You’ll want to make sure to backup your site first just in case.

Split Long Posts into Pages

Split long posts in pages

Readers tend to love blog posts that are longer and more in-depth. Longer posts even tend to rank higher in search engines.

But if you’re publishing long-form articles with lots of images, it could be hurting your loading times.

Instead, consider splitting up your longer posts into multiple pages.

WordPress comes with built-in functionality to do that. Simply add the <!––nextpage––> tag in your article where you want to split it into next page. Do that again if you want to split the article on to the next page as well.

For more detailed instructions, see our tutorial on post pagination – how to split WordPress posts into multiple pages.

[Back to Top ↑]

Reduce External HTTP Requests

Reduce cross-domain HTTP requests

Many WordPress plugins and themes load all kinds of files from other websites. These files can include scripts, stylesheets, and images from external resources like Google, Facebook, analytics services, and so on.

It’s ok to use a few of these. Many of these files are optimized to load as quickly as possible, so it’s faster than hosting them on your own website.

But if your plugins are making a lot of these requests, then it could slow down your website significantly.

You can reduce all these external HTTP requests by disabling scripts and styles or merging them into one file. Here’s a tutorial on how to disable your plugins’ CSS files and JavaScript.

[Back to Top ↑]

Reduce Database Calls

Reduce database calls

Note: This step is a little more technical and will require basic knowledge of PHP and WordPress template files.

Unfortunately, there are a lot of poorly coded WordPress themes out there. They ignore WordPress standard practices and end up making direct database calls, or too many unnecessary requests to the database. This can really slow down your server by giving it too much work to do.

Even well-coded themes can have code that makes database calls just to get your blog’s basic information.

In this example, every time you see <?php, that’s the start of a new database call:

1234<html xmlns="http://www.w3.org/1999/xhtml" dir="<?php language_attributes(); ?>"><head profile="http://gmpg.org/xfn/11"><meta http-equiv="Content-Type" content="<?php bloginfo('html_type'); ?> charset=<?php bloginfo('charset'); ?>" />

You can’t blame theme developers for that. They simply have no other way to find out what language your site is in.

But if you are customizing your site using a child theme, then you can replace these database calls with your specific information in order to reduce all those database calls.

123<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr"><head profile="http://gmpg.org/xfn/11"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

Review your parent theme for instances like this that can be easily replaced with static information.

[Back to Top ↑]

Optimize WordPress Database

WordPress database optimization

After using WordPress for a while, your database will have lots of information that you probably don’t need any more. For improved performance, you can optimize your database to get rid of all that unnecessary information.

This can be easily managed with the WP-Sweep plugin. It allows you to clean your WordPress database by deleting things like trashed posts, revisions, unused tags, etc. It will also optimize your database’s structure with just a click.

See our guide on how to optimize and clean up your WordPress database for improved performance.

[Back to Top ↑]

Limit Post Revisions

Limit post revisions in WordPress

Post revisions take up space in your WordPress database. Some users believe that revisions can also affect some database queries run by plugins. If the plugin doesn’t specifically exclude post revisions, it might slow down your site by searching through them unnecessarily.

You can easily limit the number of revisions WordPress keeps for each article. Simply add this line of code to your wp-config.php file.

1define( 'WP_POST_REVISIONS', 4 );

This code will limit WordPress to only save your last 4 revisions of each post or page, and discard older revisions automatically.

[Back to Top ↑]

Disable Hotlinking and Leaching of Your Content

Prevent image theft in WordPress

If you’re creating quality content on your WordPress site, then the sad truth is that it’ll probably get stolen sooner or later.

One way this happens is when other websites serve your images directly from their URLs on your website, instead of uploading them to their own servers. In effect, they’re stealing your web hosting bandwidth, and you don’t get any traffic to show for it.

Simply add this code to your .htaccess file to block hotlinking of images from your WordPress site.

123456#disable hotlinking of images with forbidden or custom image optionRewriteEngine onRewriteCond %{HTTP_REFERER} !^$RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?wpbeginner.com [NC]RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Note: Don’t forget to change wpbeginner.com with your own domain.

You may also want to check our article showing 4 ways to prevent image theft in WordPress.

Some content scraping websites automatically create posts by stealing your content from your RSS feed. You can check out our guide on preventing blog content scraping in WordPress for ways to deal with automated content theft.

[Back to Top ↑]

Use Lazy Loading if Needed

Use lazy loading in WordPress

If you add many images, multiple video embeds, and photo galleries to your blog posts, then your site can benefit from lazy loading.

Instead of loading all your images and videos at once, lazy loading downloads only those that will be visible on the user’s screen. It replaces all other images and video embeds with a placeholder image.

As a user scrolls down, your website loads images that are now visible in the browser’s viewing area. You can lazy load images, videos, and even WordPress comments and gravatars.

For images, iframes, and videos, you can use the Lazy Load by WP Rocket plugin. For WordPress comments see our guide on how to lazy load comments in WordPress.

[Back to Top ↑]

Use DNS Level Website Firewall

Use DNS level firewall

WordPress firewall plugin helps you block brute force attacks, hacking attempts, and malware. However, not all firewall plugins are the same.

Some of them run on your website, this means attackers are already able to reach your web server before they get blocked. This is still effective for security, but not optimal for performance.

This is why we recommend using a DNS level firewall like Sucuri or Cloudflare. These firewalls block maclious requests even before they reach your website.

[Back to Top ↑]

Fix HTTPS/SSL Errors without Plugin

Using inspect tool to fix mixed content error

If you are switching your site to HTTPS/SSL, then it is likely that you may run across mixed content errors.

The easiest way to fix this is by installing a plugin like Really Simple SSL. However, the problem is that these plugins catch all URLs first, then change them to HTTPS before sending them to user’s browsers.

This has a small but noticeable performance impact. You can reduce this by manually fixing all URLs. For more details see our article on how to fix common SSL issues in WordPress.

[Back to Top ↑]

Use Latest PHP Version

WordPress is mainly written in the PHP programming language. It is a server side language, which means it is installed and runs on your hosting server.

All good WordPress hosting companies use the most stable PHP version on their servers. However, it is possible that your hosting company is running a slightly older PHP version.

The newer PHP 7 is two times faster than its predecessors. That’s a huge performance boost that your website must take advantage of.

You can see which PHP version your site is using by installing and activating the Version Info plugin.

Upon activation, the plugin will show your PHP version in the footer area of your WordPress admin dashboard.

PHP version in WordPress admin dashboard

If your website is using a version lower than PHP 7, then ask your hosting provider to update it for you. If they are unable to do so, then it is time to find a new WordPress hosting company.

[Back to Top ↑]

That’s it! We hope this article helped you learn how to improve wordpress speed and performance.

Go ahead and try out these techniques. Don’t forget to test your website speed before and after implementing these best practices. You’ll be surprised these changes will boost your WordPress performance.

You may also want to see our ultimate WordPress SEO guide to improve your SEO rankings, and our expert pick of the best business phone services for small businesses.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Source :
https://www.wpbeginner.com/wordpress-performance-speed/

The Ultimate WordPress Security Guide – Step by Step (2022)

WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.

If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

Complete WordPress security guide

While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to keep your site secure.

At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).

We have a number of actionable steps that you can take to protect your website against security vulnerabilities.

To make it easy, we have created a table of content to help you easily navigate through our ultimate WordPress security guide.

Table of Contents

Basics of WordPress Security

WordPress Security in Easy Steps (No Coding)

WordPress Security for DIY Users

Ready? Let’s get started.

Why Website Security is Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.

Worst, you may find yourself paying ransomware to hackers just to regain access to your website.

Why WordPress security is important

In March 2016, Google reported that more than 50 million website users have been warned about a website they’re visiting may contain malware or steal information.

Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.

If your website is a business, then you need to pay extra attention to your WordPress security.

Similar to how it’s the business owners responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.

[Back to Top ↑]

Keeping WordPress Updated

Keeping WordPress updated

WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.

[Back to Top ↑]

Strong Passwords and User Permissions

Manage strong passwords

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your custom email addresses which use your site’s domain name.

Many beginners don’t like using strong passwords because they’re hard to remember. The good thing is that you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.

[Back to Top ↑]

The Role of WordPress Hosting

Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like Bluehost or Siteground take the extra measures to protect their servers against common threats.

Here is how a good web hosting company works in the background to protect your websites and data.

  • They continuously monitor their network for suspicious activity.
  • All good hosting companies have tools in place to prevent large scale DDOS attacks
  • They keep their server software, php versions, and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.
  • They have ready to deploy disaster recovery and accidents plans which allows them to protect your data in case of major accident.

On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.

Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website

We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).

[Back to Top ↑]

WordPress Security in Easy Steps (No Coding)

We know that improving WordPress security can be a terrifying thought for beginners. Especially if you’re not techy. Guess what – you’re not alone.

We have helped thousands of WordPress users in hardening their WordPress security.

We will show you how you can improve your WordPress security with just a few clicks (no coding required).

If you can point-and-click, you can do this!

Install a WordPress Backup Solution

Install a WordPress backup solution

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

Backups allow you to quickly restore your WordPress site in case something bad was to happen.

There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

Thankfully this can be easily done by using plugins like UpdraftPlus or BlogVault. They are both reliable and most importantly easy to use (no coding needed).

[Back to Top ↑]

Best WordPress Security Plugin

After backups, the next thing we need to do is setup an auditing and monitoring system that keeps track of everything that happens on your website.

This includes file integrity monitoring, failed login attempts, malware scanning, etc.

Thankfully, this can be all taken care by the best free WordPress security plugin, Sucuri Scanner.

You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to go to the Sucuri menu in your WordPress admin. The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.

Generate Sucuri API Key

The next thing, you need to do is click on the ‘Hardening’ tab from the settings menu. Go through every option and click on the “Apply Hardening” button.

Sucuri security hardening

These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.

We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.

After the hardening part, the default plugin settings are good enough for most websites and don’t need any changes. The only thing we recommend customizing is ‘Email Alerts’.

The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.

Set up security email alerts

This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.

Enable Web Application Firewall (WAF)

The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).

A website firewall blocks all malicious traffic before it even reaches your website.

DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS level firewall in reducing the server load.

To learn more, see our list of the best WordPress firewall plugins.

Sucuri WAF

We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.

Attacks blocked by Sucuri

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).

This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge $250 per hour. Whereas you can get the entire Sucuri security stack for $199 per year.

Improve your WordPress Security with the Sucuri Firewall »

Sucuri is not the only DNS level firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).

[Back to Top ↑]

Move Your WordPress Site to SSL/HTTPS

SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information.

How SSL works

Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.

SSL certificates were typically issued by certificate authorities, and their prices start from $80 to hundreds of dollars each year. Due to added cost, most website owners opted to keep using the insecure protocol.

To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.

Now, it is easier than ever to start using SSL for all your WordPress websites. Many hosting companies are now offering a free SSL certificate for your WordPress website.

If your hosting company does not offer one, then you can purchase one from Domain.com. They have the best and most reliable SSL deal in the market. It comes with a $10,000 security warranty and a TrustLogo security seal.

WordPress Security for DIY Users

If you do everything that we have mentioned thus far, then you’re in a pretty good shape.

But as always, there’s more that you can do to harden your WordPress security.

Some of these steps may require coding knowledge.

Change the Default “admin” username

In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.

However, some 1-click WordPress installers, still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.

  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin
  3. Update username from phpMyAdmin

We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).

Note: We’re talking about the username called “admin”, not the administrator role.

[Back to Top ↑]

Disable File Editing

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

Disable file editing in WordPress

You can easily do this by adding the following code in your wp-config.php file.

12// Disallow file editdefine( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

[Back to Top ↑]

Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and paste this code:

123<Files *.php>deny from all</Files>

Next, you need to save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client.

For more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

[Back to Top ↑]

Limit Login Attempts

By default, WordPress allows users to try to login as many time as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to login with different combinations.

This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.

However, if you don’t have the firewall setup, then proceed with the steps below.

First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, visit Settings » Login LockDown page to setup the plugin.

Login Lockdown options

For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.

[Back to Top ↑]

Add Two Factor Authentication

Two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.

Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.

First, you need to install and activate the Two Factor Authentication plugin. Upon activation, you need to click on the ‘Two Factor Auth’ link in WordPress admin sidebar.

Two Factor Authenticator settings

Next, you need to install and open an authenticator app on your phone. There are several of them available like Google Authenticator, Authy, and LastPass Authenticator.

We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.

We will be using the LastPass Authenticator for the tutorial. However, instructions are similar for all auth apps. Open your authenticator app, and then click on the Add button.

Add website

You will be asked if you’d like to scan a site manually or scan the bar code. Select the scan bar code option and then point your phone’s camera on the QRcode shown on the plugin’s settings page.

That’s all, your authentication app will now save it. Next time you log in to your website, you will be asked for the two-factor auth code after you enter your password.

Enter your two-factor auth code

Simply open the authenticator app on your phone and enter the code you see on it.

[Back to Top ↑]

Change WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.

You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.

Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills.

[Back to Top ↑]

Password Protect WordPress Admin and Login Page

Password protect WordPress admin area

Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.

You can add additional password protection on a server-side level, which will effectively block those requests.

Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.

[Back to Top ↑]

Disable Directory Indexing and Browsing

Disable directory browsing

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see .htaccess file in WordPress.

After that, you need to add the following line at the end of the .htaccess file:

Options -Indexes

Don’t forget to save and upload .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.

[Back to Top ↑]

Disable XML-RPC in WordPress

XML-RPC was enabled by default in WordPress 3.5 because it helps connecting your WordPress site with web and mobile apps.

Because of its powerful nature, XML-RPC can significantly amplify the brute-force attacks.

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.

But with XML-RPC, a hacker can use the system.multicall function to try thousands of password with say 20 or 50 requests.

This is why if you’re not using XML-RPC, then we recommend that you disable it.

There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.

Tip: The .htaccess method is the best one because it’s the least resource intensive.

If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.

[Back to Top ↑]

Automatically log out Idle Users in WordPress

Logged in users can sometimes wander away from screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You will need to install and activate the Inactive Logout plugin. Upon activation, visit Settings » Inactive Logout page to configure plugin settings.

Logout idle users

Simply set the time duration and add a logout message. Don’t forget to click on the save changes button to store your settings.

[Back to Top ↑]

Add Security Questions to WordPress Login Screen

Add security question on login screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.

For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.

[Back to Top ↑]

Scanning WordPress for Malware and Vulnerabilies

Malware scanning

If you have a WordPress security plugin installed, then those plugins will routinely check for malware and signs of security breaches.

However, if you see a sudden drop in website traffic or search rankings, then you may want to manually run a scan. You can use your WordPress security plugin, or use one of these malware and security scanners.

Running these online scans is quite straight forward, you just enter your website URLs and their crawlers go through your website to look for known malware and malicious code.

Now keep in mind that most WordPress security scanners can just scan your website. They cannot remove the malware or clean a hacked WordPress site.

This brings us to the next section, cleaning up malware and hacked WordPress sites.

[Back to Top ↑]

Fixing a Hacked WordPress Site

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.

Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.

Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.

Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.

For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.

[Back to Top ↑]

Bonus Tip: Identity Theft & Network Protection

As small business owners, it’s critical that we protect our digital and financial identity because failure to do so can lead to significant losses. Hackers and criminals can use your identity to steal your website domain name, hack your bank accounts, and even commit crime that you can be liable for.

There were 4.7 million identity theft and credit card fraud incidents reported to the Federal Trade Commission (FTC) in 2020.

This is why we recommend using an identity theft protection service like Aura (we’re using Aura ourselves).

They offer device & wifi network protection through their free VPN (virtual private network) which secures your internet connection with military-grade encryption wherever you are. This is great for when you’re traveling or connecting to your WordPress admin from a public place like Starbucks, so you can work online safely and privately.

Their dark web monitoring service constantly monitors the dark web using artificial intelligence and alert you if your passwords, social security number, and bank accounts have been compromised.

This allows you to act faster and better protect your digital identity.

[Back to Top ↑]

That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

You may also want to see our ultimate WordPress SEO guide to improve your SEO rankings, and our expert tips on how to speed up WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Source :
https://www.wpbeginner.com/wordpress-security/

Microsoft April 2022 Patch Tuesday fixes 119 flaws, 2 zero-days

Today is Microsoft’s April 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 119 flaws.

Microsoft has fixed 119 vulnerabilities (not including 26 Microsoft Edge vulnerabilities) with today’s update, with ten classified as Critical as they allow remote code execution.

The number of bugs in each vulnerability category is listed below:

  • 47 Elevation of Privilege Vulnerabilities
  • 0 Security Feature Bypass Vulnerabilities
  • 47 Remote Code Execution Vulnerabilities
  • 13 Information Disclosure Vulnerabilities
  • 9 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 26 Edge – Chromium Vulnerabilities

For information about the non-security Windows updates, you can read about today’s Windows 10 KB5012599 and KB5012591 updates and the Windows 11 KB5012592 update.

Two zero-days fixed, one actively exploited

This month’s Patch Tuesday includes fixes for two zero-day vulnerabilities, one publicly disclosed and the other actively exploited in attacks.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited zero-day vulnerability fixed today is a bug that security researcher Abdelhamid Naceri discovered that Microsoft previously tried to fix twice after new patch bypasses were discovered.

  • CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability

The publicly exposed zero-day is a privilege elevation bug discovered by CrowdStrike and the US National Security Agency (NSA).

  • CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Now that Microsoft has issued patches for these vulnerabilities, it should be expected for threat actors to analyze the vulnerabilities to learn how to exploit them.

Therefore, it is strongly advised to install today’s security updates as soon as possible.

Recent updates from other companies

Other vendors who released updates in April 2022 include:

The April 2022 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the April 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

TagCVE IDCVE TitleSeverity
.NET FrameworkCVE-2022-26832.NET Framework Denial of Service VulnerabilityImportant
Active Directory Domain ServicesCVE-2022-26814Windows DNS Server Remote Code Execution VulnerabilityImportant
Active Directory Domain ServicesCVE-2022-26817Windows DNS Server Remote Code Execution VulnerabilityImportant
Azure SDKCVE-2022-26907Azure SDK for .NET Information Disclosure VulnerabilityImportant
Azure Site RecoveryCVE-2022-26898Azure Site Recovery Remote Code Execution VulnerabilityImportant
Azure Site RecoveryCVE-2022-26897Azure Site Recovery Information Disclosure VulnerabilityImportant
Azure Site RecoveryCVE-2022-26896Azure Site Recovery Information Disclosure VulnerabilityImportant
LDAP – Lightweight Directory Access ProtocolCVE-2022-26831Windows LDAP Denial of Service VulnerabilityImportant
LDAP – Lightweight Directory Access ProtocolCVE-2022-26919Windows LDAP Remote Code Execution VulnerabilityCritical
Microsoft Bluetooth DriverCVE-2022-26828Windows Bluetooth Driver Elevation of Privilege VulnerabilityImportant
Microsoft DynamicsCVE-2022-23259Microsoft Dynamics 365 (on-premises) Remote Code Execution VulnerabilityCritical
Microsoft Edge (Chromium-based)CVE-2022-26909Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityModerate
Microsoft Edge (Chromium-based)CVE-2022-1139Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch APIUnknown
Microsoft Edge (Chromium-based)CVE-2022-26912Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityModerate
Microsoft Edge (Chromium-based)CVE-2022-26908Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1146Chromium: CVE-2022-1146 Inappropriate implementation in Resource TimingUnknown
Microsoft Edge (Chromium-based)CVE-2022-26895Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-26900Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-26894Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1232Chromium: CVE-2022-1232 Type Confusion in V8Unknown
Microsoft Edge (Chromium-based)CVE-2022-26891Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1125Chromium: CVE-2022-1125 Use after free in PortalsUnknown
Microsoft Edge (Chromium-based)CVE-2022-1136Chromium: CVE-2022-1136 Use after free in Tab StripUnknown
Microsoft Edge (Chromium-based)CVE-2022-24475Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1145Chromium: CVE-2022-1145 Use after free in ExtensionsUnknown
Microsoft Edge (Chromium-based)CVE-2022-1135Chromium: CVE-2022-1135 Use after free in Shopping CartUnknown
Microsoft Edge (Chromium-based)CVE-2022-1138Chromium: CVE-2022-1138 Inappropriate implementation in Web CursorUnknown
Microsoft Edge (Chromium-based)CVE-2022-1143Chromium: CVE-2022-1143 Heap buffer overflow in WebUIUnknown
Microsoft Edge (Chromium-based)CVE-2022-24523Microsoft Edge (Chromium-based) Spoofing VulnerabilityModerate
Microsoft Edge (Chromium-based)CVE-2022-1137Chromium: CVE-2022-1137 Inappropriate implementation in ExtensionsUnknown
Microsoft Edge (Chromium-based)CVE-2022-1134Chromium: CVE-2022-1134 Type Confusion in V8Unknown
Microsoft Edge (Chromium-based)CVE-2022-1127Chromium: CVE-2022-1127 Use after free in QR Code GeneratorUnknown
Microsoft Edge (Chromium-based)CVE-2022-1128Chromium: CVE-2022-1128 Inappropriate implementation in Web Share APIUnknown
Microsoft Edge (Chromium-based)CVE-2022-1133Chromium: CVE-2022-1133 Use after free in WebRTCUnknown
Microsoft Edge (Chromium-based)CVE-2022-1130Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTPUnknown
Microsoft Edge (Chromium-based)CVE-2022-1129Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen ModeUnknown
Microsoft Edge (Chromium-based)CVE-2022-1131Chromium: CVE-2022-1131 Use after free in Cast UIUnknown
Microsoft Graphics ComponentCVE-2022-26920Windows Graphics Component Information Disclosure VulnerabilityImportant
Microsoft Graphics ComponentCVE-2022-26903Windows Graphics Component Remote Code Execution VulnerabilityImportant
Microsoft Local Security Authority Server (lsasrv)CVE-2022-24493Microsoft Local Security Authority (LSA) Server Information Disclosure VulnerabilityImportant
Microsoft Office ExcelCVE-2022-24473Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office ExcelCVE-2022-26901Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office SharePointCVE-2022-24472Microsoft SharePoint Server Spoofing VulnerabilityImportant
Microsoft Windows ALPCCVE-2022-24482Windows ALPC Elevation of Privilege VulnerabilityImportant
Microsoft Windows ALPCCVE-2022-24540Windows ALPC Elevation of Privilege VulnerabilityImportant
Microsoft Windows Codecs LibraryCVE-2022-24532HEVC Video Extensions Remote Code Execution VulnerabilityImportant
Microsoft Windows Media FoundationCVE-2022-24495Windows Direct Show – Remote Code Execution VulnerabilityImportant
Power BICVE-2022-23292Microsoft Power BI Spoofing VulnerabilityImportant
Role: DNS ServerCVE-2022-26815Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26816Windows DNS Server Information Disclosure VulnerabilityImportant
Role: DNS ServerCVE-2022-24536Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26824Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26823Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26822Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26829Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26826Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26825Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26821Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26820Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26813Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26818Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26819Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26811Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26812Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-22008Windows Hyper-V Remote Code Execution VulnerabilityCritical
Role: Windows Hyper-VCVE-2022-24490Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-24539Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-26785Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-26783Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-24537Windows Hyper-V Remote Code Execution VulnerabilityCritical
Role: Windows Hyper-VCVE-2022-23268Windows Hyper-V Denial of Service VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-23257Windows Hyper-V Remote Code Execution VulnerabilityCritical
Role: Windows Hyper-VCVE-2022-22009Windows Hyper-V Remote Code Execution VulnerabilityImportant
Skype for BusinessCVE-2022-26911Skype for Business Information Disclosure VulnerabilityImportant
Skype for BusinessCVE-2022-26910Skype for Business and Lync Spoofing VulnerabilityImportant
Visual StudioCVE-2022-24767GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user accountImportant
Visual StudioCVE-2022-24765GitHub: Uncontrolled search for the Git directory in Git for WindowsImportant
Visual StudioCVE-2022-24513Visual Studio Elevation of Privilege VulnerabilityImportant
Visual Studio CodeCVE-2022-26921Visual Studio Code Elevation of Privilege VulnerabilityImportant
Windows Ancillary Function Driver for WinSockCVE-2022-24494Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityImportant
Windows App StoreCVE-2022-24488Windows Desktop Bridge Elevation of Privilege VulnerabilityImportant
Windows AppX Package ManagerCVE-2022-24549Windows AppX Package Manager Elevation of Privilege VulnerabilityImportant
Windows Cluster Client FailoverCVE-2022-24489Cluster Client Failover (CCF) Elevation of Privilege VulnerabilityImportant
Windows Cluster Shared Volume (CSV)CVE-2022-24538Windows Cluster Shared Volume (CSV) Denial of Service VulnerabilityImportant
Windows Cluster Shared Volume (CSV)CVE-2022-26784Windows Cluster Shared Volume (CSV) Denial of Service VulnerabilityImportant
Windows Cluster Shared Volume (CSV)CVE-2022-24484Windows Cluster Shared Volume (CSV) Denial of Service VulnerabilityImportant
Windows Common Log File System DriverCVE-2022-24521Windows Common Log File System Driver Elevation of Privilege VulnerabilityImportant
Windows Common Log File System DriverCVE-2022-24481Windows Common Log File System Driver Elevation of Privilege VulnerabilityImportant
Windows DefenderCVE-2022-24548Microsoft Defender Denial of Service VulnerabilityImportant
Windows DWM Core LibraryCVE-2022-24546Windows DWM Core Library Elevation of Privilege VulnerabilityImportant
Windows Endpoint Configuration ManagerCVE-2022-24527Windows Endpoint Configuration Manager Elevation of Privilege VulnerabilityImportant
Windows Fax Compose FormCVE-2022-26917Windows Fax Compose Form Remote Code Execution VulnerabilityImportant
Windows Fax Compose FormCVE-2022-26916Windows Fax Compose Form Remote Code Execution VulnerabilityImportant
Windows Fax Compose FormCVE-2022-26918Windows Fax Compose Form Remote Code Execution VulnerabilityImportant
Windows Feedback HubCVE-2022-24479Connected User Experiences and Telemetry Elevation of Privilege VulnerabilityImportant
Windows File ExplorerCVE-2022-26808Windows File Explorer Elevation of Privilege VulnerabilityImportant
Windows File ServerCVE-2022-26827Windows File Server Resource Management Service Elevation of Privilege VulnerabilityImportant
Windows File ServerCVE-2022-26810Windows File Server Resource Management Service Elevation of Privilege VulnerabilityImportant
Windows InstallerCVE-2022-24499Windows Installer Elevation of Privilege VulnerabilityImportant
Windows InstallerCVE-2022-24530Windows Installer Elevation of Privilege VulnerabilityImportant
Windows iSCSI Target ServiceCVE-2022-24498Windows iSCSI Target Service Information Disclosure VulnerabilityImportant
Windows KerberosCVE-2022-24545Windows Kerberos Remote Code Execution VulnerabilityImportant
Windows KerberosCVE-2022-24486Windows Kerberos Elevation of Privilege VulnerabilityImportant
Windows KerberosCVE-2022-24544Windows Kerberos Elevation of Privilege VulnerabilityImportant
Windows KernelCVE-2022-24483Windows Kernel Information Disclosure VulnerabilityImportant
Windows Local Security Authority Subsystem ServiceCVE-2022-24487Windows Local Security Authority (LSA) Remote Code Execution VulnerabilityImportant
Windows Local Security Authority Subsystem ServiceCVE-2022-24496Local Security Authority (LSA) Elevation of Privilege VulnerabilityImportant
Windows MediaCVE-2022-24547Windows Digital Media Receiver Elevation of Privilege VulnerabilityImportant
Windows Network File SystemCVE-2022-24491Windows Network File System Remote Code Execution VulnerabilityCritical
Windows Network File SystemCVE-2022-24497Windows Network File System Remote Code Execution VulnerabilityCritical
Windows PowerShellCVE-2022-26788PowerShell Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26789Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26787Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26786Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26796Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26790Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26803Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26802Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26794Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26795Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26797Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26798Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26791Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26801Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26793Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26792Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows RDPCVE-2022-24533Remote Desktop Protocol Remote Code Execution VulnerabilityImportant
Windows Remote Procedure Call RuntimeCVE-2022-26809Remote Procedure Call Runtime Remote Code Execution VulnerabilityCritical
Windows Remote Procedure Call RuntimeCVE-2022-24528Remote Procedure Call Runtime Remote Code Execution VulnerabilityImportant
Windows Remote Procedure Call RuntimeCVE-2022-24492Remote Procedure Call Runtime Remote Code Execution VulnerabilityImportant
Windows schannelCVE-2022-26915Windows Secure Channel Denial of Service VulnerabilityImportant
Windows SMBCVE-2022-24485Win32 File Enumeration Remote Code Execution VulnerabilityImportant
Windows SMBCVE-2022-26830DiskUsage.exe Remote Code Execution VulnerabilityImportant
Windows SMBCVE-2022-21983Win32 Stream Enumeration Remote Code Execution VulnerabilityImportant
Windows SMBCVE-2022-24541Windows Server Service Remote Code Execution VulnerabilityCritical
Windows SMBCVE-2022-24500Windows SMB Remote Code Execution VulnerabilityCritical
Windows SMBCVE-2022-24534Win32 Stream Enumeration Remote Code Execution VulnerabilityImportant
Windows Telephony ServerCVE-2022-24550Windows Telephony Server Elevation of Privilege VulnerabilityImportant
Windows Upgrade AssistantCVE-2022-24543Windows Upgrade Assistant Remote Code Execution VulnerabilityImportant
Windows User Profile ServiceCVE-2022-26904Windows User Profile Service Elevation of Privilege VulnerabilityImportant
Windows Win32KCVE-2022-24474Windows Win32k Elevation of Privilege VulnerabilityImportant
Windows Win32KCVE-2022-26914Win32k Elevation of Privilege VulnerabilityImportant
Windows Win32KCVE-2022-24542Windows Win32k Elevation of Privilege VulnerabilityImportant
Windows Work Folder ServiceCVE-2022-26807Windows Work Folder Service Elevation of Privilege VulnerabilityImportant
YARP reverse proxyCVE-2022-26924YARP Denial of Service VulnerabilityImportant

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2022-patch-tuesday-fixes-119-flaws-2-zero-days/

Microsoft: New malware uses Windows bug to hide scheduled tasks

Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.

The Hafnium threat group has previously targeted US defense companies, think tanks, and researchers in cyberespionage attacks.

It is also one of the state-sponsored groups linked by Microsoft to last year’s global scale exploitation of the ProxyLogon zero-day flaws impacting all supported Microsoft Exchange versions.

Persistence via Windows registry value removal

“As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors,” the Microsoft Detection and Response Team (DART) said.

“Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates ‘hidden’ scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.”

This hacking tool, dubbed Tarrask, uses a previously unknown Windows bug to hide them from “schtasks /query” and Task Scheduler by deleting the associated Security Descriptor registry value.

The threat group used these “hidden” scheduled tasks to maintain access to the hacked devices even after reboots by re-establishing dropped connections to command-and-control (C2) infrastructure.

While the Hafnium operators could have removed all on-disk artifacts, including all registry keys and the XML file added to the system folder to delete all traces of their malicious activity, it would have removed persistence across restarts.

Deleting Security Descriptor to hide a scheduled task
Deleting Security Descriptor to hide a scheduled task (Microsoft)

How to defend against Tarrask attacks

The “hidden” tasks can only be found upon closer manual inspection of the Windows Registry if you look for scheduled tasks without an SD (security descriptor) Value within their Task Key.

Admins can also enable the Security.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs to check for key events linked to tasks “hidden” using Tarrask malware.

Microsoft also recommends enabling logging for ‘TaskOperational’ within the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and monitoring for outbound connections from critical Tier 0 and Tier 1 assets.

“The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure,” DART added.

“We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”

Source :
https://www.bleepingcomputer.com/news/security/microsoft-new-malware-uses-windows-bug-to-hide-scheduled-tasks/

Microsoft: Windows Server now supports automatic .NET updates

Microsoft says Windows admins can now opt into automatic updates for .NET Framework and .NET Core via Microsoft Update (MU) on Windows Server systems.

The new option has started rolling out today, and once you opt-in, it will add .NET Core 3.1, .NET 5.0, and .NET 6.0 to the Automatic Updates channel as a third option on top of Windows Server Update Services (WSUS) and Microsoft Update Catalog.

“We’re excited to announce that starting April 2022, we will be making monthly updates for modern .NET (.NET Core) available for server operating systems via Microsoft Update (MU) on an opt-in basis,” explained Jamshed Damkewala, a .NET Principal Engineering Manager at Microsoft.

“If you do not want to have your servers updated automatically for you no action is required. There is no change for client operating systems which will continue to receive updates via Automatic Updates, WSUS, and MU Catalog as earlier.”

This new option has been added for customers asking for a way to install .NET updates without using a deployment tool, just as on Windows client platforms.

Making it an opt-in change will allow admins to choose their preferred method of keeping server operating systems up to date, depending on their deployment approach.

How to enable .NET automatic updates

You can opt-in for .NET automatic updates on Windows Server by setting registry keys listed in the table below (manually or with the help of Group Policy as detailed here).

.NET VersionRegistry KeyNameValue
ALL[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NET]“AllowAUOnServerOS”dword:00000001
.NET 6.0[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NET6.0]“AllowAUOnServerOS”dword:00000001
.NET 5.0[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NET5.0]“AllowAUOnServerOS”dword:00000001
.NET 3.1[HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NET3.1]“AllowAUOnServerOS”dword:00000001

“We’re excited to start delivering updates for modern .NET to server operating systems via Microsoft Update on an opt-in basis and look forward to your feedback on this experience,” Damkewala added.

In December 2020, following customer requests, Microsoft first started delivering .NET and .NET Core updates on Windows via Microsoft Update (via WSUS and MU Catalog for server OS and Automatic Updates for client OS).

In early April 2022, the company reminded customers that multiple .NET Framework versions (i.e., 4.5.2, 4.6, and 4.6.1) signed using the insecure Secure Hash Algorithm 1 (SHA-1) will reach their end of life at the end of the month.

Redmond is also planning to roll out in July 2022 a new Windows Autopatch service that will automatically keep Windows and Office software up to date for Microsoft customers with a Windows 10/11 Enterprise E3 or above license.

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-now-supports-automatic-net-updates/

Raspberry Pi removes default user to hinder brute-force attacks

An update to Raspberry Pi OS Bullseye has removed the default ‘pi’ user to make it harder for attackers to find and compromise Internet-exposed Raspberry Pi devices using default credentials.

Starting with this latest release, when installing the OS, you will first be prompted to create an account by choosing a username and password (before this change, the OS installer would only ask for a custom password).

You can no longer skip this step since the setup wizard will be launched when first booting the device (previously, you could hit Cancel to use the default pi/raspberry credentials).

While you can still choose to use a ‘pi’ username and ‘raspberry’ as your password, you will be warned that it’s not a wise choice.

“We are not getting rid of the ‘pi’ user on existing installs. We are not stopping anyone from entering ‘pi’ and ‘raspberry’ as the username and password on a new install,” said Simon Long, Senior Principal EngineerSenior at Raspberry Pi.

“All we are doing is making it easy for people who care about security to not have a default ‘pi’ user – which is something people have been requesting for some time now.”

Raspberry Pi OS account creation wizard
Raspberry Pi OS account creation wizard (Raspberry Pi ​​​​​)

When booting the image for the first time, Raspberry Pi OS Lite image users will also be asked to create a new account via command line text prompts.

If you want to run Raspberry Pi headless, you can create the user before booting into the OS by setting a username and a password via the Settings dialog before writing the image or adding a userconf file to the boot partition containing a username:encrypted-password pair.

Existing installations are not affected by this change. However, users can still switch to non-default credentials by updating their existing image and running the sudo rename-user command.

“This isn’t that much of a weakness – just knowing a valid user name doesn’t really help much if someone wants to hack into your system; they would also need to know your password, and you’d need to have enabled some form of remote access in the first place,” Long explained.

“But nonetheless, it could potentially make a brute-force attack slightly easier, and in response to this, some countries are now introducing legislation to forbid any Internet-connected device from having default login credentials.”

For instance, the UK wants to enforce new regulations asking that IoT devices no longer come with default usernames and passwords but, instead ask customers to choose custom credentials, “not resettable to any universal factory default value.”

Source :
https://www.bleepingcomputer.com/news/security/raspberry-pi-removes-default-user-to-hinder-brute-force-attacks/

Luxury fashion house Zegna confirms August ransomware attack

The Italian luxury fashion house Ermenegildo Zegna has confirmed an August 2021 ransomware attack that resulted in an extensive IT systems outage.

The disclosure came in today’s filing of an SEC Form 424B3 that updates their investment prospectus to alert investors of business disruption and data breach risks resulting from sophisticated cyberattacks.

To highlight the potential investment risks, the report provides an example of a ransomware attack that hit the firm in August 2021, impacting most of its IT systems and causing a large-scale interruption.

Zegna underlines that they did not engage with the ransomware actors in negotiating a ransom payment, so they had to restore from backups in the weeks that followed the incident.

While Zegna had previously disclosed unauthorized access to their systems at the time, it was not until today’s SEC filing that they confirmed it was a ransomware attack.

“In August 2021, we were subject to a ransomware attack that impacted the majority of our IT systems. As we refused to engage in discussions relating to the payment of the ransom, the responsible parties published certain accounting materials extracted from our IT systems,” reads Zegna’s SEC filing.

“We publicly announced the IT systems breach and gradually restored our IT systems from secure backup servers during the weeks following the breach.”

As the filing updates the prospectus to address risks to investors, it also warns:

“A malfunction that results in a wider or sustained disruption to our business could have a material adverse effect on our business, results of operations, and financial condition. In addition to supporting our operations, we use our systems to collect and store confidential and sensitive data, including information about our business, our customers and our employees.

Any unauthorized access to our information systems may compromise the privacy of such data and expose us to claims as well as reputational damage. Ultimately, any significant violation of the integrity of our data security could have a material adverse effect on our business, results of operations, and financial condition.”

RansomEXX claimed the attack

Last year, the RansomEXX operation claimed responsibility for the attack, where data was published as a way to further extort the victim into paying a ransom.

The leaked data was stolen from Zegna’s systems and was published by the ransomware gang on the day of the firm’s announcement of their attack.

Zegna's entry on the RansomEXX leak portal
Zegna’s entry on the RansomEXX leak portal (Bleeping Computer)

As part of the attack, the threat actors claim to have copied 20.74 GB of data where they offered it in password-protected ZIP files. At this time, Zegna’s listing on the leak portal has allegedly received 483,000 visits.

List of files still offered on the RansomEXX Tor site
List of leaked files (BC)

Unfortunately, Zegna’s filing confirms the authenticity of the leaked data, but they did not comment on the impact on clients and partners.

This is the same ransomware group that has hit corporate giants such as Konica Minolta in August 2020, GIGABYTE in August 2021, and more recently, Hellmann Worldwide.

Source :
https://www.bleepingcomputer.com/news/security/luxury-fashion-house-zegna-confirms-august-ransomware-attack/

CISA warns orgs of WatchGuard bug exploited by Russian state hackers

The Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal civilian agencies and urged all US organizations on Monday to patch an actively exploited bug impacting WatchGuard Firebox and XTM firewall appliances.

Sandworm, a Russian-sponsored hacking group, believed to be part of the GRU Russian military intelligence agency, also exploited this high severity privilege escalation flaw (CVE-2022-23176) to build a new botnet dubbed Cyclops Blink out of compromised WatchGuard Small Office/Home Office (SOHO) network devices.

“WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access,” the company explains in a security advisory rating the bug with a critical threat level.

The flaw can only be exploited if they are configured to allow unrestricted management access from the Internet. By default, all WatchGuard appliances are configured for restricted management access.

Federal Civilian Executive Branch Agencies (FCEB) agencies must secure their systems against these security flaws according to November’s binding operational directive (BOD 22-01)

CISA has given them three weeks, until May 2nd, to patch the CVE-2022-23176 flaw added today to its catalog of Known Exploited Vulnerabilities.

Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations to prioritize fixing this actively abused security bug to avoid having their WatchGuard appliances compromised.

Malware hit 1% of WatchGuard firewall appliances

Cyclops Blink, the malware used by the Sandworm state hackers to create their botnet, has been used to target WatchGuard Firebox firewall appliances with CVE-2022-23176 exploits, as well as multiple ASUS router models, since at least June 2019.

It establishes persistence on the device through firmware updates, and it provides its operators with remote access to compromised networks.

It uses the infected devices’ legitimate firmware update channels to maintain access to the compromised devices by injecting malicious code and deploying repacked firmware images.

This malware is also modular, making it simple to upgrade and target new devices and security vulnerabilities, tapping into new pools of exploitable hardware.

WatchGuard issued its own advisory after US and UK cybersecurity and law enforcement agencies linked the malware to the GRU hackers, saying that Cyclops Blink may have hit roughly 1% of all active WatchGuard firewall appliances.

The UK NCSC, FBI, CISA, and NSA joint advisory says organizations should assume all accounts on infected devices as being compromised. Admins should also immediately remove Internet access to the management interface.

Botnet disrupted, malware removed from C2 servers

On Wednesday, US government officials announced the disruption of the Cyclops Blink botnet before being weaponized and used in attacks.

The FBI also removed the malware from Watchguard devices identified as being used as command and control servers, notifying owners of compromised devices in the United States and abroad before cleaning the Cyclops Blink infection.

“I should caution that as we move forward, any Firebox devices that acted as bots, may still remain vulnerable in the future until mitigated by their owners,” FBI Director Chris Wray warned.

“So those owners should still go ahead and adopt Watchguard’s detection and remediation steps as soon as possible.”

WatchGuard has shared instructions on restoring infected Firebox appliances to a clean state and updating them to the latest Fireware OS version to prevent future infections.

Related Articles:

US, UK link new Cyclops Blink malware to Russian state hackers

CISA orders agencies to patch actively exploited Sophos firewall bug

CISA warns orgs to patch actively exploited Chrome, Redis bugs

CISA adds 66 vulnerabilities to list of bugs exploited in attacks

CISA adds 15 vulnerabilities to list of flaws exploited in attacks

Source :
https://www.bleepingcomputer.com/news/security/cisa-warns-orgs-of-watchguard-bug-exploited-by-russian-state-hackers/

Cybersecurity Threat Spotlight: HermeticWiper, SDUser, and Xenomorph

This has been a busy month for cyber attackers, and the Cisco Umbrella team – in conjunction with Cisco Talos – has observed several new threats for users to be aware of.

In this month’s edition of the Cybersecurity Threat Spotlight, we discuss a wiper making its way through Ukraine, a dropper targeting India and China, and a newly discovered Trojan targeting EU banks.

Want to see Cisco Umbrella in action? Sign up for a free trial today!

HermeticWiper

Threat Type: Wiper

Attack Chain:

Graphic showing the attack chain for HermeticWiper. The attack chain proceeds as follows: stolen credentials, network access, direct wiper deployment, data destruction. The graphic indicates that Cisco Secure protects users from stolen credentials and data destruction.

Description: HermeticWiper is a data destructing malware observed in attacks targeting Ukraine. This wiper comes as a small executable with a valid digital signature issued to “Hermetica Digital Ltd.” The malware leverages embedded resources to interact with storage devices present on infected systems. The applicable embedded driver is extracted, loaded into the wiper’s process memory space, decompressed, and written to the disk before the wipe process. The wiper disables the generation of crash dumps and corrupts the first 512 bytes to destroy the MBR of physical drives. For partitions, it disables the Volume Shadow Copy Service and uses different destructive mechanisms on the partitions depending on whether they’re FAT type or NTFS type. The wiper also attempts to corrupt housekeeping files. During the final stage, HermeticWiper waits for all sleeping threads to complete and initiates a reboot to ensure the success of the wiping activity.

HermeticWiper Spotlight: Cisco Talos has become aware of a series of wiper attacks going on inside Ukraine. One of the wipers used in these attacks has been dubbed “HermeticWiper.” Deployment of this destructive malware began on February 23, 2022. The malware has two components designed for destruction: one targeting the Master Boot Record (MBR) and another targeting partitions.

Target Geolocations: Ukraine
Target Data: Physical Drivers, Partitions
Target Businesses: Government Sector
Exploits: N/A

Mitre ATT&CK for HermeticWiper

Initial Access:
Valid Accounts

Discovery:
System Information Discovery
File and Directory Discovery

Persistence:
Create or Modify System Process: Windows Service

Execution:
Native API

Evasion:
Modify Registry

Impact:
Disk Wipe: Disk Structure Wipe
Inhibit System Recovery
Service Stop
System Shutdown/Reboot

Privilege Escalation:
Access Token Manipulation

IOCs1

Hashes:
0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da
1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591
2c10b2ec0b995b88c27d141d6f7b14d6b8177c52818687e4ff8e6ecf53adf5bf
3c557727953a8f6b4788984464fb77741b821991acbf5e746aebdd02615b1767

Additional Information
Threat Advisory: Hermetic Wiper

Which Cisco Secure Products Can Block
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella

SDUser

Threat Type: Dropper

Attack Chain:

A graphic showing the attack chain of SDUser, which is as follows: malspam to download weaponized document to malicious macros to SDUser payload to follow-up malware. The graphic indicates that Cisco Secure products protect users from downloading weaponized documents and follow-up malware.

Description: SDUser is a VBA-based dropper that is used by Advanced Persistent Threat (APT) groups. The functionality of the payload includes command and control protocol, anti-sandboxing techniques, and a reverse shell mechanism.

SDUser Spotlight: In June 2021, Cisco Talos researchers discovered a malicious Excel spreadsheet that attempted to drop a previously unknown RAT. A month later, they discovered another closely related spreadsheet. These samples were internally referred to as “SDUser” sampled due to the specific PDB string left in the binary payload.

More recent analysis shows similar code being used by two different APT groups: Transparent Tribe, which targets organizations in India, and Donut, which targets organizations in Pakistan and China. These two different threat actors may use code from the same source in their attacks, which means that their attacks would display similarities despite being conducted by different groups. Code reuse, adopting techniques from successful attacks, and deliberate integration of evidence designed to fool analysts can disguise the true perpetrator and lead to these attacks being attributed to different groups.

Target Geolocations: Pakistan, China
Target Data: User Credentials, Browser Data, Sensitive Information
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for SDUser

Initial Access:
Phishing: Spearphishing Attachment

Discovery:
Peripheral Device Discovery
Query Registry

Execution:
Command and Scripting Interpreter

Evasion:
Obfuscated Files or Information
Virtualization/Sandbox Evasion: System Checks

Command and Control:
Application Layer Protocol
Web Service

IOCs1

Domains:
microsoft-updates[.]servehttp[.]com
microsoft-patches[.]servehttp[.]com
microsoft-docs[.]myftp[.]org

IPs:
45.153.240[.]66
46.30.188[.]222

Additional Information:
What’s with the shared VBA code between Transparent Tribe and other threat actors?

Which Cisco Secure Products Can Block:
Cisco Secure Endpoint
Cisco Secure Email
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

Xenomorph

Threat Type: Mobile Trojan

Attack Chain:

A graphic showing the attack chain of Xenomorph, which is as follows: Trojanized app to data logging to data exfiltration. The graphic indicates that Cisco Secure products protect against data exfiltration.

Description: Xenomorph is an Android Banking Trojan. It is capable of stealing credentials via overlay attack, and it uses SMS and notification interception to log and use potential 2FA tokens. Stolen data is sent to the C2 for further exploitation.

Xenomorph Spotlight: Xenomorph was initially discovered in February 2022. It is distributed through the official Google Play Store. It targets users of 56 different European banks and cryptocurrency wallets. Capabilities include – but are not limited to – stealing credentials, SMS and notification interception, excessive logging, and data exfiltration. The core engine is designed as a modular system and still appears to be in the development stage. Malware heavily relies on the overlay attack mechanism to steal personally identifiable information (PII) and other sensitive data. Collected data is exfiltrated to an attacker-controlled server using the open-source project RetroFit2.

Target Geolocations: EU
Target Data: User Credentials, Browser Data, Sensitive Information
Target Businesses: Any
Exploits: N/A

Mitre ATT&CK for Xenomorph

Initial Access:
Deliver Malicious App via Authorized App Store

Execution:
Native Code

Evasion:
Masquerading as Legitimate Application

Credential Access:
Capture SMS Messages
Input Capture

Command and Control:
Standard Application Layer Protocol

Exfiltration:
Data Encryption
Standard Application Layer Protocol

IOCs1

Domains:
simpleyo5[.]tk   
simpleyo5[.]cf   
art12sec[.]ga    
kart12sec[.]gq   
homeandofficedeal[.]com

Additional Information:
Xenomorph: A newly hatched Banking Trojan

Which Cisco Secure Products Can Block
Cisco Secure Firewall/Secure IPS
Cisco Secure Malware Analytics
Cisco Umbrella
Cisco Secure Web Appliance

Source :
https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-hermeticwiper-sduser-xenomorph