Patchstack VS Signed Pages

Start off by checking your plugins against somewhere like https://patchstack.com/ (or even using their automated service). Source: over 1 year ago

Security is actually very simple, realize that 99% of security issues with wordpress are due to plugins. So what you want to do is install good ones and keep them up to date, you can also install something like https://patchstack.com/ to warn you if a plugin you have installed has a vulnerability. Other than this, use a strong password and change the admin user and use a 2FA plugin with google authenticator. You... Source: over 1 year ago

If only people understood this, a free solution like patchstack.com coupled with good plugin hygience, strong passwords and 2FA. And you're 99.98% safe. Source: over 1 year ago

You can connect your sites with Patchstack for free to be notified when some new vulnerability is found in plugin/theme/wordpress version that you use. You can also check the vulnerability database manually here: https://patchstack.com/database/. Source: almost 2 years ago

People have to understand that 98% of wordpress security issues are due to plugin vulnerabilities, if you monitor for plugin vulnerabilities in the plugins you use, maybe using a something free like patchstack.com and then use a free firewall plugin like BBQ firewall or Cloudflare + Using 2-FA with a password manager, changing the login URL to avoid bots all together. Source: almost 2 years ago

There is "Signed Pages" by the debeloper of EteSync. It is a browser extension, that checks webapps based on signatures in the html file. The addon then warns the user if the signature is not correct or - if I remember correctly - the source changed. This allows you to be sure what webapp code was delivered. But it seems like it did not really get used outside of his own projects. - Source: Hacker News / 3 months ago

EteSync has implemented something called Signed Pages, this might be worth looking closer at. This uses PGP keys which is preloaded into the browser; but I suspect that will be a barrier too high for most non-tech users. Source: 12 months ago

There are also projects like signed web pages which can also help increasing the trust level to some degree. But that requires that you can download the source code and regenerate the verification hash locally - or have other trusted methods to verify the hash value hasn't been modified as well. The current concept is reasonably sane, but it requires too much from users currently to make it widely used. Source: almost 2 years ago

> The server can at any time start serving malicious payloads True, and I call this threat model "Beware Each and Every Fetch" (BEEF) in contrast to the more common TOFU model (although if you trust a desktop app to auto-update itself then these two models might not be all that different). In any case, I think you're being a little quick to dismiss the idea of server-hosted applications. It's true that browsers... - Source: Hacker News / about 2 years ago

Something like a browser extension for this does already exist, fortunately: https://github.com/tasn/webext-signed-pages. - Source: Hacker News / about 2 years ago