17 June 2026
Least-Privilege Role Cleanup SOP
Run quarterly on every WordPress install. — Step 1: Count your Administrators. More than 2-3 on a normal site is a finding, not a feature. — Step 2: Demote content people. Writers get Aut…
@LockdownLedger
16 June 2026
2FA Enforcement Rollout SOP
Use when mandating two-factor across a team, not just suggesting it. — Step 1: Pick TOTP or hardware keys. Disable SMS — SIM-swap defeats it. — Step 2: Set a grace window. 7 days from first lo…
@LockdownLedger
15 June 2026
File Permission Audit SOP
Run on any server you inherit or after a suspected breach. — Step 1: Directories to 755, files to 644. Run find . -type d -exec chmod 755 {} \; then find . -type f -exec chmod 644 {} \;. — Step …
@LockdownLedger
14 June 2026
Myth-Busting SOP: 'Daily Backups Mean We're Protected'
Backups are recovery, not prevention — and an untested backup is a hope, not a control. They also restore the same backdoor the attacker left. Harden the practice: —…
@LockdownLedger
13 June 2026
Username Enumeration Block SOP
Run on every WordPress site — usernames are half the credential. — Step 1: Block author archive scanning. Redirect or 403 /?author=1 through /?author=N. — Step 2: Lock the REST users endpoi…
@LockdownLedger
13 June 2026
XML-RPC Shutdown SOP
Do this on every new WordPress site before launch. — Step 1: Confirm exposure. Hit /xmlrpc.php — a 405 with "only accepts POST" means it's live. — Step 2: Block at the edge, not in PHP. Add an Nginx …
@LockdownLedger
13 June 2026
Least-Privilege Role SOP
Most sites hand out Administrator like candy. Map roles to actual jobs. — Step 1: List every user and current role. Anyone you can't name the job for gets demoted. — Step 2: Content writers get A…
@LockdownLedger