SECURITY-RELATED QUESTION: Running paid membership sites on WordPress

28 replies
Hello Warriors,

I'm presently in talks with a client who wants to build a membership site, and wants to bring it out and live in action quickly. I immediately suggested WordPress, because that's the only CMS that I understand and believe as having the potential to run a site like that.

However, I told him I'll get back after understanding the security-related risks and how to counter them (if at all possible) or if we should be building a custom script.

So, here is my question: Has any of you Warriors ever built/run a PAID membership site running on WordPress? If so, how did you manage to keep it safe from hackers? If you haven't done it yet, have you been considering, or would you consider it now? [:p] What tools/plug-ins/ways would you go about securing your WP-based membership site?

Thanks for any perspectives/experiences... in advance
  • wordpress is open source, anyone can see the code, and it's hacked day and night with fixes every few months, plus every plugin etc. potentially opens another hole into your site

    if you are worried about security that much don't go with open source like wordpress

    a custom built script will be way more secure than wordpress with a programmer with even minimal security knowledge

    of course if security isn't your #1 priority then wordpress is pretty awesome
    • Profile picture of the author WritingMadwoman
      I've never owned a membership site via Wordpress but I have been a member of a couple of them - personally I found them to be confusing to navigate, having to click multiple times to find what I was looking for. But maybe that was the way the site owner laid it out, maybe not a Wordpress flaw!

      I recently set up a member site with Easy Member Pro and have been pleased by how easy it was, and how user friendly the whole admin area is. You can buy a license and set it up yourself and they also have a hosted version where they do the full setup, upgrades, and you pay a small monthly fee.

      Depending on what your client wants to do, that might be a better option than WP or a custom script.

      Wendy
    • Profile picture of the author CliveG
      Originally Posted by digitalproductreporter View Post


      if you are worried about security that much don't go with open source like wordpress

      a custom built script will be way more secure than wordpress with a programmer with even minimal security knowledge
      I'm afraid that, in general, I don't agree with either of these statements.

      Open source software like WordPress can be every bit as secure as proprietary software. Source code to Microsoft software is not generally available but security problems arise quite frequently. Just because you can read the code does not make it insecure, but I do agree that if you write insecure code and publish it then it can be exploited more easily.

      As far as your second point is concerned, a little knowledge is dangerous. A programmer with "minimal security knowledge" will be very unlikely to be able to produce the sort of secure (i.e., more secure than Wordpress) script that you are talking about. Many programmers think that they understand security, but most don't really.
    • Profile picture of the author CDarklock
      Originally Posted by digitalproductreporter View Post

      a custom built script will be way more secure than wordpress with a programmer with even minimal security knowledge
      This is such absolute garbage I do not even know where to begin. The person who posted it does not know the first damn thing about security. Never take security advice from that person.
  • Profile picture of the author Quentin
    I have run a few membership sites in Wordpress and touch wood no problems yet however I do do all they say such as removing versions, keeping everything updated and doing all the security fixes.

    I did have a specialized script at one stage but it got hacked and there was little support to get it fixed.

    At least with wordpress I backup daily so if anything really bad happened I could be back up and running with a full install in a matter of hours.

    Plus there is lots of help around when I need it.

    Quentin
    • Profile picture of the author theultimate1
      Originally Posted by Quentin View Post

      I have run a few membership sites in Wordpress and touch wood no problems yet however I do do all they say such as removing versions, keeping everything updated and doing all the security fixes.

      I did have a specialized script at one stage but it got hacked and there was little support to get it fixed.

      At least with wordpress I backup daily so if anything really bad happened I could be back up and running with a full install in a matter of hours.

      Plus there is lots of help around when I need it.

      Quentin
      How do you go about ensuring the security of your WordPress site? Updating plugins and the core codex is just one thing. What else do you do to secure your site?

      Is using HTTPS a good option?

      Can the login-authentication be a proprietary script, which then re-directs the users/members to the WordPress site that runs in the back-end? Does that sound feasible, or even sensible at all?
  • Profile picture of the author theultimate1
    I hate to bump this, but I would appreciate some ideas based on experiences and understanding on this one. Thanks
  • Profile picture of the author Josh Anderson
    There are many steps you can take to harden your wordpress install.

    The most vulnerable blogs are those that go with the standard installation and do not go through the sometimes tedious process of hardening their blog using htaccess, anti bad robots script and robots txt, changing certain file permissions, renaming certain files etc.

    One warrior put out a decent package on WP security steps... my staff and I have been researching, testing, and implementing many additional steps for WP security in the last couple weeks as well.

    One of the most important things to consider regarding security if you are going to be using WP for delivering premium content is to never use any plugin or WP modification that calls for the storing of critical client data inside the actual WP installation and databases.

    Never forget that wordpress is primarily a blog platform and should never be forced to handle things like ecommerce processing and affiliate management. And never forget that it should not be used to store critical client data. It should only be used as a gateway for providing access to content and as a mechanism for delivering that content.

    Our approach was to create a plugin for creating and managing Wordpress Membership sites that interacted with our hosted subscriber management and ecommerce automation platform. Our plugin was designed to be less invasive and work with wordpress in the way wordpress was designed to behave.

    Avoid significantly invasive plugins or themes that may cause compatibility problems with other less invasive plugins. Also be aware that themes and plugins you get from third parties can also introduce security risks.
    • Profile picture of the author theultimate1
      Originally Posted by Josh Anderson View Post

      There are many steps you can take to harden your wordpress install.

      The most vulnerable blogs are those that go with the standard installation and do not go through the sometimes tedious process of hardening their blog using htaccess, anti bad robots script and robots txt, changing certain file permissions, renaming certain files etc.

      One warrior put out a decent package on WP security steps... my staff and I have been researching, testing, and implementing many additional steps for WP security in the last couple weeks as well.
      Josh, first off... thanks for your experience-driven insights

      Could you please help me with a pointer to this? Are you implementing exactly the same system/steps as suggested by the particular Warrior, or are you doing something additional? If you're walking the extra mile, I'd appreciate a pointer in that/those direction(s) as well.

      Originally Posted by Josh Anderson View Post

      One of the most important things to consider regarding security if you are going to be using WP for delivering premium content is to never use any plugin or WP modification that calls for the storing of critical client data inside the actual WP installation and databases.

      Never forget that wordpress is primarily a blog platform and should never be forced to handle things like ecommerce processing and affiliate management. And never forget that it should not be used to store critical client data. It should only be used as a gateway for providing access to content and as a mechanism for delivering that content.

      Our approach was to create a plugin for creating and managing Wordpress Membership sites that interacted with our hosted subscriber management and ecommerce automation platform. Our plugin was designed to be less invasive and work with wordpress in the way wordpress was designed to behave.

      Avoid significantly invasive plugins or themes that may cause compatibility problems with other less invasive plugins. Also be aware that themes and plugins you get from third parties can also introduce security risks.
      So, how much time (man hours) and money did all of this cost you?
      • Profile picture of the author Josh Anderson
        Originally Posted by theultimate1 View Post

        Josh, first off... thanks for your experience-driven insights

        Could you please help me with a pointer to this? Are you implementing exactly the same system/steps as suggested by the particular Warrior, or are you doing something additional? If you're walking the extra mile, I'd appreciate a pointer in that/those direction(s) as well.

        So, how much time (man hours) and money did all of this cost you?
        Since the first steps we took was to research and implement our own steps and since I have a staff member assigned to research and master this for the benefit of our users the cost to us was higher than what it would cost most... but he is compiling a list of his steps after the research and I think that the cost to most can be minimal and limited to just a few hours work.

        A good place to start your own research is with a couple google searches:

        hardening wordpress - Google Search

        bad bots list - Google Search

        You will notice that wordpress itself puts out good instruction on hardening but we also found a lot of viable additional strategies that can be taken using htaccess and robots.txt

        We found that some suggestions, especially those surrounding permissions settings, can cause problems and make blogs unusable. So just be aware that some suggestions out there may not be compatible with all versions of WP.

        It's well worth doing though as most security issues arise either from not doing anything or using plugins and themes that introduce security issues.
    • Profile picture of the author enwereuzo
      Thank you for your in-depth answer.
      Are you saying that the best thing is to have your own script or plugin for membership site?

      Enwereuzo
      Originally Posted by Josh Anderson View Post

      There are many steps you can take to harden your wordpress install.

      The most vulnerable blogs are those that go with the standard installation and do not go through the sometimes tedious process of hardening their blog using htaccess, anti bad robots script and robots txt, changing certain file permissions, renaming certain files etc.

      One warrior put out a decent package on WP security steps... my staff and I have been researching, testing, and implementing many additional steps for WP security in the last couple weeks as well.

      One of the most important things to consider regarding security if you are going to be using WP for delivering premium content is to never use any plugin or WP modification that calls for the storing of critical client data inside the actual WP installation and databases.

      Never forget that wordpress is primarily a blog platform and should never be forced to handle things like ecommerce processing and affiliate management. And never forget that it should not be used to store critical client data. It should only be used as a gateway for providing access to content and as a mechanism for delivering that content.

      Our approach was to create a plugin for creating and managing Wordpress Membership sites that interacted with our hosted subscriber management and ecommerce automation platform. Our plugin was designed to be less invasive and work with wordpress in the way wordpress was designed to behave.

      Avoid significantly invasive plugins or themes that may cause compatibility problems with other less invasive plugins. Also be aware that themes and plugins you get from third parties can also introduce security risks.
    • Profile picture of the author phylrock@aol.com
      Originally Posted by Josh Anderson View Post

      There are many steps you can take to harden your wordpress install.

      The most vulnerable blogs are those that go with the standard installation and do not go through the sometimes tedious process of hardening their blog using htaccess, anti bad robots script and robots txt, changing certain file permissions, renaming certain files etc.

      One warrior put out a decent package on WP security steps... my staff and I have been researching, testing, and implementing many additional steps for WP security in the last couple weeks as well.

      One of the most important things to consider regarding security if you are going to be using WP for delivering premium content is to never use any plugin or WP modification that calls for the storing of critical client data inside the actual WP installation and databases.

      Never forget that wordpress is primarily a blog platform and should never be forced to handle things like ecommerce processing and affiliate management. And never forget that it should not be used to store critical client data. It should only be used as a gateway for providing access to content and as a mechanism for delivering that content.

      Our approach was to create a plugin for creating and managing Wordpress Membership sites that interacted with our hosted subscriber management and ecommerce automation platform. Our plugin was designed to be less invasive and work with wordpress in the way wordpress was designed to behave.

      Avoid significantly invasive plugins or themes that may cause compatibility problems with other less invasive plugins. Also be aware that themes and plugins you get from third parties can also introduce security risks.
      I am concerned about security also. I don't know enough about WordPress to understand your answer. I have a membership website that is being converted to WordPress with difficulty.
  • Profile picture of the author sbucciarel
    Banned
    Plugin called Wish List Member ... to me the best Wordpress Membership Plugin. I love it.
  • Profile picture of the author rts2271
    I guess my 2 cents would be keep no client data you do not want to expose.

    If you use Wordpress the chances of you getting hit with a case of the hackies is through the roof. With that said I do use Wordpress with membership stuff.

    I just limit the exposure by not keeping anything beyond username name email and DIFFERENT password in the system.
    However I am, after dealing with hundreds of hacked Wordpress installs on a competitor's hosting in January, looking at Amember.
  • Profile picture of the author Fernando Veloso
    If your client wants to use video, better use something else. WP plugin I tested didn't protect the folders, just post/pages.

    Everything you placed outside (videos/pdf's) could be shared via URL.

    Don't know if the plugins updated that issue.

    I personally use a self hosted solution, this one protects (encrypts) the URLs to every video, pdf, etc, and it's damn easy to setup, update, lots of features, drip content, includes integration with Paypal, GoogleCheckout, Clickbank, own affiliate program... you name it.

    InstantMamber by a fellow Warrior.
  • Profile picture of the author BrianMcLeod
    I use Josh's WP plug-in on a popular membership site
    with hundreds of paying members and it works well.
    It's easy to set up and content is automatically made
    available inside WP through a "portal" to use their
    terminology - the content doesn't actually exist in
    wordpress at all.

    I also use Rapid Action Profits and Bill Ortell's excellent
    membership add-ons Membership Plus and Rapid Action
    Press on several other membership sites and love it.

    With Membership Plus, the WP install can be completely
    hidden - the only way to access it is through authenticated
    login inside the dedicated member's area.

    With Rapid Action Press, the WP install can be public
    but protected content cannot be seen unless the user
    has an active and valid membership.

    With both solutions (RAP and Nanacast/Mixiv) when a new
    customer "buys", a user record is injected into the Wordpress
    database, but permission to access the content is authenticated
    against transaction records completely OUTSIDE of WP.

    In terms of security, I'm rather proud of the fact that one
    of the membership sites has been requested ad nauseam
    on some of the "sharing sites" and the general consensus
    has been "don't waste your time... total pain in the ass...
    you'll never get it..."

    This is largely due to the fact that the content, video, audio,
    PDF, etc is locked up inside secure DL areas or hosted offsite
    with encrypted links that expire momentarily after being
    autogenerated for each viewer.

    While security is ALWAYS a concern, the focus is largely on
    increasing and maintaining sales, reducing attrition and other
    marketing related objectives. Security is just not a problem
    for me with the solutions I'm using.

    The one time that one of the sites got hacked, it was through
    the HELP DESK software on the site, not WP.

    (DO NOT forget to disable file uploads if you use HESK!)

    Hope this is helpful,

    Brian
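The expiring per-viewer links Brian describes, which also address the directly shareable file URLs Fernando mentions, sketched as an added example that is not code from any product named in this thread. It signs the link with an HMAC rather than encrypting it; the `/dl.php` endpoint, the secret, the lifetime and the file names are assumptions.

```php
<?php
// Added example: HMAC-signed download links that expire shortly after issue.
// Assumptions: a hypothetical /dl.php endpoint streams the file after
// verify_download_link() succeeds, and the files live outside the web root
// so they cannot be fetched by guessing a direct URL.
declare(strict_types=1);

const LINK_SECRET = 'constructed-placeholder-use-32-random-bytes'; // keep outside the web root
const LINK_TTL = 120; // seconds a freshly issued link stays valid

/** Issue a link bound to one file, one member and one expiry time. */
function make_download_link(string $file, int $memberId, ?int $now = null): string
{
    $expires = ($now ?? time()) + LINK_TTL;
    // Every field the server will trust later is covered by the signature.
    $payload = $file . "\n" . $memberId . "\n" . $expires;
    $sig = hash_hmac('sha256', $payload, LINK_SECRET);

    return '/dl.php?' . http_build_query([
        'f' => $file, 'm' => $memberId, 'e' => $expires, 's' => $sig,
    ]);
}

/** Return the file name to serve, or null when the link must be refused. */
function verify_download_link(string $url, ?int $now = null): ?string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    foreach (['f', 'm', 'e', 's'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return null; // missing field or array injection such as f[]=x
        }
    }
    if (!preg_match('/^\d{1,10}$/', $q['m']) || !preg_match('/^\d{1,10}$/', $q['e'])) {
        return null;
    }
    // Only bare file names are accepted, so a signed link can never leave
    // the protected download directory.
    if ($q['f'] === '' || basename($q['f']) !== $q['f']) {
        return null;
    }
    $expected = hash_hmac('sha256', $q['f'] . "\n" . $q['m'] . "\n" . $q['e'], LINK_SECRET);
    if (!hash_equals($expected, $q['s'])) { // constant-time comparison
        return null;
    }
    if (($now ?? time()) > (int) $q['e']) {
        return null; // signature is genuine but the link has expired
    }
    return $q['f'];
}

// Constructed demo values: a fixed clock makes the cases reproducible.
$t0 = 1700000000;
$link = make_download_link('lesson-01.mp4', 42, $t0);
$cases = [
    'fresh link'        => [$link, $t0 + 30],
    'after expiry'      => [$link, $t0 + LINK_TTL + 1],
    'member id altered' => [str_replace('m=42', 'm=43', $link), $t0 + 30],
    'path in file name' => [make_download_link('../wp-config.php', 42, $t0), $t0 + 30],
];
foreach ($cases as $label => [$url, $now]) {
    $file = verify_download_link($url, $now);
    printf("%-18s %s\n", $label, $file === null ? 'refused' : "serve $file");
}
```

The membership check itself still happens before a link is issued; the signature only proves that the server issued this exact link for this member and that it has not yet expired.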
  • Profile picture of the author xInd
    One thing you might be forgetting, while the system you deploy your site on has its whole category of potential security holes, your hosting setup also plays a significant role in this.
    Ensuring you have a very secure host with an active admin and good software running constantly scanning the systems is very important. You hack into the server, and well, it doesn't matter what you put your site up with... One could do whatever they wanted to it if they put their mind to it from inside your server...

    Now, wordpress... Here are some security related plugins:
    Secure WordPress
    WordPress Ultimate Security

    Those are two I am using on some of my sites. I have programmers working with me though, and for my membership and site system we've just been finishing up (based on WP) we use hard code modifications, and moving all admin files, locations, changing names, etc... and make sure you don't leave any links to your admin dashboard out in the front of the site like WP likes to do.. If you are using wordpress for a membership site, you are not going to send them to the same login screen as officers of the site that are going to be directed to the main dashboard. There's a number of ways to do this... but I can't really go into every detail of all of it, since we'll be running a WSO on our system soon.... but there's a lot more to our system than this.

    @OP: Please remind me to get back to you on this subject, or contact me off the forum... I want to have another chat with my programmers/dev team and get some more of the security related to membership access etc info from them so I can give you some more tips. Perhaps we can all throw some input around and I'll sponsor the development of a new security plugin specifically for this type of application?
    • Profile picture of the author theultimate1
      Originally Posted by BrianMcLeod View Post

      Hope this is helpful,

      Brian
      Helpful?! Looks like your post saved me a ton of leg work and seems to have solved half the issues for me. Thanks Brian

      Originally Posted by Josh Anderson View Post

      It's well worth doing though as most security issues arise either from not doing anything or using plugins and themes that introduce security issues.
      Thanks for your continued support in this, Josh.

      As for the themes, where do themes really cause security issues? I could purchase a theme framework and build my own theme. Any good ones you know of that may not cause security issues?

      Originally Posted by Xception-Industries View Post

      One thing you might be forgetting, while the system you deploy your site on has its whole category of potential security holes, your hosting setup also plays a significant role in this.
      Ensuring you have a very secure host with an active admin and good software running constantly scanning the systems is very important. You hack into the server, and well, it doesn't matter what you put your site up with... One could do whatever they wanted to it if they put their mind to it from inside your server...

      Now, wordpress... Here are some security related plugins:
      Secure WordPress
      WordPress Ultimate Security

      Those are two I am using on some of my sites. I have programmers working with me though, and for my membership and site system we've just been finishing up (based on WP) we use hard code modifications, and moving all admin files, locations, changing names, etc... and make sure you don't leave any links to your admin dashboard out in the front of the site like WP likes to do.. If you are using wordpress for a membership site, you are not going to send them to the same login screen as officers of the site that are going to be directed to the main dashboard. There's a number of ways to do this... but I can't really go into every detail of all of it, since we'll be running a WSO on our system soon.... but there's a lot more to our system than this.

      @OP: Please remind me to get back to you on this subject, or contact me off the forum... I want to have another chat with my programmers/dev team and get some more of the security related to membership access etc info from them so I can give you some more tips. Perhaps we can all throw some input around and I'll sponsor the development of a new security plugin specifically for this type of application?
      Thanks for your insights. I'll be waiting for your WSO as well as the semi-automatic plugin you talked about.

      P.S.: One of the crucial features/benefits of the membership site we're planning will be that the members will be able to interact with each other. Any way to make that happen in WordPress (BuddyPress or any other plugins)? And, any safe ways to do it?
  • Profile picture of the author robs132
    daniel brock from dantheinternetman.com runs his membership site through wordpress. Email him.
  • Profile picture of the author Josh Anderson
    Btw.... in case anyone is tempted to think that using some wordpress security related plugins will secure your WP... it won't.

    There are a lot of things you must do manually to increase WP security. There are very few plugins that do anything related to WP security to any level of effectiveness. Most are very limited in what they do and even scanning plugins do not fix issues... they just notify you of some (not all) potential issues.

    So don't be tempted to search "Wordpress Security Plugin" and think that what you find will resolve much... you won't be able to do much of anything with a plugin. Again a lot of manual work is required to increase your blog security.
    • Profile picture of the author xInd
      Originally Posted by Josh Anderson View Post

      Btw.... in case anyone is tempted to think that using some wordpress security related plugins will secure your WP... it won't.

      There are a lot of things you must do manually to increase WP security. There are very few plugins that do anything related to WP security to any level of effectiveness. Most are very limited in what they do and even scanning plugins do not fix issues... they just notify you of some (not all) potential issues.

      So don't be tempted to search "Wordpress Security Plugin" and think that what you find will resolve much... you won't be able to do much of anything with a plugin. Again a lot of manual work is required to increase your blog security.
      While very true, by the end of our work, in the next few weeks we should be able to figure out a method to turn a lot of these manual modifications into a plugin that allows it to be done semi-manually. Wouldn't mind finding another collaborator for my team interested in working on this kind of stuff if anyone is interested.
  • Profile picture of the author l3vi501
    Don't know about Wordpress itself, but why not use htaccess along with a htpassword system? It is old school, but it works at the Apache level. It's real secure and there is even software to keep users from sharing their memberships. After that all you do is make the wordpress area open and lock it down with the htaccess.
    • Profile picture of the author CDarklock
      Originally Posted by l3vi501 View Post

      Don't know about Wordpress itself, but why not use htaccess along with a htpassword system?
      I've been using this for a while, but it doesn't have the flexibility I'd like. It's pretty much "you're in, or you're out" and requires too much micromanagement. Maybe I just don't have the right tools, but it's been a solid pain in the arse.
  • Profile picture of the author Glenn Pegden
    I'm a little late to the party on this one, but as somebody that used to be employed investigating, cleaning and hardening hacked sites (including many wordpress installs) some of the info in this thread makes me cry.

    Thankfully a couple of people have already torn apart the "proprietary is more secure than open" argument, a mature popular peer-reviewed product will always have had so many developers paw over the code it's far less likely to be vulnerable than code written in a time-pushed, must release on time, corporate environment where only a small number of people have ever seen the code.

    The main issue for security is the vital part between the chair and the keyboard. The user. Almost every incident we had to investigate was due to somebody in a trusted position (the site admin, the installer, the web host etc) doing something completely stupid in good faith, normally with a view to "putting it back later". Choose a reliable web host (big doesn't always mean trusted), install wordpress by the book, follow one of the hardening guides, keep your plugins and wordpress up to date (and expect your web host to do the same with their server software) and you'll not go far wrong.

    As for the choice of plugin, my advice is choose a membership plugin that's been around a long time, offers fast responsive support, uses its own in-house developers (rather than outsourcing) and have developers with a background in security. I'd recommend the one I work for, but frankly I don't want to lessen the importance of the security message in this post.
  • Profile picture of the author Ashley G
    Hi,

    I see a lot of misperceptions in this thread regarding what makes a website secure or insecure.

    Let's start with the "open source is open so it's insecure"

    That's an epic fail. Linux is open source and has 0 viruses written per year for it. Windows on the other hand has over 60k. Most AV vendors will tell you they are fighting a losing battle.

    Closed source doesn't mean you can't see or hack the code. Closed source means it's illegal to take apart or modify the code.

    Open source is no more or less visible than closed source. It's just that it's legal to look at it and take it apart and play with it. Because of this the average open source project has 10 times as many people looking at the code, spotting bugs etc.

    2nd common fallacy regarding Security: Popularity.

    Yes popularity might increase the odds that a larger number of people might try to hack the software, but that hack will also become well known and fixed in relatively short order. But popularity has nothing to do with how easy it is to hack something. That's down to the skill of the hacker and how well the code being hacked has been written. But the bottom line: ANYTHING is hackable.

    Open source has a track record of FEWER high risk security exploits and FASTER response times to fixing them. Sometimes more overall security exploits are uncovered with open source, but that's because so many people are looking at it more bugs are uncovered. Bear in mind I say more overall security exploits are found, most of them are low level risk and they are fixed swiftly when found. Rest assured your closed source software has just as many if not more holes. It's just better hidden from the public (but not from the hackers).

    The number one contributing factor to the security failure of any given website is NOT the software it runs.

    It's the person who set it up and the person running it. Most hacks happen due to poor security practices. For example, using the default table prefix in your database, using admin as the login name, using a short guessable password, folder permissions on the server being too lax, logging in via http instead of https etc etc etc.

    9 times out of 10 when a website got hacked it wasn't an exploit affecting WordPress it was an exploit affecting the server. Meaning the hack would have gone off regardless of the software that was being run.

    I had a client just last week. His site was redirecting to a porno site whenever you visited the home page. Turns out he wasn't even hacked. He downloaded a pirated theme. The hacker had modified the theme to contain malicious code.

    Another client of mine had his whole server hacked, over 25 websites. The hacker got in via ftp set to user name admin, password admin.

    Another client had his site hacked via his WordPress login. User name: his real first name password was his DOB. This poor guy lost his Twitter account, facebook, gmail, yahoo mail and a few others. All using the same user name and password.

    As anyone with a police, military or security background will tell you. The biggest threat to security is always you.

    Yes plugins in wordpress can add security holes, but if your plugin comes from a reputable source you're safe enough. Take some time, read reviews. See what others say about the plugin.

    If you still feel you're not sure, hire an expert to consult with you and guide you in choosing the right plugins.
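A small audit for four of the setup mistakes Ashley lists (default table prefix, an `admin` login, lax folder permissions, logins not forced onto https), as an added example that is not from any poster or plugin in this thread. The sample site it builds in a temp directory and the login list are constructed; it assumes a Unix-like host where permission bits are meaningful.

```php
<?php
// Added example: audits a WordPress directory for common setup mistakes.
// Everything under "Constructed sample site" is made up for the demo.
declare(strict_types=1);

/** Findings that can be read straight out of wp-config.php. */
function audit_wp_config(string $config): array
{
    $findings = [];
    // 'wp_' is the installer default for $table_prefix.
    if (preg_match('/^\s*\$table_prefix\s*=\s*([\'"])(.*?)\1\s*;/m', $config, $m)
        && $m[2] === 'wp_') {
        $findings[] = "wp-config.php: default table prefix 'wp_'";
    }
    // FORCE_SSL_ADMIN makes the login and admin pages require https.
    // Anchoring at line start ignores a commented-out define().
    if (!preg_match('/^\s*define\(\s*[\'"]FORCE_SSL_ADMIN[\'"]\s*,\s*true\s*\)\s*;/mi', $config)) {
        $findings[] = 'wp-config.php: FORCE_SSL_ADMIN is not set to true';
    }
    return $findings;
}

/** Flag the login name every password-guessing run tries first. */
function audit_logins(array $logins): array
{
    $findings = [];
    foreach ($logins as $login) {
        if (strcasecmp($login, 'admin') === 0) {
            $findings[] = "user table: login name '$login' is in use";
        }
    }
    return $findings;
}

/** Flag anything under $root that any local account may write to. */
function audit_permissions(string $root): array
{
    $findings = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($walker as $item) {
        $mode = $item->getPerms() & 0777;
        if ($mode & 0002) { // "other" write bit
            $relative = substr($item->getPathname(), strlen($root) + 1);
            $findings[] = sprintf('%s: world-writable (%04o)', $relative, $mode);
        }
    }
    sort($findings);
    return $findings;
}

// Constructed sample site: default prefix, https define commented out,
// and an uploads directory left at 0777.
$root = sys_get_temp_dir() . '/wp-audit-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/wp-content/uploads', 0755, true);
file_put_contents(
    $root . '/wp-config.php',
    "<?php\n\$table_prefix = 'wp_';\n// define('FORCE_SSL_ADMIN', true);\n"
);
chmod($root . '/wp-config.php', 0640);
chmod($root . '/wp-content/uploads', 0777);
$logins = ['admin', 'editor-jane']; // constructed; normally read from the users table

$findings = array_merge(
    audit_wp_config((string) file_get_contents($root . '/wp-config.php')),
    audit_logins($logins),
    audit_permissions($root)
);
foreach ($findings as $finding) {
    echo '[!] ', $finding, "\n";
}

// Remove the constructed sample site again.
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $item) {
    $item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
}
rmdir($root);
```

Password strength cannot be audited this way because WordPress stores only password hashes.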
  • Profile picture of the author BrianMcLeod
    Re-reading my response just now is making me
    want to re-emphasize that I am NOT advocating
    being slack or lazy about securing your websites
    and online properties.

    Getting hacked is a pain in the ass under the best
    of circumstances and can be a total NIGHTMARE
    when things are not "optimal"...

    That said, I talk to way too many marketers who
    obsess endlessly about potential security breaches,
    illegal file sharing, and host of other "ugly" IM issues
    while they allow their marketing efforts to languish.

    NOT PROFITABLE.

    Brian
  • Profile picture of the author Barry Patterson
    What a read! I did not know there was so much possibility of losing the very fiber of what one is trying to accomplish on the internet. Dumb me. Would the use of numbers and letters help in the password? Thank you people for this information. I wonder if you have the same feelings about BlogSpot Blogger?