WordPress Security? WP Padlock?

by Local Banned
37 replies
Does anyone have any recent experience with WP Padlock?

I found it after following a recommendation; however, the sales letter was dated 2008, and obviously any WordPress security tips, training, software, etc. that was even a few months old, let alone 3 years, would likely not be relevant any longer.

Evie
#hacker #padlock #security #wordpress #wp padlock
  • Profile picture of the author Michael Ten
    ya; something new might be better.. just search "security" and good ones should pop up.. go with popular ones prolly too. good luck!
  • Profile picture of the author Sandee
    There's nothing much to WP security. What you want to do to defend yourself is try using some code in .htaccess to prevent access to our main files on our server and lock off any way into our WP login or admin, and implement some free plugin to notify us each time there's an attack on our site. Especially, try to update to every new version of our WP system and plugins as well.
  • Profile picture of the author Wide
    Can't see why you want to use something to "protect" your wordpress blog.

    All you have to do is:
    - Update your wordpress blog when an update is out.
    - Choose an admin login name that is different from the most common ones.
    - Choose a "publisher nickname" that is different from your admin login name.
    - Use a random password (a hard one).
    • Profile picture of the author joe12joe
      Originally Posted by Wide View Post

      Can't see why you want to use something to "protect" your wordpress blog.

      All you have to do is:
      - Update your wordpress blog when an update is out.
      - Choose an admin login name that is different from the most common ones.
      - Choose a "publisher nickname" that is different from your admin login name.
      - Use a random password (a hard one).
      ya exactly, after all it is just a CMS. They use this CMS for blogging and some use it for e-commerce websites. You will have to install an SSL certificate on your own after purchasing it. So it's up to you how secure you want it, just like how good you want your website to be.
      • Profile picture of the author Aj Wilson
        Originally Posted by Wide View Post

        Can't see why you want to use something to "protect" your wordpress blog.

        All you have to do is:
        - Update your wordpress blog when an update is out.
        - Choose an admin login name that is different from the most common ones.
        - Choose a "publisher nickname" that is different from your admin login name.
        - Use a random password (a hard one).
        Originally Posted by joe12joe View Post

        ya exactly, after all it is just a CMS. They use this CMS for blogging and some use it for e-commerce websites. You will have to install an SSL certificate on your own after purchasing it. So it's up to you how secure you want it, just like how good you want your website to be.


        If you don't protect your wp-admin folder and your wp-config file via
        .htaccess then you're leaving your database details open to an attack.

        I Recommend http://wordpress.org/extend/plugins/bulletproof-security/ too ...

        However,

        You'll need to restore your site from a backup made before your attack,
        or failing that, start from a clean install.

        I know it's a pain in the backside, but easier than
        checking every file for malicious code throughout your site.

        (Hackers can leave a backdoor that can be very hard to search for and find).

        Once you've got your site back up & running,
        all your plugins/themes and content installed.

        Run BulletProof.

        First thing is to backup your current .htaccess files.
        and follow the instructions if you have your blog installed on root, or /folder/.

        Then use WP Twin to create a backup when you've finished,
        and backup monthly etc ... far easier to restore from a WPTwin backup than anything else I've come across so far.
    • Profile picture of the author Local
      Banned
      Originally Posted by Wide View Post

      Can't see why you want to use something to "protect" your wordpress blog.

      All you have to do is:
      - Update your wordpress blog when an update is out.
      - Choose an admin login name that is different from the most common ones.
      - Choose a "publisher nickname" that is different from your admin login name.
      - Use a random password (a hard one).
      "Can't see why you want to use something to "protect" your wordpress blog."?

      One of my lead generation sites was recently "hacked" and that site is responsible for a six+ figure income.

      Then, as I began investigating further, I became aware of thousands of "take overs" every day.

      All of your suggestions are spot on.

      Evie
  • Profile picture of the author azsno
    I've just updated WP-Padlock to be compatible with Wordpress 3.1 and added more security plugins...It's now a complete security suite for Wordpress...

    There's more info in my Signature below about WP-Padlock Security Suite

    Hope this helps...

    ~AzSno...
  • Profile picture of the author GaryHarvey
    Azsno, you say there's something in your sig about this WP security product. All I see in your sig right now is...

    Make AdSense, Amazon, and eBay CA$H with Autoblogs!
    Drip Feed Your BLOGS with Content!

    Gary
  • Profile picture of the author haymanpl
    I've written an entire blog post on wordpress security which is up to date, but I'm not sure if I'm allowed to post links here.

    There's a few wordpress plugins that protect your wordpress site from malicious attacks and other security issues.

    Surprisingly, there's no (free) wordpress plugins that backup your entire site, which is a worry.
    Many bloggers are backing up their databases but this doesn't include plugins, uploads, seo settings etc.
  • Profile picture of the author GaryHarvey
    haymanpl, I'd certainly be interested in that post.
    Gary
  • Profile picture of the author kjhosein
    Check out VaultPress. It's not free, but it is made by Automattic, the same developers who run WordPress.com and manage the WordPress application.
  • just checked this out WordPress › BulletProof Security « WordPress Plugins

    why in the world is that not a core feature for all php type systems

    thanks for the link, good thread

    keep the answers coming : )
    • Profile picture of the author WillR
      Originally Posted by affiliateprogramindex View Post

      just checked this out WordPress › BulletProof Security « WordPress Plugins

      why in the world is that not a core feature for all php type systems

      thanks for the link, good thread

      keep the answers coming : )
      I agree. It was the same with the Wordpress Automatic Update feature that was missing for so many years - we always had to rely on a plugin. Finally they took note and included it as a standard feature of Wordpress.

      You would think by now they would also have improved the SEO side of things so plugins like 'All in One SEO' and/or 'Platinum SEO' were not always required.

      Seems these guys are always a little behind the times...
      • Profile picture of the author Jason Fladlien
        Thanks AJ for the wp twin mention. That is exactly what I was going to say. Use a plugin like Azsno's for protection and then wp twin to do backups before you update your site. I'm not sure, but Azsno has a set of wp twin licenses we set up for him, so he might have some left. Maybe you can hook them up with a deal Azsno?

        But yeah, wordpress security extends far beyond a unique username and a difficult password plus the latest version of wordpress. While those things decrease your chances of your site being attacked... it doesn't stop a decent cracker from getting at you if they choose to.
        Signature

        Co-creator of WP Twin. Perhaps the most expensive yet most reliable wordpress cloning tool on the market. We've definitely been used more successfully than all other options :)
        • Profile picture of the author azsno
          Originally Posted by Jason Fladlien View Post

          Thanks AJ for the wp twin mention. That is exactly what I was going to say. Use a plugin like Azsno's for protection and then wp twin to do backups before you update your site. I'm not sure, but Azsno has a set of wp twin licenses we set up for him, so he might have some left. Maybe you can hook them up with a deal Azsno?

          But yeah, wordpress security extends far beyond a unique username and a difficult password plus the latest version of wordpress. While those things decrease your chances of your site being attacked... it doesn't stop a decent cracker from getting at you if they choose to.
          You took the words right out of my mouth Jason...

          I'm offering a WPTwin version of WP-Padlock Security Suite, it doesn't include WPTwin though you must own WPTwin to install the "hardened" site...In fact I have a video DEMO of installing the hardened WP-Padlock Security Suite site, all in less than 1 minute...

          Maybe I'll offer WPTwin in an upcoming version of the product...

          Bottom line, the ONLY way to make "exact" backups or "CLONES" of your sites is using WPTwin. There are many products out there that "claim" they're easy to use, but WPTwin actually delivers on that promise...I use it daily to create back-ups and move my sites quickly and easily...

          ~AzSno...
          • Profile picture of the author WillR
            Originally Posted by azsno View Post

            You took the words right out of my mouth Jason...

            I'm offering a WPTwin version of WP-Padlock Security Suite, it doesn't include WPTwin though you must own WPTwin to install the "hardened" site...In fact I have a video DEMO of installing the hardened WP-Padlock Security Suite site, all in less than 1 minute...

            Maybe I'll offer WPTwin in an upcoming version of the product...

            Bottom line, the ONLY way to make "exact" backups or "CLONES" of your sites is using WPTwin. There are many products out there that "claim" they're easy to use, but WPTwin actually delivers on that promise...I use it daily to create back-ups and move my sites quickly and easily...

            ~AzSno...
            Will WP-Twin clone them properly when the databases, etc are installed manually? From what I understand you need to go in and install Wordpress first before you can then run the WP Twin clone. That's why using Fantastico was good, as it was very quick to clone a site. Now if you are saying you need to install WP manually it is going to prolong the process.
            • Profile picture of the author azsno
              Originally Posted by WillR View Post

              Will WP-Twin clone them properly when the databases, etc are installed manually? From what I understand you need to go in and install Wordpress first before you can then run the WP Twin clone. That's why using Fantastico was good, as it was very quick to clone a site. Now if you are saying you need to install WP manually it is going to prolong the process.
              Craig was the one who stated he installs manually, I don't believe I mentioned that in this thread...

              I always use Fantastico or WP Desktop Installer to install Wordpress, then install the WP-Padlock clone using WPTwin (assuming you purchased the WPTwin version off the WP-Padlock Security Suite website)...

              WPTwin will clone any Wordpress Site regardless of whether it was installed manually, using Fantastico, or WP Desktop Installer...For more clarification you'll need to contact Jason's support desk, he can give you more clarification since it's his product...

              ~AzSno...
              • Profile picture of the author WillR
                Originally Posted by azsno View Post

                Craig was the one who stated he installs manually, I don't believe I mentioned that in this thread...

                I always use Fantastico or WP Desktop Installer to install Wordpress, then install the WP-Padlock clone using WPTwin (assuming you purchased the WPTwin version of WP-Padlock Security Suite)...

                WPTwin will clone any Wordpress Site regardless of whether it was installed manually, using Fantastico, or WP Desktop Installer...For more clarification you'll need to contact Jason's support desk, he can give you more clarification since it's his product...

                ~AzSno...
                Sorry, I didn't mean you had suggested the idea, sorry.

                Jason,

                With WP-Twin we can still replicate a manual set up? So if I setup the databases and everything manually so they don't have the wp prefixes, etc and then create a clone with Wp-Twin, I could then install future blogs using Fantastico, upload the clone, and it would now replicate the manual wordpress and databases I had created?

                Does that make sense?
                • Profile picture of the author azsno
                  Originally Posted by WillR View Post

                  Sorry, I didn't mean you had suggested the idea, sorry.

                  Jason,

                  With WP-Twin we can still replicate a manual set up? So if I setup the databases and everything manually so they don't have the wp prefixes, etc and then create a clone with Wp-Twin, I could then install future blogs using Fantastico, upload the clone, and it would now replicate the manual wordpress and databases I had created?

                  Does that make sense?
                  Absolutely, that's exactly what I'd do...Set up a site, change the wp_ prefix, install plugins, set SEO, etc. and then CLONE using WPTwin...

                  Install future blogs using Fantastico, FTP the CLONE, then install in less than 1 minute and voila!!! Instant secured site! It replicates everything except Site Title and Tag Line, you'll need to change that for each site...

                  ~AzSno...
                  • Profile picture of the author WillR
                    Originally Posted by azsno View Post

                    Absolutely, that's exactly what I'd do...Set up a site, change the wp_ prefix, install plugins, set SEO, etc. and then CLONE using WPTwin...

                    Install future blogs using Fantastico, FTP the CLONE, then install in less than 1 minute and voila!!! Instant secured site! It replicates everything except Site Title and Tag Line, you'll need to change that for each site...

                    ~AzSno...
                    Yeah just as I thought. It's a massive time saver for someone creating a whole lot of identical blogs. Way to go Wilson and Jason!

                    And thanks for confirming that Azsno. I'll take a look at your product when I get things going.
  • Profile picture of the author WillR
    Originally Posted by Craig Desorcy View Post

    Okay, one last tip, stop using fantastico to install wordpress.
    Why's that?
  • Profile picture of the author azsno
    Originally Posted by Craig Desorcy View Post

    I'd much rather install Wordpress by hand.

    I get to control some security settings this way.

    If you've studied up on Wordpress Blog Security,
    you'll know your database table prefix should not
    be wp_ but Fantastico will give it that.

    Also, Wordpress does not need FULL access to the
    allocated database but with Fantastico, it'll get it.

    With a manual install, I get more control.

    Craig
    That's one of the things I cover in the WP-Padlock Security Suite, an easy way to change the default wp_ to something else (I have a video tutorial that walks you through the process)

    Since the advent of updated cPanels and more hosting companies pushing Fantastico or "Scripts" much like Bluehost, over 99% of people will choose the default Wordpress installs...It's just too easy...

    Don't fear though, all is not lost...I've installed over 1000 blogs in the last 3 years and none have ever been compromised or hacked...I ONLY protected with WP-Padlock, now with the new version of WP-Padlock Security Suite, the Wordpress install is bullet-proof...

    ~AzSno...
  • Profile picture of the author GaryHarvey
    I've installed over 1000 blogs in the last 3 years and none have ever been compromised or hacked...I ONLY protected with WP-Padlock
    Very impressive. I'm off to buy this now.

    Just yesterday one of my sites was hacked.
    Grrrrr.

    Gary
  • Profile picture of the author Marvin Johnston
    WordPress site protection is something I'm interested in as well, so I also went ahead and bought the product. The only thing missing is a PDF with the checklist, but the videos explain the installation pretty well.

    This thread has provided some really good information, so thanks to Local for starting it!

    Marvin
  • Profile picture of the author Brian Alaway
    I use the free BulletProof Security plugin.
    I prefer HostGator's QuickInstall script to Fantastico, but either way, then just use WordPress Table Rename to quickly and safely rename the prefix. Nothing wrong with doing it all manually unless you suffer from tech avoidance. Or you're just lazy like me.
    Just as important though is to use strong passwords, protect your computer (anti-virus/anti-malware), use SFTP instead of FTP and use SSL for your admin/dashboard access.
    I also use WP Twin for cloning.
  • Profile picture of the author hometutor
    Is there a way to block an ip address along with email and user name just like you can in a forum?

    Rick
    • Profile picture of the author Brian Alaway
      Originally Posted by hometutor View Post

      Is there a way to block an ip address along with email and user name just like you can in a forum?

      Rick
      If you're talking about blocking spam by ip, you can use WP SpamFree.
  • Profile picture of the author colinph970
    I've read this with interest... and have an ebook which shows how to recover a site when it's been hacked and also how to increase security to make sure it never happens again. It's for sale on Amazon at:

    Amazon.com: Wordpress Hacked Report eBook: Mandy...

    BUT... I am prepared to offer a review copy to any poster on this thread in exchange for a review on Amazon... just pmail if interested.
  • Profile picture of the author Teez
    Hi guys, I'm no techie at all but I know Bullet Proof Security is a must. The issue I have is with configuring it, as the jargon (htaccess etc.) is a bit of a foreign language.

    Should I just say yes to bulletproof mode and leave it, or is there more that needs doing? I tried reading the readme info but it still made no sense to me.

    So essentially I kinda need a walkthrough that someone can vouch for, or a link to one, if anyone would be so kind.

    Also, to everyone using login lock down: I read this earlier and it says that plugin hasn't been updated since '09, just so you all know.


    http://www.warriorforum.com/blogs/az...han-sorry.html
    Signature

    My first stab at success is the Nike Air Yeezys this is what made me believe.

    You can't be scared of rejection on the quest to perfection.

    • Profile picture of the author Ashwin
      old thread, but:

      I used WP Secure or WP Padlock to place the wp-admin page behind
      the .php file on one of my sites.

      The result is that there is no www.xxxxx.com/wp-admin page to access. A 404 or 403 page is displayed instead.

      I am still getting about 100 failed login attempts
      per 24 hours from Wordfence on that site. The alerts are like this:

      A user with IP address xxx.xx.xxx.xx has been locked out
      from the signing in or using the password recovery
      form for the following reason: Used an invalid
      username 'admin' to try to sign in. User IP: xxxxxxxxxxxxx


      I wondered how that could happen.


      Theory:

      The hackers must be skipping the wp-admin page, and going directly
      to that longer URL address that comes after arriving at the wp-admin page.

      I looked at the string of characters for two websites. One was protected by WP Secure, and the other was not. That longer URL is the same for both, after accounting for the domain name.

      First domain:
      wp-login.php?redirect_to=http%3A%2F%2F domainA %2Fwp-admin%2F&reauth=1

      Second domain
      wp-login.php?redirect_to=http%3A%2F%2F domainB %2Fwp-admin%2F&reauth=1

      I can use either of the strings, copied from one browser into another and access the wp-admin page.

      So the hackers must be going directly to that longer url, entering the domain name as needed to get to the login page.

      The result is that WP Secure and WP Padlock plugin cannot be relied upon to protect the wp-admin login page...if my reasoning is correct.

      I now appreciate my 25+ character passwords even more!
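One way to check the theory in the post above against your own server logs, as an added example that is not part of the original thread: it counts, per client IP, login POSTs to `wp-login.php` that were never preceded by a request to `/wp-admin`. It assumes Apache combined log format; the sample lines are constructed (documentation IP ranges, `example.test`) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format, assumed).
# Paths mirror the wp-admin / wp-login.php URLs quoted in the post above.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2015:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2015:06:25:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Apr/2015:07:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Apr/2015:08:12:44 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Apr/2015:08:12:45 +0000] "GET /wp-login.php?redirect_to=http%3A%2F%2Fexample.test%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Apr/2015:08:12:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2015:09:01:17 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def summarize_login_traffic(log_text):
    """Per-IP counts of /wp-admin hits, login POSTs, and 'direct' login POSTs.

    A login POST is 'direct' when the same IP has not requested anything
    under /wp-admin earlier in the log, i.e. it went straight to wp-login.php.
    """
    seen_admin = set()
    stats = defaultdict(
        lambda: {"admin_hits": 0, "login_posts": 0, "direct_posts": 0}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]  # drop the query string
        if path.startswith("/wp-admin"):
            stats[ip]["admin_hits"] += 1
            seen_admin.add(ip)
        elif path == "/wp-login.php" and method == "POST":
            stats[ip]["login_posts"] += 1
            if ip not in seen_admin:
                stats[ip]["direct_posts"] += 1
    return dict(stats)


def direct_login_clients(log_text, threshold=2):
    """IPs with at least `threshold` login POSTs that bypassed /wp-admin."""
    summary = summarize_login_traffic(log_text)
    return sorted(
        ip for ip, s in summary.items() if s["direct_posts"] >= threshold
    )


if __name__ == "__main__":
    for ip, s in summarize_login_traffic(SAMPLE_LOG).items():
        print(ip, s)
    print("direct login clients:", direct_login_clients(SAMPLE_LOG))
```

If the IPs in the Wordfence lockout alerts show up here with direct POSTs and no `/wp-admin` hits, hiding `/wp-admin` alone is not what stands between them and the login form.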
  • Profile picture of the author seven4
    "Can't see why you want to use something to "protect" your wordpress blog."?

    One of my lead generation sites was recently "hacked" and that site is responsible for a six+ figure income.

    Then, as I began investigating further, I became aware of thousands of "take overs" every day.

    All of your suggestions are spot on.
  • Profile picture of the author affiliolabs
    I personally use iThemes security. Super quick and easy to setup with any feature you can imagine