WordPress Users - New Plugin For Blog Security

13 replies
There is a new WordPress plugin called "Maximum Security" that is going to be released in beta soon. It is a WordPress security plugin.

I was completely blown away when I read through the list of features.

It seems like this guy has come up with a very comprehensive security plugin. I've signed up for the beta version release and can't wait to install it.

If you have my WordPress Bible I'll update the Security chapter soon to show the features of this new plugin.

By the way, that's not an affiliate link

All the best

Leanne
#blog #plugin #security #users #wordpress
  • Leanne King
    @jimrpips me too! I heard the guy interviewed the other day at WordPress Weekly and he certainly knew his stuff.

    Leanne
  • Midnight_Eden
    Thanks for that - I will check this out. My blog was hacked the other day so security is at the forefront of my mind at the moment.
  • Leanne King
    @Midnight Eden try and back up your blog regularly (including your db) so you have a "clean" copy to work from, and change your password regularly as well. Maximum Security though certainly sounds like it is going to kick some bad butts.

    @axeray - I totally agree. I'm always looking for new security measures for wordpress.

    Leanne
  • TheRichJerksNet
    A great deal of hype on that website ....

    James
  • Ralf Skirr
    Leanne, thanks for the link, the plugin has some useful features I've never seen before.

    Ralf
    • tobe
      Whoa, that Maximum Security software looks like really good stuff. I've got a few security plugins installed already on my Wordpress site and they do help, but that one looks like it covers a LOT more bases.

      @Leanne King: I signed up to get a beta copy and hope it's released soon. Thanks for pointing it out.

      @TheRichJerksNet: Doesn't look like hype to me. But maybe I'm missing something - can you point out any specific 'hot air' for me and explain how it's hype?
      • TheRichJerksNet
        Originally Posted by tobe:
        Whoa, that Maximum Security software looks like really good stuff. I've got a few security plugins installed already on my Wordpress site and they do help, but that one looks like it covers a LOT more bases.

        @Leanne King: I signed up to get a beta copy and hope it's released soon. Thanks for pointing it out.

        @TheRichJerksNet: Doesn't look like hype to me. But maybe I'm missing something - can you point out any specific 'hot air' for me and explain how it's hype?

        Sure, since you asked.. If there is one thing I hate, it's for newbies to be tricked into thinking something ..

        Maximum Security scans your entire Wordpress configuration to detect potentially dangerous settings, such as using the default table prefix, using a "generator" tag in your site's page headers, leaving the default "admin" account enabled, and more.
        - You don't need anything to scan; go to your theme and edit the header file to remove the counter code which shows your WP version.

        - Default table prefix: look at the config file.. Want to change your table prefix? Then edit the db. Boom, that simple.. No software will edit your db table prefix for you unless you have "ALTER RIGHTS" on your server. I can tell you now I have a dedicated server and even I don't have "ALTER RIGHTS", the reason being that having "ALTER RIGHTS" enabled is a security risk.

        - You should not have any account called "admin", period!!!

        A powerful file permissions scanner examines every core Wordpress file to determine its current security permission setting.
        - Your cPanel/server already does this for you; also most FTP programs tell you what the permissions are.. Files should be 0644 permissions and folders should be 0755 permissions. If your server is set up properly these file permissions are already set for you, thus no need for any scanner to tell you something that is already set.

        Maximum Security also prevents anyone from browsing files on your entire site. All you have to do is check a box to enable the feature and you're done - all of your directories and files are instantly protected against unwanted snooping.
        - Again your server already does this, it's called .htaccess

        Gaining access to your admin panel is often the goal of some intruders. In most cases the bad guy will need to figure out the username and password for an administrator account in order to login to gain that level of access. Maximum Security gives you the ability to add another layer of password security to the login process by defining a second administrator password.
        - Again, your server can already do this, it's called .htaccess - It is not needed by any means but I figured I would tell you .htaccess can do it.

        - Having double passwords has a downfall: it will block some automation like websites that offer to drip-feed your blogs on auto-pilot for you.

        I really could not read anymore because they are using a great deal of hype and trying to use "big words" that they know newbies do not understand.

        I said it once and I will say it again, the only way to protect your WordPress blog from hackers is to take security into your own hands and not rely on any plugin or software to do it for you..

        James
        • tobe
          Originally Posted by TheRichJerksNet:
          Sure, since you asked.. If there is one thing I hate, it's for newbies to be tricked into thinking something ..

          - You don't need anything to scan; go to your theme and edit the header file to remove the counter code which shows your WP version.

          People need to understand HTML and PHP to safely edit a header without accidentally messing it up. Wordpress is used on well over 1 million blogs (according to stats at the WP site) - the vast majority of Wordpress users aren't technically savvy.

          Originally Posted by TheRichJerksNet:
          - Default table prefix: look at the config file.. Want to change your table prefix? Then edit the db. Boom, that simple.. No software will edit your db table prefix for you unless you have "ALTER RIGHTS" on your server. I can tell you now I have a dedicated server and even I don't have "ALTER RIGHTS", the reason being that having "ALTER RIGHTS" enabled is a security risk.

          Well, let's face it. Having a Web site, period, is a security risk. So the question is how much risk is reasonable? And that's a question that has to be answered by individuals - there's no blanket answer that applies to everyone. Not that I can see anyway.

          All of my Wordpress blogs (over a dozen on several different major "top 50" hosting companies) have "alter" rights, because I can install various new plugins that alter existing tables to make new data fields or add new tables for use by whatever plugin I'm installing.

          So this "alter" right appears to be status quo for hosting companies to automatically grant to a database. I don't see it as a big deal. It's more a hassle to not have that right.

          But anyway how is that issue hype?

          Originally Posted by TheRichJerksNet:
          - You should not have any account called "admin", period!!!

          Wordpress installs it by default. So it needs to be disabled or removed for better security. Sure. One of the free security plugins I have on my own sites does that for me.

          Even so I don't get what that has to do with the Maximum Security plugin.

          Originally Posted by TheRichJerksNet:
          - Your cPanel/server already does this for you; also most FTP programs tell you what the permissions are.. Files should be 0644 permissions and folders should be 0755 permissions. If your server is set up properly these file permissions are already set for you, thus no need for any scanner to tell you something that is already set.

          None of the major hosting companies I use have cPanel. They all have their own custom control panels. But even if every hosting company had cPanel, most people have no idea what "0644" means. You have to know a bit about Linux or Unix to understand what that really means.

          So people having a plugin to handle file permissions for them sounds like a good idea to me. Just like Windows - most firewalls protect the system so you don't have to be a Windows expert or security expert. Looks to me like that's something being kept in mind by those guys making the Maximum Security plugin. Nothing wrong with that. Plenty of devs make using Wordpress painless.

          If I have 20 Wordpress sites then I'd have to login to 20 sites via FTP and change a long list of file permissions. I'd rather be out making some cash :-)

          Again I have to ask, how is this issue hype? I was hoping you were going to point out how the plugin won't do what it says it can do, or something like that. I only know so much about Wordpress and PHP... I'm no genuine expert with either one of them.

          Originally Posted by TheRichJerksNet:
          - Again your server already does this, it's called .htaccess

          What if I don't know how to write .htaccess rules? Heck I have buddies at the office who've been using Linux and Apache for years and even they can't write decent .htaccess rules without someone (or some instructional Web site) holding their hand.

          I find myself wondering again, where's the hype with this issue?

          Having a plugin make some mods to my .htaccess file for me sounds like typical "ease of use" being built into a security plugin.

          Originally Posted by TheRichJerksNet:
          - Having double passwords has a downfall: it will block some automation like websites that offer to drip-feed your blogs on auto-pilot for you.

          Are you sure? Have you seen the plugin in action yet? I can envision how a Wordpress blog can be "drip fed" - as you call it - without passwords interfering. It's not a problem on one of my sites that I feed content into automatically. And that site has an extra admin psw via an .htaccess file.

          Originally Posted by TheRichJerksNet:
          I really could not read anymore because they are using a great deal of hype and trying to use "big words" that they know newbies do not understand.

          Well I read the entire feature list and all the blog posts (there are only a few so it didn't take me long) and the developers - according to the site - apparently have something like 15 years experience with security, so I figure they probably know what they're doing.

          We have a guy like that in our office that handles Windows desktop security and he's worth his weight in gold in my opinion. I bet he wishes I got to set his pay level! Lol.

          Originally Posted by TheRichJerksNet:
          I really could not read anymore because they are using a great deal of hype and trying to use "big words" that they know newbies do not understand.

          Well I'm not entirely a newbie but I'm no expert either and it all made perfect sense to me. Most of the plugin descriptions I've seen from other people have a simple bullet list with incredibly brief explanations. But over there I was pleased to see that they offer a lot of explanation for every feature in the security plugin.

          In fact I actually found the content to be very educational! I hope they post more blog articles about security like they say they will. I added them to my 'following' list on Twitter and will be watching their RSS feed too.

          I guess if any of it doesn't make sense (for some strange reason) a person could always ask them to explain or clarify. They've got a forum over there and a contact form page and Wordpress allows people to post comments, as you probably know. Seems like a friendly and helpful bunch to me, so far, based on what I read.

          Originally Posted by TheRichJerksNet:
          I said it once and I will say it again, the only way to protect your WordPress blog from hackers is to take security into your own hands and not rely on any plugin or software to do it for you..

          I've been a Windows desktop administrator for over a decade. I know full well that I cannot rely on users to handle anything except their job - which is basically to generate cashflow for the company. So any tool I can put on their desktop to help automate tasks (e.g. add more "ease of use" stuff) pays for itself repeatedly in the long run and saves our company a lot of bux and a lot of headaches.

          I really don't see Wordpress as any different. That's why there are a gillion plugins, because for example, instead of posting content yourself you can drip feed it with a tool - which again is that 'ease of use' thing that we admins really like. Site security isn't much different in so far as I can see.
          • TheRichJerksNet
            Originally Posted by tobe:
            People need to understand HTML and PHP to safely edit a header without accidentally messing it up. Wordpress is used on well over 1 million blogs (according to stats at the WP site) - the vast majority of Wordpress users aren't technically savvy.

            You do not need to know any HTML or PHP to remove the WP version - it is one line and it even tells you what line it is. This is common knowledge for many that use WordPress.

            Originally Posted by tobe:
            Well, let's face it. Having a Web site, period, is a security risk. So the question is how much risk is reasonable? And that's a question that has to be answered by individuals - there's no blanket answer that applies to everyone. Not that I can see anyway.

            Yes, no website is 100% secure; the more and more "plugins" you allow access to your db and files, the more security risk you are taking. Any real developer will tell you the same.

            Originally Posted by tobe:
            All of my Wordpress blogs (over a dozen on several different major "top 50" hosting companies) have "alter" rights, because I can install various new plugins that alter existing tables to make new data fields or add new tables for use by whatever plugin I'm installing.

            So this "alter" right appears to be status quo for hosting companies to automatically grant to a database. I don't see it as a big deal. It's more a hassle to not have that right.

            But anyway how is that issue hype?

            I doubt you have alter rights, we are not talking about a plugin.. We are talking about the db itself being changed on the fly. 80% of hosts have this disabled for good reasons, it is a HUGE SECURITY RISK if enabled.


            Originally Posted by tobe:
            Wordpress installs it by default. So it needs to be disabled or removed for better security. Sure. One of the free security plugins I have on my own sites does that for me.

            Even so I don't get what that has to do with the Maximum Security plugin.

            You can change your admin name very easily, there are about 1,000 sites out there that tell you how to do it. You don't need some plugin which is another connection to your db; as stated, the more you use the more you are at risk.

            Originally Posted by tobe:
            None of the major hosting companies I use have cPanel. They all have their own custom control panels. But even if every hosting company had cPanel, most people have no idea what "0644" means. You have to know a bit about Linux or Unix to understand what that really means.

            So people having a plugin to handle file permissions for them sounds like a good idea to me. Just like Windows - most firewalls protect the system so you don't have to be a Windows expert or security expert. Looks to me like that's something being kept in mind by those guys making the Maximum Security plugin. Nothing wrong with that. Plenty of devs make using Wordpress painless.

            Again I have to ask, how is this issue hype? I was hoping you were going to point out how the plugin won't do what it says it can do, or something like that. I only know so much about Wordpress and PHP... I'm no genuine expert with either one of them.

            Any properly set up host will have permissions set properly upon upload/install.. If they don't then it is time to change host. Also it is a very well known fact that if you are running anything other than:

            Unix Server running Php 5.2.5 (or php 4 is fine), Cpanel 11 and apache compiled with SuExec installed.

            Then you are risking your business, period!! SuExec does not require any permissions at 777 to run scripts, it runs php faster, and it helps protect you against SQL injection.

            Originally Posted by tobe:
            What if I don't know how to write .htaccess rules? Heck I have buddies at the office who've been using Linux and Apache for years and even they can't write decent .htaccess rules without someone (or some instructional Web site) holding their hand.

            I find myself wondering again, where's the hype with this issue?

            Having a plugin make some mods to my .htaccess file for me sounds like typical "ease of use" being built into a security plugin.

            Again, another plugin with more access, bad idea.. Your server will create a .htaccess file for you. If you need to understand it more.. Well, there are about a million sites out there that will give you full free examples that you can use.

            Originally Posted by tobe:
            Are you sure? Have you seen the plugin in action yet? I can envision how a Wordpress blog can be "drip fed" - as you call it - without passwords interfering. It's not a problem on one of my sites that I feed content into automatically. And that site has an extra admin psw via an .htaccess file.

            I do not need to see the plugin; I am a website developer who has been online for over 20 years and has built 10,000s of high-end dynamically driven websites. As far as drip-feeds, I am not talking about any WP plugin, I am talking about actual drip-feed websites.. Having double passwords could cause an issue. You don't even need double passwords if you have secured your site properly anyway.

            James
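The hand checks James describes in his two replies above (remove the generator line from the theme header, look at the table prefix in wp-config.php, keep files at 0644 and folders at 0755, and let .htaccess turn off directory listing and add a second login password) can be scripted. The script below is an added example for this thread; it is not code from the Maximum Security plugin, from WordPress, or from either poster. It assumes a WordPress docroot on the local disk, POSIX find/sed/grep, and an Apache whose AllowOverride permits Options and AuthConfig in .htaccess. The AuthUserFile path in write_htaccess is a placeholder, and the docroot that make_fixture builds is constructed sample data, not a real site. It only reads the table prefix; renaming the tables or the admin account in the database is still a manual job.

```shell
#!/bin/sh
# Added example for this thread; not code from the Maximum Security plugin,
# WordPress, or the posters. Audits a WordPress docroot for the items James
# lists and applies the fixes he describes. Assumptions: local docroot, POSIX
# find/sed/grep, Apache honouring Options/AuthConfig in .htaccess.

# Print the $table_prefix set in wp-config.php ("wp_" is WordPress's default).
wp_table_prefix() {
    grep -E '^[[:space:]]*\$table_prefix' "$1/wp-config.php" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*.//; s/.[[:space:]]*;.*$//'
}

# Succeed if a saved page still carries the generator meta tag, the line
# James says to remove from the theme's header file.
has_generator_tag() {
    grep -qi '<meta name="generator" content="WordPress' "$1"
}

# List every file that is not 0644 and every directory that is not 0755.
perm_offenders() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \)
}

perm_offender_count() {
    perm_offenders "$1" | wc -l | tr -d ' '
}

# Apply the 0644/0755 baseline to everything under the docroot.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Succeed if .htaccess turns directory listings off.
listing_disabled() {
    grep -qE '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Write the .htaccess James refers to: no directory listings, and HTTP Basic
# auth (the "second password") in front of wp-login.php. The AuthUserFile path
# is a placeholder assumption: create it with `htpasswd -c` first, or Apache
# will reject every login.
write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options -Indexes

<Files "wp-login.php">
    AuthType Basic
    AuthName "Second password"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Files>
EOF
    chmod 644 "$1/.htaccess"
}

# Build a constructed docroot (sample data, not a real site) that fails every
# check above, so the functions have something to run against.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    printf '<?php\n$table_prefix = %s;\n' "'wp_'" > "$dir/wp-config.php"
    printf '<html><head><meta name="generator" content="WordPress 2.7" /></head></html>\n' \
        > "$dir/index.html"
    : > "$dir/wp-content/uploads/example.php"
    fix_perms "$dir"                                # start from a clean baseline
    chmod 777 "$dir/wp-content/uploads/example.php" # world-writable file
    chmod 700 "$dir/wp-content/uploads"             # directory other users cannot read
    echo "$dir"
}

# Demonstration run against the constructed docroot.
site=$(make_fixture)
echo "table prefix: $(wp_table_prefix "$site")"
if has_generator_tag "$site/index.html"; then
    echo "generator tag present: remove it from the theme header"
fi
echo "permission offenders before fix: $(perm_offender_count "$site")"
perm_offenders "$site"
write_htaccess "$site"
fix_perms "$site"
echo "permission offenders after fix: $(perm_offender_count "$site")"
if listing_disabled "$site"; then
    echo "directory listing disabled by .htaccess"
fi
rm -rf "$site"
```

Run it with `sh audit.sh`. To use it on a real install, call the functions against that docroot instead of make_fixture, and read fix_perms before you do: it rewrites the permissions of everything under the path it is given. The Basic-auth stanza is what James calls a second password; anything that logs in through wp-login.php, including the automated posting services he mentions, has to supply it as well.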
            • tobe
              Originally Posted by TheRichJerksNet:
              You do not need to know any HTML or PHP to remove the WP version

              Well you alleged 'hype' regarding the plugin, so I thought that maybe you could point out actual hype (exaggerations) about that Maximum Security plugin. So far you haven't done any such thing, which is fine, I'm not complaining and I didn't have any expectations for you to do so. I was simply asking for clarification if you could provide any.

              It appears to me that you simply disagree with how to go about securing a Wordpress Web site. You apparently like the manual minimalist approach while the vast majority of Wordpress users don't (and frankly, who wants to do a bunch of tech work when they could be out making money faster and easier?). The fact of the matter is that robust functionality and extreme ease of use are truly kings - which is of course why Microsoft eventually created Windows and Apple eventually created OS X, otherwise we'd all be using a DOS or Unix command line and tediously typing everything out by hand instead of simply pointing and clicking with a mouse to get things done fast and efficiently. Time is money, after all.

              It's also a fact that 99.99% of Wordpress users are not techie types. They're producers of content for their own individual reasons and goals. So I personally think it's safe to say that all those Wordpress users need real world assistance and not tech talk and jargon tossed at them. Of course if someone does want some tech talk then Wordpress.org has some pretty good community forums (excellent in fact) for that purpose where users can readily share tips, advice, questions, and help each other, etc.

              And besides, in terms of what you are mentioning here - stuff like the WP version numbers and MySQL table prefixes - those seem to be incredibly trivial features of the plugin when compared to the other security plugins and so-called Wordpress security solutions that I've seen. Looks to me like the developers of this new plugin are simply covering as many security bases as possible and making sure that the tool surpasses all expectations. Plus I think it's safe to say that we can expect to be able to either disable any features we don't want to use or to manually do other security tweaks if we feel a need to.

              From my perspective - with me having extensively studied highly effective commercial product marketing in school - the approach of the Maximum Security plugin developers makes perfect sense. It's rather obvious that they think there's a lot that can be done to help make using Wordpress much safer and simpler, which is undoubtedly why the plugin is being created and probably also why (according to the features list I read) it has a firewall and intrusion prevention system, an event monitoring system, malicious code scanner, all sorts of user account protection, etc., all tailored for Wordpress. Looks pretty darn good to me! I'm definitely impressed. Glad to have found out about it.

              I guess if you want to voice your opinion to them directly then I don't see any reason why you couldn't do that. But carrying this on further here at WF doesn't seem appropriate since you aren't pointing out any actual exaggerations in reference to the abilities of the plugin.

              Looks to me like it was a very good recommendation and I fully intend to give it a whirl.