10 replies
I have a few WP sites set up on a Hostgator baby plan. I am concerned about all the security holes, and I've already had a disaster after using one security plugin which instructed me to move files, delete files, change permissions etc. I was then locked out and had to reinstall everything. Also, the WP codex suggests moving the wp-config file to the directory above. But as I'm using add-on domains, I was told it'll cause conflicts if more than 1 wp-config resides in the same directory. And Hostgator won't let me change permissions on config to 400/440. I love WP but all this hacking stuff is worrying me. Why do people hack sites anyway? Is it for fun or what? I have 2 client sites and they paid me good money. I'll be in trouble if their WP sites get hacked.
I am thinking of using Media Temple Grid Hosting but not sure if it's any better for security.
Any feedback from experienced site owners appreciated.
#hackers #wordpress
  • AnniePot
    As with any internet presence, be it a conventional site, or a Wordpress blog, nothing can ever be 100% secure; that just isn't possible.

    Funnily enough though, in more than twenty years on the web, I've only been hacked once, and that involved a straight HTML site, NOT a Wordpress blog, and I have loads of them.

    I have a post on my IM blog (yes, that's WP too ) which sets out the security regime I follow. There is a link to it in my signature if you are interested.
  • ChristineCobb
    I agree you can't be 100% safe but here are some steps you can take:

    --Strong, strong passwords. Use Roboform to generate passwords and remember them.
    --Don't use admin as the logon username (you can find a plugin that will change this if you already use it).
    --Keep your theme and plugins up to date.
    --Install a login plugin. I use Login Lockdown so that if someone tries a few times to log in, they get locked out.
    --Don't let people register from the login screen. Uncheck this setting in the WP General Settings.
    --Scan your files for malware and unsafe permissions. I use Backup Buddy to do this.
    --Subscribe to a good WordPress security blog. I read WPSecurityLock.com because I can't keep up with the latest hacker nastiness on my own.
    • athenistic
      One more tip to add to this great list. Oddly enough, it came from Matt Cutts.

      Three tips to protect your WordPress installation

      And another - go into your cPanel and make sure that directory browsing is turned off for each folder in all of your sites. Some hosts leave directory browsing on by default.

      Those are just two more things you can do out of a list of probably hundreds.
      • Brian Alaway
        In your Hostgator cPanel go to Advanced > Cloudflare.
        The first screen will explain the service and its advantages/disadvantages.
        Cloudflare acts as a reverse proxy to provide an initial layer of defense as well as caching for performance. You can create a free account and start using the service immediately. Once active, log in and go to Dashboards > Threat Control. Here you will see a list of spamming and hack attempts for any domains you have registered with Cloudflare, and you have the option to block each IP with one click.

        Permissions via your .htaccess are essential. You can learn and implement them yourself ("Hardening WordPress" on the WordPress Codex), plus you can use a plugin like BulletProof Security (on WordPress Plugins) to take care of your .htaccess permissions. While some hosting services provide better security than others, ultimately it's up to you to make sure your sites are protected. If you mess up, you can use SFTP to simply rename your .htaccess file and start over.
        • lerxtjr
          Speaking of Hostgator, had a new client come our way a couple of weeks ago that couldn't view her 3 websites hosted on HG. Turns out she had the TimThumb virus. HG support acknowledged to me that the virus had come in through someone else's website on the shared hosting and affected all sites server-wide.

          So, another component of security would be upgrading your hosting to a dedicated hosting account instead of shared. Or at least piggybacking on someone else's dedicated server if you don't have enough clients to justify a dedi.
          • ChristineCobb
            Originally Posted by lerxtjr:

            Speaking of Hostgator, had a new client come our way a couple of weeks ago that couldn't view her 3 websites hosted on HG. Turns out she had the TimThumb virus. HG support acknowledged to me that the virus had come in through someone else's website on the shared hosting and affected all sites server-wide.

            So, another component of security would be upgrading your hosting to a dedicated hosting account instead of shared. Or at least piggybacking on someone else's dedicated server if you don't have enough clients to justify a dedi.

            Here's a nifty plugin that will scan your theme and plugins to determine if you have the insecure version of TimThumb.php and then fix it:
            Timthumb Vulnerability Scanner (on WordPress Plugins)
  • slimrider94
    Just by Googling "WordPress Security" you can find tons of fixes to prevent people from using easy methods to hack your website.
    • Karen Blundell
      There's lots of great advice in this thread.
      A couple of additional suggestions from me which may have not been mentioned:
      1. Get rid of any inactive plugins - if you're not using it, get rid of it, because old plugins are easy targets for hackers unless you've got a secure plugin directory. (And even if you have secured the directory, it's still a good idea for the sake of a cleaner WP database.) (See item 2.)
      2. Directory browsing, easy solution: stick a blank index.html page in the wp-content/plugins directory, root images directory, and root cgi directory, as this little trick completely stops anyone from browsing in that directory. Or you can also get the plugin Secure WordPress, which does it for the plugin directory only, but what it also does is hide the WordPress version you are using from the source code of your website, so hackers have a harder time guessing what version of WordPress you are using.
      3. Create a robots.txt file to prevent bots from accessing certain directories on your server.
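A quick filesystem audit that checks the items raised in this thread: whether wp-config.php is world-readable (the 400/440 question), whether directory listing is guarded by either "Options -Indexes" in .htaccess or a blank index file in the sensitive directories, whether robots.txt exists, and whether any bundled TimThumb copies are present for a version check. This is an added example written for the thread, not a plugin or a host tool; it assumes a standard WordPress layout under the document root you pass in and a GNU or BSD stat.

```shell
#!/bin/sh
# wp_audit DOCROOT: print one line per hardening gap found and return the
# count (0 means clean). Read-only: it changes nothing on disk.
findings=0
note() { echo "$1"; findings=$((findings + 1)); }

wp_audit() {
  root="$1"; findings=0

  # 1. wp-config.php holds DB credentials and must not be world-readable.
  #    400/440 (Codex advice) and 600/640 (when the host insists) all pass.
  cfg="$root/wp-config.php"
  if [ -f "$cfg" ]; then
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case "$mode" in
      *[1-7]) note "wp-config.php is world-accessible (mode $mode)" ;;
    esac
  else
    note "wp-config.php not found under $root"
  fi

  # 2. Directory browsing: accept either a root .htaccess that disables
  #    indexes or a blank index file per directory (the tip in this thread).
  if ! grep -qs 'Options[[:space:]]*-Indexes' "$root/.htaccess"; then
    for d in wp-content/plugins wp-content/themes wp-content/uploads; do
      if [ -d "$root/$d" ] && [ ! -f "$root/$d/index.php" ] \
         && [ ! -f "$root/$d/index.html" ]; then
        note "directory listing possible: $d (no index file, no -Indexes)"
      fi
    done
  fi

  # 3. robots.txt only steers well-behaved crawlers, but flag it when absent.
  [ -f "$root/robots.txt" ] || note "robots.txt missing"

  # 4. Any bundled TimThumb copy needs its version checked against a patched
  #    release; we only count copies here and leave the verdict to the scanner.
  tt=$(find "$root" -type f \( -name timthumb.php -o -name thumb.php \) | wc -l)
  if [ "$tt" -gt 0 ]; then
    note "$tt TimThumb copy(ies) found; confirm they are a patched version"
  fi

  return "$findings"
}

# Usage: sh wp_audit.sh /path/to/public_html
if [ $# -gt 0 ]; then wp_audit "$1"; fi
```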
  • digitalquilluk
    Agree with everything ChristineCobb says, but would add: install WordpressFirewall.

    I posted a blog post about WP Security some time ago

    20 Tips to increase Wordpress Security (Digitalquill - My Life and Times)
  • tarpon19
    Regardless of the cautionary measures, it is something we just have to evolve with and try to fix the security holes as we find them and as new technology comes about.