Basic Wordpress Security Advice for Beginners

15 replies
I have just spent a very interesting hour or so watching some twerp from an IP address in Canada trying to force the password of my one and only Wordpress site. Mercifully, I have some basic security installed and this person was locked out in fairly swift order.

I recommend either:

WordPress › Login LockDown « WordPress Plugins

or

WordPress › Limit Login Attempts « WordPress Plugins

Both are very easy to instal and, in this day and age, vital it seems!

The other situation that can arise is choosing 'admin' for the username and a very basic and easy to crack password when installing WP using Fantastico or Simple Scripts. And, on the face of it, you are stuck with it. Well, not so.

You have two options. First, you can create a new user with a better username and secure password, grant them admin rights, and then delete the old admin username.

Secondly, and this is more advanced, you can make the relevant change via cPanel and phpMyAdmin. This video tells you how to do it:


At the very least, everyone should have basic login protection.

Good luck to all and I hope this helps!
#advice #beginners #security #wordpress
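As an added example that is not part of the original post (and not code from either plugin named above), here is the detection side of what Login LockDown / Limit Login Attempts do: a small Python script that reads Apache-style access log lines, counts failed POSTs to wp-login.php per IP inside a sliding window, and reports which IPs would be locked out. The log lines are constructed for the example, and it assumes the default WordPress behaviour where a failed login re-renders the form (HTTP 200) while a successful one redirects (HTTP 302).

```python
# Added example (not the post's or any plugin's code): flag the wp-login.php
# brute force the thread describes, with the rule limit-login plugins apply:
# N failed POSTs from one IP inside a window => that IP is locked out.
# Assumption: a failed WP login re-renders the form (200); success redirects (302).
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one Apache combined-log line into a dict, or None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def find_lockouts(lines, max_attempts=4, window=timedelta(minutes=20)):
    """Return {ip: time_of_lockout} for IPs reaching max_attempts failed
    POSTs to /wp-login.php within the sliding window."""
    attempts, locked = defaultdict(list), {}
    for line in lines:
        r = parse_line(line)
        if r is None or r["method"] != "POST" or r["path"] != "/wp-login.php":
            continue
        if r["status"] == 302:            # successful login resets the count
            attempts[r["ip"]].clear()
            continue
        if r["status"] != 200 or r["ip"] in locked:
            continue
        hist = attempts[r["ip"]]
        hist.append(r["ts"])
        hist[:] = [t for t in hist if r["ts"] - t <= window]  # drop stale tries
        if len(hist) >= max_attempts:
            locked[r["ip"]] = r["ts"]
    return locked

# Constructed sample log: one host hammering the login form five times in
# five seconds, and a legitimate user who fails once and then logs in.
SAMPLE_LOG = [f'203.0.113.7 - - [10/Feb/2013:22:01:0{i} +0000] '
              f'"POST /wp-login.php HTTP/1.1" 200 3512' for i in range(5)] + [
    '198.51.100.4 - - [10/Feb/2013:22:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512',
    '198.51.100.4 - - [10/Feb/2013:22:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Calling `find_lockouts(SAMPLE_LOG)` returns only the hammering host (locked at its fourth failure); the legitimate user's single failure is cleared by the 302 that follows it.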
  • Sushiman1111:
    Yeah, I read somewhere that the single best step you can take to avoid getting hacked on WP is to not make your username "admin". Solves like 50% of the problem right there.
  • James.N:
    Not using admin is the easiest and best place to start. Next, is to make sure you are keeping your plugins and theme up to date. Also, delete any plugins and themes that are not being used from your site.

    These couple of things will go a LONG way to keep your site secure.
    • JohnMcCabe:
      Another easy thing to do if you use the manual set-up is to make the database username and password 'strong-password' quality. As others have said, not using 'Admin', setting a good strong admin password and using easy security plugins to limit brute force attacks are (or should be) givens.

      I'd be mildly curious (but not enough to try) how many blogs you could hack with the combination of Admin + 'password'...
  • Robimx:
    All my websites are secured using the free plugins: bulletproof security and better Wordpress security

    Also, they are monitored by Securi.net (which costs 200 per year), but it is great peace of mind since they will clean any hack off your site should anything like that happen.
    • so11:
      Originally Posted by Robimx:

      All my websites are secured using the free plugins: bulletproof security and better Wordpress security

      Also, they are monitored by Securi.net (which costs 200 per year), but it is great peace of mind since they will clean any hack off your site should anything like that happen.
      This is an excellent start, but be aware that hacking is not just putting some malware on your site....

      There are many different types of cyber attack, and malware infection is just one of them. As it's very common, it is the least damaging. Now, information theft (your clients' info, credit card, etc.), that's another story. Damage is considerable to you, your business reputation and your clients...

      so11
      • Kingfish85:
        Originally Posted by so11:

        This is an excellent start, but be aware that hacking is not just putting some malware on your site....

        There are many different types of cyber attack, and malware infection is just one of them. As it's very common, it is the least damaging. Now, information theft (your clients' info, credit card, etc.), that's another story. Damage is considerable to you, your business reputation and your clients...

        so11
        +1

        sigh...on the other hand - soooo many plugins. Thread after thread on this forum about securing Wordpress and people still don't realize plugins are 90% of the problem, even security plugins. The more plugins you add, the more vulnerable you become.

        Installing a plugin is not "security". Using htaccess is ok, until you start copy/pasting other people's "junk" that can & should be done using other methods. There's no need to have hundreds of lines banning this & that in the htaccess file. Most people don't even realize half of the junk doesn't even do anything, as it's already blocked at the server level via a firewall.
  • Michael71:
    Wordfence and some .htaccess magic is all I need, and fail2ban is installed on my dedicated server.

    Daily backups of files/database are also very important.
  • Bobby Asburn:
    I am using Better WP security to secure my site from basic attacks.
  • mrsray:
    The security also starts at the time of installing WordPress: changing the table prefix, adding salts to the config file, making sure your computer is not infected with keyloggers prior to installing, and trying not to use the 1-click installers like Fantastico; settings from using those can also make WordPress installations more vulnerable.
    • BackLinkiT:
      Originally Posted by mrsray:

      The security also starts at the time of installing WordPress: changing the table prefix, adding salts to the config file, making sure your computer is not infected with keyloggers prior to installing, and trying not to use the 1-click installers like Fantastico; settings from using those can also make WordPress installations more vulnerable.
      Thanks, guys, but this thread was aimed at beginners or 'newbies' for whom installing a plugin will be a new experience! I was highlighting simple login protection for them, that's all.

      '...changing the table prefix...' and .htaccess edits are just not going to happen for them.
      • so11:
        Originally Posted by BackLinkiT:

        Thanks, guys, but this thread was aimed at beginners or 'newbies' for whom installing a plugin will be a new experience! I was highlighting simple login protection for them, that's all.

        '...changing the table prefix...' and .htaccess edits are just not going to happen for them.
        It is brutal out there. They don't care whether you are a newb or a pro. Security is like a chain: the weakest link will be found and exploited.
        • Kingfish85:
          Originally Posted by so11:

          It is brutal out there. They don't care whether you are a newb or a pro. Security is like a chain: the weakest link will be found and exploited.
          This, and this EXACTLY. 9 times out of 10, that weakest link is going to be either a poorly coded theme that was downloaded for free OR some no longer supported plugin.
    • Kingfish85:
      Originally Posted by mrsray:

      The security also starts at the time of installing WordPress: changing the table prefix, adding salts to the config file, making sure your computer is not infected with keyloggers prior to installing, and trying not to use the 1-click installers like Fantastico; settings from using those can also make WordPress installations more vulnerable.
      Some of this is good advice; however, pushing people away from using installers is simply not. Just because someone uses an auto installer does NOT make the site less secure.

      In reality, what does changing the prefix do? Anyone who knows how to force a site to display an error can easily find out what the prefix is...

      EDIT: Don't take that as saying you shouldn't do it, because it won't hurt to change them. Does it help? Sure. Is it fool-proof? No.
