Wordpress security tips

by radhika 14 replies
I am installing WP for one of my client. I never used WP before. So I was trying to make secure the site, I found out this.

Some good tips there:
http://www.noupe.com/how-tos/wordpre...and-hacks.html

.
#main internet marketing discussion forum #security #tips #wordpress
Avatar of Unregistered
  • Profile picture of the author Ron Killian
    Some good tips. I've been hacked, it's sure no fun. One hack even killed my SEO..

    Biggest tip in my opinion, as they mention, is a strong password. Make it long and very difficult to figure out. I just typed a bunch of random letters/characters/numbers, lower and upper case.
    Signature
    PLR Affiliate Program Has Launched! Easily Promote Over 5,000 PLR and MRR Products.

    Largest Selection of PLR Articles on the Planet! PLR Ebooks, PLR Video, PLR Websites and more with Private Label Rights
    {{ DiscussionBoard.errors[116097].message }}
  • Profile picture of the author Jesus Perez
    These really are good tips. For those of you not clicking through, it discusses:

    -Avoiding Brute force password attacks
    -Directory browsing on the server
    -Removing the 'version #' from your install
    -Protecting your wp-config.php correctly.
    Signature


    {{ DiscussionBoard.errors[116117].message }}
  • Profile picture of the author TheRichJerksNet
    The best tip is not to use WP at all.. Not only can they get access to your WP install but full access to your server and database.

    So many people never know how many hackers are actually running sql data from their server. Unless you really understand a database hackers can run just one or two tables from your database and link it to their server or any other server and you would never know unless you was looking for it.

    James
    {{ DiscussionBoard.errors[116157].message }}
    • Profile picture of the author radhika
      Originally Posted by TheRichJerksNet View Post

      The best tip is not to use WP at all.. Not only can they get access to your WP install but full access to your server and database.
      Can you explain it a bit more?

      How? Which version of WP has this exploit?

      Any posted document on WP web site on this?

      thanks.
      Signature
      Follow up Autoresponder PRO :: 33% Discount!!
      FREE Upgrades! IMPROVED Email Deliverability!!
      {{ DiscussionBoard.errors[116194].message }}
      • Profile picture of the author xmx
        A clever tip I fond online (but I don't remember the source)
        and used on my blogs is to NOT use "admin" as your username
        to access the admin section of your WP blog.

        This is useful as many hackers use robots to guess the
        admin password starting from the idea that the username
        is always "admin", but if you use a different username they
        will never find the correct username/password login data.


        Gian
        {{ DiscussionBoard.errors[116237].message }}
        • Profile picture of the author TheRichJerksNet
          Originally Posted by xmx View Post

          A clever tip I fond online (but I don't remember the source)
          and used on my blogs is to NOT use "admin" as your username
          to access the admin section of your WP blog.

          This is useful as many hackers use robots to guess the
          admin password starting from the idea that the username
          is always "admin", but if you use a different username they
          will never find the correct username/password login data.


          Gian
          This is true.. and for those that insist on running WP..

          * Go to your servers sql database and and change your login name as WP does not allow you to do this from the admin area.

          For those that seriously insist on using WP..

          * Login into FTP and change the admin folder name to something else like maybe "blog_admin" but now when you do this you will also have to change any paths inside any wp files that reference the admin folder as being named "admin"

          * Also go to your config file on ftp and rename the database name and then login to your server and change your database name. If you have a pre-install like from using fantastico then wp set your database name for you and you should change it to use the name you wish.

          * Make sure every sub-folder (that is not being used as a site) contains a blank .html file and the robots.txt file which denies all.

          Code:
          User-agent: *
          
          Disallow: *
          * If you allow comments or registration make sure you have captcha installed on these as it will block auto post. Find a coder to block SQL injection on comments and the registration form.

          * If you server allows (HostGator does) have the host install SuExec as this will help further protect your folders as you will no longer need to use permissions such as 777 which allows anyone access to those folders.

          * Install the WP Security Plug-in if you choose to do so..

          Now those are the best tips for security for those that really want to run WP..

          James
          {{ DiscussionBoard.errors[116296].message }}
          • Profile picture of the author radhika
            So why does a directory that has WP installed and everything blocked has 41 attempted accesses ?
            Usually bad crawlers check every site with random urls like -

            /blog/xmlsrv/xmlrpc.php
            /phpAdsNew/adxmlrpc.php
            /drupal/xmlrpc.php
            /gallery/displayCategory.php

            If they find out these files, they try to exploit them. So those have been trying to find WP files there.

            They know it is WP and they know how WP can be hacked and they wish to get access through it because that is the only way they would get into my server.
            It is my client's choice to use WP. So I can't do much except securing site as much as possible.

            thanks for your insight!

            .
            Signature
            Follow up Autoresponder PRO :: 33% Discount!!
            FREE Upgrades! IMPROVED Email Deliverability!!
            {{ DiscussionBoard.errors[116656].message }}
            • Profile picture of the author TheRichJerksNet
              Originally Posted by radhika View Post

              Usually bad crawlers check every site with random urls like -

              /blog/xmlsrv/xmlrpc.php
              /phpAdsNew/adxmlrpc.php
              /drupal/xmlrpc.php
              /gallery/displayCategory.php

              If they find out these files, they try to exploit them. So those have been trying to find WP files there.



              It is my client's choice to use WP. So I can't do much except securing site as much as possible.

              thanks for your insight!

              .
              Yes I know why they try .. but it is useless to do so on my server ..lol

              Oh I forgot one thing on my post change the passwords on the database and WP if it was set by WP install.

              What I mean is change the passwords, do not use something like 8Vfcx4FDEs - That is NOT a secure password. A Secure password is more like

              I_had-Fun_With_tHe_NakED-Elf_inThE-Woods_Last-Night

              I make all my passwords just as complex because there is no way any bruteforce would ever figure it out because it mostly looks for normal passwords with letters and number such as the one above.

              So make those password upper/lower case and use - & _ and make them 20 or 30 characters long.

              James
              {{ DiscussionBoard.errors[116698].message }}
              • Profile picture of the author Norma Holt
                So if WP is not hack proof what should we be using. My blogs are full of spam responses, which is sickening. It seems like men are so badly off in the sex department that viagra and viewing naked women is all they can think of, if you believe the posts from some sick minds.
                {{ DiscussionBoard.errors[129517].message }}
                • Profile picture of the author Ron Killian
                  Originally Posted by norma View Post

                  So if WP is not hack proof what should we be using. My blogs are full of spam responses, which is sickening. It seems like men are so badly off in the sex department that viagra and viewing naked women is all they can think of, if you believe the posts from some sick minds.
                  I've had zero spam since I started using the Math Comment Spam Protection Plugin. I use to get all the good ones like you, not any more...
                  Signature
                  PLR Affiliate Program Has Launched! Easily Promote Over 5,000 PLR and MRR Products.

                  Largest Selection of PLR Articles on the Planet! PLR Ebooks, PLR Video, PLR Websites and more with Private Label Rights
                  {{ DiscussionBoard.errors[130033].message }}
              • Profile picture of the author Greg Cooksley
                Originally Posted by TheRichJerksNet View Post

                Yes I know why they try .. but
                it is useless to do so on my server ..lol

                Oh I forgot one thing on my post change the passwords on the
                database and WP if it was set by WP install.

                What I mean is change the passwords, do not use something like
                8Vfcx4FDEs - That is NOT a secure password. A Secure password
                is more like

                I_had-Fun_With_tHe_NakED-Elf_inThE-Woods_Last-Night

                I make all my passwords just as complex because there is no
                way any bruteforce would ever figure it out because it mostly
                looks for normal passwords with letters and number such as the
                one above.

                So make those password upper/lower case and use - & _ and make
                them 20 or 30 characters long.

                James


                Hey James,

                There are thousands of WP users out there that could do with
                valuable advice like you're providing here....

                Why don't you put together a WSO with all these security tips
                and I'm sure it will be a success. Just make sure that you write
                it so that newbies can understand exactly what to do and what
                to change etc...

                Also, if WP is not worth using can you suggest what other platform
                is worthwhile?

                Regards

                Greg
                {{ DiscussionBoard.errors[130200].message }}
      • Profile picture of the author TheRichJerksNet
        Originally Posted by radhika View Post

        Can you explain it a bit more?

        How? Which version of WP has this exploit?

        Any posted document on WP web site on this?

        thanks.
        I do not use any free open source code scripts because so many of them have little to no security at all. Any WP version can be hacked as so many have learned.

        Give you a good example here.. I installed WP to generate the html code for my product BlogSplash as I wanted to include the sloppy html code that WP produces to include in my product since so many people feel the need to use WP.

        I have the full up to date version, directories blocked, the wp security plug-in stalled, my bad bot scripts (one I built myself and use) installed, and I have the entire directory pass protected. Why do I have it pass protected ? Because I have no use to run WP as I use my own blog software that I built. I left the install there and the password protection on and to date the directory has had 41 attempted accesses which all failed due to the password protection.

        Now why on this green earth would someone try to access a directory that was created and password protected the minute it was created ?

        Let's look at a few things

        * maybe it's spiders trying to spider the site ? Well nope, I have a robots.txt file which denies all + I have my bad bot software installed.

        * maybe it's images or other materials that are trying to be pulled from the WP install ? Well nope, because it is just an install, no themes added, blogs added, nothing added.. It is the plain basic install.

        * maybe it is someone scanning the server for open directories ? Well nope, because stats do not show that and besides I have my bad bot software installed which has a 95% success rate of blocking bots such as snoopy and others that try to download sites or scan servers for open folders.

        So why does a directory that has WP installed and everything blocked has 41 attempted accesses ? The simple answer is that the install is known about due to poor coding on WP or the 5% of bad bots that I do not block, someone may have seen the directory exist.

        Let's assume it is the 5% my bad bot software did not block. Ok so now why would they want to access a WP blog ? It is not advertised or anything and as already stated it is password protected. The simple answer to this is...

        They know it is WP and they know how WP can be hacked and they wish to get access through it because that is the only way they would get into my server.

        Thus my suggestion as a developer would be not to use it at all. This is my opinion which I am sure many disagree with but for those that have atually been hacked and it cost them thousands in sales will agree with me.

        James
        {{ DiscussionBoard.errors[116261].message }}
Avatar of Unregistered

Trending Topics