Wordpress security tips

by radhika

Posted: 14 years ago 14 replies

INTERNET MARKETING

I am installing WP for one of my client. I never used WP before. So I was trying to make secure the site, I found out this.

Some good tips there:
http://www.noupe.com/how-tos/wordpre...and-hacks.html

.

#security #tips #wordpress

Ron Killian 14 years ago

Some good tips. I've been hacked, it's sure no fun. One hack even killed my SEO..

Biggest tip in my opinion, as they mention, is a strong password. Make it long and very difficult to figure out. I just typed a bunch of random letters/characters/numbers, lower and upper case.
- Thanks
Signature
PLR Affiliate Program Has Launched! Easily Promote Over 5,000 PLR and MRR Products.

Largest Selection of PLR Articles on the Planet! PLR Ebooks, PLR Video, PLR Websites and more with Private Label Rights
{{ DiscussionBoard.errors[116097].message }}
Jesus Perez 14 years ago

These really are good tips. For those of you not clicking through, it discusses:

-Avoiding Brute force password attacks
-Directory browsing on the server
-Removing the 'version #' from your install
-Protecting your wp-config.php correctly.
- Thanks
- 1 reply
Signature
{{ DiscussionBoard.errors[116117].message }}
- joefission 14 years ago
  
  Another great source of up-to-date information (one to bookmark and check regularly):
  
  BlogSecurity
  
  Tips from Matt Cutts:
  
  Three tips to protect your WordPress installation
  
  Shaun
  
  Thanks
  
  Signature
  
  ♦ Superbowl Victory WSO: Five Blogging Products, 1 INSANELY Low Price ♦
  ♦ Clickbank Blogging Conduit Review Site: Grab Some Low-hanging Fruit ♦
  ♦ Backlink Persuasion: Better Search Rankings in 12 Minutes ♦
  
  {{ DiscussionBoard.errors[116136].message }}

TheRichJerksNet

14 years ago

The best tip is not to use WP at all.. Not only can they get access to your WP install but full access to your server and database.

So many people never know how many hackers are actually running sql data from their server. Unless you really understand a database hackers can run just one or two tables from your database and link it to their server or any other server and you would never know unless you was looking for it.

James

Thanks
2 replies

{{ DiscussionBoard.errors[116157].message }}

joefission 14 years ago

Smashing idea!

It's settled then -- just don't EVER use Wordpress again.

Shaun
- Thanks
Signature

♦ Superbowl Victory WSO: Five Blogging Products, 1 INSANELY Low Price ♦
♦ Clickbank Blogging Conduit Review Site: Grab Some Low-hanging Fruit ♦
♦ Backlink Persuasion: Better Search Rankings in 12 Minutes ♦
{{ DiscussionBoard.errors[116177].message }}

radhika

14 years ago

Originally Posted by TheRichJerksNet

The best tip is not to use WP at all.. Not only can they get access to your WP install but full access to your server and database.

Can you explain it a bit more?

How? Which version of WP has this exploit?

Any posted document on WP web site on this?

thanks.

Thanks
2 replies

Signature

Follow up Autoresponder PRO :: 33% Discount!!
FREE Upgrades! IMPROVED Email Deliverability!!

{{ DiscussionBoard.errors[116194].message }}

xmx

14 years ago

A clever tip I fond online (but I don't remember the source)
and used on my blogs is to NOT use "admin" as your username
to access the admin section of your WP blog.

This is useful as many hackers use robots to guess the
admin password starting from the idea that the username
is always "admin", but if you use a different username they
will never find the correct username/password login data.

Gian

Thanks
1 reply

{{ DiscussionBoard.errors[116237].message }}

TheRichJerksNet

14 years ago

Originally Posted by xmx

This is true.. and for those that insist on running WP..

* Go to your servers sql database and and change your login name as WP does not allow you to do this from the admin area.

For those that seriously insist on using WP..

* Login into FTP and change the admin folder name to something else like maybe "blog_admin" but now when you do this you will also have to change any paths inside any wp files that reference the admin folder as being named "admin"

* Also go to your config file on ftp and rename the database name and then login to your server and change your database name. If you have a pre-install like from using fantastico then wp set your database name for you and you should change it to use the name you wish.

* Make sure every sub-folder (that is not being used as a site) contains a blank .html file and the robots.txt file which denies all.

Code:

User-agent: *

Disallow: *

* If you allow comments or registration make sure you have captcha installed on these as it will block auto post. Find a coder to block SQL injection on comments and the registration form.

* If you server allows (HostGator does) have the host install SuExec as this will help further protect your folders as you will no longer need to use permissions such as 777 which allows anyone access to those folders.

* Install the WP Security Plug-in if you choose to do so..

Now those are the best tips for security for those that really want to run WP..

James

Thanks
1 reply

{{ DiscussionBoard.errors[116296].message }}

radhika

14 years ago

So why does a directory that has WP installed and everything blocked has 41 attempted accesses ?

They know it is WP and they know how WP can be hacked and they wish to get access through it because that is the only way they would get into my server.

It is my client's choice to use WP. So I can't do much except securing site as much as possible.

thanks for your insight!

.

Thanks
1 reply

Signature

Follow up Autoresponder PRO :: 33% Discount!!
FREE Upgrades! IMPROVED Email Deliverability!!

{{ DiscussionBoard.errors[116656].message }}

TheRichJerksNet

14 years ago

Originally Posted by radhika

Usually bad crawlers check every site with random urls like -

/blog/xmlsrv/xmlrpc.php
/phpAdsNew/adxmlrpc.php
/drupal/xmlrpc.php
/gallery/displayCategory.php

If they find out these files, they try to exploit them. So those have been trying to find WP files there.

It is my client's choice to use WP. So I can't do much except securing site as much as possible.

thanks for your insight!

.

Yes I know why they try .. but it is useless to do so on my server ..lol

Oh I forgot one thing on my post change the passwords on the database and WP if it was set by WP install.

What I mean is change the passwords, do not use something like 8Vfcx4FDEs - That is NOT a secure password. A Secure password is more like

I_had-Fun_With_tHe_NakED-Elf_inThE-Woods_Last-Night

I make all my passwords just as complex because there is no way any bruteforce would ever figure it out because it mostly looks for normal passwords with letters and number such as the one above.

So make those password upper/lower case and use - & _ and make them 20 or 30 characters long.

James

Thanks
2 replies

{{ DiscussionBoard.errors[116698].message }}

Norma Holt

14 years ago

So if WP is not hack proof what should we be using. My blogs are full of spam responses, which is sickening. It seems like men are so badly off in the sex department that viagra and viewing naked women is all they can think of, if you believe the posts from some sick minds.

Thanks
1 reply

Signature

Roman Emperor Constantine <> Who wrote the New Testament <> Crimes Against Humanity <>
My reincarnation and spirituality <> The Big Picture <> Save Planet Earth <>
Murder by Plastic <> The Great Roman Conspiracy <>
Twitter with me

{{ DiscussionBoard.errors[129517].message }}

Ron Killian

14 years ago

Originally Posted by norma

I've had zero spam since I started using the Math Comment Spam Protection Plugin. I use to get all the good ones like you, not any more...

Thanks

Signature

PLR Affiliate Program Has Launched! Easily Promote Over 5,000 PLR and MRR Products.

Largest Selection of PLR Articles on the Planet! PLR Ebooks, PLR Video, PLR Websites and more with Private Label Rights

{{ DiscussionBoard.errors[130033].message }}

Greg Cooksley

14 years ago

Originally Posted by TheRichJerksNet

Yes I know why they try .. but
it is useless to do so on my server ..lol

Oh I forgot one thing on my post change the passwords on the
database and WP if it was set by WP install.

What I mean is change the passwords, do not use something like
8Vfcx4FDEs - That is NOT a secure password. A Secure password
is more like

I_had-Fun_With_tHe_NakED-Elf_inThE-Woods_Last-Night

I make all my passwords just as complex because there is no
way any bruteforce would ever figure it out because it mostly
looks for normal passwords with letters and number such as the
one above.

So make those password upper/lower case and use - & _ and make
them 20 or 30 characters long.

James

Hey James,

There are thousands of WP users out there that could do with
valuable advice like you're providing here....

Why don't you put together a WSO with all these security tips
and I'm sure it will be a success. Just make sure that you write
it so that newbies can understand exactly what to do and what
to change etc...

Also, if WP is not worth using can you suggest what other platform
is worthwhile?

Regards

Greg

Thanks

{{ DiscussionBoard.errors[130200].message }}

TheRichJerksNet 14 years ago

Originally Posted by radhika

Can you explain it a bit more?

How? Which version of WP has this exploit?

Any posted document on WP web site on this?

thanks.

I do not use any free open source code scripts because so many of them have little to no security at all. Any WP version can be hacked as so many have learned.

Give you a good example here.. I installed WP to generate the html code for my product BlogSplash as I wanted to include the sloppy html code that WP produces to include in my product since so many people feel the need to use WP.

I have the full up to date version, directories blocked, the wp security plug-in stalled, my bad bot scripts (one I built myself and use) installed, and I have the entire directory pass protected. Why do I have it pass protected ? Because I have no use to run WP as I use my own blog software that I built. I left the install there and the password protection on and to date the directory has had 41 attempted accesses which all failed due to the password protection.

Now why on this green earth would someone try to access a directory that was created and password protected the minute it was created ?

Let's look at a few things

* maybe it's spiders trying to spider the site ? Well nope, I have a robots.txt file which denies all + I have my bad bot software installed.

* maybe it's images or other materials that are trying to be pulled from the WP install ? Well nope, because it is just an install, no themes added, blogs added, nothing added.. It is the plain basic install.

* maybe it is someone scanning the server for open directories ? Well nope, because stats do not show that and besides I have my bad bot software installed which has a 95% success rate of blocking bots such as snoopy and others that try to download sites or scan servers for open folders.

So why does a directory that has WP installed and everything blocked has 41 attempted accesses ? The simple answer is that the install is known about due to poor coding on WP or the 5% of bad bots that I do not block, someone may have seen the directory exist.

Let's assume it is the 5% my bad bot software did not block. Ok so now why would they want to access a WP blog ? It is not advertised or anything and as already stated it is password protected. The simple answer to this is...

They know it is WP and they know how WP can be hacked and they wish to get access through it because that is the only way they would get into my server.

Thus my suggestion as a developer would be not to use it at all. This is my opinion which I am sure many disagree with but for those that have atually been hacked and it cost them thousands in sales will agree with me.

James
- Thanks
{{ DiscussionBoard.errors[116261].message }}

Wordpress security tips

Trending Topics

What are some of your favorite jobs/occupations you held in your life ??

New here

Bing revises crawl system for efficiency

How to optimise product pages on your Google Merchant listing

5 customer experience trends to explore in 2023