WordPress Hacking Prevention

37 replies
Just found this post: Fighting Blog Hacks: Preventing and Eliminating Intruders. Thought it would be useful to many.
#hacking #prevention #wordpress
  • Post by philwiley
    Here's a plugin that does all, or most of, the anti-hacking work for you:

    WordPress Firewall Plugin » SEO Egghead

    I've been using it since early this year when my philwiley.com blog got hacked twice, and I've had no problems on any blogs since then. Here's a piece I wrote about using it, along with screenshots. I got hacked – TWICE

    phil
  • Post by TheRichJerksNet
    What's even better is changing the coding on wordpress.. Using a plugin or some article that says do this or that will not protect your blog. It is open source code and the only way to protect it (nothing is 100% secure) is to change the coding so the hackers have no idea what to do or how to do it.

    James
    • Post by xiaophil
      Originally Posted by TheRichJerksNet View Post

      It is open source code and the only way to protect it (nothing is 100% secure) is to change the coding so the hackers have no idea what to do or how to do it.
      James, while I agree that many of these so-called 'security' and audit plugins may do little to harden an installation, I doubt that security through obscurity is an effective countermeasure either.

      I will stick my neck out and hazard a guess that most blog break-ins on up-to-date software are the result of brute-force password attacks, where the attacker simply keeps rapidly trying variations of common passwords and random combinations.

      A powerful defense against this common attack is:

      1) Use a good password - i.e. not a word from the dictionary, and bonus points for including upper and lower case, numbers and punctuation.

      2) Don't transmit the password in clear text - use a plugin that will encrypt the password on the client before passing it to the server, such as Chap Secure Login

      3) Temporarily lock out an IP address that appears to be trying lots of failed passwords, i.e. looks like an attack: Login LockDown

      If you have those covered, an attacker will most likely move on to easier pickings.
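Added example, not code from the thread or from the Login LockDown plugin named in point 3: a minimal Python model of that lockout rule (count failed logins per source IP in a sliding window, then refuse that IP for a cool-down period). The thresholds, the IP addresses and the event list are constructed for illustration; a real deployment would call these methods from the login handler and take the source address from the web server, or from a header only a trusted reverse proxy can set.

```python
"""Temporary lockout of a source IP after repeated failed logins.

Added example, not code from this thread or from the Login LockDown plugin.
Thresholds and the event list below are constructed for illustration.
"""
from collections import defaultdict, deque


class LoginLockout:
    """Tracks failed logins per IP and locks an IP once it trips the threshold."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        """True while ip is inside its cool-down; an expired lock is cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        """Register one failed login; returns True if this failure locks the IP."""
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that IP."""
        self._failures[ip].clear()


# Constructed events: (source ip, seconds since start, password correct?)
ATTACKER, USER = "203.0.113.5", "198.51.100.7"
SAMPLE_EVENTS = [
    (ATTACKER, 0, False), (USER, 5, False), (ATTACKER, 10, False),
    (USER, 15, True), (ATTACKER, 20, False), (ATTACKER, 30, False),
    (ATTACKER, 40, False),     # fifth failure inside 300 s -> locked for 900 s
    (ATTACKER, 50, False),     # refused without the password even being checked
    (ATTACKER, 1000, False),   # lock expired at t=940, counting starts over
]


def replay(events, policy=None):
    """Feed events to the policy in order; returns one decision per event:
    'allowed', 'failed', 'locked-out' (this failure tripped the lock) or
    'rejected' (attempt refused because the IP is currently locked)."""
    policy = policy or LoginLockout()
    decisions = []
    for ip, ts, ok in events:
        if policy.is_locked(ip, ts):
            decisions.append("rejected")
        elif ok:
            policy.record_success(ip)
            decisions.append("allowed")
        elif policy.record_failure(ip, ts):
            decisions.append("locked-out")
        else:
            decisions.append("failed")
    return decisions


if __name__ == "__main__":
    for (ip, ts, _), decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={ts:4d} {ip:15} {decision}")
```

Two things worth keeping in mind when using a rule like this: users behind a shared NAT address share one counter, so a short lock (minutes, not days) limits collateral damage while still making guessing impractically slow, and the address must be the real client address, since a lockout keyed on a spoofable header can be turned into a way of locking legitimate users out.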
      • Post by TheRichJerksNet
        Originally Posted by xiaophil View Post

        All the more reason to change the coding and stop updating with wp updates. Those cool little new features do not mean much if your business is suffering, do they ??

        Sorry but there is no plugin, no little article tips, that are going to stop the hacking. Hackers have access to all those plugins and articles and wp updates. If you change the coding and the hacker does not know what was changed then they have a very hard time hacking...

        Just being real and after dealing with well over 3,000 customers I think I know a few things...

        James
  • Post by Steve Powers
    That's really appreciated. But the method and skill of preventing hacking is a real challenge. It requires you to have excellent skills in networking and communication.
    • Post by philwiley
      I'm not saying just using a plugin is going to stop all attacks. If someone wants to get you they probably will.

      My ozemedia.com forum got irreparably corrupted a few years ago by a persistent attacker (maybe attackers) who kept at it for months until all my time was being spent fixing problems and I eventually closed it.

      And it's the same with blogs. If someone with the skills wants to make things bad for you, they will.

      However, at least if you're taking some preventative measures like adding a security plugin, and making coding changes, you're doing more than 99.9 percent (guess) of other blog owners, so you should be safe from drive-by attacks.

      phil
      • Post by rosterling
        Originally Posted by philwiley View Post

        I am going to try that plugin, Phil. I use WP for most of my sites. I remember when that happened to your forum and you had to shut it down. Yours was the first forum I joined when I started in IM!
  • Post by Abledragon
    Thanks AnniePot!

    Another thing you can do is to use SFTP rather than FTP when uploading/downloading WordPress files (new themes, plugins, etc).

    With FTP your details are transmitted in clear across the Internet and can be picked up by eavesdroppers. Once they have your FTP details they can access your WordPress installation via FTP.

    SFTP encrypts your details, securing that potential entry point.

    Cheers,

    Martin.
  • Post by mello
    Thanks everyone, this is useful to know. I had a hack which took me offline (host policy). Anything I can do to minimise the risk again (without becoming a techhead) is great to know.
  • Post by Quentin
    Having to administer many hundreds of blogs I used to get a few attacks however noticed many were from within so I offer these suggestions.

    1. Use good antivirus software. Free is good but the latest Wordpress attacks came from a malware problem that most of the free programs were not picking up.

    2. I found that FileZilla and many other FTP programs were compromised, so never store your passwords in them. Use something like KeePass to store your passwords and then enter them as needed.

    Key Pass Security for your Business. | Website Marketing For Better Results

    3. Keep your wordpress and plugins up to date and keep away from poorly supported plugins.

    Quentin
  • Post by UBotBuddy
    James is correct. When you have the resources to "Change the Tumblers" themselves then you are Hardening your site to a new level. Also, IF you are doing this kind of coding then it makes sense to NOT perform updates because it will simply undo what you have done.

    If you are married to your plugins then the best thing you can do is not advertise what you are using. Some plugins are more of an exposure than others.

    But if you are like me then staying current is the best option, and watching your log file and stats. BUT be prepared to react. Do your backups religiously and KNOW that you can restore from them at a moment's notice (you must practice recovery just as you perform backups). Most failures from a restore occur because the backup was not done correctly.

    James sounds like he dreams in PHP (I used to dream in Assembler...aaaahhhh...the good ole days). I think he might be in the same club as another friend of mine that dreams in PHP. My friend can flat out produce PHP code. Shame he works in a corporate environment.

    Sorry I digressed.

    If your site is important enough to you then do not ignore securing it. However, if you are in marketing programs similar to Google's A (I won't mention it because the Mods will push this thread to another part of the forum) then just know how to recreate your site in a fast way and change your passwords.

    Be Security smart with what you want to protect.
    • Post by TheRichJerksNet
      Originally Posted by SiteBlaster View Post

      James sounds like he dreams in PHP (I used to dream in Assembler...aaaahhhh...the good ole days). I think he might be in the same club as another friend of mine that dreams in PHP. My friend can flat out produce PHP code. Shame he works in a corporate environment.
      I think that is about right since 100% of all my sites I have coded in Php ...lol

      James
  • Post by mattlloyd
    This is useful stuff. Thanks, everyone.
  • Post by Marcus Paul
    My best hack prevention is my automated backup. At worst I lose 4 hours of data. I can be up and going in 15 mins again after an attack.

    The bottom line is that if a hacker wants to get you he will if he tries hard enough, particularly if you use WP. You just need to have a disaster recovery plan in place.
  • Post by Kezz
    I have a standard lineup of three security plugins that I install with every Wordpress site.

    'AskApache Password Protect' - blocks spam, hackers and password protects your site (several folders). WordPress › AskApache Password Protect WordPress Plugins

    'Login Lockdown' - adds extra security to the admin login page. WordPress › Login LockDown WordPress Plugins

    'Secure Wordpress' - takes care of a series of tweaks that remove some Wordpress vulnerabilities. WordPress › Secure WordPress WordPress Plugins

    To make installing these easy, the first plugin I always install is Plugin Central, which lets you paste in a list of standard plugins and then installs those plugins for you automatically.

    The addresses to include in your Plugin Central list for those three are:
    HTML Code:
    http://downloads.wordpress.org/plugin/secure-wordpress.zip
    http://downloads.wordpress.org/plugin/login-lockdown.1.5.zip
    http://downloads.wordpress.org/plugin/askapache-password-protect.4.6.5.2.zip
    • Post by xiaophil
      Originally Posted by TheRichJerksNet View Post

      All the more reason to change the coding and stop updating with wp updates.
      Ahhhh, I just noticed you are selling a Wordpress "security" product in your sig. That explains a lot.

      I was having a great laugh reading your parody "security" site before realizing you are actually trying to be serious.

      From the sales page:

      Close and block all exploits that hackers know about
      Priceless! Rather a sweeping statement there don't you think?

      Stop any and all SQL injection attacks
      Wow that's amazing! Hardening WordPress explains how to prevent some of them by changing the database table prefix, but I can see you are well ahead of the core development team on this one.

      Block all folders that are open to a hacker's attack
      Really? So instead of just making them read-only (chmod 755) and invisible (Options -Indexes in .htaccess) we can actually "block" them from "hackers" (whatever that means). This is great news.


      Just think of all the time myself and countless others have wasted keeping WP blogs up to date with the latest official security patches, when all along we could have just bought a "secure" system for the cheap one-off price of $39.97.


      Even the WordPress Firewall Plugin mentioned above states "Its purpose is not to replace prompt and responsible upgrading", but I see your apparently impervious product requires no such disclaimer.


      Infosec and digital forensic skills are in high demand by Fortune 500s, have you considered consulting? Maybe you already are, or perhaps scaring blog owners into spending $39.97 is more lucrative?


      On the topic of credentials, "15 years of Internet industry experience" sounds way too modest for such groundbreaking achievements in computer security. Don't be shy, tell us how you did it. I am sure there are heaps of web-monkeys out there looking to make the leap into the lucrative world of digital forensics.

      Sorry but there is no plugin, no little article tips, that are going to stop the hacking.
      Except yours, right?

      Just being real and after dealing with well over 3,000 customers...
      Is "dealing with" a euphemism for "misleading"?

      I think I know a few things...
      A very revealing statement, as one of the hallmarks of unconscious incompetence is the inability to recognize a deficit.

      It is open source code and the only way to protect it (nothing is 100% secure) is to change the coding so the hackers have no idea what to do or how to do it.
      In my opinion, claiming that Open Source software is inherently insecure because it isn't obscure indicates an overall lack of understanding of the causes of software vulnerabilities.

      Whether software is open or closed source is largely irrelevant. Its security is dependent primarily on the quality of the code.

      There are numerous Open Source cryptographic and other security-oriented programs in widespread use with very few issues. On the other hand there are also very popular closed source operating systems that regularly announce patches for newly discovered vulnerabilities.

      Some people may consider it disturbing when a "secure" software vendor appears to have little grasp of the subject. The tragedy is that their customers are most likely unaware of this, and in their search for some peace of mind, put their faith in the snake oil.
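Added example, not part of the thread: a small Python audit for the two concrete settings mentioned in the post above, files or directories that are writable by group or others (the chmod 755 advice) and a missing Options -Indexes in the site's .htaccess. It builds a constructed WordPress-like tree in a temporary directory so it runs offline; the tree layout, the file contents and the function names are assumptions, and a real check would point audit() at the actual document root.

```python
"""Audit a WordPress directory tree for loose permissions and directory listing.

Added example, not code from the thread.  Flags any file or directory with a
group or 'other' write bit (looser than 755/644) and a root .htaccess that does
not switch directory listing off with "Options -Indexes".
"""
import os
import shutil
import stat
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def loose_permissions(path):
    """True if the group or 'other' write bit is set on path."""
    return bool(os.lstat(path).st_mode & WRITABLE_BY_OTHERS)


def indexes_disabled(htaccess_path):
    """True if the .htaccess file has an Options directive containing -Indexes."""
    if not os.path.isfile(htaccess_path):
        return False
    with open(htaccess_path, encoding="utf-8") as fh:
        for line in fh:
            words = line.split()
            if words and words[0].lower() == "options":
                if "-indexes" in (w.lower() for w in words[1:]):
                    return True
    return False


def audit(root):
    """Return sorted (finding, relative path) pairs; an empty list means clean."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if loose_permissions(dirpath):
            findings.append(("group-or-world-writable-dir", os.path.relpath(dirpath, root)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if loose_permissions(full):
                findings.append(("group-or-world-writable-file", os.path.relpath(full, root)))
    if not indexes_disabled(os.path.join(root, ".htaccess")):
        findings.append(("directory-listing-not-disabled", ".htaccess"))
    return sorted(findings)


def build_sample_tree(disable_indexes=True):
    """Constructed WordPress-like tree with two deliberate mistakes:
    a 777 uploads directory and a 666 wp-config.php.  Modes are set
    explicitly so the result does not depend on the caller's umask."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    dirs = {
        "wp-content": 0o755,
        "wp-content/plugins": 0o755,
        "wp-content/uploads": 0o777,   # mistake: writable by everyone
    }
    for rel, mode in dirs.items():
        path = os.path.join(root, rel)
        os.makedirs(path)
        os.chmod(path, mode)
    files = {
        "index.php": (0o644, "<?php // constructed placeholder\n"),
        "wp-config.php": (0o666, "<?php // constructed placeholder\n"),  # mistake
        "wp-content/plugins/readme.txt": (0o644, "constructed placeholder\n"),
    }
    if disable_indexes:
        files[".htaccess"] = (0o644, "Options -Indexes\n")
    for rel, (mode, body) in files.items():
        path = os.path.join(root, rel)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


def cleanup(root):
    """Remove a tree produced by build_sample_tree()."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    tree = build_sample_tree()
    for finding, rel in audit(tree):
        print(f"{finding:32} {rel}")
    cleanup(tree)
```

The write-bit check is the part that carries over directly to a real site; on shared hosting the web server often runs as the site owner, so a world-writable wp-content/uploads is exactly the place a compromised neighbour or a plugin flaw ends up dropping files, and it is worth listing such directories regularly rather than once.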
      • Post by TheRichJerksNet
        Originally Posted by xiaophil View Post

        First off I highly suggest reading the rules and especially rule #1...

        With that said nothing in my sales copy is wrong or misleading.. Nothing I say is misleading and if you knew me as many of my customers do you would understand that.

        I have no "plugin" ... I have a system that has been recoded and the security added into it. You do not need all these plugins and patches and articles and everything.

        I have been custom building sites for over 15 years and yes I do know what I talk about. I do not hype anything or lie to get sales.

        I find it funny though that you choose to attack a well respected member of this forum and a well respected website developer. That tells us a whole great deal right there..

        If you want to mislead people into using useless crap then be my guest. As one well respected forum member told me before I even released v1 of my product. "If they want to be cheap and not protect their business then let them be hacked and when they come running charge them twice".

        James
        • Post by xiaophil
          Hello James,

          Thanks for the response.

          In the past, I have seen some of your posts and sometimes even agreed with what you said.

          What bothered me in this thread is that you adopted a stance which attempted to discredit what are actually some quite effective measures for the sole purpose of promoting your product.

          Originally Posted by TheRichJerksNet View Post

          First off I highly suggest reading the rules and especially rule #1...
          I have read the rules and am aware of rule #1. I have no problems with you as a person and have not tried your "security" product. If you think I am in violation of the rules then simply report my post and have a moderator assess it. Easy.

          With that said nothing in my sales copy is wrong or misleading.. Nothing I say is misleading...
          James, look at the language of some of the claims you are making, for example:

          Close and block all exploits that hackers know about
          That statement is a minefield. Let me know if you can't figure out why.

          And there are plenty more, like this gem:

          It is open source code and the only way to protect it... is to change the coding
          This statement is saying that the software is inherently insecure because it is Open Source. That is inaccurate and misleading.

          And while we're on the subject of Open Source:

          I have no "plugin" ... I have a system that has been recoded and the security added into it.
          So you are saying you have forked the Wordpress code and rewritten ("recoded") it into a "secure" version. Is that right?

          Wordpress is licensed under the GPL, the terms of which would oblige you to make any changes available as source code along with your new product.

          Please explain how you can simultaneously have a product that relies upon security through obscurity and is released under an Open Source license. A few of us are very keen to hear how this works.

          I have been custom building sites for over 15 years and yes I do know what I talk about. I do not hype anything or lie to get sales.
          Your skills as a web developer are not an issue here, and you haven't been accused of lying, so I am not sure why you feel the need to mention that.

          I find it funny though that you choose to attack a well respected member of this forum and a well respected website developer. That tells us a whole great deal right there..
          James, I am not attacking you. I don't know you. You may very well be a nice guy. Am I attacking your methods in this particular instance? Absolutely.

          If you want to mislead people into using useless crap then be my guest.
          Having an up to date system with a handful of sensible security measures is a simple and effective way to secure a blog against the majority of attacks.

          I would rather focus on raising awareness and education rather than pushing a magical cure-all for the purpose of extracting forty bucks from someone.

          The fact is that by implementing a handful of best practices, many of which have been mentioned, people can achieve pretty good security on their blogs.
          • Post by theimdude
            James, James, James, are you at it again ................ I am a bit confused here as in all your posts here you knock all methods and security plugins and even wordpress as being bad news but you sell a plugin for wordpress in your signature.

            Wordpress GPL or not rocks. Just keep it updated and you will be ok.
            • Post by TheRichJerksNet
              Originally Posted by theimdude View Post

              Not knocking it .. it's more of a warning.. Regardless of what anyone says most website developers know open source code is a target because it is open source. Otherwise many wannabe hackers would not be able to hack it.

              I do not sell any plugins...

              There are far too many people that are misled until it is too late. Keeping something up-to-date does not always correct the problem. Matter of fact, search the posts here and see how many lost everything due to updating so fast, because trust me there are many.

              I will say it again, nothing is 100% secure, but the fact is if you take your business seriously then I suggest you take your security seriously and not just depend upon some plugin or some update.

              James
              • Post by theimdude
                Originally Posted by TheRichJerksNet View Post

                Problem is, James, I read what you're selling and it is public. So once what you're selling is out, then what?

                Will the owners of your method be told there was a hacker better than you.

                In any case, I always wonder why you come into a wonderful thread which offers good advice (the link from the OP is very good) and seem to stir................

                Just my observation

                Eza Articles
                Duplicate content
                Now Wordpress security
                • Post by xiaophil
                  Originally Posted by SiteBlaster View Post

                  Good luck to you xiaophil! And I do mean that.
                  Yes you keep saying that. Good luck with what, precisely?

                  I do not engage in pointless arguments.
                  Glad to hear it.

                  ...I will not be cutting and pasting excerpts from posts to try and debunk what they have said...
                  Why would your objective be to debunk things? I thought this thread was about sharing ideas on improving Wordpress security.

                  You claim to have extensive commercial experience of software security, but so far we have yet to hear a single iota of practical advice from you.

                  It's not too late though, you can still choose to share some of the wealth of experience you claim to have.

                  You don't even need to cut and paste excerpts, just answer the simple questions put to you, if you can.

                  For your convenience I will reiterate one here:

                  "How specifically did you validate the claims of the product in question?"

                  If you didn't, just say so.

                  Originally Posted by SiteBlaster View Post

                  I don't secure or backup ALL of my sites. Just the ones I care about.
                  In my opinion, that doesn't sound like something a computer security professional would say.
  • Post by UBotBuddy
    xiaophil

    I would be very careful how you tread on this subject. It is easy to sit back and punch holes in security comments. I've been there. I have also been on the other side of the table when comments like yours are directed towards people in jobs like I had just so they could protect a little bit of knowledge they thought was correct. Ultimately, it was the wrong logic.

    The advice given up to this point has been VERY good and very much on the mark.

    As I have said in the past, there are good plans and there are bad plans.

    What is your experience in auditing and security? I can tell you after 10 years of working in that business I know what I am talking about. I was the most hated auditor of them all only because I was right. As far as James is concerned, IMHO he is as knowledgeable about this subject as any other that I have heard and it does not give me any reason to doubt him or his ebook. But if any of his comments in here are a prelude to it then he will be on the mark as well.

    I do wish you well in your endeavors, I just hope it is not in auditing or security!
    • Post by GuerrillaIM
      Originally Posted by SiteBlaster View Post

      From my experience working in the software industry and also my training company providing security certifications like the CISSP, CEH and the Security+, I think that xiaophil has some very valid points here.

      Good security points for your wordpress blog in my opinion are:

      - Don't have username "admin"
      - Set your server to deny access to an IP and log the attempt after so many wrong logins; this will help you defend against brute force. Setting your server up to send an SMS to your phone when the alarm is triggered is something we have done for mission critical systems before.
      - Change the prefix of the wordpress database.
      - Don't use shared hosting. In most of the cases where my clients have been hacked it is usually because they are on shared hosting. We have kept their site secure but another site that shares the same server is vulnerable and allowed access. Shared hosting means your website shares a server with literally thousands of other websites.

      Underground hacker and bot networks can do a lot of damage with 0-day exploits before they are patched. Making yourself "hacker proof" in most cases is not practical, but making sure you are not an easy target is essential, and usually enough to keep you out of trouble.

      Usually, though, the entry point for hacks is keyloggers distributed through P2P or BitTorrent sites. The hacker takes out your weak home system and then gains access to the passwords for all your accounts. This happens more than you could believe, and the fallout from something like this can be nasty. Virus scanners are not real security; they just stop the noobs that don't know how to make viruses themselves.
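The second point in the list above (deny an IP after so many wrong logins, log it, and raise an alarm) can be driven straight from the web server's access log without any plugin. The script below is an added example written for this thread; it is not code from the original post, from WordPress, or from any product mentioned here. It assumes the Apache/nginx "combined" log format and the stock wp-login.php behaviour that a failed POST re-renders the login form with HTTP 200 while a successful POST redirects (302) into wp-admin; the threshold (5 failures), the window (10 minutes) and the sample log lines (documentation IP ranges) are all constructed for the example.

```python
"""Sliding-window lockout for wp-login.php brute force, fed from access-log lines.

Added example (not from the thread). Assumptions: "combined" log format, and
the stock wp-login.php behaviour that a failed POST answers 200 with the form
while a successful POST answers with a redirect (302) into wp-admin.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

MAX_FAILURES = 5                # wrong logins tolerated ...
WINDOW = timedelta(minutes=10)  # ... inside this sliding window (both values are assumptions)

# Constructed sample: 203.0.113.7 hammers the form, 198.51.100.4 typos twice then
# logs in, 192.0.2.9 fails five times but spread over 12 minutes (outside the window).
SAMPLE_LOG = """\
192.0.2.9 - - [10/Nov/2009:14:00:00 +0000] "POST /blog/wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1342 "-" "curl/7.19"
203.0.113.7 - - [10/Nov/2009:14:02:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2009:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2009:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2009:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2009:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2009:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2009:14:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2009:14:03:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 1342 "-" "curl/7.19"
198.51.100.4 - - [10/Nov/2009:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2009:14:05:20 +0000] "POST /wp-login.php HTTP/1.1" 200 1342 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2009:14:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2009:14:06:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 1342 "-" "curl/7.19"
192.0.2.9 - - [10/Nov/2009:14:09:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 1342 "-" "curl/7.19"
192.0.2.9 - - [10/Nov/2009:14:12:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 1342 "-" "curl/7.19"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string (redirect_to=...)
        "status": int(m["status"]),
    }


def classify(rec):
    """'fail' or 'success' for a login POST, None for anything else."""
    if rec is None or rec["method"] != "POST" or not rec["path"].endswith("/wp-login.php"):
        return None
    if rec["status"] == 200:               # form re-rendered: bad credentials
        return "fail"
    if rec["status"] in (301, 302, 303):   # redirected into wp-admin: accepted
        return "success"
    return None


def detect_lockouts(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Map each IP that crosses the threshold to (time of lockout, failures in window)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    locked = {}
    for line in lines:
        rec = parse_line(line)
        kind = classify(rec)
        if kind is None or rec["ip"] in locked:
            continue                                  # non-login traffic, or already blocked
        ip, ts = rec["ip"], rec["ts"]
        if kind == "success":
            recent.pop(ip, None)                      # a real user who finally got it right
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:               # slide the window forward
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = (ts, len(q))
    return locked


def blocked_ips(lines, **kw):
    return sorted(detect_lockouts(lines, **kw))


def alert_message(ip, when, count):
    """Short text suitable for the SMS/pager hook mentioned in the post."""
    return f"wp-login lockout: {ip} blocked at {when:%Y-%m-%d %H:%M:%S %z} after {count} failed logins"


if __name__ == "__main__":
    for ip, (when, count) in detect_lockouts(SAMPLE_LOG.splitlines()).items():
        print(alert_message(ip, when, count))   # hand the IP to iptables/fail2ban, send the SMS
```

The detector tracks per-IP failure timestamps in a deque and trims anything older than the window before comparing against the threshold, so a slow attacker who spreads five attempts over twelve minutes is not locked out while a fast one is; a successful login clears that IP's history so a legitimate user who fumbles a couple of times is never penalised. In production the `print` would become the firewall rule and the SMS call, and the thresholds would be tuned for the site.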
    • xiaophil
      Siteblaster,

      Thanks for your response.

      I certainly have no beef with the legitimate security auditing industry.

      What does get my hackles up is seeing self-proclaimed experts preying on the uneducated, and the sure signs of a charlatan are broad, sweeping generalizations linked to cure-all claims and the conspicuous lack of credentials.

      That may not be happening here, but the warning signs are evident.

      As I am not positioning myself as a security expert, my credentials are perhaps not as important as someone who is.

      "Computer security" is a huge and varied business, what aspect of it were you involved in specifically?

      And seeing as you are the one with the hands-on experience, could you explain specifically how you validated the claims of the product in question?

      After all, as a professional security auditor, surely you didn't just base your conclusions on whether the vendor sounds like they know what they are talking about, did you?

      Originally Posted by SiteBlaster

      I would be very careful how you tread on this subject. It is easy to sit back and punch holes in security comments. I've been there. I have also been on the other side of the table when comments like yours are directed towards people in jobs like I had just so they could protect a little bit of knowledge they thought was correct. Ultimately, it was the wrong logic.
      I am always receptive to new ideas, as well as corrections and feedback from a domain expert. Unfortunately you have provided nothing more here than some kind of vague warning and a lot of finger waving.

      As I have said in the past, there are good plans and there are bad plans.
      I'll write that down for future reference.

      I can tell you after 10 years of working in that business I know what I am talking about. BLAH BLAH BLAH BLAH BLAH....
      Well then, respectfully, perhaps you could contribute to this thread by actually sharing some of your knowledge instead of just telling us how big it is.

      I do wish you well in your endeavors, I just hope it is not in auditing or security!
      Your tone is not all that sincere, but my endeavors are doing fine, thanks.

      Like I said, if you are willing to explain things, I am happy to listen, but this attitude of "I know lots and you're wrong, and what do you know anyway" just doesn't cut it, I'm afraid.
  • troy23
    Kezz
    "I have a standard lineup of three security plugins that I install with every Wordpress site."

    I would like to ask if it is difficult to configure these plug ins? I have a Wordpress site, but I am a novice when it comes to the admin side.
    • Kezz
      Originally Posted by troy23

      Kezz
      "I have a standard lineup of three security plugins that I install with every Wordpress site."

      I would like to ask if it is difficult to configure these plug ins? I have a Wordpress site, but I am a novice when it comes to the admin side.
      Not difficult at all, easy peasy. All you need to do is install them and activate them and you're good. There are some options available for each, but I've found the default settings to be just fine.
  • GuerrillaIM
    Originally Posted by ProductCreator

    - don't use a ton of obscure plugins, a handful of well known (updated) ones is OK.
    Exploits can be found even in popular plugins (it's the popular ones that are most dangerous; exploits in unknown programs often go without reprisal).

    Follow advice with caution.
  • UBotBuddy
    Good luck to you xiaophil! And I do mean that.

    I do not engage in pointless arguments. I know a snake oil salesman when I see the talk and so far James has yet to even come close to being that and his comments have been right on.

    So, I will not be cutting and pasting excerpts from posts to try and debunk what they have said, it's just not worth it. So we will just have to Agree to Disagree.
    • zerofill
      There is only one way to completely stop any chance of being hacked...

      Unplug the computer running the blog from the internet.

      Other than that... I don't care if it is open source or a custom-designed application... someone good wants in... they're getting in... period...
  • UBotBuddy
    I agree zerofill! lol

    I don't secure or backup ALL of my sites. Just the ones I care about.
  • TheRichJerksNet
    Dude, I am not going to waste my time arguing with you.. Matter of fact, I did not even read your entire post.. I did not post in here to promote my product.. Heck, "DON'T BUY MY PRODUCT".... What I posted was the truth and I have over 15 years to back me up...

    Go get some off-the-wall plugins, be my guest.. It's not my website/blog...

    James

    P.S. And the ignore list gets bigger....
  • AnniePot
    A good friend of mine who makes a living managing WP blogs has also just recommended WordPress Exploit Scanner to me.

    Anne