How To Make Your Wordpress Sites {Almost} Unhackable

112 replies
I thought I'd put together a little guide for everyone on the Warrior Forum who uses wordpress for their websites.

I had to put {Almost} in the title, because obviously nothing is unhackable. But, if you follow these steps, you will be pretty much more protected than you are now.

The first thing you need to do is NOT use fantastico! I see everyone saying to use fantastico, and I have never seen anyone actually telling you the right way to do it so you are protected.

The reason why you do not want to use fantastico to install wordpress on your site is because by default it sets "wp_" as the prefix for each wordpress table name.

Hackers know that most people use fantastico, so it's easy for them to send malicious code targeting your wp_ based tables. Doing that, they can change the look of your site, redirect your url to their site, and I'm sure many more things that we don't want happening to our sites.

So how do we install wordpress if we can't use fantastico?

Well we do it manually and it really isn't hard at all. It just takes a few more steps, and maybe 5 minutes once you get it down.

How To Manually Install Wordpress And Change The Default Wordpress Table Prefix:

1. Download the latest version of wordpress from WordPress › Blog Tool and Publishing Platform
2. Log into your hosting and create a mysql database and user with all privileges (how to do this step below)
a. Click on MySQL Databases
b. Create a new database
c. Create a new user (remember your pw because you will need it)
d. Add user to database and check all privileges
3. Unzip wordpress, go into the wordpress folder, find the file named wp-config-sample and rename it to wp-config
4. Open wp-config (the one you just edited) and fill in the database fields with the info you just created (database name, database user, and password)
NOTE: You will have to right click on wp-config and choose to edit with a text editor. I use Notepad++ (5.9) but just notepad should work fine.
5. Scroll down a little more and change the table prefix 'wp_' to 'newtableprefix_'
6. Save the file and close it
7. Upload all wordpress files to the root of the domain either with ftp or using your host's ftp (don't upload the actual wordpress folder, just what's inside it)
8. On your favorite browser go to domain.com/wp-admin/install.php (domain.com would be your website's domain)
9. This starts the regular wordpress setup (Do NOT use admin as the username)

There that's it for manually installing wordpress and changing the default table prefix. It honestly looks like a lot and a little confusing on paper, but it's not.

I went ahead and created a video showing you step by step how to manually install wordpress and how to change the wordpress table prefix. You can watch it in HD on youtube


Next up you can create a file that only lets you see your wordpress admin log in page. I started doing this on all of my sites and quickly found out I couldn't do it anymore because my ip address changes often.

So this method is for people who know their ip address doesn't change. If someone tries to go to your admin log in page they will only see a blank page.

Here is how you do it:

1. Open up notepad
2. Paste in

order deny,allow
deny from all
allow from xx.xx.xx.xx

3. Change xx.xx.xx.xx with your ip address
4. If you don't know what your ip address is then go to What Is My IP Address - Shows Your IP Address
5. Copy what they tell you your ip address is (make sure you aren't using any proxies at the time) and paste it over xx.xx.xx.xx
6. Save the text file as .htaccess
7. Upload it to your website's wp-admin folder through ftp
8. You may have to edit the name because for me when I upload it, it changes to .htaccess.txt so just edit the name and take off the .txt part
9. Go to yourdomain.com/wp-admin, if it loads fine then you are good to go
10. If you only see a blank page then something went wrong, don't panic just go back into your ftp and make sure you put the right ip address in the .htaccess file
11. If you still can't figure out what's wrong then just delete the file

This method blocks everyone trying to go to your admin log in page unless their ip address is allowed in the .htaccess file. You can add more than 1 ip address in the file if you need to. Just add in another allow from xx.xx.xx.xx in the next line.

Next, I'll talk about some wordpress plugins that will help you with making your wordpress site *almost* unhackable.

The first one is called Login LockDown. WordPress › Login LockDown « WordPress Plugins

This is a great plugin if you can't use the method above. What it does is record every failed login attempt and will block anyone with 3 failed login attempts within 5 minutes. Basically it prevents brute force password discovery.

The next plugin is called Secure Wordpress. WordPress › Secure WordPress « WordPress Plugins

This plugin is pretty cool. It just does a lot of little things to help you be more secure. One of the best things I think is that it removes the wordpress version from being seen.

If your site is using an older version of wordpress, it makes it much easier to hack. If the hacker has no clue what version you are using they probably won't even try. You can see the other things this plugin does on its wordpress page using the link above.

The last plugin I want to share is WP-DBManager. WordPress › WP-DBManager « WordPress Plugins

This plugin will allow you to set up scheduled backups of your wordpress database. It's better to be safe than sorry, so please make sure you are keeping backups of all of your sites. I suggest creating a brand new gmail account just for getting scheduled backups, and creating filters in your email account for each website.

Also, in your wordpress settings, make sure that your wordpress username is not the name that shows up publicly when you make posts or comments. To change it follow these steps:

1. Log in to your wordpress site
2. Click on users
3. Edit your username
4. Create a nickname that isn't the same as what you use to log in
5. Change "Display name publicly as" to your nickname
6. Click "Update Profile"

I hope this post helps you make your wordpress sites more secure. Any and all comments very appreciated!

Brent
  • Roaddog
    Brent Jacoby

    The first thing you need to do is NOT use fantastico! I see everyone saying to use fantastico, and I have never seen anyone actually telling you the right way to do it so you are protected.

    The reason why you do not want to use fantastico to install wordpress on your site is because by default it sets "wp_" as the prefix for each wordpress table name.

    Hackers know that most people use fantastico, so it's easy for them to send malicious code targeting your wp_ based tables. Doing that, they can change the look of your site, redirect your url to their site, and I'm sure many more things that we don't want happening to our sites.
    I've been saying this whenever I talk about wp. The wp prefix is a dead giveaway.

    There is a plugin called wp security scan that will let you change the wp prefix...but you have to have the permissions and I have never bothered, because I build them almost the same way as you.

    So how do we install wordpress if we can't use fantastico?

    Well we do it manually and it really isn't hard at all. It just takes a few more steps, and maybe 5 minutes once you get it down.

    How To Manually Install Wordpress And Change The Default Wordpress Table Prefix:

    1. Download the latest version of wordpress from WordPress › Blog Tool and Publishing Platform
    2. Log into your hosting and create a mysql database and user with all privileges (how to do this step below)
    a. Click on MySQL Databases
    Some cPanels have a MySQL Database Wizard which will let you change the prefix and is much easier than the complete manual database build. If you have this I highly recommend it

    If not then the following.

    b. Create a new database
    c. Create a new user (remember your pw because you will need it)
    d. Add user to database and check all privileges
    3. Unzip wordpress, go into the wordpress folder, find the file named wp-config-sample and rename it to wp-config
    4. Open wp-config (the one you just edited) and fill in the database fields with the info you just created (database name, database user, and password)
    NOTE: You will have to right click on wp-config and choose to edit with a text editor. I use Notepad++ (5.8.7) but just notepad should work fine.
    5. Scroll down a little more and change the table prefix 'wp_' to 'newtableprefix_'
    6. Save the file and close it
    7. Upload all wordpress files to the root of the domain either with ftp or using your host's ftp (don't upload the actual wordpress folder, just what's inside it)
    8. On your favorite browser go to domain.com/wp-admin/install.php (domain.com would be your website's domain)
    9. This starts the regular wordpress setup (Do NOT use admin as the username)
    Another really good tip.


    So this method is for people who know their ip address doesn't change. If someone tries to go to your admin log in page they will only see a blank page.

    Here is how you do it:

    1. Open up notepad
    2. Paste in

    order deny,allow
    deny from all
    allow from xx.xx.xx.xx

    3. Change xx.xx.xx.xx with your ip address
    4. If you don't know what your ip address is then go to What Is My IP Address - Shows Your IP Address
    5. Copy what they tell you your ip address is (make sure you aren't using any proxies at the time) and paste it over xx.xx.xx.xx
    6. Save the text file as .htaccess
    7. Upload it to your website's wp-admin folder through ftp
    8. You may have to edit the name because for me when I upload it, it changes to .htaccess.txt so just edit the name and take off the .txt part
    9. Go to yourdomain.com/wp-admin, if it loads fine then you are good to go
    10. If you only see a blank page then something went wrong, don't panic just go back into your ftp and make sure you put the right ip address in the .htaccess file
    11. If you still can't figure out what's wrong then just delete the file

    This method blocks everyone trying to go to your admin log in page unless their ip address is allowed in the .htaccess file. You can add more than 1 ip address in the file if you need to. Just add in another allow from xx.xx.xx.xx in the next line.

    I didn't know this one, so thanks for another good tip.


    Also, in your wordpress settings, make sure that your wordpress username is not the name that shows up publicly when you make posts or comments. To change it follow these steps:

    1. Log in to your wordpress site
    2. Click on users
    3. Edit your username
    4. Create a nickname that isn't the same as what you use to log in
    5. Change "Display name publicly as" to your nickname
    6. Click "Update Profile"

    Something I usually ignore, but should really do.



    Very nicely done, there seems to be an abundance of "MY WP got hacked" threads lately. I'm sure this will be of good use to quite a few people.


    Jim
    • Brent Jacoby
      Originally Posted by Roaddog

      Brent Jacoby

      I've been saying this whenever I talk about wp. The wp prefix is a dead giveaway.

      There is a plugin called wp security scan that will let you change the wp prefix...but you have to have the permissions and I have never bothered, because I build them almost the same way as you.

      Some cPanels have a MySQL Database Wizard which will let you change the prefix and is much easier than the complete manual database build. If you have this I highly recommend it

      If not then the following.

      Another really good tip.

      I didn't know this one, so thanks for another good tip.

      Something I usually ignore, but should really do.

      Very nicely done, there seems to be an abundance of "MY WP got hacked" threads lately. I'm sure this will be of good use to quite a few people.

      Jim
      Hey Jim,

      Thanks for your reply.

      I'm glad you don't suggest fantastico when you tell people about wordpress. I've checked out wp security scan in the past but I never used it to change the table prefix either.

      The mysql database wizard doesn't let you change the wordpress table prefix. It just walks you through setting up the database and that's it.

      Yup, I have been seeing a lot of the, "OMG MY WORDPRESS SITE GOT HACKED!!!1!!" as well. It doesn't take much to make them a little more secure.

      Again, thanks for the reply.

      Brent
      • Roaddog
        Originally Posted by Brent Jacoby

        Hey Jim,



        The mysql database wizard doesn't let you change the wordpress table prefix. It just walks you through setting up the database and that's it.


        Brent
        Are you sure?
        Because mine does. I just went back to the databases and they are all random prefixes that I set with the wizard. I know I did because it's the only way I build 'em anymore. I got tired of building manually.
        Somewhere (and I don't remember where) in the process the prefix comes up on mine and I just change right in there.

        Maybe yours doesn't have that feature, who knows.


        Good tips though


        Jim
        • Brent Jacoby
          Originally Posted by Roaddog

          Are you sure?
          Because mine does. I just went back to the databases and they are all random prefixes that I set with the wizard. I know I did because it's the only way I build 'em anymore. I got tired of building manually.
          Somewhere (and I don't remember where) in the process the prefix comes up on mine and I just change right in there.

          Maybe yours doesn't have that feature, who knows.


          Good tips though


          Jim
          When you create the database and user that is something different than the wordpress table prefix.

          You cannot see the wordpress table prefix by looking at your databases, but you can see it when you go to phpMyAdmin.

          A table will look like:

          wp_options
          wp_posts
          wp_comments

          The wp_ at the beginning is the prefix I am talking about changing.
          • Roaddog
            Originally Posted by Brent Jacoby

            When you create the database and user that is something different than the wordpress table prefix.

            You cannot see the wordpress table prefix by looking at your databases, but you can see it when you go to phpMyAdmin.

            A table will look like:

            wp_options
            wp_posts
            wp_comments

            The wp_ at the beginning is the prefix I am talking about changing.


            That's what I am talking about, in phpadmin.

            Had to check to make sure that I was right, but there they are.

            And if you know how you can change passwords from in there.

            That's one reason this is important.

            Jim


            edit* after you use the database wizard you can change the prefix on the initial admin info (where you change the admin name). If you change wp_ there, it will work. I see where the confusion is, I do everything in the browser and you're editing the config file by text editor.
            The only thing I write down is the password, db name, and user.
            Everything else can be done through the browser.
  • Sarah Russell
    Great info - thanks for sharing!
  • Istvan Horvath
    This method blocks everyone trying to go to your admin log in page unless their ip address is allowed in the .htaccess file. You can add more than 1 ip address in the file if you need to. Just add in another allow from xx.xx.xx.xx in the next line.

    I didn't know this one, so thanks for another good tip.
    Reminder: most likely your ISP assigns you a different IP every time you login/go online. 99% of the ISPs work like that.

    So let's make it bold: UNLESS you know absolutely sure that you always get the same IP address whenever you go online - DO NOT TRY this method
    • Roaddog
      Originally Posted by Istvan Horvath

      Reminder: most likely your ISP assigns you a different IP every time you login/go online. 99% of the ISPs work like that.

      So let's make it bold: UNLESS you know absolutely sure that you always get the same IP address whenever you go online - DO NOT TRY this method

      Good tip.

      I do have mostly dedicated IP's, but a lot don't.


      Jim
    • Brent Jacoby
      Originally Posted by Istvan Horvath

      Reminder: most likely your ISP assigns you a different IP every time you login/go online. 99% of the ISPs work like that.

      So let's make it bold: UNLESS you know absolutely sure that you always get the same IP address whenever you go online - DO NOT TRY this method
      I'm not sure what you mean by "every time you login/go online". I mean I understand if you are talking about dial-up, but when you have cable, dsl, fiber optics... there isn't any logging in or going online.

      My IP doesn't change everyday, but it changes often enough to make me not want to have to edit the .htaccess file every time it does.
      • Istvan Horvath
        Originally Posted by Brent Jacoby

        I'm not sure what you mean by "every time you login/go online". I mean I understand if you are talking about dial-up, but when you have cable, dsl, fiber optics... there isn't any logging in or going online.

        My IP doesn't change everyday, but it changes often enough to make me not want to have to edit the .htaccess file every time it does.
        OK, maybe I exaggerated a bit... because so many novice users are reading these forums and they always jump into applying the weirdest "advices". Often you have to tell them: Don't try it at home...

        The more accurate answer would have been based on this:
        What is an IP address lease time?
        An IP lease time is the amount of time your ISP determines you'll be assigned a particular IP. Some IP lease times could be just a couple of hours, where some are set to a few days, and other IP lease times could be set for as long as a year or more. This setting is completely up to your ISP.
        • Brent Jacoby
          Originally Posted by Istvan Horvath

          OK, maybe I exaggerated a bit... because so many novice users are reading these forums and they always jump into applying the weirdest "advices". Often you have to tell them: Don't try it at home...

          The more accurate answer would have been based on this:
          Haha I got ya. Thanks for the clarity Istvan.
        • GBryar
          Great tips, except the one with the IP, as many should not be doing this like it's been said many times over the thread. Most people have dynamic IP, if you're NOT SURE, you DON'T have a static IP.

          It will change when the ISP lease expires or it "might" change when you reset your modem. Just my 2cent about IP addresses.

          But everything else that is recommended seems to make sense and more and more people will want to secure their sites from hackers, so GREAT POST! Tks for the info.
  • Istvan Horvath
    When it comes to WP related (help) topics... my mantra is: every question you can come up with has already been answered in the Codex, the online manual of WP.

    Hardening WordPress « WordPress Codex
  • Istvan Horvath
    Jim,

    it's not about the dedicated IP of your site (where your WP install lives)!

    It is about the IP address that you get when your computer goes online...
    Get yours here: Find your IP Address with IP Info
    • Roaddog
      Originally Posted by Istvan Horvath

      Jim,

      it's not about the dedicated IP of your site (where your WP install lives)!

      It is about the IP address that you get when your computer goes online...
      Get yours here: Find your IP Address with IP Info

      Istvan, yeah, I did kind of misread that (that's what multitasking will do for ya)

      I do have a static IP, but rereading that whole thing I got a key point wrong.

      Not so sure I would do that even though I have one. ( the .htaccess.... the rest helps)

      Because, I like so many others live at the whim of the thinly disguised monopolies called cable companies and they can change anything at any time.


      So thanks for putting the brakes on, as it were, for me to take a second look.


      Jim
  • richinca
    My favorite WP backup tool is EZPZ One Click Backup

    It's fast and painless.
    • richinca
      Sorry forgot to mention it is a free WP plug-in

      Originally Posted by richinca

      My favorite WP backup tool is EZPZ One Click Backup

      It's fast and painless.
  • VOnline
    [DELETED]
    • Roaddog
      Brent,

      This is the way I do it....I find it faster, but to each his own of course.

      upload wp

      Use database wizard

      keep db name db user and password in notepad or whatever

      go to and open wp admin in your directory

      click on install.php

      open url in browser

      should say need to create config file

      click on

      lets go page

      click on

      change db name-db name- password -change prefix- leave localhost

      click on

      all right sparky page

      press run install

      welcome page

      fill in site title - change admin name -site admin password -email

      press enter

      welcome

      you can go back and delete install.php

      Definitely don't recommend fantastico

      Jim
      • Susan Hope
        Some great tips here guys - thanks muchly

        Sue
      • Brent Jacoby
        Originally Posted by Roaddog

        Brent,

        This is the way I do it....I find it faster, but to each his own of course.

        upload wp

        Use database wizard

        keep db name db user and password in notepad or whatever

        go to and open wp admin in your directory

        click on install.php

        open url in browser

        should say need to create config file

        click on

        lets go page

        click on

        change db name-db name- password -change prefix- leave localhost

        click on

        all right sparky page

        press run install

        welcome page

        fill in site title - change admin name -site admin password -email

        press enter

        welcome

        you can go back and delete install.php

        Definitely don't recommend fantastico

        Jim
        Thanks for posting your way of doing it Jim.
  • theresagas
    Actually, what you said is only 40 percent of what I am doing to protect my wp site. I use fantastico and as well prefix table can be edited easily with wp plugin. For ip protection login, you can use this

    # Redirect people from accessing this directory (my dashboard) to another page
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^199\.85\.
    # The target must be a full URL; a bare hostname is treated as a path on this site
    RewriteRule .* http://redirecturl.com/ [R,L]
    </IfModule>

    # Protect the wp-login.php file from access
    # <IfModule mod_rewrite.c>
    # RewriteEngine On
    # RewriteCond %{REQUEST_URI} wp-login.php
    # RewriteCond %{REMOTE_ADDR} !^199\.85\.
    # RewriteRule .* http://redirecturl.com/ [R,L]
    # </IfModule>
    • briancassingena
      Originally Posted by theresagas

      Actually, what you said is only 40 percent of what I am doing to protect my wp site. I use fantastico and as well prefix table can be edited easily with wp plugin. For ip protection login, you can use this
      ...aaaaaaaaaand the plugin to fix the prefix table iiiiiissssss.......
      • Brent Jacoby
        Originally Posted by briancassingena

        ...aaaaaaaaaand the plugin to fix the prefix table iiiiiissssss.......
        Haha. And I was wondering what the other 60% is that he uses.
    • awoob
      Originally Posted by theresagas

      Actually, what you said is only 40 percent of what I am doing to protect my wp site. I use fantastico and as well prefix table can be edited easily with wp plugin. For ip protection login, you can use this

      # Redirect people from accessing this directory (my dashboard) to another page
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REMOTE_ADDR} !^199\.85\.
      # The target must be a full URL; a bare hostname is treated as a path on this site
      RewriteRule .* http://redirecturl.com/ [R,L]
      </IfModule>

      # Protect the wp-login.php file from access
      # <IfModule mod_rewrite.c>
      # RewriteEngine On
      # RewriteCond %{REQUEST_URI} wp-login.php
      # RewriteCond %{REMOTE_ADDR} !^199\.85\.
      # RewriteRule .* http://redirecturl.com/ [R,L]
      # </IfModule>
      Do you mean to replace ones IP with "199\.85\." in the above code?
    • awoob
      Originally Posted by theresagas

      For ip protection login, you can use this

      # Redirect people from accessing this directory (my dashboard) to another page
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{REMOTE_ADDR} !^199\.85\.
      # The target must be a full URL; a bare hostname is treated as a path on this site
      RewriteRule .* http://redirecturl.com/ [R,L]
      </IfModule>

      # Protect the wp-login.php file from access
      # <IfModule mod_rewrite.c>
      # RewriteEngine On
      # RewriteCond %{REQUEST_URI} wp-login.php
      # RewriteCond %{REMOTE_ADDR} !^199\.85\.
      # RewriteRule .* http://redirecturl.com/ [R,L]
      # </IfModule>
      Please, explain the use of this code better so that those who don't understand could understand its uses very well. You will observe that the OP explained the other code very well and it was well understood. Thanks.
      • theantihype
        Originally Posted by awoob

        Please, explain the use of this code better so that those who don't understand could understand its uses very well. You will observe that the OP explain the other code very well and well understood. Thanks.
        # Redirect people from accessing this directory (my dashboard) to another page
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_URI} wp-login.php
        RewriteCond %{REMOTE_ADDR} !^199\.85\.
        RewriteRule .* http://redirecturl.com/ [R,L]
        </IfModule>

        if mod-rewrite is enabled on the server, do the following
        Rewrite engine allows us to use rewrite rules
        first condition- if trying to access wp-login
        second condition- if IP address IS NOT in the 199.85.xx.xx range
        then we redirect, permanently and without more rules to redirecturl.com
  • DavidJeff
    All tips are amazing and good; most of them were new to me. I will implement these things in my wordpress sites.
  • Christian Little
    The problem with setting htaccess rules for your IP address is that these days a lot of people are on a dynamic ip from their web host. While it doesn't change very often for most people, it can be a pain in the rear to have to FTP and update your .htaccess file when it does change.

    One other suggestion though - only get hosting with a company that has a good firewall setup. You'd be amazed at how much protection a good firewall can offer to everybody on the server.
    • Brent Jacoby
      Originally Posted by Christian Little

      The problem with setting htaccess rules for your IP address is that these days a lot of people are on a dynamic ip from their web host. While it doesn't change very often for most people, it can be a pain in the rear to have to FTP and update your .htaccess file when it does change.

      One other suggestion though - only get hosting with a company that has a good firewall setup. You'd be amazed at how much protection a good firewall can offer to everybody on the server.
      Thanks for the suggestion about a good firewall setup at your host. Great to know more ways to keep yourself protected.
  • mktbiz
    On the problem of your ip address changing you might deny all and allow a range of ip addresses. You could call your ISP and see what block of addresses are served out to the routers where you live and just allow that range of addresses. This would only allow connections from a block of addresses from your ISP which greatly limits the number of potential people able to connect to your admin area.

    Check the apache doc at http://httpd.apache.org/docs/2./mod/mod_authz_host.html
    to see how you can allow a block of addresses either by ip address or domain name.

    This would allow your ip address to change and still be able to access as long as the new ip address is in the block of addresses you allow. Your ISP should be able to tell you what that block of addresses is or you can probably figure it out from your router ip address and netmask.

    Check out the article on website security at
    How to prevent your website from getting hacked. Repair damaged site.
    which has instructions on site repair after being hacked along with info on securing your site ahead of time.
    • Profile picture of the author Brent Jacoby
      Originally Posted by mktbiz View Post

      On the problem of your IP address changing, you might deny all and allow a range of IP addresses. You could call your ISP and see what block of addresses is served out to the routers where you live and just allow that range of addresses. This would only allow connections from a block of addresses from your ISP, which greatly limits the number of potential people able to connect to your admin area.

      Check the apache doc at http://httpd.apache.org/docs/2./mod/mod_authz_host.html
      to see how you can allow a block of address either by ip address or domain name.

      This would allow your IP address to change and still be able to access as long as the new IP address is in the block of addresses you allow. Your ISP should be able to tell you what that block of addresses is, or you can probably figure it out from your router IP address and netmask.

      Check out the article on website security at
      How to prevent your website from getting hacked. Repair damaged site.
      which has instructions on site repair after being hacked along with info on securing your site ahead of time.
      Great post! I checked out the resources you posted. I didn't really see how to allow the block of addresses. Do you know how it would look?
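As an added example (not from mktbiz's or Brent's post), here is what the range-based allow rules described above look like as .htaccess fragments. The 203.0.113.0/24 and 2001:db8::/32 ranges are documentation placeholders standing in for whatever block your ISP confirms it assigns to your area; replace them with yours. Two syntaxes are shown because the Apache 2.2 Order/Allow/Deny directives from mod_authz_host were replaced by Require in Apache 2.4 (the IfModule test picks the right one automatically).

```apache
# public_html/.htaccess  (added example; address ranges are placeholders)
# Restrict the login page to the ISP block. wp-admin/ gets its own file below.
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4: Require ip accepts single addresses or CIDR blocks,
        # one or more per directive; any match grants access.
        Require ip 203.0.113.0/24
        Require ip 2001:db8::/32
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: mod_authz_host syntax. Partial addresses such as
        # "203.0.113." also work, but CIDR is less error-prone.
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.0/24
        Allow from 2001:db8::/32
    </IfModule>
</Files>

# public_html/wp-admin/.htaccess  (added example; same ranges)
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24
    Require ip 2001:db8::/32
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24
    Allow from 2001:db8::/32
</IfModule>

# admin-ajax.php is requested by themes and plugins on behalf of ordinary
# visitors; if it is blocked, front-end features fail silently.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

Test it from a connection outside the range (a phone on mobile data, for instance) and expect a 403 on /wp-login.php and /wp-admin/. Bear in mind what this buys you: an ISP block can contain thousands of other customers, so the rule narrows the attacker pool rather than locking the door to you alone. It complements a strong password and the other steps in this thread; it does not replace them.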
  • Profile picture of the author rain21
    good info dude, actually not only wordpress, installing any CMS manually is not a big job. So I think everyone can do it manually from now on without using fantastico.
    • Profile picture of the author sanssecret
      I am forever grateful that when I first got into trying wordpress I was guided by a wordpress geek and advised NEVER to use fantastico. In all honesty, a manual install is so easy I just don't get why you would bother with it anyway.
      • Profile picture of the author corsleymaxwell
        This is so great. Thanks for sharing this application / procedure so that a wordpress site can't be hacked. It is important that we can really maintain the security of our sites.

        I will further study this and see what I can do.
      • Profile picture of the author J Bold
        Originally Posted by sanssecret View Post

        I am forever grateful that when I first got into trying wordpress I was guided by a wordpress geek and advised NEVER to use fantastico. In all honesty, a manual install is so easy I just don't get why you would bother with it anyway.
        Because it's even easier using fantastico, that's the whole selling point. Even faster and easier for those who are easily confused by the technical stuff involved with installing wordpress manually.

        No, it's not hard at all to install wordpress manually but of course many people want a simple "one click install" without worrying about all the tech stuff and that's why they would use it.

        I think it's simple to see why people would use fantastico, but now this thread has shown me reasons not to use it. I am not a tech geek at all, so it certainly helps to see this stuff.
  • Profile picture of the author jazbo
    Great tips. I think it's important to note that you should absolutely limit access to admin areas via .htaccess, but only if you have a static IP address. Also, this trick is not limited to wordpress; dump that .htaccess file into every private area you don't want people other than yourself to access.
  • Profile picture of the author Andrea Wilson
    It seems complicated. But I might want to check up on this post once I get my new wordpress blog. Nothing seems easy with getting a site more secure than before. This seems to be a work for a pro.

    Andrea
    • Profile picture of the author AubreyWebWhiz
      Wow! Very informative. Thank you for the great tips.

      Best,

      A.
    • Profile picture of the author Brent Jacoby
      Originally Posted by Andrea Wilson View Post

      It seems complicated. But I might want to check up on this post once I get my new wordpress blog. Nothing seems easy with getting a site more secure than before. This seems to be a work for a pro.

      Andrea
      Hey Andrea,

      It does seem complicated, but it's not! When you set up your next wordpress blog, just follow along with the steps that I wrote out or follow along with my youtube video on how to do it.

      If you need help just shoot me a pm and I will help you out.
  • Profile picture of the author awoob
    Originally Posted by Brent Jacoby View Post


    The first thing you need to do is NOT use fantastico! I see everyone saying to use fantastico, and I have never seen anyone actually telling you the right way to do it so you are protected.
    Thanks a lot for this great post.

    But now that I have used fantastico already, how should I go about the manual installation without affecting my blog's contents?

    I will really appreciate your reply! Thanks.
    • Profile picture of the author Brent Jacoby
      Originally Posted by awoob View Post

      Thanks a lot for this great post.

      But now that I have used fantastico already, how should I go about the manual installation without affecting my blog's contents?

      I will really appreciate your reply! Thanks.
      I have some wordpress sites that I set up with fantastico before I started researching how to make my sites more secure. I have not changed the table prefix for those sites. There are ways to do it, but I'm not a big techie person, so I didn't bother with it.

      Just google something like "how to change wordpress table prefix" and see what you can find.

      Sorry that I don't have more of a step by step instruction for you, but I'm sure it's out there somewhere.
      • Profile picture of the author awoob
        Originally Posted by Brent Jacoby View Post

        I have some wordpress sites that I set up with fantastico before I started researching how to make my sites more secure. I have not changed the table prefix for those sites. There are ways to do it, but I'm not a big techie person, so I didn't bother with it.

        Just google something like "how to change wordpress table prefix" and see what you can find.

        Sorry that I don't have more of a step by step instruction for you, but I'm sure it's out there somewhere.
        Thanks for the humble reply. It is not that I don't realize I could have easily used the WP Security Scan plugin to change my "wp_" table prefix but I don't want to.

        Immediately I read this post, I went ahead and did a lot of research on protecting wordpress. In the end, I decided to delete my initial installation with fantastico (without bothering about some things I had done on my blog already) and started the blog afresh with a manual installation (as explained above, including some other facts I was able to come across in my research).

        I decided so because I am just starting the blog. I don't have any posts on it already. I was about to post content on it before stumbling upon this great informative post. I want to ensure that I utilize all the meaningful protective measures I have come across as much as possible.

        So, thanks for the great post.
        • Profile picture of the author Brent Jacoby
          Originally Posted by awoob View Post

          Thanks for the humble reply. It is not that I don't realize I could have easily used the WP Security Scan plugin to change my "wp_" table prefix but I don't want to.

          Immediately I read this post, I went ahead and did a lot of research on protecting wordpress. In the end, I decided to delete my initial installation with fantastico (without bothering about some things I had done on my blog already) and started the blog afresh with a manual installation (as explained above, including some other facts I was able to come across in my research).

          I decided so because I am just starting the blog. I don't have any posts on it already. I was about to post content on it before stumbling upon this great informative post. I want to ensure that I utilize all the meaningful protective measures I have come across as much as possible.

          So, thanks for the great post.
          You're welcome for the post. I'd love to hear what else you could find about securing your wordpress site.
          • Profile picture of the author awoob
            Originally Posted by Brent Jacoby View Post

            You're welcome for the post. I'd love to hear what else you could find about securing your wordpress site.
            Apart from changing the "wp_" table prefix while editing the wp-config file, I also added some lines of automatically generated "authentication unique keys" (from https://api.wordpress.org/secret-key/1.1/salt/) to the "Authentication Unique Keys and Salts" section of my wp-config file.

            I also learnt about the following (though some of which are known already) in addition to some of the things you mentioned above, as far as protecting a wordpress website is concerned:

            --Updating to the latest version of wordpress regularly
            --Updating plugins regularly
            --Using complicated password
            --Hiding one's plugins
            --Being careful about one's computer vulnerabilities
            --Hosting on reliable server
            --Avoiding network vulnerabilities
            --Being careful with plugins file permissions and so on (in fact, majority of which had been mentioned in this interesting thread.)

            Thanks.
            • Profile picture of the author Brent Jacoby
              Originally Posted by awoob View Post

              Apart from changing the "wp_" table prefix while editing the wp-config file, I also added some lines of automatically generated "authentication unique keys" (from https://api.wordpress.org/secret-key/1.1/salt/) to the "Authentication Unique Keys and Salts" section of my wp-config file.

              I also learnt about the following (though some of which are known already) in addition to some of the things you mentioned above, as far as protecting a wordpress website is concerned:

              --Updating to the latest version of wordpress regularly
              --Updating plugins regularly
              --Using complicated password
              --Hiding one's plugins
              --Being careful about one's computer vulnerabilities
              --Hosting on reliable server
              --Avoiding network vulnerabilities
              --Being careful with plugins file permissions and so on (in fact, majority of which had been mentioned in this interesting thread.)

              Thanks.
              Some great security advice awoob! Thanks for coming back and sharing what you found. I think I've already mentioned it in this thread.. but for generating secure passwords and remembering them, I use roboform. I also use ESET for my computer AV and it works amazingly.
        • Profile picture of the author neojr
          Very useful information, thanks for sharing!

          Neo
          {{ DiscussionBoard.errors[3679159].message }}
        • Profile picture of the author Jill Carpenter
          I've got one of those roaming IP addy's on a broadband network, so step one is definitely too much to deal with but the rest are good.
          • Profile picture of the author Brent Jacoby
            Originally Posted by Jill Carpenter View Post

            I've got one of those roaming IP addy's on a broadband network, so step one is definitely too much to deal with but the rest are good.
            Ha. Yea I don't recommend doing that step if your IP changes. I remember doing it for all of my sites.. then a week later my IP changed... was not fun.
  • Profile picture of the author imfusa
    OMG so much info. I use a plugin called stealth login, which hides the wp-admin entrance for the admin to log in.

    This method blocks everyone trying to go to your admin log in page unless their ip address is allowed in the .htaccess file. You can add more than 1 ip address in the file if you need to. Just add in another allow from xx.xx.xx.xx in the next line.

    I didn't know this one, so thanks for another good tip.
    If you want to try that and you are being assigned a different IP by your ISP every time, you will have to edit .htaccess on every connection. I would do that, better safe than sorry.
    • Profile picture of the author L41db4ck
      You can use Fantastico, no problem but then you should upgrade to the latest version of WP and change the wp_ prefix in the database.
    • Profile picture of the author Brent Jacoby
      Originally Posted by imfusa View Post

      OMG so much info. I use a plugin called stealth login, which hides the wp-admin entrance for the admin to log in.



      If you want to try that and you are being assigned a different IP by your ISP every time, you will have to edit .htaccess on every connection. I would do that, better safe than sorry.
      Thanks for the plugin recommendation. I checked out the plugin, but it looks like it has not been updated since early 2009 and seems like its broken.
  • Profile picture of the author Tim Franklin
    Wow, ok, some interesting information. I do not agree with all of it, but hey, that's what life is all about, right? One thing I wanted to point out is that some plugins will not work if you change the prefix (just deactivating and activating will fix it most of the time).

    Never use Fantastico; you will regret it as soon as you start using custom software or plugins on your installation. (No time to get into it today, just google why fantastico $ucks.)

    While it used to be true that IP addresses changed all the time, that too is changing. It is really funny how much things change when you're busy doing other things. In an effort to be able to keep up with some justice department mandates, many users will have the same IP address over time; it is simply more convenient to be able to track users that way.

    I have a DNS at my ISP, and my IP has not changed in 5 years.

    So, even if the IP address changed, I could just upload the change to the file using FTP. Just keeping it real, because anyone that can use FTP, create a MySQL database and install software can easily fix a changed IP address.

    Over all some great advice cheers to the OP for the post.
    • Profile picture of the author L41db4ck
      Originally Posted by Tim Franklin View Post

      Never use Fantastico; you will regret it as soon as you start using custom software or plugins on your installation. (No time to get into it today, just google why fantastico
      What? Rubbish!
      • Profile picture of the author Tim Franklin
        They say don't feed the trolls, but in this case I will make an exception.

        What most people do not realize is that shared hosting, and most other forms of average hosting, does not by default allow you root access and/or shell access, which is where fantastico runs (from inside cPanel, usually configured as its own user, not you, the website owner; get that).

        So, at times, you could find that in Linux the owner of the script would be fantastico, not you, the website owner. This creates so many problems that I cannot cover them all, but really, don't take my word for it; take the thousands of others as well.

        Why You Shouldn’t Use Fantastico For Anything!

        Fantastico sucks! - osTicket Forums - Project Tools

        http://www.google.com/url?sa=t&sourc...tnKXeA&cad=rja




        Originally Posted by L41db4ck View Post

        What? Rubbish!
  • Profile picture of the author haymanpl
    WOW its a bit short. You need to add more content! hahaha

    No really great article or should i say post

    I have written an entire blog post on wordpress security plugins which i can add
  • Profile picture of the author cjreynolds
    Do all you can to protect your site, but most of all, backup, backup, backup! (just the advice you would expect from an old IT guy!)

    Then if you do get hacked, or something else disastrous happens to your site, you're back up and running ASAP.

    There are two types of computer users - those who have lost data, and those who will lose data.

    Protect yourself!

    joe
    • Profile picture of the author DudleyDog
      Just like to say I followed your video and the steps are spot on. Thanks.
    • Profile picture of the author David McKee
      Originally Posted by cjreynolds View Post

      Do all you can to protect your site, but most of all, backup, backup, backup! (just the advice you would expect from an old IT guy!)

      Then if you do get hacked, or something else disastrous happens to your site, you're back up and running ASAP.

      There are two types of computer users - those who have lost data, and those who will lose data.

      Protect yourself!

      joe
      So Joe...

      What in your opinion is the best WP backup solution? I have been using XCloner which is a true cron-tab based backup plugin and seems to work quite well as I can define both full backups and partial - It is a bit tricky to get working as it is dependent on my ISP having cron and getting those to work together.

      I guess I would like to know what system provides backups that are easy to re-install, because it's one thing to "backup", and quite another to "restore".

      Thanks.
      • Profile picture of the author cjreynolds
        Originally Posted by David McKee View Post

        So Joe...

        What in your opinion is the best WP backup solution? I have been using XCloner which is a true cron-tab based backup plugin and seems to work quite well as I can define both full backups and partial - It is a bit tricky to get working as it is dependent on my ISP having cron and getting those to work together.

        I guess I would like to know what system provides backups that are easy to re-install, because it's one thing to "backup", and quite another to "restore".

        Thanks.
        For WP blogs, I just do an export from the dashboard. It's not a FULL backup, but it gets the content, categories, etc., and I usually change themes, etc. often anyway (keeps the site looking fresh), so I use it as an excuse to re-design the site.

        I've never done a complete backup on a WP site, so I'm not much help there.

        joe
        • Profile picture of the author WPpro
          Originally Posted by cjreynolds View Post

          For WP blogs, I just do an export from the dashboard. It's not a FULL backup, but it gets the content, categories, etc., and I usually change themes, etc. often anyway (keeps the site looking fresh), so I use it as an excuse to re-design the site.

          I've never done a complete backup on a WP site, so I'm not much help there.

          joe
          BackupBuddy is the best I've seen. Really good stuff.
          • Profile picture of the author haymanpl
            BackupBuddy or cPanel does a full backup, or you can back up the files and databases separately and then restore them, as long as it's cPanel you're restoring to. I do this on a regular basis and have written 5 blog posts on all the different ways to backup, migrate and restore using different methods.
  • Profile picture of the author Murt@gh
    Thanks for the plugins, I've installed and set them up now.
  • Profile picture of the author BizSeo
    thanks for the post, it motivated me to take a look at my wordpress sites and update them with your security tips.

    If I can add more:

    1. Make sure your server isn't running any insecure or unused protocols linked to the internet, for example: ssh, ftp, smtp, samba...
    2. CREATE SECURE PASSWORDS!!! Nothing that is in any dictionary file.
    3. Update.. Update... and Update... Always update your plug-ins, your database, wordpress, your operating system, Apache. Make sure you have a way to revert from your updates because sometimes they will break something.

    Be safe! Have fun.
    • Profile picture of the author Brent Jacoby
      Originally Posted by BizSeo View Post

      thanks for the post, it motivated me to take a look at my wordpress sites and update them with your security tips.

      If I can add more:

      1. Make sure your server isn't running any insecure or unused protocols linked to the internet, for example: ssh, ftp, smtp, samba...
      2. CREATE SECURE PASSWORDS!!! Nothing that is in any dictionary file.
      3. Update.. Update... and Update... Always update your plug-ins, your database, wordpress, your operating system, Apache. Make sure you have a way to revert from your updates because sometimes they will break something.

      Be safe! Have fun.
      Thanks for the extra tips BizSeo! I'll throw another in with create secure passwords. Don't use the same password everywhere! I use roboform to create and remember my passwords and I love it.
      • Profile picture of the author RyanRobinson
        Thanks for creating the thread Brent,

        It saves me buying a $17 dollar ebook that a marketer is selling. It tells you how to secure WordPress when the information is already available online as free information.
        • Profile picture of the author Mark Ford
          d. Add user to database and check all privileges
          I never do this and consider that it could be a security risk.

          When you assign your user to the wordpress database, don't give them all permissions; this might save you some grief later. The user only needs SELECT, UPDATE, INSERT, DELETE, CREATE, ALTER and DROP to do everything required within WordPress. ALL is not required.

          Great post though.
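An added example (not from Mark Ford's post) of the narrower grant described above, placed next to the "all privileges" grant that the hosting panel checkbox produces. Database, user and password are placeholders: wp_example_db, wp_example_user connecting from localhost.

```sql
-- Added example; database, user, host and password are placeholders.

-- What ticking "all privileges" in the hosting panel amounts to.
-- Kept here, commented out, only for comparison:
-- GRANT ALL PRIVILEGES ON wp_example_db.* TO 'wp_example_user'@'localhost';

-- Fresh user for this one site. Skip this line if the panel already
-- created the user, and run the REVOKE below instead to strip what the
-- checkbox handed out.
CREATE USER 'wp_example_user'@'localhost'
    IDENTIFIED BY 'replace-with-a-long-random-password';
-- REVOKE ALL PRIVILEGES ON wp_example_db.* FROM 'wp_example_user'@'localhost';

-- The narrower grant: SELECT/INSERT/UPDATE/DELETE cover day-to-day use,
-- CREATE/ALTER/DROP cover core upgrades and plugin activation, which add
-- and alter their own tables. Scoped to this database only, no GRANT
-- OPTION, nothing global (*.*).
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP
    ON wp_example_db.*
    TO 'wp_example_user'@'localhost';

FLUSH PRIVILEGES;

-- Confirm: the output should list exactly the seven privileges above on
-- wp_example_db.* and nothing else.
SHOW GRANTS FOR 'wp_example_user'@'localhost';
```

If a plugin's install later fails with a "command denied" error, the MySQL error text names the missing privilege; add only that one (INDEX, and LOCK TABLES for backup plugins that dump the database, are the ones that commonly come up) rather than falling back to ALL.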
  • Profile picture of the author WilliamLark
    great advice and nice little guide GREAT JOB!
  • Profile picture of the author royaltyw
    Thanks Brent for the post. That actually came in handy.
  • Profile picture of the author Adam Struve
    Don't ever use pirated themes. It's really easy to sneak malicious code into them.
  • Some great advice for the newbies such as myself. Thank you
  • Profile picture of the author theantihype
    Nice.. but nowhere near secure.

    Still very vulnerable to bad queries and database jacking (you miss 3 critical wp-config security settings)

    Plus you don't talk about turning off server signatures in httpd.conf
    • Profile picture of the author awoob
      Originally Posted by theantihype View Post

      Nice.. but nowhere near secure.

      Still very vulnerable to bad queries and database jacking (you miss 3 critical wp-config security settings)

      Plus you don't talk about turning off server signatures in httpd.conf
      Then give us what is "near secure" according to you as he has kindly done!
      • Profile picture of the author theantihype
        Originally Posted by awoob View Post

        Then give us what is "near secure" according to you as he has kindly done!
        Here's a quick and easy one:

        Instead of using the default wp-config where you put your database credentials, create a new php file with that info (cut and paste). Then upload this to your server above your public_html folder (your private / non-www area). Then require (not include) this file with correct pathing in wp-config.

        this essentially hides your most important info, which is stored in plain text.

        next i recommend installing BBQ to block from XSS / eval / base64
        WordPress › Block Bad Queries (BBQ) « WordPress Plugins

        finally, once you had completed editing your theme/plugins, add this to wp-config:
        define('DISALLOW_FILE_EDIT',true);

        Which will prevent any user from editing any PHP.

        So if your login gets hacked, they won't be able to do nearly
        as much damage. Especially if you also CHMOD your wp-content folder to 644
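An added example of the layout theantihype describes, not code from the post: wp-config.php stays in the document root but holds no secrets; it requires a file one directory above public_html and switches off the built-in file editor. Paths and names are assumptions: the account home is /home/account, the web root is /home/account/public_html, and /home/account/wp-secrets.php contains the DB_NAME, DB_USER, DB_PASSWORD and DB_HOST defines, the AUTH_KEY and related salts, and the $table_prefix assignment that would otherwise sit in wp-config.php. One caveat on the chmod advice above: 644 on a directory clears the execute (search) bit, so the web server can no longer enter wp-content at all; the usual values are 755 for directories and 644 for files.

```php
<?php
// public_html/wp-config.php  (added example; paths are assumptions)
//
// Credentials live in /home/account/wp-secrets.php, one level above the
// web root, so a misconfigured server cannot serve them as a file. require
// (not include) makes PHP stop with a fatal error if the file is missing,
// instead of carrying on with undefined DB_* constants.
$secrets = dirname(__DIR__) . '/wp-secrets.php';   // __DIR__ is public_html
if (!is_readable($secrets)) {
    header('HTTP/1.1 503 Service Unavailable');
    exit('Configuration file missing.');
}
require $secrets;

// Refuse to run if the secrets file forgot the prefix or left the default,
// rather than silently falling back to the wp_ tables everyone targets.
if (empty($table_prefix) || $table_prefix === 'wp_') {
    exit('table_prefix is not set or is still the default.');
}

define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

// Removes the theme and plugin editors from the dashboard, so an attacker
// who obtains an admin login cannot write PHP through the browser.
define('DISALLOW_FILE_EDIT', true);

if (!defined('ABSPATH')) {
    define('ABSPATH', dirname(__FILE__) . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Make wp-secrets.php readable only by the user PHP runs as. On shared hosting that is often the web server's user rather than your own account, so check which handler the host uses before tightening it to 600; a file PHP cannot read produces the 503 above on every request.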
        • Profile picture of the author awoob
          Originally Posted by theantihype View Post

          Here's a quick and easy one:

          Instead of using the default wp-config where you put your database credentials, create a new php file with that info (cut and paste). Then upload this to your server above your public_html folder (your private / non-www area). Then require (not include) this file with correct pathing in wp-config.

          this essentially hides your most important info, which is stored in plain text.
          I also read about this in my research. Thanks for sharing other security measures.
    • Profile picture of the author Brent Jacoby
      Originally Posted by theantihype View Post

      Nice.. but nowhere near secure.

      Still very vulnerable to bad queries and database jacking (you miss 3 critical wp-config security settings)

      Plus you don't talk about turning off server signatures in httpd.conf
      Thanks for bringing up some more methods to make our wordpress sites more secure. I don't claim to be a wordpress security expert at all. I started this thread to help others with what I have learned from my own research and also appreciate anyone contributing their own security tips.
  • Profile picture of the author theantihype
    forgot to add this as well... place in your theme's functions.php:

    remove_action('wp_head', 'rsd_link');
    remove_action('wp_head', 'wlwmanifest_link');
    remove_action('wp_head', 'wp_generator');

    Last, I'm not sure if OP mentioned it, but the last plugin to install is "Stealth Login", which will further limit spam and splogs
  • Profile picture of the author jimmidwest
    Brent - thanks for putting this information together. Very timely, just the information I'm looking for.

    Thanks
    Jim
  • Profile picture of the author EliteWealth
    That was a load of information that will have me revisiting this thread for the next few days. Given that I have plenty of wp sites that were created using fantastico, because I didn't think it was insecure, I now see that I have a lot of work to do.
  • Profile picture of the author Jake Gray
    Brent,

    WordPress wouldn't be the major security problem. Although there
    are plugins out there that could pose a potential security risk, (which
    is why you do NOT install numerous, unused plugins on your blog) but
    if your server isn't safe, it doesn't matter how many precautions you
    take with your CMS.

    Server security is usually managed by your host (If you are hosting with
    a shared hosting account) and then there are things such as unmanaged
    virtual private servers, etc. It all goes into security. If you have a reliable
    structure, your building won't come crashing down and turn into a pile of
    rubble.

    Jake
    • Profile picture of the author Brent Jacoby
      Originally Posted by Jake Gray View Post

      Brent,

      WordPress wouldn't be the major security problem. Although there
      are plugins out there that could pose a potential security risk, (which
      is why you do NOT install numerous, unused plugins on your blog) but
      if your server isn't safe, it doesn't matter how many precautions you
      take with your CMS.

      Server security is usually managed by your host (If you are hosting with
      a shared hosting account) and then there are things such as unmanaged
      virtual private servers, etc. It all goes into security. If you have a reliable
      structure, your building won't come crashing down and turn into a pile of
      rubble.

      Jake
      Thanks for your insight about server security, Jake. I know what you mean about needing to have a secure server.. but of course it doesn't hurt to also take some precautions with your CMS.
      Signature
      Coming Soon!
  • Profile picture of the author shafiqkamal
    Hi,

    What if my Wordpress site is installed using fantastico and has all my posts in it. How do I change this?


    Regards,
    Shafiq
    Signature

    Never give up, Never surrender!

    • Profile picture of the author Brent Jacoby
      Originally Posted by shafiqkamal View Post

      Hi,

      What if my Wordpress site is installed using fantastico and has all my posts in it. How do I change this?


      Regards,
      Shafiq
      Hey Shafiq,

      I have some sites that I installed with fantastico, and I didn't bother changing them. I just made sure that I installed all of my future wordpress sites manually. If you google something like 'how to change wordpress table prefix' I am sure you will find some info about what to do. I just never messed with it since the wordpress sites that I did install with fantastico were not that big of a deal to me.
      Signature
      Coming Soon!
  • Profile picture of the author iwantmore
    Great information coming through in this thread.

    I was directed here by one of my plugin owners as they think it would be a good idea to make you all aware of what my plugin can offer in terms of security.

    As the thread owner has already said, "almost" unhackable is the keyword. Everything can be breached; it's all about making it very difficult.

    The information provided is a great start to securing your WordPress install, but you can go much, much further.

    The plugin I have developed has a lot of features aimed at securing WordPress. All of which require no file editing, no FTP access, no manual labour.

    All you have to do is install the plugin, and then setup the options from the WordPress admin.

    I'm trying not to turn this into a "look at my product" post, but I do think many readers on this thread would benefit from reading about the features available with my plugin.


    The Quick Site Setup Plugin
    WordPress Security at its Best



    Keep the security ideas coming, I might be able to integrate them into my plugin in the future.
    Signature
    No Half Pixels
    Creative Web Development and Design, NOT A FIXED PRICE SERVICE, if you want the best don't settle for an off the shelf solution.

    We provide cutting edge design, web development with WordPress, WHMCS, PHP, HTML, CSS, jQuery, and personalised hosting solutions to suit any needs.
    • Profile picture of the author iwantmore
      Sorry, I would just like to mention one feature of the plugin is that you can change the wordpress table prefix from within WordPress and do not have to the admin area.
      Signature
      No Half Pixels
      Creative Web Development and Design, NOT A FIXED PRICE SERVICE, if you want the best don't settle for an off the shelf solution.

      We provide cutting edge design, web development with WordPress, WHMCS, PHP, HTML, CSS, jQuery, and personalised hosting solutions to suit any needs.
    • Profile picture of the author Brent Jacoby
      Originally Posted by iwantmore View Post

      Great information coming through in this thread.

      I was directed here by one of my plugin owners as they think it would be a good idea to make you all aware of what my plugin can offer in terms of security.

      As the thread owner has already said, "almost" unhackable is the keyword. Everything can be breached; it's all about making it very difficult.

      The information provided is a great start to securing your WordPress install, but you can go much, much further.

      The plugin I have developed has a lot of features aimed at securing WordPress. All of which require no file editing, no FTP access, no manual labour.

      All you have to do is install the plugin, and then setup the options from the WordPress admin.

      I'm trying not to turn this into a "look at my product" post, but I do think many readers on this thread would benefit from reading about the features available with my plugin.


      The Quick Site Setup Plugin
      WordPress Security at its Best



      Keep the security ideas coming, I might be able to integrate them into my plugin in the future.
      I got your plugin and I have to say that I am absolutely blown away! By far the best plugin I have ever used and one that everyone should seriously take a look at. As you mentioned, I did see the area in your plugin for changing the table prefix. I did not try it.. but still very cool. All of the other options have me so excited though!
      Signature
      Coming Soon!
  • Profile picture of the author celente
    this is great for anyone with a blog.

    I have just followed along with this. I have a very big high-traffic niche blog and it gets spam, heaps of it. So I am worried it might lead to hackers coming along. Thanks for this, great stuff.
  • Profile picture of the author Matt Woityra
    Take it from me, it's not fun getting hacked. My one blog got hacked with 3 small iframe redirects. At least that's all that I found. Any new ways to make it more secure I am thankful for.
  • Greetings To All,

    First off, I hope I am responding to this post correctly; I am new to your forum. What an "unbelievably informative" post. I can't believe how much I learned that I was doing wrong. I'm going to go back and implement what you suggested.

    Okay, let me apologize in advance for the length of this first post; I will make any future posts much more concise. Like I said, I am an older gent that is amazed at what you younger folks have accomplished with Internet Marketing; it truly is amazing and you need to be proud of yourselves.

    I am getting ready to launch my first ebook. I am creating several ebooks (and videos later) in the DIY and Handyman niches. I am using a WordPress platform with a template to create my salespage/minisite. I am using the "WP-SalesPage" template and have set this home page as the "static" page.

    I have another separate, but related domain name which I have also set-up on a templated WordPress platform. I use this one as my squeeze/opt-in page which directs folks to my main site. It has a (high quality) free ebook give-a-way for the opt-in. I have put considerable time and energy into both the free ebook as well as my main product.

    Just as an aside, I have acquired three more domain names which I plan to use in three more squeeze pages to direct to my main sales page (I'm assuming this will work, if not please let me know if this is a bad idea).

    You mentioned several ways that I can secure my WordPress site and I am going to implement them. My big frustration lately is to find a not-too-difficult-to-install, yet effective, way to protect my thank you/download pages for my main product as well as the free ebook. I am not concerned with affiliate marketing, at this point, and will only be using PayPal to handle the orders (possibly Google Checkout later). I'm also using AWeber for my autoresponder.

    The other issues that are important to me are that I am able to use my own custom thank you/download pages as well as my custom "Add To Cart" buttons. As I said earlier, I have really been frustrated in trying to find something that will work for both my squeeze page and salespage.

    I have looked at several products and purchased several, only to find out that they aren't really adapted to work with WordPress. I have been looking at DLGuard. It is a fine product, but a little more than what I want to pay right now. Any and all help will be greatly appreciated.

    Gary
  • Profile picture of the author Brent Jacoby
    Wow.. what a great first post Gary! You may be amazed at what some younger people have accomplished, but I am amazed at what YOU have accomplished!

    With that said, I don't know if you will really find the answers you are looking for in this exact thread. You should probably start a new thread with your questions and I know you will be able to get some warriors who will have some good answers for you.

    Also, don't worry about your posts being too long. I actually enjoyed your post and look forward to many more.
    Signature
    Coming Soon!
    • Brent,

      Thanks for the kind words. I feel like a total idiot; I did a little more reading on WF and concluded (duh) that I need to start my own thread, is that correct?

      Gary B
    • Brent,

      This is Gary B again, could you give a hint on how to start a thread?

      Thanks in advance

      Gary
      • Profile picture of the author Brent Jacoby
        Originally Posted by two dogs and a man View Post

        Brent,

        This is Gary B again, could you give a hint on how to start a thread?

        Thanks in advance

        Gary
        Hey Gary,

        When you go into the Main Internet Marketing Discussion Forum, there should be a black button near the top left of the forum threads. It will say "New Thread".

        Although, I'm not sure if you have to have a certain amount of posts until you actually see it.. which may be the case if you don't see it.

        If you don't see it.. you'll have to wait till you get enough posts. It may be just 10.. but I am not sure.

        Sorry I couldn't help more.
        Signature
        Coming Soon!
  • Profile picture of the author Brent Jacoby
    Don't feel like an idiot! Yes, I think you should start your own thread. You have some very valid questions and I'm sure you will have a much better chance at getting the answers you are looking for.
    Signature
    Coming Soon!
  • Profile picture of the author Giani
    Thanks for the very good information.
  • Profile picture of the author AFI
    Now you're setting yourself up to get hacked just to prove they can.

    Very good guide though. Great information.
    Signature

    Learn about Internet Marketing from my dofollow comment blog.....Make Extra Money At Home...
    I WILL BUILD YOU YOUR OWN CUSTOM AMAZON REVIEW SITE - HUNDREDS SOLD!
    • Profile picture of the author Brent Jacoby
      Originally Posted by AFI View Post

      Now you're setting yourself up to get hacked just to prove they can.

      Very good guide though. Great information.
      LOL! I better never share any of my sites then!

      Thanks, I appreciate that.
      Signature
      Coming Soon!
  • Profile picture of the author Istvan Horvath
    The "almost" part of title is important to remember...

    The BIG wordpress site (wordpress.com), run by the dev's company, has just been hacked.
    • Profile picture of the author Brent Jacoby
      Originally Posted by Istvan Horvath View Post

      The "almost" part of title is important to remember...

      The BIG wordpress site (wordpress.com), run by the dev's company, has just been hacked.
      Wow. Very true Istvan.

      I know Istvan is very good at wordpress.. so this isn't directed to him. But for everyone else, don't just stop with what I recommended or what others have recommended. Do some research and become more educated in website security.. because like Istvan says.. there is no way to be "unhackable" but it doesn't hurt to be as protected as possible. Most importantly, always do regular backups of your sites!
      Signature
      Coming Soon!
  • Profile picture of the author Moneyerr
    Amazing post. All tips are very good, some of them are not in my knowledge. I will implement these things in my wordpress sites asap.
  • Profile picture of the author Valuable Solos
    I have had 5 wordpress sites hacked in the last four weeks. I wish I saw this thread earlier. Is Wordpress hacking on the rise or have I been lucky until recently?
  • Profile picture of the author Sweely99
    Wow! I've really missed out on a lot when it comes to WP security. Thanks.
  • Profile picture of the author WPpro
    Originally Posted by Brent Jacoby View Post

    I thought I'd put together a little guide for everyone on the warrior forum who use wordpress for their websites.
    Hi Brent, I'd like to add to the perspective here based on my own experiences with WordPress - which span nearly 8 years of daily WordPress code development and customer site management, plus 17 years of dealing directly with system and network security. I lost count of how many bad guys I've chased off or corralled.

    A few points:

    • Changing the wp_ table prefix is a good idea. But it won't stop the savvy intruders.
    • Using tools to rename the 'admin' account and tools to block access to the WP admin panel is good. But again, savvy intruders will never waste their time on such obvious points of entry. They like weaknesses. The WP admin login screen is not much of a point of weakness. Trying to brute-force usernames and passwords is a pain in the arse and a waste of time.
    • Savvy intruders don't care about what version of WP you're using, because they typically aren't looking for that sort of info.
    More often than not what happens is this:

    • One or more psychopathic bad guys (who sometimes refer to themselves as hackers) band together.
    • They have many motives, but 3 motives stand far and above the others: Profit, fame, and resource assimilation
    • Those after profit will either try to steal your customers' info, or inject hidden links into your site to increase page rank for illicit sites, or inject scripts that attempt to infect the computers of your site visitors - all in hopes of monetary gain.
    • Those after fame will - most of the time - simply deface your site, to your great embarrassment. And they run scripts to do the defacing so they can cut the script loose at night then wake up in the morning and brag to their buddies on underground forums that they hacked 857 sites overnight.
    • Those into resource assimilation look to gain access to your site so that they can use your disk space and bandwidth to move all sorts of troublesome data (stolen credit cards, pirated software, porn, etc.)

    Almost invariably these so-called 'hot shot intruders' travel the Internet using a dragnet in the form of scripts. They write automation scripts that discover sites in a variety of ways (search engines, site comment links, online directories, email messages, network sniffers, and so on). The scripts then try a number of different exploits against nearly every site in the list of sites they build. They don't care if YOUR site is vulnerable, or running ancient WordPress 1.5, or whatever. All they care about is how many sites they can infiltrate in the shortest amount of time. It's all about volume.

    These bad guy 'creatures' and these tactics are the most common source of hacked Web sites.

    Granted, once in a while there are highly targeted hacks aimed directly at specific sites (WordPress.com was root hacked overnight April 12-13, 2011). But if we think about it a moment - why would a bad guy waste time targeting my simple sales page when it's glaringly obvious on the page that I use a third-party payment gateway (e.g. no credit card info stored on the site), and that I use a third-party list service (e.g. no mailing list on the site to steal or spam), and/or that my site consists of text, images, and videos and nothing more? Well, there's almost no motive, unless there's a personal vendetta.

    So, the overall point here is that your advice is reasonable and should come in handy for some folks. But, the biggest point of entry isn't even WordPress itself - not based on my experiences anyway.

    Good write up though!

    ________________________________________________________________
    All my posts are Copyright (c) 2011 - WPpro - All Rights Reserved ;-)
    • Profile picture of the author paulie888
      Originally Posted by WPpro View Post

      Granted, once in a while there are highly targeted hacks aimed directly at specific sites (WordPress.com was root hacked overnight April 12-13, 2011). But if we think about it a moment - why would a bad guy waste time targeting my simple sales page when it's glaringly obvious on the page that I use a third-party payment gateway (e.g. no credit card info stored on the site), and that I use a third-party list service (e.g. no mailing list on the site to steal or spam), and/or that my site consists of text, images, and videos and nothing more? Well, there's almost no motive, unless there's a personal vendetta.

      So, the overall point here is that your advice is reasonable and should come in handy for some folks. But, the biggest point of entry isn't even WordPress itself - not based on my experiences anyway.

      Good write up though!
      You make a good point there, unless our sites somehow became something of interest to these hackers, they'd be passed up in favor of more lucrative and/or interesting blogs that catch their eye.
      Signature
      >>> Features Jason Fladlien, John S. Rhodes, Justin Brooke, Sean I. Mitchell, Reed Floren and Brad Gosse! <<<
      • Profile picture of the author WPpro
        Originally Posted by paulie888 View Post

        You make a good point there, unless our sites somehow became something of interest to these hackers, they'd be passed up in favor of more lucrative and/or interesting blogs that catch their eye.
        Ya, but only in situations of targeted attacks.

        All sites are still susceptible to being targeted by the dragnet-types of automated attacks. It doesn't mean any particular site would get hacked, but their automation would try anyway since it is basically non-prejudiced.
    • Profile picture of the author Brent Jacoby
      Originally Posted by WPpro View Post

      Hi Brent, I'd like to add to the perspective here based on my own experiences with WordPress - which span nearly 8 years of daily WordPress code development and customer site management, plus 17 years of dealing directly with system and network security. I lost count of how many bad guys I've chased off or corralled.

      A few points:

      • Changing the wp_ table prefix is a good idea. But it won't stop the savvy intruders.
      • Using tools to rename the 'admin' account and tools to block access to the WP admin panel is good. But again, savvy intruders will never waste their time on such obvious points of entry. They like weaknesses. The WP admin login screen is not much of a point of weakness. Trying to brute-force usernames and passwords is a pain in the arse and a waste of time.
      • Savvy intruders don't care about what version of WP you're using, because they typically aren't looking for that sort of info.
      More often than not what happens is this:

      • One or more psychopathic bad guys (who sometimes refer to themselves as hackers) band together.
      • They have many motives, but 3 motives stand far and above the others: Profit, fame, and resource assimilation
      • Those after profit will either try to steal your customers' info, or inject hidden links into your site to increase page rank for illicit sites, or inject scripts that attempt to infect the computers of your site visitors - all in hopes of monetary gain.
      • Those after fame will - most of the time - simply deface your site, to your great embarrassment. And they run scripts to do the defacing so they can cut the script loose at night then wake up in the morning and brag to their buddies on underground forums that they hacked 857 sites overnight.
      • Those into resource assimilation look to gain access to your site so that they can use your disk space and bandwidth to move all sorts of troublesome data (stolen credit cards, pirated software, porn, etc.)

      Almost invariably these so-called 'hot shot intruders' travel the Internet using a dragnet in the form of scripts. They write automation scripts that discover sites in a variety of ways (search engines, site comment links, online directories, email messages, network sniffers, and so on). The scripts then try a number of different exploits against nearly every site in the list of sites they build. They don't care if YOUR site is vulnerable, or running ancient WordPress 1.5, or whatever. All they care about is how many sites they can infiltrate in the shortest amount of time. It's all about volume.

      These bad guy 'creatures' and these tactics are the most common source of hacked Web sites.

      Granted, once in a while there are highly targeted hacks aimed directly at specific sites (WordPress.com was root hacked overnight April 12-13, 2011). But if we think about it a moment - why would a bad guy waste time targeting my simple sales page when it's glaringly obvious on the page that I use a third-party payment gateway (e.g. no credit card info stored on the site), and that I use a third-party list service (e.g. no mailing list on the site to steal or spam), and/or that my site consists of text, images, and videos and nothing more? Well, there's almost no motive, unless there's a personal vendetta.

      So, the overall point here is that your advice is reasonable and should come in handy for some folks. But, the biggest point of entry isn't even WordPress itself - not based on my experiences anyway.

      Good write up though!

      ________________________________________________________________
      All my posts are Copyright (c) 2011 - WPpro - All Rights Reserved ;-)
      Wow! Now this is what I call a valuable post!

      I do really appreciate you giving out your perspective. I started this thread to show others what I had learned from my own research about WP security. During my research everything I came across was pretty basic... and I never saw anyone talking about the stuff like in your post.

      There have been some amazing insights from other warriors posting in here. Your post and someone else mentioning the problems (besides the table prefix) with fantastico.

      Thanks for taking the time to write this up!
      Signature
      Coming Soon!
  • Profile picture of the author EliteWealth
    Decided to check back in, I see that this topic is still hot. It is a very realistic concern. Tell me this, what are the chances of your WP blog getting hacked? You would think that the hackers would shoot for the high-ranking blogs, or does it really matter?
    • Profile picture of the author WPpro
      Originally Posted by EliteWealth View Post

      Decided to check back in, I see that this topic is still hot. It is a very realistic concern. Tell me this, what are the chances of your WP blog getting hacked? You would think that the hackers would shoot for the high-ranking blogs, or does it really matter?
      The answer depends on what measures you take to keep your sites secure. The overwhelming majority of people don't do enough. They THINK they do enough, but unfortunately they don't REALLY do enough. And it's not their fault -- they don't know what "enough" is, and they've been misled by other people along the way.
  • Profile picture of the author Rob Marr
    Hi Brent. Thanks for this post. This is a cool tip that I can use.
  • Profile picture of the author Deepak Media
    Originally Posted by Brent Jacoby View Post

    Next up you can create a file that only lets you see your wordpress admin log in page. I started doing this on all of my sites and quickly found out I couldn't do it anymore because my ip address changes often.

    So this method is for people if you know your ip address doesn't change. If someone tries to go to your admin log in page they will only see a blank page.

    Here is how you do it:

    1. Open up notepad
    2. Paste in

    order deny,allow
    deny from all
    allow from xx.xx.xx.xx

    3. Change xx.xx.xx.xx with your ip address
    4. If you don't know what your ip address is then go to What Is My IP Address - Shows Your IP Address
    5. Copy what they tell you your ip address is (make sure you aren't using any proxies at the time) and paste it over xx.xx.xx.xx
    6. Save the text file as .htaccess
    7. Upload it to your website's wp-admin folder through FTP
    8. You may have to edit the name because for me when I upload it it changes to .htaccess.txt so just edit the name and take off the .txt part
    9. Go to yourdomain.com/wp-admin, if it loads fine then you are good to go
    10. If you only see a blank page then something went wrong, don't panic just go back into your ftp and make sure you put the right ip address in the .htaccess file
    11. If you still can't figure out what's wrong then just delete the file

    This method blocks everyone trying to go to your admin log in page unless their ip address is allowed in the .htaccess file. You can add more than 1 ip address in the file if you need to. Just add in another allow from xx.xx.xx.xx in the next line.
    Did you know that your ISP changes the IP every time you connect, but the first 2 parts of the IP don't change most of the time.

    This method also allows you to assign wild cards.

    Ex: order deny,allow
    deny from all
    allow from xx.xx

    or

    order deny,allow
    deny from all
    allow from 291.221

    This will allow all IPs starting with 291.221...
    Signature
    Digital Marketing Author | Speaker | Consultant

    Read my Blog: DigitalDeepak.com

    @ Bangalore, India.
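    Step 10 of the quoted procedure (a blank page means the IP in the file is wrong) can be checked offline before the upload. The script below is an added example, not from Deepak's post, the OP, or Apache: it parses the `order deny,allow` / `deny from all` / `allow from ...` directives shown above, rejects a prefix whose octets fall outside 0-255 (so a slip in a partial address like the one in the post is caught before it locks you out), and reports whether a given client IP would reach wp-admin. It models Apache's rule that a partial address such as `198.51.100` matches whole octets only, so `198.51.10.5` is not let in. The sample `.htaccess` contents and the IP addresses are constructed from documentation ranges.

```python
"""Offline check of a wp-admin/.htaccess IP allow-list written in the
Apache 2.2 mod_authz_host syntax used in the thread. Added example;
sample file and addresses are constructed."""
import ipaddress

# Constructed sample: one full address plus a first-three-octet prefix.
SAMPLE_HTACCESS = """\
order deny,allow
deny from all
allow from 203.0.113.7
allow from 198.51.100
"""


def _parse_target(target):
    """Validate one 'from' target and return a matcher tuple.

    Accepts 'all', a CIDR network, a full IPv4 address, or a partial dotted
    prefix (matched on octet boundaries, as Apache does). Raises ValueError
    for an octet outside 0-255, which is the typo that locks people out.
    """
    t = target.strip().lower()
    if t == "all":
        return ("all", None)
    if "/" in t:
        return ("net", ipaddress.ip_network(t, strict=False))
    octets = t.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad IPv4 prefix: {target!r}")
    parsed = []
    for o in octets:
        if not o.isdigit() or not 0 <= int(o) <= 255:
            raise ValueError(f"octet {o!r} out of range 0-255 in {target!r}")
        parsed.append(int(o))
    return ("prefix", parsed)


def parse_htaccess(text):
    """Return (order, [(directive, matcher), ...]); unrelated directives are skipped."""
    order, rules = "deny,allow", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, value = line.partition(" ")
        directive, value = directive.lower(), value.strip()
        if directive == "order":
            order = value.replace(" ", "").lower()
            if order not in ("deny,allow", "allow,deny"):
                raise ValueError(f"unsupported order: {value!r}")
        elif directive in ("allow", "deny"):
            kw, _, target = value.partition(" ")
            if kw.lower() != "from" or not target.strip():
                raise ValueError(f"expected '{directive} from <target>': {line!r}")
            rules.append((directive, _parse_target(target)))
    return order, rules


def _matches(matcher, ip):
    kind, val = matcher
    if kind == "all":
        return True
    if kind == "net":
        return ip in val
    # partial prefix: compare leading octets numerically, never as a string
    return [int(p) for p in str(ip).split(".")][: len(val)] == val


def is_allowed(parsed, client_ip):
    """Apply Apache 2.2 Order semantics to one client address."""
    order, rules = parsed
    ip = ipaddress.ip_address(client_ip)
    if ip.version != 4:
        raise ValueError("this checker only models IPv4 rules")
    allowed = any(_matches(m, ip) for d, m in rules if d == "allow")
    denied = any(_matches(m, ip) for d, m in rules if d == "deny")
    if order == "deny,allow":
        # denies evaluated first; a matching allow overrides; unmatched pass
        return allowed or not denied
    # allow,deny: must match an allow and must not match a deny
    return allowed and not denied


def check_before_upload(text, client_ip):
    """Return (reaches_wp_admin, message) for the file you are about to upload."""
    try:
        parsed = parse_htaccess(text)
    except ValueError as exc:
        return False, f"invalid .htaccess: {exc}"
    ok = is_allowed(parsed, client_ip)
    return ok, ("your IP would reach wp-admin" if ok
                else "your IP would get the blank page")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.200", "198.51.10.5"):
        print(ip, check_before_upload(SAMPLE_HTACCESS, ip))
    print(check_before_upload("order deny,allow\ndeny from all\nallow from 291.221\n",
                              "198.51.100.1"))
```

    On Apache 2.4 the same allow-list is written as `Require ip 203.0.113.7 198.51.100` (mod_authz_core), which accepts the same partial-address form; the octet-range check above applies equally there.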