by Sleika
35 replies
Hi Guys,

Finally getting started, got the domain I wanted, hosting and PayPal sorted out, and a decent amount of research done to start (thanks btw to the warriors that helped me out).

Gonna start working on my site using WordPress - any suggestions for securing the site?
#securing #wordpress
  • threezerozero
    Take a look at Better WP Security. I've been using it lately and I personally love it. It's free and it does a pretty decent job addressing security issues.

    WordPress › Better WP Security « WordPress Plugins
    • Sleika
      checking it out, ty
  • Abledragon
    There are lots of things you can do to strengthen your WordPress site's security.

    You need to make sure you don't have a user named 'admin', change the database table prefix, use SFTP rather than FTP, place a .htaccess file in your admin directory, put blank index.html files in your plugins and themes directories, and so on.

    The second part of this article goes into more detail:

    WordPress Security: How to Fix Your Site if it is Hacked | WealthyDragon

    Cheers,

    Martin.
    • DJL
      Originally Posted by Abledragon:

      ...
      You need to make sure you don't have a user named 'admin', change the database table prefix, use SFTP rather than FTP, place a .htaccess file in your admin directory, put blank index.html files in your plugins and themes directories, and so on.
      ...
      I've done all of the above, yet today the Wordfence security plugin reported about 20 login attempts that were blocked because they used an invalid username.
      My question is, how did they get past my .htaccess file (in the wp-admin folder) that reads as follows:
      --------------------------------------
      order deny,allow
      deny from all
      allow from xx.xx.xx.xxx (My IP Address)
      --------------------------------------
      I would really appreciate it if anybody can explain this.

  • Pecan
    I'd make a habit of backing it up often, especially if you plan on playing around with different plugins and themes.

    That way you have something to fall back on if things get too messed up.
  • AttilaTheHun
    If you have some Linux skills you can check the final build with wpscan (wpscan.org) for vulnerabilities.
  • marketwarrior06
    Don't really get it. I have never done this because it's not a big deal. Why do you have to secure your site? The normal protection from your hosting is enough, I think.
    • threezerozero
      Originally Posted by marketwarrior06:

      Don't really get it. I have never done this because it's not a big deal. Why do you have to secure your site? The normal protection from your hosting is enough, I think.
      That's what a few people have told me before, until their sites got hacked. Believe me, it's better to be safe than sorry... imagine all the hard work and effort you put in over a few months destroyed within a few minutes or hours.....

      If you think you're safe..... then you'll be in for a rude surprise. I'm not trying to bash you, but I'm trying to give you a heads up. Installing security measures will be well worth your while in the long run. You may not get hacked immediately.... but at some point in the future, someone will try.

      I looked at my log in Better WP Security and within 2 hours of putting up my site, someone was already trying to log into my account. Keep in mind I didn't tell anyone I was launching this. Be safe out there and always keep an eye out for these things.
    • AttilaTheHun
      Originally Posted by marketwarrior06:

      Don't really get it. I have never done this because it's not a big deal. Why do you have to secure your site? The normal protection from your hosting is enough, I think.
      Well.. why are you looking left and right before crossing the road? To prevent an accident. Similarly, we are securing WP sites to prevent hacking. A default WP install is modestly secure. You are installing a theme and plugins and increasing the attack surface. You never know when someone will find a software security bug (vulnerability) in the WP core or in any plugin. If you take some preventive measures - rename admin, control unsuccessful logins, change the db prefix etc., see above - you can limit the damage and / or make an automated attack harder.
      There is no such thing as "normal protection" at hosting companies for WP. They are protecting their network and securing their host operating system, but in 99% of cases, that's it. You get a default install of WordPress.
  • ArielT
    Originally Posted by Sleika:

    Hi Guys,

    Finally getting started, got the domain I wanted, hosting and PayPal sorted out, and a decent amount of research done to start (thanks btw to the warriors that helped me out).

    Gonna start working on my site using WordPress - any suggestions for securing the site?
    Yes, I also suggest "Better WP Security". I was reading this site some days ago that talks about it and found it useful: Best WordPress Security Plugin - Better WP Security Plugin (this isn't a site of mine)
  • Sleika
    Didn't expect this post to show back up, but agree, rather cover your ass ahead of time as best as possible. Not saying it can't happen, but why not look ahead.

    Anyhow, another shout out to the WF forum for some quality advice .... went ahead and installed Better WP Security and have been doing backups.
  • jtprattmedia
    +1 to better WP security plugin (free)

    also read our free guide to fixing a hacked WP blog, there are steps you can use to secure and harden your website (before an attack): How to Fix a Hacked Wordpress Blog | JTPRATT Wordpress Consultant
  • mdan287
    Limit login attempts. I have set a restriction that after 5 failed login attempts within 1 hour the user will be banned for the next 24 hours.
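The thread never answers DJL's question above, so here is an added example (not code from this thread or from any plugin named in it): wp-login.php lives in the WordPress root, not in wp-admin, so a .htaccess in wp-admin never sees login attempts (the .htaccess fix is the same three lines inside a `<Files wp-login.php>` block in the site root's .htaccess). This must-use plugin applies that IP allowlist in PHP via the login_init hook and implements mdan287's 5-failures-within-1-hour, 24-hour-ban policy with WordPress transients, which also covers failures coming in through XML-RPC since those go through the same wp_authenticate path. The plugin name, the lg_-prefixed functions and the 203.0.113.10 address are assumptions/placeholders.

```php
<?php
/*
 * Plugin Name: Login Guard (added example, not from this thread; save in wp-content/mu-plugins/)
 * wp-login.php lives in the site root, not in wp-admin, so a wp-admin/.htaccess never sees login
 * attempts; the login_init hook applies DJL's IP allowlist in PHP instead. The other two hooks
 * implement mdan287's policy: 5 failed logins from one address within 1 hour => 24-hour ban.
 */
define('LG_MAX_FAILURES', 5);
define('LG_WINDOW', HOUR_IN_SECONDS);     // core constant, 3600 s
define('LG_BAN_LENGTH', DAY_IN_SECONDS);  // core constant, 86400 s
function lg_allowed_ips() {
    return array('203.0.113.10');         // placeholder: replace with your own address(es)
}
function lg_client_ip() {
    // REMOTE_ADDR is set by the web server; X-Forwarded-For is client-controlled, so ignore it
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function lg_keys($ip) {
    $h = md5($ip);                        // transient names are length-limited, so hash the address
    return array("lg_fail_$h", "lg_ban_$h");
}
function lg_is_banned($ip) {
    list(, $ban_key) = lg_keys($ip);
    return get_transient($ban_key) !== false;
}

// 1. Only allowlisted addresses may load the login page at all.
add_action('login_init', function () {
    if (!in_array(lg_client_ip(), lg_allowed_ips(), true)) {
        wp_die('Access denied.', 'Forbidden', array('response' => 403));
    }
});

// 2a. Keep a sliding one-hour window of failure timestamps per address; ban on the fifth.
add_action('wp_login_failed', function ($username) {
    $ip = lg_client_ip();
    if (lg_is_banned($ip)) { return; }    // already banned; nothing more to record
    list($fail_key, $ban_key) = lg_keys($ip);
    $now    = time();
    $stamps = get_transient($fail_key) ?: array();
    $stamps = array_values(array_filter($stamps, function ($t) use ($now) {
        return $t > $now - LG_WINDOW;     // drop failures older than the window
    }));
    $stamps[] = $now;
    if (count($stamps) >= LG_MAX_FAILURES) {
        set_transient($ban_key, $now, LG_BAN_LENGTH);
        delete_transient($fail_key);
    } else {
        set_transient($fail_key, $stamps, LG_WINDOW);
    }
});

// 2b. Refuse a banned address even with the right password. Priority 30 runs after core's
// own password check (priority 20), so this WP_Error is the result the caller sees.
add_filter('authenticate', function ($user, $username, $password) {
    if (lg_is_banned(lg_client_ip())) {
        return new WP_Error('lg_banned', 'Too many failed logins from your address; try again in 24 hours.');
    }
    return $user;
}, 30, 3);
```

Because login_init also runs for logout and lost-password requests, this allowlist suits a single-admin blog like DJL's; drop hook 1 and keep 2a/2b on a site with many users.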
  • DWaters
    Originally Posted by marketwarrior06:
    Don't really get it. I have never done this because it's not a big deal. Why do you have to secure your site? The normal protection from your hosting is enough, I think.
    It is a very big deal. There is no such thing as "normal protection" from your hosting. After I was hacked my hosting company explained that WP hacking is relatively common because WP is so common, the hackers go after you.
    The Login Lockdown plugin, which I recently added, is supposed to help keep out malicious login attempts.
    • ArielT
      Originally Posted by DWaters:

      The Login Lockdown plugin, which I recently added, is supposed to help keep out malicious login attempts.
      I've read that plugin isn't enough protection, maybe Better WP Security covers all or almost all.
  • DWaters
    Originally Posted by ArielT:
    I've read that plugin isn't enough protection, maybe Better WP Security covers all or almost all.
    Yes, login lock down only deals with one specific issue so it is limited.
    WP Firewall 2 was highly recommended on another thread and I recently added that to my WP sites.
  • Leslie B
    Keeping your WP site secure starts the moment you install it. Don't use scripts like Fantastico that install the blogs for you, but do it manually so you can begin adding security right from the start. Use secure usernames and passwords, not only for your WordPress login, but also for your database and your hosting account itself.

    Once your site is up there are a few things to keep in mind, I've written an article on that a few weeks back on my site that you can read here: Tips to Secure and Maintain Your WordPress Blogs | Lady WordPress

    Leslie
    • Sleika
      Hi Leslie

      Checked out your article, great read
    • ArielT
      Originally Posted by Leslie B:

      Don't use scripts like Fantastico that install the blogs for you, but do it manually so you can begin adding security right from the start.
      Leslie
      Hello Leslie, what is the security advantage of installing it manually?

      And do you use any plugin for security? like for example "better WP security"
  • Leslie B
    Just a few reasons why not to use fantastico:
    * your database name, username and password aren't secure
    * your table prefix will always be the same one (something I change when I install it manually)

    Those are things hackers will look for when trying to get access to a WP site. After that, comes the passwords and usernames for the wp-admin that aren't secure enough (although, these days you can choose your own username and password in Fantastico, I believe, not completely sure since I don't use it).

    You can change that afterwards, of course, but that's more hassle than just taking the 5 minutes to install WP manually and do it right from the start. People always say that they use Fantastico because it's fast, but honestly, I timed myself the very first time I did it manually and it took me about 10 minutes; now it takes me 5 minutes. Fantastico isn't that much faster.

    Leslie
    • ArielT
      Originally Posted by Leslie B:

      Just a few reasons why not to use fantastico:
      * your database name, username and password aren't secure
      * your table prefix will always be the same one (something I change when I install it manually)

      Those are things hackers will look for when trying to get access to a WP site. After that, comes the passwords and usernames for the wp-admin that aren't secure enough (although, these days you can choose your own username and password in Fantastico, I believe, not completely sure since I don't use it).

      You can change that afterwards, of course, but that's more hassle than just taking the 5 minutes to install WP manually and do it right from the start. People always say that they use Fantastico because it's fast, but honestly, I timed myself the very first time I did it manually and it took me about 10 minutes; now it takes me 5 minutes. Fantastico isn't that much faster.

      Leslie
      After making this do you think a security plugin is required or not?
      • Leslie B
        Originally Posted by ArielT:

        After making this do you think a security plugin is required or not?
        I still use security plugins, yes, mostly ones that do what I didn't do manually already. If you're making money from your site you owe it to yourself to make sure you did everything you could to keep them from breaking your site. I learned that the hard way when I had a site hacked that made me a decent amount of money and it took me a week to clean it and over a month to get my ranking back.

        Leslie
        • ArielT
          Originally Posted by Leslie B:

          I still use security plugins, yes, mostly ones that do what I didn't do manually already. If you're making money from your site you owe it to yourself to make sure you did everything you could to keep them from breaking your site. I learned that the hard way when I had a site hacked that made me a decent amount of money and it took me a week to clean it and over a month to get my ranking back.

          Leslie
          What plugin would you recommend after doing those things manually?
          • Walter Parrish
            Just a sidenote;

            I got that Better WP Security and I loved the program, but I got locked out lolol. I thought I had a secure cert and enabled that, and was unable to get back on my site until I went and paid for the cert and installed it. Other than that, great program.

            I didn't like bullet proof because it seemed that I couldn't password protect my admin directory via htaccess which I'm used to doing.
  • Patrick Batty
    Hey Sleika.
    Fellow warrior Shane Melaugh wrote a fantastic post a few months back, taking people through EVERYTHING they need to do to secure WordPress. (Thanks Shane!)
    Just follow his instructions.. there's nothing needed to buy.. I did it on all my sites.
    WordPress Security: How to Lock Down Your WordPress Site - IM Impact

    Worked like a charm.
    All the best,
    Patrick
  • jakeb
    Dynamicnet.net has a killer .htaccess file for WordPress. Unfortunately I'm too new to post links. It's super easy to find though; I use it for all my installs.
  • WinsonYeung
    Try the WordPress Login LockDown plugin here

    Bad Neighborhood - Login LockDown WordPress Security Plugin (not my affiliate)
  • MatthewWoodward
    I had a WordPress site that was repeatedly getting hacked over and over no matter what I did to lock it down.

    In the end I discovered WordPress › WordPress Firewall 2 « WordPress Plugins, which stopped the hacks. It is surprising how many e-mails you get of people trying to hack sites :S
  • Dave3110
    Would recommend better WP security.
  • eb219
    I see some great recommendations here already, like Better WP Security. WordPress users should also consider the importance of malware scanning. I personally use the Sucuri Scanner (free) and Anti-Malware (also free) plugins; they both work great.

    Since I host a few WPMS installs, the importance of lock-tight security cannot be understated when you're working with 20-30 sites on one host
  • Dan Grossman
    I'm surprised nobody's said the obvious but most important task to securing WordPress:

    Keep it up to date!

    Most website hacking is completely automated. People are running scanners that check for known vulnerabilities in common software like WordPress by making the same requests to thousands of different domains a day. When they find someone running vulnerable software, they can exploit that to hack the site to add spam links or whatever their goal was.

    If you're not always running the newest version of WordPress you are, by definition, vulnerable because virtually all WordPress updates include security fixes. That means the previous version had vulnerabilities to fix -- and publishing the update fixing them points out what the vulnerabilities were to everyone in the world. Now the people writing the vulnerability scanners can figure out how to exploit it and add it to their scanner.

    So subscribe yourself to the release notification e-mail list, and when an update comes out, log in to your blog and install it.

    WordPress › Download
  • lerxtjr
    If people would just get away from using the "1-click-install" features of the big web hosts out there, half the battle would be won. Install manually and you don't have to accept all of those default settings that are so easy for a hacker to find and break in.
    • Walter Parrish
      Originally Posted by lerxtjr:

      If people would just get away from using the "1-click-install" features of the big web hosts out there, half the battle would be won. Install manually and you don't have to accept all of those default settings that are so easy for a hacker to find and break in.
      I think Softaculous does a better install than Fantastico, but you are correct, the manual install is always the best.

      I was surprised, being a Joomla user coming into WordPress, at the lack of security info, as WordPress is used more as a platform. Even in the latest WSOs I have never heard anyone mention securing WordPress; heck, they could have at least said make backups lol