How to test if your Wordpress Site is secure?

14 replies
  • SEO
  • |
I have had atleast 3 of my sites hacked .one of them even after installing Wp bulletproof .... . by some ISALMHACK team.. (I aint making no movies man ..why me??...)..ya i know i might not have been like supre secure ..but umm even if I install plugins ..I get so many messages like ..htaccess is not secure.then I do the changes as suggested ...then the status becomes green ...then again if I check after few days then the status again becomes RED..
So I mean is there a TESTTNG site which can test and tell that the site is secure or not
#hacked #secure #site #wordpress
  • Profile picture of the author zicer
    Try to search for plugin!!! There is free plugins to test your WP site and tell you which files are infected by any malware. Also DO NOT upload nulled or other suspicious plugins! Use ones from WordPress site or buy from original source, other way your blog could be hacked easy!
    Signature
    WHY WOULD YOU BUY TWITTER FOLLOWERS. GET THEM FREE
    Visit My Blog, who knows maybe you find something interesting :)
    {{ DiscussionBoard.errors[7000443].message }}
  • Profile picture of the author zicer
    go to your admin > plugins > add new | Search for this two plugins to fix your problems:
    1. Anti-Malware by ELI
    2.
    Exploit Scanner

    It should help you
    Signature
    WHY WOULD YOU BUY TWITTER FOLLOWERS. GET THEM FREE
    Visit My Blog, who knows maybe you find something interesting :)
    {{ DiscussionBoard.errors[7000595].message }}
  • Profile picture of the author ProAffiliate01
    I would say the first step is to be careful what plugins you install. They have to come from trustworthy sources. I'm going to take the recommendations given by Zicer, probably unless there are other suggestions.
    {{ DiscussionBoard.errors[7000625].message }}
  • Profile picture of the author so11
    Hello,

    Sorry to hear about your sites…

    Unfortunately, in your case the problem is your misunderstanding of what security is.
    Installing a security plug-in is a good start, but not enough…

    Security is a complex set of secure configurations, techniques and practices…

    To answer your question: yes there are services that allow you to scan your website for security holes/vulnerabilities. Try researching this forum or Internet for “website security scan”. There are many free and not tools/services.

    Now… to achieve security, you must periodically scan your sites and correct identified problems.

    So11
    Signature
    www.groupesoloviev.com
    We help businesses manage cyber risk and compliance requirements.
    {{ DiscussionBoard.errors[7000761].message }}
    • Profile picture of the author Ian Levings
      Thanks Zicer, those plugins worked for me, having been hacked before I am now a little nervous it might happen again despite all my security I now have in place. thankfully nothing found.
      {{ DiscussionBoard.errors[7000905].message }}
      • Profile picture of the author zicer
        Originally Posted by Ian Levings View Post

        Thanks Zicer, those plugins worked for me, having been hacked before I am now a little nervous it might happen again despite all my security I now have in place. thankfully nothing found.
        Glad you are safe now. And as i said, main problem could be using third party plugins!!! Always try to use original trustworthy source to get your plugin. I had this problem before....
        Signature
        WHY WOULD YOU BUY TWITTER FOLLOWERS. GET THEM FREE
        Visit My Blog, who knows maybe you find something interesting :)
        {{ DiscussionBoard.errors[7002921].message }}
  • Profile picture of the author Adie
    Originally Posted by justhandsome View Post

    I have had atleast 3 of my sites hacked .one of them even after installing Wp bulletproof .... . by some ISALMHACK team.. (I aint making no movies man ..why me??...)..ya i know i might not have been like supre secure ..but umm even if I install plugins ..I get so many messages like ..htaccess is not secure.then I do the changes as suggested ...then the status becomes green ...then again if I check after few days then the status again becomes RED..
    So I mean is there a TESTTNG site which can test and tell that the site is secure or not
    Don't use Admin as the username... Install wordpress manually..
    Signature



    Moderator's Note: You're only allowed to put your own products or sites in your signature.

    Signature edited.
    {{ DiscussionBoard.errors[7000784].message }}
  • Profile picture of the author laracoates28
    I would suggest you to going through the thread

    http://www.warriorforum.com/website-...+security+tips
    {{ DiscussionBoard.errors[7000902].message }}
  • I use bullet proof security pro, just make sure all the settings are set I mean ALL and you should not have a problem. I use everything except the auto-restore/quarantine options. I had the issue where I thought I had it all correct and and green but then the status changed.. it was due to me not having all settings in place and in my case the "file locking" feature had to be on certain wordpress core files.

    I would if possible, start over, don't install anything but wordpress and then bullet proof security pro right from the start don't mess with anything else until this plugin is fully setup.. Check settings over and over.. the plugin can be rough to setup at first.. and yes make sure you do not have an "admin" user name called admin OR any other username on user1 default.. meaning whatever the first user is delete it.. well first add your second admin don't use "admin" as name though (if first user was something else) and then delete first user.

    This is because when hackers use automated software tools it always tries the first wordpress user ID so by using a different ID number "2" you are a little safer.. they always go after "admin" user ID 1 and try to brute force the login so have a complex password as well.
    {{ DiscussionBoard.errors[7001399].message }}
  • Profile picture of the author Rbtmarshall
    how secure is your password for /wp-admin?
    {{ DiscussionBoard.errors[7001408].message }}
  • Profile picture of the author 36burrows
    I use the plugin "Limit Login Attempts"

    It will lockout anyone who uses an incorrect password multiple times, then will record their IP address.

    Never had a problem.
    {{ DiscussionBoard.errors[7001872].message }}
  • Profile picture of the author Rehmat
    Don't use common names like "Admin" for administrator. Secondly, create an additional account and make posts in your blog using that. Don't install plugins without prior knowledge, install plugins from trusted websites only. If you think that your website is being hacked by brute-force attacks, then create complex passwords (by mixing small and capital letters, numbers etc). Don't access your control panel/dashboard from in-secure computers. Sometimes, infected files may also take the malware to the website, if they are uploaded to it. So upload files to the website only from your personal computer or any other trusted computer.
    {{ DiscussionBoard.errors[7001963].message }}
  • Profile picture of the author mego818
    I had the same problem as you last week. I got my sites hacked by various arabs and turks. (TimThumb Vunerability).

    Get Better WP Security. It is much better than the others.
    Signature
    Need High Quality Content?
    BOSScontent
    {{ DiscussionBoard.errors[7002994].message }}
  • Profile picture of the author Igal Zeifman
    Funny thing, I`ve just finished answering a very similar question on Quora (so seems like WP hacks are the latest trend...)

    First of, as far as I know, WP Security is probably the best security plugin today.
    Having said that, its far from perfect.

    This is why:

    A. WP Security will blacklist bot and user IPs and this is not an effective way to protect yourself.
    Keep in mind, IP are very easily spoofed an average attacker will never use his/hers true IP for the attack.
    Also, "Good" bot will use strange IP ranges so there is a good chance for false-positives (i.e. Goolgebot will use Chinesse IPs)

    The smart way to do this, is by using a combo of behavior monitoring + signature recognition + challenges (JS,Coockie or even CAPTCHA).

    This is how we do it here (in Incapsula) and from personal experience I can say that this multi-layer approach will drastically minimize false-positives.
    This approach will also provide better protection against new and yet unknown threats, as it will look for suspicious patterns instead of trusing generalized rules.


    B. It will not provide injection (and other Illegal Resource Access) protection.
    Yes, vulnerability scans are a good place to start, but they are never as good as proactive protection and even when they detect something, you'll still need to spend time and effort (and have decent understanding of PHP/WP coding) to close the gap.

    I don't want to make it too long, so I`ll stop here.

    I will say again that "WP Security" is a great plugin, but it will only go so far and for more advance features I would recommend looking into 3rd party security services.

    PM me if you need any help.

    GL
    Signature

    Igal Zeifman
    ----------------
    Community Manager / SEO @Incapsula - Cloud Security and Acceleration | DDoS Protection

    {{ DiscussionBoard.errors[7012221].message }}

Trending Topics