Security concerns with WordPress sites

35 replies
I just had one of my WordPress sites hacked and I'm in the middle of straightening everything out.

Then it occurred to me . . . if I had an HTML site rather than a WP site, would I be less vulnerable? Seems like WordPress sites have some downsides, and I'm curious what others might have to say about it.

Are there inherent advantages to having an HTML site versus a WP site? Plugins are great but compatibility seems to always be a looming issue when you update. Same thing with the new WordPress updates.

Thanks for any insights or recommendations based on your experience.
#concerns #security #sites #wordpress
  • dazkat wrote:
    Yeah, I have had a few of my WordPress sites hacked and it is very frustrating. For me the flexibility I have with WordPress sites still wins me over every time. With regards to the plugins, I don't really have any real compatibility issues with any of the plugins I use. I think I just like the simplicity & convenience of WordPress. Sometimes you need to take the good with the bad, hey.
  • Deepak Media wrote:
    Just make sure you follow all the security steps and you should be fine. Keep your domain ultra secure and take regular backups. WordPress can't be beaten!
    • Radical Codes wrote:
      Originally Posted by Deepak Media:

      Just make sure you follow all the security steps and you should be fine. Keep your domain ultra secure and take regular backups. WordPress can't be beaten!
      Agree.

      I am using WordPress for all of my clients and none of them got hacked.

      My advice:
      1. Update your WordPress version regularly.
      2. Do not use too many unnecessary plugins, especially free ones (but some of them are great and worth using).
      3. Be careful when you get spam comments or email from your contact form.
      4. Don't save/remember your password in your browser too often.

      Then you will be fine.

      Cheers
      • BlueLayerHost wrote:
        As many people said, keeping the site and plugins up to date is most important. Here's a quick overview and some other resources for keeping your site secure.
  • Cataclysm1987 wrote:
    Another thing to check for is that you are updated fully and all your plugins are updated fully.

    WordPress makes it harder to hack with each update, as do the plugin creators. Having WordPress updated completely makes this less likely to happen.

    Check with your host as well to see if it was a server-related incident.
  • FreeMeal wrote:
    In a way WordPress has been a victim of its own success, really.

    I always try and keep plugins to a minimum if possible. I have recently started installing "Login Lockdown" on all my WP installations. Hopefully that adds a little extra security.
  • obin94 wrote:
    There are a couple of things that you can do to keep your WP site more secure.

    Make sure you always update WP and all of the plugins, because all of the old versions of WP have known and easy hacks.

    Make sure that readme.html is not accessible, because this shows the version # if you haven't updated yet!

    Make sure that the wp-config.php file is not readable (you should get a 404 error, not a blank page): yourdomain.com/wp-config.php

    Make sure that wp-login.php is not publicly accessible. It is best to limit this by IP address.

    Make sure that if you have wp-login.php publicly accessible, you don't have it display the error message "invalid username" or "the password you entered for the username ____ is incorrect".

    DON'T HAVE YOUR USERNAME BE ADMIN!!

    Make sure that wp-admin/install.php is not still installed.

    These things will make your WP site much more secure!
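A worked version of obin94's checklist, added here as an example and not taken from any post in this thread: a POSIX shell function that writes an Apache 2.4 hardening block to the top of the site's .htaccess, plus a curl probe to confirm from outside that the files answer 403 or 404. The document root, the allow-listed address 203.0.113.10 and the marker comment are placeholders. Three caveats a practitioner should know before pasting this in. The WordPress updater re-creates readme.html, license.txt and wp-admin/install.php on every core update, so blocking them in .htaccess is more durable than deleting them. A direct request for wp-config.php normally returns a blank page because PHP executes it; the exposure actually worth testing for is editor and backup copies (wp-config.php~, wp-config.php.bak) that the web server serves as plain text, which the FilesMatch pattern below also covers. And the "invalid username" message is changed in PHP through WordPress's login_errors filter, which this shell example does not touch. Hosts still on Apache 2.2 need Order/Deny directives instead of Require, and nginx ignores .htaccess entirely.

```shell
#!/bin/sh
# Added example (not from the thread): Apache 2.4 .htaccess hardening for a WordPress docroot.
# Assumptions: Apache 2.4 with AllowOverride enabled (typical cPanel shared hosting);
# 203.0.113.10 in the usage comments is a placeholder for your own address.

# write_hardening_htaccess DOCROOT IP [IP ...]
# Prepends a marked block to DOCROOT/.htaccess so WordPress's own "# BEGIN WordPress"
# rewrite rules are preserved below it. Safe to re-run: a second call is a no-op.
write_hardening_htaccess() {
  docroot=$1; shift
  [ $# -gt 0 ] || { echo "need at least one allowed IP for wp-login.php" >&2; return 2; }
  ht="$docroot/.htaccess"
  if [ -f "$ht" ] && grep -q '^# --- wp-hardening' "$ht"; then
    return 0                                  # already applied
  fi
  [ -f "$ht" ] && cp "$ht" "$ht.bak"          # keep whatever the host or WordPress wrote
  {
    printf '# --- wp-hardening: keep this block above the WordPress rewrite rules ---\n'
    printf 'Options -Indexes\n'               # no directory listings (wp-content/uploads etc.)
    # wp-config.php itself and any editor/backup copy: wp-config.php~, wp-config.php.bak, ...
    printf '<FilesMatch "^wp-config\\.php">\n  Require all denied\n</FilesMatch>\n'
    # Version-revealing files and the installer. Core updates re-create them, so block rather
    # than delete. A docroot .htaccess also applies inside wp-admin/, so this covers
    # wp-admin/install.php as well.
    printf '<FilesMatch "^(readme\\.html|license\\.txt|install\\.php)$">\n  Require all denied\n</FilesMatch>\n'
    # wp-login.php only from the listed addresses; everyone else gets 403 before PHP runs.
    printf '<Files "wp-login.php">\n  Require ip'
    for ip in "$@"; do printf ' %s' "$ip"; done
    printf '\n</Files>\n'
    printf '# --- end wp-hardening ---\n'
    if [ -f "$ht" ]; then cat "$ht"; fi       # original rules follow the hardening block
  } > "$ht.new" && mv "$ht.new" "$ht"
}

# audit_exposure BASE_URL : HTTP status of each sensitive path as seen from this machine.
# Expect 403 or 404 everywhere; wp-login.php should be 200 only from an allow-listed address.
audit_exposure() {
  base=${1%/}
  for p in readme.html license.txt wp-config.php wp-config.php.bak wp-admin/install.php wp-login.php; do
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$p")
    printf '%-24s %s\n' "$p" "$code"
  done
}

# Usage (paths and address are placeholders):
#   write_hardening_htaccess /home/user/public_html 203.0.113.10
#   audit_exposure https://example.com          # run from a network that is NOT allow-listed
```

Run audit_exposure once from your own address and once from somewhere else (a phone on mobile data is enough): the first should show 200 for wp-login.php and 403 for everything else, the second 403 across the board. If you roam between networks, a fixed Require ip list will lock you out as well; in that case fall back to the lockout-after-N-failures approach others in the thread describe.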
  • Valdor Kiebach wrote:
    Originally Posted by BillyBee:

    Are there inherent advantages to having an HTML site versus a WP site?
    Depends on the site function: if it is a blog then no, but if the site is a sales page for a product then go with HTML.

    I don't understand why people install WordPress to use it as a sales page. It's like using a sledgehammer to kill an ant.
    • magiclouie wrote:
      Originally Posted by Valdor Kiebach:

      Depends on the site function: if it is a blog then no, but if the site is a sales page for a product then go with HTML.

      I don't understand why people install WordPress to use it as a sales page. It's like using a sledgehammer to kill an ant.
      If I may put my 2 cents in?

      If not all, most of our sales pages are done using WordPress and so far they convert well. I think it varies from one person to the other.
      • Istvan Horvath wrote:
        Originally Posted by magiclouie:

        most of our sales pages are done using WordPress and so far they convert well.
        But not because they are made with WordPress!

        Sorry, Louie, your argument has nothing to do with what Valdor said, namely that WP might be overkill to build a one-page sales page.
        I agree with him: for a simple squeeze page or a simple sales page there is no need for a whole CMS - just do it in good old HTML.

        The conversion of a sales page never ever depends on what you used to build it, i.e. whether it's HTML or WP. It will always depend on your copy, on your offer, on your traffic sources... Happy buyers don't give a sh*t about what the sales page was built with.
        • BillyBee wrote:
          Is there a way to find out when you've been hacked right away? I mean, is there an alert I can receive or something?

          I used to subscribe to a service that gave me an email or text alert whenever my website was down and I wonder if the same can be done for when my site gets hacked.
  • IMAdam wrote:
    Yes, by using WordPress you do put yourself at greater risk of being hacked, due to the WP plug-ins, but make sure everything is properly set up and up to date by following these steps:

    - use the latest version of WordPress

    - update all plug-ins

    - be SURE to install this plug-in ---> BulletProof Security (WordPress › BulletProof Security « WordPress Plugins) and configure it properly.


    At this stage, you shouldn't have much to worry about.
  • JOSourcing wrote:
    I'm speaking from pure conjecture here, but I believe because WordPress is so PHP-dependent and open (source), it's simply easier to hack. All websites are vulnerable.
  • Rally Writer wrote:
    Originally Posted by BillyBee:

    I just had one of my WordPress sites hacked and I'm in the middle of straightening everything out.

    Then it occurred to me . . . if I had an HTML site rather than a WP site, would I be less vulnerable? Seems like WordPress sites have some downsides, and I'm curious what others might have to say about it.

    Are there inherent advantages to having an HTML site versus a WP site? Plugins are great but compatibility seems to always be a looming issue when you update. Same thing with the new WordPress updates.

    Thanks for any insights or recommendations based on your experience.
    I am new to WF.
    How do I know if my WordPress sites are hacked or have been hacked?
    Appreciate your reply.
    Thanks
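Both BillyBee and Rally Writer ask how you find out that a site has been hacked. An uptime monitor only tells you whether the page still loads; what a compromise actually leaves behind is a new or modified file in the document root, so the practical alert is a file-integrity check. The following is an added shell example, not something posted in the thread: wp_baseline records a SHA-256 manifest right after a clean install or update, wp_check reports everything ADDED, MODIFIED or DELETED since then and exits non-zero so a cron wrapper can mail you, and php_in_uploads flags the most common drop location for a webshell. The docroot and manifest paths in the comments are placeholders. Two caveats: keep a copy of the manifest off the server, because anyone who can write to the docroot can also rewrite the manifest; and re-run wp_baseline after every legitimate WordPress, theme or plugin update, otherwise each update looks like an intrusion.

```shell
#!/bin/sh
# Added example (not from the thread): file-integrity baseline and check for a WordPress docroot.
# Requires sha256sum (GNU coreutils); on macOS substitute "shasum -a 256".
# /home/user/public_html and /home/user/private/wp.manifest in the usage comments are placeholders.

# Hash every file under DOCROOT except the page cache, which churns and is not code you own.
# Output is "hash  ./relative/path", sorted by path so two manifests line up.
_wp_hash_tree() {
  (cd "$1" && find . -type f ! -path './wp-content/cache/*' -exec sha256sum {} + | sort -k 2)
}

# wp_baseline DOCROOT MANIFEST : record the known-good state right after a clean install or update.
wp_baseline() {
  _wp_hash_tree "$1" > "$2"
}

# wp_check DOCROOT MANIFEST : print one line per ADDED / MODIFIED / DELETED path.
# Returns 0 when nothing changed, 1 otherwise, so a cron wrapper can alert on the exit code.
# (A path containing spaces would split across awk fields; WordPress core ships none.)
wp_check() {
  current=$(mktemp)
  _wp_hash_tree "$1" > "$current"
  changes=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }          # manifest: path -> hash
    {
      seen[$2] = 1
      if (!($2 in base))       print "ADDED " $2
      else if (base[$2] != $1) print "MODIFIED " $2
    }
    END { for (p in base) if (!(p in seen)) print "DELETED " p }
  ' "$2" "$current")
  rm -f "$current"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"
  return 1
}

# php_in_uploads DOCROOT : uploads should hold media only; a .php file there is the classic webshell drop.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Usage (paths are placeholders):
#   wp_baseline /home/user/public_html /home/user/private/wp.manifest   # once, on a clean site
#   wp_check    /home/user/public_html /home/user/private/wp.manifest   # hourly from cron
#   php_in_uploads /home/user/public_html
```

For the alert, put the wp_check call in a small wrapper script that cron runs hourly and that pipes any output to mail when the exit status is 1; do not inline it in the crontab, where the % in printf would be read as a line break. When wp_check does fire, the MODIFIED list is also your clean-up list: compare each file against the same version from a fresh WordPress or plugin download rather than trying to read obfuscated PHP by eye.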
  • Alex Guzman wrote:
    If you are using HostGator, then you should not use Fantastico; there is a script installer called QuickInstall that works just great for this and it is up to date. Fantastico does not give you an up-to-date version of WordPress. I really like using WordPress because the benefits outweigh the risks. Making sales pages and squeeze pages with WordPress is also good if you are using Optimize Press.

    I had one of my sites hacked and they were able to infect all of my domains because I had them as addon domains. If you are going to use WordPress in a shared hosting account then you need to make sure all of your WordPress accounts are secure. This will keep them from injecting malicious content into your server.
  • Kingfish85 wrote:
    Fantastico, Softaculous or any other auto installer doesn't make it less secure. It's your responsibility to update the installation. None of those auto installers update your sites when WordPress releases an update... they are simply there to make the installation process easier.


    ANY website is subject to being exploited. WordPress is exploited more often because so many users do not take the steps to secure their install. Using junk, poorly coded plugins that aren't being updated anymore doesn't help, and neither does installing tons of plugins to do simple tasks.

    Regarding the wp-config file, it shouldn't be left in the public_html to begin with. This should be the first thing that gets moved after installing WordPress.

    Too many people leave the default username as "Admin" and malicious users know that. Your admin login should have a lockout time period as well.

    Installing "free" themes you found on Google most likely will give you encoded links, malware etc.

    There are other things that I'm not going to go into detail about here on the forum that should be done as well.
    • cooler1 wrote:
      Originally Posted by Kingfish85:

      Fantastico, Softaculous or any other auto installer doesn't make it less secure. It's your responsibility to update the installation. None of those auto installers update your sites when WordPress releases an update... they are simply there to make the installation process easier.


      ANY website is subject to being exploited. WordPress is exploited more often because so many users do not take the steps to secure their install. Using junk, poorly coded plugins that aren't being updated anymore doesn't help, and neither does installing tons of plugins to do simple tasks.

      Regarding the wp-config file, it shouldn't be left in the public_html to begin with. This should be the first thing that gets moved after installing WordPress.

      Too many people leave the default username as "Admin" and malicious users know that. Your admin login should have a lockout time period as well.

      Installing "free" themes you found on Google most likely will give you encoded links, malware etc.

      There are other things that I'm not going to go into detail about here on the forum that should be done as well.
      I thought Fantastico was not recommended because it installs WordPress using the default wp_ table prefix.

      Problem regarding the wp-config file: the guide below says that it can't be moved if you use addon domains. As so many people use shared hosting, that's a problem.

      Wordpress Security Doesn't Need To Be Difficult | Internet Marketing and Publishing
      • Kingfish85 wrote:
        Originally Posted by cooler1:

        I thought Fantastico was not recommended because it installs WordPress using the default wp_ table prefix.

        Problem regarding the wp-config file: the guide below says that it can't be moved if you use addon domains. As so many people use shared hosting, that's a problem.

        Wordpress Security Doesn't Need To Be Difficult | Internet Marketing and Publishing
        To answer both of your questions: changing the prefix isn't really a big deal. Changing the DB table prefix won't do anything to help when pages that rely on database connections will output errors. Sure, it helps a little, but if someone wants to get in, they will.

        Every installation of WP that I have done, both for myself as well as customers, works fine. You're not moving the config file, you're using an include in the original configuration file. The database details are stored in the file that's being included, which should be located OUT of the public_html.



        9 times out of 10 when you hear someone's WordPress site gets hacked it's for one of the following reasons:

        • out of date install
        • not updating plugins
        • using poorly written plugins
        • installing useless plugins, like ones to insert Google Analytics code
        • using weak passwords
        • using non-supported plugins
        • using "free" themes found from Google searching "free wordpress themes"

        the list goes on...
        • cooler1 wrote:
          Originally Posted by Kingfish85:

          Every installation of WP that I have done, both for myself as well as customers, works fine. You're not moving the config file, you're using an include in the original configuration file. The database details are stored in the file that's being included, which should be located OUT of the public_html.
          I'm confused. Why does Anne's security guide advise moving the config file up one level?

          Move the wp-config.php file up one level from ~/home/user/public_html/wp-config.php to ~/home/user/wp-config.php;
          Do you have any link to a guide which explains how to use an include in the original configuration file, as I'm not sure how to do that?
          • Kingfish85 wrote:
            Originally Posted by cooler1:

            I'm confused. Why does Anne's security guide advise moving the config file up one level?



            Do you have any link to a guide which explains how to use an include in the original configuration file, as I'm not sure how to do that?
            You can move it as well. I prefer to use an include.
          • Lee M wrote:
            Can someone provide a quick guide which explains how to use an include in the original configuration file, as I'm not sure how to do that?
            Yes, I would like clarification on this too, if possible.
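Here is the include approach Kingfish85 describes, written out as an added shell example rather than taken from any guide linked in the thread. It moves the credential lines out of wp-config.php (the DB_* defines, the AUTH/SALT keys and $table_prefix) into a file at a path you choose, and leaves a require_once in their place; /home/user/private/wp-config-secrets.php in the usage comment is a placeholder. Two background facts explain the two approaches in the thread. "Move it up one level" works with no include at all because WordPress itself looks for wp-config.php in the directory above its own when it is not in the docroot. That is also why cooler1's addon-domain objection is real: when an addon domain's document root sits inside public_html (the usual cPanel layout), one level up is still web-served. The include approach has no such limit, since the included file can live anywhere PHP can read, so put it outside public_html entirely. Afterwards run php -l on both files and request the secrets file's URL from a browser: it must not have one. If PHP on your host runs as a different user from your login account, the chmod 600 below will lock PHP out; use 640 with PHP's group instead.

```shell
#!/bin/sh
# Added example (not from the thread or the linked guide): move credentials out of
# DOCROOT/wp-config.php into SECRETS, an absolute path outside every web root, and
# leave a require_once behind. Refuses to run twice, so the secrets file is never clobbered.

# split_wp_config DOCROOT SECRETS
split_wp_config() {
  docroot=$1; secrets=$2
  cfg="$docroot/wp-config.php"
  case $secrets in /*) ;; *) echo "SECRETS must be an absolute path" >&2; return 2;; esac
  [ -f "$cfg" ] || { echo "no $cfg" >&2; return 2; }

  # Lines that must never be web-readable: DB_* defines, the AUTH/SALT keys, $table_prefix.
  pattern="define\( *'(DB_(NAME|USER|PASSWORD|HOST|CHARSET|COLLATE)|[A-Z_]+_(KEY|SALT))'|^\\\$table_prefix"
  grep -Eq "$pattern" "$cfg" || { echo "no credential lines in $cfg (already split?)" >&2; return 1; }

  # Pristine copy next to the secrets, NOT in the docroot: a wp-config.php.bak there
  # would be served as plain text, which is the very exposure we are removing.
  cp "$cfg" "$secrets.orig" && chmod 600 "$secrets.orig"

  # 1. Secrets file: PHP open tag plus the extracted lines, created owner-read-only.
  ( umask 077
    { printf '<?php\n// Credentials and salts for wp-config.php; keep this file outside the document root.\n'
      grep -E "$pattern" "$cfg"; } > "$secrets" )

  # 2. Remaining wp-config.php: open tag, the require_once, then everything else unchanged.
  tmp=$(mktemp)
  { printf '<?php\n// Credentials and salts live outside the document root.\nrequire_once %s;\n' "'$secrets'"
    grep -Ev "$pattern" "$cfg" | grep -v '^<?php$'; } > "$tmp"
  cat "$tmp" > "$cfg" && rm -f "$tmp"       # cat keeps wp-config.php's owner and mode
}

# Usage (paths are placeholders):
#   split_wp_config /home/user/public_html /home/user/private/wp-config-secrets.php
#   php -l /home/user/public_html/wp-config.php && php -l /home/user/private/wp-config-secrets.php
```

The pattern deliberately matches only the credential and salt lines, so WP_DEBUG, ABSPATH and the final require of wp-settings.php stay where WordPress expects them. If your wp-config.php defines extra secrets under other names (an SMTP password for a mail plugin, an API key), add them to the pattern before running it.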
  • lindafulkerson wrote:
    I love WordPress but I only recently started learning about security and working to secure my sites. I had a Joomla site hacked, and that's what prompted me to take the time to work on security. I know I still have a lot to learn, but there is a lot of good information out there about WP security. Thanks to all who shared on this thread!
  • BillyBee wrote:
    Thanks to everyone for the great information on my original question! This really helps a lot.
  • Pakiisp wrote:
    What do you guys think about password-protecting the wp-admin directory?
  • Fernando Veloso wrote:
    Always updated, just a couple of (updated and supported) plugins, unique username, unique password, etc. etc. makes it less "attractive" for exploits.
  • namaserajesh wrote:
    Give proper permissions to files and directories. Use the .htaccess method to protect your blog from hackers. Take a backup of wp-config.php, .htaccess, the wp-content folder and the SQL database regularly.
    • Lloyd Buchinski wrote:
      Originally Posted by BillyBee:

      Thanks for any insights or recommendations based on your experience.
      I can't say from experience as I've never had a site hacked, but I did do a lot of reading and it was obvious that WP blogs had a problem with security. 'Help, my blog was hacked. How do I get it back?' was almost a daily topic at times.

      Even when the topic said something about 'my site was hacked' I would read far enough to find out if it was actually a WP blog, and it always was. HTML sites do get hacked too, but usually from different problems, like a key logger on the computer, or malware that taps into your FTP program. They are equal to WP there.

      Keeping everything up to date would be difficult for me. I am sometimes offline for up to a month at a time. I don't want to spend that time wondering if WP has a new update that I should be taking care of.

      I went with HTML.
  • shantanu wrote:
    Tips & Precautions for WordPress Security

    1. Back up.

    2. Change passwords.

    3. Use a WP security scanner.

    4. Update with new plugins and versions.

    5. Protect your .htaccess.

    6. Stop directory browsing or limit access to directories.

    7. Prevent script injection.

    8. Protect your admin files.

    Hope this will help you.
  • BlackWar wrote:
    Update all your plug-ins, also use the latest WP, and don't forget to keep a backup copy of previous work.