Security concerns with WordPress sites

Yeah I have had a few of my wordpress sites hacked and it is very frustrating. For me the flexibility I have with wordpress sites still wins me over every time. With regards to the plugins I don't really have any real compatibility issues with any of the plugins I use. I think I just like the simplicity & convenience of wordpress. Sometimes you need to take the good with the bad hey.

Just make sure you follow all the security steps and you should be fine. Keep your domain ultra secure and take regular backups. Wordpress can't be beaten!

Another thing to check for is that you are updated fully and all your plugins are updated fully.

Wordpress makes it harder to hack with each update as do the plugin creators. Having Wordpress updated completely makes this less likely to happen.

Check with your host as well to see if it was a server related incident.

In a way WordPress has been a victim of it's own success really.

I always try and keep plugins to a minimum if possible. I have recently started installing "Login Lockdown" on all my WP installations. Hopefully that adds a little extra security.

There are a couple of things that you can do to keep your WP site more secure.

Make sure you always update WP and all of the plugins, because all of the old versions of WP have known and easy hacks.

Make sure that readme.html is not accessible because this shows the version # if you haven't updated yet!

Make sure that the wp-config.php file is not readable (you should get a 404 error not a blank page) yourdomain.com/wp-config.php

Make sure that wp-login.php is not publicly accessible. It is best to limit this by IP address.

Make sure that if you have wp-login.php publicly accessible, don't have it display the error message of "invalid username" or "the password you entered for the username ____ s incorrect"

DON'T HAVE YOUR USERNAME BE ADMIN!!

Make sure that wp-admin/install.php is not still installed.

These things will make your WP site much more secure!

Depends on the site function, if it is a blog then no but if the site is a salespage for a product then go with html.

I don't understand why people install wordpress to use it as a sales page. Its like using a sledghammer to kill an ant.

Yes, by using wordpress you do put your self at greater risk of being hacked, due to the WP plug-ins, but make sure everything is properly setup and up to date by following these steps..

- use the latest version of wordpress

- update all plug-ins

- be SURE to install this plug-in ---> WordPress › BulletProof Security « WordPress Plugins and configure it properly.


At this stage, you shouldn't have much to worry about.

I'm speaking from pure conjecture here, but I believe because WordPress is so php-dependent and open (source), it's simply easier to hack. All websites are vulnerable.

I am new in WF.
How do I know if my Worpress site are hacked or have been hacked?
Appreciate your reply.
Thanks

If you are using hostgator, then you should not use fantastico, there is a script installer called quick install that works just great for this and it is up to date. Fantastico does not give you an up to date version of wordpress. I realy like using wordpress because the benefits outweigh the risks. Making sales pages and squeeze pages with wordpress is also good if you are using Optimize Press.

I had my one of my sites hacked and they were able to infect all of my domains because I had them as addon domains. If you are going to use wordpress in a shared hosting account then you need to make sure all of your wordpress accounts are secure. this will keep them from injecting malicious content into your server.

Fantastic, Softaculous or any other auto installer doesn't make it less secure. It's your responsibility to update the installation. None of those auto installers update your sites when Wordpress releases an update... they are simply there to make the installation process easier.


ANY website is subject to being exploited. Wordpress is exploited more often because so many users do not take the steps to secure their install. Using junk, poorly coded plugins that aren't being updated anymore doesn't help, and neither does installing tons of plugins to do simple tasks.

Regarding the wp-config file, it shouldn't be left in the public_html to begin with. This should be the first thing that gets moved after installing Wordpress.

Too many people leave the default username as "Admin" and malicious users know that. Your admin login should have a lockout time period as well.

Installing "free" themes you found on Google, most likely will have encoded links, malware etc.

There's other things that I'm not going to go into detail about here on the forum that should be done as well.

I love WordPress but I only recently started learning about security and working to secure my sites. I had a Joomla site hacked, and that's what prompted me to take the time to work on security. I know I still have a lot to learn, but there is a lot of good information out there about WP security. Thanks to all who shared on this thread!

Thanks to everyone for the great information on my original question! This really helps a lot.

What you guys think about Password Protect wp-admin directory ?

Always updated, just a couple (updated and supported) plugins, unique username, unique password, etc etc makes it less "attractive" for exploits.

Give proper permissions to files and directories. Use .htaccess method to prevent your blog from hackers. Take a backup of wp-config.php, .htaccess, wp-content folder and sql database regularly.

Tips & Preautions For The Wordpress Security

1. Back Up

2. Change Passwords.

3. Use WP Security Scanner.

4. Update With New plugins and versions.

5. Protect Your .htaccess.

6. Stop Directory Browsing or Limited access to Directories

7. Prevent Script Injection.

8. Protect Your Admin Files.

Hope This Will Help You.

Update your all plug-ins also use latest WP, oh don't forget to collect a backup copy of previous works.