What's new

WordPress Security Tips

Data Glasses

Top Contributor
Logged on to email just as i received 22 hack reports for my wordpress site www.ohthankgod.com and although the hacks were averted i instantly went to hosting and banned that suckers ip address ........just as i got hack report 23
 

helloworld

Top Contributor
To the russian hacker who tried no less than 39 times to hack my sites yesterday

.......GET STUFFED

It seems wordpress firewall 2 and secure wordpress did their job

once more .......... GET STUFFED !

In Russia, wordpress hacks you...****in
 

aus11

Top Contributor
I really like the idea of being able to self-host InfiniteWP. A big plus.

Cheers,
Chris

+1

I set InfiniteWP up on a spare domain I had, and have it running for all my sites now. Makes updating an absolute breeze!
 

petermeadit

Top Contributor
Yup blog any and all brute force...

I can't stress this enough for all the new users out there.

http://screencast.com/t/ARS1MHDBX

I have Wordfence set to automatically block users who use an invalid username to try login. But it's annoying the amount of times they try.

Paul.

I will second that. So important to use something like Wordfence, and block any brute force attacks.

I often block entire countries because nothing useful come from there but repeated login attempts and fake google bots.

Dare you to turn on email notifications for each invalid login attempt... :D
 

petermeadit

Top Contributor
How do you reckon it stacks up again ManageWP? Or Worpit?

Like: ManageWP vs. InfiniteWP vs. Worpit.

be interested to hear opinions.
 

findtim

Top Contributor
the thread is old but still bloody good value to read, starting with chris's contribution.

i'm winding down for 2014, looking towards 2015 and wondering were i should head with security on WP as its been my BIGGEST headache this year.

wordfence has done a great job, i dabbled into infinitewp but didn't go whole hog but i'm leaning towards it now over the xmas break.

just wanted to reignite the question again, wordfence / managewp / infinitewp / sucuri + others , whats the general feeling of a good combination ?

tim
 

Christopher

Top Contributor
Your right @findtim really old thread but a goodie. Probably wasn't wise to post your exact password methods in hindsight.
At any rate reading the ops thread.

Setting your server file permisions to 666 is a bad idea, which is read and write, user, group, others. Your giving front end attacks write permissions. The recommended lockdown file permission is 444 which is read user, group, others. 444 means that even if someone breaks into your site they can't change your htaccess file, or any other file with that permission. Ie the wp-config file. If you look closely at ithemes security, this is the permission it changes the files too, on a complete lock down. And you generally realize this, when your cache plugin wants to write to it and fails.

And the dreaded 777 mentioned as well, is read write and execute, user (your ftp or control panel) group (your site internal access) others (external web traffic). Typically a site falls victim to shell scripts that then leave this shiny great big door open, for others to penetrate the server and reek havoc network wide.

If your host supports Jail host, I suggest implementing it per site. Jail host is a way of sand boxing every domain in your vps, or shared hosting plan, as if it was in its own vps plan. So the highest level some with a shell script can go is the root of your domain. Here is a good wiki write up on Jail host. https://en.wikipedia.org/wiki/FreeBSD_jail
 

findtim

Top Contributor
what else have i been doing in 2016 which has helped?
move login plugin, i saw instant results https://wordpress.org/plugins/sf-move-login/
change wp prefix, https://wordpress.org/plugins/db-prefix-change/, very simpleeeeee
wordfence, free version, take the time to look at setup intrustions or watch a youtube on it, block "admin" but also block the letters " .com" , ".com.au"
sucuri, free version, its pretty gutless but does give you some warnings, the "hardening" page is the best part of it.
infinitewp is good, just make sure you have allocated enough space on your server to hold at least 3 packups.
don't let website owner use their name as admin login + use nickname field for posts " team, staff, owner, kanagroo :) "

tim
 

Christopher

Top Contributor
what else have i been doing in 2016 which has helped?
move login plugin, i saw instant results https://wordpress.org/plugins/sf-move-login/
change wp prefix, https://wordpress.org/plugins/db-prefix-change/, very simpleeeeee
wordfence, free version, take the time to look at setup intrustions or watch a youtube on it, block "admin" but also block the letters " .com" , ".com.au"
sucuri, free version, its pretty gutless but does give you some warnings, the "hardening" page is the best part of it.
infinitewp is good, just make sure you have allocated enough space on your server to hold at least 3 packups.
don't let website owner use their name as admin login + use nickname field for posts " team, staff, owner, kanagroo :) "

tim
Don't use the admin role at all for posting, If its your site or client, set up an editor account. If that gets hacked into, because it is the one posting, their is not much they can do, except delete posts, which you would have a backup of. And never log into your site as admin on an open of free wifi hotspot. Even most private wifi routers broad cast some packets in plain text. When you log in via standard ftp the credentials can be intercepted. So hense have an editor role for content production.
 

robert

Top Contributor
I swear by WordFence plugin (setup correctly and change login attempts to 3 and reset every 10 days) and also as Johnno said, never leave ADMIN as the login. I literally have THOUSANDS of attacks every day across 120 wordpress sites and WordFence never fails me.
 

Community sponsors

Domain Parking Manager

AddMe Reputation Management

Digital Marketing Experts

Catch Expired Domains

Web Hosting

Members online

No members online now.

Forum statistics

Threads
11,098
Messages
92,044
Members
2,394
Latest member
Spacemo
Top