
WordPress Security Tips

Discussion in 'Guest Articles' started by FirstPageResults, May 30, 2012.

  1. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,664
    Likes Received:
    422
    auDA Member:
    Yes
  2. DnEbook

    DnEbook Membership: VIP

    Joined:
    Jun 26, 2008
    Messages:
    6,296
    Likes Received:
    805
    Logged on to email just as I received 22 hack reports for my wordpress site www.ohthankgod.com and although the hacks were averted I instantly went to hosting and banned that sucker's IP address ........ just as I got hack report 23
     
  3. helloworld

    helloworld Membership: VIP

    Joined:
    Apr 21, 2012
    Messages:
    1,116
    Likes Received:
    165
    In Russia, wordpress hacks you...****in
     
  4. chris

    chris Administrator

    Joined:
    Mar 7, 2010
    Messages:
    2,253
    Likes Received:
    829
    auDA Member:
    Yes
  5. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,664
    Likes Received:
    422
    auDA Member:
    Yes
    This is available in InfiniteWP too.
     
  6. chris

    chris Administrator

    Joined:
    Mar 7, 2010
    Messages:
    2,253
    Likes Received:
    829
    auDA Member:
    Yes
    I really like the idea of being able to self-host InfiniteWP. A big plus.

    Cheers,
    Chris
     
  7. aus11

    aus11 Membership: VIP

    Joined:
    Dec 2, 2011
    Messages:
    382
    Likes Received:
    20
    +1

    I set InfiniteWP up on a spare domain I had, and have it running for all my sites now. Makes updating an absolute breeze!
     
  8. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,664
    Likes Received:
    422
    auDA Member:
    Yes
    I can't stress this enough for all the new users out there.

    http://screencast.com/t/ARS1MHDBX

    I have Wordfence set to automatically block users who use an invalid username to try to log in. But it's annoying the amount of times they try.

    Paul.
     
  9. petermeadit

    petermeadit Membership: VIP

    Joined:
    Jul 13, 2012
    Messages:
    893
    Likes Received:
    153
    auDA Member:
    Yes
    Yup, block any and all brute force...

    I will second that. So important to use something like Wordfence, and block any brute force attacks.

    I often block entire countries because nothing useful comes from there but repeated login attempts and fake Google bots.

    Dare you to turn on email notifications for each invalid login attempt... :D
     
  10. Blue Wren

    Blue Wren Membership: VIP

    Joined:
    Jan 23, 2012
    Messages:
    909
    Likes Received:
    107
    One of the best purchases I made last year: InfiniteWP.
     
  11. johno69

    johno69 Membership: VIP

    Joined:
    Nov 29, 2008
    Messages:
    2,664
    Likes Received:
    422
    auDA Member:
    Yes
    I have them on. I have it set to block anyone who tries an invalid username for 24 hours. Then I generally block them permanently.
     
  12. petermeadit

    petermeadit Membership: VIP

    Joined:
    Jul 13, 2012
    Messages:
    893
    Likes Received:
    153
    auDA Member:
    Yes
    How do you reckon it stacks up against ManageWP? Or Worpit?

    Like: ManageWP vs. InfiniteWP vs. Worpit.

    I'd be interested to hear opinions.
     
  13. Blue Wren

    Blue Wren Membership: VIP

    Joined:
    Jan 23, 2012
    Messages:
    909
    Likes Received:
    107
    I haven't used the others so I couldn't give a fair assessment. :)
     
  14. petermeadit

    petermeadit Membership: VIP

    Joined:
    Jul 13, 2012
    Messages:
    893
    Likes Received:
    153
    auDA Member:
    Yes
    I have ManageWP up and running and loving it. Worth the money I'd say.
     
  15. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,407
    Likes Received:
    1,579
    auDA Member:
    Yes
    The thread is old but still bloody good value to read, starting with chris's contribution.

    I'm winding down for 2014, looking towards 2015 and wondering where I should head with security on WP as it's been my BIGGEST headache this year.

    Wordfence has done a great job, I dabbled into InfiniteWP but didn't go whole hog, but I'm leaning towards it now over the Xmas break.

    Just wanted to reignite the question again, Wordfence / ManageWP / InfiniteWP / Sucuri + others, what's the general feeling of a good combination?

    tim
     
    petermeadit likes this.
  16. Christopher

    Christopher Membership: Community

    Joined:
    Jun 13, 2014
    Messages:
    467
    Likes Received:
    178
    You're right @findtim, really old thread but a goodie. Probably wasn't wise to post your exact password methods in hindsight.
    At any rate, reading the OP's thread.

    Setting your server file permissions to 666 is a bad idea, which is read and write for user, group, others. You're giving front end attacks write permissions. The recommended lockdown file permission is 444, which is read for user, group, others. 444 means that even if someone breaks into your site they can't change your htaccess file, or any other file with that permission, i.e. the wp-config file. If you look closely at iThemes Security, this is the permission it changes the files to on a complete lockdown. And you generally realize this when your cache plugin wants to write to it and fails.

    And the dreaded 777 mentioned as well is read, write and execute for user (your FTP or control panel), group (your site internal access), others (external web traffic). Typically a site falls victim to shell scripts that then leave this shiny great big door open for others to penetrate the server and wreak havoc network wide.

    If your host supports Jail host, I suggest implementing it per site. Jail host is a way of sandboxing every domain in your VPS or shared hosting plan, as if it was in its own VPS plan. So the highest level someone with a shell script can go is the root of your domain. Here is a good wiki write up on Jail host. https://en.wikipedia.org/wiki/FreeBSD_jail
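    A small audit of the 666 / 444 / 777 advice above, as an added example that is not from this thread or from any plugin named in it. It is Python rather than PHP, builds a constructed throwaway WordPress-like tree under a temp directory, and the SENSITIVE_FILES list and the reason strings are my own choices.

    ```python
    import os
    import stat
    import tempfile

    # Files that should stay read-only for group and others once the site is
    # locked down (the 444 lockdown discussed above); both are standard WordPress paths.
    SENSITIVE_FILES = ("wp-config.php", ".htaccess")


    def audit_wp_permissions(root):
        """Walk a WordPress install and return (relative_path, octal_mode, reason)
        for every entry that contradicts the lockdown advice."""
        findings = []
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                rel = os.path.relpath(path, root)
                if mode & stat.S_IWOTH:
                    # last octal digit carries a 2: 666 / 777 style, anyone can write
                    findings.append((rel, oct(mode), "world-writable"))
                elif name in SENSITIVE_FILES and mode & stat.S_IWGRP:
                    # e.g. 664: not world-writable, but the group can still edit the config
                    findings.append((rel, oct(mode), "sensitive file group-writable"))
        return sorted(findings)


    def build_sample_tree():
        """Constructed sample install in a temp dir: one correctly locked file,
        one group-writable config, one 666 file and one 777 upload directory."""
        root = tempfile.mkdtemp(prefix="wp-audit-")

        def touch(rel, mode):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)

        touch(".htaccess", 0o444)                     # locked down: not flagged
        touch("wp-config.php", 0o664)                 # group-writable: flagged
        touch("wp-content/uploads/note.txt", 0o666)   # world-writable: flagged
        os.chmod(os.path.join(root, "wp-content"), 0o755)
        os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # flagged
        return root
    ```

    Run `audit_wp_permissions("/path/to/wordpress")` against a real install to list what a cache plugin, an upload handler or a dropped shell script could still write to.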
     
  17. findtim

    findtim Membership: VIP

    Joined:
    Dec 13, 2011
    Messages:
    7,407
    Likes Received:
    1,579
    auDA Member:
    Yes
    What else have I been doing in 2016 which has helped?
    Move login plugin, I saw instant results https://wordpress.org/plugins/sf-move-login/
    Change WP prefix, https://wordpress.org/plugins/db-prefix-change/, very simpleeeeee
    Wordfence, free version, take the time to look at setup instructions or watch a YouTube on it, block "admin" but also block the letters ".com", ".com.au"
    Sucuri, free version, it's pretty gutless but does give you some warnings, the "hardening" page is the best part of it.
    InfiniteWP is good, just make sure you have allocated enough space on your server to hold at least 3 backups.
    Don't let the website owner use their name as admin login + use nickname field for posts "team, staff, owner, kangaroo :)"

    tim
     
    Christopher likes this.
  18. Christopher

    Christopher Membership: Community

    Joined:
    Jun 13, 2014
    Messages:
    467
    Likes Received:
    178
    Don't use the admin role at all for posting. If it's your site or a client's, set up an editor account. If that gets hacked into, because it is the one posting, there is not much they can do, except delete posts, which you would have a backup of. And never log into your site as admin on an open or free wifi hotspot. Even most private wifi routers broadcast some packets in plain text. When you log in via standard FTP the credentials can be intercepted. So hence have an editor role for content production.
     
  19. robert

    robert Membership: Community

    Joined:
    Sep 24, 2014
    Messages:
    258
    Likes Received:
    179
    auDA Member:
    Yes
    I swear by the WordFence plugin (set up correctly and change login attempts to 3 and reset every 10 days) and also as Johnno said, never leave ADMIN as the login. I literally have THOUSANDS of attacks every day across 120 WordPress sites and WordFence never fails me.
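    The auto-block behaviour several posters describe (Wordfence tripping after a handful of bad logins from one address) as a log-side detection, written here as an added example and not code from this thread or from Wordfence. It runs over constructed Apache-style access log lines and assumes WordPress's usual behaviour of answering a failed wp-login.php POST with a 200 (form re-rendered) and a successful one with a 302 redirect; the threshold and window defaults mirror the "3 attempts" setting mentioned above.

    ```python
    import re
    from collections import defaultdict, deque
    from datetime import datetime, timedelta

    # Constructed sample access log (documentation IP ranges, not real traffic).
    # 203.0.113.7: four failures in six seconds; 198.51.100.9: one successful login;
    # 192.0.2.44: three failures an hour apart, i.e. slow enough to dodge a short window.
    SAMPLE_LOG = """\
    203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
    203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
    203.0.113.7 - - [10/Mar/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
    203.0.113.7 - - [10/Mar/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
    198.51.100.9 - - [10/Mar/2016:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
    198.51.100.9 - - [10/Mar/2016:10:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
    192.0.2.44 - - [10/Mar/2016:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
    192.0.2.44 - - [10/Mar/2016:11:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
    192.0.2.44 - - [10/Mar/2016:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3425 "-" "Mozilla/5.0"
    """

    LOG_RE = re.compile(
        r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
    )
    TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


    def find_login_bruteforce(log_text, threshold=3, window_seconds=600):
        """Return {ip: time_first_flagged} for source IPs that accumulate
        `threshold` failed wp-login.php POSTs inside a sliding window."""
        window = timedelta(seconds=window_seconds)
        recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
        flagged = {}
        for line in log_text.splitlines():
            m = LOG_RE.match(line)
            if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
                continue
            if m["status"] != "200":  # 302 is the successful-login redirect, not a failure
                continue
            ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FORMAT)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that have aged out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
        return flagged
    ```

    The slow attacker in the sample only shows up when the window is widened to a few hours, which is why the posters above pair a low attempt count with a long block or reset period rather than relying on a short window alone.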