
Best practices to keep wordpress site secure

Discussion in 'Web Design' started by GoogleMarketing101, Mar 20, 2012.

  1. GoogleMarketing101

    GoogleMarketing101 Regular Member

    Joined:
    Nov 20, 2008
    Messages:
    378
    Likes Received:
    28
    Occupation:
    Guru
    Location:
    Orlando, FL
    I've had a nasty string of clients' sites I set up getting hit by viruses. Does anyone have any ways that they ensure that this will be less likely to happen to their websites? Hopefully there's a plugin I don't know about.
     
  2. dunker

    dunker Newbie

    Joined:
    Jun 16, 2010
    Messages:
    15
    Likes Received:
    1
    It's absolutely crucial that you always keep your WordPress installations up to date.

    Keeping them up to date got much easier with version 2.9+ (if memory serves me right), and you can update your WordPress installation by clicking one button in the admin panel.

    What WordPress versions are you currently using?
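dunker's point about staying current is easy to check from the shell. The script below is an added example for this thread, not something the poster or WordPress ships; it assumes the standard wp-includes/version.php layout (`$wp_version = '3.3.1';`) and that you supply the current release number yourself (WordPress publishes it at https://api.wordpress.org/core/version-check/1.7/). The version comparison is done component by component rather than with sort -V so it works on any POSIX sh.

```shell
#!/bin/sh
# Added example: read the installed WordPress version and compare it with a reference release.
# Assumes DIR/wp-includes/version.php contains a line like: $wp_version = '3.3.1';

# installed_version DIR -> prints the value of $wp_version, or nothing if the file is missing
installed_version() {
    sed -n "s/^\\\$wp_version = ['\"]\([^'\"]*\)['\"];.*/\1/p" "$1/wp-includes/version.php" 2>/dev/null
}

# version_lt A B -> exit 0 when dotted version A is older than B (3.3 < 3.3.1, 3.9 < 3.10).
# A non-numeric suffix such as "-beta1" is ignored, so pre-releases compare as their base number.
version_lt() {
    lhs=$1
    rhs=$2
    while [ -n "$lhs" ] || [ -n "$rhs" ]; do
        x=${lhs%%.*}; x=${x%%[!0-9]*}; [ -n "$x" ] || x=0   # numeric prefix of this component
        y=${rhs%%.*}; y=${y%%[!0-9]*}; [ -n "$y" ] || y=0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $lhs in *.*) lhs=${lhs#*.} ;; *) lhs= ;; esac
        case $rhs in *.*) rhs=${rhs#*.} ;; *) rhs= ;; esac
    done
    return 1
}

# check_update DIR LATEST -> prints a status line; exit 1 if DIR is behind LATEST, 2 if unreadable
check_update() {
    have=$(installed_version "$1")
    if [ -z "$have" ]; then
        echo "UNKNOWN: no readable wp-includes/version.php under $1"
        return 2
    fi
    if version_lt "$have" "$2"; then
        echo "OUTDATED: $1 runs $have, current release is $2"
        return 1
    fi
    echo "OK: $1 runs $have"
    return 0
}
```

Run it as `check_update /var/www/client-site 3.3.1` for each site in a loop; a non-zero exit is what you key a cron alert on, since a hosting account with a dozen client installs is exactly where one forgotten copy stays unpatched.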
     
  3. marketstud

    marketstud Junior Member

    Joined:
    Sep 19, 2010
    Messages:
    111
    Likes Received:
    104
    Location:
    Houston
    I use wp secure, login lock and secure login (not sure of the name here).

    I also don't use admin as a username.

    Would love for others to chime in. I recently found one of my sites had a mal file on them. Think it was because of the timthumb exploit. There's also a plugin to update and fix that. Just search timthumb.

    Any other suggestions peeps?
     
  4. marketstud

    marketstud Junior Member

    Joined:
    Sep 19, 2010
    Messages:
    111
    Likes Received:
    104
    Location:
    Houston
    Oh also thought I'd chime in that popup domination has been screwing my sites to hell. I just uninstalled it from every site. I couldn't figure out what was wrong with my sites until I started deleting plugins one by one. Which was not fun. It literally took my whole site down after an update.

    Since then I've started using wpclone to backup sites. It's amazing to say the least and really really helpful. Especially if you wanted to switch domains. Takes the headache out of manually changing wordpress configuration files.
     
  5. derfall

    derfall Registered Member

    Joined:
    Dec 27, 2009
    Messages:
    61
    Likes Received:
    81
    I've posted this elsewhere on BHW re: hacked sites. Go to my site secure-your-website dot com. Read "my written instructions" via a link towards the bottom. If you PM me, I'll give you everything you need at no charge to secure the sites.
     
  6. geist7

    geist7 Newbie

    Joined:
    May 1, 2012
    Messages:
    31
    Likes Received:
    4
    Keep WP up to date and use crazy passwords, stuff like P0uSzu~d
     
  7. jazzc

    jazzc Moderator Staff Member Moderator Jr. VIP

    Joined:
    Jan 27, 2009
    Messages:
    2,468
    Likes Received:
    10,143
    Yes, but not only 8 characters ;)
     
  8. nonin

    nonin Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 26, 2010
    Messages:
    729
    Likes Received:
    497
    Gender:
    Male
    Location:
    I connect dots..
    Use all 6 of them - and you will be much, much safer!!

    1. Akismet

    2. Antispam for all fields - mark spam words


    Paste these basic spamwords:
    Code:
    *viagra*
    *drug*
    *casino*
    *porn*
    *pill*
    *.by*
    *PHENTERMINE*
    *penis*
    *SEOPlugins.org*
    *kamagra*
    *klonopin*
    *clonazepam*
    *mephedrone*
    *hydrochloride*
    *ritalin*
    *restoril*
    *temazepam*
    *mogadon*
    *lexotanil*
    *dormicum*
    *midazolam*
    *codeine*
    *lorazepam*
    *ativan*
    *erectile*
    *Amphetamine*
    *Anabolic Steroids*
    *Anorectic Drugs*
    *Barbiturates*
    *Benzodiazepines*
    *Butorphanol*
    *Buprenorphin*
    *Bufotenine*
    *Chloral Hydrate*
    *Coca Leaf*
    *Codeine*
    *Crack*
    *Depressants*
    *Dextropropoxyphene*
    *DET*
    *DOB*
    *DOM*
    *DXM*
    *Ecstasy*
    *Ephedrine*
    *Fentanyl Citrate*
    *Flunitrazepam*
    *Foxy*
    *GBL*
    *GHB*
    *Glutethimide*
    *Hallucinogens*
    *Hashish*
    *Hash Oil*
    *Heroin*
    *Hemp*
    *Hydrocodone*
    *Hydromorphone*
    *Ketamine*
    *Khat*
    *LAAM*
    *LSD*
    *Marijuana*
    *Magic Mushrooms*
    *MDA*
    *MDAI*
    *Mephedrone*
    *Meprobamate*
    *Mescaline*
    *Methadone*
    *Methamphetamine*
    *Methcathinone*
    *Methaqualone*
    *Meth Labs*
    *Methylphenidate*
    *Morphine*
    *Narcotics*
    *NEXUS*
    *Opium*
    *Opium Poppy*
    *Oxycodone*
    *OxyContin*
    *Paraldehyde*
    *PCP*
    *Pentazocine*
    *Peyote*
    *Prescription Drugs*
    *Ritalin*
    *Rohypnol*
    *Salvia Divinorum*
    *San Pedro Cacti*
    *STP*
    *Thebaine*
    *Tryptamines*
    *1,4 butane diol*
    *2C-B*
    *5MeO-AMT*
    3. Kitten's Spam Words

    4. User spam remover (removes users with 0 posts)

    5. WP-Ban - ban certain IP addresses


    Sample of a few banned IP addresses from one of my UK websites
    Code:
    120.56.135.188
    109.73.65.203
    122.173.44.12
    117.196.225.147
    117.196.246.65
    202.133.58.55
    41.113.20.70
    202.164.57.194
    173.192.232.169
    117.205.0.57
    41.92.153.19
    195.24.209.21
    195.24.208.143
    195.24.209.20
    195.24.209.22
    195.24.209.77
    195.24.209.86
    195.24.209.89
    195.24.209.96
    195.24.209.98
    195.24.209.99
    195.24.209.102
    195.24.209.103
    195.24.209.104
    195.24.209.105
    195.24.209.110
    195.24.209.117
    195.24.209.118
    195.24.209.126
    195.24.209.130
    195.24.209.134
    195.24.209.137
    195.24.209.138
    195.24.209.140
    195.24.209.149
    195.24.209.161
    195.24.209.166
    195.24.209.198
    195.24.209.202
    195.24.209.212
    195.24.209.225
    195.24.209.226
    195.24.209.228
    195.24.209.243
    195.24.210.14
    196.202.236.217
    41.205.25.120
    117.207.95.230
    122.175.35.3
    122.179.142.53
    117.199.112.254
    119.93.231.188
    117.207.84.65
    184.22.198.7
    116.71.54.50
    109.75.171.73
    
    6. WP-reCAPTCHA - no comments needed :)
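WP-Ban (item 5) only acts once PHP and WordPress have already loaded for the request; the same list is cheaper and more robust to enforce in the web server, and the same mechanism is the usual way to restrict wp-admin to known addresses. The script below is an added example, not part of nonin's post or of the WP-Ban plugin. It assumes Apache 2.4 `Require` syntax (2.2 uses `Order`/`Deny from` instead), validates each entry first, and the addresses in its comments and tests are RFC 5737 documentation ranges, not the list above.

```shell
#!/bin/sh
# Added example: turn a plain-text IP ban list into Apache 2.4 .htaccess fragments.
# Assumes a POSIX userland and Apache 2.4 "Require" directives.
# Sample addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) are documentation ranges.

# is_ipv4 ADDR -> exit 0 if ADDR is a syntactically valid dotted-quad IPv4 address
is_ipv4() {
    ip_addr=$1
    case $ip_addr in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, leading/trailing/double dots
    esac
    set -- $(printf '%s' "$ip_addr" | tr '.' ' ')  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_ips FILE -> print one validated address per line. Comments (#) and blanks are
# ignored; malformed entries are reported on stderr and dropped. Validation matters:
# one malformed "Require ip" line makes Apache reject the whole .htaccess and serve 500s.
valid_ips() {
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if is_ipv4 "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done < "$1"
}

# deny_block BANFILE -> fragment for the site root: everyone allowed except the banned list
deny_block() {
    printf '# blocked addresses (generated from %s)\n' "$1"
    printf '<RequireAll>\n    Require all granted\n'
    valid_ips "$1" | while IFS= read -r ip; do
        printf '    Require not ip %s\n' "$ip"
    done
    printf '</RequireAll>\n'
}

# admin_allow_block ALLOWFILE -> fragment for wp-admin/: only the listed addresses get in.
# admin-ajax.php is exempted because themes and plugins call it for anonymous visitors;
# locking it down silently breaks those front-end features.
admin_allow_block() {
    printf '# wp-admin/.htaccess: dashboard restricted to listed addresses\n'
    printf '<RequireAny>\n'
    valid_ips "$1" | while IFS= read -r ip; do
        printf '    Require ip %s\n' "$ip"
    done
    printf '</RequireAny>\n'
    printf '<Files "admin-ajax.php">\n    Require all granted\n</Files>\n'
}
```

Usage: `deny_block banned.txt >> .htaccess` in the document root and `admin_allow_block myips.txt > wp-admin/.htaccess`. Two caveats a practitioner should keep in mind: wp-login.php lives in the site root, not wp-admin/, so it needs its own `<Files "wp-login.php">` block with the same allow list; and if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address unless mod_remoteip is configured, so both lists silently stop matching.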
     
  9. Zapdos

    Zapdos Power Member

    Joined:
    Oct 22, 2011
    Messages:
    597
    Likes Received:
    708
    Location:
    Eastern North Carolina
    1) Keep it updated
    2) Watch security trackers for notices of holes that your site or server use and update the software for it
    3) Use 12+ character passwords with random generation. I use PasswordSafe to generate and store all my passwords which are normally 14+ characters long.
    4) Avoid using lots of add-ons. Just because many people have it doesn't mean the creator took all precautions to sanitize input.
    5) Don't use "nulled" scripts. They likely put their own backdoors in
    6) Password protect the admin directories using htaccess
    7) Block admin panel from all IPs except yours. Even better if you get a VPN and block all IPs except that.
    8) Backup your site every week or less. Keep multiple backups. If you don't change files a lot, do a diff on 2 backups and monitor for changes to see if anything was inserted silently.
    9) Disable anything you don't use.
    10) Consider auditing from PCI compliance companies like SecurityMetrics. They can scan your site to look for common pitfalls.
    11) Disable anonftp
    12) Don't use the same username and password as you do on other sites.
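Item 8 (diff two backups to catch silently inserted files) works better against a checksum baseline than against raw archives: a baseline is small, can be stored off the server, and a compare tells you exactly which paths were added, removed or altered. The script below is an added example, not Zapdos's own tooling; it assumes sha256sum (GNU) or shasum (BSD/macOS) plus standard find/sort/cut/comm, and the WordPress tree it is exercised against in testing is a constructed stand-in, not a real site.

```shell
#!/bin/sh
# Added example: a checksum baseline for a WordPress tree so two snapshots can be
# diffed for added, removed or modified files. Assumes sha256sum or shasum is installed.

# hash_file PATH -> "<sha256>  <path>" (coreutils format: 64 hex chars, two spaces, path)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# baseline DIR OUT -> checksum every regular file under DIR into OUT, paths relative to DIR.
# wp-content/cache is skipped because it churns legitimately; wp-content/uploads is kept
# on purpose, because that is where dropped PHP files usually land.
baseline() {
    bl_dir=$1
    bl_out=$2
    ( cd "$bl_dir" && find . -type f ! -path './wp-content/cache/*' -print \
        | LC_ALL=C sort \
        | while IFS= read -r f; do hash_file "$f"; done ) > "$bl_out"
}

# compare OLD NEW -> one line per difference: "ADDED <path>", "REMOVED <path>", "MODIFIED <path>"
compare() {
    cmp_tmp=$(mktemp -d)
    LC_ALL=C sort "$1" > "$cmp_tmp/old"
    LC_ALL=C sort "$2" > "$cmp_tmp/new"
    # path lists (everything after the hash and its two spaces), sorted for comm
    cut -c67- "$cmp_tmp/old" | LC_ALL=C sort > "$cmp_tmp/old.paths"
    cut -c67- "$cmp_tmp/new" | LC_ALL=C sort > "$cmp_tmp/new.paths"
    comm -13 "$cmp_tmp/old.paths" "$cmp_tmp/new.paths" | sed 's/^/ADDED    /'
    comm -23 "$cmp_tmp/old.paths" "$cmp_tmp/new.paths" | sed 's/^/REMOVED  /'
    # a hash+path line present only in NEW whose path already existed in OLD means the content changed
    comm -13 "$cmp_tmp/old" "$cmp_tmp/new" | cut -c67- | LC_ALL=C sort > "$cmp_tmp/changed.paths"
    comm -12 "$cmp_tmp/old.paths" "$cmp_tmp/changed.paths" | sed 's/^/MODIFIED /'
    rm -rf "$cmp_tmp"
}

# php_in_uploads DIR -> list PHP files under wp-content/uploads; a clean install has none,
# so anything reported here deserves a look even if it predates your first baseline
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}
```

Take the first baseline right after a clean install or update (`baseline /var/www/site ~/baselines/site-$(date +%F).sha256`), keep it off the web server, and run `compare` from cron. Legitimate updates show up as a burst of MODIFIED core files; a single ADDED .php under uploads/ or a MODIFIED index.php with no update in between is the pattern the thread is describing.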
     
  10. aa026

    aa026 Newbie

    Joined:
    Apr 10, 2012
    Messages:
    15
    Likes Received:
    2
    Some good info, thanks a lot