
Wordpress Security

Discussion in 'BlackHat Lounge' started by MaxWeber, Sep 29, 2010.

  1. MaxWeber

    MaxWeber Regular Member

    Joined:
    May 26, 2008
    Messages:
    267
    Likes Received:
    5,133
    It is time to update the security on WP.

    Could some of the more tech savvy / coders please comment and
    advise our members on the best of the following suggestions,
    or indeed please feel free to add your own suggestions to help with Wordpress security.
    I found these:

    Code:
    http://wordpress.org/extend/plugins/tac/
    
    http://wordpress.org/extend/plugins/wp-security-scan/
    
    http://wpantivirus.com/
    
    http://www.seoegghead.com/software/wordpress-firewall.seo
    
    http://ocaoimh.ie/exploit-scanner/
    
    http://wordpress.org/extend/plugins/exploit-scanner/
    Specifically, I want to know which is the most recommended,
    and if there are any compatibility issues etc...
     
  2. royalmice

    royalmice BANNED

    Joined:
    Aug 23, 2007
    Messages:
    1,186
    Likes Received:
    982
    Hi

    I personally use Login LockDown - A WordPress Enhanced Login Security Plugin

    Below the description from their website:

    Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.

    Version 1.5 released - Implemented wp_nonce security in the options and lockdown release forms in the admin screen. Fixed a security hole with an improperly escaped SQL query. Encoded certain outputs in the admin panel using esc_attr() to prevent XSS attacks. Fixed an issue with the 'Lockout Invalid Usernames' option not functioning as intended.

    Installation instructions:

    1. Extract login-lockdown.1.5.zip into your plugins directory into its own folder
    2. Activate the plugin in the Plugin options.
    3. Customize the settings from the Options panel, if desired.

    Requires at least WordPress 2.5, tested up to 2.8.6

    http://www.bad-neighborhood.com/login-lockdown.1.5.zip
     
    • Thanks x 1
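The lockout rule in the description quoted above (3 failed attempts within 5 minutes from one IP range, 1 hour lock, manual release) is easy to get subtly wrong, so here it is as an added, stand-alone example. This is not Login LockDown's own code: the plugin runs as PHP inside WordPress, while this is a Python model of the same logic replayed over a constructed list of login attempts. Treating the plugin's "IP block" as a /24 network, using seconds-since-epoch timestamps, and the sample attempts themselves are all assumptions made for the demo.

```python
"""Sliding-window login lockout modelled on the Login LockDown description.

Added example, not the plugin's code. Defaults mirror the description:
3 failures within 5 minutes from the same IP range lock that range for 1 hour.
Assumptions: the "IP block" is a /24, timestamps are seconds since epoch.
"""
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60
RANGE_PREFIX = 24  # assumption: the plugin's "IP block" is modelled as a /24


def ip_range(ip: str) -> str:
    """Collapse an address to its /24 so rotating hosts inside one block does not evade the counter."""
    return str(ipaddress.ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))


class LoginLockdown:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)  # range -> timestamps of recent failed attempts
        self.locked_until = {}             # range -> time at which the lock expires

    def is_locked(self, ip: str, now: int) -> bool:
        rng = ip_range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]  # lock has expired; forget it
            return False
        return True

    def record_failure(self, ip: str, now: int) -> bool:
        """Record a failed login; return True if this failure triggered a lockout."""
        rng = ip_range(ip)
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[rng] if t > now - self.window]
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            self.failures[rng] = []  # counter restarts after the lock
            return True
        return False

    def release(self, ip: str) -> None:
        """Manual release of a locked range, as the admin panel allows."""
        self.locked_until.pop(ip_range(ip), None)

    def attempt(self, ip: str, password_ok: bool, now: int) -> str:
        """Gate one login attempt: 'locked', 'ok', 'failed' or 'locked_now'."""
        if self.is_locked(ip, now):
            return "locked"  # even a correct password is refused while locked
        if password_ok:
            return "ok"
        return "locked_now" if self.record_failure(ip, now) else "failed"


# Constructed sample of login attempts: (timestamp, source ip, password_ok).
SAMPLE_ATTEMPTS = [
    (0,    "203.0.113.10", False),
    (60,   "203.0.113.11", False),   # same /24, different host
    (120,  "203.0.113.12", False),   # third failure within 5 min: lock the /24
    (130,  "203.0.113.10", True),    # correct password, but the range is locked
    (130,  "198.51.100.7", True),    # unrelated range is unaffected
    (3730, "203.0.113.10", True),    # 1 hour lock has expired
]


def replay(attempts=SAMPLE_ATTEMPTS):
    """Run the attempts through a fresh lockout instance and return each verdict."""
    ld = LoginLockdown()
    return [ld.attempt(ip, ok, ts) for ts, ip, ok in attempts]


if __name__ == "__main__":
    for (ts, ip, ok), verdict in zip(SAMPLE_ATTEMPTS, replay()):
        print(f"t={ts:5d} {ip:15s} password_ok={ok!s:5s} -> {verdict}")
```

Two details worth noticing when reading the replay: a correct password from a locked range is still refused until the lock expires (that is the whole point, and it is also why the manual release exists), and a failure from a third host in the same /24 counts against the block, which is what stops an attacker from spreading attempts across a handful of addresses.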
  3. MaxWeber

    MaxWeber Regular Member

    Joined:
    May 26, 2008
    Messages:
    267
    Likes Received:
    5,133
    @royalmice
    thanks +rep for good solid advice.
    I will look into that.
    Cheers.

    anyone else got an opinion on this???
    I would like to have many advisors on this for our members.
     
  4. giansim

    giansim Registered Member

    Joined:
    Nov 4, 2009
    Messages:
    99
    Likes Received:
    17
    Hi,

    Thanks for this post! I always wanted to protect my WP and really don't know how =)

    Gian Sim
     
  5. Daniel0cean

    Daniel0cean Regular Member

    Joined:
    Aug 18, 2010
    Messages:
    477
    Likes Received:
    119
    Occupation:
    Freelance WebMaster
    Location:
    OnLine
    all free ones are mainly useless
     
  6. MaxWeber

    MaxWeber Regular Member

    Joined:
    May 26, 2008
    Messages:
    267
    Likes Received:
    5,133
    Thanks for that...
    but could you recommend the 3 best paid ones? please?
     
  7. topsytips

    topsytips Regular Member

    Joined:
    Aug 11, 2008
    Messages:
    334
    Likes Received:
    234
    Occupation:
    Self Employed
    Location:
    UK
    I also use Login LockDown but was advised on another thread (sorry, can't find which) that most of the security loopholes are in "scripts / code", and it is these defaults which are exploited rather than attempting to login.

    WP Security Scan is what I was recommended, plus also always updating your WP to the latest version.

    What can also happen is that subtle, but malicious code is added to your files which may not be easily apparent.
     
    • Thanks x 1
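The point in the last post, that injected code is "not easily apparent", is what the exploit-scanner plugins listed at the top of the thread address: compare the files on disk against a known-good baseline and look for constructs that clean themes rarely contain. The following added example shows both checks in Python on a constructed miniature "site" in a temporary directory; it is not the code of any plugin named in this thread, and the baseline format, the three regex patterns and the sample PHP files are all assumptions made for the demo.

```python
"""File-integrity baseline plus a crude pattern scan for injected PHP.

Added example, not the code of WP Security Scan or the exploit-scanner plugins.
The patterns, the baseline format and the sample files are constructed for the demo.
"""
import hashlib
import os
import re
import tempfile

# Constructs that commonly appear in injected code and rarely in clean themes or plugins.
SUSPICIOUS_PATTERNS = {
    "eval of decoded payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace /e modifier": re.compile(           # /e executes the replacement as PHP
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
    "request data passed to eval/assert": re.compile(
        r"\b(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map of relative path (forward slashes) -> sha256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def diff_baseline(old, new):
    """Split the two baselines into added, removed and modified paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def scan_text(text):
    """Names of the suspicious patterns that match anywhere in the text."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]


def scan_file(path):
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


# Constructed sample files: a clean footer, the same footer with an injected line,
# and a dropped backdoor that executes whatever is POSTed to it.
CLEAN_FOOTER = "<?php\n// theme footer\nwp_footer();\n?>\n"
INFECTED_FOOTER = CLEAN_FOOTER + "<?php eval(base64_decode('aGVsbG8=')); ?>\n"
BACKDOOR = "<?php if (isset($_POST['c'])) { assert($_POST['c']); } ?>\n"


def demo():
    """Baseline a tiny site, simulate a compromise, and report what the checks find."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        write(os.path.join(theme, "footer.php"), CLEAN_FOOTER)
        write(os.path.join(theme, "style.css"), "/* demo theme */\n")
        before = baseline(root)          # taken when the install is known to be clean
        # Simulated compromise: one file modified in place, one new file dropped.
        write(os.path.join(theme, "footer.php"), INFECTED_FOOTER)
        write(os.path.join(root, "wp-content", "uploads.php"), BACKDOOR)
        after = baseline(root)
        added, removed, modified = diff_baseline(before, after)
        # Only the changed files need a content scan; the rest match the baseline.
        findings = {p: scan_file(os.path.join(root, p)) for p in added + modified}
        return added, removed, modified, findings


if __name__ == "__main__":
    added, removed, modified, findings = demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
    for path, hits in findings.items():
        print(f"{path}: {', '.join(hits) or 'no pattern match'}")
```

Two caveats when using this on a real install: the baseline is only trustworthy if it was taken from a clean copy (the distribution zip, not a site that may already be infected), and the pattern list catches the lazy injections, not a careful one; the hash comparison is the check that does not depend on guessing what the attacker wrote.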