Wordpress security

Discussion in 'Web Hosting' started by Lionel36, Nov 10, 2016.

  1. Lionel36

    Lionel36 Registered Member

    Joined:
    Nov 1, 2016
    Messages:
    50
    Likes Received:
    1
    How do you protect your Wordpress websites?
     
  2. SharkServers

    SharkServers Jr. VIP Jr. VIP

    Joined:
    Jun 29, 2014
    Messages:
    406
    Likes Received:
    194
    Occupation:
    Web Hosting
    Location:
    DMCA? Pff! www.SuckMyBallsDM.CA
    Home Page:
    The most obvious thing would be to keep Wordpress, all plugins and themes updated. Once that is taken care of, the next thing to look at is to avoid use of any nulled stuff - many people use nulled plugins or themes for Wordpress as they're free. But there's a catch - many of these are infected with malware, and you'll only end up with a hacked site after a while - definitely not worth it. One more thing to mention - Wordfence - a Wordpress plugin for security. This analyzes your site for changes to Wordpress core files, which may indicate that your site is infected with malware or other bad stuff. Once you get an alert, you can easily delete the affected file, or restore it with the original from Wordpress repositories.

    There are many other things to consider regarding WP security, but this has been talked about a lot. There are also some recommendations at https://codex.wordpress.org/Hardening_WordPress
     
  3. Infiltrated What

    Infiltrated What BANNED BANNED

    Joined:
    Nov 10, 2016
    Messages:
    15
    Likes Received:
    1
    Gender:
    Male
    By password locking the administration panel. Like a website here in Chengdu, China.
     
  4. ankit03

    ankit03 Jr. VIP Jr. VIP

    Joined:
    Apr 3, 2016
    Messages:
    1,278
    Likes Received:
    114
    install login lockdown
     
  5. ScissorBlake

    ScissorBlake Newbie

    Joined:
    Oct 28, 2016
    Messages:
    42
    Likes Received:
    3
    Gender:
    Male
    Keeping the CMS updated, not using suspicious themes and plugins, not using the 'admin' username.
     
  6. darulez

    darulez Jr. VIP Jr. VIP

    Joined:
    Mar 12, 2013
    Messages:
    2,221
    Likes Received:
    684
    Gender:
    Female
    Occupation:
    Waiting 36 days till I can stick it in
    Location:
    Walhalla
    Lockdown hasn't been updated in years ...
    Use some 8-digit cryptic pw

    I wrote a full ebook on how to harden WP... But it's in German :(
     
  7. Bloggeradamsmith

    Bloggeradamsmith Regular Member

    Joined:
    Feb 4, 2016
    Messages:
    335
    Likes Received:
    41
    Gender:
    Male
    Location:
    Around BHW
    Don't use the common user name for your WordPress. Change your password once every 15 days :)
     
  8. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    871
    Likes Received:
    3,292
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    get a real web site. :D
     
  9. Ethan Henry

    Ethan Henry Newbie

    Joined:
    Aug 19, 2016
    Messages:
    12
    Likes Received:
    2
    Gender:
    Male
    Install limit login attempts plugins. Use numbers, special characters and caps in the password and change the password periodically.
     
  10. Juneja

    Juneja Supreme Member

    Joined:
    Jun 12, 2016
    Messages:
    1,441
    Likes Received:
    191
    Gender:
    Male
    Don't use common username and limit login attempts.
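    Several replies above recommend limiting login attempts. As an added example (not from any poster in this thread), the following POSIX shell script counts POST requests to wp-login.php and xmlrpc.php per source address in an Apache combined access log, which lets a site owner see from the log whether a lockdown plugin is needed or working. The log lines are constructed and the threshold of 5 is an assumed cut-off.

```shell
#!/bin/sh
# Added example, not from any poster: count POSTs to the WordPress login
# endpoints per source address in an Apache combined access log and report
# addresses at or above a threshold. Log lines are constructed; THRESHOLD is
# an assumed cut-off, not a value from any plugin.

THRESHOLD=5

# usage: wp_bruteforce_report <access.log> [threshold]
# Prints "count ip path" for each (ip, path) pair at or above the threshold.
# Only POSTs count: a password attempt is a POST, viewing the form is a GET.
wp_bruteforce_report() {
    awk -v limit="${2:-$THRESHOLD}" '
        $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") {
            hits[$1 " " $7]++
        }
        END { for (k in hits) if (hits[k] >= limit) print hits[k], k }
    ' "$1" | sort -rn
}

# One combined-format line; the timestamp is fixed because only counts matter.
logline() {
    printf '%s - - [10/Nov/2016:10:00:00 +0000] "%s %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' \
        "$1" "$2" "$3"
}

make_sample_log() {   # constructed log: two noisy addresses, one normal visitor
    f=$(mktemp)
    {
        i=0; while [ $i -lt 8 ]; do logline 203.0.113.7 POST /wp-login.php; i=$((i+1)); done
        i=0; while [ $i -lt 6 ]; do logline 198.51.100.9 POST /xmlrpc.php; i=$((i+1)); done
        logline 192.0.2.4 GET /wp-login.php     # opens the form
        logline 192.0.2.4 POST /wp-login.php    # one real login
        logline 192.0.2.4 GET /wp-content/uploads/logo.png
    } > "$f"
    echo "$f"
}

log=$(make_sample_log)
wp_bruteforce_report "$log"
rm -f "$log"
```

Point it at the real access log (for example /var/log/apache2/access.log) and adjust the threshold to the site's normal login volume; the single real login from 192.0.2.4 stays below the cut-off.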
     
  11. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Joined:
    Apr 2, 2008
    Messages:
    871
    Likes Received:
    3,292
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    don't force anyone to log in before they can make comments.
    let people post comments and then check them for spam.
     
  12. towelfox

    towelfox Junior Member

    Joined:
    Jan 11, 2012
    Messages:
    173
    Likes Received:
    55
    Did you mean to type that into Google? If you had you'd have come up with some great resources to read.

    You need to think outside of the WordPress install too. You can do all you like to secure your own site but if there are other sites or services present on the box then they pose a risk too.

    Best thing you can probably do is do some reading and always keep backups stored away from the site and in multiple locations.
     
  13. dabandit

    dabandit Junior Member

    Joined:
    Feb 21, 2008
    Messages:
    140
    Likes Received:
    50
    Mod Security + Suhosin.
     
  14. BuildMoreLinks

    BuildMoreLinks Jr. VIP Jr. VIP Premium Member

    Joined:
    Jun 7, 2012
    Messages:
    2,032
    Likes Received:
    682
    the best bet would be using a really long password and also limiting the access of the /admin folder through a particular static IP only. Also keeping everything else updated.
     
  15. Ablehost

    Ablehost Newbie

    Joined:
    Dec 14, 2016
    Messages:
    19
    Likes Received:
    5
    Gender:
    Male
    Practically follow almost all of the advice listed above from everyone. An ounce of prevention is worth more than a pound of cure. And always, ALWAYS back everything up as well whenever you can, so if the worst does happen, you're able to move without skipping a beat. Not only that, but make sure you keep an offline notebook with passwords and usernames and stuff.
     
  16. markantos

    markantos Junior Member

    Joined:
    Sep 4, 2015
    Messages:
    135
    Likes Received:
    25
    Do all the above and don't forget to use ithemes security pro or any other plugin that forces two factor authentication. You have no idea how many password attempts this one trick solved.
     
  17. greyhats

    greyhats Junior Member

    Joined:
    Jun 2, 2012
    Messages:
    184
    Likes Received:
    43
    Here's what I would do to increase WordPress security.

    Buy your theme/plugin instead of downloading it illegally. Use strong passwords for your personal email account, database and hosting account.

    WordPress Setup
    1. unique password - changed weekly
    2. change table prefix wp_

    Create new user
    change admin username with strong password
    UPDATE wp_users SET user_login = 'newusername' WHERE user_login = 'admin';
    change default admin id to xxxx

    Disable user registration if not needed
    Settings -> General and make sure the “Anyone can register” box is unchecked.

    Delete readme.html and install.php

    Add blank index.php files where needed
    wp-includes
    wp-content
    wp-content/plugins
    wp-content/themes
    wp-content/uploads

    .htaccess on website root folder
    1. hide .htaccess and wp-config
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    2. Protect /wp-includes/
    # Block the include-only files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    3. To prevent people from browsing the content of your directories
    Options All -Indexes

    4. protect the .htaccess file itself
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    create .htaccess on /wp-admin/
    1. create a separate .htaccess file and upload it to the /wp-admin/ directory
    order deny,allow
    allow from 192.168.5.1
    deny from all

    2. for /wp-login/
    <Files wp-login.php>
    order deny,allow
    Deny from all
    # allow access from my IP address
    allow from 192.168.5.1
    </Files>

    3. protect the .htaccess file itself
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    create .htaccess on /wp-content/
    1. protect wp-content but allow XML, CSS, Javascript, and images, to be processed
    order deny,allow
    deny from all
    <files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    allow from all
    </files>

    2. disabling PHP file execution in /wp-content/uploads/
    <Files *.php>
    deny from all
    </Files>

    *note: Be aware that this code has been known to break some WordPress themes as it does not allow PHP to be executed; particularly themes that use timthumb.php.

    3. protect the .htaccess file itself
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    wp-config setup
    1. add salt to wp-config https://api.wordpress.org/secret-key/1.1/salt/

    2. # Enable all core updates, including minor and major:
    define( 'WP_AUTO_UPDATE_CORE', true );

    3. Disable file editing
    define('DISALLOW_FILE_EDIT', true);

    4. Turn Off PHP Error Reporting
    error_reporting(0);
    @ini_set('display_errors', 0);

    Using Correct File Permissions
    1. All directories should be 755
    2. All files should be 644
    3. wp-config.php should be 400
    4. .htaccess should be 400

    Remove the WordPress Version Number
    You can do this by adding the following code to the top of your theme functions.php file:
    remove_action('wp_head', 'wp_generator');

    Limit login attempt
    http://wordpress.org/plugins/login-lockdown/

    Disable XML-RPC
    http://wordpress.org/plugins/disable-xml-rpc-pingback/

    two-step authentication
    http://wordpress.org/plugins/google-authenticator/

    add captcha:
    https://wordpress.org/plugins/google-captcha/

    back up plugin:
    https://wordpress.org/plugins/updraftplus/

    Use cloudflare
    https://www.cloudflare.com/
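    The cleanup and file-permission steps in the post above can be checked rather than trusted. Added example, not from greyhats or from WordPress: a POSIX shell audit that reports leftover readme.html/install.php, content directories missing a blank index.php, and directories or files whose mode differs from the values listed (755, 644, 400 for wp-config.php and .htaccess). Modes are compared exactly, which assumes a hosting setup where those exact values are correct; the sample tree it builds is constructed with four deliberate mistakes.

```shell
#!/bin/sh
# Added example, not from the post or from WordPress: audit a WordPress tree
# against the steps above (delete readme.html/install.php, blank index.php in
# content dirs, dirs 755, files 644, wp-config.php and .htaccess 400).
# Modes are compared exactly; the sample tree below is constructed.

wp_audit() {   # usage: wp_audit <wordpress-root>; prints one finding per line
    root="$1"
    # 1. leftover installer and readme files (version disclosure, reinstall)
    for f in readme.html wp-admin/install.php; do
        [ -e "$root/$f" ] && echo "REMOVE   $f"
    done
    # 2. directories that should carry a blank index.php against listing
    for d in wp-includes wp-content wp-content/plugins \
             wp-content/themes wp-content/uploads; do
        [ -d "$root/$d" ] && [ ! -e "$root/$d/index.php" ] && echo "NOINDEX  $d"
    done
    # 3. wp-config.php and .htaccess: owner read only
    for f in wp-config.php .htaccess; do
        [ -e "$root/$f" ] && [ -n "$(find "$root/$f" ! -perm 400)" ] && echo "PERM400  $f"
    done
    # 4. everything else: directories 755, files 644
    find "$root" -type d ! -perm 755 | sed "s|^$root/|DIR755   |"
    find "$root" -type f ! -name wp-config.php ! -name .htaccess ! -perm 644 \
        | sed "s|^$root/|FILE644  |"
    return 0
}

make_sample_tree() {   # constructed tree with four deliberate mistakes
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/plugins" \
             "$root/wp-content/themes" "$root/wp-content/uploads"
    touch "$root/index.php" "$root/wp-config.php" "$root/.htaccess" \
          "$root/readme.html" "$root/wp-includes/index.php" "$root/wp-content/index.php" \
          "$root/wp-content/plugins/index.php" "$root/wp-content/themes/index.php"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 400 "$root/.htaccess"
    chmod 777 "$root/wp-content/uploads"   # mistake: world-writable upload dir
    # also left wrong on purpose: readme.html present, wp-config.php at 644,
    # no index.php in wp-content/uploads
    echo "$root"
}

sample=$(make_sample_tree)
wp_audit "$sample"
rm -rf "$sample"
```

Run wp_audit against the real document root after applying the post's steps; an empty report means every listed item is in place.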
     
  18. stack paper

    stack paper Jr. VIP Jr. VIP

    Joined:
    Jan 24, 2008
    Messages:
    525
    Likes Received:
    241
    Occupation:
    Analog Nomad
    Location:
    Reddit / Chiang Mai
    Home Page:
    +1 for Wordfence. Great plugin.
     
  19. kaban

    kaban Newbie

    Joined:
    Oct 1, 2016
    Messages:
    31
    Likes Received:
    7
    Gender:
    Male
    There is no such plugin or website antivirus that can give you 100% protection. Here is what I would suggest:
    Add custom login URL to admin:

    Change Admin username:

    Block Brute Force Attacks:

    NEVER USE nulled themes downloaded from suspicious websites. Never use shared hosting. Always keep your website up to date.
     
  20. GabrelW

    GabrelW Newbie

    Joined:
    Feb 27, 2015
    Messages:
    16
    Likes Received:
    1
    WHUK Site Scanner is a website vulnerability scanner with the ability to detect vulnerabilities in a website and its code, which may lead to website data problems and security issues. WHUK Site Scanner is also capable of inspecting server settings, Trojans, viruses, malware etc. and has various scanning options like SQL, LFI, RFI, MALWARE and INSTANT scan etc. WHUK Site Scanner also looks after your website's healthy reputation by checking whether it is blacklisted by Google, Real Time Black Hole List check (RBL), Clean MX, SURBL, Malware Patrol (Mpatrol), PhishTank and generates reports for the same.
    Visit the page for more details - https://www.webhosting.uk.com/website-scanner.php