Wordpress security

wordpress

#1

Hi there,

Currently, I own two (2) website regarding to wordpress foundation. Both of them is running well and help me get more customer (website selling)
However, I need some tool / plugin enough power to protect my site. I am afraid of one day my website will be attacked and whole our company stop working
therefore any advices please let me know


#2

I don’t use any WP security plugins.

I upgrade WP regularly (within hours of a new release). I upgrade plugins and themes similar. I only use code from trusted sites and people. I don’t use weak passwords.

If this is your company, I would suggest doing the same, and possibly using SSL for logging in.


#3

I do not use any plugins either.

A couple of things (in addition to the above):

http://perishablepress.com/5g-blacklist-2012/ ( I seem to remember learning about that from you,Ipstenu. Do you still use that?)

Changing the login page from wp-login to something different has prevented a lot of brute-force login attempts that were causing my memory go crazy. I imagine this will need to be updated, but for the last several months has been working fine:

http://www.firsttracksmarketing.com/webs...tacks.html


#4

I use the 5G firewall on sites that aren’t behind my own firewall server. :slight_smile: It’s great.


#5

l’m running akismet and upgrade as mentioned


#6

If you’re going to use one, I suggest Better WP Security because I know those devs and the just hired Aaron Campbell, who actually lead a WP core release cycle, so you KNOW he knows WP :slight_smile:

Still, you actually don’t need one if you’re careful about which themes and plugins you use, and security scan them.


#7

WordPress seems to be the new target nowadays for every hacker on the planet.

I don’t use WordPress… however I see WP hack attempts in my logs by the hundreds every single day. I use mod_rewrite code to serve them a small custom 403 error page, then I block the IP range they’re coming from.

IMO most of these hacks are coming from compromised accounts at various hosting companies, including Dreamhost itself. Occasionally I email the abuse dept at these hosting companies and most often get a reply saying the abusing account has been shut down.

You can actually buy lists of compromised accounts, complete with a c-panel for managing your nefarious intentions


#8

I don’t think ‘New’ is the right word. It’s been a target for the last few years.

The problem is people DON’T update WordPress and their plugins, and they’re not using secure ones. Like, last week there was a guy who bought a ‘nulled’ theme (you know the kind you get NOT from the developer, but some back alley?) and was shocked to find out he’d been hacked from it.

And to that and, I say again, the issue is not WordPress itself, it’s what you add on to it.

I get WP hack attempts on things like timthumb all the time too. I don’t use it. It’s not in my themes or plugins. But still, people know that folks aren’t using the latest versions and they target it.

All the security plugins in the world won’t help you if you’re not careful with what you install on your website.