WordPress Security

Curious what methods/services/plugins people use to secure their WP sites, aside from keeping the site updated to the most current version of WP. Here are some things I’ve currently got going on:

  • Change default table prefix
  • Don’t use ‘admin’ as default administrator username
  • Limit Login Attempts
  • Lockdown WP Admin
  • Simple Trackback Validation with Topsy Blocker along with a popular comment blacklist in settings
  • or, if a commenting system isn’t needed, Disable Comments
  • Disallow FTP
  • WP DB Manager to automate DB backups

Anyone use Wordfence? Anti-malware and brute-force security by Eli? Sucuri?

Interested in what other people have going on.

I use this:

Panel’s Extra Web Security (aka Mod Security)
Strong Passwords (1Password keeps track, I have no idea what my password is)
Disabled registration
Force SFTP only (same as disallow FTP really)
Some .htaccess redirects to punt Spammers

That’s it. No plugins. Instead I review every single plugin and theme before it’s installed and give it a real security look. But that’s something I’m lucky enough to be able to do :confused:

I’m curious about this:

Can you offer any specifics as to which directories and which .htaccess rules you are using? Thanks.

I use the 5G Blacklist htaccess from Perishable Press for WordPress… parts of it… Mashed up into other pieces I add in, and then stuff from HTML5 Boilerplate.

Looks like there is a 6G beta in the works as well as a 2013 IP Blacklist… http://perishablepress.com/2013-ip-blacklist/

and the 2014 Micro Blacklist http://perishablepress.com/2014-micro-blacklist/

There is also a comment word blacklist file here which looks pretty cool… for those people who use the commenting system… https://github.com/splorp/wordpress-comment-blacklist

The 5G firewall is bloody brilliant, as is splorp’s blacklist.

All the nitty gritty about my .htaccess for Apache 2.2 is here: http://halfelf.org/2013/my-super-secret-htaccess-file/

<IfModule mod_rewrite.c>
	# Stop spam attack logins and comments: a request for wp-comments-post.php
	# or wp-login.php that is not referred from one of my own sites, or that
	# carries an empty User-Agent, is bounced back to the requester's own address.
	RewriteEngine On
	RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
	RewriteCond %{HTTP_REFERER} !.*(example.com|example2.com).* [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
	ErrorDocument 403 "Access Forbidden"
</IfModule>

That’s the one most people like. It checks to make sure that you’re posting to wp-comments or wp-login from my sites, and NOT directly, which stops a lot of spam.

Nice. What do you use for backups? I’m kind of interested in using a shell script and cron but am sort of new at command line stuff. I found this which seems pretty interesting.

The site backup seems to work, but I’m having trouble getting the DB to back up. Wondering what people think of this, or how they would modify this.

I use a shell script and cron. http://halfelf.org/2014/local-backups/

Every day I log into my computer, it backs everything up :slight_smile:

Word. How safe is it to use a shell script up a level from the domain/user folder to get a gzipped backup of the files and database? What permissions should that shell script have?
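As an added example (not a script from this thread or from halfelf.org), here is a POSIX shell backup script of the kind the last question asks about: it is meant to live in a directory above the web root, writes a gzipped copy of the site files and a gzipped database dump with owner-only permissions, and assumes mysqldump reads its credentials from a 0600 ~/.my.cnf; DB_NAME and DUMP_CMD are hypothetical knobs introduced here.

```shell
#!/bin/sh
# Added example, not the thread's or halfelf.org's script.
# Intended home: ~/bin/wp-backup.sh, mode 0700, owned by the site user,
# run by cron from outside the web root, e.g.
#   15 3 * * * $HOME/bin/wp-backup.sh $HOME/public_html $HOME/backups
# mysqldump is expected to read its credentials from a 0600 ~/.my.cnf,
# so no password appears on the command line or in cron's mail.
set -eu
umask 077                       # everything this script creates is owner-only
DB_NAME="${DB_NAME:-}"          # hypothetical knob: DB name (empty = files only)
DUMP_CMD="${DUMP_CMD:-mysqldump --single-transaction --quick}"  # hypothetical knob

# wp_backup SITE_DIR DEST_DIR: writes DEST_DIR/backup-<stamp>.tar, prints its path.
# It holds files.tgz (whole site, wp-config.php included, hence mode 0600)
# and, when DB_NAME is set, db.sql.gz.
wp_backup() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "no such site dir: $src" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest"
    work=$(mktemp -d "$dest/.work.XXXXXX")
    # tar from the parent so the archive unpacks to <sitename>/...
    tar -C "$(dirname "$src")" -czf "$work/files.tgz" "$(basename "$src")"
    if [ -n "$DB_NAME" ]; then
        # dump to a file first: under set -e a failed dump aborts the run
        # instead of being hidden behind a pipe into gzip
        $DUMP_CMD "$DB_NAME" > "$work/db.sql"
        gzip "$work/db.sql"
    fi
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S).tar"
    tar -C "$work" -cf "$archive" .
    rm -rf "$work"
    chmod 600 "$archive"
    echo "$archive"
}

# wp_backup_verify ARCHIVE: succeeds only if the expected members are present.
wp_backup_verify() {
    tar -tf "$1" | grep -q 'files.tgz' || return 1
    [ -z "$DB_NAME" ] || tar -tf "$1" | grep -q 'db.sql.gz'
}

# wp_backup_prune DEST_DIR DAYS: drop archives older than DAYS days.
wp_backup_prune() {
    find "$1" -maxdepth 1 -name 'backup-*.tar' -mtime +"$2" -delete
}

# Run only when given arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    wp_backup "$1" "$2" && wp_backup_prune "$2" 14
fi
```

Because the archive contains wp-config.php and the full database, it is as sensitive as the live site; the 0700 destination directory and 0600 archives are what keep another account on a shared host from reading it.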