Best WordPress Security Plugin?
Tagged: block back queries, Jeff Starr, perishable press, security
This topic has 15 replies, 11 voices, and was last updated 9 years, 7 months ago by ODG.
August 15, 2013 at 12:16 am #56469
Mark Blair (Participant)
I have seen several topics about WP blogs being hacked discussed here and on other sites. I know this is something that has been around for a while and is nothing new. However, there are so many security plugins for WP that I just don't know where to start. I hate installing a plugin only to remove it if it's no good. Plus with some of these plugins they make significant changes to the blog software and backing out might not be as easy.
I was going to try out Better WP Security but I just read about Wordfence and now I am not sure. 🙂 There are others too. I am hoping to get an idea of what people use around here. What's your favorite and what are some of the great features about the one you use? Thanks in advance for taking the time to reply.
August 15, 2013 at 12:24 am #56471
Nick Davis (Member)
Hi Mark,
Jesse Petersen has a great one:
http://wordpress.org/support/view/plugin-reviews/stealth-login-page
I'd also say it's important to consider having a good host that's clued up on such things, typically one that only deals with WordPress, as they'll be more likely to be proactive on such things (based on personal experience).
- Nick
@iamnickdavis. I share the best new Genesis stuff weekly at GenesisWP.guide
I also offer Genesis theme setup and Photoshop (PSD) to Genesis conversions
August 15, 2013 at 5:51 am #56512
neville (Member)
@Mark Blair, I think 2-step verification with Google Authenticator is a good approach to WordPress security, and there's a plugin:
http://wordpress.org/plugins/google-authenticator/
(I wrote a post on this topic in April, fyi, you might find that useful too http://www.nevillehobson.com/2013/04/17/how-to-secure-your-wordpress-site-against-hacker-attacks/)
Twitter: @jangles
August 24, 2013 at 1:10 pm #58614
ODG (Member)
I'm interested as to your preferred plugin as well. I've used Better WP Security in the past. But I've had a lot of problems with 403 errors resulting out of the plugin messing with my .htaccess.
Any other plugins that provide a "total solution" whether free or paid?
August 24, 2013 at 1:43 pm #58620
brother7 (Member)
I like BBQ: Block Bad Queries by Jeff Starr. His website Perishable Press is a valuable resource, especially about .htaccess.
August 24, 2013 at 2:36 pm #58624
Bill Murray (Member)
As someone who deals with this regularly, I'll take a different approach: the best WP security plugin is none at all.
First, on some of those mentioned. Mark @ Wordfence is great, and I've offered Mark suggestions on ways to make his plugin better. A while ago, he implemented one of my suggestions on ways to make IP spoofing harder (which used to be much easier using Wordfence). However, for much of what Wordfence does, there are better ways to do it - provided you are willing to get serious about security. On Jeff Starr's BBQ: great in concept, and Jeff contributes a lot of great WP info. However, on BBQ (which is based on URL length), you'll quickly find that a mix of plugins on a WP site can very easily result in long URLs, and if you block them, your site will break. Many long URLs are malicious, but not all of them are, and it's difficult to tell using an automated tool. Jesse's Stealth Login plugin also has a lot of potential, but it really is just an attempt to move the login URL to make your site less susceptible to brute force attacks. If you get serious about security, brute force attacks are very difficult to pull off.
Getting serious about security means ...
1) Giving up updating from within the WP dashboard (core WP, themes, and plugins) - this is something most refuse to do
2) Never accessing your site with FTP; use SFTP at a minimum and preferably SSH
3) Using security that gives users the lowest role they need to complete their task - don't make everyone an admin
4) Not using common usernames (eg, admin) and changing your user archive URLs to something other than the username - that removes 1/2 of the information needed in a brute force attack
5) Using complex passwords that vary from site to site among the sites you visit
6) Keeping the PCs from which you access your site free of viruses and malware (the common source of compromised sites)
If you follow those 6 steps, you can skip running any WP security plugin. Your site will be faster but no less secure.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.
August 24, 2013 at 2:44 pm #58626
ODG (Member)
Hi Bill,
First off, thanks for the info and detail. Can you expand on #4...changing your user archive URLs? What exactly does that mean?
I had one of my sites hacked a couple weeks ago. I think they called it an "injection?" Basically, there was some malicious code inserted into the wp-includes folder that inserted some funky meta descriptions on the pages. This caused the Google search descriptions to alter. Do the 6 steps you described cover this type of hack?
Thanks for your input Bill...I know I appreciate anything you can contribute.
August 24, 2013 at 3:56 pm #58634
Bill Murray (Member)
@ODG - #4 is not specifically tied to an injection attack; #1 is.
Let me explain. In order for a web visitor to be able to view your site, the visitor needs to be able to read the files. When you use a browser to access your dashboard, you are a web visitor. On your WP install, a web visitor can write to files in your WP folder - that's how YOU can do upgrades via your dashboard. When I refer to read and write permissions, I am referring to permissions set at the server level. Just like you use a user account to log into your PC, servers make use of user accounts, among other things, for security. On your server setup, the server user accessing your WP files has both read and write permissions. That's not all an attacker needs, but you've already given away a lot. It's as if you left the front door to your home unlocked. What happens next is not up to you, it's up to the attacker. This setup is required to let you do upgrades through your WP dashboard because WP needs write capability to update itself. The same applies to themes and plugins. In effect, you've traded a lot of security to get some convenience.
In contrast, on my server, the server user accessing those files can only read them - not write to them or search the folders. I could give you my WP login credentials, and they wouldn't do you much good if your goal were to launch an injection attack, because you can't modify the code in my WP install. This is the vulnerability you open when you allow for in-dashboard upgrades. Nearly all serious WP professionals are accessing their sites through SSH terminal and they are doing upgrades not through the dashboard but through other tools, because this closes this vulnerability.
#4 is related to a different issue. If you show author archives on your site, by default, the archive link is a link to your actual username - no matter what you choose to display. Try it and see. Therefore, if I visit your site and you show an author archive, you've already given me your username, which is 1/2 of the info needed to break into your site. With that information, I can run something called a dictionary attack on your account (which is most likely an admin account). A dictionary attack with even a modestly large number of infected PCs acting together could break into 95%+ of installs in a very short time. If you monitor your network traffic, and your site has been out there for even a short period of time (say > 30 days), you will find that your site has been attacked by a brute force attack. You could have been the victim of an injection attack through this method IF you allow a web visitor to edit code (because that visitor, once having succeeded in the brute force attack, could use dashboard tools to edit your PHP files). Most WP sites are the targets of brute force attacks, and tools like Wordfence can reduce them. My point in the original post is that if you are serious about security, it is far better to lock the front door and take away write permissions from your WP folder. (Note - you do need write permissions for the /uploads folder; otherwise, you couldn't upload media. Therefore, you set different permissions for just this folder but supplement this with a restriction on what can be uploaded to this folder and what it can be used to do.)
If you had implemented the 6 steps I recommended, in all likelihood your site never would have been hacked. We do managed WP hosting and have had days where network wide we have seen 30,000 attacks. We implement all of those steps (plus a few more), and I haven't seen an attack succeed. No one can promise a future-proof security solution, but those steps are very hard to defeat.
Hope that helps.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.
August 24, 2013 at 5:45 pm #58641
markmelch (Member)
I've tried many as well and have settled on a combination of:
Bullet Proof Security
http://wordpress.org/plugins/bulletproof-security/
http://www.ait-pro.com
I use both the free and pro version. Great support.
http://wordpress.org/plugins/limit-login-attempts/
http://wordpress.org/plugins/stealth-login-page/
August 24, 2013 at 7:07 pm #58649
Brad Dalton (Participant)
I think Vaultpress is a great option as it's only $5 a month and includes one click restoration.
I don't think there is a best security plugin, however I do like Wordfence.
August 25, 2013 at 5:11 pm #58789
sundance (Participant)
@Bill Murray Great article, I followed everything you said, but one thing needs to be clarified:
What folders exactly do you make read-only?
thanks
August 25, 2013 at 5:49 pm #58792
outlawgt (Member)
I use Wordfence and love it. You can monitor who is on your site, and block their IP if they are up to no good. It scans your site for various vulnerabilities and gives you suggestions on how to patch them up. It also has a firewall so no one can transmit malicious stuff on your site.
Most sites get hacked by using brute force, if you have a weak password etc. I suggest limiting login attempts to 3, and locking that person out for an hour or so for failed attempts. Login Lockdown is another good plugin for that.
Wordfence also lets you see who has been logging in and out of your wordpress.login.php aka login area.
It shows you what usernames they used and passwords.
Also best to change your username from admin to something different, and follow the password suggestions WordPress gives.
August 25, 2013 at 6:18 pm #58799
Bill Murray (Member)
@sundance - To clarify: on your server, you would have at least 2 users: 1 would represent the public web visitor and the other would be a user that is less powerful than your server root user, but who has write permissions to the WP folders. If you have a functioning site, you already have a user that represents your public web visitor. You might have to reduce the powers you've given that user.
For your entire WP folder structure except for your uploads directory, you set it so your public web visitor only has read permissions, but the more powerful non-public visitor has write permissions. Of course, once you do this, don't expect to be able to do dashboard updates to anything again. Instead, you'd use something like wget to retrieve a zip of whatever you want to upgrade directly to your server. You can retrieve WP core updates and plugins in the WP repo this way. I asked many months ago if SP supported this method, and I recall either Brian or Nick said no, so for Genesis updates, you'd have to go a different route. Obviously, these methods require that you be in control of your own server and not on a shared hosting plan.
Your uploads directory must be writable by the public web visitor so you can upload media. If you use any other plugin that uses something similar to uploads or caching (such as W3TC), the folders those plugins use must also be writable by the public web user. If those plugins can be set to store their data under /uploads (which is writable), you should be all set.
Then, you'd SSH to your server with the other, more powerful user and manage your WP installation.
This is more work, but it provides a lot more security. It will seem hard to give up dashboard updates at first, but once you get the hang of this method, you'll be comfortable and productive.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.
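As an added example (not code from the thread, from wpperform, or from WordPress itself), the script below applies the permission model Bill describes in his two replies above: a deploy user that you SSH in as owns the tree and can write it, the account the web server runs as (the "public web visitor") is only a member of a read-only group, and wp-content/uploads is the one subtree that group may write. Assumptions: the web server's group name, the deploy user name and the install path are placeholders passed as arguments; the check functions count paths that violate the model so you can verify the result.

```shell
#!/bin/sh
# Added example: enforce "web visitor reads, deploy user writes" on a WordPress tree.
# Assumed arguments: WordPress root, deploy (SSH) user, group the web server runs as.
# chown needs root; when run unprivileged only the mode bits are applied.

harden_wp_perms() {
    dir="$1"; deploy="$2"; webgrp="$3"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$deploy:$webgrp" "$dir"
    fi
    # Whole tree: owner full, web group may traverse and read only, others nothing.
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
    # Uploads are the exception Bill notes: the web group must be able to write
    # media there. Files stay non-executable so a dropped script is only a file.
    up="$dir/wp-content/uploads"
    if [ -d "$up" ]; then
        find "$up" -type d -exec chmod 770 {} +
        find "$up" -type f -exec chmod 660 {} +
    fi
}

# Paths outside uploads that the web group could write to (expect 0 after hardening).
count_group_writable_outside_uploads() {
    find "$1" -path "$1/wp-content/uploads" -prune -o -perm -020 -print | wc -l | tr -d ' '
}

# Paths readable, writable or executable by "other" (expect 0 after hardening).
count_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print | wc -l | tr -d ' '
}

# Typical use as root on a real host (placeholder names):
#   harden_wp_perms /var/www/example wpdeploy www-data
```

Re-run the two count functions after every manual upgrade done over SSH, since an unpacked zip arrives with whatever modes the archive carried.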
August 25, 2013 at 7:07 pm #58812
sundance (Participant)
@Bill Murray - thanks a lot, seems too much work but worth it, I will try it first on my testing server.
I only have 1 plugin for security, Limit login attempt, and I have this in htaccess:
# protect site
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# directory browsing
Options All -Indexes
# Protect the .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
I don't know if it helps at all.
August 28, 2013 at 4:39 am #59183
ronaldcagape (Member)
August 28, 2013 at 7:17 am #59203
ODG (Member)
I see a comprehensive (step by step how-to) blog post being pretty popular around here. I know it's a topic that many are interested in. Many, like myself, are reluctant to mess with the core WordPress files, especially the file permissions.
Any step-by-step guide would get a lot of visitors!