[H] Wordpress security

CranialBlaze

Recently started working with WordPress and decided to move my own site over from Joomla to WordPress; I find it has a few SEO capabilities that Joomla does not.

Now for all my sites I always used the Akeeba suite, Backup and Admin. Admin is a set of security tools and a web application firewall. TBO I have no idea how good it was, but Akeeba is one of the top Joomla developers and some of their code has already been directly integrated into Joomla so I figured it must be good. Worked pretty well on a client's site.

Anyway, I am looking for something for WordPress now, have 3 sites coming up for clients as well. Hoping someone has some recommendations, Google's not much help, found 3 that look good but to be honest I do not know enough about web security threats to tell which, if any, is the best.

http://wordpress.org/extend/plugins/wordfence/
http://wordpress.org/extend/plugins/bulletproof-security/
http://wordpress.org/extend/plugins/better-wp-security/

From what I can tell neither one has all the features I know from Akeeba and I am pretty sure it's not a good idea to install them all.

So far all I have done was change the DTB prefix and enable Google Authenticator on the login.

Akeeba had all these nice things like XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking kinds of protections, Google Authenticator, Project Honeypot, Bad Behaviour, URL secret parameter and the htaccess editor that did some other security stuff. As you will see the plugins I found combined do not have all of that, but then again I have no idea if I need all of that to begin with.

Some help would be greatly appreciated from those who know better than me, would be nice to get another CMS under my belt, maybe even give Drupal a bash in future.
 
Hi there,
The technical ins and outs of security are not something that I have spent a lot of time on. However, I have access to someone who has worked in this field more. I passed your query on to him and this is his reply. Before you read it though I must warn you he is very economical with words and you are going to have to do some research to implement his suggestions, but then you would want to do that anyway as part of a learning process, wouldn't you?

A better and more efficient way to do it is to move your security to the DB / compiler level.
For connections to the DB use the PDO or MySQLi libraries and not MySQL as you would normally.
Both libs are cleaning (sanitising) dirty code from most of the possible infections.

http://php.net/manual/en/book.pdo.php will assist you as well.

Also monitor activity on your site and use include conf/extras/httpd-blacklist

to remove China, Brazil, etc. completely from accessing your site regardless of WordPress, Joomla etc.

Let me know how you get on

Regards

Tim
 
Thanks Tim

Will have a look into PDO, but is WordPress not already using MySQLi? I know Joomla moved over at v2.5.

I actually ended up going with BulletProof and Wordfence after a simple realisation that BulletProof is a "set it and forget it" plugin. It writes all the security entries into the .htaccess, blocking whatever queries and attacks, whereas Wordfence is a periodic scanner, more of an antivirus and basic firewall combo. It has the option to block countries altogether, as well as prevent brute force attacks, scans all internal and external files for problems and malicious code and emails an alert if anything's found, and also compares plugin files to those in the repository.

Also finally managed to track down an admin URL token plugin, so instead of /wp-admin you need to use /wp-admin?secretkeywordthatyouchoose. Without that case-sensitive phrase you cannot get to the admin page, and once there you still have to get past Google 2-factor auth.

Then also using XCloner for weekly site backups and daily DTB backups.

Think that pretty much covers the common bases and should work well for the average website.

Typing all this out makes me feel like I am paranoid (admittedly I am slightly), but I have only ever had 1 site hacked in my 9 years; then again it could have been more if I was not paranoid.

Why block China and Brazil though? Do we just not like them or are they like high risk for causing kakas? I have noticed quite a few Chinese bots sitting on my site.
 
Why block China and Brazil though? Do we just not like them or are they like high risk for causing kakas? I have noticed quite a few Chinese bots sitting on my site.

South America (predominantly Brazilian IPs), China, and eastern Europe, as well as a couple of north African countries.....
Those are the IPs I see most often trying to hack clients' sites and our dedi servers.
 
South America (predominantly Brazilian IPs), China, and eastern Europe, as well as a couple of north African countries.....
Those are the IPs I see most often trying to hack clients' sites and our dedi servers.

OK, well for me blocking those would not really be a problem, not planning on job hunting in said countries and don't need the traffic either.
My client on the other hand will not go for that, but so far they've been pretty safe and their IT department will be setting up a new secure dedicated server as the site's being moved away from the WP hosted solution.
 
These are some of the tips I use when securing my WordPress sites:

You should start with an automated backup plugin like BackWPup.
Remove unneeded files and plugins you no longer use (like Hello Dolly).
Restrict access to the configuration file via .htaccess and file permissions.
Generate your unique secret keys and capture them in your configuration file.
Have a custom database prefix, e.g. wp_cranial_
Change the default admin user name to something like mywebsiteadmin.
Disable directory viewing via .htaccess.
Restrict access to the admin area using your IP in .htaccess.
Activate the Akismet plugin and get your free Akismet API key from their website (for spam prevention).
Install a plugin called WordPress Firewall 2 to protect you from automated attacks and known exploits.
WP Ban is another awesome plugin that you can use to ban specific IPs and IP ranges.
Delete your install file after installing WordPress.
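Added example, not from any post in this thread: a root-level WordPress .htaccess for Apache 2.4 that implements the configuration-file, directory-listing and admin-IP steps above. The address 203.0.113.10 is a placeholder for the admin's own static IP, and the admin-ajax.php exception is an assumption about front-end plugins that call it anonymously.

```apache
# Hardening rules for the WordPress document root (Apache 2.4 syntax).
# On Apache 2.2, replace "Require all denied" with "Order allow,deny / Deny from all"
# and "Require ip ..." with "Order deny,allow / Deny from all / Allow from ...".

# Keep wp-config.php (DB credentials, salts and secret keys) off the web entirely.
<Files "wp-config.php">
    Require all denied
</Files>

# Also hide the .htaccess files themselves.
<Files ".htaccess">
    Require all denied
</Files>

# Disable directory listing so a missing index.php does not expose file names.
Options -Indexes

# Only the placeholder admin IP may reach the login page.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# .htaccess cannot use <Directory>, so gate /wp-admin/ with mod_rewrite instead.
# admin-ajax.php stays open because some front-end plugins call it for visitors.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC]
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$ [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteRule ^ - [F]
```

Test the login and admin rules from a second network (for example a phone on mobile data) before relying on them, since a typo in the IP locks out the real admin too.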
 
You should start with an automated backup plugin like BackWPup. (XCloner, but will check that out. Does it have a restore script? The specs don't specify.)
Remove unneeded files and plugins you no longer use (like Hello Dolly). (Done, that thing's daft.)
Restrict access to the configuration file via .htaccess and file permissions. (BulletProof)
Generate your unique secret keys and capture them in your configuration file. (Done)
Have a custom database prefix, e.g. wp_cranial_ (Done)
Change the default admin user name to something like mywebsiteadmin. (Done)
Disable directory viewing via .htaccess. (BulletProof)
Restrict access to the admin area using your IP in .htaccess. (BulletProof and wSecure)
Activate the Akismet plugin and get your free Akismet API key from their website (for spam prevention). (Done, not that I allow comments on anything.)
Install a plugin called WordPress Firewall 2 to protect you from automated attacks and known exploits. (BulletProof and Wordfence; also WF2 has not been updated in 2 years so I am pretty sure it would be out of date.)
WP Ban is another awesome plugin that you can use to ban specific IPs and IP ranges. (Wordfence blocks IPs and/or entire countries.)
Delete your install file after installing WordPress. (Don't see any, but it was an XCloner restore.)
 
You should start with an automated backup plugin like BackWPup. (XCloner, but will check that out. Does it have a restore script? The specs don't specify.)

Unfortunately restoring your site from a backup is a manual and somewhat long process.
 