johno69
Top Contributor
Never leave your admin username as admin. You are asking for trouble.
http://screencast.com/t/W369CKorr
http://screencast.com/t/W369CKorr
WordPress Security Tips
- Thread starter FirstPageResults
- Start date
Data Glasses
Top Contributor
Logged on to email just as i received 22 hack reports for my wordpress site www.ohthankgod.com and although the hacks were averted i instantly went to hosting and banned that suckers ip address ........just as i got hack report 23
helloworld
Top Contributor
In Russia, wordpress hacks you...****in
chris
Top Contributor
For the ManageWP users, here are a few ways to add extra layers of security:
Restrict by IP address:
https://managewp.com/user-guide/how-to-use-managewp/secure/restrict-access-to-managewp-by-ip-address
Two-factor authentication
https://managewp.com/user-guide/how...count-security-with-two-factor-authentication
Cheers,
Chris
Restrict by IP address:
https://managewp.com/user-guide/how-to-use-managewp/secure/restrict-access-to-managewp-by-ip-address
Two-factor authentication
https://managewp.com/user-guide/how...count-security-with-two-factor-authentication
Cheers,
Chris
johno69
Top Contributor
This is available in InfiniteWP too.
chris
Top Contributor
I really like the idea of being able to self-host InfiniteWP. A big plus.
Cheers,
Chris
aus11
Top Contributor
+1
I set InfiniteWP up on a spare domain I had, and have it running for all my sites now. Makes updating an absolute breeze!
johno69
Top Contributor
I can't stress this enough for all the new users out there.
http://screencast.com/t/ARS1MHDBX
I have Wordfence set to automatically block users who use an invalid username to try login. But it's annoying the amount of times they try.
Paul.
petermeadit
Top Contributor
Yup blog any and all brute force...
I will second that. So important to use something like Wordfence, and block any brute force attacks.
I often block entire countries because nothing useful come from there but repeated login attempts and fake google bots.
Dare you to turn on email notifications for each invalid login attempt...
I will second that. So important to use something like Wordfence, and block any brute force attacks.
I often block entire countries because nothing useful come from there but repeated login attempts and fake google bots.
Dare you to turn on email notifications for each invalid login attempt...
johno69
Top Contributor
Dare you to turn on email notifications for each invalid login attempt...
I have them on. I have it set to block anyone who tries an invalid username for 24 hours. Then I generally block them permanently.
petermeadit
Top Contributor
How do you reckon it stacks up again ManageWP? Or Worpit?
Like: ManageWP vs. InfiniteWP vs. Worpit.
be interested to hear opinions.
Like: ManageWP vs. InfiniteWP vs. Worpit.
be interested to hear opinions.
Blue Wren
Top Contributor
petermeadit
Top Contributor
I have ManageWP up and running and loving it. Worth the money I'd say.
findtim
Top Contributor
the thread is old but still bloody good value to read, starting with chris's contribution.
i'm winding down for 2014, looking towards 2015 and wondering were i should head with security on WP as its been my BIGGEST headache this year.
wordfence has done a great job, i dabbled into infinitewp but didn't go whole hog but i'm leaning towards it now over the xmas break.
just wanted to reignite the question again, wordfence / managewp / infinitewp / sucuri + others , whats the general feeling of a good combination ?
tim
i'm winding down for 2014, looking towards 2015 and wondering were i should head with security on WP as its been my BIGGEST headache this year.
wordfence has done a great job, i dabbled into infinitewp but didn't go whole hog but i'm leaning towards it now over the xmas break.
just wanted to reignite the question again, wordfence / managewp / infinitewp / sucuri + others , whats the general feeling of a good combination ?
tim
Christopher
Top Contributor
Your right @findtim really old thread but a goodie. Probably wasn't wise to post your exact password methods in hindsight.
At any rate reading the ops thread.
Setting your server file permisions to 666 is a bad idea, which is read and write, user, group, others. Your giving front end attacks write permissions. The recommended lockdown file permission is 444 which is read user, group, others. 444 means that even if someone breaks into your site they can't change your htaccess file, or any other file with that permission. Ie the wp-config file. If you look closely at ithemes security, this is the permission it changes the files too, on a complete lock down. And you generally realize this, when your cache plugin wants to write to it and fails.
And the dreaded 777 mentioned as well, is read write and execute, user (your ftp or control panel) group (your site internal access) others (external web traffic). Typically a site falls victim to shell scripts that then leave this shiny great big door open, for others to penetrate the server and reek havoc network wide.
If your host supports Jail host, I suggest implementing it per site. Jail host is a way of sand boxing every domain in your vps, or shared hosting plan, as if it was in its own vps plan. So the highest level some with a shell script can go is the root of your domain. Here is a good wiki write up on Jail host. https://en.wikipedia.org/wiki/FreeBSD_jail
At any rate reading the ops thread.
Setting your server file permisions to 666 is a bad idea, which is read and write, user, group, others. Your giving front end attacks write permissions. The recommended lockdown file permission is 444 which is read user, group, others. 444 means that even if someone breaks into your site they can't change your htaccess file, or any other file with that permission. Ie the wp-config file. If you look closely at ithemes security, this is the permission it changes the files too, on a complete lock down. And you generally realize this, when your cache plugin wants to write to it and fails.
And the dreaded 777 mentioned as well, is read write and execute, user (your ftp or control panel) group (your site internal access) others (external web traffic). Typically a site falls victim to shell scripts that then leave this shiny great big door open, for others to penetrate the server and reek havoc network wide.
If your host supports Jail host, I suggest implementing it per site. Jail host is a way of sand boxing every domain in your vps, or shared hosting plan, as if it was in its own vps plan. So the highest level some with a shell script can go is the root of your domain. Here is a good wiki write up on Jail host. https://en.wikipedia.org/wiki/FreeBSD_jail
findtim
Top Contributor
what else have i been doing in 2016 which has helped?
move login plugin, i saw instant results https://wordpress.org/plugins/sf-move-login/
change wp prefix, https://wordpress.org/plugins/db-prefix-change/, very simpleeeeee
wordfence, free version, take the time to look at setup intrustions or watch a youtube on it, block "admin" but also block the letters " .com" , ".com.au"
sucuri, free version, its pretty gutless but does give you some warnings, the "hardening" page is the best part of it.
infinitewp is good, just make sure you have allocated enough space on your server to hold at least 3 packups.
don't let website owner use their name as admin login + use nickname field for posts " team, staff, owner, kanagroo "
tim
move login plugin, i saw instant results https://wordpress.org/plugins/sf-move-login/
change wp prefix, https://wordpress.org/plugins/db-prefix-change/, very simpleeeeee
wordfence, free version, take the time to look at setup intrustions or watch a youtube on it, block "admin" but also block the letters " .com" , ".com.au"
sucuri, free version, its pretty gutless but does give you some warnings, the "hardening" page is the best part of it.
infinitewp is good, just make sure you have allocated enough space on your server to hold at least 3 packups.
don't let website owner use their name as admin login + use nickname field for posts " team, staff, owner, kanagroo
"tim
Christopher
Top Contributor
Don't use the admin role at all for posting, If its your site or client, set up an editor account. If that gets hacked into, because it is the one posting, their is not much they can do, except delete posts, which you would have a backup of. And never log into your site as admin on an open of free wifi hotspot. Even most private wifi routers broad cast some packets in plain text. When you log in via standard ftp the credentials can be intercepted. So hense have an editor role for content production.what else have i been doing in 2016 which has helped?
move login plugin, i saw instant results https://wordpress.org/plugins/sf-move-login/
change wp prefix, https://wordpress.org/plugins/db-prefix-change/, very simpleeeeee
wordfence, free version, take the time to look at setup intrustions or watch a youtube on it, block "admin" but also block the letters " .com" , ".com.au"
sucuri, free version, its pretty gutless but does give you some warnings, the "hardening" page is the best part of it.
infinitewp is good, just make sure you have allocated enough space on your server to hold at least 3 packups.
don't let website owner use their name as admin login + use nickname field for posts " team, staff, owner, kanagroo
tim
