Enjoy unlimited access to all forum features for FREE! Optional upgrade available for extra perks.

WordPress Security 101

Status
Not open for further replies.

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
First, I'll agree most people would think this belongs in the CMS development section but honestly, the last thing I want is a "how to" for hackers indexed by Google - this section is hidden to all except logged in Platinum or higher level members here.

Recently I've set up a (highly) political site based on WordPress and even though I considered the chances of hack attempts low (which it is apparent that I was VERY wrong with that) I took some precautions.

First - when setting up the blog, yes, set up the admin account and give it a GOOD password. Set the display name to be something different in the control panel when it is all set up (say, the name of the blog).

Next, get these plugins:

Simple Login Log - http://wordpress.org/extend/plugins/simple-login-log/
This will allow you to have a log of EVERYONE who attempts to log into the site in the control panel great for FYI.


Wrong Password - http://wordpress.org/extend/plugins/alex-wrong-password/

This little gem will be a godsend in the case of brute force attacks. This will email the administrator when anyone attempts to log into the site and gets the password wrong. This is what is in the email:
Code:
[COLOR=#500050][FONT=arial]Someone tried to log into your WordPress site, and failed.
 They used the following details:

Site URL: [URL="http://caninecomputing.com/"]([/URL]site URL)
Referer:
Username: admin
[/FONT][/COLOR]
[FONT=arial]Password: (password used)[/FONT][FONT=arial]
[/FONT]
[FONT=arial][COLOR=#500050]Email:
IP Address: [B]IP Address[/B]
User Agent: Mozilla/5.0 (compatible; bingbot/2.0; +[URL]http://www.bing.com/bingbot.htm[/URL])[/COLOR][/FONT]


Look at that - the IP address. THis way you can block it in the .htaccess file, report it to the abuse@ email address, or if you need to, report it to the FBI. This plugin is the most important one. Instant email notification, with good details. :)

While logged in as the admin, set up another admin account with a unique name (not easy but something you'll remember) - make the password BETTER than the one for the admin account - even use non traditional characters if you need to. Set the display name as the same as the admin account.

Next, log in as the new admin and confirm everything is all set up - if it is edit the "admin" (login) account to one with NO rights (set the role to "No role for this site") - this way if they do log in as the admin (despite your good password) they'll have no rights to do anything and you'll still have their information.

Also, make sure you always keep WordPress and ALL your plugins current - log in at least once a week to check for updates.

Feel free to add to the list if you've found any good tips for WordPress security.
 
Dynadot - Expired Domain Auctions

dcristo

Level 9
Legacy Exclusive Member
Joined
Feb 25, 2005
Messages
3,709
Reaction score
151
Deny access to the wp admin directory, which is how most hackers gain access to your blog.

If you have a static IP address in .htaccess of the wp-admin folder put

Code:
order deny,allow
deny from all
allow from <ip address>
 
Status
Not open for further replies.

Who has viewed this thread (Total: 1) View details

Who has watched this thread (Total: 3) View details

The Rule #1

Do not insult any other member. Be polite and do business. Thank you!

Sedo - it.com Premiums

IT.com

Premium Members

MariaBuy

Upcoming events

Our Mods' Businesses

UrlPick.com

*the exceptional businesses of our esteemed moderators

Top Bottom