WordPress security

Any suggestions for WordPress security plugins? I checked Wordfence and SecuPress. Both have different approaches.

Any suggestions/feedback? Any plugins coming on sale?

Thanks

Comments

  • Free:

    1. Change the default login URL
    2. Use only updated plugins
    3. Use no more plugins than necessary
    4. Cloudflare
    5. Regular backups
  • I have been using Sucuri with NAXSI for some time without issues. And, ofc, always up-to-date plugins and themes.

    Thanked by 1plumberg
  • vyas11 Member
    edited November 2019

    @plumberg said:
    Any suggestions for WordPress security plugins? I checked Wordfence and SecuPress. Both have different approaches.

    Any suggestions/feedback? Any plugins coming on sale?

    Thanks

    Depending on to what extent you are willing to get your hands greasy:

    I am in no way an expert, but over the course of years after many black eyes, getting spam bomb'd, losing a domain or two and databases corrupted, here is what I have learnt.

    Will also depend on whether you are looking at shared hosting versus VPS or the "new age" managed WP hosting. There are several that have cropped up in recent years. Majority of them use Google Cloud or AWS as backend. (I am trying out 10Web, which uses GCP)

    ref: Any plugins coming on sale - you may want to check out this link (not an aff link, just a curated list of BF offers Some are WP related.) or this one- more WP specific (removed the FB tracking id that FB adds with compliments)

    Coming to the plugins/script part

    a. Wordfence is a good start; by default they force you to download the .htaccess file even before you get started. Look into the brute force settings - the default has an upper limit of 30. Set it to 5 or something lower.

    b. The Hidemylogin plugin changes the default login link to domain.tld/newurl from the default domain.tld/wp_admin. Good to keep the casual seekers away, who will then get a 404 error page or a customised message.
    (I like the "No.. no.. no.. no... no" from Jurassic Park.)

    c. Use scripts for social media sharing/ any default text or image blocks instead of plugins.

    d. Absolutely - minimise the number of plugins.

    e. There are some great tutorials on changing the permissions for some files/folders, making .htaccess read-only, etc. (PITA if you are trying to run upgrades or modify certain settings, but if you have access to the web folder/ssh, not really that painful.)

    f. CDN : Cloudflare is the most recommended, yes, but for media files any other will do (thanks to recommendations on LET- I am giving Bunnycdn a try) @BunnySpeed. Also Publitio and Publist - LT deals (yeah, I know....) from AS and PG respectively.

    g. Updated theme(s). Keep them simple, nothing fancy. I recently got a LT deal on Hexia/ Nevo from AS. Hope they keep their promise of updates.

    h. Most Softaculous-based installations have options to minimise logins (Loginizer) and backups. I typically opt for weekly backups, retaining the 3 most recent backups.

    i. Recaptcha/2FA. I tried them; maybe they are an acquired taste.

    j. Back up the database independently of the .xml files that the WP export throws at you. Trying out this week how to do it using an ssh session.

    Update I: Use a special character in the login (e.g. vyas11@let) and let the public identity be, say, vyas11. That with Wordfence (your public ID can be added to the negative list in Wordfence) is a deadly combo - results in immediate lockdown and the admin gets an email alert.

    Update II: New experiment I am working on: Utilising one plan each from Smallweb @Mic-hael , in AU, EU and US. Set up subdomains, main site in location a, (e.g. au.domain.tld) and blog on another (e.g. eu.domain.tld) and us.domain.tld as backup. For less than 10 US Dollars, the ability to learn by experimentation is awesome.

    Update III: Time permitting, I will keep updating the above on my learning journey blog.

    Cheers.

    Edit: How on earth do I embed a YT video here?

  • WP Cerber - been using it for 2 years: API request disable, recaptcha, login attempt limits, IP blocking, login URL can be changed, scanning files for integrity.

    Thanked by 2vyas11 plumberg
  • Used iThemes Security and no problems yet. Trust me, it's worth every penny.

    Thanked by 1plumberg
  • @vyas11 said:

    @plumberg said:
    Any suggestions for WordPress security plugins? I checked Wordfence and SecuPress. Both have different approaches.

    Any suggestions/feedback? Any plugins coming on sale?

    Thanks

    Depending on to what extent you are willing to get your hands greasy:

    I am in no way an expert, but over the course of years after many black eyes, getting spam bomb'd, losing a domain or two and databases corrupted, here is what I have learnt.

    Will also depend on whether you are looking at shared hosting versus VPS or the "new age" managed WP hosting. There are several that have cropped up in recent years. Majority of them use Google Cloud or AWS as backend. (I am trying out 10Web, which uses GCP)

    ref: Any plugins coming on sale - you may want to check out this link (not an aff link, just a curated list of BF offers Some are WP related.) or this one- more WP specific (removed the FB tracking id that FB adds with compliments)

    Coming to the plugins/script part

    a. Wordfence is a good start; by default they force you to download the .htaccess file even before you get started. Look into the brute force settings - the default has an upper limit of 30. Set it to 5 or something lower.

    b. The Hidemylogin plugin changes the default login link to domain.tld/newurl from the default domain.tld/wp_admin. Good to keep the casual seekers away, who will then get a 404 error page or a customised message.
    (I like the "No.. no.. no.. no... no" from Jurassic Park.)

    c. Use scripts for social media sharing/ any default text or image blocks instead of plugins.

    d. Absolutely - minimise the number of plugins.

    e. There are some great tutorials on changing the permissions for some files/folders, making .htaccess read-only, etc. (PITA if you are trying to run upgrades or modify certain settings, but if you have access to the web folder/ssh, not really that painful.)

    f. CDN : Cloudflare is the most recommended, yes, but for media files any other will do (thanks to recommendations on LET- I am giving Bunnycdn a try) @BunnySpeed. Also Publitio and Publist - LT deals (yeah, I know....) from AS and PG respectively.

    g. Updated theme(s). Keep them simple, nothing fancy. I recently got a LT deal on Hexia/ Nevo from AS. Hope they keep their promise of updates.

    h. Most Softaculous-based installations have options to minimise logins (Loginizer) and backups. I typically opt for weekly backups, retaining the 3 most recent backups.

    i. Recaptcha/2FA. I tried them; maybe they are an acquired taste.

    j. Back up the database independently of the .xml files that the WP export throws at you. Trying out this week how to do it using an ssh session.

    Update I: Use a special character in the login (e.g. vyas11@let) and let the public identity be, say, vyas11. That with Wordfence (your public ID can be added to the negative list in Wordfence) is a deadly combo - results in immediate lockdown and the admin gets an email alert.

    Update II: New experiment I am working on: Utilising one plan each from Smallweb @Mic-hael , in AU, EU and US. Set up subdomains, main site in location a, (e.g. au.domain.tld) and blog on another (e.g. eu.domain.tld) and us.domain.tld as backup. For less than 10 US Dollars, the ability to learn by experimentation is awesome.

    Update III: Time permitting, I will keep updating the above on my learning journey blog.

    Cheers.

    Edit: How on earth do I embed a YT video here?

    Thanks for the detailed note.

  • Mr_Tom Member, Host Rep

    Less is more (in terms of plugins) and keep everything up to date.

    Restrict PHP from running in the uploads directory, delete any unused plugins/themes.

    Thanked by 1plumberg
    • Wordfence is pretty good with minimum tweak. Scan your website frequently with this plugin and detect any potential threat.
    • Minimize the login attempts
    • Use 2 factor authenticator. Wordfence has built in feature for this.
    • Change login url from wp-admin to something not easy to find (e.g. /mylogin355).
    • Use a CDN, e.g. Cloudflare. Cloudflare itself has some pretty nice options for securing the site.
    • Secure your webserver login. If it is a shared server, use a really hard to find password. If it is a vps or dedi, do all the necessary stuff to secure your server.
    • Use only plugins that are updated, have a lot of installations and good reviews. Disable and uninstall plugins that you don't use.
    • Disable PHP executing in uploads folder
    • Don't use "admin", "administrator" or "root" as the username for the admin account.
    • Use captcha for commenting
    • Keep backups. Then, keep backups and after that, keep backups. Keep backups in more than one location and in more than one way. Use a respected backup plugin (I prefer Akeeba Backup; it is not in the WordPress directory, you can find it only on its own website. It is a famous backup tool originally for Joomla, nowadays the best backup solution for WordPress). And use manual backups, too (dump the database and keep copies of the files on a different server).
    • Do frequent updates for WP itself, your theme and your plugins. Keep only one theme, delete all the others (including the default ones) if you don't need them.

    That's it!

  • jsg Member, Resident Benchmarker

    @poisson said:
    Free:

    1. Change the default login URL
    2. Use only updated plugins
    3. Use no more plugins than necessary
    4. Cloudflare
    5. Regular backups

    I would have agreed if there wasn't your point 4.

    And btw. it's not necessary anyway. A decent VPS from a decent provider with a sensible config (e.g. my.cnf), a decent http server and reasonable caching is good enough for most WP sites. I know it because I do it myself.

    Plus one extra point: Be sure to have a recent PHP version and a reasonable php.ini.

    Oh, and "regular backups" means not just "click on the button of some backup plugin". It also means to transfer the backup file to another server.

    My final tip: don't overdo it. WP is based on crap (PHP, MySQL in any incarnation although some are a bit less crappy) and hence is limited no matter what. That's why I think that "keep the whole shebang updated. Always. Often. Regularly!" is good and important advice.

    Thanked by 2plumberg vimalware
  • @jsg said:

    @poisson said:
    Free:

    1. Change the default login URL
    2. Use only updated plugins
    3. Use no more plugins than necessary
    4. Cloudflare
    5. Regular backups

    I would have agreed if there wasn't your point 4.

    And btw. it's not necessary anyway. A decent VPS from a decent provider with a sensible config (e.g. my.cnf), a decent http server and reasonable caching is good enough for most WP sites. I know it because I do it myself.

    Plus one extra point: Be sure to have a recent PHP version and a reasonable php.ini.

    Oh, and "regular backups" means not just "click on the button of some backup plugin". It also means to transfer the backup file to another server.

    My final tip: don't overdo it. WP is based on crap (PHP, MySQL in any incarnation although some are a bit less crappy) and hence is limited no matter what. That's why I think that "keep the whole shebang updated. Always. Often. Regularly!" is good and important advice.

    Actually, I use Cloudflare not just for caching, but to hide the origin of the server.

  • vyas11 Member
    edited November 2019

    Something I have been experimenting with (albeit with partial success) - use CF just for SSL for subdomains that are on different servers. If I find a more efficient/ practical way of doing it, would be happy to try it out.

    Edit: Update: Some session on some device of mine remained active, and good ol' Facebook and Google picked up my "interest" in WP security. I saw four promotions for WP groups on FB - one of which I became a member of - and two ads from Amazon about books on WordPress.

    Interestingly enough, the WP group I signed up for was discussing, guess what? WP security!

  • bikegremlin Member
    edited November 2019

    @vyas11 said:
    Something I have been experimenting with (albeit with partial success) - use CF just for SSL for subdomains that are on different servers. If I find a more efficient/ practical way of doing it, would be happy to try it out.

    Edit: Update: Some session on some device of mine remained active, and good ol' Facebook and Google picked up my "interest" in WP security. I saw four promotions for WP groups on FB - one of which I became a member of - and two ads from Amazon about books on WordPress.

    Interestingly enough, the WP group I signed up for was discussing, guess what? WP security!

    With shared / reseller hosting - I had no problems setting up LetsEncrypt certificates for subdomains - each hosted on a separate account, often on different server. The only problem is that www.subdomain.example.com will need to be redirected to subdomain.example.com - the www version won't work with Cloudflare and the free TLS certs.

    As for "always update", be cautious. My policy:

    make a test.example.com, set it up with all the plugins and theme / child theme used on "main" site(s). Update that one first. Check if it's all working fine. Then update the other site(s).

    Backups:
    Make sure you do them regularly and that you keep old copies - just in case a website gets hacked without you realising it for the first month or two (and secure it to make sure you realise - WordFence will notify you of any file changes, doing regular scans automatically).

    Another thing, just as important: check whether your backups work - can you get the site working using those backups. That is a crucial point that some people miss.

    P.S.
    Changing the default login URL does more harm than good IMO. Security through obscurity is fine when it doesn't come at a price - this one does, however.

    Leave the login as it is. Just make sure that WordFence immediately blocks anyone trying to log in as "admin", "administrator" etc. And don't give administrative rights to the account used for publishing content (that has a visible username). WordFence can also be used to hide the listing of created users.

    P.P.S.
    Another topic on LET that talks about this from a slightly different perspective, with some great advice from forum members:
    https://www.lowendtalk.com/discussion/160422/how-to-figure-out-a-website-account-is-hacked

    Thanked by 1ITLabs
  • vyas11 Member
    edited November 2019

    @bikegremlin said:

    Another thing, just as important: check whether your backups work - can you get the site working using those backups. That is a crucial point that some people miss.

    P.S.
    Changing the default login URL does more harm than good IMO. Security through obscurity is fine when it doesn't come at a price - this one does, however.

    Yes and yes. The latter yes after first-hand experience of the downside - some third-party plugins or scripts take you back to the wp-login page, only to see a 404 error. And Hidemylogin is nice, but I could always do with one less plugin.

  • @vyas11 said:

    @bikegremlin said:

    Another thing, just as important: check whether your backups work - can you get the site working using those backups. That is a crucial point that some people miss.

    P.S.
    Changing the default login URL does more harm than good IMO. Security through obscurity is fine when it doesn't come at a price - this one does, however.

    Yes and yes. The latter yes after first-hand experience of the downside - some third-party plugins or scripts take you back to the wp-login page, only to see a 404 error. And Hidemylogin is nice, but I could always do with one less plugin.

    I try to keep this up to date:
    https://io.bikegremlin.com/8963/wordpress-security/

    There, I wrote about changing the login URL as well - warning against it.

    Thanked by 1vyas11
  • jsg Member, Resident Benchmarker

    re "CloudF%$!#"

    • No. That creates a dependency and a SPOF. If CDN, then BunnyCDN.
    • Hiding one's IP only provides quite limited protection.
    • Think twice - and then once more - before handing your TLS keys to any 3rd party.
    Thanked by 1vimalware
  • masedi Member
    edited November 2019

    I use no security plugin at all. If you can do it server side, it is better. In this case you need root access, so you'll need at least a cloud/virtual server.

    change default ssh port
    disable ssh root login
    enable ssh password-less login
    configure an iptables-based firewall
    enable SSL (Let's Encrypt)
    additionally install fail2ban, clamav (antivirus), malware/rootkit hunter, snort, etc...

    WP security plugins typically have a feature to hide your default wp-admin location; you can do this with a webserver rewrite rule.

    Here is an example configuration of my Nginx WP "security" rules borrowed from Better WP Security plugin.

    Thanked by 1vyas11
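The SSH items in masedi's list (non-default port, no root login, key-only login) are easy to state and easy to lose track of in a config file that has grown over the years. As an added example, not masedi's own setup and not code from this thread, here is a shell audit that reads a flat sshd_config and reports which of the three are not in place. It assumes a flat file without Match blocks and that the first occurrence of a keyword is the one sshd uses; on a live box, `sshd -T` prints the effective values and is the better source.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: audit a flat sshd_config against the three
# SSH items in the list above (non-default port, no root login, key-only login).
# Assumptions: sshd keywords are case-insensitive and the FIRST occurrence of a
# keyword wins; Match blocks are ignored (run `sshd -T` for effective values).

# sshd_value FILE KEYWORD -> prints the effective value of KEYWORD, or nothing
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
    tolower($1) == "match" { exit }                  # stop at the first Match block
    tolower($1) == key { print $2; exit }            # first occurrence wins
  ' "$1"
}

# audit_sshd FILE -> prints one line per finding; exit status = number of findings
audit_sshd() {
  cfg="$1"
  findings=0

  port="$(sshd_value "$cfg" Port)"
  if [ "${port:-22}" = "22" ]; then
    echo "Port is 22 (the default); the list above suggests moving it"
    findings=$((findings + 1))
  fi

  root="$(sshd_value "$cfg" PermitRootLogin)"
  if [ "$root" != "no" ]; then
    echo "PermitRootLogin is '${root:-unset}'; want 'no'"
    findings=$((findings + 1))
  fi

  # OpenSSH defaults PasswordAuthentication to yes, so unset counts as a finding
  pw="$(sshd_value "$cfg" PasswordAuthentication)"
  if [ "$pw" != "no" ]; then
    echo "PasswordAuthentication is '${pw:-unset}'; want 'no' (key-only login)"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Usage: audit_sshd /etc/ssh/sshd_config; echo "findings: $?"
```

A non-zero exit status makes it usable from a cron job or a deploy check; pair it with the firewall and fail2ban items from the list, which this script does not cover.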
  • somik Member
    edited November 2019

    The best WordPress security is to delete it. Failing that, keep it on a separate server and keep backups. Eventually one of the plugins you use will get hacked. Your job is to prepare rectification measures.

    Thanked by 1plumberg
  • @masedi said:
    I use no security plugin at all. If you can do it server side, it is better. In this case you need root access, so you'll need at least a cloud/virtual server.

    change default ssh port
    disable ssh root login
    enable ssh password-less login
    configure an iptables-based firewall
    enable SSL (Let's Encrypt)
    additionally install fail2ban, clamav (antivirus), malware/rootkit hunter, snort, etc...

    WP security plugins typically have a feature to hide your default wp-admin location; you can do this with a webserver rewrite rule.

    Here is an example configuration of my Nginx WP "security" rules borrowed from Better WP Security plugin.

    I forgot to mention, the most important part is backup your data regularly.

  • loe Member
    edited November 2019

    masedi said: If you can do it server side, it is better.

    Sure. If you have control of the server, lots of cool things can be done. You can use fail2ban to ban people who try to log in several times on your website. It can be used with CF as well using their API.

    poisson said: Actually, I use cloud flare not just for caching, but to hide the origins of the server.

    jsg said: re "CloudF%$!#"

    No. That creates a dependency and a SPOF. If CDN, then BunnyCDN.
    Hiding one's IP only provides quite limited protection.
    Think twice - and then once more - before handing your TLS keys to any 3rd party.

    Indeed. But hiding the IP has other benefits than protection, like not showing your network to the world if you happen to host several websites on the same VPS/IP, as many web tools make it easy to know which other websites are hosted on an IP. With CF you end up sharing your frontend IP with a lot of unknown strangers, which is interesting. But yeah, it comes at a horrible price; using cheap VPSes as a reverse proxy could be a better solution (but not sure: having your TLS key on a cheap OVZ VPS with shitty super cheap providers ain't necessarily that good either, is it?).

    In the end it depends if your content is sensitive or not and what you are trying to achieve. SPOF yes but they have a big team working to fix any issue when there is one. I wouldn't trust them for a project where security is paramount, but if the main issue is uptime, it should work fine. But I admit that not using them is the right option most of the time.
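masedi's list and loe's reply above both lean on fail2ban for login attempts, and the earlier bullet list asks to minimise login attempts. As an added example (not any poster's code, and not the Nginx configuration masedi mentioned), here is what that detection looks like in practice: a shell function that counts failed wp-login.php POSTs per client IP in a combined-format access log, plus the fail2ban filter and jail that automate the same rule. The log lines are constructed samples using documentation addresses, the status-code logic (stock WordPress re-renders the form with 200 on a failed login and redirects with 302 on success) is an assumption, and the fail2ban paths and log location are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: spot wp-login.php brute forcing in a web
# server access log and emit the matching fail2ban filter/jail. The log lines
# are constructed samples (RFC 5737 documentation addresses), not real traffic.
# Assumption: combined log format; WordPress answers a failed login with 200
# (re-rendered form) and a successful one with a 302 redirect to wp-admin.

SAMPLE_LOG='203.0.113.7 - - [10/Nov/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2019:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2019:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2019:10:01:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2019:10:02:00 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"'

# flag_bruteforce THRESHOLD  (log on stdin) -> "ip count" per IP at/over THRESHOLD
# Counted: POST /wp-login.php that came back 200 (failed login) and any POST to
# /xmlrpc.php (the other password-accepting endpoint). A 302 is a real login.
flag_bruteforce() {
  awk -v t="$1" '
    # $1 client IP, $6 quoted method, $7 request path, $9 status code
    $6 == "\"POST" && (($7 == "/wp-login.php" && $9 == "200") || $7 == "/xmlrpc.php") { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
  ' | sort
}

# fail2ban_snippets -> prints a filter and jail that apply the same rule live.
# The file paths and the nginx log location are assumptions for a Debian-style
# layout; adjust logpath for Apache or another distro.
fail2ban_snippets() {
  cat <<'EOF'
# /etc/fail2ban/filter.d/wp-login.conf
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php[^"]*" 200
            ^<HOST> .* "POST /xmlrpc\.php
ignoreregex =

# /etc/fail2ban/jail.d/wp-login.conf
[wp-login]
enabled  = true
port     = http,https
filter   = wp-login
logpath  = /var/log/nginx/access.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}

# Usage: flag offenders in the constructed sample at a threshold of 5
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
```

Run against a real log with `flag_bruteforce 5 < /var/log/nginx/access.log` to see who would have been banned before enabling the jail; if the site sits behind Cloudflare or another proxy, the first field is the proxy's address, and the real client must be taken from the forwarded header instead or every ban hits the proxy.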

  • @somik said:
    The best WordPress security is to delete it. Failing that, keep it on a separate server and keep backups. Eventually one of the plugins you use will get hacked. Your job is to prepare rectification measures.

    This goes for every website, ever - it will get hacked.
    100% secure system is a useless one, by definition.

    It boils down to whether the effort, knowledge and resources needed for hacking are worth the prize (or someone possessing those is really bent on hacking the site for whatever other reason). So the level of protection also depends on a site's "attractiveness" and previous hacking (attempt) history.

    Best one can do is have backups and some way of figuring out they have been hacked as soon as possible.

    Another aspect is that each level of security introduces a certain level of "inconvenience" for the legit users / site admins. Some are more troubling, some less. Plus it often adds complexity and another thing that can malfunction.

    As for the WP deletion - WP offers a very simple way to make nice looking websites and update content on a regular basis. With all its pros and cons. I agree that generally it is a mess. In terms of security, optimization and standardization. Yet, compared to the available alternatives, for many use cases it is "the least bad" option.

  • Ah, one thing I see is automated FTP backups or automatic backup to Google Drive.

    Great.

    When the hacker gets access to your server, they also get access to anything linked to your server. So the FTP backup location is compromised. The Google Drive is the same.

  • @somik said:
    Ah, one thing I see is automated FTP backups or automatic backup to Google Drive.

    Great.

    When the hacker gets access to your server, they also get access to anything linked to your server. So the FTP backup location is compromised. The Google Drive is the same.

    I agree.

    Having an offline backup is a good option - just in case.

    As well as another online backup on a different continent (in addition to one on your continent).

    That way, your backup policy has no failsafe only if a meteor destroys more than one continent, but then not having a backup will not be something that worries you.
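Several posts above converge on the same three backup rules: dump the database separately from the WP export, keep old copies off the web server in more than one place, and actually test-restore a backup before trusting it. somik's point is that a backup pushed from the web server is only as safe as that server, because the attacker inherits its credentials. As an added example (not any poster's script), here is a shell backup that a separate backup host would run after pulling the site directory: it archives the files plus a database dump, records a checksum, performs a trial restore that checks for wp-config.php, and prunes to a fixed number of old copies. The rsync-over-ssh pull, the `~/.my.cnf` credentials and the `WP_DB_NAME` variable are assumptions, and the paths are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: a backup that is independent of the WP XML
# export, is checksummed, is test-restored before it is trusted, and keeps a
# bounded number of old copies. Assumptions: it runs on a SEPARATE backup host
# that has already pulled the site directory over rsync/ssh (so a compromised web
# server holds no credentials for the backup store), and mysqldump reads its
# credentials from ~/.my.cnf; WP_DB_NAME and all paths are placeholders.

# _sha256 FILE -> hex digest (sha256sum on Linux, shasum on macOS)
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{print $1}'
}

# backup_site SITE_DIR OUT_DIR -> writes OUT_DIR/<site>-<stamp>.tar.gz and a
# .sha256 beside it; prints the archive path
backup_site() {
  site="$1"; out="$2"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  name="$(basename "$site")"
  archive="$out/$name-$stamp.tar.gz"
  mkdir -p "$out" || return 1

  # Database dump next to the files. Skipped when mysqldump or WP_DB_NAME is
  # absent so the example also runs offline. --single-transaction gives a
  # consistent InnoDB dump without locking the live site.
  extra=""
  if [ -n "${WP_DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
    mysqldump --single-transaction "$WP_DB_NAME" > "$out/$name-$stamp.sql" || return 1
    extra="$name-$stamp.sql"
  fi

  if [ -n "$extra" ]; then
    tar -czf "$archive" -C "$(dirname "$site")" "$name" -C "$out" "$extra" || return 1
    rm -f "$out/$extra"
  else
    tar -czf "$archive" -C "$(dirname "$site")" "$name" || return 1
  fi
  _sha256 "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if the checksum matches AND a trial restore
# contains wp-config.php; 1 otherwise. This is the "can you get the site back
# from it" check bikegremlin asks for, not just "does the file exist".
verify_backup() {
  archive="$1"
  expected="$(cat "$archive.sha256" 2>/dev/null)"
  actual="$(_sha256 "$archive")"
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "checksum missing or mismatched: $archive" >&2
    return 1
  fi
  scratch="$(mktemp -d)"
  ok=0
  if tar -xzf "$archive" -C "$scratch" 2>/dev/null &&
     [ -n "$(find "$scratch" -name wp-config.php | head -n 1)" ]; then
    ok=1
  fi
  rm -rf "$scratch"
  [ "$ok" -eq 1 ] || { echo "trial restore failed: $archive" >&2; return 1; }
  return 0
}

# prune_backups OUT_DIR KEEP -> delete all but the KEEP newest archives (names
# embed a UTC timestamp, so lexical order is chronological order)
prune_backups() {
  out="$1"; keep="$2"
  ls -1 "$out"/*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do rm -f "$old" "$old.sha256"; done
}

# Usage on the backup host (paths are placeholders):
#   rsync -a -e ssh backup@web.example.invalid:/var/www/site/ /srv/pull/site/
#   a="$(backup_site /srv/pull/site /srv/backups)" && verify_backup "$a" && prune_backups /srv/backups 8
```

The pull direction is the point: the web server only needs to accept a restricted ssh key from the backup host, and a second copy of `/srv/backups` can be synced onward to another continent without the web server ever holding a credential for either location. Run `verify_backup` on every archive, not just the newest, since an archive that was fine when written can still be the one you need after a quiet compromise.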

  • If you are incompetent in securing your site just use saas like wp.com

    If it's just blogging or a simple site then just use wp2static.

    Dynamic sites like forum, ecommerce and others requiring user input can really be a pain. You need to take risks and understand risks. You need to maintain, updates, upgrades, etc...

    Make your site as simple as possible.
    Don't allow user uploads
    Obfuscation
    Failsafe / backups
    As few plugins as possible, or better yet no plugins at all
    Choose a plugin from a stable company, or a plugin you can easily update or whose code you can handle.

  • there is no such thing

    you can try modsecurity if you have access to the server

  • Better to use a managed service instead of script scanners;
    +1 Sucuri, or just use the F2B model.

    Thanked by 1ITLabs