WordPress security issues

Harden your WordPress

Best recommended plugin:

All In One WP Security: get it from wordpress.org, or just search for All In One WP Security & Firewall in your plugin search

or watch on YouTube

After a recent hack of one of my sites, on which I had Wordfence installed, I was forced to look at all of my WordPress installations once again.

I love WordPress, don't get me wrong, but it's not a set-and-forget platform. The core is constantly being changed, with updates to plugins etc., and it is a favorite for hackers to test their latest software on.

Hacked

I found a folder called proem in my root, and it had changed the index and .htaccess files along with a few others. After a day of trying to recover, I finally gave up and restored the site from a backup (BackupBuddy: expensive but worth every penny; it's the best out there).

Having a backup of WordPress is essential:

You don't want to spend tons of time repairing a site that took you months, or in some cases years, to build. Hackers have no remorse; to most, if not all of them, it's a game.

If you're not sure how to harden your WordPress site:

I found an above-average plugin, All In One WP Security, that walks you through all of the areas that need to be beefed up.


This is an excellent plugin with a ton of features I know you're going to like (such as .htaccess file change notification),

and it lets you easily create an alphanumeric WP login, which is easy to do and recommended.

An effective brute-force prevention technique is to change the default WordPress login page URL.

Normally, to log in to WordPress you would type your site's home URL followed by wp-login.php.

This feature lets you change the login URL by setting your own slug: the last portion of the login URL, wp-login.php, is renamed to any string you like.

By doing this, malicious bots and hackers will not be able to reach your login page, because they will not know the correct login page URL.
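The brute-force attempts that this setting hides from are visible in your web server's access log long before a plugin tells you about them. The following script is an added example written for this post, not code from All In One WP Security or Wordfence: it parses Apache/nginx combined-format log lines and flags any source IP that POSTs to wp-login.php (or to xmlrpc.php, which the post disables for pingbacks further down) at least ten times inside one minute. The log lines it runs on are constructed for the example; the threshold and window are assumptions you can tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line; the sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that password-guessing scripts POST to: the default login page the post
# talks about, and xmlrpc.php, which the post later disables for pingbacks.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?redirect_to=... and friends
        "status": int(m["status"]),
    }


def find_bruteforce(lines, threshold=10, window=timedelta(minutes=1)):
    """Map each source IP to its total number of login POSTs if, at any point, it sent
    at least `threshold` of them inside a sliding `window`. GETs are ignored: a human
    loads the page once, a guessing script only POSTs."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # shrink the window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# --- constructed sample log (not real traffic) ------------------------------------
_T0 = datetime(2015, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, secs, method, path, status=200):
    ts = (_T0 + timedelta(seconds=secs)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    [_line("192.0.2.9", 5, "GET", "/wp-login.php")]                                   # one real visitor
    + [_line("198.51.100.7", s, "POST", "/wp-login.php") for s in (0, 600, 1200)]     # three slow logins
    + [_line("203.0.113.5", s, "POST", "/wp-login.php?action=login") for s in range(0, 36, 3)]  # 12 in 33 s
    + [_line("203.0.113.77", s, "POST", "/xmlrpc.php") for s in range(0, 50, 5)]      # 10 in 45 s
    + ["garbage line that is not in combined format"]
)

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs, burst exceeded threshold")
```

Run it against a real log with `find_bruteforce(open("/path/to/access_log"))`; the two bursty IPs in the sample are reported, the visitor who only GETs the page and the user who logs in three times over twenty minutes are not. Once the login slug is changed, the same script shows you how much traffic still hits the old path.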

Wordfence: a great plugin to monitor your site in real time, and it provides a level of security. It's not foolproof in and of itself, but it gives valuable information and has a lot of features.

Note: By default, the "Live Tracking" feature of Wordfence is turned on. However, this is a very resource-intensive process that causes high CPU usage on your account, which in turn causes your website to load more slowly.

With this in mind, we are asking all Wordfence users to disable this feature (this is the recommended setting in the Wordfence documentation for users on shared hosting servers) via their WordPress dashboards. You will find that disabling this feature leads to improved performance of your websites.

Instructions on how to disable the "Live Tracking" feature can be found below:

How To Reduce Wordfence CPU Usage


Visit the http://www.wordfence.com/ site to see what it looks like: it's an eye-opener!

The current frequency of attacks we're seeing across all WordPress sites running Wordfence is 31280 attacks per minute.

There are a number of WordPress plugin vulnerabilities out there that a lot of users haven't patched yet.

TimThumb Vulnerability Scanner
==============================

http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

Disable XML-RPC Pingbacks
==========================

https://wordpress.org/plugins/disable-xml-rpc-pingback/

If you are running the OptimizePress WordPress theme on your account, it has known vulnerabilities and you should follow the details in the article below to patch them:

http://d9clients.com/announcements/47/OptimizePress-Security-Vulnerability-Please-read-if-using-OptimizePress.html

When connecting to your webspace via FTP, it would be a lot more secure to use SFTP (the SSH-based Secure File Transfer Protocol) instead.

SFTP encrypts the data it transmits, whereas FTP sends all data between your machine and the server in plain text, making it easy for packet sniffers to intercept.

All major FTP clients now support SFTP, so all you need to do to enable it is change the protocol in your FTP client from "FTP" to "SFTP". You will also need to specify the secure port on the server; you can find the SFTP port by logging into your cPanel, clicking on "FTP Accounts" and then "Configure FTP Client".
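To see for yourself what "plain text" means here, the script below is an added example (not from the post or any FTP client) that audits a packet capture the way an intrusion detection rule would: any USER or PASS command on the FTP control port is a credential that crossed the wire readable, while an SFTP session on port 22 exposes nothing but the SSH banner. The packets are constructed for the example; a real run would feed it records pulled from a pcap. The password value is deliberately never reported, only the fact that it was sent.

```python
from collections import Counter
from dataclasses import dataclass

FTP_CONTROL_PORT = 21   # plain FTP: commands and passwords travel in clear text
SSH_PORT = 22           # SFTP runs inside SSH: everything after the banner is encrypted


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


def ftp_credentials_exposed(packets):
    """Return (src, dst, command, value) for every plaintext FTP USER/PASS command seen
    on port 21. The password itself is never returned, only that it was transmitted."""
    findings = []
    for p in packets:
        if p.dport != FTP_CONTROL_PORT:
            continue
        first = p.payload.split(b"\r\n", 1)[0]
        cmd = first[:5].upper()
        if cmd == b"USER ":
            findings.append((p.src, p.dst, "USER", first[5:].decode("ascii", "replace")))
        elif cmd == b"PASS ":
            findings.append((p.src, p.dst, "PASS", "<redacted>"))
    return findings


def transfer_protocols(packets):
    """Count client->server pairs by protocol, so you can see who still uses plain FTP."""
    seen = {}
    for p in packets:
        if p.dport == FTP_CONTROL_PORT:
            seen[(p.src, p.dst)] = "ftp"
        elif p.dport == SSH_PORT and p.payload.startswith(b"SSH-"):
            seen[(p.src, p.dst)] = "sftp/ssh"
    return Counter(seen.values())


# Constructed capture: one plain-FTP login and one SFTP login to the same server.
SAMPLE_CAPTURE = [
    Packet("10.0.0.5", "192.0.2.10", 21, b"USER siteowner\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 21, b"PASS correct-horse-battery\r\n"),  # readable by any sniffer
    Packet("10.0.0.5", "192.0.2.10", 21, b"LIST\r\n"),
    Packet("10.0.0.6", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_6.7\r\n"),         # banner is the only cleartext
    Packet("10.0.0.6", "192.0.2.10", 22, bytes.fromhex("1417030d9a3c7e21")),  # encrypted: nothing to read
]

if __name__ == "__main__":
    for src, dst, cmd, value in ftp_credentials_exposed(SAMPLE_CAPTURE):
        print(f"plaintext FTP {cmd} from {src} to {dst}: {value}")
    print(dict(transfer_protocols(SAMPLE_CAPTURE)))
```

On the sample the report names the FTP user and notes that a password followed, while the SFTP client contributes only a protocol count. If a report like this on your own network is non-empty, the fix is the one the post gives: switch the client to SFTP.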

If you have Cloudflare provided by your web host, it will add an additional level of security.

Check your site with SiteCheck by Sucuri.

Change the file permissions on the root (from the WordPress Codex):

Secured Permissions
600 -rw------- /home/user/wp-config.php
604 -rw----r-- /home/user/cgi-bin/.htaccess
600 -rw------- /home/user/cgi-bin/php.ini
711 -rwx--x--x /home/user/cgi-bin/php.cgi
100 ---x------ /home/user/cgi-bin/php5.cgi

.htaccess permissions
644 > 604: the bit allowing the group owner of the .htaccess file read permission was removed. 644 is normally required and recommended for .htaccess files.
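Checking those modes by hand on every install is tedious, so here is an added example (written for this post, not the Codex's or any plugin's code) that encodes the table above, reports every listed file whose mode differs, lists anything world-writable under the root (the usual way a stray folder ends up in a web root on shared hosting), and can apply the table's modes. The demo tree it builds is constructed in a temporary directory with the loose 644/777 defaults; point `audit_permissions` at a real account root to use it for real.

```python
import os
import shutil
import stat
import tempfile

# Target modes from the Codex table quoted above (paths relative to the account root).
SECURED_PERMISSIONS = {
    "wp-config.php": 0o600,
    "cgi-bin/.htaccess": 0o604,
    "cgi-bin/php.ini": 0o600,
    "cgi-bin/php.cgi": 0o711,
    "cgi-bin/php5.cgi": 0o100,
}


def audit_permissions(root, expected=SECURED_PERMISSIONS):
    """Return {relpath: (actual_mode, wanted_mode)} for every listed file whose mode
    differs from the table. Files that do not exist on this install are skipped."""
    problems = {}
    for rel, want in expected.items():
        path = os.path.join(root, rel)
        if not os.path.lexists(path) or os.path.islink(path):
            continue
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual != want:
            problems[rel] = (actual, want)
    return problems


def world_writable(root):
    """List everything under root that 'other' may write to. On shared hosting that is
    how a compromised neighbouring account gets to drop files into your web root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def apply_permissions(root, expected=SECURED_PERMISSIONS):
    """chmod each listed file to the table's mode (only files that exist)."""
    for rel, want in expected.items():
        path = os.path.join(root, rel)
        if os.path.isfile(path) and not os.path.islink(path):
            os.chmod(path, want)


def make_demo_root():
    """Constructed throw-away tree with the loose defaults many installs ship with."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for d in ("cgi-bin", "wp-content", "wp-content/uploads"):
        os.makedirs(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for rel in SECURED_PERMISSIONS:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("# demo file\n")
        os.chmod(os.path.join(root, rel), 0o644)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # the classic mistake
    return root


def cleanup(root):
    shutil.rmtree(root)


if __name__ == "__main__":
    demo = make_demo_root()
    print("before:", audit_permissions(demo), world_writable(demo))
    apply_permissions(demo)
    print("after: ", audit_permissions(demo))
    cleanup(demo)
```

Modes are printed as integers; `oct()` turns them back into the 600/604 form used in the table. The audit deliberately skips symlinks and files that are absent, so it can be run unchanged on hosts that have no cgi-bin at all.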

And lastly, take a breath and keep waiting for WordPress to finally overcome its security issues sometime in the distant future.

The Ongoing Battle

It seems destined to be an ongoing battle, considering the number of attacks taking place, so I hope that these few measures will help. Let me know...

One thing I can guarantee is that if you have WordPress and you don't make it harder for hackers to get in, you're going to have a hacked site on your hands. Just install Wordfence to see how many visits your site really has, and how many use admin as a hack attempt for a login. That's the first thing to do on any WP install: don't use admin as a username; use a secure alphanumeric name/password, and delete the default after you test logging out and back in.

Cheers

John N


Comments

  1. It's not my first time to go to see this web site; I am visiting this web page daily and take pleasant information from here daily.

  2. This info is priceless. Where can I find out more?

    • John Neilson says:

      I have D9 as a host (I think that they are the best around) and they send out information on stuff that they run across.
      If you have a site that you're concerned about, the first thing is to change the default login to something other than the normal login with
      WP Security, and then ask your hosting provider for any tips on hardening.
