How to secure a website running on WordPress?

Discussion in 'WordPress' started by Devtard, Apr 16, 2013.

  1. #1
    Many people think that "security" plugins are a panacea for all problems. In my opinion, WP is pretty secure itself and doesn't need any security enhancements.* In my opinion, security plugins usually perform useless tasks (that can be easily done manually) and waste server resources.

    My websites have never been hacked. That's because I use common sense. I think that the majority of all websites are hacked because of not very wise users who don't look for suspicious code and install anything that they can find on the internet.

    This is an interesting post made by one of the top WP plugin developers: http://halfelf.org/2013/false-security/

    In a nutshell:

    What he doesn’t do
    • Hide the WP version in the HTML
    • Remove readme.html
    • Hide login error messages
    • IP blocking
    • Use a different prefix for the DB
    • Move wp-config.php

    What he does do
    • .htaccess protect wp-config.php
    • Lock file permissions
    • Prevent plugins from writing to wp-config.php and .htaccess
    • Prevent folder content browsing (for images mostly, but also plugins)
    • Use strong passwords for WP/FTP/SQL accounts
    • Use one-time passwords for WP/SQL/FTP/SSH accounts

    To you all who advise people to install dubious security plugins: let them read this instead.

    * Well, there is one exception - in the case of the brute-force attacks that web hosts have been experiencing in recent days, you might want to relocate your WP directory if you need to use it.
     
    Last edited: Apr 16, 2013
    Devtard, Apr 16, 2013 IP
  2. Nigel Lew, Notable Member
    #2
    Giggles quietly to self lol...

    Just as a quick aside, he is entirely correct, but lay folks don't know what that stuff means. You can't tell a noob, "bro, you got plugins writing to the config file." Fleshing out why a range of things won't work correctly because you changed the DB prefix is not much fun either.

    just sayin,
    Nigel
     
    Nigel Lew, Apr 16, 2013 IP
  3. jeff23, Member
    #3
    Hey great article.

    Points are very helpful.

    Just a few days ago my website got hacked.

    Good points to protect it in the future.
     
    jeff23, Apr 17, 2013 IP
  4. themes4all, Well-Known Member
    #4
    Very interesting article. There are a bunch of bloggers out there who write something like "15 Best WordPress security plugins" and blah blah blah. In fact, with these tips and simply with the WordPress documentation (http://codex.wordpress.org/Hardening_WordPress) you can do some tricks to secure it.
     
    themes4all, Apr 17, 2013 IP
  5. Sazzad, Greenhorn
    #5
    Very informative post. Also, you can use .htaccess to secure your wp-config.php and block access to the wp-includes folder.
     
    Sazzad, Apr 17, 2013 IP
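As an added example that is not part of any post above (nor taken from halfelf.org or the Codex page linked in #4), here is a minimal .htaccess that implements three of the items from the "What he does do" list in #1 and the wp-config.php / wp-includes point in #5: denying web access to wp-config.php, turning off directory listing, and refusing direct requests for PHP files under wp-includes. It assumes Apache with mod_rewrite available, AllowOverride permitting these directives, and WordPress installed at the web root (adjust RewriteBase otherwise); the rules are the same regardless of Apache version because both the 2.2 and 2.4 access-control syntaxes are included behind IfModule checks.

```apache
# --- 1. Never serve wp-config.php over HTTP ---
# Apache 2.4 (mod_authz_core) and Apache 2.2 (mod_access_compat) syntax,
# selected automatically so the file works on either version.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# --- 2. No directory listings (wp-content/uploads, plugins, etc.) ---
# A request for a folder without an index file now returns 403 instead of
# exposing every file name in it.
Options -Indexes

# --- 3. Block direct requests for PHP files in the include-only directories ---
# wp-includes/*.php is only meant to be loaded by WordPress itself, never
# requested directly by a browser.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # wp-admin/includes is also include-only
    RewriteRule ^wp-admin/includes/ - [F,L]
    # If the request is NOT under wp-includes/, skip the next 3 rules
    RewriteRule !^wp-includes/ - [S=3]
    # Top-level PHP files in wp-includes: forbidden
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    # TinyMCE language PHP files: forbidden
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    # Legacy theme-compat PHP files: forbidden
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

After deploying it, check with `curl -I https://example.com/wp-config.php` (placeholder host) that the response is 403, and that a request for a folder such as `/wp-content/uploads/` no longer returns a file listing. Then click through the admin area: the wp-includes rules can break the rare plugin or theme that loads a PHP file from wp-includes directly, and on a subdirectory install the RewriteBase must match the install path. Note that a 403 from the web server only covers requests through Apache; a PHP file-inclusion flaw in a plugin still reads wp-config.php from disk, which is why the list in #1 also locks down file permissions and keeps plugins from writing to it.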