Best WordPress Security Strategy?

@ Shawn33 – You do not need to know anything about .htaccess files in order to use BulletProof Security because we have automated it so much that it does all the site specific .htaccess customizations per website automagically. 😉 It is almost impossible to screw this up, but some folks do on occasion. The good news is it takes about 2 minutes to get right back where you were by deleting the root .htaccess file and using AutoMagic and activating BulletProof Modes again.

In general I think it is better to look in the actual plugin’s forum area and see what kind of issues folks are having with a plugin and note the responses / support from the plugin author.

We take BulletProof Security support very seriously and do not leave anyone hanging as you can see by our plugin forum area responses. 😉

In general hiding things is not an effective security strategy. Also adding a second layer of BasicAuth authentication on the /wp-admin folder is not really effective. If a hacker has gotten through the WP authentication on the /wp-admin folder then cracking BasicAuth will take about 30 seconds to 1 minute. My personal record is 6 seconds.

What is very effective and very important and that was not mentioned here is that you completely secure your site against Brute Force Password Cracking for your WP login. First off make sure that the username that you pick is unusual / obscure. Ensure that your username is not the same as comment Author name. Then get a plugin that locks your login after X amount of failed cracking attempts. Any password can be cracked given enough time, but by slowing a hacker bot down you will most likely deter it enough that it will look for easier pickings somewhere else.

The best security approach is an action approach.
X does this bad action and Y is the result = Forbidden.

I don’t know about you, but if someone offered me the keys to a Ferrari I wouldn’t refuse them because I thought I couldn’t handle the car. 😉

Thanks.

BPS seems intimidating, but after playing with BPS for 15 minutes you will be like “is that it?” and wanting more features LOL. A couple of years ago BPS had very little automation and yeah it was hectic for everyone, but these days its a total no-brainer. 😉

BPS only does it’s thing by creating .htaccess files and does not interfere, modify or change anything else about WordPress or your website so all you have to do is just delete the root .htaccess file that BPS creates if you run into a problem.

Yep Login Lock is a great plugin. 😉

1. I tried to find out how SiteLock works and i just found a bunch of hype and sales pitch info and nothing about how it actually works, but it appears to be some sort of scanner. I assume then that it is not creating .htaccess files and just scanning based on signatures. So I don’t think there would be any sort of conflict. Also it seems pretty established so it is safe to factor in that they have taken into account that website owners will probably already have their own .htaccess files.

And yeah a scanner in combination with local website security .htaccess files would make your website even more secure. We don’t use any scanner services, but we do have HoneyPots, Traps and other early warning detection custom coding systems. Mostly though this is used for tracking down hacker’s scripts to grab them and dissect them for research purposes. 😉

2. I hate this question. 😉 I obviously believe in BPS Pro, but i am not a salesman and detest sales pitching period. Give BPS free a try and if you like it and feel comfortable with it then there is a link within BPS that will take you to a feature comparison of BPS free and Pro. BPS Pro is designed the same way – we don’t expect anyone to have to know anything – just point and shoot. LOL

Oh and this is an interesting bit of info that didn’t make the mainstream. There has been a massive Worldwide assault directed at Web Host Servers themselves using Brute Force FTP Password cracking. It has been going on now for over a month and several of the big boys got nailed. What is interesting about this one is that it appears 3 or 4 hacker groups are sharing some newfound Server vulnerability that they discovered. Whatever they figured out it has worked on compromising over 20 Web Hosts Servers Worldwide that we know of. So the true number is probably 100+ Web Hosts. Not all Servers are compromised just some so they must share some common vulnerability. Any way it seems to be slowing down a bit so I guess most of the Web Hosts figured out what needed to be patched. 😉

Thanks.

Actually BPS Pro 5.1.5 has the first generation of AutoRestore, which is only autorestoring the WP Core Root files. Generation 2 will have full site AutoRestore and something new that we are not revealing yet. he he. 😉 The approach is countermeasure security – the Host Server gets hacked, files are injected with malicious code and autorestore automatically restores the files. Full Site AutoRestore will work together with the new feature. They will be released in 5.1.7. 😉

very nice thread.
I was wondering if anyone knows other plugins that are compatible with
Bulletproof Security Plugin. It seems the more the merrier…

However, since it’s functions / settings are not broken down into options or settings (i.e. “do you want to have this measure implemented?”) it feels unsafe for a novice like myself, because I don’t what exactly is being done.

First off BPS has been around for years and almost 500,000 downloads/installations to date. The .htaccess code has been carefully thought out to work on 1,000’s of different web hosts and millions of websites. So there are only a couple of things that rarely cause problems on some web hosts and of course some plugin issues. Help info can be found in this BulletProof Security Forum >>> http://forum.ait-pro.com/ and you will notice that there are only a handful of issues when dealing with 1,000’s of web hosts and almost 500,000 downloads/installations.

The other thing is I have already tried giving folks options to choose from in BPS – that was a complete disaster and a nightmare. The problem is the same problem – if you give people .htaccess options and choices that they really do not understand then you are in the exact same boat, well actually a much worse boat. 😉

The other thing about BPS htaccess files/code is that the code MUST be integrated into the entire WordPress Rewrite loop at all levels and cannot be added as stand alone code, otherwise it would only be effective in the root directory and not all levels of URL rewriting.

/
/some category/
/some category/some post
/some page
etc etc etc

The majority of folks do not want to have to make choices and want full automation. I designed BPS to work for those folks who want hands off automation and I also coded it for myself – full manual control with built-in .htaccess file/code editors, etc. 😉

You have made some interesting points. Feedback is always appreciated. You are obviously a technically savvy person – most folks are not and why should they be. They just want something quick without having to mess around with it so they can go on about whatever their personal work may be – cranking out posts, adding items to a store, etc.

And this is an observation I have made through the years – everyone works differently and wants things layed out in the format they are most familiar with/most comfortable with. Unfortunately, I will never be able to make everyone happy so the format I have chosen to go with is the one that has worked best after trying many different formats. I hate to say this but it is true for me – if 99% of folks are telling me that things are good and 1% want changes then most likely I am not really going to consider making a change. If 10% of the folks ask for a change then I will definitely make that change. 😉

I have tried explaining things to the average person and that does not really work out well and only ends up adding more time spent/increased workload so I gave up that approach years ago. BPS used to have options/choices/decisions, which increased my workload/support time around 300% so that is a NO GO for me. 😉

BPS starts from maximum security with the option to decrease that maximum security on a case by case basis or when a plugin skip/bypass rule is needed for a particular plugin issue/problem. So actually there is only one direction to go in by default – that is to decrease your personal website security if you choose to do that as needed.

I think BPS and Better WP Security are comparable plugins and both plugins do different things and do overlap slightly. Both plugins work together/are compatible. So there is really no point in comparing them against each other and declaring which might be better than the other. If you are more comfortable with the format Better WP Security is using then the choice is a simple one for you – go with Better WP Security. 😉