Best WordPress Security Strategy? (23 posts)

  1. Shawn33
    Posted 4 years ago #


    I have been studying up recently trying to put together a good security strategy for an existing site and it's beginning to feel a bit like trying to learn a new language. I'm hoping that I might be able to get a little advice from some WordPress experts on the matter.

    So far these are the plugins/services I am looking at:
    1. Bulletproof Security Plugin
    2. Better WP Security Plugin
    3. Secure WordPress Plugin
    4. Sucuri.net services
    5. Website Defender's beta security service

    I am not someone who knows how to edit .htaccess files or coding or anything like that.

    I have done a few things already though like moving the wp-config.php file, deleting the readme.html/install.php files. I put a blank index.html file in the uploads directory. I'm also considering password protecting my admin folder through cpanel. That's about the extent of what I know how to do technically and honestly I don't even fully understand why I did these things, except that they were recommended to me by someone I trust.

    My fear is that some of the plugins, like "Bulletproof" and "Better WP Security" will have features that might break my site and I won't know how to fix it. Is that fear unfounded?

    Sucuri seems like a good idea since they monitor your site and will fix things if it does get hacked. However, I'm not sure that their preventive measures are on par with those of the aforementioned plugins.

    Does anyone have experience with these plugins/services?

    What would you recommend for someone like myself who doesn't have the desire nor the capability to edit files and fix compatibility issues, but would like some peace of mind concerning the security of their site?

    Hope that wasn't too long...

    Thanks in advance!


  2. MickeyRoush
    Posted 4 years ago #

    Shawn33, unfortunately some of those plugins can easily break your site. Bulletproof and Better WP edit your .htaccess file(s), so you need to learn something about them. Otherwise they are good plugins. I wish there was an easy answer. The WordPress core itself is quite secure as there are many who help support it. Security really comes into question when you use themes and plugins. Either get them here or read reviews about them before you decide on which to use. (Please start new specific threads on a plugin or theme in particular if you have a question about them.)

    Here are some more good plugins and tips that should help you. The more you learn the more you can lock down your site.

    1. http://wordpress.org/extend/plugins/block-bad-queries/
    2. http://wordpress.org/extend/plugins/bad-behavior/
    3. http://wordpress.org/extend/plugins/ban-hammer/
    4. http://wordpress.org/extend/plugins/extrawatch/
    5. http://wordpress.org/extend/plugins/ip-filter/
    6. http://wordpress.org/extend/plugins/limit-login-attempts/
    7. http://wordpress.org/extend/plugins/login-dongle/
    8. http://wordpress.org/extend/plugins/mute-screamer/
    9. http://wordpress.org/extend/plugins/simple-changed-files/
    10. http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/
    11. http://wordpress.org/extend/plugins/wordpress-firewall-2/
    12. http://wordpress.org/extend/plugins/wordpress-sentinel/
    13. http://wordpress.org/extend/plugins/wp-block-admin/
    14. http://wordpress.org/extend/plugins/wsecure/installation/

    There are many more, those are just ones that I think you should read up on.

    Informative links:

    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/

    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories

    Again there is more info out there, those are just the ones that have been mentioned on this forum many times. Some you have probably already looked into.

  3. +1 MickeyRoush

    The best security comes via best practices. Those informative links that Mickey provided are good stuff.

    - Have a routine backup strategy and keep X number of backups off the server.

    - Know how to restore from scratch and practice restoring your backup somewhere else. Don't practice on your live WordPress install :) If you can do that successfully you are really prepared for the Bad Thing™.

    - Learn about hosting and what else is running on your server. A secured WordPress installation can be ruined by other insecure software.

    - Keep up with version releases for all of your software. Sometimes newer releases break plugins and you need to decide if keeping that old software is worth it and if you accept the risk.

    That and Mickey's posting should start you on the path of Reasonably Secure Goodness.
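    The backup routine sketched in the bullets above (take a copy on a schedule, keep only the newest N copies, and rehearse the restore somewhere other than the live site), as an added example written for this thread and not code from any of the plugins or services mentioned in it. It works on a constructed temporary directory rather than a real WordPress root; the `site_dir`, `backup_dir` and `keep` values are assumptions, and a real run would also include a database dump file next to the files (the dump itself is outside this example).

```python
import filecmp
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def make_backup(site_dir, backup_dir, stamp=None):
    """Archive site_dir into backup_dir/site-<UTC stamp>.tar.gz and return the path."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")   # fixed top-level name makes restores predictable
    return archive


def prune_backups(backup_dir, keep):
    """Keep only the newest `keep` archives; names sort chronologically because
    they carry the UTC timestamp. Returns the names that remain."""
    archives = sorted(Path(backup_dir).glob("site-*.tar.gz"))
    for old in (archives[:-keep] if keep > 0 else archives):
        old.unlink()
    return sorted(p.name for p in Path(backup_dir).glob("site-*.tar.gz"))


def _trees_identical(a, b):
    """Byte-for-byte comparison of two directory trees (same file set, same content)."""
    a, b = Path(a), Path(b)
    files = lambda root: {str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()}
    fa, fb = files(a), files(b)
    if fa != fb:
        return False
    return all(filecmp.cmp(a / r, b / r, shallow=False) for r in fa)


def rehearse_restore(archive, site_dir):
    """Extract the archive into a scratch directory (never over the live site) and
    report whether the restored tree matches the live tree."""
    scratch = Path(tempfile.mkdtemp())
    # the "data" extraction filter exists on Python 3.12+ and patched 3.8-3.11; use it when present
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(scratch, **extract_kwargs)
    return _trees_identical(site_dir, scratch / "site")


def demo():
    """Constructed scenario: four 'weekly' backups, keep three, rehearse a restore,
    then tamper with the live copy and confirm the rehearsal notices."""
    work = Path(tempfile.mkdtemp())
    site = work / "public_html"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed sample config\n")
    (site / "wp-content" / "uploads" / "index.html").write_text("")
    backups = work / "backups"
    latest = None
    for stamp in ("20240101T000000Z", "20240108T000000Z", "20240115T000000Z", "20240122T000000Z"):
        latest = make_backup(site, backups, stamp)
    kept = prune_backups(backups, keep=3)
    ok_before = rehearse_restore(latest, site)
    (site / "wp-config.php").write_text("<?php // tampered after the backup\n")
    ok_after = rehearse_restore(latest, site)
    return kept, ok_before, ok_after


if __name__ == "__main__":
    print(demo())
```

    The point of `rehearse_restore` is the one the post makes: a backup you have never extracted and compared is an assumption, not a backup. Copy the archives off the server after `make_backup` runs; the pruning here only limits what stays on the host.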

  4. Shawn33
    Posted 4 years ago #

    MickeyRoush - thank you so much for the informative links...I have some reading to do ;) Thanks as well for the warning about Bulletproof and Better WP Security. I had a feeling that might be the case but needed some confirmation from someone with experience.

    Jan Dembowski - Thanks for the advice as well! My backup strategy has been to do a database backup via wp-db manager before any theme/plugin updates - then do a full, home directory, and database backup via cpanel once a week which I store in 3 locations.

    Does that sound like a pretty good strategy?

    Know how to restore from scratch and practice restoring your backup somewhere else. Don't practice on your live WordPress install :) If you can do that successfully you are really prepared for the Bad Thing™.

    I didn't know restoring could present problems. I always thought you could just use cpanel's restore interface or contact the hosting provider in the event of a catastrophic failure that requires a full restore.

    Is there more to it than that?

  5. AITpro
    Posted 4 years ago #

    @ Shawn33 - You do not need to know anything about .htaccess files in order to use BulletProof Security because we have automated it so much that it does all the site specific .htaccess customizations per website automagically. ;) It is almost impossible to screw this up, but some folks do on occasion. The good news is it takes about 2 minutes to get right back where you were by deleting the root .htaccess file and using AutoMagic and activating BulletProof Modes again.

    In general I think it is better to look in the actual plugin's forum area and see what kind of issues folks are having with a plugin and note the responses / support from the plugin author.

    We take BulletProof Security support very seriously and do not leave anyone hanging as you can see by our plugin forum area responses. ;)

    In general hiding things is not an effective security strategy. Also adding a second layer of BasicAuth authentication on the /wp-admin folder is not really effective. If a hacker has gotten through the WP authentication on the /wp-admin folder then cracking BasicAuth will take about 30 seconds to 1 minute. My personal record is 6 seconds.

    What is very effective and very important and that was not mentioned here is that you completely secure your site against Brute Force Password Cracking for your WP login. First off make sure that the username that you pick is unusual / obscure. Ensure that your username is not the same as comment Author name. Then get a plugin that locks your login after X amount of failed cracking attempts. Any password can be cracked given enough time, but by slowing a hacker bot down you will most likely deter it enough that it will look for easier pickings somewhere else.

    The best security approach is an action approach.
    X does this bad action and Y is the result = Forbidden.

    I don't know about you, but if someone offered me the keys to a Ferrari I wouldn't refuse them because I thought I couldn't handle the car. ;)
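    The brute-force countermeasure described two paragraphs up (lock the login after X failed attempts, which is also what the later posts call "locking out users after X failed attempts for X minutes"), as an added example written for this thread; it is not code from Login Lock, BulletProof Security or any other plugin named here. The thresholds, the choice to key lockouts on the (client IP, username) pair, and the `verify` callback standing in for the real password check are all my assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5           # failures allowed inside the sliding window
WINDOW_SECONDS = 10 * 60   # how far back failures are counted
LOCKOUT_SECONDS = 15 * 60  # how long a key stays locked once it trips


class LoginLockout:
    """Sliding-window failed-login counter with a timed lockout per (ip, username)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lock expires

    @staticmethod
    def _key(ip, username):
        # Keying on the pair means a bot hammering one username from one address
        # does not lock the legitimate user out from everywhere else.
        return (ip, username.strip().lower())

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, username, now):
        key = self._key(ip, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                      # lock expired: start with a clean slate
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, ip, username, now):
        """Count a failed attempt; returns True if this one tripped the lock."""
        key = self._key(ip, username)
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, ip, username):
        key = self._key(ip, username)
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def seconds_remaining(self, ip, username, now):
        until = self._locked_until.get(self._key(ip, username))
        return max(0, until - now) if until else 0


def attempt_login(guard, ip, username, password, now, verify):
    """Gate the credential check behind the lockout. `verify` is a hypothetical
    callback for the real password check; it is never invoked while locked, so
    guessing against a locked key yields no information at all."""
    if guard.is_locked(ip, username, now):
        return "locked"
    if verify(username, password):
        guard.record_success(ip, username)
        return "ok"
    guard.record_failure(ip, username, now)
    return "locked" if guard.is_locked(ip, username, now) else "bad-credentials"


def demo():
    """Constructed scenario: a bot guesses 'editor42' from one address while the real
    user logs in from another; returns the outcome of each attempt in order."""
    guard = LoginLockout()
    users = {"editor42": "correct horse battery staple"}          # constructed sample
    verify = lambda u, p: users.get(u) == p
    t = 1_000_000
    results = [attempt_login(guard, "203.0.113.9", "editor42", f"guess{i}", t + 5 * i, verify)
               for i in range(6)]                                  # six bad guesses, 5 s apart
    results.append(attempt_login(guard, "198.51.100.4", "editor42", "correct horse battery staple", t + 60, verify))
    results.append(attempt_login(guard, "203.0.113.9", "editor42", "correct horse battery staple",
                                 t + 25 + LOCKOUT_SECONDS + 1, verify))   # bot's lock has expired
    return results


if __name__ == "__main__":
    print(demo())
```

    The fifth failure itself returns "locked" rather than "bad-credentials", so an attacker cannot tell from the last response whether the threshold sits at four or five. A plugin would additionally log each lockout, which is where the "it blocks attempts daily" observation later in the thread comes from.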


  6. Shawn33
    Posted 4 years ago #

    @AITpro - Thanks for responding to me personally regarding your services.

    I was leaning toward your plugin to begin with for sure as you seem to provide great support, have the most comprehensive features, and keep the plugin updated frequently.

    What worried me was that what it does might be too complicated and if there was a problem I wouldn't be able to fix it. So, if there are any complications with your plugin, all edits can be removed and things put back the way they were easily?

    Thanks also for the tip about login protection. I have been using Login Lock for a few days now and it blocks attempts daily. Had no idea there were so many attacks going on :(

    Couple other questions while I have you:

    1. I noticed my hosting account has a discounted price for a service called Site Lock. Would that service interfere with your plugin if I was using both at once and would there be any reason to be using both anyway?

    2. Would you recommend the premium version of your plugin for someone like myself who is not advanced in file editing, coding, etc, or would the premium features just be over my head?

    Thanks again!


  7. AITpro
    Posted 4 years ago #

    BPS seems intimidating, but after playing with BPS for 15 minutes you will be like "is that it?" and wanting more features LOL. A couple of years ago BPS had very little automation and yeah it was hectic for everyone, but these days it's a total no-brainer. ;)

    BPS only does its thing by creating .htaccess files and does not interfere, modify or change anything else about WordPress or your website so all you have to do is just delete the root .htaccess file that BPS creates if you run into a problem.

    Yep Login Lock is a great plugin. ;)

    1. I tried to find out how SiteLock works and I just found a bunch of hype and sales pitch info and nothing about how it actually works, but it appears to be some sort of scanner. I assume then that it is not creating .htaccess files and just scanning based on signatures. So I don't think there would be any sort of conflict. Also it seems pretty established so it is safe to factor in that they have taken into account that website owners will probably already have their own .htaccess files.

    And yeah a scanner in combination with local website security .htaccess files would make your website even more secure. We don't use any scanner services, but we do have HoneyPots, Traps and other early warning detection custom coding systems. Mostly though this is used for tracking down hacker's scripts to grab them and dissect them for research purposes. ;)

    2. I hate this question. ;) I obviously believe in BPS Pro, but I am not a salesman and detest sales pitching period. Give BPS free a try and if you like it and feel comfortable with it then there is a link within BPS that will take you to a feature comparison of BPS free and Pro. BPS Pro is designed the same way - we don't expect anyone to have to know anything - just point and shoot. LOL

    Oh and this is an interesting bit of info that didn't make the mainstream. There has been a massive Worldwide assault directed at Web Host Servers themselves using Brute Force FTP Password cracking. It has been going on now for over a month and several of the big boys got nailed. What is interesting about this one is that it appears 3 or 4 hacker groups are sharing some newfound Server vulnerability that they discovered. Whatever they figured out it has worked on compromising over 20 Web Host Servers Worldwide that we know of. So the true number is probably 100+ Web Hosts. Not all Servers are compromised just some so they must share some common vulnerability. Anyway it seems to be slowing down a bit so I guess most of the Web Hosts figured out what needed to be patched. ;)


  8. Shawn33
    Posted 4 years ago #

    Thanks for the info and advice and being so honest with me, I really appreciate it. I'll give BPS another look and probably try it out. It's good to know the support is there if I need it. That's something you can't say about every plugin and service, even many of the really popular ones.

    Regarding the server attack, that's something I was thinking about the other day. Even if my site is secure through WP, what's stopping someone from hacking my cpanel or the server itself. Oh, well I guess there's only so much you can do and then just make sure you have a good backup strategy in case of disaster ;)

    Thanks again!

  9. AITpro
    Posted 4 years ago #

    Actually BPS Pro 5.1.5 has the first generation of AutoRestore, which is only autorestoring the WP Core Root files. Generation 2 will have full site AutoRestore and something new that we are not revealing yet. he he. ;) The approach is countermeasure security - the Host Server gets hacked, files are injected with malicious code and autorestore automatically restores the files. Full Site AutoRestore will work together with the new feature. They will be released in 5.1.7. ;)
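    The countermeasure described in this post (a file monitor that notices injected or dropped files and puts known-good copies back), and the file-monitor plugins listed earlier in the thread, as an added example written for this thread; it is not BulletProof Security's AutoRestore or any other plugin's code. It hashes a "site" tree against a baseline, reports modified, removed and added files, restores the first two from a clean copy and moves unknown files aside instead of deleting them (my design choice: they may be legitimate uploads, and you want the evidence). The directory layout and file contents are constructed in a temporary directory.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Relative path -> SHA-256 for every file under root (this is the 'known good' state)."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(root, baseline):
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def autorestore(root, clean_copy, baseline, quarantine):
    """Put modified/removed files back from clean_copy; move unknown files to quarantine.
    Returns the diff that was acted on, so it can be logged or mailed as an alert."""
    report = diff_against_baseline(root, baseline)
    for rel in report["modified"] + report["removed"]:
        dst = Path(root) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(clean_copy) / rel, dst)
    for rel in report["added"]:
        dst = Path(quarantine) / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(Path(root) / rel), str(dst))
    return report


def demo():
    """Constructed scenario: identical 'site' and 'clean' trees, then the site gets
    one file altered, one deleted and one unknown file dropped in."""
    work = Path(tempfile.mkdtemp())
    site, clean, quarantine = work / "site", work / "clean", work / "quarantine"
    for d in (site, clean):
        (d / "wp-includes").mkdir(parents=True)
        (d / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (d / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
    baseline = build_baseline(clean)
    (site / "index.php").write_text("<?php /* injected line */ require 'wp-blog-header.php';\n")
    (site / "wp-includes" / "version.php").unlink()
    (site / "wp-includes" / "cache.php").write_text("<?php // unknown file\n")
    detected = autorestore(site, clean, baseline, quarantine)
    after = diff_against_baseline(site, baseline)
    quarantined = sorted(str(p.relative_to(quarantine)) for p in quarantine.rglob("*") if p.is_file())
    return detected, after, quarantined


if __name__ == "__main__":
    print(demo())
```

    Two caveats a monitor like this has to live with: the baseline and the clean copy must be stored where a compromise of the web root cannot alter them (otherwise the attacker simply updates the baseline), and legitimate changes (core updates, uploads) must refresh the baseline or they will be reported and reverted on the next run.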

  10. Mark (podz)
    Support Maven
    Posted 4 years ago #

    There is also VaultPress.

  11. gransar
    Posted 3 years ago #

    Very nice thread.
    I was wondering if anyone knows other plugins that are compatible with
    Bulletproof Security Plugin. It seems the more the merrier...

  12. definitio
    Posted 3 years ago #

    Hello, I am having the same "dilemma", between
    1) BulletProof Security
    2) Better WP Security

    1) I like how BulletProof Security breaks the htaccess down into "compartments" signifying that the order of htaccess rules matters. It is also quite easy to manage overall.
    However, since its functions / settings are not broken down into options or settings (i.e. "do you want to have this measure implemented?") it feels unsafe for a novice like myself, because I don't know what exactly is being done.
    If something goes wrong I can't read all these lines of code and locate the offending rules.
    It's just inserted into htaccess as a "block".
    This way it's also difficult to compare its set of functions with those of another security plugin.

    2) Overall Better WP Security seems to offer more functions (including changing the database prefix, the admin user id etc.)
    It also breaks down the security settings into distinguished options, so if I get a malfunction with the applied settings, I can safely remove one at a time and test to see which is the offending rule.

    I don't know if Better WP Security enforces some rules on order of htaccess code, like BulletProof Security does, by forcing e.g. WP Super Cache code at the bottom of htaccess, AFTER WordPress default code.
    Bulletproof also notifies you when (known I guess) plugins have no access to htaccess when they need it.

    I must say that I have also lost some faith on Better WP Security after trying the "login" protection and failing.
    The url slug to the new login or admin address does not work and in fact the "secret key" is displayed in the url field of the browser.

    I don't want to use both and I am having difficulty choosing.

    Better WP Security does have more options, which are laid out for the user to choose, but it does currently have one bug, as far as I can tell, which is kind of confidence shaking.
    Bulletproof Security offers very easy htaccess administration, I like how it allows you to add code to specified places through the backend, but its code comes as a block making it hard to find rules that are responsible for incompatibilities and if I ever want to move away from it, I have to pick out the various pieces of code, while with Better WP Security I can easily just delete what code I see belongs to a deleted/deactivated plugin...they don't become "mixed" as with Bulletproof Security.

    What's your take?

  13. AITpro
    Posted 3 years ago #

    However, since its functions / settings are not broken down into options or settings (i.e. "do you want to have this measure implemented?") it feels unsafe for a novice like myself, because I don't know what exactly is being done.

    First off BPS has been around for years and almost 500,000 downloads/installations to date. The .htaccess code has been carefully thought out to work on 1,000's of different web hosts and millions of websites. So there are only a couple of things that rarely cause problems on some web hosts and of course some plugin issues. Help info can be found in this BulletProof Security Forum >>> http://forum.ait-pro.com/ and you will notice that there are only a handful of issues when dealing with 1,000's of web hosts and almost 500,000 downloads/installations.

    The other thing is I have already tried giving folks options to choose from in BPS - that was a complete disaster and a nightmare. The problem is the same problem - if you give people .htaccess options and choices that they really do not understand then you are in the exact same boat, well actually a much worse boat. ;)

    The other thing about BPS htaccess files/code is that the code MUST be integrated into the entire WordPress Rewrite loop at all levels and cannot be added as stand alone code, otherwise it would only be effective in the root directory and not all levels of URL rewriting.

    /some category/
    /some category/some post
    /some page
    etc etc etc

    The majority of folks do not want to have to make choices and want full automation. I designed BPS to work for those folks who want hands off automation and I also coded it for myself - full manual control with built-in .htaccess file/code editors, etc. ;)

  14. definitio
    Posted 3 years ago #

    Thank you for your response.

    I get your point and to a large degree I support the approach. But I am not entirely sure if it prohibits tying subsets of the code to explicit options, about what the code does, in the backend.
    As I said, it even makes it easier to compare the features of each plugin.

    The other thing is that whether this more "universally" functioning code can be actually "tightened" to fit the needs of specific users by the plugin itself, that is, by adding settings as options that the user must TEST and enable on a case by case basis, increasing the overall possible level of security.

    Now I am not saying that Better WP Security offers a greater level of protection than Bulletproof Security, but that it allows more tailored configurations in a non-technical, user-friendly manner and even if some settings have higher chances of causing a conflict, being optional, they can be tested and either kept enabled or disabled.

    Seemingly - without judging the efficiency of protection - Better WP Security does allow more tailored configurations, even if they may at whole not offer greater security.

    As I said, I am not sure the two approaches are exclusive.

    But my main question is how can a user like me decide on which plugin - notwithstanding the approach - offers better protection, which is of course not only a feature-related issue, but also a matter of implementation...

  15. AITpro
    Posted 3 years ago #

    You have made some interesting points. Feedback is always appreciated. You are obviously a technically savvy person - most folks are not and why should they be. They just want something quick without having to mess around with it so they can go on about whatever their personal work may be - cranking out posts, adding items to a store, etc.

    And this is an observation I have made through the years - everyone works differently and wants things laid out in the format they are most familiar with/most comfortable with. Unfortunately, I will never be able to make everyone happy so the format I have chosen to go with is the one that has worked best after trying many different formats. I hate to say this but it is true for me - if 99% of folks are telling me that things are good and 1% want changes then most likely I am not really going to consider making a change. If 10% of the folks ask for a change then I will definitely make that change. ;)

    I have tried explaining things to the average person and that does not really work out well and only ends up adding more time spent/increased workload so I gave up that approach years ago. BPS used to have options/choices/decisions, which increased my workload/support time around 300% so that is a NO GO for me. ;)

    BPS starts from maximum security with the option to decrease that maximum security on a case by case basis or when a plugin skip/bypass rule is needed for a particular plugin issue/problem. So actually there is only one direction to go in by default - that is to decrease your personal website security if you choose to do that as needed.

    I think BPS and Better WP Security are comparable plugins and both plugins do different things and do overlap slightly. Both plugins work together/are compatible. So there is really no point in comparing them against each other and declaring which might be better than the other. If you are more comfortable with the format Better WP Security is using then the choice is a simple one for you - go with Better WP Security. ;)

  16. definitio
    Posted 3 years ago #

    Thank you for your comments, for taking the time to respond.

    I am not savvy, I just want to be as conscious as possible (from my point of departure) when setting things up and then forget about it.

    Exactly because I don't understand and cannot judge for myself I am wondering whether "benchmarks" have been carried out, where plugins are tested under different scenarios to see which are their respective strengths...
    ...not in UI, but in actual protection...

    I would also be interested in reading about experiences of users who went either way after testing both plugins

    I don't want to take up your time, nor do I want to put you into a position where you'd have to argue over the weaknesses of other developers' work but I am looking for something to read that will help me say "I have these reasons for going with the X solution".

    I have Googled the net, but not found anything helpful yet.

    I feel more comfortable with Better WP Security's backend panel, that is true, but that is not what matters most to me. That's just the only level on which I can comment.

  17. AITpro
    Posted 3 years ago #

    I think the best way of making an informed choice/decision is to look at what other folks are saying about a plugin - the good/bad/ugly LOL. The place to look is the "View Support Forum" link that each plugin has and you will get a pretty good overall picture about a plugin. ;)

    Yeah I tend to stay away from stating my personal opinions publicly. he he. And saying negative things in general. Usually negative thoughts/feelings come from your ego so 99% of the time those thoughts/feelings are naturally going to be jaded/biased. ;)

  18. definitio
    Posted 3 years ago #

    Thank you for your prompt response.

    I have to say the speed of your responses is encouraging me to stick with BulletProof Security.

    Does your response here still stand, i.e. can the two plugins be used alongside each other, provided the server tweaks of Better WP Security are left unchecked?

    If I were to use Better WP Security for the rest of its functions, wouldn't it still need htaccess writing access for
    - Login Security: locking out users after X failed attempts for X minutes and
    - Users added to blacklist after X 404 links in X minutes?
    Won't that mean I'd have to keep the htaccess file unlocked?

    If I do that, it seems I would be better off using a more targeted "login protection" plugin.
    Can you recommend one now that Login Lock is gone that will work well / play nice with BulletProof Security?

    I have found
    - Simple Login Lockdown
    - Login Security Solution


  19. AITpro
    Posted 3 years ago #

    Yep the response still stands.

    I am not really 100% sure about the other htaccess writing capability, but no one has ever mentioned a problem with this so I would assume Better WP Security is doing a CHMOD to unlock the root .htaccess file if it is locked.

    For login protection and many more login and user account handling bennies >>> http://wordpress.org/extend/plugins/theme-my-login/

  20. definitio
    Posted 3 years ago #

    Thank you once again.

    I am a bit confused on the difference between BPS Free and Pro regarding the update process.
    For Pro it says it updates like other WP plugins and BPS files are automatically updated.

    How does BPS Free handle updates/upgrades?

  21. AITpro
    Posted 3 years ago #

    They are the same identical update/upgrade process. Update/Upgrade Notifications are displayed in the WP Dashboard as well as the zip installation link. The only difference of course is that the Pro version zip file is installed from the AITpro API Server and not the WordPress Download Server like the Free version. ;)

  22. leejosepho
    Posted 3 years ago #

    I would also be interested in reading about experiences of users who went either way after testing both plugins.

    In my own experience, there was no either/or choice I ever had to make. As a complete rookie at all of this, BWPS and BPS were the two plugin names still readable on my notepad after several hours of searching and reading here in these forums and elsewhere...and my first move was to install and activate BWPS so I could change my admin username and make it no longer be #1 in my registry. After that, I began doing a little clicking while reviewing my previous notes as well as some new ones, and I stayed away from the yellow area there until one of the guys at BlueHost said I would likely not have any trouble with at least one of the clicks available there. BPS had not lost my interest during any of that, but like AITpro might recall my saying later, the idea of "one click for all" or whatever actually concerned me a bit, just like the first time I ever turned on my Commodore and wondered what might happen if I pressed a wrong key. In the end, I now have only BPS working, but not because I think either plugin is better than the other. Rather, I know there will come a day when someone else will be sitting in my seat...and I will have left them with no potentially-troublesome buttons to try out.

  23. definitio
    Posted 3 years ago #

    Yep the response still stands.

    I am not really 100% sure about the other htaccess writing capability, but no one has ever mentioned a problem with this so I would assume Better WP Security is doing a CHMOD to unlock the root .htaccess file if it is locked.

    I have been testing how the two plugins work together and I am seeing something weird.

    I am trying to deactivate the "Disable Directory Browsing" option in the 'Server Tweaks' section of BWPS but it re-checks itself after saving.
    This may be due to a matching code used by the two plugins, so that it reads the option as being enabled(?). I don't know.

    PS: Doesn't BPS also remove the WordPress generator tag? I guess this could be deactivated in BWPS as well.

Topic Closed

This topic has been closed to new replies.