Best WordPress Security Strategy?

  • Greetings,

    I have been studying up recently trying to put together a good security strategy for an existing site and it’s beginning to feel a bit like trying to learn a new language. I’m hoping that I might be able to get a little advice from some WordPress experts on the matter.

    So far these are the plugins/services I am looking at:
    1. Bulletproof Security Plugin
    2. Better WP Security Plugin
    3. Secure WordPress Plugin
    4. Sucuri.net services
    5. Website Defender’s beta security service

    I am not someone who knows how to edit .htaccess files or coding or anything like that.

    I have done a few things already though like moving the wp-config.php file, deleting the readme.html/install.php files. I put a blank index.html file in the uploads directory. I’m also considering password protecting my admin folder through cpanel. That’s about the extent of what I know how to do technically and honestly I don’t even fully understand why I did these things, except that they were recommended to me by someone I trust.

    My fear is that some of the plugins, like “Bulletproof” and “Better WP Security” will have features that might break my site and I won’t know how to fix it. Is that fear unfounded?

    Sucuri seems like a good idea since they monitor your site and will fix things if it does get hacked. However, I’m not sure that their preventative measures are on par with those of the aforementioned plugins.

    Does anyone have experience with these plugins/services?

    What would you recommend for someone like myself who doesn’t have the desire nor the capability to edit files and fix compatibility issues, but would like some peace of mind concerning the security of their site?

    Hope that wasn’t too long…

    Thanks in advance!

    Shawn

Viewing 15 replies - 1 through 15 (of 22 total)
  • Shawn33, unfortunately some of those plugins can easily break your site. Bulletproof and Better WP edit your .htaccess file(s), so you need to learn something about them. Otherwise they are good plugins. I wish there was an easy answer. The WordPress core itself is quite secure as there are many who help support it. Security really comes into question when you use themes and plugins. Either get them here or read reviews about them before you decide on which to use. (Please start new specific threads on a plugin or theme in particular if you have a question about them.)

    Here are some more good plugins and tips that should help you. The more you learn the more you can lock down your site.

    1. http://wordpress.org/extend/plugins/block-bad-queries/
    2. http://wordpress.org/extend/plugins/bad-behavior/
    3. http://wordpress.org/extend/plugins/ban-hammer/
    4. http://wordpress.org/extend/plugins/extrawatch/
    5. http://wordpress.org/extend/plugins/ip-filter/
    6. http://wordpress.org/extend/plugins/limit-login-attempts/
    7. http://wordpress.org/extend/plugins/login-dongle/
    8. http://wordpress.org/extend/plugins/mute-screamer/
    9. http://wordpress.org/extend/plugins/simple-changed-files/
    10. http://wordpress.org/extend/plugins/wordpress-file-monitor-plus/
    11. http://wordpress.org/extend/plugins/wordpress-firewall-2/
    12. http://wordpress.org/extend/plugins/wordpress-sentinel/
    13. http://wordpress.org/extend/plugins/wp-block-admin/
    14. http://wordpress.org/extend/plugins/wsecure/installation/

    There are many more, those are just ones that I think you should read up on.

    Informative links:

    1. http://codex.wordpress.org/WordPress_Backups
    2. http://codex.wordpress.org/Backing_Up_Your_Database
    3. http://codex.wordpress.org/Restoring_Your_Database_From_Backup

    1. http://codex.wordpress.org/FAQ_My_site_was_hacked
    2. http://wordpress.org/support/topic/268083#post-1065779
    3. http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
    4. http://ottopress.com/2009/hacked-wordpress-backdoors/

    1. http://codex.wordpress.org/Hardening_WordPress
    2. http://codex.wordpress.org/htaccess_for_subdirectories

    Again there is more info out there, those are just the ones that have been mentioned on this forum many times. Some you have probably already looked into.

    Moderator Jan Dembowski

    @jdembowski

    Brute Squad and Volunteer Moderator

    +1 MickeyRoush

    The best security comes via best practices. Those informative links that Mickey provided are good stuff.

    – Have a routine backup strategy and keep X number of backups off the server.

    – Know how to restore from scratch and practice restoring your backup somewhere else. Don’t practice on your live WordPress install 🙂 If you can do that successfully you are really prepared for the Bad Thing™.

    – Learn about hosting and what else is running on your server. A secured WordPress installation can be ruined by other insecure software.

    – Keep up with version releases for all of your software. Sometimes newer releases break plugins and you need to decide if keeping that old software is worth it and if you accept the risk.

    That and Mickey’s posting should start you on the path of Reasonably Secure Goodness.

    MickeyRoush – thank you so much for the informative links…I have some reading to do 😉 Thanks as well for the warning about Bulletproof and Better WP Security. I had a feeling that might be the case but needed some confirmation from someone with experience.

    Jan Dembowski – Thanks for the advice as well! My backup strategy has been to do a database backup via wp-db manager before any theme/plugin updates – then do a full, home directory, and database backup via cpanel once a week which I store in 3 locations.

    Does that sound like a pretty good strategy?

    Know how to restore from scratch and practice restoring your backup somewhere else. Don’t practice on your live WordPress install 🙂 If you can do that successfully you are really prepared for the Bad Thing™.

    I didn’t know restoring could present problems. I always thought you could just use cpanel’s restore interface or contact the hosting provider in the event of a catastrophic failure that requires a full restore.

    Is there more to it than that?

    @ Shawn33 – You do not need to know anything about .htaccess files in order to use BulletProof Security because we have automated it so much that it does all the site specific .htaccess customizations per website automagically. 😉 It is almost impossible to screw this up, but some folks do on occasion. The good news is it takes about 2 minutes to get right back where you were by deleting the root .htaccess file and using AutoMagic and activating BulletProof Modes again.

    In general I think it is better to look in the actual plugin’s forum area and see what kind of issues folks are having with a plugin and note the responses / support from the plugin author.

    We take BulletProof Security support very seriously and do not leave anyone hanging as you can see by our plugin forum area responses. 😉

    In general hiding things is not an effective security strategy. Also adding a second layer of BasicAuth authentication on the /wp-admin folder is not really effective. If a hacker has gotten through the WP authentication on the /wp-admin folder then cracking BasicAuth will take about 30 seconds to 1 minute. My personal record is 6 seconds.

    What is very effective and very important and that was not mentioned here is that you completely secure your site against Brute Force Password Cracking for your WP login. First off make sure that the username that you pick is unusual / obscure. Ensure that your username is not the same as comment Author name. Then get a plugin that locks your login after X amount of failed cracking attempts. Any password can be cracked given enough time, but by slowing a hacker bot down you will most likely deter it enough that it will look for easier pickings somewhere else.

    The best security approach is an action approach.
    X does this bad action and Y is the result = Forbidden.

    I don’t know about you, but if someone offered me the keys to a Ferrari I wouldn’t refuse them because I thought I couldn’t handle the car. 😉

    Thanks.
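    The login lockout described above (lock the login after X failed attempts), written out as a minimal WordPress plugin. This is an added illustration, not code from Login Lock, BulletProof Security or any other plugin named in this thread; the thresholds, the transient key names and the use of REMOTE_ADDR as the client identity are assumptions for the example.

```php
<?php
/*
 * Plugin Name: Example Login Lockout
 * Description: Illustration of a failed-login lockout (not a plugin from this thread).
 */

// Thresholds are assumptions for the illustration, not values from the thread.
const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;                          // failures allowed per window
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;     // window in which failures are counted
const EXAMPLE_LOCKOUT_DURATION     = 30 * MINUTE_IN_SECONDS;     // how long the login stays locked

// Transient key derived from the client address. REMOTE_ADDR is what PHP sees;
// behind a reverse proxy or CDN it may be the proxy's address, so adjust for your host.
function example_lockout_key( string $suffix ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_lockout_' . $suffix . '_' . md5( $ip );
}

// Count each failed login; once the threshold is reached, set a "blocked" marker
// that expires on its own after EXAMPLE_LOCKOUT_DURATION.
add_action( 'wp_login_failed', function ( $username ) {
    $count_key = example_lockout_key( 'count' );
    $count     = (int) get_transient( $count_key ) + 1;
    set_transient( $count_key, $count, EXAMPLE_LOCKOUT_WINDOW );

    if ( $count >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        set_transient( example_lockout_key( 'blocked' ), time(), EXAMPLE_LOCKOUT_DURATION );
        delete_transient( $count_key );
        // Leave an audit trail in the PHP error log; never log the password.
        error_log( sprintf(
            'Login lockout triggered for %s (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? '?',
            sanitize_user( $username )
        ) );
    }
} );

// Refuse authentication while the marker exists. Core's username/password checks
// run on this filter at priority 20, so priority 30 runs after them and overrides.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( example_lockout_key( 'blocked' ) ) ) {
        return new WP_Error(
            'example_too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so an occasional typo does not accumulate.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( example_lockout_key( 'count' ) );
}, 10, 2 );
```

    Counting per source address is the simplest form; a bot rotating through many addresses is only slowed by also counting per username, and sites behind a CDN need the real client address before the key is built.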

    @ATIpro – Thanks for responding to me personally regarding your services.

    I was leaning toward your plugin to begin with for sure as you seem to provide great support, have the most comprehensive features, and keep the plugin updated frequently.

    What worried me was that what it does might be too complicated and if there was a problem I wouldn’t be able to fix it. So, if there are any complications with your plugin, all edits can be removed and things put back the way they were easily?

    Thanks also for the tip about login protection. I have been using Login Lock for a few days now and it blocks attempts daily. Had no idea there were so many attacks going on 🙁

    Couple other questions while I have you:

    1. I noticed my hosting account has a discounted price for a service called Site Lock. Would that service interfere with your plugin if I was using both at once and would there be any reason to be using both anyway?

    2. Would you recommend the premium version of your plugin for someone like myself who is not advanced in file editing, coding, etc, or would the premium features just be over my head?

    Thanks again!

    Shawn

    BPS seems intimidating, but after playing with BPS for 15 minutes you will be like “is that it?” and wanting more features LOL. A couple of years ago BPS had very little automation and yeah it was hectic for everyone, but these days it’s a total no-brainer. 😉

    BPS only does its thing by creating .htaccess files and does not interfere, modify or change anything else about WordPress or your website, so all you have to do is just delete the root .htaccess file that BPS creates if you run into a problem.

    Yep Login Lock is a great plugin. 😉

    1. I tried to find out how SiteLock works and I just found a bunch of hype and sales pitch info and nothing about how it actually works, but it appears to be some sort of scanner. I assume then that it is not creating .htaccess files and just scanning based on signatures. So I don’t think there would be any sort of conflict. Also it seems pretty established so it is safe to factor in that they have taken into account that website owners will probably already have their own .htaccess files.

    And yeah a scanner in combination with local website security .htaccess files would make your website even more secure. We don’t use any scanner services, but we do have HoneyPots, Traps and other early warning detection custom coding systems. Mostly though this is used for tracking down hacker’s scripts to grab them and dissect them for research purposes. 😉

    2. I hate this question. 😉 I obviously believe in BPS Pro, but I am not a salesman and detest sales pitching period. Give BPS free a try and if you like it and feel comfortable with it then there is a link within BPS that will take you to a feature comparison of BPS free and Pro. BPS Pro is designed the same way – we don’t expect anyone to have to know anything – just point and shoot. LOL

    Oh and this is an interesting bit of info that didn’t make the mainstream. There has been a massive Worldwide assault directed at Web Host Servers themselves using Brute Force FTP Password cracking. It has been going on now for over a month and several of the big boys got nailed. What is interesting about this one is that it appears 3 or 4 hacker groups are sharing some newfound Server vulnerability that they discovered. Whatever they figured out it has worked on compromising over 20 Web Hosts Servers Worldwide that we know of. So the true number is probably 100+ Web Hosts. Not all Servers are compromised just some so they must share some common vulnerability. Anyway it seems to be slowing down a bit so I guess most of the Web Hosts figured out what needed to be patched. 😉

    Thanks.

    Thanks for the info and advice and being so honest with me, I really appreciate it. I’ll give BPS another look and probably try it out. It’s good to know the support is there if I need it. That’s something you can’t say about every plugin and service, even many of the really popular ones.

    Regarding the server attack, that’s something I was thinking about the other day. Even if my site is secure through WP, what’s stopping someone from hacking my cpanel or the server itself? Oh well, I guess there’s only so much you can do and then just make sure you have a good backup strategy in case of disaster 😉

    Thanks again!

    Actually BPS Pro 5.1.5 has the first generation of AutoRestore, which is only autorestoring the WP Core Root files. Generation 2 will have full site AutoRestore and something new that we are not revealing yet. he he. 😉 The approach is countermeasure security – the Host Server gets hacked, files are injected with malicious code and autorestore automatically restores the files. Full Site AutoRestore will work together with the new feature. They will be released in 5.1.7. 😉

    There is also VaultPress.

    Very nice thread.
    I was wondering if anyone knows other plugins that are compatible with
    Bulletproof Security Plugin. It seems the more the merrier…

    Hello, I am having the same “dilemma”, between
    1) BulletProof Security
    2) Better WP Security

    1) I like how BulletProof Security breaks the htaccess down into “compartments” signifying that the order of htaccess rules matters. It also quite easy to manage overall.
    However, since its functions / settings are not broken down into options or settings (i.e. “do you want to have this measure implemented?”) it feels unsafe for a novice like myself, because I don’t know what exactly is being done.
    If something goes wrong I can’t read all these lines of code and locate the offending rules.
    It’s just inserted into htaccess as a “block”.
    This way it’s also difficult to compare its set of functions with those of an other security plugin.

    2) Overall Better WP Security seems to offer more functions (including changing the database prefix, the admin user id etc.)
    It also breaks down the security settings into distinct options, so if I get a malfunction with the applied settings, I can safely remove one at a time and test to see which is the offending rule.

    I don’t know if Better WP Security enforces some rules on the order of htaccess code, like BulletProof Security does, by forcing e.g. WP Super Cache code at the bottom of htaccess, AFTER WordPress default code.
    Bulletproof also notifies you when (known I guess) plugins have no access to htaccess when they need it.

    I must say that I have also lost some faith in Better WP Security after trying the “login” protection and failing.
    The url slug to the new login or admin address does not work and in fact the “secret key” is displayed in the url field of the browser.

    I don’t want to use both and I am having difficulty choosing.

    Better WP Security does have more options, which are laid out for the user to choose, but it does currently have one bug, as far as I can tell, which is kind of confidence shaking.
    Bulletproof Security offers very easy .htaccess administration, I like how it allows you to add code to specified places through the backend, but its code comes as a block making it hard to find rules that are responsible for incompatibilities and if I ever want to move away from it, I have to pick out the various pieces of code, while with Better WP Security I can easily just delete what code I see belongs to a deleted/deactivated plugin…they don’t become “mixed” as with Bulletproof Security.

    What’s your take?

    However, since its functions / settings are not broken down into options or settings (i.e. “do you want to have this measure implemented?”) it feels unsafe for a novice like myself, because I don’t know what exactly is being done.

    First off BPS has been around for years and almost 500,000 downloads/installations to date. The .htaccess code has been carefully thought out to work on 1,000’s of different web hosts and millions of websites. So there are only a couple of things that rarely cause problems on some web hosts and of course some plugin issues. Help info can be found in this BulletProof Security Forum >>> http://forum.ait-pro.com/ and you will notice that there are only a handful of issues when dealing with 1,000’s of web hosts and almost 500,000 downloads/installations.

    The other thing is I have already tried giving folks options to choose from in BPS – that was a complete disaster and a nightmare. The problem is the same problem – if you give people .htaccess options and choices that they really do not understand then you are in the exact same boat, well actually a much worse boat. 😉

    The other thing about BPS htaccess files/code is that the code MUST be integrated into the entire WordPress Rewrite loop at all levels and cannot be added as stand-alone code, otherwise it would only be effective in the root directory and not all levels of URL rewriting.

    /
    /some category/
    /some category/some post
    /some page
    etc etc etc

    The majority of folks do not want to have to make choices and want full automation. I designed BPS to work for those folks who want hands off automation and I also coded it for myself – full manual control with built-in .htaccess file/code editors, etc. 😉

    Thank you for your response.

    I get your point and to a large degree I support the approach. But I am not entirely sure if it prohibits tying subsets of the code to explicit options, about what the code does, in the backend.
    As I said, it even makes it easier to compare the features of each plugin.

    The other thing is that whether this more “universally” functioning code can be actually “tightened” to fit the needs of specific users by the plugin itself, that is, by adding settings as options that the user must TEST and enable on a case by case basis, increasing the overall possible level of security.

    Now I am not saying that Better WP Security offers a greater level of protection than Bulletproof Security, but that it allows more tailored configurations in a non-technical, user-friendly manner and even if some settings have higher chances of causing a conflict, being optional, they can be tested and either kept enabled or disabled.

    Seemingly – without judging the efficiency of protection – Better WP Security does allow more tailored configurations, even if they may as a whole not offer greater security.

    As I said, I am not sure the two approaches are exclusive.

    But my main question is how can a user like me decide on which plugin – notwithstanding the approach – offers better protection, which is not of course only feature-related issue, but also a matter of implementation…

    You have made some interesting points. Feedback is always appreciated. You are obviously a technically savvy person – most folks are not and why should they be. They just want something quick without having to mess around with it so they can go on about whatever their personal work may be – cranking out posts, adding items to a store, etc.

    And this is an observation I have made through the years – everyone works differently and wants things laid out in the format they are most familiar with/most comfortable with. Unfortunately, I will never be able to make everyone happy so the format I have chosen to go with is the one that has worked best after trying many different formats. I hate to say this but it is true for me – if 99% of folks are telling me that things are good and 1% want changes then most likely I am not really going to consider making a change. If 10% of the folks ask for a change then I will definitely make that change. 😉

    I have tried explaining things to the average person and that does not really work out well and only ends up adding more time spent/increased workload so I gave up that approach years ago. BPS used to have options/choices/decisions, which increased my workload/support time around 300% so that is a NO GO for me. 😉

    BPS starts from maximum security with the option to decrease that maximum security on a case by case basis or when a plugin skip/bypass rule is needed for a particular plugin issue/problem. So actually there is only one direction to go in by default – that is to decrease your personal website security if you choose to do that as needed.

    I think BPS and Better WP Security are comparable plugins and both plugins do different things and do overlap slightly. Both plugins work together/are compatible. So there is really no point in comparing them against each other and declaring which might be better than the other. If you are more comfortable with the format Better WP Security is using then the choice is a simple one for you – go with Better WP Security. 😉

    Thank you for your comments, and for taking the time to respond.

    I am not savvy, I just want to be as conscious as possible (from my point of departure) when setting things up and then forget about it.

    Exactly because I don’t understand and cannot judge for myself I am wondering whether “benchmarks” have been carried out, where plugins are tested under different scenarios to see which are their respective strengths…
    …not in UI, but in actual protection…

    I would also be interested in reading about experiences of users who went either way after testing both plugins

    I don’t want to take up your time, nor do I want to put you into a position where you’d have to argue over the weaknesses of other developers’ work but I am looking for something to read that will help me say “I have these reasons for going with the X solution”.

    I have Googled the net, but not found anything helpful yet.

    I feel more comfortable with Better WP Security’s backend panel, that is true, but that is not what matters most to me. That’s just the only level on which I can comment.

  • The topic ‘Best WordPress Security Strategy?’ is closed to new replies.