Support » Fixing WordPress » Better WP Security and beyond

  • Peter


    I have successfully implemented Better WP Security.
    Do I really need more like
    1) chap secure login ? or does BWPSec encryption (via backend admin)
    2) Anti Virus on the server (on my home computer I have one). Doesn’t the server provider look after it ?
    3) Firewall on the server (on my home computer I have one). Doesn’t the server provider look after it ?

    (in addition I protected wp-admin via IP address restriction)

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator kmessinger


    I would do everything recommended.



    Here a feature comparison between the text of the article “Hardening WordPress” and what Better WP Security does. Hence you install Better WP Security and look which of the following points are not treated by this plugin.

    Limiting access
    Making smart choices that reduce possible entry points available to a malicious person.

    -> Better WP Security does this

    Preparation and knowledge
    Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.

    –> Better WP Security Not Really, use a different e.g. BackWPUP

    Vulnerabilities on Your Computer
    Make sure the computers you use are free of spyware, malware, and virus infections.

    –> Task on local computer

    Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.

    -> Task on local computer

    Vulnerabilities in WordPress
    Updating WordPress
    Main article: Updating WordPress.

    –> WP reminds you to update

    If you think you have found a bug, report it. See Submitting Bugs for how to do this.

    –> user issue

    Web Server Vulnerabilities
    Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.

    -> Web host issue

    If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide.

    -> Web host issue

    Network Vulnerabilities
    The network on both ends — the WordPress server side and the client network side — should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network.

    –> User behavior issue

    Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.

    –> Better WP Security or Cap Secure Login ??

    Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.

    –> Better WP Security does this

    When connecting to your server you should use SFTP encryption if your web host provides it. Using SFTP is the same as FTP, except your password and other data is encrypted as it transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.

    –> by the way: Support for SFTP (SSH File Transfer Protocol) is not implemented in Filezilla Server.

    File Permissions
    Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.

    –> Better WP Security does this

    It is best to lock down your file permissions as much as possible and to loosen those restrictions. All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server.

    –> Does Better WP Security do this ?

    The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

    –> Does Better WP Security do this or does it come with the WP installation ? My files are all 644 (read/write for me, only read for group and world)

    Database Security
    If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user.

    –> On Hostgator each WP installation obtains a new DB.

    Securing wp-admin
    Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog’s admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files.

    –> Done by Better WP Sec. Do I need still Chap Secure Login ?

    The most common attacks against a WordPress blog usually fall into two categories.

    Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.
    Attempting to gain access to your blog by using “brute-force” password guessing.

    –> Done by Better WP Sec via max. Logins

    The ultimate implementation of this “second layer” password protection is to require an HTTPS SSL encrypted connection for administration, so that all communication and sensitive data is encrypted. See Administration Over SSL.

    Done by Better WP Sec,

    Securing wp-includes
    A second layer of protection can be added where scripts are generally not intended to be accessed by any user.

    Securing wp-config.php
    You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.

    If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

    –> “Better WP Include” prevents public access to readme.html, readme.txt, wp-config.php, install.php, wp-includes, and .htaccess.

    First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system.

    –> Plugins..

    Firewall Plugins
    There are a few plugins that purport to screen out suspicious-looking requests based on rule databases and/or whitelists. BlogSecurity’s WPIDS plugin installs PHPIDS, a generic security layer for PHP applications, while WordPress Firewall uses some WordPress-tuned pre-configured rules along with a whitelist to screen out attacks without much configuration.

    –> Do I really need this in addition to Better WP Security? What about performance ?

    Security through obscurity
    Security through obscurity is generally an unsound primary strategy. However, there are areas in WordPress where obscuring information might help with security:
    Rename the administrative account:

    –> Done by Better WP Security.

    Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.

    –> Done by Better WP Security.

    Sometimes prevention is not enough and you may still be hacked. That’s why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your site.

    Monitoring your logs
    If you are on a private server (where you have admin access), you have to watch your logs to detect password guessing attempts, web attacks, etc.

    -> Done by Better WP Security

    Monitoring your files for changes
    When an attack happens, it always leave traces. Either on the logs or on the file system (new files, modified files, etc).

    -> Done by Better WP Security

    Monitoring your web server externally
    If the attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitor solution.

    –> Who does this ?

    There is no word of Antivirus on the server inside “Hardening WordPress”. This the job of the web host, or ?

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Better WP Security and beyond’ is closed to new replies.