
04-09-2011, 08:39 AM
Junior Guru Wannabe
Join Date: Apr 2006
Posts: 80

How Secure are your WordPress Installations?
There have been several hacking incidents lately and the target is WordPress. Share your experience in securing WP installations.
__________________
SOLID HOSTING
Philippine Web Hosting Company
Domain Registration | Shared Hosting | Reseller Hosting | VPS | Cloud | Dedicated Server | Colocation | Microsoft SPLA

04-09-2011, 08:40 AM
Web Host Extraordinaire!!!
Join Date: Dec 2007
Location: Indianapolis, Indiana USA
Posts: 14,333

Quote:
Originally Posted by solidhostingph
There have been several hacking incidents lately and the target is WordPress. Share your experience in securing WP installations.

This is nothing new. One of the most important things you can do is to keep WordPress itself and all plugins updated, and to physically remove any plugins you're not actually using (and not just "disable" them).
__________________
█ Michael Denney - MDDHosting, LLC - Professional Hosting Solutions
█ LiteSpeed Powered - Shared, Reseller, Semi-Dedicated, and VPS
█ For high-end shared accounts ideal for business, check out our Semi-Dedicated offerings!
█ http://www.mddhosting.com/ - Providing Quality Services since 2007

04-09-2011, 11:30 AM
WHT Addict
Join Date: Jun 2009
Posts: 115

Quote:
Originally Posted by MikeDVB
This is nothing new, one of the most important things you can do is keeping WordPress itself and all plugins updated and to physically remove any plugins you're not actually using (and not just "disabling" them).

Completely agree, just keep your WP installations up to date and have secure passwords.
__________________
█ Accelerated Hosting - From Constant Internet
█ Automatically serving your website from the nearest server
█ Get hosted on our global network! America / Europe / Asia

04-09-2011, 02:38 PM
Junior Guru Wannabe
Join Date: Dec 2007
Posts: 34

I have WP-Firewall installed. I don't know how much protection it really gives, but I have never been hacked.

04-09-2011, 03:56 PM
Disabled
Join Date: Mar 2008
Posts: 630

For personal installations, I always IP-restrict the wp-admin folder to myself only via a .htaccess file. This provides a huge amount of protection.
The rest is pretty much common sense: keep WordPress up to date, keep plugins up to date. Keep plugin usage down to a minimum, as the more you have, the greater the likelihood that one of them is exploitable.
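One way to do the wp-admin IP restriction the post above describes, as an added example that is not from the post (Apache 2.2 access-control syntax, matching the era of the thread; 203.0.113.10 is a documentation-range placeholder for your own address). Two things the bare restriction misses: wp-admin/admin-ajax.php is requested by front-end features of some themes and plugins on behalf of anonymous visitors, so locking it breaks those features for everyone but you; and wp-login.php sits in the site root, not under wp-admin/, so the login form itself needs its own rule in the root .htaccess. On Apache 2.4 the Order/Deny/Allow lines become `Require ip 203.0.113.10` (and `Require all granted` for the admin-ajax.php exception).

```apacheconf
# ---- wp-admin/.htaccess ----
# Added example, not from the post above. 203.0.113.10 is a placeholder for
# your own (static) address; if your address changes, add a VPN exit or range.
Order deny,allow
Deny from all
Allow from 203.0.113.10

# admin-ajax.php is called from the public side of the site by some themes and
# plugins, for visitors who are not you, so leave it reachable
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
</Files>

# ---- root .htaccess (same directory as wp-login.php) ----
# The wp-admin/ rules do not cover the login form; close that gap here
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</Files>
```

Check it after deploying: a request to /wp-admin/ from any other address should get a 403, while /wp-admin/admin-ajax.php should still answer. If you come in through a dynamic IP, a VPN with a fixed exit address keeps the allow-list short.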

04-09-2011, 05:02 PM
Aspiring Evangelist
Join Date: Apr 2010
Posts: 418

I just updated to the latest WP, and now I'm trying to update cPanel etc.
Don't forget to harden the password.
__________________
please cmiiw always

04-10-2011, 07:48 AM
Junior Guru Wannabe
Join Date: May 2010
Posts: 43

@uzair21: does WP-Firewall work with WP 3?

04-10-2011, 07:50 PM
Premium Member
Join Date: Mar 2003
Location: Saint Paul, MN
Posts: 817

Add .htaccess rules to block all POST requests with an empty referrer. This will stop a lot of comment/pingback spam, and also at least some of the exploit tools out there.
__________________
redpin.com - offering amazingly competent email, dns, and web hosting since 2002 ... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS

04-10-2011, 08:12 PM
Web Hosting Guru
Join Date: May 2004
Location: Corona, CA USA
Posts: 346

Quote:
Originally Posted by Ankheg
Add .htaccess rules to block all POST requests with an empty referrer. This will stop a lot of comment/pingback spam, and also at least some of the exploit tools out there.

Hey, that's brilliant! Unfortunately mod_rewrite has a tendency to make my head asplode, but I'll ask around about syntax for this.
__________________
██ Skeptic Hosting
██ Promoting a reality-based lifestyle choice
██ Hosting by invitation only, nothing for sale

04-10-2011, 08:25 PM
Premium Member
Join Date: Mar 2003
Location: Saint Paul, MN
Posts: 817

This is the pertinent bit of the .htaccess file we give customers:
Code:
# flag the request when it carries no User-Agent, or no usable Referer
# (SetEnvIf matches an absent header as the empty string, so "^$" covers both)
SetEnvIf User-Agent "^$" zeroref=yes
SetEnvIf Referer "^$" zeroref=yes
# some tools send a literal "-" as the referer; anchored so a real URL that
# merely ends in "-" is not caught as well
SetEnvIf Referer "^-$" zeroref=yes
# only POST is restricted; GET/HEAD are untouched. Apache 2.2 access syntax;
# on 2.4 use "Require all granted" and "Require not env zeroref" inside <RequireAll>
<Limit POST>
Order allow,deny
allow from all
deny from env=zeroref
</Limit>
There are undoubtedly more elegant solutions, but this has worked well for us since the days of WordPress 1.whatever.
__________________
redpin.com - offering amazingly competent email, dns, and web hosting since 2002 ... because someone has to!
Because Simple Things Should Be Simple - YouCANHasDNS
Last edited by Ankheg; 04-10-2011 at 08:26 PM.
Reason: BBCode != HTML :(
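To see exactly which requests those three SetEnvIf lines deny, here is the same policy re-expressed in Python and run over a handful of constructed requests. This is an added example, not code from Ankheg's post, from Apache or from WordPress; the sample requests are made up, not captured traffic. It makes two limits of the rule visible that a practitioner should know before deploying it: the Referer is supplied by the client, so any spam tool that fills it in walks straight past the check, and a real visitor whose browser or proxy strips the Referer (a privacy setting, or a click from an HTTPS page to an HTTP site) gets a 403 when submitting a comment. It also shows why the dash rule is better anchored as `^-$`: the unanchored `-$` form also denies any legitimate referring URL that happens to end in a dash.

```python
import re

# Added illustration, not code from Ankheg's post or from Apache/WordPress:
# the three SetEnvIf rules as Python regexes. SetEnvIf matches unanchored,
# like re.search, and treats an absent header as the empty string, so "^$"
# fires for both a missing and an empty header.
ZEROREF_RULES = [
    ("User-Agent", r"^$"),   # no User-Agent at all
    ("Referer", r"^$"),      # no Referer, or an empty one
    ("Referer", r"^-$"),     # a literal "-" referer, which some tools send
]

def is_zeroref(headers):
    """True when any rule fires; header names are compared case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, pattern in ZEROREF_RULES:
        value = lowered.get(name.lower(), "")
        if re.search(pattern, value):
            return True
    return False

def decide(method, headers):
    """Mirror <Limit POST> ... deny from env=zeroref: only POST can be denied."""
    if method.upper() == "POST" and is_zeroref(headers):
        return "deny"
    return "allow"

def dash_rule_overblocks(referer):
    """True when the unanchored "-$" from the original snippet would deny this
    referer but the anchored "^-$" would not, i.e. a real URL ending in "-"."""
    return bool(re.search(r"-$", referer)) and not re.search(r"^-$", referer)

# Constructed sample requests (not captured traffic).
SAMPLES = [
    ("browser comment", "POST",
     {"User-Agent": "Mozilla/5.0", "Referer": "http://blog.example/2011/04/hello/"}),
    ("browser with Referer stripped", "POST",
     {"User-Agent": "Mozilla/5.0"}),
    ("script with no User-Agent", "POST",
     {"Referer": "http://blog.example/"}),
    ("tool sending '-' referer", "POST",
     {"User-Agent": "curl/7.21.0", "Referer": "-"}),
    ("spambot with forged Referer", "POST",
     {"User-Agent": "Mozilla/4.0", "Referer": "http://blog.example/"}),
    ("plain page view", "GET", {}),
]

def run_samples():
    """Map each sample label to the allow/deny outcome of the rule set."""
    return {label: decide(method, headers) for label, method, headers in SAMPLES}

if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{outcome:5}  {label}")
    print("unanchored -$ would deny a tag URL ending in a dash:",
          dash_rule_overblocks("http://blog.example/tag/c-"))
```

The "browser with Referer stripped" line is the one to watch in your access log after enabling the rule: a run of 403s on POST /wp-comments-post.php from ordinary browser user agents means real readers are being turned away, and you have to decide whether the spam reduction is worth it.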

04-10-2011, 09:30 PM
Junior Guru Wannabe
Join Date: Jan 2011
Posts: 33

Change the default database prefix. Move wp-config.php up one directory. Don't have an "admin" account, and make sure that your login username doesn't match the display name on your posts. If you access your site over unsecured wifi, then make sure you have https enabled for admin or connect through a VPN.
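The wp-config.php side of the advice above, as an added example that is not from the post; the prefix value is a placeholder. Two notes a practitioner will want: moving wp-config.php up one directory works because WordPress looks in the parent directory when the file is not beside wp-settings.php, but it only gains anything when that parent is outside the web root (the parent of public_html, not a second folder inside it); and changing the display name hides the login from post bylines, but the author archive slug (user_nicename, set from the login name when the account is created and reachable through the ?author=1 redirect) still reveals it unless that slug is changed as well.

```php
<?php
// wp-config.php excerpt. Added example, not from the post above; the prefix is a
// placeholder, pick your own.

// Weak: the default prefix that every mass scanner and canned SQL-injection
// payload assumes.
// $table_prefix = 'wp_';

// Non-default prefix. Set this before running the installer: changing it on a
// live site means renaming every table AND the prefix-named rows in the options
// and usermeta tables (wp_user_roles, wp_capabilities, wp_user_level), or users
// lose their roles.
$table_prefix = 'q7x3_';

// Dashboard and login over HTTPS only, so the auth cookies and password never
// cross an open wifi network in the clear. Needs a certificate that is valid
// for the site hostname, or admins will be unable to log in.
define('FORCE_SSL_ADMIN', true);
```

With FORCE_SSL_ADMIN set, a plain-http request for /wp-login.php or /wp-admin/ is redirected to https before any credentials are sent; verify the redirect from outside before relying on it.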

04-10-2011, 10:21 PM
Web Hosting Guru
Join Date: May 2004
Location: Corona, CA USA
Posts: 346

Quote:
Originally Posted by Ankheg
This is the pertinent bit of the .htaccess file we give customers:
Code:
SetEnvIf User-Agent ^$ zeroref=yes
SetEnvIf Referer "^$" zeroref=yes
SetEnvIf Referer "-$" zeroref=yes
<Limit POST>
Order allow,deny
allow from all
deny from env=zeroref
</Limit>

I've just installed this snippet on over a dozen blogs on my servers. I also use a similar rule set that denies GET or POST based on a list of bad bot user-agent strings. I found that inserting your code below that other code does not break anything for human users who have not tweaked their browsers so that they send no UA information.
Sure, there are lots of silly posts here on WHT sometimes, and some amazingly bold would-be fraudsters, so messages like yours that help the community help offset the loser posts.
Thank you very much.
__________________
██ Skeptic Hosting
██ Promoting a reality-based lifestyle choice
██ Hosting by invitation only, nothing for sale

04-10-2011, 10:35 PM
Web Hosting Evangelist
Join Date: Jan 2004
Posts: 544

I am not a fan of WP at all, for this very reason. Sure, WP works great, but too many WP sites are just online and never updated. Since WP is one of the top website platforms, it is targeted heavily. If you don't know how to secure a WP installation properly, your website will be targeted and potentially destroyed.
Last month I had to fetch 3 backups due to hack attempts that succeeded. (Not my sites, but clients I provide backup service for.)

04-10-2011, 10:37 PM
Junior Guru Wannabe
Join Date: Apr 2006
Posts: 80

@speckl: that's why we have this thread. We want others to share their experience in securing WP installations for the benefit of all.
__________________
SOLID HOSTING
Philippine Web Hosting Company
Domain Registration | Shared Hosting | Reseller Hosting | VPS | Cloud | Dedicated Server | Colocation | Microsoft SPLA