The Most Active and Friendliest
Affiliate Marketing Community Online!

“Adavice”/  “CPA

Wordpress Security

AbbyJ

New Member
affiliate
When starting my site I know it's important to make sure my site is secure. What plugins do you all recommend to use? I currently use Login Lockdown, but that's it. Is there anything else I should do on my computer or site other than plugins? So far I have antivirus software and https for the site, but that's it. Thanks in advance.
 
Even above plugins; here is a snippet of a reply that I just sent to a potential hosting customer this morning:

wordpress isolated databases
Nagios checks validating current WordPress installation versions
Nagios checks validating pending Operating System patches
DNS is through CloudFlare:
-- mask server IP
-- CloudFlare browser version & validation
-- CloudFlare's anti-DDOS
Implement SELinux
Dynamic firewalls,
Daily import of known-bad ip addresses
For sites that are non-encrypted, force login pages, & admin pages over the https encrypted protocol
Disable out-of-the-box accounts, like 'admin'

Security Plugins :
Sucuri (actually run hardening suggestions & enable any notification options)
CloudFlare Flexible SSL (required for the FORCE_SSL_ADMIN setting)
Login LockDown (change lockout timeout to 3600, update nginx to reflect CloudFlare IP's so source IP is accurate)
WordPress Zero Spam
 
Great, thanks! I am new to this, so how do you validate Wordpress installation versions and OS patches? How do you mask server IP address and why? Also, how do you import known bad IP addresses and what does this do to protect me? Thanks!
 
Change wp-login.php to another /user or /login it will save your website from automatic login bots.
 
how do you validate Wordpress installation versions and OS patches

One plugin that was not mentioned is WordFence. It's a great plugin that will protect WordPress from attacks. It has the ability to scan for malware, and can compare your WordPress installing to the files on WordPress-dot-org. OS patches are usually left to the host. One thing with WordFence...disable the Live View option. It's not needed.

Another option to protect your Dashboard is setup a htaccess file to either only allow a specific IP (you) or a user name /password combination that needs to be entered to access the Dashboard.
 
Don't install too many plugins. Keep the plugins that are necessary for your website.
and also don't forget to install WordPress security plugins. personally I'm using All in one WP Security.
 
I have heard some good things about Wordfence. There are also some htaccess rules that can be easily applied to greatly improve the security of WordPress.
 
MI
Back