The Most Active and Friendliest
Affiliate Marketing Community Online!

“Adavice”/  “CPA

How important is additional Wordpress security?

alvin_raj

New Member
affiliate
I am wondering how vital it is to have additional wordpress security if your blog is hosted on a purchased hosting plan.

The site I was working on for someone had https: and it seemed to be a secure host. This happened about a year ago and their Wordpress site got hacked.

i saw no reason for this to happen to them because this was during the initial stages of starting work on the site. They should not have been a target.

How many of you advise clients or even use additional security yourself?
 
Wordpress powers 23% of the Internet. As such, it is one of the most attacked pieces of software out there. If you and/or your host don't take security seriously with your Wordpress installations, you will have trouble.

Tha absolute number one most important aspect of Wordpress security is to stay up to date. I would also recommend a WAF (Web Application Firewall) of any kind. Not all WAF's are equal, but something is better than nothing.
 
Our company absolutely agrees with utdream, you MUST stay up to day with Wordpress updates to even have half a chance of having a secure site through Wordpress. As was also mentioned Wordpress is highly targeted because so many people use it. There are other things you can do to keep your site protected that might be advantageous like updating your theme and any plugins you have installed, remove any plugins or themes you are no longer using, only download or install plugins and themes from trusted sources, make sure to use a secure username (not just admin, which is often used by default), and change your password regularly using strong passwords typically using a random string of numbers and letters.
 
Most of the securities breaches can easily be fixed if users take some simple steps. Some important step
01. Keep a strong password
02. Keep changing your password in regular intervals
03. Never use administrator account to make post or pages
04. Changes admin ID to something random numbers after installation. Don't keep the default 1.
05. Stop user enumeration
06. Use Login limit plugins
07. change default wp-admin or wp-login.php url using a plugin
08. Use google recaptcha
09. Use wp scan by sucuri to scan for vulnerabilities in your plugin or theme
10. Always take backup on regular interval and update your theme, plugin and WordPress.
11. You can use some advance security plugin to block spammer and scrapers.

These are the some basic securities tip, hope this help someone
 
Hi Alvin,

I recommend you to use Cloudflare for additional security + WPremote to make sure that all your WordPress sites and plugins are always updated. Both solutions are free, just need to setup once.

Cheers! :)
 
YES! Some great advice in this thread.

What you are talking about is "hardening" WP.

Security isn't perfect and never will be. There will always be those trying to tap into someones site. It is a continual and progressive process that must be managed regularly.

Hardening WordPress is about risk reduction, and not elimination. The risk will never be zero. You must employ the the controls that best suit the risks and threats that may pertain to your site. Hardening WP

  1. Always keep everything up to date. there are some items such as WP itself, and most plugins, that can be automatically updated.
  2. Only install "Trusted" WP themes and plugins. Read their ratings and frequency of update.
  3. Always remove unused and unwanted plugins and themes.
  4. Install a security plugin like Sucuri Security, or BulletProof Security, etc.
  5. Backup the site weekly. you can set this to automatically occur inside your WHM. Be sure to clear out backups older than 60 days as they tend to be large files.
  6. Enforce extremely strong passwords.
  7. On some sites, it is a good idea to use a two factor login. There are plugins for this. Google Authenticator, Duo Two Factor, Two Factor, Clef, Authy, Rublon 2FA, etc.
  8. Make yourself the Admin without using "admin" as the username. Always remove, or rename, the "automatically created "admin" user.
  9. You have to limit login attempts. WP does not have this as a native code yet. I use JetPack for this, but have also used Login Lockdown and Login Attempts.
  10. you can also monitor brute force attacks and other malware attacks with Securi or WP Security Audit Log.
  11. Get an SSL certificate. If you don't want to buy one, at least get one of the free ones like Let's Encrypt.
  12. Rename or replace the login page so nobody can find it. There are plugins for this, I haven't used them for a while because I build my own themes now and have that built in for me. The exception to that for me is that on my member sites, I use S2Member which has this option built in.

There is more and you can find it on the WP org site in the above referenced link.
 
I've been hacked before and it's not nice. I used someone on peopleperhour.com who quickly removed the hack and installed securi security plugin, so I guess that's a decent quick plugin to use.
 
I am wondering how vital it is to have additional wordpress security if your blog is hosted on a purchased hosting plan.

The site I was working on for someone had https: and it seemed to be a secure host. This happened about a year ago and their Wordpress site got hacked.

i saw no reason for this to happen to them because this was during the initial stages of starting work on the site. They should not have been a target.

How many of you advise clients or even use additional security yourself?


I advise strongly to add as many security layers as possible. HTTPS has no real impact with security against hackers. you must install wordfence/shield or any other good plugin for security.
 
The site I was working on for someone had https: and it seemed to be a secure host. This happened about a year ago and their Wordpress site got hacked.
just because the site is over https does not mean the site is secure, or in any way hack proof. It means that the data is transmitted over an encrypted channel.

i saw no reason for this to happen to them because this was during the initial stages of starting work on the site. They should not have been a target.
The moment you register a domain, your whois contact information is scraped.
You also have no idea, nor any control, over the security of the hosting company.

These are naive assumptions.
 
I am wondering how vital it is to have additional wordpress security if your blog is hosted on a purchased hosting plan.

The site I was working on for someone had https: and it seemed to be a secure host. This happened about a year ago and their Wordpress site got hacked.

i saw no reason for this to happen to them because this was during the initial stages of starting work on the site. They should not have been a target.

How many of you advise clients or even use additional security yourself?

Wordpress depends on the internet, this means it's vulnerable to malicious attacks. Not updating wordpress may lead your site to being compromised, your site may go down and display inappropriate messages.
 
For client sites it is always better to be prepared.

Small sites might not really need advanced security. However, for business-related sites particularly if those are your clients' sites, you should ideally amp up the security. Just in case.
 
If you think your server hosting provider was the reason behind hacking, then go for renowned hosting provider and hosting server service. Cloud web server hosting or dedicated web server hosting is best to avoid hacking related attacks. Shared hosting & virtual private server hosting is detrimental to security.
 
I am wondering how vital it is to have additional wordpress security if your blog is hosted on a purchased hosting plan.

The site I was working on for someone had https: and it seemed to be a secure host. This happened about a year ago and their Wordpress site got hacked.

i saw no reason for this to happen to them because this was during the initial stages of starting work on the site. They should not have been a target.

How many of you advise clients or even use additional security yourself?
Well you can check this article for WordPress Security.
 
Many great points above. Using https does not make a website immune to any form of issues. Many times those issues are within the website. So when people are blocking others from getting in...they're already inside and can do almost anything they want.

Looking what was mention, one thing may have been missed...deleting whats not needed. If you have themes and plugins that are not being used, sitting deactivated, or "for a later day"...back them up and delete them from WordPress. They still use processing power and can be an open hole to an exploit.

Any themes or plugins you buy...research reviews on theme. See if the developer addresses issues quickly, and if they send out updates frequently.

Next...unless the web host specifically covers WordPress security, talk to them about protecting your website from bot and xmlrpc attacks. This can be done in the htaccess file which all cPanel type host will have. It's an added layer of protection. Leaving security to a plugin...although good as a last line of defense, still requires PHP and MySQL processing...so any large attacks can still bring down the website as it records the attacking information.
 
WordPress is the most popular CMS platform for building websites. Hence it is a prime target for hackers for data hacking and other cyber attacks
As a result, if your WordPress site lacks proper security, it may be vulnerable to attacks such as malware, phishing, and brute force attacks.

Additional WordPress security includes prevent site from unauthorized access , protect from malicious attacks , regularly update the software, install necessary plugins , use strong password etc.
 
MI
Back