Wordpress Security

[AbbyJ]

When starting my site I know it's important to make sure my site is secure. What plugins do you all recommend to use? I currently use Login Lockdown, but that's it. Is there anything else I should do on my computer or site other than plugins? So far I have antivirus software and https for the site, but that's it. Thanks in advance.

 

[tyoussef]

also don't forget to always update your plugins and themes .

 

[AbbyJ]

Yeah, I know about upgrading the plugins. Is there anything else I need to keep in mind?

 

[MxyzptlkFishStix]

Probably the most important thing, more so than a plugin, is having strong passwords.

 

[no2pencil]

Even above plugins; here is a snippet of a reply that I just sent to a potential hosting customer this morning:

wordpress isolated databases
Nagios checks validating current WordPress installation versions
Nagios checks validating pending Operating System patches
DNS is through CloudFlare:
-- mask server IP
-- CloudFlare browser version & validation
-- CloudFlare's anti-DDOS
Implement SELinux
Dynamic firewalls,
Daily import of known-bad ip addresses
For sites that are non-encrypted, force login pages, & admin pages over the https encrypted protocol
Disable out-of-the-box accounts, like 'admin'

Security Plugins :
Sucuri (actually run hardening suggestions & enable any notification options)
CloudFlare Flexible SSL (required for the FORCE_SSL_ADMIN setting)
Login LockDown (change lockout timeout to 3600, update nginx to reflect CloudFlare IP's so source IP is accurate)
WordPress Zero Spam

 

[AbbyJ]

Great, thanks! I am new to this, so how do you validate Wordpress installation versions and OS patches? How do you mask server IP address and why? Also, how do you import known bad IP addresses and what does this do to protect me? Thanks!

 

[AdvanceSolution]

Change wp-login.php to another /user or /login it will save your website from automatic login bots.

 

[Good4U]

Use Hide my Woedpress plugin.

 

[no2pencil]

Use Hide my Woedpress plugin.

Do you have anymore details as to what it is, or what it does? Or do you just install plugins that have security sounding names?

 

[MxyzptlkFishStix]

Do you have anymore details as to what it is, or what it does? Or do you just install plugins that have security sounding names?

I think he/she is referring to Hide My WP. However, it's not exactly for the technically disinclined.

 

[Kian_SuperAff]

Wordpress is a good CMS but you always have to keep everything updated. All plugins included.

 

[wpcycle]

how do you validate Wordpress installation versions and OS patches

One plugin that was not mentioned is WordFence. It's a great plugin that will protect WordPress from attacks. It has the ability to scan for malware, and can compare your WordPress installing to the files on WordPress-dot-org. OS patches are usually left to the host. One thing with WordFence...disable the Live View option. It's not needed.

Another option to protect your Dashboard is setup a htaccess file to either only allow a specific IP (you) or a user name /password combination that needs to be entered to access the Dashboard.

 

[BrijeshM]

Don't install too many plugins. Keep the plugins that are necessary for your website.
and also don't forget to install WordPress security plugins. personally I'm using All in one WP Security.

 

[ymoz]

I have heard some good things about Wordfence. There are also some htaccess rules that can be easily applied to greatly improve the security of WordPress.

 

[Georgetech]

All my websites have the Wordfence plugin. And all the alerts ON!

 

[Stylesupplier]

Do you have anymore details as to what it is, or what it does? Or do you just install plugins that have security sounding names?

This one
Maybe