Blogging Forum Discuss general blogging issues here - design, integration, posting, trackbacks, ETC. Also discuss blogs you like. |

05-29-2017, 02:18 PM
|
Contributing Member
|
|
Join Date: 04-12-17
Posts: 52
|
|
How important is additional WordPress security?
I am wondering how vital it is to have additional WordPress security if your blog is hosted on a purchased hosting plan.
The site I was working on for someone had HTTPS and it seemed to be a secure host. This happened about a year ago and their WordPress site got hacked.
I saw no reason for this to happen to them because this was during the initial stages of starting work on the site. They should not have been a target.
How many of you advise clients or even use additional security yourself?
|

06-21-2017, 01:56 PM
|
Junior Member
|
|
Join Date: 06-09-17
Posts: 4
|
|
The exploit may have happened from a bot that targets WordPress/admin installs, as WordPress reveals a lot in the header. Another factor is how the site was installed and/or by whom, as some auto-installers leave important config files in the root directory. And sometimes employers forget whom they gave access to the dash/server.
For WordPress you may want to add a login lockdown plugin, restrict access to the wp-admin directory via htaccess or the Apache/virtual config file, check file permissions on important files like the wp-config file so they are not writable, and remove the WordPress version from the header file. Among other things...
Plugin age is a factor too, as a lot of plugins are poorly coded for older versions of PHP. Exploits often happen as the result of a plugin with an unfiltered form or runaway script.
|
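An added example, not part of the post above: a small audit of a WordPress document root for three of the items that post lists (a writable wp-config.php, leftover copies of the config file in the root, and the version in the generator tag). The backup suffixes, the permission policy and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumed suffixes that installers and editors leave behind. A copy such as
# wp-config.php.bak is served as plain text, exposing the database credentials.
STRAY_CONFIG = re.compile(r"^\.?wp-config\.php(\.bak|\.old|\.orig|\.save|\.swp|\.txt|~)$", re.I)
GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I)

def audit_docroot(docroot):
    """Return sorted (check, filename) findings for one WordPress root directory."""
    findings = []
    for name in os.listdir(docroot):
        path = os.path.join(docroot, name)
        if name == "wp-config.php":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Assumed policy: nobody but the owner may write the config file.
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(("config-writable", name))
        elif STRAY_CONFIG.match(name):
            findings.append(("stray-config-copy", name))
    return sorted(findings)

def disclosed_version(html):
    """Version from the generator meta tag; '' if unversioned, None if the tag is absent."""
    m = GENERATOR.search(html)
    return m.group(1) if m else None

def build_sample(root):
    """Constructed sample tree: a world-writable config plus a leftover backup copy."""
    for name, mode in (("wp-config.php", 0o666), ("wp-config.php.bak", 0o644), ("index.php", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        for check, name in audit_docroot(root):
            print(check, name)
    # Constructed page source, as a browser's "view source" would show it.
    print(disclosed_version('<meta name="generator" content="WordPress 4.8" />'))
```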

06-21-2017, 02:25 PM
|
Contributing Member
|
|
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,843
|
|
I've used Wordfence, both free and paid versions. I like the alerts that keep you on top of things, such as plugin updates, WP updates, file changes (compares code from one to the other) and files that don't belong on the server. I think the paid version still comes with a country block. In the last 30 days, for one client's site with a paid version, it's blocked well over 1000 IPs, so it looks like it's doing its job. The most blocks in the last 30 days are from Germany. Go figure.
|

06-22-2017, 08:27 AM
|
Contributing Member
|
|
Join Date: 05-24-17
Posts: 63
|
|
Prevention is better than cure, though we take backups every day, and if it is a client's private data to be protected, it is better to use top protection plugins (Sucuri, Wordfence), as hackers continue to seek new opportunities for their break-ins all the time, whether it's HTTP or HTTPS.
|

06-23-2017, 04:55 AM
|
 |
Contributing Member
|
|
Join Date: 06-11-17
Location: Brisbane
Posts: 57
|
|
You can try the plugin called WP security.
If the security issue happens on the server level, you don't have any idea.
I have a host on webhostingpad.com and the website was hacked from time to time.
|

08-04-2017, 03:11 AM
|
Junior Member
|
|
Join Date: 08-04-17
Posts: 8
|
|
There are many plugins for WP security. Personally, I'm using All In One WP Security and Wordfence, two plugins which are highly rated. Also avoid installing nulled and cracked plugins.
|

08-04-2017, 10:46 AM
|
Contributing Member
|
|
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,843
|
|
Quote:
Originally Posted by shqip
There are many plugins for WP security. Personally, I'm using All In One WP Security and Wordfence, two plugins which are highly rated.
|
Nothing new here. Both plugins have already been mentioned in previous posts.
|

08-09-2017, 09:35 PM
|
Contributing Member
|
|
Join Date: 07-02-16
Posts: 1,022
|
|
Quote:
Originally Posted by LMD
I've used Wordfence, both free and paid versions. I like the alerts that keep you on top of things, such as plugin updates, WP updates, file changes (compares code from one to the other) and files that don't belong on the server. I think the paid version still comes with a country block. In the last 30 days, for one client's site with a paid version, it's blocked well over 1000 IPs, so it looks like it's doing its job. The most blocks in the last 30 days are from Germany. Go figure.
|
I've been wondering about those alerts. I had a site with no security plug-ins and it worked fine, without any problems for years. Then one day I installed Wordfence and it started sending alerts that so many login attempts had been blocked. Makes me wonder about the plugin's utility.
|

08-10-2017, 06:35 AM
|
Contributing Member
|
|
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,843
|
|
Quote:
Originally Posted by vaguar
I've been wondering about those alerts. I had a site with no security plug-ins and it worked fine, without any problems for years. Then one day I installed Wordfence and it started sending alerts that so many login attempts had been blocked. Makes me wonder about the plugin's utility.
|
Let me ask you this: How would you know if anyone has tried and failed to login to your site, or how many times someone had tried to access the password recovery function, if there was no reporting system in place for said activities??
Of course WordPress sites will work fine without security plugins, as long as you are diligent in terms of updating the backend elements of the site regularly (not just every 6-8 weeks or so) and as well, hope there isn't a vulnerability with the theme, plugins or hosting platform.
|

08-14-2017, 10:02 AM
|
Junior Member
|
|
Join Date: 08-14-17
Posts: 1
|
|
Quote:
Originally Posted by LMD
I've used Wordfence, both free and paid versions. I like the alerts that keep you on top of things, such as plugin updates, WP updates, file changes (compares code from one to the other) and files that don't belong on the server. I think the paid version still comes with a country block. In the last 30 days, for one client's site with a paid version, it's blocked well over 1000 IPs, so it looks like it's doing its job. The most blocks in the last 30 days are from Germany. Go figure.
|
It's quite interesting to see all of the bots and crawlers that try to hit the login pages in WP when viewing it all through WordFence.
|

08-14-2017, 10:23 AM
|
Contributing Member
|
|
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,843
|
|
Yes - auto-bots on a mission sent out by hackers to "break" the login defences for unauthorized access.
|

08-14-2017, 08:19 PM
|
Contributing Member
|
|
Join Date: 07-02-16
Posts: 1,022
|
|
Quote:
Originally Posted by LMD
Let me ask you this: How would you know if anyone has tried and failed to login to your site, or how many times someone had tried to access the password recovery function, if there was no reporting system in place for said activities??
Of course WordPress sites will work fine without security plugins, as long as you are diligent in terms of updating the backend elements of the site regularly (not just every 6-8 weeks or so) and as well, hope there isn't a vulnerability with the theme, plugins or hosting platform.
|
I wouldn't know. But my site never got broken into. So if Wordpress gave me all the security that my site needed, I wonder what value addition this new plugin (Wordfence) does, apart from reporting the number of unsuccessful break ins.
|

08-14-2017, 08:44 PM
|
Contributing Member
|
|
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,843
|
|
Quote:
Originally Posted by vaguar
I wouldn't know. But my site never got broken into. So if Wordpress gave me all the security that my site needed, I wonder what value addition this new plugin (Wordfence) does, apart from reporting the number of unsuccessful break ins.
|
It has many features beyond blocking login attempts. For example, it gives you control over logins and pw retrievals - the number of attempts allowed, and over how long a period.
I also like the scanning feature. If it happens to find a file that shouldn't be there on the server, it lets you know so you can investigate and determine the validity of the alert.
If FTP is suspect, it can let you know right away when files are added or modified on the server.
My question is, without this plugin, how would a site owner know their site hasn't been hacked? Most hack jobs are mostly invisible, and other than manually checking all files and each page's code, site owners find out they've been hacked when it's too late. They've usually been blacklisted, or find pages that never existed for a site that now do exist, or added code in some files that in no way would be discovered with a manual, file-by-file check. I could go on, but this plugin does so much, and has little if any downside.
Last edited by LMD; 08-14-2017 at 08:48 PM.
|

08-14-2017, 11:01 PM
|
 |
Contributing Member
|
|
Join Date: 07-09-10
Location: Bulgaria
Posts: 81
|
|
The first thing I do on any new WP site is to put WordFence and activate the firewall. There are so many security holes in plugins, themes, and WP core constantly found, so it is a very insecure environment. WordFence blocks weird requests and can protect from security holes that are not even discovered yet. Also it can find modified files, which is very useful.
|

12-15-2017, 10:30 PM
|
Contributing Member
|
|
Join Date: 11-22-17
Location: Delhi
Posts: 93
|
|
Hey,
When it comes to security, I would say 'alert'. By the way, WordPress is highly secured. But hackers are always looking for those blogs or websites that you're running on WordPress.
However, if you use HTTPS, it means your protocol is secured, but what if someone installs malware to hack your site?
The same thing happened to me earlier: my site was infected by malware. My server provider notified me to clean the malware.
I didn't know how to remove it. But I asked the host provider how I could remove the malware from my site.
Thankfully, I removed it and my site was live.
So, the thing here is that you need to have both securities: HTTPS and the WordPress platform.
Now, I have installed SiteLock on my site to protect it. You can buy Sucuri or Wordfence to make your system fully protected.
Tips
Always update your WordPress tools like plugins, themes etc.
Scan your site on a daily basis
Check the vulnerability
That's it
|

12-17-2017, 12:27 AM
|
 |
Contributing Member
|
|
Join Date: 12-14-17
Location: Denmark
Posts: 59
|
|
Personally I use iThemes Security and UpdraftPlus - Backup/Restore, and we also have backups from the server side. Just to be sure. Nothing is more annoying than getting hacked.
|

12-17-2017, 06:58 AM
|
Junior Member
|
|
Join Date: 12-01-17
Posts: 40
|
|
As has already been said, the main security problems with WordPress are not from WordPress itself, or from the excellent plugins like Wordfence.
In my opinion the main security risk comes from plugins. Unlike other software, Drupal for example, WordPress does not have a robust vetting of new plugins. Anyone can create one, and anyone can get it added to the official download page with little review. While some plugins are excellent, others are not, and for the new WordPress user it is not always easy to know the difference.
According to the WordPress org site, plugins have complete access to WordPress core, so unthinkingly adding a plugin created by someone you don't personally know potentially involves giving that person complete access to your site.
In the vast majority of cases, of course, the plugins are fine. But the sheer number of available plugins is both the best and worst feature of WordPress. Sooner or later, by the law of averages, we are all liable to add a plugin that will screw our site up in one way or another.
|

12-17-2017, 08:00 AM
|
Contributing Member
|
|
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,843
|
|
What I like about Wordfence, is they alert users of WordPress plugins when a plugin has been hacked, been dropped by WordPress.org, or is out of date and an updated plugin version is available.
They also have a premium plugin in which you can ban IPs, by country. If you only do business locally, you could technically ban any other country in the world, but your own. I know it's not perfect, and hackers have ways around this, but it can have a dampening effect on at least some attempted unauthorized logins etc.
|
All times are GMT -7.