Webmaster Forum

  #1  
Old 05-29-2017, 02:18 PM
johnkcopy johnkcopy is offline
Contributing Member
 
Join Date: 04-12-17
Posts: 52
iTrader: 0 / 0%
How important is additional Wordpress security?

I am wondering how vital it is to have additional WordPress security if your blog is hosted on a purchased hosting plan.

The site I was working on for someone had https: and it seemed to be a secure host. This happened about a year ago and their WordPress site got hacked.

I saw no reason for this to happen to them because this was during the initial stages of starting work on the site. They should not have been a target.

How many of you advise clients or even use additional security yourself?
 


  #2  
Old 06-21-2017, 01:56 PM
727v7 727v7 is offline
Junior Member
 
Join Date: 06-09-17
Posts: 4
iTrader: 0 / 0%
the exploit may have happened from a bot that targets wordpress/admin installs, as wordpress reveals a lot in the header. another factor is how the site was installed and/or by whom, as some auto-installers leave important config files in the root directory. and sometimes employers forget whom they gave access to the dash/server.

for wordpress you may want to add a login lockdown plugin, restrict access to the wp-admin directory via htaccess or apache/virtual config file, check file permission on important files like the wp-config file so they are not writable, remove wordpress version from header file. among other things...

plugin age is a factor too, as a lot of plugins are poorly coded for older versions of php. exploits often happen as the result of a plugin with an unfiltered form or runaway script.
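
An added example, not part of the posts in this thread: a short Python audit of the items listed in post #2 (writable `wp-config.php`, config copies left in the root directory, an unrestricted `wp-admin`, and the WordPress version in the page header). The stray-file name patterns and the `.htaccess` directive check are assumptions made for illustration, and the sample site is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Assumed names for stray config copies; a non-.php suffix is served as plain text.
STRAY_CONFIG = re.compile(r"^wp-config.*\.(bak|old|orig|save|swp|txt)$|^wp-config\.php~$")
# Assumed markers of an Apache access rule inside wp-admin/.htaccess.
ACCESS_RULE = re.compile(r"^\s*(Require|Deny|Allow|AuthType)\b", re.I | re.M)
GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I)


def audit_wordpress(root, homepage_html=""):
    """Return a list of (check, detail) findings for a WordPress document root."""
    findings = []
    config = os.path.join(root, "wp-config.php")
    if os.path.isfile(config):
        mode = stat.S_IMODE(os.stat(config).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("config-writable", f"wp-config.php mode {mode:o}"))
    for name in sorted(os.listdir(root)):
        if STRAY_CONFIG.match(name):
            findings.append(("stray-config", name))
    htaccess = os.path.join(root, "wp-admin", ".htaccess")
    try:
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            restricted = bool(ACCESS_RULE.search(fh.read()))
    except OSError:
        restricted = False
    if not restricted:
        # Heuristic only: the rule may live in the Apache virtual host instead.
        findings.append(("wp-admin-open", "no access rule in wp-admin/.htaccess"))
    match = GENERATOR.search(homepage_html)
    if match:
        findings.append(("version-exposed", match.group(1) or "unknown"))
    return findings


def demo():
    """Build a constructed sample site with all four problems and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "wp-admin"))
        for name in ("wp-config.php", "wp-config.php.bak", "index.php"):
            with open(os.path.join(root, name), "w") as fh:
                fh.write("<?php // constructed sample\n")
        os.chmod(os.path.join(root, "wp-config.php"), 0o666)
        html = '<meta name="generator" content="WordPress 4.8" />'
        return audit_wordpress(root, html)
```

Calling `audit_wordpress()` on a real document root, with the saved HTML of the front page as the second argument, returns an empty list when none of the four conditions is present.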
 
  #3  
Old 06-21-2017, 02:25 PM
LMD LMD is online now
Contributing Member
 
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,777
iTrader: 0 / 0%
I've used Wordfence, both free and paid versions. I like the alerts that keep you on top of things, such as plugin updates, WP updates, file changes (compares code from one to the other) and files that don't belong on the server. I think the paid version still comes with a country block. In the last 30 days, for one client's site with a paid version, it's blocked well over 1000 IPs, so it looks like it's doing its job. The most blocks in the last 30 days are from Germany. Go figure.
 
  #4  
Old 06-22-2017, 08:27 AM
pavan kumar pavan kumar is offline
Contributing Member
 
Join Date: 05-24-17
Posts: 63
iTrader: 0 / 0%
Prevention is better than cure; though we take backups every day, if it is a client's private data to be protected, it is better to use top protection plugins (Sucuri, Wordfence), as hackers continue to seek new opportunities for their break-ins all the time, whether it's http or https.
 
  #5  
Old 06-23-2017, 04:55 AM
Bridge Bridge is offline
Contributing Member
 
Join Date: 06-11-17
Location: Brisbane
Posts: 57
iTrader: 0 / 0%
You can try the plugin called WP security
If the security issue happens on the server level, you don't have any idea.
I have a host on webhostingpad.com and the website was hacked from time to time.
 
  #6  
Old 08-04-2017, 03:11 AM
shqip shqip is offline
Junior Member
 
Join Date: 08-04-17
Posts: 8
iTrader: 0 / 0%
There are many plugins for WP security. Personally, I'm using All In One WP Security and Wordfence, two plugins which are highly rated. Avoid installing nulled and cracked plugins.
 
  #7  
Old 08-04-2017, 10:46 AM
LMD LMD is online now
Contributing Member
 
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,777
iTrader: 0 / 0%
Quote:
Originally Posted by shqip View Post
There are many plugins for WP security. Personally, I'm using All In One WP Security and Wordfence, two plugins which are highly rated.
Nothing new here. Both plugins have already been mentioned in previous posts.
 
  #8  
Old 08-09-2017, 09:35 PM
vaguar vaguar is offline
Contributing Member
 
Join Date: 07-02-16
Posts: 1,022
iTrader: 0 / 0%
Quote:
Originally Posted by LMD View Post
I've used Wordfence, both free and paid versions. I like the alerts that keep you on top of things, such as plugin updates, WP updates, file changes (compares code from one to the other) and files that don't belong on the server. I think the paid version still comes with a country block. In the last 30 days, for one client's site with a paid version, it's blocked well over 1000 IPs, so it looks like it's doing its job. The most blocks in the last 30 days are from Germany. Go figure.
I've been wondering about those alerts. I had a site with no security plug-ins and it worked fine, without any problems for years. Then one day I installed wordfence and it started sending alerts that so many login attempts had been blocked. Makes me wonder about the plugin's utility
 
  #9  
Old 08-10-2017, 06:35 AM
LMD LMD is online now
Contributing Member
 
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,777
iTrader: 0 / 0%
Quote:
Originally Posted by vaguar View Post
I've been wondering about those alerts. I had a site with no security plug-ins and it worked fine, without any problems for years. Then one day I installed wordfence and it started sending alerts that so many login attempts had been blocked. Makes me wonder about the plugin's utility
Let me ask you this: How would you know if anyone has tried and failed to login to your site, or how many times someone had tried to access the password recovery function, if there was no reporting system in place for said activities??

Of course WordPress sites will work fine without security plugins, as long as you are diligent in terms of updating the backend elements of the site regularly (not just every 6-8 weeks or so) and as well, hope there isn't a vulnerability with the theme, plugins or hosting platform.
 
  #10  
Old 08-14-2017, 10:02 AM
Freevestor Freevestor is offline
Junior Member
 
Join Date: 08-14-17
Posts: 1
iTrader: 0 / 0%
Quote:
Originally Posted by LMD View Post
I've used Wordfence, both free and paid versions. I like the alerts that keep you on top of things, such as plugin updates, WP updates, file changes (compares code from one to the other) and files that don't belong on the server. I think the paid version still comes with a country block. In the last 30 days, for one client's site with a paid version, it's blocked well over 1000 IPs, so it looks like it's doing its job. The most blocks in the last 30 days are from Germany. Go figure.
It's quite interesting to see all of the bots and crawlers that try to hit the login pages in WP when viewing it all through WordFence.
 
  #11  
Old 08-14-2017, 10:23 AM
LMD LMD is online now
Contributing Member
 
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,777
iTrader: 0 / 0%
Yes - auto-bots on a mission sent out by hackers to "break" the login defences for unauthorized access.
 
  #12  
Old 08-14-2017, 08:19 PM
vaguar vaguar is offline
Contributing Member
 
Join Date: 07-02-16
Posts: 1,022
iTrader: 0 / 0%
Quote:
Originally Posted by LMD View Post
Let me ask you this: How would you know if anyone has tried and failed to login to your site, or how many times someone had tried to access the password recovery function, if there was no reporting system in place for said activities??

Of course WordPress sites will work fine without security plugins, as long as you are diligent in terms of updating the backend elements of the site regularly (not just every 6-8 weeks or so) and as well, hope there isn't a vulnerability with the theme, plugins or hosting platform.
I wouldn't know. But my site never got broken into. So if Wordpress gave me all the security that my site needed, I wonder what value addition this new plugin (Wordfence) does, apart from reporting the number of unsuccessful break ins.
 
  #13  
Old 08-14-2017, 08:44 PM
LMD LMD is online now
Contributing Member
 
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,777
iTrader: 0 / 0%
Quote:
Originally Posted by vaguar View Post
I wouldn't know. But my site never got broken into. So if Wordpress gave me all the security that my site needed, I wonder what value addition this new plugin (Wordfence) does, apart from reporting the number of unsuccessful break ins.
It has many features beyond blocking login attempts. For example, it gives you control over logins and pw retrievals - the number of attempts allowed, and over how long a period.

I also like the scanning feature. If it happens to find a file that shouldn't be there on the server, it lets you know so you can investigate and determine the validity of the alert.

If FTP is suspect, it can let you know right away when files are added or modified on the server.

My question is, without this plugin, how would a site owner know their site hasn't been hacked? Most hack jobs are mostly invisible, and other than manually checking all files and each page's code, site owners find out they've been hacked when it's too late. They've usually been blacklisted, or find pages that never existed for a site that now do exist or added code in some files that in no way would be discovered with a manual, file-by-file check. I could go on, but this plugin does so much, and has little if any downside.

Last edited by LMD; 08-14-2017 at 08:48 PM.
 
  #14  
Old 08-14-2017, 11:01 PM
KeepItSimple KeepItSimple is offline
Contributing Member
 
Join Date: 07-09-10
Location: Bulgaria
Posts: 81
iTrader: 4 / 100%
The first thing I do on any new WP site is to put WordFence and activate the firewall. There are so many security holes in plugins, themes, and WP core constantly found, so it is a very insecure environment. WordFence blocks weird requests and can protect from security holes that are not even discovered yet. Also it can find modified files, which is very useful.
 
  #15  
Old 12-15-2017, 10:30 PM
shaileshshakya shaileshshakya is offline
Contributing Member
 
Join Date: 11-22-17
Location: Delhi
Posts: 93
iTrader: 0 / 0%
Hey,
When it comes to security, I would say 'alert'. By the way, WordPress is highly secured. But hackers are always looking for those blogs or websites that you're running on WordPress.

However, if you use HTTPS, it means your protocol is secured, but what if someone installs malware to hack your site?

The same thing happened to me earlier; my site was infected by malware. My server provider notified me to clean the malware.

I didn't know how to remove it. But I asked the host provider how I could remove the malware from my site.
Thankfully, I removed it and my site was live.
So, here the thing is that you need to have both securities: HTTPS and the WordPress platform.

Now, I have installed SiteLock on my site to protect it. You can buy Sucuri or Wordfence to make your system fully protected.

Tips

Always update your WordPress tools like plugins, themes etc.
Scan your site on a daily basis
Check the vulnerability

That's it
 
  #16  
Old 12-17-2017, 12:27 AM
Rosenborg Rosenborg is offline
Contributing Member
 
Join Date: 12-14-17
Location: Denmark
Posts: 59
iTrader: 0 / 0%
Personally I use iThemes Security and UpdraftPlus - Backup/Restore; we also have backups from the server side. Just to be sure. Nothing more annoying than getting hacked.
 
  #17  
Old 12-17-2017, 06:58 AM
rickySt rickySt is offline
Junior Member
 
Join Date: 12-01-17
Posts: 40
iTrader: 0 / 0%
As has already been said, the main security problem with WordPress is not from WordPress itself, or from the excellent plugins like Wordfence.

In my opinion the main security risk comes from plugins. Unlike other software, Drupal for example, WordPress does not have a robust vetting of new plugins. Anyone can create one, and anyone can get it added to the official download page with little review. While some plugins are excellent, others are not, and for the new WordPress user it is not always easy to know the difference.

According to the WordPress org site, plugins have complete access to WordPress core, so unthinkingly adding a plugin created by someone you don't personally know potentially involves giving that person complete access to your site.

In the vast majority of cases, of course, the plugins are fine. But the sheer number of available plugins is both the best and worst feature of WordPress. Sooner or later, by the law of averages, we are all liable to add a plugin that will screw our site up in one way or another.
 
  #18  
Old 12-17-2017, 08:00 AM
LMD LMD is online now
Contributing Member
 
Join Date: 11-04-12
Location: Where my wife tells me to be. :)
Posts: 6,777
iTrader: 0 / 0%
What I like about Wordfence, is they alert users of WordPress plugins when a plugin has been hacked, been dropped by WordPress.org, or is out of date and an updated plugin version is available.

They also have a premium plugin in which you can ban IPs, by country. If you only do business locally, you could technically ban any other country in the world, but your own. I know it's not perfect, and hackers have ways around this, but it can have a dampening effect on at least some attempted unauthorized logins etc.
 