February 22, 2014 at 3:32 pm #91953
I was reading an article on WordPress security and they recommended the following:
1. Don’t Use Admin Username
We’ve hammered on this before, but do not ever use “admin” as your username. If that’s your username, change it. Change it now!
2. Hide Your Login Screen
Another tip to shut down the hackers and bots is to hide your login screen. You can give the page a unique URL and keep the bad element from even getting to it.
3. Limit Login Attempts
This might not stop hackers from cracking your password, but it will stop bots from hitting your login page with multiple attempts. Lock it down.
4. Require Strong Passwords
WordPress password security is about more than just your password. If you’re using a 5-star, crazy good password but another admin has a weak password, your whole site is still vulnerable. But you can force all the users on your WordPress installation to use strong passwords. How strong these passwords really are is debatable, but at least no one will have simple five letter passwords that would make hackers weep with joy.
I’ve already got #1 and #4 covered, but is there a way to hide the login screen/change the URL and limit the login attempts with our current Studiopress themes? If not, which plugins for these features are recommended?
Thank you!February 22, 2014 at 7:37 pm #91975
emasaiParticipantPost count: 669
2. Read this article http://codex.wordpress.org/Hardening_WordPress
Need Website Customization or a Responsive CSS fix? Contact Me
Lynne emasai.comFebruary 22, 2014 at 8:21 pm #91983
Thanks, emasai, I’ll check them out!February 23, 2014 at 11:06 am #92026
Bill MurrayParticipantPost count: 575
I’ll try to save you some time on #2 and #3 – don’t bother. You can read more on how we cover security here http://wpperform.com/wordpress-security/.
For #2, the login URL is hard-coded in WP in many places, so it would take modifications to WP core to achieve this, which would not be recommended.
For #3, it falls into the category of fixing 1 problem creates a bigger problem. Attempts to limit logins (or to run security-related code in WP) necessarily runs through PHP. Running that code slows down your site for all visitors.
If you attempt to limit logins via PHP, attackers can can inadvertently create a DoS (denial of service) attack on your site by repeatedly triggering your code to keep them out. Our article discusses why you can never have great WP security on a shared server, but if you are on a shared server and don’t want to/can’t switch, your best approach is to use secure, complex passwords and to use 2 factor authentication – and that’s it. If you try to do too much security in the wrong hosting environment, you can very easily create situations where you’re site isn’t available. Attacks are real and frequent, but stopping brute force attacks are just 1 of many challenges you have running a WP site.
February 23, 2014 at 3:22 pm #92045
Thank you, Bill, but, Oh, boy, I think I’ve waded too far into the deep water…..
Well, I did a quick read of those articles and, yes, I’m in the “confused” category (although I did understand a lot of it at a general level). I don’t have time to get into all that (I originally tried to learn how to build everything on my Mac with Dreamweaver, Apache, etc.–big mistake!), so I think I’ll just stick with your recommendation for complex passwords (I use the 1Password on my Mac and iOS devices) and two-factor authentication, which I’ve been doing for a long time.
But I only have basic web sites with nothing anyone would try to steal, so my host (iPage) probably does enough for me at this point given I can’t afford a “managed solution,” yes?!
Thanks again!February 23, 2014 at 4:16 pm #92051
Bill MurrayParticipantPost count: 575
iPage is unreasonably cheap, and while we’re lot more in percentage terms, the absolute dollar difference wouldn’t buy a nice meal. I think if you have 1 question in a year’s timeframe, it justifies that difference. We don’t like to let money stand in the way of good relationships, so if you think we’re a good fit, get in touch.
On “nothing anyone would try to steal”, don’t be naive. Bad actors aren’t after your content. They are after a range of things, but a few bear mention: your traffic and your domain/reputation. A bad actor can leverage your traffic in a variety of ways and redirect it to their typically criminal schemes. A bad actor can take over your domain and then blackmail you to try to get it back. Most people on shared hosts don’t review their server logs and would be shocked if they did. The volume of attack traffic goes up and down, but just about any WP site is being attacked many times every day, and that likely includes yours. I don’t say that to scare you, because the vast majority of the “attacks” are scans for vulnerabilities that the attacker can exploit. But if your vigilance drops for an extended period, the odds of your site being compromised go up a lot. It’s not that you aren’t being attacked now, because in all likelihood you are. You’re just unaware of those attacks because you’re surviving them.
You must be logged in to reply to this topic.