How do you secure your WordPress install?


This topic is: not resolved

This topic contains 6 replies, has 4 voices, and was last updated by  Victor Font 1 year, 2 months ago.

  • #40543

    rstyner
    Participant
    Post count: 59

    I am just curious what you guys do to make your WordPress installs more secure.

    Also, in my search for this, I am finding a lot of people talking about removing the version number of WordPress. Is removing the version a good thing? Does removing the version number prevent you from getting version update alerts?

    #40544

    geezer466
    Participant
    Post count: 17

    This plugin comes very highly recommended.

    Works for me anyway.

    http://wordpress.org/extend/plugins/better-wp-security/

    #40548

    rstyner
    Participant
    Post count: 59

    Thank you. I am checking out this one, http://wordpress.org/extend/plugins/bulletproof-security/ but will look at your suggestion too. I need “EASY” to understand stuff…

    #40561

    Bill Murray
    Participant
    Post count: 572

    Be careful with security plugins. They are often used as a fix for those who don’t have the technical skill or the desire to invest the time or money to go a better route. I don’t mean that as a knock on anyone, and there are a lot of security plugin developers who spend a lot of time addressing weaknesses in common WP setups for those who can’t/won’t address them themselves. Security plugins have a big negative impact on site performance. Most very experienced WP site admins operate without any security plugins. If you’re adding a lot of security plugins, you’re doing it wrong.

    If you …

    a) never allow usernames like ‘admin’ or ‘root’
    b) never access your site with FTP and only use SFTP or SSH
    c) set up your WP install so that you can not upgrade plugins from the WP dashboard (difficult, I know)
    d) keep core WP, plugins, and themes reasonably up to date
    e) run anti-malware/anti-virus software on any machine used to access your webserver

    then you really don’t need any security plugins.

    If you really insist on installing one, you can consider Bad Behavior configured with minimal logging. That will block some bad traffic, but this kind of effort is better/faster done at the server level, not in a plugin.

    We run a WP network and see many (sometimes thousands) attacks per day. The guidelines above keep us very secure.


    Web: http://wpperform.com or Twitter: @wpperform

    We do managed WordPress hosting.
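The checklist in the post above can be audited without a plugin. The following is an added example (not code from the thread or from any plugin it names): it parses the boolean `define()` calls in a `wp-config.php` and reports whether `DISALLOW_FILE_MODS` (the WordPress constant that blocks plugin and theme installs and updates from the dashboard, i.e. item c) is set, and it flags the usernames from item a). `DISALLOW_FILE_EDIT`, which disables the dashboard file editor, is an assumed extra check; the config fragment and user list are constructed sample data.

```python
"""Audit a WordPress install against the checklist discussed above (added example)."""
import re

# Constructed sample wp-config.php fragment, not taken from any real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
$table_prefix = 'wp_';
"""

# Constructed sample user list, as it might be pulled from the wp_users table.
SAMPLE_USERS = ["admin", "jane", "editor_bob"]

# Matches define( 'CONSTANT', true|false ) with any amount of whitespace.
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*(true|false)\s*\)""",
    re.IGNORECASE,
)

# Account names the post says should never exist.
RISKY_USERNAMES = {"admin", "root"}


def parse_defines(config_text):
    """Return {CONSTANT: bool} for every boolean define() call in the config text."""
    return {name: value.lower() == "true" for name, value in DEFINE_RE.findall(config_text)}


def audit_wp_config(config_text):
    """Return a list of findings about dashboard file-modification settings."""
    defines = parse_defines(config_text)
    findings = []
    if not defines.get("DISALLOW_FILE_MODS", False):
        findings.append(
            "DISALLOW_FILE_MODS is not set to true: plugins and themes can be "
            "installed or updated from the dashboard"
        )
    if not defines.get("DISALLOW_FILE_EDIT", False):
        findings.append(
            "DISALLOW_FILE_EDIT is not set to true: the dashboard theme/plugin "
            "file editor is enabled"
        )
    return findings


def audit_usernames(usernames):
    """Return the account names that match the risky list, case-insensitively."""
    return sorted(u for u in usernames if u.lower() in RISKY_USERNAMES)


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("config:", finding)
    for name in audit_usernames(SAMPLE_USERS):
        print("user:", name, "should be renamed or removed")
```

Run it against a real `wp-config.php` by reading the file into `audit_wp_config`; the user list would normally come from `wp_users` via WP-CLI or a database query rather than the constructed list here.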

    #40913

    rstyner
    Participant
    Post count: 59

    Okay, so is there a way to reverse everything that was done with a plugin? I mean after the plugin is activated it changes some files and such (I used bulletproof and deactivated it to use the better wp-security). It’s a rather fresh install, so should I just re-do the install or is there a way I can get this back to the way it was before the activation of the security plug-in?

    #40931

    Bill Murray
    Participant
    Post count: 572

    Deactivating a plugin does just that – it makes it so it is no longer active. In that state its code is not executing. So deactivation will get you essentially back to the state you were before you activated the plugin – except for the options the plugin wrote to the database.

    Some plugins provide an option to delete plugin settings on deactivation, but most don’t. Most users want to keep plugin settings on deactivation because deactivating plugins is a common troubleshooting technique where a plugin is deactivated only for a short period. If you ever want to go back to Better WP Security, you can simply re-activate, and any configuration work you did is still intact because the options are in the DB.

    If you don’t want to use Better WP Security, you can look through the database, find the options settings for that plugin, and delete them. However, you have to do that with extreme caution, because some options might not be clearly labeled, and if you’re not familiar with doing this, it’s easy to delete the wrong thing. Having a few unused options is not a big deal, but if you are regularly activating plugins just to test/evaluate them, you shouldn’t be doing that testing on a live site.


    Web: http://wpperform.com or Twitter: @wpperform

    We do managed WordPress hosting.

    #41803

    Victor Font
    Participant
    Post count: 63

    Bullet Proof Security makes significant changes to your .htaccess file and installs a .htaccess file in wp-admin. The original .htaccess file should be in the bullet proof backup directory. If you restore the backup file, the bullet proof changes should be gone.
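Before restoring the backup `.htaccess` mentioned above, it is worth seeing exactly what the plugin changed, because a restore also discards any directive you may have added yourself since the backup was taken. The following is an added example (not code from the thread or from the plugin): it diffs the backup against the live file, lists the lines the plugin added and removed, and reports whether a restore would do nothing but drop plugin additions. Both file contents are constructed sample data, including the `FilesMatch` block standing in for plugin output.

```python
"""Compare a live .htaccess with the backup a security plugin kept (added example)."""
import difflib

# Constructed sample of the original WordPress .htaccess (the backup copy).
BACKUP_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed stand-in for the block a security plugin might prepend.
PLUGIN_BLOCK = r"""# Example security-plugin block (constructed)
<FilesMatch "^(wp-config\.php|readme\.html)$">
Order allow,deny
Deny from all
</FilesMatch>
"""

# The live file after the plugin ran: its block followed by the original rules.
LIVE_HTACCESS = PLUGIN_BLOCK + BACKUP_HTACCESS


def htaccess_changes(backup_text, live_text):
    """Return (added, removed): lines present only in the live file and only in the backup."""
    added, removed = [], []
    for line in difflib.ndiff(backup_text.splitlines(), live_text.splitlines()):
        # ndiff prefixes lines with "+ ", "- ", "  " (unchanged) or "? " (intraline hints).
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return added, removed


def restore_is_clean(backup_text, live_text):
    """True when every backup line survives in the live file, so restoring only removes additions."""
    _, removed = htaccess_changes(backup_text, live_text)
    return not removed


if __name__ == "__main__":
    added, removed = htaccess_changes(BACKUP_HTACCESS, LIVE_HTACCESS)
    print("lines added by the plugin:")
    for line in added:
        print("  +", line)
    print("lines removed by the plugin:")
    for line in removed:
        print("  -", line)
    print("safe to restore backup as-is:", restore_is_clean(BACKUP_HTACCESS, LIVE_HTACCESS))
```

On a real site, read the plugin's backup copy and the current `.htaccess` into the two functions; if `restore_is_clean` returns `False`, the live file contains changes the backup does not, and those should be reviewed by hand before the backup is copied back.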
