How do you secure your WordPress install?
Tagged: wordpress security
- This topic has 6 replies, 4 voices, and was last updated 10 years, 11 months ago by Victor Font.
May 12, 2013 at 5:04 am #40543 rstyner Participant
I am just curious what you guys do to make your WordPress installs more secure.
Also, in my search for this, I am finding a lot of people talking about removing the version number of WordPress. Is removing the version a good thing? Does removing the version number prevent you from getting version update alerts?
May 12, 2013 at 5:41 am #40544 geezer466 Member
This plugin comes very highly recommended.
Works for me anyway..
May 12, 2013 at 5:50 am #40548 rstyner Participant
Thank you. I am checking out this one, http://wordpress.org/extend/plugins/bulletproof-security/ but will look at your suggestion too. I need "EASY" to understand stuff...
May 12, 2013 at 9:52 am #40561 Bill Murray Member
Be careful with security plugins. They are often used as a fix for those who don't have the technical skill or the desire to invest the time or money to go a better route. I don't mean that as a knock on anyone, and there are a lot of security plugin developers who spend a lot of time addressing weaknesses in common WP setups for those who can't/won't address them themselves. Security plugins have a big negative impact on site performance. Most very experienced WP site admins operate without any security plugins. If you're adding a lot of security plugins, you're doing it wrong.
If you ...
a) never allow usernames like 'admin' or 'root'
b) never access your site with FTP and only use SFTP or SSH
c) set up your WP install so that you can not upgrade plugins from the WP dashboard (difficult, I know)
d) keep core WP, plugins, and themes reasonably up to date
e) run anti-malware/anti-virus software on any machine used to access your webserver
then you really don't need any security plugins.
If you really insist on installing one, you can consider Bad Behavior configured with minimal logging. That will block some bad traffic, but this kind of effort is better/faster done at the server level, not in a plugin.
We run a WP network and see many (sometimes thousands) attacks per day. The guidelines above keep us very secure.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.
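A small audit for items (a) and (c) of the list above, as an added example that is not part of the original post. It assumes item (c) is implemented with WordPress's `DISALLOW_FILE_MODS` constant in wp-config.php (the post does not name a mechanism), and that the login names have been exported from the site; the function names and sample data are hypothetical.

```python
import re

# Matches define( 'NAME', value ); and captures the name and the raw value.
DEFINE_RE = re.compile(r"define\s*\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;", re.I)
RISKY_LOGINS = {"admin", "root"}  # the usernames named in item (a)

def parse_defines(src):
    """Return {constant: value} from wp-config.php text, ignoring comments."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)   # block comments
    src = re.sub(r"(?m)^\s*(//|#).*$", "", src)        # whole-line comments
    return {n: v.strip("'\"").lower() for n, v in DEFINE_RE.findall(src)}

def audit(wp_config_src, logins):
    """List findings for items (a) and (c); an empty list means both pass."""
    findings = []
    consts = parse_defines(wp_config_src)
    # Assumption: DISALLOW_FILE_MODS is how dashboard plugin changes are blocked.
    if consts.get("DISALLOW_FILE_MODS") not in ("true", "1"):
        findings.append("DISALLOW_FILE_MODS is not true: dashboard can install/update plugins")
    findings += [f"guessable username: {u}" for u in logins if u.lower() in RISKY_LOGINS]
    return findings

# Constructed sample input (not from any real site).
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
// define( 'DISALLOW_FILE_MODS', true );
"""
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wp' );
define( 'DISALLOW_FILE_MODS', true ); // updates are deployed over SFTP/SSH instead
"""

if __name__ == "__main__":
    print(audit(WEAK_CONFIG, ["admin", "editor1"]))
    print(audit(HARDENED_CONFIG, ["bill_m"]))
```

The commented-out `define` in the weak sample is deliberately ignored, since a setting that is present but commented out has no effect.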
May 14, 2013 at 3:27 pm #40913 rstyner Participant
Okay, so is there a way to reverse everything that was done with a plugin? I mean after the plugin is activated it changes some files and such (I used bulletproof and deactivated it to use the better wp-security). It's a rather fresh install, so should I just re-do the install or is there a way I can get this back to the way it was before the activation of the security plug-in?
May 14, 2013 at 6:21 pm #40931 Bill Murray Member
Deactivating a plugin does just that - it makes it so it is no longer active. In that state its code is not executing. So deactivation will get you essentially back to the state you were before you activated the plugin - except for the options the plugin wrote to the database.
Some plugins provide an option to delete plugin settings on deactivation, but most don't. Most users want to keep plugin settings on deactivation because deactivating plugins is a common troubleshooting technique where a plugin is deactivated only for a short period. If you ever want to go back to Better WP Security, you can simply re-activate, and any configuration work you did is still intact because the options are in the DB.
If you don't want to use Better WP Security, you can look through the database, find the options settings for that plugin, and delete them. However, you have to do that with extreme caution, because some options might not be clearly labeled, and if you're not familiar with doing this, it's easy to delete the wrong thing. Having a few unused options is not a big deal, but if you are regularly activating plugins just to test/evaluate them, you shouldn't be doing that testing on a live site.
Web: https://wpperform.com or Twitter: @wpperform
We do managed WordPress hosting.
May 20, 2013 at 6:16 am #41803 Victor Font Moderator
Bullet Proof Security makes significant changes to your .htaccess file and installs a .htaccess file in wp-admin. The original .htaccess file should be in the bullet proof backup directory. If you restore the backup file, the bullet proof changes should be gone.
Regards,
Victor
https://victorfont.com/
Call us toll free: 844-VIC-FONT (842-3668)
Have you requested your free website audit yet?