Thread: 4 Little Known Ways to Achieve Better WordPress Security

  1. #1 Harold Mansfield (Web Consultant, Las Vegas)

    4 Little Known Ways to Achieve Better WordPress Security

    If you do use WordPress and are concerned about security, it's not actually rocket science. Just like with any website, knowing how to use your tools and a little common sense can save you from a world of hurt and inconvenience.

    Anything can be hacked. Generally the annoyance hacks or infiltrations, no matter how the website is built, are the fault of the website administrator's lack of knowledge, or of really cheap shared hosting plans from companies with terrible security who only offer safety at an additional charge.

    This past year I've had more people call me with hacked websites than any year before. I've seen some nasty hacks, viruses, and just straight out take overs that could have mostly been avoided.

    9 times out of 10 they are annoyance hacks of opportunity that could have been completely avoided with a little due diligence...
    keeping your software updated,
    not using "admin" as your username,
    not using easy to guess passwords,
    not having 13 administrators on one site,
    not using your server for storage,
    not keeping old plugins that you aren't using,
    not installing things that you have no idea how to use or not properly vetting where they come from,
    not using the cheapest hosting plan available for your most important marketing asset, and so on and so on.

    The following article offers some common sense, a little bit of knowledge and a few things that anyone who runs a WordPress website can implement, many times in just a few minutes.

    While it is true that strong passwords and proper permissions on a WordPress site can help provide good security there are a few little known methods of enhancing your WordPress security, while maintaining both sides of the security vs. usability equation.
    https://ithemes.com/2015/12/16/4-lit...ress-security/
    WordPress Support WordPress Design WordPress Security

    "It takes less time to do a thing right, than it does to explain why you did it wrong." -Henry Longfellow

  2. #2 Business Attorney (Super Moderator, Chicago)

    Quote Originally Posted by Harold Mansfield:
        not keeping old plugins that you aren't using
    I would add "not keeping old themes that you aren't using". Themes are also one of those items that come under Harold's warning of "not properly vetting where they come from."

    A lot of the phishing email spam I get contains a link to a file buried in an unused theme on some innocent website that then redirects to a phishing site.

  3. #3 Harold Mansfield (Web Consultant, Las Vegas)

    Quote Originally Posted by Business Attorney:
        I would add "not keeping old themes that you aren't using". Themes are also one of those items that come under Harold's warning of "not properly vetting where they come from."

        A lot of the phishing email spam I get contains a link to a file buried in an unused theme on some innocent website that then redirects to a phishing site.
    Good point. The only themes other than the one I'm using that I keep are WordPress default themes. There are 4 or 5 of them that now come with WordPress, but you only need one additional theme installed. Just in case there's a problem with your current theme such as it doesn't play well with an update, WordPress will need something to default to and it looks for one of the default themes to do that.

  4. #4 Brian Altenhofel (Oklahoma)

    A deny-by-default server configuration (even just through .htaccess) will also go a long way. Only explicitly allow the required PHP entry point files to be executed by the webserver, and deny everything else.

    And the webserver (and PHP, if using fastcgi/fpm) daemons should never run as the same user that owns your PHP files and should never have write-access to the folders containing your PHP files.
    VMdoh - Drupal development, consulting, and support
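The two controls Brian describes, as an added example that is not code from this thread, from WordPress or from any plugin: a POSIX shell script for a WordPress document root served by Apache 2.4 with AllowOverride All on that directory. It writes a deny-by-default `.htaccess` that refuses every `.php` unless it is one of WordPress core's top-level entry points (plus the wp-admin/ tree), closes the uploads directory to anything script-like, and then sets the ownership split: code owned by a deploy account, readable but not writable by the web server group, with wp-content/uploads the only web-writable tree. The document root path, the deploy user "deploy" and the web server group "www-data" are assumed names; any plugin file that genuinely must be reached by URL directly has to be added to the allowlist by hand.

```shell
#!/bin/sh
# Added example, not code from the thread, WordPress or any plugin. It
# applies the two controls described above to a WordPress document root
# served by Apache 2.4 with AllowOverride All on that directory:
#   1. deny-by-default PHP execution, re-allowing only WordPress' entry points;
#   2. code owned by a deploy account and only readable by the web server,
#      with wp-content/uploads the single web-writable tree.
# Hypothetical names: DOCROOT (first argument), deploy user "deploy" and web
# server group "www-data". Add a plugin's .php to WP_ENTRY_POINTS only if it
# really must be reached by URL directly.
set -eu

# Top-level files WordPress needs reachable by URL. wp-admin/ is re-allowed
# as a whole tree below because admin-ajax.php and admin-post.php also serve
# unauthenticated front-end requests.
WP_ENTRY_POINTS="index.php wp-login.php wp-cron.php wp-comments-post.php \
wp-activate.php wp-signup.php xmlrpc.php"

# write_wp_htaccess DOCROOT : write the root, wp-admin and uploads rules.
write_wp_htaccess() {
    docroot=$1
    rules="$docroot/.htaccess"
    mkdir -p "$docroot/wp-admin" "$docroot/wp-content/uploads"

    # Keep whatever WordPress itself wrote (permalink rewrites) and replace
    # only our marked block, so the script can be re-run without duplicates.
    if [ -f "$rules" ]; then
        awk '/^# BEGIN deny-by-default/{skip=1} !skip{print} /^# END deny-by-default/{skip=0}' \
            "$rules" > "$rules.new"
    else
        : > "$rules.new"
    fi
    {
        printf '# BEGIN deny-by-default\n'
        printf '<FilesMatch "\\.php$">\n    Require all denied\n</FilesMatch>\n'
        for f in $WP_ENTRY_POINTS; do
            printf '<Files "%s">\n    Require all granted\n</Files>\n' "$f"
        done
        printf '# END deny-by-default\n'
    } >> "$rules.new"
    mv "$rules.new" "$rules"

    # wp-admin/ is an entry-point tree, so PHP stays executable there.
    printf '<FilesMatch "\\.php$">\n    Require all granted\n</FilesMatch>\n' \
        > "$docroot/wp-admin/.htaccess"

    # <Files "index.php"> above would also match an index.php dropped into
    # uploads/, so close that gap: nothing script-like runs from here.
    printf '<FilesMatch "\\.(php|phtml|phar|php[0-9])$">\n    Require all denied\n</FilesMatch>\n' \
        > "$docroot/wp-content/uploads/.htaccess"
}

# harden_wp_ownership DOCROOT DEPLOY_USER WEB_GROUP : run as root. The web
# server (and the php-fpm pool user, which should be in WEB_GROUP) can read
# the code but not write it; only uploads/ is group-writable. Updates then
# happen from the deploy account, never through the dashboard.
harden_wp_ownership() {
    docroot=$1; owner=$2; webgroup=$3
    chown -R "$owner:$webgroup" "$docroot"
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -exec chmod 640 {} +
    find "$docroot/wp-content/uploads" -type d -exec chmod 770 {} +
    find "$docroot/wp-content/uploads" -type f -exec chmod 660 {} +
}

# Usage: sh harden-wp.sh DOCROOT [DEPLOY_USER WEB_GROUP]
if [ "${1:-}" ]; then
    write_wp_htaccess "$1"
    if [ "$#" -ge 3 ]; then
        harden_wp_ownership "$1" "$2" "$3"
    fi
fi
```

Check it by requesting a `.php` URL under wp-content/uploads and under an unused theme directory: both should answer 403 while the front page, wp-login.php and wp-admin/admin-ajax.php keep working. After the ownership step the dashboard can no longer install or update plugins, themes or core (it will ask for FTP credentials or fail), which is the point; do those from the deploy account instead and set `define('DISALLOW_FILE_MODS', true);` in wp-config.php so the dashboard stops offering what it cannot do. Under nginx the `.htaccess` files are ignored and the same allowlist has to be expressed as `location` blocks.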

  5. #5 Harold Mansfield (Web Consultant, Las Vegas)

    Quote Originally Posted by Brian Altenhofel:
        A deny-by-default server configuration (even just through .htaccess) will also go a long way. Only explicitly allow the required PHP entry point files to be executed by the webserver, and deny everything else.

        And the webserver (and PHP, if using fastcgi/fpm) daemons should never run as the same user that owns your PHP files and should never have write-access to the folders containing your PHP files.
    There are security plugins that help you take care of this, as well as newer security options in WordPress. But it really all comes down to the site administrator knowing what they are doing. Most don't.

    WordPress has gotten an unfortunate reputation for being easy and that anyone can run it and people thereby associate that to mean the web is easy. It's easier than hand coding HTML files, but you still have to learn a few things.
    Most people don't know or learn anything about basic website security at all, whether it be WordPress or just HTML files.

    And cheap hosting companies suck and don't seem to care anymore. They're just offering the basics. You don't get security support AT ALL. If you don't know, they don't tell you, and when something happens, first of all it's your fault no matter what it is, then they want to up-sell you more security products. But that's another conversation.