Best Wordpress Security

Discussion in 'Wordpress' started by FutureDomain, Nov 28, 2011.

Thread Status:
Not open for further replies.
  1. FutureDomain

    FutureDomain Active Member

    Joined:
    Oct 2007
    Posts:
    490
    Likes Received:
    6
    Hi Everyone

    I am hoping this thread will not only help me but others.

    Yet again a number of my blogs have been hacked and some idiot and pointless hacker has messed up some great sites.

    I had an attack on my Job Quick site on Saturday and I managed to fix all the hacker's rubbish, but tonight another hacker defaced 8 more sites, including the one I had just managed to fix.

    Has anyone got some good tips on the best ways to secure your WordPress site? I use plugins like login lockout etc., but I am sure you guys have some best practice ways to do this and stop hackers.

    Thanks everyone.
     
  3. peter_w United Kingdom

    peter_w Active Member

    Joined:
    Nov 2008
    Posts:
    558
    Likes Received:
    18
    The majority of hacks recently have come via a TimThumb exploit, so the first port of call would be to install the Timthumb Vulnerability Scanner (plugin) and run it.
  4. FutureDomain

    FutureDomain Active Member

    Joined:
    Oct 2007
    Posts:
    490
    Likes Received:
    6
    Thanks Peter

    Will do that one, great tip, rep-plus given. I have been busy tracking the hacker down, just found them... not sure how responsive Saudi ISPs are though.
     
  5. atlas Canada

    atlas Well-Known Member

    Joined:
    Oct 2007
    Posts:
    1,255
    Likes Received:
    28
    Some thoughts:

    * Change all your passwords
    * Hackers often upload a few backdoors when they hack a website - check for this (review all recently modified files). Also check the first line of the wp-config.php file - many hacks inject some obfuscated PHP code there
    * Change your wp-content folder name
    * Install a 404 logger plugin to see if bots are testing your website for security vulnerabilities
    * Follow these steps:
    http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/
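    The first two checks atlas lists (recently modified files, and the first line of wp-config.php) plus a grep for the eval/base64/gzinflate family that malware scanners flag, as an added POSIX shell triage script. It is not from any poster or plugin; the install path and day count are command-line arguments and the signature list is my own assumption, not maldet's rules.

    ```shell
    #!/bin/sh
    # Post-defacement triage for a WordPress install (added example, not a plugin).
    # Usage: wp_triage.sh /path/to/wordpress [days]

    # 1. Files modified in the last N days (default 7). Uploaded backdoors and edited
    #    theme/plugin files show up here; compare the list against your own changes.
    recently_modified() {
        find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) -mtime "-${2:-7}" 2>/dev/null | sort
    }

    # 2. wp-config.php: in a clean install the first line is a bare "<?php". Injected
    #    code is usually appended to that line, so anything else is worth a look.
    wpconfig_first_line_ok() {
        cfg="$1/wp-config.php"
        [ -f "$cfg" ] || { echo "no wp-config.php under $1" >&2; return 2; }
        line=$(head -n 1 "$cfg" | tr -d '\r')
        [ "$line" = '<?php' ] && return 0
        echo "wp-config.php first line is not a bare <?php: $(printf '%s' "$line" | cut -c1-80)"
        return 1
    }

    # 3. Obfuscation calls typical of injected PHP (the eval/base64/gzinflate family that
    #    scanners label gzbase64.inject). Assumed signature list, not maldet's own rules.
    #    Prints file:line:text for each hit; returns 0 when anything is found, 1 if clean.
    #    Expect a few hits in WordPress core (wp-includes uses base64_decode legitimately);
    #    diff those files against a fresh copy of the same WordPress version.
    suspicious_php() {
        pattern='eval *\(|base64_decode *\(|gzinflate *\(|gzuncompress *\(|str_rot13 *\('
        hits=$(find "$1" -type f -name '*.php' -exec grep -nE "$pattern" /dev/null {} + 2>/dev/null)
        [ -n "$hits" ] || return 1
        printf '%s\n' "$hits"
    }

    # Run all three checks when a path is given on the command line.
    if [ -n "$1" ]; then
        echo "== files modified in the last ${2:-7} days =="
        recently_modified "$1" "$2"
        echo "== wp-config.php first line =="
        wpconfig_first_line_ok "$1" && echo "ok"
        echo "== obfuscation patterns in PHP files =="
        suspicious_php "$1" || echo "none found"
    fi
    ```

    Run it as a cron job and mail yourself the output, so a new hit shows up before the next defacement does.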
  7. Blossom United Kingdom

    Blossom Well-Known Member

    Joined:
    Oct 2010
    Posts:
    1,380
    Likes Received:
    52
    When you fixed the site after the hacking, what steps did you take?
     
  8. golddiggerguy United Kingdom

    golddiggerguy Well-Known Member

    Joined:
    Apr 2007
    Posts:
    3,635
    Likes Received:
    25
    Not security as such, but "Limit Login Attempts" is a nice one to just have in place.

    You can customise it to suit your level of lockouts if passwords are entered wrongly.
     
  9. admin Spain

    admin Administrator Staff Member

    Joined:
    Jun 2004
    Posts:
    9,998
    Likes Received:
    94
    Try the "Better WP Security" plug-in; it has loads of features.

    And if you want to track (in real time) what users are doing on your site, try the "WassUp" plug-in.

    Admin
    Last edited: Nov 29, 2011
  10. FutureDomain

    FutureDomain Active Member

    Joined:
    Oct 2007
    Posts:
    490
    Likes Received:
    6
    Thanks everyone. I have had full scans run and one of the biggest sites is going to take ages to repair. So far I have found a few things that surprise me, like premium plugins such as WP Robot having vulnerable elements.

    I know the defaults are a problem and you can change them; it would be good to be able to change these as part of the install. I am seriously invested in premium tools for my WP installs, but it just shows you can do more.

    If anyone runs WP I would say a maldet scan is good if you have new plugins. I even found all-in-one-seo-pack is vulnerable, and I have used this for ages.

    I have a busy week ahead, lol
     
  11. FutureDomain

    FutureDomain Active Member

    Joined:
    Oct 2007
    Posts:
    490
    Likes Received:
    6
    Just thinking before I moan about plugins: do you think that the hacker installed some backdoors in the all-in-one-seo-pack and WP Robot plugins? It would be interesting if anyone also found gzbase64.inject.unclassed results in their installs after running a malware detect scan on their server.

    Oh and thanks for all the tips everyone, I am certain these will help me and others
     