Best setup to lock down WordPress sites (Hosting Discussion forum, Web Hosting Discussion)
Post #1 (permalink) 01-15-2016, 04:54 PM
SenseiSteve (HD Community Advisor; Join Date: Mar 2009; Location: Saint Louis; Posts: 4,945)
We all know that WordPress websites can be messy when it comes to securing them and recovering them from malicious attacks, AND we've seen lots of web hosting providers offering WordPress hosting, even though some of them are really just offering the same old shared hosting packages under a different name.

I've seen a lot of piecemeal recommendations on how to best address this, but I wanted to start a thread dedicated to addressing WordPress security - all by its lonesome.

All advice is welcome.
__________________
ProlimeHost- Dedicated Server Hosting & KVM SSD VPS
Three Datacenter Locations: Los Angeles, Denver & Singapore
SuperMicro Hardware | Multiple Bandwidth Providers | 24/7 On Site Engineers

Post #2 (permalink) 01-18-2016, 03:08 AM
cheapdedicated (HD Guru; Join Date: Jan 2013; Posts: 756)
Well, there are a zillion ways to harden your WordPress installation, but you might want to start with the following.

Keep WordPress up-to-date
Keep plugins and themes up-to-date
Delete any plugins that are not in use
Avoid using nulled themes and plugins.
Back up your site regularly in case you have to revert to a safe site.
Change file permissions of folders to 755
Change your admin URL path
Don’t use “admin” or any other predictable username.
Change your password often and to a hardened password
You may also need to add two-step authentication.
Limit logins to reduce chances of brute force attacks.
__________________
Techsys Ltd | Dedicated Servers | V.P.S | Free Plesk Panel
G8 Servers cPanel Reseller VPS Reseller Dedicated Server Resellers

G8 Host Cheap Domains | Shared Hosting | SSL
The Following 2 Users Say Thank You to cheapdedicated For This Useful Post:
SenseiSteve (02-09-2016), vladimir (03-18-2016)



Post #3 (permalink) 01-18-2016, 10:42 PM
IkY0294 (HD Addicted; Join Date: Dec 2008; Location: Brooklyn; Posts: 563)
There are many ways of going about securing WordPress. Multiple ways and combinations; it's just all about how good a job you want to do and how much time/effort you put into doing so. It's all about budget and what type of audience you will be dealing with.

The number one best thing you could do with WordPress is to ensure it's up to date at all times, and so are the plugins. Also, don't try using too many plugins. Lastly, always remove any outdated plugins, just like what was mentioned above.
__________________
Who has the coffee pot?

Post #4 (permalink) 01-18-2016, 10:44 PM
HostColor (HD Guru; Join Date: Mar 2002; Location: New York; Posts: 518)
I would also add that it is worthwhile for providers to offer Managed WordPress Hosting and for consumers to pay a little bit more to keep their installations secure and well maintained.
__________________
HostColor.com - Cloud Infrastructure w/ High Availability - Bare-Metal Dedicated Servers - since 2000
Data Centers: US (near Chicago) & Europe
Network (AS46873): Level 3, Cogent, Hurricane Electric, Retn.net + Midwest Peering

Post #5 (permalink) 01-19-2016, 03:33 AM
cheapdedicated (HD Guru; Join Date: Jan 2013; Posts: 756)
Quote:
Originally Posted by HostColor
I would also add that it is worthwhile for providers to offer Managed WordPress Hosting and for consumers to pay a little bit more to keep their installations secure and well maintained.

Because of the popularity of WordPress among shared hosting customers, we decided to just offer free WordPress hardening services for any user that needs it. We take it upon ourselves to harden any website we find vulnerable. Of course, we inform the client in question of the measures we will be taking to secure their site.
__________________
Techsys Ltd | Dedicated Servers | V.P.S | Free Plesk Panel
G8 Servers cPanel Reseller VPS Reseller Dedicated Server Resellers

G8 Host Cheap Domains | Shared Hosting | SSL

Post #6 (permalink) 01-22-2016, 07:34 PM
AltairHosting (HD Newbie; Join Date: Jan 2016; Posts: 7)
Quote:
Originally Posted by jkateega
Well, there are a zillion ways to harden your WordPress installation, but you might want to start with the following.

Keep WordPress up-to-date
Keep plugins and themes up-to-date
Delete any plugins that are not in use
Avoid using nulled themes and plugins.
Back up your site regularly in case you have to revert to a safe site.
Change file permissions of folders to 755
Change your admin URL path
Don’t use “admin” or any other predictable username.
Change your password often and to a hardened password
You may also need to add two-step authentication.
Limit logins to reduce chances of brute force attacks.

These suggestions are good and I would add the following:
  • Enable SSL, even if it is just for the admin section.
  • If you have a fixed IP address you're accessing the site from, you can lock down the admin section to it.
The Following User Says Thank You to AltairHosting For This Useful Post:
cheapdedicated (01-25-2016)



Post #7 (permalink) 01-25-2016, 07:30 AM
cheapdedicated (HD Guru; Join Date: Jan 2013; Posts: 756)
Quote:
Originally Posted by AltairHosting
These suggestions are good and I would add the following:
  • Enable SSL, even if it is just for the admin section.
  • If you have a fixed IP address you're accessing the site from, you can lock down the admin section to it.

Now that is for really advanced users, but I agree it helps.
__________________
Techsys Ltd | Dedicated Servers | V.P.S | Free Plesk Panel
G8 Servers cPanel Reseller VPS Reseller Dedicated Server Resellers

G8 Host Cheap Domains | Shared Hosting | SSL

Post #8 (permalink) 01-25-2016, 10:06 AM
coloAZ (HD Newbie; Join Date: May 2014; Posts: 26)
Quote:
Originally Posted by jkateega
Well, there are a zillion ways to harden your WordPress installation, but you might want to start with the following.

Keep WordPress up-to-date
Keep plugins and themes up-to-date
Delete any plugins that are not in use
Avoid using nulled themes and plugins.
Back up your site regularly in case you have to revert to a safe site.
Change file permissions of folders to 755
Change your admin URL path
Don’t use “admin” or any other predictable username.
Change your password often and to a hardened password
You may also need to add two-step authentication.
Limit logins to reduce chances of brute force attacks.

This is a pretty good list. One more I would add is password protecting or IP limiting the wp-admin folder (e.g., using .htaccess).
__________________
coloAZ - Colocation and Dedicated Servers
Proudly in PhoenixNAP - Quad Core, Hex Core and More!
Need Remote Hands in PhoenixNAP? Let us know!
www.coloaz.com - 1-855-9-COLOAZ
The Following User Says Thank You to coloAZ For This Useful Post:
cheapdedicated (01-25-2016)



Post #9 (permalink) 01-25-2016, 10:59 AM
cheapdedicated (HD Guru; Join Date: Jan 2013; Posts: 756)
Quote:
Originally Posted by coloAZ
This is a pretty good list. One more I would add is password protecting or IP limiting the wp-admin folder (e.g., using .htaccess).

The only reason I never added it to the list is because too many users are on dynamic IPs.
__________________
Techsys Ltd | Dedicated Servers | V.P.S | Free Plesk Panel
G8 Servers cPanel Reseller VPS Reseller Dedicated Server Resellers

G8 Host Cheap Domains | Shared Hosting | SSL

Post #10 (permalink) 01-26-2016, 07:27 PM
Localnode (HD Addict; Join Date: Apr 2010; Posts: 142)
Quote:
Originally Posted by jkateega
Keep WordPress up-to-date
Keep plugins and themes up-to-date
Delete any plugins that are not in use
Avoid using nulled themes and plugins.
Back up your site regularly in case you have to revert to a safe site.
Change file permissions of folders to 755
Change your admin URL path
Don’t use “admin” or any other predictable username.
Change your password often and to a hardened password
You may also need to add two-step authentication.
Limit logins to reduce chances of brute force attacks.

Quote:
Originally Posted by AltairHosting
  • Enable SSL, even if it is just for the admin section.
  • If you have a fixed IP address you're accessing the site from, you can lock down the admin section to it.

These suggestions are really good.

To add on to both of them: you can change the database prefix from "wp" to something else when installing; Softaculous provides this option.
You can also change it after installation, which is slightly trickier.

There are multiple security plugins for WordPress; one of my favourites is iThemes.
Two-factor authentication should not be overlooked. It's been mentioned before, but it's a seriously good suggestion. iThemes has this option (in the paid version), but there are free plugins for this.
Don't use old plugins!

To restrict access to your admin area to certain IP addresses, add the following to your .htaccess file in your WordPress installation directory, replacing xx.xxx.xxx.xxx with your IP address.
Code:
# BEGIN RESTRICTION
RewriteEngine On
# Match the login page and everything under wp-admin/ (a bare "wp-admin$" misses /wp-admin/ and /wp-admin/index.php)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# Keep admin-ajax.php reachable: themes and plugins call it for ordinary (logged-out) visitors
RewriteCond %{REQUEST_URI} !admin-ajax\.php
# Dots escaped so only your literal address matches, not any character in that position
RewriteCond %{REMOTE_ADDR} !^xx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
# END RESTRICTION
Naturally, if you have changed any of the default settings to something else, you will need to change them in the above code too.
__________________
Localnode
24/7 Support | Superior Hardware
Become an affiliate and earn 30% of every sale.
Follow Us | Like Us | Blog
The Following 3 Users Say Thank You to Localnode For This Useful Post:
Artashes (02-09-2016), RosenHost (03-18-2016), SenseiSteve (02-09-2016)
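Changing the prefix after installation is trickier than at install time because the prefix is also embedded in usermeta keys and in one options row, not just in table names. The following is an added example (not code from the post, from Softaculous or from WordPress) that generates the MySQL statements for that move; the table list assumes a single-site install with no plugin tables, and the new prefix "xq7_" is a constructed value.

```python
import re

# Core tables of a single-site WordPress install (assumption: no multisite, no plugin tables;
# list any extra tables with SHOW TABLES LIKE 'wp\_%' and add them before running this).
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users"]

def like_pattern(prefix):
    """Escape '_' so LIKE matches a literal underscore: 'wp_%' alone would also match 'wpXusers'."""
    return prefix.replace("_", "\\_") + "%"

def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the MySQL statements that move a WordPress install from table prefix old to new."""
    for p in (old, new):
        if not re.fullmatch(r"[A-Za-z0-9_]+_", p):   # rejects quotes, spaces and a missing trailing '_'
            raise ValueError("prefix must be alphanumeric/underscore and end with '_'")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # The prefix is also embedded in usermeta keys (wp_capabilities, wp_user_level, ...) and in the
    # wp_user_roles option; without these two updates every account loses its role after the rename.
    rewrite = f"CONCAT('{new}', SUBSTRING({{col}}, {len(old) + 1}))"
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = {rewrite.format(col='meta_key')} "
                 f"WHERE meta_key LIKE '{like_pattern(old)}';")
    stmts.append(f"UPDATE `{new}options` SET option_name = {rewrite.format(col='option_name')} "
                 f"WHERE option_name LIKE '{like_pattern(old)}';")
    return stmts

if __name__ == "__main__":
    print("\n".join(prefix_change_sql("wp_", "xq7_")))   # xq7_ is a constructed new prefix
```

Take a backup first (as the thread already recommends), run the statements, then set $table_prefix in wp-config.php to the new value; RENAME TABLE commits implicitly in MySQL, so the backup is your only rollback.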



Post #11 (permalink) 02-09-2016, 03:45 AM
ughosting (HD Community Advisor; Join Date: Jan 2011; Location: London; Posts: 604)
We've put various features in place to ensure our WordPress hosting is up with the best.

1. Softaculous is set up so that the table prefix is random and not "wp". We've also tried to ensure that "admin" is not selected as the default admin name.

2. We have "Patchman", which spots vulnerable scripts in WordPress core and templates and patches them (having first given the customer a heads-up about what will happen and the choice of fixing them first).
This is less likely to break the script than forcing an update.
That said, we recommend updates, and Softaculous can automate them if you are feeling lazy.

3. Hourly R1Soft backups.
Nothing gives me more peace, should a site become compromised, than knowing I have hundreds of restore points to which I can regress.

4. LiteSpeed web server (or NGINX/Apache on VPS). LiteSpeed with LSCache ensures that your site is snappy!!
(LiteSpeed are due to release a WordPress cache plugin soon, which could be a big game changer.)

5. CloudLinux with CageFS. If one user gets compromised, we're confident that our other users remain safe.

6. CloudLinux OptimumCache keeps your WordPress files cached longer, minimising disk I/O and keeping your site fast.

7. We also have a special feature, our Security-Robot: a log trawler which is owner aware.
If an IP tries to log into WordPress instances which belong to different people (not different users, different payment sources), you immediately know that it is a hacker and can ban that IP after only two connection attempts.
(When combined with the fact that we use 50 different class C IP ranges on each of our shared servers, the hackers don't know which IPs are connected to a given server, so their "only use an IP once per server" approach doesn't work.)

8. We use BitNinja, which keeps the majority of the naughty people out.

Whilst you could say this is just shared hosting "called something else", it's pretty damned good.
(But then we don't call it anything else, just shared hosting.)
__________________
DDoS Protected, LiteSpeed + LiteMage on CloudLinux with SSD Disks, R1Soft, Softaculous, SiteBuilder, BitNinja, LetsEncrypt & Patchman
UnixGuru: Accounts with 1-16 CPU Cores, 2-32GB RAM. Why use a VPS?
█ Choose from Shared, Reseller and Elastic-Sites Hosting

Last edited by ughosting : 02-09-2016 at 03:49 AM.
The Following 2 Users Say Thank You to ughosting For This Useful Post:
Artashes (02-09-2016), SenseiSteve (02-09-2016)
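Item 7 above, an owner-aware login-log trawler, can be reproduced in a few lines. The code below is an added example, not ughosting's Security-Robot: it assumes an Apache-style access log with the virtual host as the first field and a map from vhost to hosting account (both constructed here, with made-up addresses), and it flags an IP once it has posted to wp-login.php on sites of two different accounts, the threshold the post describes.

```python
import re
from collections import defaultdict

# Constructed sample access log (assumed LogFormat "%v %h %l %u %t \"%r\" ..."): the
# virtual host comes first, then the client IP. All addresses and hostnames are made up.
SAMPLE_LOG = """\
shop-a.example 203.0.113.5 - - [09/Feb/2016:03:41:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
blog-b.example 203.0.113.5 - - [09/Feb/2016:03:41:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
shop-a.example 198.51.100.7 - - [09/Feb/2016:03:42:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
shop-a.example 198.51.100.7 - - [09/Feb/2016:03:42:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000
blog-b.example 192.0.2.9 - - [09/Feb/2016:03:43:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
blog-b.example 192.0.2.9 - - [09/Feb/2016:03:43:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""

# Which hosting account (payment source, not WordPress user) owns each vhost: constructed.
VHOST_OWNER = {"shop-a.example": "acct-1001", "blog-b.example": "acct-2002"}

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def login_attempts(log_text, owners=VHOST_OWNER):
    """Yield (ip, owner) for every POST to wp-login.php on a vhost with a known owner."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        owner = owners.get(m["vhost"])
        if owner:
            yield m["ip"], owner

def owner_aware_offenders(log_text, threshold=2, owners=VHOST_OWNER):
    """Map IP -> sorted owners for IPs that posted logins to sites of >= threshold distinct owners.
    A customer retrying a password on their own sites touches one owner and is never flagged."""
    owners_by_ip = defaultdict(set)
    for ip, owner in login_attempts(log_text, owners):
        owners_by_ip[ip].add(owner)
    return {ip: sorted(o) for ip, o in owners_by_ip.items() if len(o) >= threshold}

if __name__ == "__main__":
    for ip, accts in owner_aware_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: login POSTs against accounts {', '.join(accts)}")
```

In the sample, 192.0.2.9 retries twice against one account and is left alone, while 203.0.113.5 touches two accounts and is the only ban candidate.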



Post #12 (permalink) 02-11-2016, 01:37 AM
ughosting (HD Community Advisor; Join Date: Jan 2011; Location: London; Posts: 604)
At the risk of making myself look silly:

LiteSpeed had already released their LiteSpeed plugin around 2 weeks ago.

It's a simple "purge the correct cache" plugin at the moment, but with promised ESI includes in the future (like LiteMage) it will likely be able to cache visitors and logged-in users, making this a possible "must have" for community sites.
__________________
DDoS Protected, LiteSpeed + LiteMage on CloudLinux with SSD Disks, R1Soft, Softaculous, SiteBuilder, BitNinja, LetsEncrypt & Patchman
UnixGuru: Accounts with 1-16 CPU Cores, 2-32GB RAM. Why use a VPS?
█ Choose from Shared, Reseller and Elastic-Sites Hosting

Post #13 (permalink) 02-12-2016, 02:14 PM
hostsurfuk (HD Newbie; Join Date: Apr 2013; Location: Rotherham; Posts: 15)
Disabling template editing and restricting admin to 1 IP via .htaccess seems to work best for us.
__________________
Louis M. | Host Surf UK
UK VPS, Dedicated Servers, Cloud Servers
Managed & Unmanaged | 24/7 Technical Support
0 Day Cancellation & No Setup Fee

Post #14 (permalink) 03-18-2016, 10:44 AM
iHostiGo (HD Amateur; Join Date: Mar 2016; Location: UK; Posts: 76)
It's easy to clean WordPress of viruses. If you are using WordPress hosting, it won't help to protect it from viruses; instead you can use the security plugins for WordPress.

Post #15 (permalink) 03-18-2016, 05:36 PM
RosenHost (HD Newbie; Join Date: Mar 2016; Location: Malta / Turkey; Posts: 24)
Forcing the latest updates on users might be a starting point. Softaculous is useful to one-click update many scripts, and I think it should be encouraged. However, its default DB prefixes should be edited.

Other than that, I saw a security measure on Eleven2. They are asking the visitor to solve a simple math question to enter wp-login.php. This is useful to prevent bots' brute force attacks on wp-login.