How to secure Wordpress?

Discussion in 'malware problems & news' started by Paul Keith, Sep 5, 2009.

Thread Status:
Not open for further replies.
  1. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    After someone plurk'd this article: http://digitizor.com/2009/09/05/4-w...ess-installation-affected-eval-base64-decode/

    I'm just paranoid of blogging, especially since I've never paid for it or used Wordpress before.

    What are the ultimate safety guidelines to secure Wordpress? I'm not asking for generic ways to secure Wordpress but really looking for the end-be-all security instructions for it.

    Is there a Nod32, Avira, Malwarebytes, Sandboxie for this kind of software?
     
  2. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    There are a lot of things you can do to make WP secure, but the biggest failure occurs because people don't update their install as well as plugins when security fixes occur.

    Also plugin overload, the more plugins you introduce the more chances for compromise. I see people using plugins for the silliest things, like inserting analytics on every pageload when you can just open up footer.php and paste the code in.

    As for virus scanner type things, yeah there is one but I don't bother because it's limited in scope to what it can detect. I'd rather stop them getting in instead of detecting it after the fact.

    If you have a blog I can give you some specific pointers, such as login lockdown to protect against brute force, creating a second admin and removing the first so the account with privileges isn't user id 1 with a login name of "Admin" and so on. Or for instance if you try and login with a wrong user or pass, WP actually tells you what part was wrong, so throw that code in the bin so you don't provide the hacker with feedback.

    There's lots you can do. Also just like computers, you want to backup your WP database and filesystem frequently not just because of hacking but for general host/server problems as well.
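The two pointers above (generic login errors, and a lockdown after repeated failures) as an added example plugin, not code from this thread or from WordPress itself. The plugin name, the `lh_` function names and the attempt/lockout thresholds are assumptions; it uses only the WordPress `login_errors`, `wp_login_failed`, `wp_login` and `authenticate` hooks and the transients API.

```php
<?php
/*
Plugin Name: Login Hardening (hypothetical example)
Description: Generic login error text plus a per-client failed-login lockout.
*/

// Assumed thresholds; tune for your site.
define('LH_MAX_ATTEMPTS', 5);
define('LH_LOCKOUT_SECS', 900); // 15 minutes

// Key the failure counter on the client address. Behind a reverse proxy
// you would have to derive this from a trusted forwarded-for header instead.
function lh_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lh_fail_' . md5($ip);
}

// Replace WP's "invalid username" / "incorrect password" messages with one
// generic line, so a failed attempt does not confirm which half was right.
function lh_generic_login_error($errors) {
    return 'Login failed.';
}
add_filter('login_errors', 'lh_generic_login_error');

// Count failures per client; each failure also restarts the lockout window.
function lh_record_failure($username) {
    $key   = lh_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LH_LOCKOUT_SECS);
}
add_action('wp_login_failed', 'lh_record_failure');

// A successful login clears the counter.
function lh_clear_failures($user_login, $user) {
    delete_transient(lh_client_key());
}
add_action('wp_login', 'lh_clear_failures', 10, 2);

// Once the threshold is reached, refuse authentication regardless of the
// password. Priority 30 runs after core's username/password check (20), so
// the lock cannot be overridden; the expiring transient lifts it automatically.
function lh_enforce_lockout($user, $username, $password) {
    if ((int) get_transient(lh_client_key()) >= LH_MAX_ATTEMPTS) {
        return new WP_Error('lh_locked', 'Too many failed logins. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lh_enforce_lockout', 30, 3);
```

Save it as a file under wp-content/plugins/ and activate it; a locked-out client sees only the generic message and the lockout notice, never which credential was wrong.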
     
  3. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Oh. Darn.

    Isn't there a way of knowing this before actually having a blog? As a newbie to blogging, one of the things that has turned me off for a long time from trying this was that I just don't know which is the end-be-all of guides to follow. (Not just in security)

    I have heard of the "always update the software" claim though but my problem with this is that this is standard advice for all software especially those needing to connect to the internet!

    Stuff like inserting analytics on every page load and causing plugin overload though...how is a beginner user even able to ask that?
     
  4. 1boss1

    1boss1 Registered Member

    Joined:
    Jun 26, 2009
    Posts:
    401
    Location:
    Australia
    A lot of it is trial and error, refining and learning over time. No different to a PC, you once didn't even know how to turn one on and write a Wordpad document. But you seem to be using a PC, worked out how to connect to the net, make an email account and register here to make a thread.

    If you just install the latest Wordpress, add a theme and blog away you are very secure provided your host is reputable. Do regular backups to safeguard your data and you're set.

    Most hackers seek out old or vulnerable installs or plugins using semi or fully automated means; it's less common to have a hacker sit there and pound away at a fully updated install. That's more personal, or aimed at high profile sites for fame.

    If you are really concerned, you can get a hosted blog at Wordpress.com it's less flexible but to my knowledge their system hasn't been compromised.
     
  5. Paul Keith

    Paul Keith Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    25
    Actually I never knew how to do all that and had to use a guide except for opening a PC.

    I used to never bother with Wordpad until due to my excessive reading of RSS's and Webpages, the clunkiness of Word Processor got to me and even then I moved to Notepad.

    It wasn't until one day I saw a joke guide on wikihow on how to get rid of your blogging fix, and one of the pieces of advice listed was to basically write down articles in Wordpad, that I first looked at the program for real.

    The same went for the internet: up until I installed Lastpass on Firefox, I never registered much for sites and I had a nasty habit of leaving sites, so I always forgot the usernames and eventually it came to a point where I lurked instead of making topics.

    I have registered for a hosted blog (though not Wordpress, Tumblr) but as you said, a majority of learning Wordpress and blogging still comes from actually having one. There's just no virtual manager to test run the software in its fullest form.

    And yes I understand, I might have overreacted but you have to understand this is Wilders. People can talk for ages about securing stuff in their PCs, and such talks have created such things as which antivirus to avoid and which is the instant recommendation. The fact that Wordpress is similar to Windows XP in security and yet the security measures are trial and error is frankly...shocking. (Especially from a casual user who only ever started with dabbling in the internet because not only did I fail to update Norton in the past, I was using Norton, and with no backup knowledge, using a PC was like a ticking time bomb just waiting for your guard to go down, getting infected with a drive-by virus and forcing you to reformat all the time "because there was no guide".)
     