
WordPress Security

Discussion in 'Domains and Hosting' started by AbbyJ, Feb 16, 2017.

  1. AbbyJ

    When starting my site I know it's important to make sure my site is secure. What plugins do you all recommend to use? I currently use Login Lockdown, but that's it. Is there anything else I should do on my computer or site other than plugins? So far I have antivirus software and https for the site, but that's it. Thanks in advance.
     
  3. tyoussef

    Also, don't forget to always update your plugins and themes.
     
    AbbyJ likes this.
  4. AbbyJ

    Yeah, I know about upgrading the plugins. Is there anything else I need to keep in mind?
     
  5. MxyzptlkFishStix

    Probably the most important thing, more so than a plugin, is having strong passwords.
     
    AbbyJ likes this.
  6. no2pencil

    Even above plugins; here is a snippet of a reply that I just sent to a potential hosting customer this morning:

    WordPress isolated databases
    Nagios checks validating current WordPress installation versions
    Nagios checks validating pending Operating System patches
    DNS is through CloudFlare:
    -- mask server IP
    -- CloudFlare browser version & validation
    -- CloudFlare's anti-DDoS
    Implement SELinux
    Dynamic firewalls
    Daily import of known-bad IP addresses
    For sites that are non-encrypted, force login pages & admin pages over the https encrypted protocol
    Disable out-of-the-box accounts, like 'admin'

    Security Plugins:
    Sucuri (actually run hardening suggestions & enable any notification options)
    CloudFlare Flexible SSL (required for the FORCE_SSL_ADMIN setting)
    Login LockDown (change lockout timeout to 3600, update nginx to reflect CloudFlare IPs so source IP is accurate)
    WordPress Zero Spam
     
    AbbyJ likes this.
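
One way to implement the "Nagios checks validating current WordPress installation versions" item from the list above, as an added example that is not part of any post in this thread. It assumes the operator supplies the expected version on the command line; the script name, the warning/critical policy and the sample file contents are constructed for illustration.

```python
#!/usr/bin/env python3
"""Nagios-style plugin: is the installed WordPress core at the expected version?"""
import re
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# WordPress core stores its version in wp-includes/version.php as: $wp_version = '4.7.2';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"](\d+(?:\.\d+){1,2})""", re.M)

# Constructed sample input (not taken from a real site).
SAMPLE = "<?php\n/**\n * @global string $wp_version\n */\n$wp_version = '4.7.1';\n$wp_db_version = 38590;\n"


def parse_version(text):
    """Return the core version as a 3-tuple of ints, or None if it is absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # '4.7' compares as (4, 7, 0)


def check(version_php, expected):
    """Return (exit_code, status_line); `expected` is a string such as '4.7.2'."""
    installed = parse_version(version_php)
    wanted = parse_version(f"$wp_version = '{expected}';")
    if installed is None or wanted is None:
        return UNKNOWN, "WP_VERSION UNKNOWN - could not read installed or expected version"
    have = ".".join(map(str, installed))
    if installed >= wanted:
        return OK, f"WP_VERSION OK - core {have}"
    # Assumed policy: same major.minor branch is a warning, an older branch is critical.
    if installed[:2] == wanted[:2]:
        return WARNING, f"WP_VERSION WARNING - core {have}, expected {expected}"
    return CRITICAL, f"WP_VERSION CRITICAL - core {have}, expected {expected}"


if __name__ == "__main__":
    # usage: check_wp_version.py /path/to/wp-includes/version.php 4.7.2
    try:
        text = open(sys.argv[1], errors="replace").read() if len(sys.argv) == 3 else SAMPLE
        code, line = check(text, sys.argv[2] if len(sys.argv) == 3 else "4.7.2")
    except OSError as exc:
        code, line = UNKNOWN, f"WP_VERSION UNKNOWN - {exc}"
    print(line)
    sys.exit(code)
```

Run with no arguments, it checks the embedded sample and exits with the WARNING code; Nagios reads the exit code and the first line of output.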
  7. AbbyJ

    Great, thanks! I am new to this, so how do you validate WordPress installation versions and OS patches? How do you mask the server IP address and why? Also, how do you import known bad IP addresses and what does this do to protect me? Thanks!
     
  8. Change wp-login.php to another /user or /login. It will save your website from automatic login bots.
     
  9. Good4U

    Use the Hide my WordPress plugin.
     
  10. no2pencil

    Do you have any more details as to what it is, or what it does? Or do you just install plugins that have security-sounding names?
     
  11. MxyzptlkFishStix

    I think he/she is referring to Hide My WP. However, it's not exactly for the technically disinclined.
     
    no2pencil likes this.
  12. Kian_SuperAff

    WordPress is a good CMS but you always have to keep everything updated. All plugins included.
     
  13. wpcycle

    One plugin that was not mentioned is WordFence. It's a great plugin that will protect WordPress from attacks. It has the ability to scan for malware, and can compare your WordPress installation to the files on WordPress-dot-org. OS patches are usually left to the host. One thing with WordFence...disable the Live View option. It's not needed.

    Another option to protect your Dashboard is to set up an htaccess file to either only allow a specific IP (you) or a username/password combination that needs to be entered to access the Dashboard.
     