
WordPress Forum

    
WordPress security
make WP site more secure
ankit13




msg:4672895
 2:58 am on May 21, 2014 (gmt 0)

Hello,
I want to know how we can increase the security of our WordPress website.
Not by plugins as they can be vulnerable at times.
How can we hard code something into our website that would make it hack proof?
TIA

 

not2easy




msg:4672902
 3:14 am on May 21, 2014 (gmt 0)

Welcome to the Forums ankit13. WordPress offers good advice and information on things you can do to help keep your WordPress site secure. Their own support site is probably a good place to start: [codex.wordpress.org...]

vishwa




msg:4672906
 3:34 am on May 21, 2014 (gmt 0)

Simply password protect your wp-admin page from your cPanel account. Use a strong password combining capital, small and special characters. I also suggest you use the Wordfence security plugin, because I have used it since starting my blog and it is very reliable and one of the best security plugins.

lorax




msg:4673056
 11:54 am on May 21, 2014 (gmt 0)

Welcome to WebmasterWorld ankit13,

I lock down access to my login page and to the /wp-admin/ directory by IP address. Be sure to read that doc at WordPress. not2easy is absolutely right, it's THE place to start.

And just to be clear, there's no such thing as hack proof (true for any CMS) - not unless you're a top notch cyber-security expert or can afford one. We as WordPress website owners can stop common hackers that use exploits and brute force attacks but unless we own the server, have the skills & knowledge, and control at least the first level of equipment that connects to it, we are vulnerable.

ergophobe




msg:4673939
 2:08 pm on May 23, 2014 (gmt 0)

I lock down access to my login page and to the /wp-admin/ directory by IP address


Which means that you need a static IP at home/work and can't, for example, blog from a cafe, right? For me, my IP is going to change every time I reboot my modem, AKA every time the power goes out, which is about 1x per month. I suppose a VPN would solve that.

Kendo




msg:4674147
 6:12 am on May 24, 2014 (gmt 0)

For me, my IP is going to change every time I reboot my modem


Maybe it's time to get a fixed IP number from your provider. Or change providers. Some charge a small additional fee per month while others include it for free if you ask nicely.

Locking admin logins down to an IP address overcomes all exploits including when someone has guessed the admin username and then only needs to packet sniff a password request/reset email to get your password.

ergophobe




msg:4674287
 8:44 pm on May 24, 2014 (gmt 0)

Maybe it's time to get a fixed IP number from your provider. Or change providers.


Neither of which are a remote possibility in our area. We tried to spend $328/month to get a 1.5Mbps T1 line, but even at that price, they refused to provision it and that was my second option.

lorax




msg:4674370
 6:42 pm on May 25, 2014 (gmt 0)

That's true ergophobe but I don't go to public cafes and access my sites. You could use a higher level block of IPs instead of the exact IP. xxx.xxx. for example.

Kendo




msg:4674393
 10:44 pm on May 25, 2014 (gmt 0)

Another thing you can do is play with the user-agent. Some browsers like Firefox allow the use of an add-on that changes the user-agent string that the browser sends with each page request. Then by using some code on your login page you can check that user-agent and redirect if necessary. But don't use JavaScript for that check as it needs to be most secret and "behind" the HTML... use PHP or ASP if available.

No need to change "Firefox/*" as this may affect CSS but you can add an extra word like "MyAdminBrowser" and then your login page can check for the presence of "MyAdminBrowser" in the user-agent.

I recommend resetting the add-on when not using it because it will be recorded when visiting other websites.
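
The two ideas from the thread combined, as an added example that is not part of any post: a broad address block (for connections whose IP changes) narrowed by the extra user-agent word. The CIDR ranges and the gate file itself are assumptions; the User-Agent header is client-supplied, so this is a filter in front of the normal WordPress login, not a replacement for it.

```php
<?php
// Added example, not code from the thread. Ranges are constructed placeholders.
// Assumes 64-bit PHP and IPv4 clients; include it only for wp-login.php and
// /wp-admin/ requests.

const ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.0/24']; // constructed blocks
const UA_TOKEN      = 'MyAdminBrowser';                      // extra word from the post

/** True if IPv4 address $ip lies inside $cidr, e.g. "203.0.113.0/24". */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false
        || !ctype_digit($bits) || (int) $bits > 32) {
        return false; // malformed or IPv6 input never matches: fail closed
    }
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/** Both checks must pass: address in an allowed block AND token in the UA. */
function admin_gate_allows(string $remoteAddr, string $userAgent): bool
{
    $inRange = false;
    foreach (ALLOWED_CIDRS as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            $inRange = true;
            break;
        }
    }
    return $inRange && strpos($userAgent, UA_TOKEN) !== false;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample requests for a quick check from the command line.
    $fx = 'Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0';
    var_dump(admin_gate_allows('203.0.113.77', "$fx MyAdminBrowser")); // in range, token
    var_dump(admin_gate_allows('203.0.113.77', $fx));                  // in range, no token
    var_dump(admin_gate_allows('192.0.2.10', "$fx MyAdminBrowser"));   // token, wrong range
} else {
    // REMOTE_ADDR is the proxy's address when the site sits behind a CDN or proxy.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    if (!admin_gate_allows($ip, $ua)) {
        http_response_code(403);
        exit;
    }
}
```

Blocking /wp-admin/admin-ajax.php this way can break front-end features of themes and plugins that call it, so exempt that file if the site relies on it.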

ergophobe




msg:4674650
 7:03 pm on May 26, 2014 (gmt 0)

That's a cool idea Kendo. I tend to maintain a separate Firefox profile for some tasks, so it would be profile-specific.

lorax




msg:4674881
 12:23 pm on May 27, 2014 (gmt 0)

Nice idea Kendo. Now you have me thinking about other ways of doing something similar.... :)

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved