
Forum Moderators: rogerd & travelin cat


Wordpress security

make WP site more secure

     

ankit13

2:58 am on May 21, 2014 (gmt 0)



Hello,
I want to know how we can increase the security of our WordPress website.
Not by plugins as they can be vulnerable at times.
How can we hard code something into our website that would make it hack proof?
TIA

not2easy

3:14 am on May 21, 2014 (gmt 0)




Welcome to the Forums ankit13. WordPress offers good advice and information on things you can do to help keep your WordPress site secure. Their own support site is probably a good place to start: [codex.wordpress.org...]

vishwa

3:34 am on May 21, 2014 (gmt 0)



You simply password protect your wp admin page from your cPanel account. Use a strong password combining capital, small and special characters. I also suggest you use the Wordfence security plugin because I have used it from the start of my blog and it is very reliable and one of the best security plugins.

lorax

11:54 am on May 21, 2014 (gmt 0)




Welcome to WebmasterWorld ankit13,

I lock down access to my login page and to the /wp-admin/ directory by IP address. Be sure to read that doc at WordPress. not2easy is absolutely right, it's THE place to start.

And just to be clear, there's no such thing as hack proof (true for any CMS) - not unless you're a top notch cyber-security expert or can afford one. We as WordPress website owners can stop common hackers that use exploits and brute force attacks but unless we own the server, have the skills & knowledge, and control at least the first level of equipment that connects to it, we are vulnerable.

ergophobe

2:08 pm on May 23, 2014 (gmt 0)




> I lock down access to my login page and to the /wp-admin/ directory by IP address


Which means that you need a static IP at home/work and can't, for example, blog from a cafe, right? For me, my IP is going to change every time I reboot my modem, AKA every time the power goes out, which is about 1x per month. I suppose a VPN would solve that.

Kendo

6:12 am on May 24, 2014 (gmt 0)




> For me, my IP is going to change every time I reboot my modem


Maybe it's time to get a fixed IP number from your provider. Or change providers. Some charge a small additional fee per month while others include it for free if you ask nicely.

Locking admin logins down to an IP address overcomes all exploits including when someone has guessed the admin username and then only needs to packet sniff a password request/reset email to get your password.

ergophobe

8:44 pm on May 24, 2014 (gmt 0)




> Maybe it's time to get a fixed IP number from your provider. Or change providers.


Neither of which are a remote possibility in our area. We tried to spend $328/month to get a 1.5Mbps T1 line, but even at that price, they refused to provision it and that was my second option.

lorax

6:42 pm on May 25, 2014 (gmt 0)




That's true ergophobe but I don't go to public cafes and access my sites. You could use a higher level block of IPs instead of the exact IP. xxx.xxx. for example.
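
The IP lock-down lorax describes in this post and in the earlier one, written out as an added example that is not from any poster in the thread. It assumes Apache 2.4 with .htaccess overrides enabled; the addresses are constructed documentation ranges, and the /24 stands in for the "higher level block" of a provider's dynamic pool.

```apache
# ---- File 1: .htaccess in the WordPress document root ----
# Assumes Apache 2.4 (mod_authz_core). All addresses below are
# constructed placeholders from documentation ranges.

# Only the listed addresses may reach the login page; everyone else
# receives 403 before WordPress runs. Several Require lines at the
# same level are ORed together.
<Files "wp-login.php">
    # One fixed address, e.g. an office line or a VPN exit.
    Require ip 203.0.113.25
    # A whole provider block, for a home connection whose address
    # changes on modem reboot. Wider block = more strangers allowed.
    Require ip 198.51.100.0/24
</Files>

# ---- File 2: wp-admin/.htaccess ----
# Same allowlist for everything under /wp-admin/.
Require ip 203.0.113.25
Require ip 198.51.100.0/24

# Themes and plugins call admin-ajax.php on behalf of anonymous
# front-end visitors, so it has to stay reachable or those features
# break. With the default "AuthMerging Off" this section replaces
# the directory-level rule for this one file.
<Files "admin-ajax.php">
    Require all granted
</Files>

# If the site sits behind a CDN or reverse proxy, Apache sees the
# proxy's address instead of the visitor's; mod_remoteip must be set
# up to restore the client address before these rules mean anything.
```

After deploying, request /wp-login.php from an address outside the list and confirm a 403 in the access log, then confirm a front-end page that uses AJAX still works.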

Kendo

10:44 pm on May 25, 2014 (gmt 0)




Another thing you can do is play with user-agent. Some browsers like Firefox allow the use of an add-on that changes the user-agent string that the browser sends with each page request. Then by using some code on your login page you can check that user-agent and redirect if necessary. But don't use javascript for that check as it needs to be most secret and "behind" the html... use PHP or ASP if available.

No need to change "Firefox/*" as this may affect CSS but you can add an extra word like "MyAdminBrowser" and then your login page can check for the presence of "MyAdminBrowser" in the user-agent.

I recommend resetting the add-on when not using it because it will be recorded when visiting other websites.

ergophobe

7:03 pm on May 26, 2014 (gmt 0)




That's a cool idea Kendo. I tend to maintain a separate Firefox profile for some tasks, so it would be profile-specific.

lorax

12:23 pm on May 27, 2014 (gmt 0)




Nice idea Kendo. Now you have me thinking about other ways of doing something similar.... :)
 
