More plugins for securing your WordPress install

27 responses

Comments

  1. quicoto (39 comments.) says:

    I’m using WP Security Scan sometimes.

    I always thought WordPress was safe enough (I want to believe :P)

    Regards

  2. Doug Hill (6 comments.) says:

    Using the WP Security plugin, I ran the facility to change my Database prefix, and am locked out of my dashboard. It tells me my “admin” username no longer exists. I checked the database and discovered that the prefixes have all been changed as I instructed.

    I am a medium level user. Must I now empty the tables in my database and import my backup to get back in?

    • Klint Finley says:

      Sounds like something went wrong along the way; it’s having trouble accessing the table with your username and password. So yes, it’s probably time to drop the tables and restore. Are you familiar with phpMyAdmin?

      • Doug Hill (6 comments.) says:

        I went through the MySQLAdmin drop and import procedure, but was greeted by a first table duplicate error no matter what backup I used.

        Then I had my ISP restore my site to yesterday, and that restored my site, but I could not log in, as my login request brought up a fake link to what appeared to be WordPress.org, but using a weird URL that did not refer to it.

        My ISP was able to fix that, and I have access to the dashboard now.

        But it would appear that the plugin download has been hacked. I can’t see what else could have caused the problem since everything was okay until I activated the link in the plugin.

        Any ideas?

        • Texx Smith (6 comments.) says:

          It sounds like perhaps you had a virus already before you tried to clean all that up.

          Look for an article about how to access WordPress when locked out. You’ll find instructions on how to use PHPMyAdmin to change the password in the database and restore access for you.

    • Klint Finley says:

      That’s really really weird. You should drop the plugin author a line. Like Texx says, there could have been something already going on. I don’t know. Here’s how to change the admin user account through phpmyadmin (or MySQL command line):

      http://codex.wordpress.org/Resetting_Your_Password

  3. Chris (29 comments.) says:

    Klint, I see you recommended the Login Lockdown plugin. I am currently using the Limit Login Attempts plugin, which looks to do the same job. Do you have a preference for one over the other? I’m just curious if I should change plugins. Thanks, and thanks for the great article!

    • Klint Finley says:

      I haven’t used Limit Login Attempts – if it works, it works. Does it also mask login errors?

      • Chris (29 comments.) says:

        It doesn’t mask login errors, and for that reason, I will be switching plugins. Thanks again for the guide.

      • Chris (29 comments.) says:

        I just noticed that the Login Lockdown plugin adds a link to the author’s site on my login page. This might break the WordPress Plugin Repository Guidelines. Restriction #4 is:

        The plugin must not embed external links on the public site (like a “powered by” link) without explicitly asking the user’s permission.

        Now, I don’t know how anyone else views the login page (public site or not), but is it wise to advertise what security plugins I’m using on the site where hackers will visit? This to me seems like an inherent security risk.

        • Klint Finley says:

          Hm, good catch re: repository rules.

          I thought about whether advertising the use of that plugin was a security issue, but I think, considering what it specifically does, it doesn’t matter if a lot of people know it’s there. I wouldn’t necessarily want WordPress Firewall advertising that it’s installed (of course, now everyone in the world knows I use it), but having people know there’s a login attempt limit doesn’t seem like a big deal.

          Anyone else have thoughts on this?

          Also, it probably wouldn’t be that hard to remove this part of the plugin.

          • bubazoo (213 comments.) says:

            Yeah, that’s what I was thinking, about removing that part of the plugin. You could probably just remove a single line to keep it from doing that, no big deal.

        • Klint Finley says:

          So here are the lines to remove the protected by link:

          Lines 303 and 304, starting with “function ll_credit_link”

          And line 316 which also references ll_credit_link
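The two behaviours the exchange above compares, a limit on failed login attempts and masked login error messages, as an added example that is not part of the original post and is not code from Login Lockdown or Limit Login Attempts: a minimal must-use plugin built on the WordPress `login_errors`, `wp_login_failed` and `authenticate` hooks. The threshold, lockout window and per-IP keying are assumptions chosen here.

```php
<?php
/*
 * Plugin Name: Minimal Login Hardening (added example, not Login Lockdown or Limit Login Attempts)
 * Drop into wp-content/mu-plugins/ so it loads before normal plugins.
 */

// Assumed policy: five failures from one address lock that address out for 15 minutes.
define('MLH_MAX_ATTEMPTS', 5);
define('MLH_LOCKOUT_SECONDS', 900);

// Transient key per client. REMOTE_ADDR is used on purpose: headers such as
// X-Forwarded-For are client-supplied unless a trusted proxy rewrites them.
function mlh_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'mlh_fail_' . md5($ip);
}

// Masking: WordPress normally says whether the username or the password was wrong,
// which confirms valid account names. Replace every message with one generic line.
add_filter('login_errors', function ($errors) {
    return 'Login failed.';
});

// Counting: wp_login_failed fires for a wrong password and for an unknown username alike.
add_action('wp_login_failed', function ($username) {
    $key   = mlh_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, MLH_LOCKOUT_SECONDS); // each failure extends the window
});

// Locking: priority 30 runs after the core username/password check (priority 20),
// so a correct password during lockout is still refused. The refusal is itself a
// failed login and is counted by the action above.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(mlh_client_key()) >= MLH_MAX_ATTEMPTS) {
        return new WP_Error('mlh_locked', 'Login failed.');
    }
    return $user;
}, 30, 3);

// Reset on success so legitimate users do not carry old failures forward.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(mlh_client_key());
}, 10, 2);
```

Behind a reverse proxy every visitor shares one REMOTE_ADDR, so this lockout would apply to all of them at once; mlh_client_key would need to read the proxy's address header only when the request really came from that proxy.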

  4. Zatz (6 comments.) says:

    We need more of this in the core. Along with caching.

  5. JhezeR (2 comments.) says:

    I’m using WP Firewall and it successfully blocks any SQLi + directory traversal script.

  6. V.C (44 comments.) says:

    I actually don’t use any security plugin for my WordPress blog.
    However, due to the high risk of attack, I’ve changed my mind and am going to install some plugins that you mentioned above. Thanks!!

  7. Andrew@BloggingGuide (90 comments.) says:

    This is really a very detailed article and because of this, it has become really useful. I am using all the other plugins mentioned, however, I am also interested in trying Bad Queries and WordPress Firewall.

  8. Kevin Love (4 comments.) says:

    Did your site ever get hacked as well? The stories of how they did it and the consequences of the hack are always interesting.

  9. bubazoo (213 comments.) says:

    I probably have more exploit issues with plugins than WordPress itself, so I think securing WordPress is a very good idea. I use all these plugins myself, except the firewall plugin, which doesn’t work on my setup either. The bad queries plugin is most definitely useful because it’s gotten rid of all those error_log files in my FTP directories about missing files when the files aren’t missing. I used to get that issue all the time, thinking my WSP was just being finicky or something, but bad queries fixed that problem immediately :) which has also added to fixing most of the issues I’ve had with making my site as close to XHTML compliance as possible. The plugins still break XHTML compliance, which makes my blog still unreadable by people with disabilities and not compliant with accessibility guidelines, but WP itself has always been solid and stable as far as security is concerned. It’s always the plugins that cause more exploits than anything else, it seems to me.

  10. Alec (2 comments.) says:

    Our developer used WordPress for a film review blog some time ago. The site was on an old server and got hacked. Since that episode we’ve steered clear of WordPress but having read more and more on security and security plugins (especially these blogs) we’re much more inclined to start using it again.

    • Klint Finley says:

      Well, if the server itself wasn’t patched and updated it could’ve been an issue with the server and not with WordPress itself.

      • Alec (2 comments.) says:

        We pretty much nailed it down to WordPress at the time, although it did prompt patching across the server.

        • Klint Finley says:

          Gotcha. Since you said “old server” I thought it might have been outdated.

Trackbacks/Pingbacks

  1. […] More plugins for securing your WordPress install – Useful guide for making WP a bit more impregnable. […]

  2. […] More plugins for securing your WordPress install […]

  3. […] If you use WordPress Firewall (and I recommend you do), you’ll need to deactivate it while you install, activate, and configure this […]

Obviously Powered by WordPress. © 2003-2013