WordPress security monitoring and diagnosis

Comments

  1. quicoto (39 comments.) says:

    How many WordPress (self-hosted) sites have been hacked?

    I mean… Maybe WordPress is quite safe by default.

    Regards

    • Klint Finley says:

      WordPress is quite safe by default, and yet many self-hosted WordPress sites have been hacked. All software has vulnerabilities. I don’t have any specific information, but I would guess the vast majority of cases of a hacked WordPress site are the result of having an outdated version of WordPress. So staying up-to-date is the most critical thing you can do.

      However, there’s always a chance you’ll get hit by some sort of exploit before WordPress has patched it, or that you’ll be out of town or away from your computer for a few days and miss an update. It pays to have some extra protection.

      The plugins I mention in this article won’t protect you from attacks, they will only help you know if your site has already been hacked.

      My previous articles on security have some plugins you can install and steps you can take to make WordPress even more secure than it already is.

  2. Andrew@BloggingGuide (90 comments.) says:

    I am using Antivirus for WordPress, but I guess I would have to try WordPress File Monitor and maybe WordPress Exploit Scanner too, since you said it does a more thorough scan. Then I’ll see which will work best for me.

  3. Mihai Secasiu (12 comments.) says:

    If someone can break WordPress security, it’s very likely that they will be able to check for the plugins and deactivate them.
    They might stop some stupid bots/worms, but they won’t protect you against a custom attack.

    • Klint Finley says:

      I should point out that none of the plugins above will protect you against any sort of attack – they will only let you know that your site has been hacked.

      If you want to protect your site, you should install the plugins from my previous posts.

      Most of us will never have to contend with a custom attack because it’s much easier and more effective for hackers to use generic attacks that target large swaths of blogs. That said, some of the plugins I recommended before (particularly Login Lockdown and Chap Secure Login) will help protect against even a custom attack (so will changing your default admin username).

      Of course, nothing is 100% secure, which is why you should always have good backups.

  4. Alex Sysoef (8 comments.) says:

    Nicely written! I have been using and encouraging others to implement WordPress File Security for quite a bit now, and I’m glad to see others push it through! I found it absolutely invaluable for monitoring what is happening on my blog and helping me protect it.

    Thanks!

  5. naeem (3 comments.) says:

    I had an annoying issue on my self-hosted blog. Some script used to inject about 200 hidden links to spam medical sites.

    My site was
    – self-hosted on Media Temple
    – fairly high traffic (2000+ page impressions daily, with peaks on news days of about 15,000 daily)
    – ALWAYS upgraded to the latest version
    – using a WooThemes theme that was legal (i.e. not torrented)

    Anyway, for nearly a month, twice a week I had to get into the editor and edit header.php to remove the links. I tried WP Antivirus & Exploit Scanner, but they didn’t work well.

    Installed
    WP Extra Security http://lelkoun.cz/wordpress-plugin-extra-security
    and
    WP Malwatch http://how-to-blog.tv/security/wp-malwatch/

    These seem to have worked for me.

    (PS: I also did manual upgrades and overwrote the install files.)

    • Klint Finley says:

      I hadn’t heard of those two plugins; I will check them out. It sounds like you had the same problem I had with webadmin.

  6. David Richards (3 comments.) says:

    Outstanding article, anything that helps the WordPress platform to become even more secure/stable gets a big thumbs up from me.

  7. bubazoo (213 comments.) says:

    Is there a way to run “grep -r ‘webadmin’ *” on a server that doesn’t allow SSH access? I am finding out that more and more web hosting providers are blocking SSH access, which I think is crazy, but my host does, and several hosts I’ve been with before that all blocked SSH completely, not even jailed. Or is there, like, a plugin that I can install that would run a series of commands like this on a server for those who don’t have SSH access to their servers?

    Because a lot of times I find out I can’t even change file permissions or ownership of files without SSH access, and it annoys me to no end, because not all FTP clients, or servers apparently, allow file permissions to be set or reset in your FTP client either. I found that out the hard way a few times.

    • Klint Finley says:

      I don’t know how to do it w/o SSH – there might be a way to do it through your host’s control panel. But really I’d suggest getting a host with SSH access!
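As an added example for the question above (and for the injected hidden links in header.php described in comment 5), this is not the article’s or any named plugin’s code: a small read-only PHP page that does what “grep -r ‘webadmin’ *” would, but runs under the web server, so it works on hosts without SSH. The marker strings, the three-day window and the access token are assumptions to adjust for your own case.

```php
<?php
// Hypothetical scanner, not part of the article: drop into the WordPress root,
// open it in a browser with ?token=..., read the report, then delete the file.

// Simple access gate so the report is not public; replace the placeholder.
if (!hash_equals('CHANGE-ME-PLACEHOLDER', $_GET['token'] ?? '')) {
    http_response_code(403);
    exit('forbidden');
}

$root    = __DIR__;                                   // WordPress install directory
$markers = ['webadmin', 'eval(base64_decode', 'display:none'];  // assumed strings to flag
$recent  = 3 * 86400;                                 // also list files changed in last 3 days
$exts    = ['php', 'js', 'html', 'htaccess'];         // pathinfo() yields 'htaccess' for .htaccess

$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
$hits = [];
foreach ($files as $file) {
    if (!$file->isFile() || $file->getSize() > 2 * 1024 * 1024) {
        continue;                                     // skip directories and large binaries
    }
    $ext = strtolower(pathinfo($file->getFilename(), PATHINFO_EXTENSION));
    if (!in_array($ext, $exts, true)) {
        continue;
    }
    $path = $file->getPathname();
    $body = file_get_contents($path);
    if ($body === false) {
        continue;
    }
    foreach ($markers as $marker) {
        $pos = strpos($body, $marker);
        if ($pos !== false) {
            $line   = substr_count(substr($body, 0, $pos), "\n") + 1;  // like grep -n
            $hits[] = sprintf('%s:%d: contains "%s"', $path, $line, $marker);
        }
    }
    if (time() - $file->getMTime() < $recent) {
        $hits[] = sprintf('%s: modified %s', $path, date('c', $file->getMTime()));
    }
}

header('Content-Type: text/plain');
echo $hits ? implode("\n", $hits) . "\n" : "no matches\n";
```

The report is only as trustworthy as the web server it runs under; if the site is already compromised, confirm any finding against a clean copy of WordPress and your theme before editing files.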


Obviously Powered by WordPress. © 2003-2013