• Jon

    (@jonpaulwade)


    I have read the various hardening wordpress posts here and on other sites.

    I already whitelist IP addresses for access to wp-admin and wp-login, as well as running WordPress Security and a WordPress Firewall plugin.

    I also remove mention of WordPress from the site theme.

    I am wondering, is there still a way for somebody to hack the site? Is more needed? If you whitelist by IP, how would somebody ever access the site?

    I have seen that there are some tools designed for hacking WordPress. Watched some scary-looking YouTube videos. Does blocking IPs stop these tools from getting anywhere? Or do these script injections bypass /wp-admin?

    I have been running a site with the above mentioned security features for some time with no problems (always update the site and keep plugins to a minimum). But do not want to rest on my laurels.

Viewing 9 replies - 1 through 9 (of 9 total)
  • I am wondering, is there still a way for somebody to hack the site?

    Gosh! That’s a little bit like asking “how long is a piece of string?”. It depends upon so many different factors. How secure is your server? Where are your plugins from & are they secure? The only 100% secure site is the one that no one can access. As soon as other people can access your site, you, in theory, open it up to hack attempts.

    Thread Starter Jon

    (@jonpaulwade)

    Ok, so let’s assume in this case that the server is secure and there are no plugins at all.

    Could this really be hacked? If so, how? And is there a way to prevent it?

    If there are many examples of ways it can be done, what are the most frequently used ones? Has anybody ever written about this somewhere?

    Maybe it is a case of block bots? Lots of these hacks come from tools that sniff out details quickly.

    Any tips / suggestions welcomed.

    I think it would be unrealistic to assume that anything is 100% secure, so in theory, WP could still be hackable, yes.

    If there are many examples of ways it can be done, what are the most frequently used ones?

    If we knew that, those particular routes would all have been patched. 🙂

    Maybe it is a case of block bots?

    How would you identify these bots?

    Thread Starter Jon

    (@jonpaulwade)

    OK, so the answer is, “nobody knows”.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    OK, so the answer is, “nobody knows”.

    Not at all. The answer remains “At this time there are no known exploits or vulnerabilities in the current version of WordPress.”

    If you really are concerned about this (and that’s not a bad thing BTW) start with this link.

    http://codex.ww.wp.xz.cn/Hardening_WordPress

    Often getting access to someone’s WordPress installation is a matter of just logging in after obtaining the password via brute force attempts. To guard against that give this article a read and ensure you have a good password.

    http://codex.ww.wp.xz.cn/Brute_Force_Attacks

    It contains some simple things to make your WordPress installation harder to brute force into.

    Not at all. The answer remains “At this time there are no known exploits or vulnerabilities in the current version of WordPress.”

    And to extend Jan’s answer – we do not have the ability to foresee what (if any) security issues might be found in WordPress in the future. One of the downsides of using open source software is that potential hackers can also download copies of the complete source code and try to pick it apart. If (and when) security issues are uncovered (often by white hat hackers), they are closed as quickly as possible and a core update is pushed out.

    At the end of the day, all you can do is to follow good security practices (as advised on the page that Jan linked to) and update WordPress as soon as a new version becomes available.

    Thread Starter Jon

    (@jonpaulwade)

    Thanks.

    Thread Starter Jon

    (@jonpaulwade)

    Following on from Jan’s post, if wp-login and /wp-admin only allow access from whitelisted IPs, brute force is not possible, is it?

    My concern is really about these cross script things (which I do not understand anywhere near as much as I understand the idea of only allowing people from a specific IP number / network).

    FTP is also locked down by my web host (again, IP whitelist or time based access).

    Moderator James Huff

    (@macmanx)

    if wp-login and /wp-admin only allow access from whitelisted IPs

    Correct, though I personally don’t recommend that, as your ISP could change your IP address at any time. IP blocks sound fool-proof, but when it comes to security, they are often the furthest from it.

    If you want to protect your login form from brute force attacks, this is the plugin for you: http://ww.wp.xz.cn/plugins/limit-login-attempts/ Don’t mind the warning about its age. It’s very simple, still works great, and is actually installed by default by many hosting providers.

    My concern is really about these cross script things

    Don’t be too concerned about them, just follow the best security practices, never disable auto-update, and let the WordPress security team handle those. When reports of such things are received, they’re usually patched within the day.
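The two controls the thread compares, an IP whitelist in front of wp-login.php and a lockout after repeated failed logins, can be seen side by side on sample data. The block below is an added example, not code from this thread or from the Limit Login Attempts plugin James links to: it implements a small sliding-window login limiter with an allowlist and replays it over constructed log lines (RFC 5737 documentation addresses; the log format, the thresholds and the class name LoginGuard are all assumptions made for the demo).

```python
"""Login-attempt limiter plus IP allowlist, replayed over constructed log lines.

Added example (not code from the thread or from the Limit Login Attempts
plugin).  Log format, thresholds, addresses and class names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed thresholds for the demo (the plugin's own defaults may differ)
MAX_FAILURES = 4          # failures tolerated inside the sliding window
WINDOW_SECONDS = 600      # window in which failures are counted
LOCKOUT_SECONDS = 1200    # how long an address stays locked out

# Constructed allowlist: the administrator's trusted network (RFC 5737 TEST-NET-2)
ALLOWLIST = [ip_network("198.51.100.0/24")]

# Constructed sample log: timestamp, client IP, result, username
SAMPLE_LOG = """\
2024-05-01T09:00:00 203.0.113.7 FAIL admin
2024-05-01T09:00:03 203.0.113.7 FAIL admin
2024-05-01T09:00:06 203.0.113.7 FAIL administrator
2024-05-01T09:00:09 203.0.113.7 FAIL admin
2024-05-01T09:00:12 203.0.113.7 FAIL root
2024-05-01T09:00:15 203.0.113.7 OK admin
2024-05-01T09:05:00 198.51.100.5 FAIL editor
2024-05-01T09:05:02 198.51.100.5 FAIL editor
2024-05-01T09:05:04 198.51.100.5 FAIL editor
2024-05-01T09:05:06 198.51.100.5 FAIL editor
2024-05-01T09:05:08 198.51.100.5 OK editor
2024-05-01T09:25:00 203.0.113.7 FAIL admin
"""


class LoginGuard:
    """Hypothetical limiter: allowlisted networks bypass counting, others are
    locked out once MAX_FAILURES failures fall inside WINDOW_SECONDS."""

    def __init__(self, allowlist=ALLOWLIST, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.allowlist = allowlist
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> epoch seconds when lockout ends

    def is_allowlisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def decide(self, ip, ts, success):
        """Return 'ALLOW', 'BLOCK' or 'LOCKOUT' for one login attempt."""
        if self.is_allowlisted(ip):
            return "ALLOW"            # trusted network bypasses the counter entirely
        until = self._locked_until.get(ip)
        if until is not None and ts < until:
            return "BLOCK"            # refused while the lockout is active
        if success:
            self._failures.pop(ip, None)
            return "ALLOW"
        recent = self._failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = ts + self.lockout
            recent.clear()
            return "LOCKOUT"          # this failure crossed the threshold
        return "ALLOW"                # failure counted, no lockout yet


def parse_line(line):
    """Split one constructed log line into (epoch seconds, ip, success, user)."""
    stamp, ip, result, user = line.split()
    return datetime.fromisoformat(stamp).timestamp(), ip, result == "OK", user


def replay(log_text, guard=None):
    """Feed every log line through the guard; return (ip, user, verdict) tuples."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.strip().splitlines():
        ts, ip, ok, user = parse_line(line)
        decisions.append((ip, user, guard.decide(ip, ts, ok)))
    return decisions


if __name__ == "__main__":
    for ip, user, verdict in replay(SAMPLE_LOG):
        print(f"{ip:14} {user:14} {verdict}")
```

The replay makes both of James's points visible: the unlisted address is locked out on its fourth failure and even its later correct password is refused until the lockout expires, while the allowlisted address is never counted at all, which is exactly why a whitelist fails closed against the administrator the moment the ISP hands them a new address, and why a lockout counter is the more forgiving control for the login form.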


The topic ‘Making WordPress more secure’ is closed to new replies.