Basic Wordpress security

souljazk

Yes yes, wordpress... Will do for now...

I know f all about security but I use the following tools to check my site and then make corrections as per Google:

Analyse your HTTP response headers (currently have an A+, started at F, but have 1 more header to implement).
/wp-login has 2FA + sec Q & will be moved to random name scheme.
Using WPScan to do a deeper scan of my site.
Firewall plugin that gives daily logs re file changes (helps me see that backups are being done as well);
Fairly well adjusted .htaccess
Protected wp-config


Implementing most of this article: https://sucuri.net/guides/wordpress-security/?utm_campaign=WordPress%20Security%20Email%20Course&utm_source=hs_automation&utm_medium=email&utm_content=66814851&_hsenc=p2ANqtz-_oLBiAMommxPv9PCC69YdO5NRskQfazchrYizaYPlhzpd8uJbUHnuyBMwRlHbelOXPg6w4vMFcJR839tuCudGm217ozQ&_hsmi=66814851#harrec?utm_source=HubSpot&utm_medium=Email&utm_campaign=WPSecurity_Course&utm_content=Email_7

Also implementing better SPF, DMARC & DKIM records to try to stop domain spoofing of my emails.

Any other suggestions from you wise men & women?
 
Some of the things we've done recently to help with Wordpress security, as we're constantly bombarded with botnets trying to gain access:
  • Change your wp-admin to something else, there is a plugin that handles this but we do it via nginx rules.
  • Make sure that login bans are in place so that if an IP tries to login more than 3 times incorrectly it is temporarily banned.
  • A great thing we did recently is if you have your site setup with Cloudflare, you can enable the Cloudflare country variable for PHP.
    Basically it is just a $_SERVER variable that you then have access to that allows you to check what country the visitor is from; we then basically ban every non South African IP from accessing wp-admin using Nginx rules.
  • If you have control over the web server your website runs on, switch to Nginx. It is easily a million times better than Apache in every single way and personally I find it's way easier to get set up just the way you want it. Nginx also can handle a lot more requests than an Apache server, so you're more able to handle high loads without freezing up.
  • As for passwords, forget about trying to remember your passwords, sign up for LastPass and start using 16-character passwords everywhere at a minimum. 2FA is a great second layer security measure too.
  • If your website isn't protected by Cloudflare then make that your highest priority; it's a godsend and can easily mitigate most DDoS attacks and keep botnets from hitting your site.
I think above all else the most important points I can think of are Cloudflare & Nginx.
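The Cloudflare country check on wp-admin and the 3-tries login ban from the post above, as an added Nginx example that is not the poster's own config. Assumed: Cloudflare fronts the site with IP Geolocation enabled, PHP-FPM listens on /run/php/php-fpm.sock, and the `wplogin` zone, `$admin_blocked` map variable and 203.0.113.0/24 placeholder range are names chosen here.

```nginx
# Added example (not from the thread). Three controls: real-IP restore behind
# Cloudflare, a per-IP rate limit on wp-login.php, and ZA-only access to wp-admin.

# ---- http {} context ----

# Restore the visitor IP. Without this, $remote_addr is a Cloudflare edge address
# and the login limiter below would throttle Cloudflare instead of the attacker.
# PLACEHOLDER range: replace with every range published at cloudflare.com/ips.
set_real_ip_from 203.0.113.0/24;
real_ip_header  CF-Connecting-IP;

# At most 3 requests per minute per visitor IP against the login page.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=3r/m;

# CF-IPCountry is only trustworthy when the origin accepts connections solely
# from Cloudflare; otherwise anyone can set the header. Allow ZA, block the rest.
map $http_cf_ipcountry $admin_blocked {
    default 1;
    ZA      0;
}

# ---- server {} context ----
server {
    # ... listen / server_name / root / generic PHP location omitted ...

    location = /wp-login.php {
        limit_req zone=wplogin burst=3 nodelay;   # a few extra page loads, then 429
        limit_req_status 429;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # admin-ajax.php is called by logged-out visitors and plugins; keep it reachable.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    location ^~ /wp-admin/ {
        if ($admin_blocked) { return 403; }        # geo-restrict the whole admin area
        try_files $uri $uri/ /index.php?$args;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }
}
```

Test with `nginx -t` and then a request to /wp-admin/ from a non-ZA address (or with the header absent) before relying on it; the 403 is logged like any other request, so failed attempts stay visible in the access log.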
 
"
  • As for passwords, forget about trying to remember your passwords, sign up for LastPass and start using 16 character passwords everywhere at a minimum, 2FA is a great second layer security measure too.
"

Just yesterday I was resetting a client's Dropbox & OneDrive... The receptionist tells me I MUST make it easier to remember... Told her no, not doing that & told her why. Put it in writing to the boss as well, to cover my ass in case they change it.

Unfortunately, people are just clueless...
 
Thanks for the 10/10 info guys. Will implement this on an NPO's site I've taken over pro bono recently. Last dev seems to have been using "Wordfence Web Application Firewall". Any comments on this or similar WAFs?

Sent from my SM-N950F using Tapatalk
 
It's well rated; how good it is though, I don't know. I use it & iThemes Security. Seems they work well together.
 
It is easy to put passwords in place with characters that resemble the actual number or letter. One must just remember to hold the [shift] key when typing the characters. Not always an easy feat when dealing with technophobes I think.
 
I work with a principle of avoiding legal liability as much as possible, i.e. the unique passwords I generate; refusing to change them (leaving that to the client if they want to go against what I've said); and putting what I've said in writing.

It's FAR too easy for someone to stand in court & say "I don't do IT, how must I know"... Which scares me.
 
Very true. Been through the whole court thing with generic passwords and data recovery. You get to see some freaky shit man.
 
Speaking of passwords, you can also check which hashing algorithm you are currently using. Last I checked, Wordpress was using MD5, which is considered too fast to be a hashing algorithm for storing passwords.

This won't be a problem if you have control over all passwords and you make them complex enough, but if users can create their own passwords then using a better algorithm is a good idea. In the event of a data breach, the passwords will take longer to crack.

Wordpress uses the portable PHP password hashing framework so you can switch to bcrypt (blowfish) quite easily.
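One way to make the bcrypt switch described above, as an added example that is not code from the thread or from WordPress itself: a must-use plugin that overrides the pluggable `wp_hash_password` and `wp_check_password` functions, keeps verifying existing phpass (`$P$`, MD5-based) hashes, and rehashes them to bcrypt on the next successful login. `BCRYPT_EXAMPLE_COST` and `bcrypt_example_store` are names chosen here; `PasswordHash` is WordPress's bundled class.

```php
<?php
/**
 * Plugin Name: Bcrypt password hashing (added example, not from the thread)
 *
 * Place in wp-content/mu-plugins/ so it is loaded before wp-includes/pluggable.php,
 * which only defines these two functions if nothing else has.
 */

const BCRYPT_EXAMPLE_COST = 12; // assumption: tune so one hash takes ~100 ms on your host

if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( $password ) {
        // bcrypt salts per hash and its cost is adjustable, unlike MD5-based phpass.
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => BCRYPT_EXAMPLE_COST ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( $password, $hash, $user_id = '' ) {
        $opts = array( 'cost' => BCRYPT_EXAMPLE_COST );

        if ( strncmp( $hash, '$2y$', 4 ) === 0 ) {
            $check = password_verify( $password, $hash );
            // Upgrade in place if the cost has been raised since this hash was made.
            if ( $check && $user_id && password_needs_rehash( $hash, PASSWORD_BCRYPT, $opts ) ) {
                bcrypt_example_store( $user_id, wp_hash_password( $password ) );
            }
            return apply_filters( 'check_password', $check, $password, $hash, $user_id );
        }

        // Legacy phpass hash: verify with WordPress's bundled PasswordHash, then migrate.
        require_once ABSPATH . WPINC . '/class-phpass.php';
        $hasher = new PasswordHash( 8, true );
        $check  = $hasher->CheckPassword( $password, $hash );
        if ( $check && $user_id ) {
            bcrypt_example_store( $user_id, wp_hash_password( $password ) );
        }
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}

/** Write the new hash straight to wp_users and drop the cached user object. */
function bcrypt_example_store( $user_id, $new_hash ) {
    global $wpdb;
    $wpdb->update( $wpdb->users, array( 'user_pass' => $new_hash ), array( 'ID' => (int) $user_id ) );
    clean_user_cache( (int) $user_id );
}
```

Hashes for users who never log in again stay phpass, so force a password reset for dormant accounts if you want every row migrated; bcrypt also ignores input beyond 72 bytes, which matters only for very long passphrases.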
 
