Best setup to lock down WordPress sites

SenseiSteve

HD Moderator
Staff member
We all know that WordPress websites can be messy when it comes to securing/recovering them from malicious attacks, AND we've seen lots of web hosting providers offering WordPress hosting, even though some of them are really just offering the same old shared hosting packages under a different name.

I've seen a lot of piecemeal recommendations on how to best address this, but I wanted to start a thread dedicated to addressing WordPress security - all by its lonesome.

All advice is welcome.
 
Well, there are a zillion ways to harden your WordPress installation, but you might want to start with the following.

  • Keep WordPress up-to-date
  • Keep plugins and themes up-to-date
  • Delete any plugins that are not in use
  • Avoid using nulled themes and plugins.
  • Back up your site regularly in case you have to revert to a safe site.
  • Change file permissions of folders to 755
  • Change your admin URL path
  • Don’t use “admin” or any other predictable username.
  • Change your password often and use a hardened password
  • You may also need to add two-step authentication.
  • Limit logins to reduce the chances of brute force attacks.
 
There are many ways of going about securing WordPress. There are multiple ways and combinations; it's just all about how good a job you want to do and how much time/effort you put into doing so. It's all about budget and what type of audience you will be dealing with.

The number one best thing you could do with WordPress is to ensure it's up to date at all times, and so are the plugins. Also, don't try using too many plugins. Lastly, always remove any outdated plugins, just like what was mentioned above.
 
I would also add that it is worth providers offering Managed WordPress Hosting and consumers paying a little bit more to keep their installations secure and well maintained.
 
I would also add that it is worth providers offering Managed WordPress Hosting and consumers paying a little bit more to keep their installations secure and well maintained.

Because of the popularity of WordPress among shared hosting customers, we decided to just offer free WordPress hardening services for any user that needs it. We take it upon ourselves to harden any website we find vulnerable. Of course, we inform the client in question of the measures we will be taking to secure their site.
 
Well, there are a zillion ways to harden your WordPress installation, but you might want to start with the following.

  • Keep WordPress up-to-date
  • Keep plugins and themes up-to-date
  • Delete any plugins that are not in use
  • Avoid using nulled themes and plugins.
  • Back up your site regularly in case you have to revert to a safe site.
  • Change file permissions of folders to 755
  • Change your admin URL path
  • Don’t use “admin” or any other predictable username.
  • Change your password often and use a hardened password
  • You may also need to add two-step authentication.
  • Limit logins to reduce the chances of brute force attacks.

These suggestions are good and I would add the following:

  • Enable SSL, even if it is just for the admin section.
  • If you have a fixed IP address that you're accessing the site from, you can lock down the admin section to it.
 
Well, there are a zillion ways to harden your WordPress installation, but you might want to start with the following.

  • Keep WordPress up-to-date
  • Keep plugins and themes up-to-date
  • Delete any plugins that are not in use
  • Avoid using nulled themes and plugins.
  • Back up your site regularly in case you have to revert to a safe site.
  • Change file permissions of folders to 755
  • Change your admin URL path
  • Don’t use “admin” or any other predictable username.
  • Change your password often and use a hardened password
  • You may also need to add two-step authentication.
  • Limit logins to reduce the chances of brute force attacks.

This is a pretty good list. One more I would add is password protecting or IP limiting the wp-admin folder (e.g. using .htaccess).
 
  • Keep WordPress up-to-date
  • Keep plugins and themes up-to-date
  • Delete any plugins that are not in use
  • Avoid using nulled themes and plugins.
  • Back up your site regularly in case you have to revert to a safe site.
  • Change file permissions of folders to 755
  • Change your admin URL path
  • Don’t use “admin” or any other predictable username.
  • Change your password often and use a hardened password
  • You may also need to add two-step authentication.
  • Limit logins to reduce the chances of brute force attacks.

  • Enable SSL, even if it is just for the admin section.
  • If you have a fixed IP address that you're accessing the site from, you can lock down the admin section to it.

These suggestions are really good.

To add on to both of them: you can change the database prefix from "wp" to something else when installing; Softaculous provides this option.
You can also change it after installation, which is slightly trickier.

There are multiple security plugins for WordPress; one of my favourites is iThemes.
2-factor authentication should not be overlooked. It was mentioned before, but it's a seriously good suggestion. iThemes has this option (in the paid version), but there are free plugins for this.
Don't use old plugins!

To restrict access to your admin area from certain IP addresses, add the following to the .htaccess file in your WordPress installation directory, replacing xx.xxx.xxx.xxx with your IP address (keep the backslashes before the dots so they match literally).
Code:
# BEGIN RESTRICTION
RewriteEngine On
# Protect the login page and everything under wp-admin
# (this includes wp-admin/admin-ajax.php, which some front-end plugins call)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# ...unless the request comes from the allowed IP
RewriteCond %{REMOTE_ADDR} !^xx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
# END RESTRICTION

Naturally, if you have changed any of the default settings to something else, you will need to change it in the above code.
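As an added example (not from this post, nor from any WordPress plugin), here is a small Python helper that renders the same restriction block for one or more allowed IPs and dry-runs the rule's decision with the same regular expressions, so you can check before deploying what happens to a renamed login path or to a front-end call to wp-admin/admin-ajax.php. It validates each address with the ipaddress module so the xx.xxx.xxx.xxx placeholder cannot slip into production. The function names and the RFC 5737 sample addresses are my own assumptions.

```python
import ipaddress
import re

# Added example: builds and dry-runs the wp-admin/wp-login.php IP restriction.
# All addresses below are constructed (RFC 5737 documentation ranges).


def _escape_dots(s):
    """Make '.' literal for both mod_rewrite (PCRE) and Python's re."""
    return s.replace(".", r"\.")


def _patterns(allowed_ips, login_path, admin_path):
    """Return (uri_regexes, remote_addr_regex) usable by mod_rewrite and re."""
    if not allowed_ips:
        raise ValueError("need at least one allowed IP, or you lock yourself out")
    # ip_address() rejects junk such as the 'xx.xxx.xxx.xxx' placeholder
    addrs = [_escape_dots(str(ipaddress.ip_address(ip))) for ip in allowed_ips]
    uri_regexes = [
        f"^(.*)?{_escape_dots(login_path)}(.*)$",    # the login page itself
        f"^(.*)?{_escape_dots(admin_path)}(/.*)?$",  # /wp-admin and everything under it
    ]
    return uri_regexes, "^(" + "|".join(addrs) + ")$"


def render_admin_restriction(allowed_ips, login_path="wp-login.php", admin_path="wp-admin"):
    """Render the .htaccess block. Override login_path/admin_path if the
    admin URL was changed from the WordPress defaults."""
    uri_regexes, addr_regex = _patterns(allowed_ips, login_path, admin_path)
    lines = ["# BEGIN RESTRICTION", "RewriteEngine On"]
    # URI conditions are OR-ed together; the last one carries no [OR] flag
    for i, rx in enumerate(uri_regexes):
        flag = " [OR]" if i < len(uri_regexes) - 1 else ""
        lines.append(f"RewriteCond %{{REQUEST_URI}} {rx}{flag}")
    # ...AND the client must not be on the allow list
    lines.append(f"RewriteCond %{{REMOTE_ADDR}} !{addr_regex}")
    lines.append("RewriteRule ^(.*)$ - [R=403,L]")
    lines.append("# END RESTRICTION")
    return "\n".join(lines) + "\n"


def would_block(uri, remote_addr, allowed_ips, login_path="wp-login.php", admin_path="wp-admin"):
    """Dry run of the rule: True if this request would receive a 403."""
    uri_regexes, addr_regex = _patterns(allowed_ips, login_path, admin_path)
    protected = any(re.search(rx, uri) for rx in uri_regexes)
    return protected and not re.search(addr_regex, remote_addr)


if __name__ == "__main__":
    office = ["203.0.113.5", "198.51.100.7"]  # constructed allow list
    print(render_admin_restriction(office))
    for uri in ("/wp-login.php", "/wp-admin/admin-ajax.php", "/index.php"):
        print(uri, "from outside ->", "403" if would_block(uri, "192.0.2.9", office) else "allowed")
```

The dry run is the part worth keeping around: if the site renames its login page, `would_block("/wp-login.php", ...)` with the new `login_path` returns False, which is exactly the "you will need to change it in the above code" situation the post warns about.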
 
We've put various features in place to ensure our WordPress hosting is up there with the best.

1. Softaculous is set up so that the table prefix is random and not WP. We've also tried to ensure that "admin" is not selected as the default admin name.

2. We have Patchman, which spots vulnerable scripts in WordPress core and templates and patches them (having first given the customer a heads-up about what will happen and the choice of fixing them first).
This is less likely to break the script than forcing an update.
That said, we recommend updates, and Softaculous can automate them if you are feeling lazy.

3. Hourly R1Soft backups.
Nothing gives me more peace, should a site become compromised, than knowing I have hundreds of restore points to which I can regress.

4. LiteSpeed web server (or NGINX/Apache on VPS). LiteSpeed, with LSCache, ensures that your site is snappy!!
(LiteSpeed are due to release a WordPress cache plugin soon, which could be a big game changer.)

5. CloudLinux with CageFS. If one user gets compromised, we're confident that our other users remain safe.

6. CloudLinux OptimumCache keeps your WordPress files cached longer, minimising disk I/O and keeping your site fast.

7. We also have a special feature, our Security-Robot: a log trawler which is owner aware.
If an IP tries to log into WordPress instances which belong to different people (not different users, different payment sources), you immediately know that it is a hacker and can ban that IP after only two connection attempts.
(When combined with the fact that we use 50 different class C IP ranges on each of our shared servers, the hackers don't know which IPs are connected to a given server, so their "only use an IP once per server" trick doesn't work.)

8. We use BitNinja, which keeps the majority of the naughty people out.

Whilst you could say this is just shared hosting "called something else", it's pretty damned good.
(But then we don't call it anything else, just shared hosting.)
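To show what the "limit logins" suggestion earlier in the thread and the owner-aware log trawler described in point 7 look like in code, here is an added Python example. It is not the host's Security-Robot and is not from this thread; the vhost log format, the site names, the owner map and every IP address are constructed for the example (RFC 5737 ranges), and the function names are my own. It reads login POSTs from the log, flags an IP as soon as it has tried the logins of two different owners (not two sites of the same customer), and separately flags plain per-IP brute force once failed attempts reach a threshold.

```python
import re
from collections import defaultdict

# Added example of an owner-aware login-log trawler; not the host's product.
# Constructed vhost log format: %v %h %l %u %t "%r" %>s %b
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Which customer (payment source) owns which site. alice has two sites, so
# one IP logging into both of them is NOT cross-owner activity.
OWNERS = {
    "alice-blog.example": "alice",
    "alice-news.example": "alice",
    "bob-shop.example": "bob",
    "carol-site.example": "carol",
}

# Constructed sample log: one cross-owner IP, one legitimate multi-site admin,
# and one IP hammering a single site.
SAMPLE_LOG = """\
alice-blog.example 203.0.113.9 - - [10/Mar/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
bob-shop.example 203.0.113.9 - - [10/Mar/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
alice-blog.example 198.51.100.4 - - [10/Mar/2016:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2104
alice-blog.example 198.51.100.4 - - [10/Mar/2016:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
alice-news.example 198.51.100.4 - - [10/Mar/2016:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
carol-site.example 192.0.2.77 - - [10/Mar/2016:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
carol-site.example 192.0.2.77 - - [10/Mar/2016:10:06:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
carol-site.example 192.0.2.77 - - [10/Mar/2016:10:06:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
carol-site.example 192.0.2.77 - - [10/Mar/2016:10:06:03 +0000] "POST /wp-login.php?action=login HTTP/1.1" 200 3521
carol-site.example 192.0.2.77 - - [10/Mar/2016:10:06:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
carol-site.example 192.0.2.77 - - [10/Mar/2016:10:06:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
this line is not in the expected format and is skipped
"""


def parse(log_text):
    """Yield (vhost, ip, method, path, status) per line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["vhost"], m["ip"], m["method"], m["path"], int(m["status"])


def login_attempts(log_text, owners=OWNERS):
    """Per IP: the set of owners whose login pages it POSTed to, and the number
    of failed attempts. WordPress re-renders the form with 200 on a failed login
    and answers a successful one with a 302 redirect, so 302 counts as success."""
    owners_hit = defaultdict(set)
    failures = defaultdict(int)
    for vhost, ip, method, path, status in parse(log_text):
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        owners_hit[ip].add(owners.get(vhost, vhost))  # unknown vhost: its own owner
        if status != 302:
            failures[ip] += 1
    return owners_hit, failures


def suspicious_ips(log_text, max_failures=5, owners=OWNERS):
    """Return {ip: reason}. 'cross-owner' fires after just two attempts if they
    hit two different owners; 'brute-force' when failures reach max_failures."""
    owners_hit, failures = login_attempts(log_text, owners)
    verdict = {}
    for ip, hit in owners_hit.items():
        if len(hit) >= 2:
            verdict[ip] = "cross-owner"
        elif failures[ip] >= max_failures:
            verdict[ip] = "brute-force"
    return verdict


if __name__ == "__main__":
    for ip, why in sorted(suspicious_ips(SAMPLE_LOG).items()):
        print(f"{ip}: {why}")
```

Note that 198.51.100.4 is never flagged: it touched two sites, but both belong to alice, which is the distinction the post draws between different users and different payment sources. The ban itself (firewall rule, BitNinja, fail2ban action) is deliberately left out; the function just returns the verdicts.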
 
At the risk of making myself look silly.

LiteSpeed had already released their LiteSpeed Plugin around 2 weeks ago.

It's a simple "purge the correct cache" plugin at the moment.
But with promised ESI includes in the future (like LiteMage), it will likely be able to cache visitors and logged-in users, making this a possible "must have" for community sites.
 
It's easy to clean WordPress of viruses. If you are using WordPress hosting, it won't help to protect it from viruses; instead, you can use the security plugins for WordPress.
 
Forcing the latest updates on users might be a starting point. Softaculous is useful for one-click updating of many scripts and I think should be encouraged. However, its default DB prefix should be edited.

Other than that, I saw a security measure on Eleven2. They ask the visitor to solve a simple math question to enter wp-login.php. This is useful to prevent bots' brute force attacks on wp-login.
 
A major security flaw comes when you use third-party WordPress plugins. As a hosting provider, you cannot control your customers' use of plugins.

Any vulnerable plugin or infected site can create problems for others even if you tweak the server with the necessary security measures. It is recommended that customers have regular backups of their websites.
 
A major security flaw comes when you use third-party WordPress plugins. As a hosting provider, you cannot control your customers' use of plugins.

Any vulnerable plugin or infected site can create problems for others even if you tweak the server with the necessary security measures. It is recommended that customers have regular backups of their websites.

Also, the number of clients that do not update their scripts can cause an issue.

Like now: WP is at version 4.4.2 and I still have clients using version 4.1, even after the various reminders to update.

Looks like another day of me manually updating these scripts through Softaculous.
 
A major security flaw comes when you use third-party WordPress plugins. As a hosting provider, you cannot control your customers' use of plugins.

Any vulnerable plugin or infected site can create problems for others even if you tweak the server with the necessary security measures. It is recommended that customers have regular backups of their websites.

I think that is why you should have in your TOS a clause that empowers you to update WordPress for your clients where reminders to them to do so have not worked and you notice a security problem with their websites. Of course, as a good practice you would still have to engage them before you do it for them. A full backup before the update is a must too.
 
These suggestions are really good.

To add on to both of them: you can change the database prefix from "wp" to something else when installing; Softaculous provides this option.
You can also change it after installation, which is slightly trickier.

There are multiple security plugins for WordPress; one of my favourites is iThemes.
2-factor authentication should not be overlooked. It was mentioned before, but it's a seriously good suggestion. iThemes has this option (in the paid version), but there are free plugins for this.
Don't use old plugins!

To restrict access to your admin area from certain IP addresses, add the following to the .htaccess file in your WordPress installation directory, replacing xx.xxx.xxx.xxx with your IP address (keep the backslashes before the dots so they match literally).
Code:
# BEGIN RESTRICTION
RewriteEngine On
# Protect the login page and everything under wp-admin
# (this includes wp-admin/admin-ajax.php, which some front-end plugins call)
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# ...unless the request comes from the allowed IP
RewriteCond %{REMOTE_ADDR} !^xx\.xxx\.xxx\.xxx$
RewriteRule ^(.*)$ - [R=403,L]
# END RESTRICTION

Naturally, if you have changed any of the default settings to something else, you will need to change it in the above code.

You can also use some plugins like Firewall 2 and Anti-Malware from GOTMLS.NET.
 
Well, there are a zillion ways to harden your WordPress installation, but you might want to start with the following.

  • Keep WordPress up-to-date
  • Keep plugins and themes up-to-date
  • Delete any plugins that are not in use
  • Avoid using nulled themes and plugins.
  • Back up your site regularly in case you have to revert to a safe site.
  • Change file permissions of folders to 755
  • Change your admin URL path
  • Don’t use “admin” or any other predictable username.
  • Change your password often and use a hardened password
  • You may also need to add two-step authentication.
  • Limit logins to reduce the chances of brute force attacks.

Nice list!!! You can also use plugins for security like WP Security!
 