wordpress installations and security questions
Katy Martin
Steamboat Springs, CO
Jedi
Members

Community Member
Forum Posts: 109
Member Since:
December 12, 2012
1
March 25, 2014 - 8:50 pm

A developer friend of mine was telling me that using the one-click WordPress installation tools in most common hosting cPanel accounts is rife with problems and security issues. I have always installed WP this way. He was recommending a manual installation. What are your thoughts on this? Is this unnecessary fear, or is this method of installation truly a bad practice?

Secondly, I use iThemes BackupBuddy to replicate a lot of sites. In fact, I have a backup of a site that has all the generic changes I make to sites before I get into the custom design - and I use BackupBuddy to install this backup on new test domains to save several hours of work for nearly every new project. Are there security issues that I am ignorant of by using the same 'site' over and over?

Rick Anderson
Desert Hot Springs, CA
Admin
Forum Posts: 13637
Member Since:
November 8, 2009
2
March 28, 2014 - 10:50 am

No - you're fine.  The only thing you can do with a manual install is control the database prefix.  Otherwise there is no difference.

Controlling the database prefix has VERY marginal value - yes, it is always in the list of things to do - but, if they can hack your database you're sunk anyway.

This used to be an issue prior to the huge security updates of WordPress 2.9. MySQL injections can now only be accomplished if you are using an old plugin (or a deliberately evil plugin) that bypasses WordPress database communications.

The most important things to do for security are:

1.  Have strong passwords

2.  Keep WordPress, plugins and themes up to date

3.  Don't use plugins or themes from untrusted sources

In addition you can use a service like Sucuri to protect your site.

Katy Martin
Steamboat Springs, CO
Jedi
Members

Community Member
Forum Posts: 109
Member Since:
December 12, 2012
3
March 28, 2014 - 4:12 pm

Thanks so much for this reply. I appreciate how 'straight to the point' you are. Thanks again.

Rick Anderson
Desert Hot Springs, CA
Admin
Forum Posts: 13637
Member Since:
November 8, 2009
4
March 29, 2014 - 10:00 am

You're welcome Katy.

Lynne Route
New Hampshire
Jedi
Community Member

Members
Forum Posts: 65
Member Since:
March 2, 2015
5
September 25, 2015 - 12:15 pm

I am using your recommendations for a secure website. My password is extremely difficult, even for me to remember, and I have been using Sucuri and Limit Login Attempts for about 4 months. All was going well until a couple of weeks ago.

For the past week or so I have been under brute-force attack. My settings are to alert me when there are more than 30/hour. I have been receiving 10-20 such alerts each day. The good news is that according to the log, almost all attacks used a generic username. One cluster of alerts, on one day, had the correct username. But so far no crisis.

Should I be worried? Can this use up too many resources? Or should I just change my alert settings to a higher number of attempts per hour and not worry about it?

 

Thanks,

Lynne

Lynne Route
New Hampshire
Jedi
Community Member

Members
Forum Posts: 65
Member Since:
March 2, 2015
6
October 10, 2015 - 6:25 am

What do you hear about this plugin? "Disable XML-RPC plugin". Sucuri recommends it as a way to protect against brute-force attack.

Rick Anderson
Desert Hot Springs, CA
Admin
Forum Posts: 13637
Member Since:
November 8, 2009
7
October 13, 2015 - 10:39 am

I don't know anything about it but I would love to hear how it works for you.

Lynne Route
New Hampshire
Jedi
Community Member

Members
Forum Posts: 65
Member Since:
March 2, 2015
8
November 7, 2015 - 2:11 pm

I installed “Disable XML-RPC plugin” about a month ago and I have only received 1 brute-force attack message since then. At the time I was getting them daily, sometimes dozens of them.

I guess it worked?

Lynne Route
New Hampshire
Jedi
Community Member

Members
Forum Posts: 65
Member Since:
March 2, 2015
9
November 15, 2015 - 8:26 am

I just tried to enter my website admin and I received the message below. Should I be worried? How are other folks dealing with this Brute Force issue?

This page is temporarily not available and will be available soon.
Currently the wp-login.php script is under a heavy brute force attack. We have temporarily blocked access while the attack is present. Once the attack subsides access to this script will be restored.

We apologize for any inconvenience this may cause and appreciate your patience.
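
An added example, not part of the original thread: WordPress accepts credentials on both wp-login.php and xmlrpc.php, so a per-hour tally of POSTs to each endpoint in the web server access log shows which one the login attempts are arriving on and which hours cross the 30-per-hour alert level mentioned above. The Apache "combined" log format, the function names and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Threshold taken from the thread: alert when an hour has more than 30 attempts.
ALERT_PER_HOUR = 30
ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

# Assumed "combined" format: ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def login_posts_per_hour(lines):
    """Count POSTs to each login-capable endpoint, bucketed by clock hour."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable lines and page views are not login attempts
        path = m["path"].split("?", 1)[0]
        if path not in ENDPOINTS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(ts.strftime("%Y-%m-%d %H:00"), path)] += 1
    return counts

def hours_over_threshold(counts, limit=ALERT_PER_HOUR):
    """Return the (hour, endpoint) buckets that exceed the alert level."""
    return sorted(key for key, n in counts.items() if n > limit)

def build_sample():
    """Constructed sample log using documentation IP ranges, not real traffic."""
    fmt = '{ip} - - [07/Nov/2015:{hh}:{mm:02d}:00 -0800] "{req} HTTP/1.1" 200 512 "-" "-"'
    lines = [fmt.format(ip="203.0.113.9", hh="09", mm=i, req="POST /xmlrpc.php")
             for i in range(45)]
    lines += [fmt.format(ip="198.51.100.4", hh="09", mm=i, req="POST /wp-login.php")
              for i in range(12)]
    lines.append(fmt.format(ip="192.0.2.20", hh="10", mm=5, req="GET /wp-login.php"))
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    counts = login_posts_per_hour(build_sample())
    for (hour, path), n in sorted(counts.items()):
        flag = "ALERT" if n > ALERT_PER_HOUR else "ok"
        print(f"{hour} {path:15} {n:3d} {flag}")
```

If most of the volume is on xmlrpc.php, that is consistent with the drop in alerts reported after the XML-RPC endpoint was disabled.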

Lynne Route
New Hampshire
Jedi
Community Member

Members
Forum Posts: 65
Member Since:
March 2, 2015
10
December 6, 2015 - 8:24 am

My service provider changed my WordPress admin login for security reasons. I can get into admin but I am unable to have password protected pages on my site. My clients and even myself cannot open the password protected pages.

Is there a way to fix this?

 

Thanks,

Lynne

Forum Timezone: America/Los_Angeles
