
How to make your Wordpress site secure?

  1. #1
    Join Date
    Apr 2016
    Posts
    167
    Thanks
    52
    Thanked 3 Times in 3 Posts
    Thumbs Up/Down
    Received: 14/0
    Given: 198/0

    How to make your Wordpress site secure?

    One of my WP sites got malware and I had to reinstall the WordPress CMS and plugins, but I still couldn't find out where it came from. Everything is fine now, but how do I avoid getting malware again? Can you guys share any tips to make a WordPress site secure?

  2. #2
    Join Date
    Apr 2016
    Location
    Perth, Australia
    Posts
    64
    Thanks
    1
    Thanked 18 Times in 15 Posts
    Thumbs Up/Down
    Received: 33/0
    Given: 4/0
    Hi Chris,

    Sorry to hear your Wordpress site was infected with malware.

    I'd recommend you install the Wordfence, Clef and Codeguard plugins. Wordfence will harden your site's security, Clef will lock access down and with Codeguard, you can get backups automatically taken so if your site does become infected again, you can restore the files or databases, at any time. You would have to sign up to a Codeguard plan, though.

    This guide is excellent: http://codex.wordpress.org/Hardening_WordPress

  3. #3
    Join Date
    Apr 2015
    Location
    South Carolina USA
    Posts
    1,007
    Thanks
    41
    Thanked 408 Times in 291 Posts
    Thumbs Up/Down
    Received: 326/4
    Given: 18/3
    Honestly, if you're concerned about security, I would recommend moving away from WordPress. It is so commonly used, it is the ideal target for hackers. When they find a way to hack the new version, they have essentially hacked thousands of websites since the same exploit can be applied to all WP sites running that version.

    If you want to stay with WP, then you need to be very diligent with updating WP and all of your plugins as soon as new versions are released.

  4. The Following User Says Thank You to RDO Servers For This Useful Post:
    Maxoq (05-16-2016)

  5. #4
    Join Date
    May 2016
    Location
    France
    Posts
    1,240
    Thanks
    67
    Thanked 282 Times in 225 Posts
    Thumbs Up/Down
    Received: 642/1
    Given: 258/0
    Using something other than WordPress.

    To be more serious, the first problem with WordPress is plugins and themes.
    - What plugins or theme do you use? Are some nulled?
    - Who coded them, and does he know how to code?
    - When was the last update? Are the plugins and theme totally compatible with WP 4.5?

    There are a lot of sites which report all security issues with WP themes and plugins, and I can only say there are a lot of issues.

    But before starting to investigate, check your server security:

    - Do you have CSP? -> http://content-security-policy.com/
    - Check your HTTP headers to see if you have XSS protection, X-Frame protection, etc.: https://tools.keycdn.com/curl
    - Analyze your logs to understand how you got the malware. What does it do? Is WordPress the problem?

  6. The Following User Says Thank You to VirtuBox For This Useful Post:
    Maxoq (05-16-2016)
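
A starting point for the log analysis suggested in the post above, added here as an example and not code from any poster in this thread. It assumes the Apache/Nginx "combined" access log format; the sample lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in "combined" log format; IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [16/May/2016:03:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2016:03:12:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2016:03:12:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2016:03:12:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/May/2016:03:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.20 - - [16/May/2016:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.20 - - [16/May/2016:08:00:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [16/May/2016:09:30:00 +0000] "GET /wp-content/uploads/2016/05/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [16/May/2016:09:30:05 +0000] "GET /wp-content/uploads/2016/05/cache.php?x=1 HTTP/1.1" 200 12 "-" "curl/7.47"
192.0.2.45 - - [16/May/2016:09:31:00 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 0 "-" "curl/7.47"
this line is not a log entry and is skipped
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def parse(lines):
    """Yield one dict per well-formed log line; anything else is ignored."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def triage(lines, login_threshold=5):
    """Return IPs hammering the auth endpoints and PHP served from uploads."""
    auth_posts = Counter()
    php_in_uploads = []
    for e in parse(lines):
        path = e["path"].split("?", 1)[0].lower()
        if e["method"] == "POST" and path.endswith(AUTH_ENDPOINTS):
            auth_posts[e["ip"]] += 1
        # The uploads directory should hold media only; a .php file answering
        # with 200 there is the first place to look when tracing an infection.
        if ("/wp-content/uploads/" in path and path.endswith(".php")
                and e["status"] == "200"):
            php_in_uploads.append(
                {"ip": e["ip"], "time": e["time"], "path": e["path"]})
    login_flood = {ip: n for ip, n in auth_posts.items() if n >= login_threshold}
    return {"login_flood": login_flood, "php_in_uploads": php_in_uploads}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for ip, n in report["login_flood"].items():
        print(f"{ip}: {n} POSTs to login/XML-RPC endpoints")
    for hit in report["php_in_uploads"]:
        print(f"{hit['time']} {hit['ip']} got 200 for {hit['path']}")
```

The timestamp of the first hit on a PHP file under uploads narrows the window in which to look for the request that put it there.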

  7. #5
    Join Date
    Dec 2015
    Posts
    167
    Thanks
    0
    Thanked 55 Times in 49 Posts
    Thumbs Up/Down
    Received: 95/0
    Given: 1/0
    The basics:
    Make sure the computers you use are free of spyware, malware, and virus infections.
    Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
    Use long passwords for your WordPress login. Preferably hard to guess, with numbers.
    Keep your WordPress and plugins up-to-date.
    If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
    When connecting to your server you should use SFTP encryption.

    Restrict access to your WordPress admin area
    Code:
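    # BEGIN RESTRICTION
    RewriteEngine On
    # Match wp-login.php anywhere in the path, or a URI that ends in wp-admin
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # Allowed client IP: put your address in place of xx.xxx.xxx.xxx, keeping each dot escaped
    RewriteCond %{REMOTE_ADDR} !^xx\.xxx\.xxx\.xxx$
    # Every other address gets 403 Forbidden
    RewriteRule ^(.*)$ - [R=403,L]
    # END RESTRICTION
    Place this in your .htaccess and replace "xx.xxx.xxx.xxx" with your IP.
    Also replace the wp-login bits if you have your backend hidden.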

    Don't use the "admin" username.
    Consider two-factor authentication.

    Plugins like iThemes and Wordfence definitely help.

    Always make sure Wordpress and plugins are up to date!

  8. The Following 2 Users Say Thank You to Localnode For This Useful Post:
    Julio (11-24-2016),regularjoe (05-05-2016)

  9. #6
    Join Date
    Feb 2015
    Posts
    231
    Thanks
    113
    Thanked 26 Times in 24 Posts
    Thumbs Up/Down
    Received: 36/0
    Given: 273/0
    Quote Originally Posted by leto12 View Post
    .....
    - Analyze your logs to understand how you got the malware. What does it do ? Is it wordpress the problem ?
    I have also heard of analyzing log files to find errors on your web hosting or websites, but I don't know where to start or how to find errors.

    Quote Originally Posted by Localnode View Post
    The basics:
    If you have an SSL certificate, connect to your WordPress admin login using HTTPS.
    I have never used SSL for my sites. Does it really help in securing your site? How?

    For SSL, how much would I pay for a year, or is it free?

  10. #7
    Join Date
    Dec 2015
    Posts
    167
    Thanks
    0
    Thanked 55 Times in 49 Posts
    Thumbs Up/Down
    Received: 95/0
    Given: 1/0
    Quote Originally Posted by Maxoq View Post
    I have also heard of analyzing log files to find errors on your web hosting or websites, but I don't know where to start or how to find errors.



    I have never used SSL for my sites. Does it really help in securing your site? How?

    For SSL, how much would I pay for a year, or is it free?
    Your host should be able to help you analyse the log files.

    An SSL makes sure the information you submit is encrypted, i.e. establishing an encrypted link between a web server (using an SSL) and a browser.
    So yes, it really helps secure your site.

    Some SSLs are free, and some are not. StartSSL and Let's Encrypt both offer free SSLs. My personal recommendation is paying the $10 or less per year for a paid SSL that has the widest compatibility. Plus it helps your Google ranking having an SSL.

  11. The Following User Says Thank You to Localnode For This Useful Post:
    David Makogon (05-17-2016)

  12. #8
    Join Date
    Nov 2014
    Posts
    25
    Thanks
    0
    Thanked 1 Time in 1 Post
    Thumbs Up/Down
    Received: 9/1
    Given: 2/0
    First of all, the most important thing to do is to change your default WordPress login page. It's such common knowledge for any hacker to add wp-login.php after the domain name to reach your login page. I use plugins to change my login page to some anonymous links so that hackers don't get any chance of coming near my website.

  13. #9
    Join Date
    May 2016
    Location
    France
    Posts
    1,240
    Thanks
    67
    Thanked 282 Times in 225 Posts
    Thumbs Up/Down
    Received: 642/1
    Given: 258/0
    Quote Originally Posted by noorucn View Post
    First of all, the most important thing to do is to change your default WordPress login page. It's such common knowledge for any hacker to add wp-login.php after the domain name to reach your login page. I use plugins to change my login page to some anonymous links so that hackers don't get any chance of coming near my website.
    It's not a good idea to change the WordPress login page, because using a plugin to do it means it can include some security breaches.
    Protecting it against brute force with a captcha or Nginx/Apache rules is a better solution.
    It's harder to properly brute-force a wp-login.php page than to try with SSH or FTP.

  14. #10
    Join Date
    Nov 2016
    Posts
    30
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Thumbs Up/Down
    Received: 13/1
    Given: 2/0
    Doing things like adding reCAPTCHA to login forms, disabling unused or unnecessary plugins and doing external audits with tools like wpscan are good baseline efforts.

    Choosing a web host that offers managed WordPress or is experienced in WordPress security is the next thing to consider. After you take precautions securing your site, you have to ensure the environment through which it is hosted is also secure to the best of their abilities.

  15. #11
    Join Date
    Nov 2016
    Posts
    12
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 7/0
    Given: 3/0
    I use wordfence on my blog and it works great but I also look for other means of securing my blog with plugins and htaccess code.

  16. #12
    Join Date
    May 2016
    Location
    France
    Posts
    1,240
    Thanks
    67
    Thanked 282 Times in 225 Posts
    Thumbs Up/Down
    Received: 642/1
    Given: 258/0
    Quote Originally Posted by Julio View Post
    I use wordfence on my blog and it works great but I also look for other means of securing my blog with plugins and htaccess code.
    Wordfence does nothing. You can read their TOS to see they apply security patches only 30 days later if you have no premium subscription.

  17. The Following User Says Thank You to VirtuBox For This Useful Post:
    Julio (11-23-2016)

  18. #13
    Join Date
    Nov 2016
    Posts
    12
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 7/0
    Given: 3/0
    I read about that but I really did not understand what they meant about the 30 days community patch.

    I installed it almost 2 weeks ago and did not look at it until yesterday. I might upgrade to the premium.

  19. #14
    Join Date
    May 2016
    Location
    France
    Posts
    1,240
    Thanks
    67
    Thanked 282 Times in 225 Posts
    Thumbs Up/Down
    Received: 642/1
    Given: 258/0
    Quote Originally Posted by Julio View Post
    I read about that but I really did not understand what they meant about the 30 days community patch.

    I installed it almost 2 weeks ago and did not look at it until yesterday. I might upgrade to the premium.
    That means when there is a security issue with WordPress, they will apply the patch only 30 days after the premium. So during this time, they don't protect your site at all.
    Upgrade to premium? If you have a VPS, all the Wordfence features can be set up with more settings for free.
    If you have shared hosting, don't try to make WP more secure, because you are already limited by your provider's settings, and shared hosting doesn't offer enough isolation between websites to make sure there are no risks.

  20. The Following User Says Thank You to VirtuBox For This Useful Post:
    Julio (11-24-2016)

  21. #15
    Join Date
    Nov 2016
    Posts
    12
    Thanks
    3
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 7/0
    Given: 3/0
    Thanks VirtuBox,

    I'll look into getting a VPS server then, since I'm already paying about the same as a VPS server.

  22. #16
    Join Date
    Dec 2016
    Location
    bogota
    Posts
    49
    Thanks
    0
    Thanked 1 Time in 1 Post
    Thumbs Up/Down
    Received: 19/1
    Given: 0/0
    Good day

    I recommend the following plugin for wordpress

    Wordfence.com

    It protects you from attacks, malware and many other threats

    If the security of your website is compromised

    Install the plugin, run a scan and indicate where the threat is, to remove it and secure your web

    Blessings

  23. #17
    Join Date
    Jul 2016
    Posts
    23
    Thanks
    14
    Thanked 4 Times in 4 Posts
    Thumbs Up/Down
    Received: 13/0
    Given: 16/0
    Quote Originally Posted by Colombiawebs View Post
    Good day

    I recommend the following plugin for wordpress

    Wordfence

    It protects you from attacks, malware and many other threats

    If the security of your website is compromised

    Install the plugin, run a scan and indicate where the threat is, to remove it and secure your web

    Blessings
    Wordfence is a good plugin to scan for malware and viruses on a WP site, but take care when removing it; if not, it will leave a dozen tables in your database and can make your database size bigger.

  24. #18
    Join Date
    Nov 2014
    Posts
    354
    Thanks
    16
    Thanked 24 Times in 20 Posts
    Thumbs Up/Down
    Received: 146/1
    Given: 99/0
    It's best for the provider to secure everything at the network/server level, thus saving resources used by hundreds or thousands of customers all running the same security plugins. Using many security plugins for WordPress just slows everything down. Sure, the odd one or two may help for very high traffic sites which are more likely to be targeted, but the majority of the commonly used plugins aren't needed, and attacks are usually best stopped at the network/server level using CSF, mod_security rules, LiteSpeed/Nginx/Varnish etc.

  25. #19
    Join Date
    Dec 2016
    Posts
    39
    Thanks
    0
    Thanked 1 Time in 1 Post
    Thumbs Up/Down
    Received: 28/0
    Given: 0/0
    Wordfence is recommended for securing WordPress. I have been using it for a long time and it does a tremendous job. Also, make sure to keep your WordPress, plugins and themes updated with the latest versions, otherwise even Wordfence may fail.

  26. #20
    Join Date
    Dec 2016
    Posts
    66
    Thanks
    0
    Thanked 13 Times in 10 Posts
    Thumbs Up/Down
    Received: 51/0
    Given: 11/2
    To be honest, all you need is vigilance. You have to make sure your core, plugins and themes are up to date and you have to ensure your plugins have active development. That plugin you installed 5 years ago? Go to its wp.org plugin page and if it says Last Updated: 3 years ago, you probably want to find something else that does the same job. Try to use as few plugins as you can and remove any themes you don't use. Your host should do the rest with (1) mod_security rules, (2) firewall rules and (3) malware scanning. Since we beefed up security years ago we went from seeing multiple malware tickets per day to maybe 1 a week. On 5000 sites with half running WP.

  27. #21
    Join Date
    Nov 2016
    Posts
    36
    Thanks
    6
    Thanked 0 Times in 0 Posts
    Thumbs Up/Down
    Received: 8/0
    Given: 35/0
    Quote Originally Posted by Laurence Flynn View Post
    malware scanning
    Are you sure malware scanning will work? I tried to install malware software that my host provider recommended, but after it was installed it took so long, more than 1 day, to scan, and no virus or malware was detected, while my site was flagged by Google because it contained malware and they had inserted links or posts into the WP site.

  28. #22
    Join Date
    Dec 2016
    Posts
    66
    Thanks
    0
    Thanked 13 Times in 10 Posts
    Thumbs Up/Down
    Received: 51/0
    Given: 11/2
    Your host should be doing a basic scan every day and a deep scan once a week. A basic scan just scans new files and a deep scan scans all files. On Linux this is easy with Maldet. If your host doesn't scan you should buy a malware detection scanner. This is just a web crawler usually and should only take a few minutes. However, there are many options and many are super pricey (like Detectify at $60/mo!). There are others like SiteLock, GeoTrust Anti-Malware but their basic packages scan limited pages. There's Sucuri at $200/yr. If your host doesn't have you covered then you should have something, especially running WP.
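
The basic-versus-deep distinction from the post above, as an added example; it is not Maldet and not the poster's tooling. It compares SHA-256 manifests instead of matching malware signatures, and the function names, timestamps and demo file tree are constructed for illustration.

```python
import hashlib
import os
import tempfile


def walk_files(root):
    """Yield (relative path, full path) for every file under root."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def basic_scan(root, last_scan_time):
    """Basic pass: only files modified after the previous scan."""
    return sorted(rel for rel, full in walk_files(root)
                  if os.path.getmtime(full) > last_scan_time)


def deep_scan(root):
    """Deep pass: hash every file, giving a manifest to store and compare."""
    return {rel: sha256_file(full) for rel, full in walk_files(root)}


def compare(baseline, current):
    """Diff two manifests produced by deep_scan()."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def write(root, rel, data, mtime):
    """Helper for the constructed demo tree: write a file with a fixed mtime."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.utime(full, (mtime, mtime))


def demo():
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", b"<?php // v1", 1000)
        write(root, "wp-content/uploads/a.jpg", b"img", 1000)
        baseline = deep_scan(root)      # manifest saved at the last deep scan
        last_scan = 2000
        write(root, "wp-content/uploads/new.php", b"<?php // new", 3000)
        write(root, "index.php", b"<?php // v2", 1000)  # changed, old mtime kept
        return basic_scan(root, last_scan), compare(baseline, deep_scan(root))


if __name__ == "__main__":
    print(demo())
```

In the demo the basic pass reports only the new file, while the manifest comparison also reports `index.php`, whose content changed without its modification time moving.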

  29. #23
    Join Date
    Dec 2016
    Posts
    26
    Thanks
    0
    Thanked 2 Times in 2 Posts
    Thumbs Up/Down
    Received: 13/0
    Given: 0/0
    Rename your mysql Wordpress tables from wp_* to something obscure.

  30. #24
    Join Date
    Feb 2017
    Location
    Guntur
    Posts
    190
    Thanks
    3
    Thanked 17 Times in 17 Posts
    Thumbs Up/Down
    Received: 124/1
    Given: 20/0
    How to secure WordPress is a good topic, let me add my inputs as well.

    1) Get SSL on the front end and back end as well
    2) Install a WordPress firewall or security plugin. If you are new to WP then stick with Wordfence, or else iThemes WordPress security or iControl WP simple firewall are more advanced.
    3) Change the WordPress prefix from wp_ to something else
    4) Restrict strong password to subscriber role, this is the least role on WP.
    5) Use a third party commenting system like Disqus or something else, this will eliminate users from becoming members on your WordPress installation
    6) Do regular scanning
    7) Avoid pirated or nulled or cracked plugins and themes
    8) If you are on a Windows computer or laptop, make sure that your system is clean and safe. Most malware gets into WordPress from your own system
    9) Disable directory indexing on your cPanel.
    10) Always have regular backups of your WordPress website, the plugins suggested above will do that job.

    The most important thing is, you need to harden WordPress and manage it. A lot of people say that WordPress gets hacked easily; it's true only if we are not managing it. We have dealt with lots of WordPress websites and our sites never got malware or hacked, because we manage things in the proper way. So no matter whether you follow the 10 points or not, management is important.

    Hope this time, you will take care of things, happy blogging.

  31. #25
    Join Date
    Jun 2017
    Posts
    197
    Thanks
    0
    Thanked 8 Times in 8 Posts
    Thumbs Up/Down
    Received: 28/0
    Given: 0/0
    If you have SSL certificates on your website it protects your sites from malware and other attacks. You can also use security plugins. The one that I can recommend is called Word Defense, which is available as free. This plugin stops unauthorized access to your websites. Since it provides IP of the person who is trying to hack your website, you can block the IP so that there will be no problem in the future.
