Wordpress tips (if you go this route)


lonestarwood


I have been a Joomla guru for many years and had tons of websites based upon it because I didn't like the blog feel of Wordpress.  Now that Wordpress has caught up and made their CMS more website-like, I have switched.  I found too many vulnerabilities in the Joomla CMS and you had to constantly update the software and plugins which in the older versions was a pain.  Wordpress on the other hand will tell you what needs to be updated and with the click of a mouse will update everything and you are ready to roll.  Can't beat that.

 

On to my point:  IF you go the way of WP for your website, there are a few essentials that I would highly recommend before you publish page one of your site.  I install the following plugins on every site to ensure a fortress of protection against hacking and hijacking of your site (and I speak from experience), plus a couple of upgrades from what comes standard with WP as well:

 

1.  Bulletproof Security - FREE.  Download it, run it, follow the on-screen instructions.

2.  OSE Firewall - FREE.  Install it and run it.

3.  Contact Form 7 - FREE.  Allows you to set up a customized contact form and hides your email address so that you don't get spam from scripts seeking out email addresses.

4.  Really Simple Captcha - FREE - Accompanies the contact form and adds that annoying little box with the letter and number combos to ensure that whoever is contacting you is a real human and not a script fishing for you.

5.  Wordpress DB Manager - FREE.  Helps manage your DB if you ever have a crash.

6.  Wordpress Database Backup - FREE - Backs up your entire DB so if you DO get hacked you have a backup to help restore the files.

7.  Better WP Security - FREE.  Additional security for your WP site.

8 and 9.  IF you are going to promote yourself through your wordpress site, I suggest Wordpress SEO and / or All In One SEO Pack to aid in getting you noticed out on the web.

 

The ones I have in bold should be imperative; the others are personal preference, but highly useful.  Never think you need it until something happens and you DON'T have it.

 

Oh, your password for your site should not be anything easy.  Upper case and lower case letters and numbers mixed with symbols are the best.

 

Just my two cents.  I had a couple of my sites hacked before I learned about these security features.  I get around 15-30 attack attempts a day because my sites are on some hack list in Russia and hackers LOVE Wordpress.

 

Anyone have something to add I may have missed?


Very useful information lonestar. Though most people just want to blog, it's a big bad world, and certain precautions are unfortunately very necessary.

 

Most successful attacks are caused due to:

1. Server vulnerabilities

2. Through FTP access

3. Through the web site.

 

The first is the most difficult to cure. You have to choose a reputable provider. In this case one that specialises in Wordpress software, or at least PHP based software. The cheap and very uncheerful providers simply don't harden the servers enough, and viruses and malware get passed from one server to another internally. There is one famous provider in Italy that is extremely cheap - but also has the highest number (by percent) of infested servers.

 

The second gateway is through the FTP connection. If that is cracked (I prefer the term cracker to hacker) then practically anything can be modified, including the database. Protect your FTP connection with a different user name and password than that of the site.

 

The third gateway is the site itself. Other than the PHP software itself, you can protect your site through some careful modifications to the web server access file; if it's Apache (which is extremely probable) this is the .htaccess file.

 

There's an interesting article on the Wordpress site which also discusses some of the .htaccess file modifications which help.

 

None of this will stop denial of service (DoS) or similar attacks however, which simply overwhelm the server with requests, thus stopping the site being available to valid users. This is normally achieved by running malware on several hundred PCs connected to the internet, unbeknown to their owners. Here you must remember that when you are connected to the internet, the internet is connected to you, so protect your computer too, if you can.

 

John

 

 


I would also suggest folks look up the basics of "hardening Wordpress." There are simple modifications you can make to your htaccess file and database tables that will make it harder to be hacked, or at least less likely. You'll also find instructions for setting proper folder/file permissions.

And while Bulletproof Security is a capable plugin, be careful with it. It is very aggressive and can affect general usability and access for legit users. It can also conflict with other plugins. But configured properly for your installation, it can be good.

Finally, if you can, test your database backups. A backup isn't really a backup until you verify that it actually works. Personally I have found making my own full database backups to be more reliable and versatile than auto-generated backups. And I have had the opportunity to test this more times than I care to admit. :)


I agree with both of the previous posts.  I forgot to add the link to the site that has a pretty good script to add to the .htaccess file.  BPS Security is aggressive, which is why I install it first; that way if there are any issues, I will see them ahead of time.  Also it is imperative to keep WP and plugins updated.

 

Here is the link to the htaccess I use.  This guy is pretty thorough.  http://perishablepress.com/5g-blacklist-2013/


Holy Cow! I don't want to even begin to try and explain what I went through this morning when my site crashed (my fault). I was messing around with the SEO settings and installed another SEO plugin, which caused my site to crash. I then had to figure out how to disable plugins via the PHP file. I changed my PHP password and could not get my page to load. I was supposed to have a backup last night but I may have configured Dropbox incorrectly. In the end I ended up having to enter the new password in the php-config file in the file manager. What a mess, it has been a very stressful morning!!!! :o


My only recommendation would be to not trust plugins in general. I'm a senior PHP developer by day, and I'm responsible for all my company's WordPress installations. We enacted a policy a few years back of no longer using plugins written by people outside the company. The main reasoning for this was that when we started auditing the plugins we had installed we found a lot of security holes and inefficiencies (the main one being code bloat).

 

Personally I'd say if you are using Akismet and you have passwords that are at least 12 characters long and contain special characters, numbers, lower and uppercase letters you are good to go. I use Contact Form 7 on my personal blog, but I'm seriously considering getting rid of it, because it seems to have new revisions way too often.

Thanks for the info Dan. I am just not well versed in PHP nor do I have the time to learn it right now. I do use some of the plugins and would like better SEO optimization, any suggestions?


For SEO you need to focus on 2 things:

 

1. Key words

2. The meta description

 

For key words, the easiest thing to do is just use WordPress tags. So if you are on a single post page, get the tags for that post and use those as the key words. If you're on an archive/index page, get a list of all the tags, and then list out the top dozen or so (Google seems to ding you if you have too many key words).

 

For the description it's similar.

On a single page just use the first few sentences of the post, no more than 160 characters. On an index or archive just describe it. Tags and categories have a description field by default; all you have to do is fill it out when you make a new one and then make sure you echo it out in the template.
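Here is an added example (my own, not Dan's code) of the description rule above as a theme function: on a single post it takes the opening sentences of the content trimmed to 160 characters, on a tag or category archive it uses the term's description field, and it escapes the value with esc_attr() before echoing it into the meta tag so post content cannot break out of the attribute. The function names getPageDescription and printMetaDescription are my own; it assumes it runs inside a WordPress theme where the WP API is loaded.

```php
<?php
// Added example, not from the thread. Assumes WordPress is loaded (theme context).

function getPageDescription( $limit = 160 ) {
    $text = '';
    $obj  = get_queried_object();

    if ( is_singular() && $obj instanceof WP_Post ) {
        // Single post: plain text of the content, shortcodes and HTML removed.
        $text = wp_strip_all_tags( strip_shortcodes( $obj->post_content ) );
    } elseif ( ( is_tag() || is_category() ) && $obj instanceof WP_Term ) {
        // Archive: tags and categories carry a description field; use it.
        $text = wp_strip_all_tags( $obj->description );
    }

    // Collapse whitespace so line breaks in the editor do not leak into the tag.
    $text = trim( preg_replace( '/\s+/', ' ', $text ) );

    if ( mb_strlen( $text ) > $limit ) {
        // Cut at the limit, then back up to the last sentence end that still fits.
        $cut = mb_substr( $text, 0, $limit );
        $end = false;
        foreach ( array( '. ', '! ', '? ' ) as $punct ) {
            $pos = mb_strrpos( $cut, $punct );
            if ( $pos !== false && ( $end === false || $pos > $end ) ) {
                $end = $pos;
            }
        }
        $text = ( $end !== false ) ? mb_substr( $cut, 0, $end + 1 ) : rtrim( $cut );
    }
    return $text;
}

function printMetaDescription() {
    $desc = getPageDescription();
    if ( $desc === '' ) {
        return; // Nothing to say; an empty description tag helps nobody.
    }
    // esc_attr() is the WordPress escaper for attribute context.
    echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
}
```

Call printMetaDescription() from the theme's header.php inside the head element.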


All of this just makes me feel like a Re-Re  <_<.  My BWT site is WP and I don't have any security features (nobody get any wise ideas!!)  The farther down this road I go, the more I feel I need to have someone who knows what they're doing to set things up....

 

Thanks for the info!  I'll be doing more reading and updating tomorrow :) !!


For managing those long passwords with special characters I've been using 1Password ( https://agilebits.com/onepassword ) for a few years.  It generates long random character passwords and will fill in the logon screen with it. You only need to remember the password to unlock 1Password on your computer.


Thanks Dan, any quick and dirty guide for WP tags?

 

I assume you mean how to get a list of the ones from the current page?

 

If so, try this:

function getPageTags(){
    global $wp_query;
    $ids  = array();
    $tags = array();
    // Collect the IDs of every post on the current page (one on a single post, many on an archive).
    foreach ($wp_query->posts as $val){
        $ids[] = $val->ID;
    }
    if(!empty($ids)){
        $terms = wp_get_object_terms($ids, 'post_tag');
        // wp_get_object_terms() returns a WP_Error on failure, not an array, so check before looping.
        if(is_array($terms)){
            foreach ($terms as $val){
                $tags[] = $val->name;
            }
        }
    }
    if(count($tags) >= 1){
        // Rank tags by how often they appear and keep the top 15 as a comma-separated list.
        $tags = array_count_values($tags);
        arsort($tags);
        $tags = array_slice($tags, 0, 15);
        $tags = implode(", ", array_keys($tags));
    }else{
        $tags = '';
    }
    // Escape for attribute context before echoing into the <meta> tag.
    echo esc_attr($tags);
}