• I’ve used WP on a number of my own sites for a while but now I’m doing one for a ‘client’ and the idea of decent security has come back to the front of my mind. I’ve read the ‘Hardening WordPress’ article but to be honest it asks more questions than it answers:

    WP Security Scan, which that article recommends, isn’t available for the most recent version of WP. Since it’s littered with warnings about making sure you get it right for the version it IS supposed to run with, I don’t fancy just ‘having a go’ with a WP version it isn’t supported on!

    Similarly, WordPress Firewall has “not been tested with your current version of WordPress”.

    And to add insult to injury AskApache Password Protect has also not been tested with latest WP version.

    Going down the list I come to Security through Obscurity. Nope, it isn’t the best way, but since none of the above can work for me this is where I’m at. First idea sounds sensible – ‘rename the admin account’. And it says you can use phpMyAdmin to do it, great, I have that. But _how_? Nope, not a word.

    Backups. At last, something that I can use – right, I now have backups of my database and my file structure. Doesn’t seem like a lot though, that the only thing I appear to be able to do to increase security is to simply copy files in case something happens! Surely security is an important enough issue that there should be plugins available that work on the latest release of WP, or at least instructions on how to manually perform the tasks these plugins do. Will WP3 remove some of this worry, or am I just thick :o(

Viewing 3 replies - 1 through 3 (of 3 total)
  • I use the WP Security plugin with the latest version. The thing with this plugin is that it doesn’t really add security, it just checks. What it does do is ‘security through obscurity’ by hiding the version in the source of the blog and it has a nice feature about which more below.
    I use an ages old version of Ask Apache and I only use it to protect the wp-admin and wp-includes folders with an htaccess password. This can also be done manually. There are plenty of instructions on the www, but I preferred to have Ask Apache do it for me.

    The easiest way to change the default “admin” user, is to make a new user, promote it to administrator and delete the old user named “admin”.

    Another smart thing is to not use the default table prefix wp_. You can do that yourself when you install WP, since in the wp-config file you can choose the table prefix. If you have an up-and-running installation the WP Security plugin can do it for you. Be sure to make a backup before you try, because when this goes wrong (and it did with me), your entire database is wrecked. It wasn’t extremely difficult to edit, but it cost some sweat.

    Most plugins work with the latest version. It is just that with every dot.something (2.9.2 or so) all plugins are no longer tested with the latest version. When the info says that it works with 2.9, that is enough for me. When the info in the plugin repository has 2.7, I wouldn’t use the plugin.

    Endnote: you’re looking at some pretty ‘hefty’ plugins. Changing the table prefix is quite something, Ask Apache runs a whole lot of tests and gives a whole lot of features. When you have everything doing what it should, your blog will be a lot harder to hack, but it is a path to walk with care. That shouldn’t prevent you from walking it though! Quite the contrary actually.
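What the table-prefix change in the reply above actually has to touch, as an added example that is not from this thread, from WP Security Scan or from AskApache: a Python helper that generates the MySQL statements for a single-site install (the core table list, the `wp_` to `x9z_` prefixes and the prefix character check are assumptions). It includes the two rows that are easy to miss and that account for the “wrecked database” the reply warns about, the `user_roles` option and the prefixed usermeta keys.

```python
import re

# Core tables of a single-site WordPress install (constructed list; on a live
# database enumerate them with: SHOW TABLES LIKE 'wp\_%').
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "terms", "term_relationships", "term_taxonomy", "usermeta", "users"]

# Same character set WordPress accepts for $table_prefix: letters, digits, underscore.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def like_escape(prefix):
    """Escape '_' so MySQL LIKE matches it literally instead of as a wildcard."""
    return prefix.replace("_", r"\_")


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Ordered MySQL statements moving a WordPress database from prefix `old`
    to `new`.  Renaming the tables alone leaves WordPress unable to find the
    role map (option `<prefix>user_roles`) or any user's capabilities (usermeta
    keys `<prefix>capabilities`, `<prefix>user_level`): every login then lands
    on a site with no administrator, the classic "wrecked database" symptom.
    Afterwards set `$table_prefix = '<new>';` in wp-config.php."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"bad prefix {p!r}: only letters, digits and '_' allowed")
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # 1. serialized role definitions live under a prefixed option name
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    # 2. every usermeta key that starts with the old prefix.  SUBSTRING is
    #    1-based, so len(old)+1 is the first character after the prefix; only
    #    the leading prefix changes, unlike a blanket REPLACE() over the key.
    stmts.append(f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
                 f"SUBSTRING(meta_key, {len(old) + 1})) "
                 f"WHERE meta_key LIKE '{like_escape(old)}%';")
    return stmts


def leftover_check_sql(old, new):
    """Must return 0 after the change; anything else means capability keys
    still carry the old prefix and users will log in without their roles."""
    return (f"SELECT COUNT(*) FROM `{new}usermeta` "
            f"WHERE meta_key LIKE '{like_escape(old)}%';")
```

Run the generated statements against a backup copy first, then the leftover check; only once it returns 0 change `$table_prefix` in wp-config.php.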

  • Valid points all around. I’m working on an upgrade now.

    Might be finished in a few hours… have to remember to keep it simple.. being a perfectionist is a disability at times…

    Anything I can fix for you for this release? Email me webmaster at askapache.com

  • The topic ‘Decent security’ is closed to new replies.