WordPress Security 101

draggar

þórr mjǫlnir
Legacy Exclusive Member
Joined
Dec 26, 2007
Messages
7,357
Reaction score
223
Feedback: 53 / 0 / 0
First, I'll agree most people would think this belongs in the CMS development section but honestly, the last thing I want is a "how to" for hackers indexed by Google - this section is hidden to all except logged in Platinum or higher level members here.

Recently I've set up a (highly) political site based on WordPress and even though I considered the chances of hack attempts low (it is apparent that I was VERY wrong about that) I took some precautions.

First - when setting up the blog, yes, set up the admin account and give it a GOOD password. Set the display name to be something different in the control panel when it is all set up (say, the name of the blog).

Next, get these plugins:

Simple Login Log - http://wordpress.org/extend/plugins/simple-login-log/
This will allow you to have a log of EVERYONE who attempts to log into the site in the control panel; great for FYI.


Wrong Password - http://wordpress.org/extend/plugins/alex-wrong-password/

This little gem will be a godsend in the case of brute force attacks. This will email the administrator when anyone attempts to log into the site and gets the password wrong. This is what is in the email:
Code:
Someone tried to log into your WordPress site, and failed.
They used the following details:

Site URL: (site URL)
Referer:
Username: admin
Password: (password used)
Email:
IP Address: (IP address)
User Agent: Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)


Look at that - the IP address. This way you can block it in the .htaccess file, report it to the abuse@ email address, or if you need to, report it to the FBI. This plugin is the most important one. Instant email notification, with good details. :)

While logged in as the admin, set up another admin account with a unique name (not easy but something you'll remember) - make the password BETTER than the one for the admin account - even use non traditional characters if you need to. Set the display name as the same as the admin account.

Next, log in as the new admin and confirm everything is all set up - if it is, edit the "admin" (login) account to one with NO rights (set the role to "No role for this site") - this way, if they do log in as the admin (despite your good password), they'll have no rights to do anything and you'll still have their information.

Also, make sure you always keep WordPress and ALL your plugins current - log in at least once a week to check for updates.

Feel free to add to the list if you've found any good tips for WordPress security.
 

dcristo

Level 9
Legacy Exclusive Member
Joined
Feb 25, 2005
Messages
3,709
Reaction score
151
Feedback: 79 / 0 / 0
Deny access to the wp-admin directory, which is how most hackers gain access to your blog.

If you have a static IP address, put this in the .htaccess of the wp-admin folder:

Code:
order deny,allow
deny from all
allow from <ip address>
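
The two posts above give a notification email per failed login and an .htaccess block for wp-admin. The following is an added example, not code from either poster or from the plugins named: it parses notification bodies in the quoted format (constructed samples, assumed to have been pulled from the admin mailbox with a receipt timestamp), flags IPs with repeated failures inside a sliding window, and emits an Apache 2.2 deny block in the same syntax as the snippet above, but as a blocklist rather than a single allowed address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Field lines of interest in the Wrong Password notification body quoted above.
FIELD_RE = re.compile(r"^(Username|IP Address|User Agent):[ \t]*(.*)$", re.M)


def parse_alert(body):
    """Extract username, IP and user agent from one notification email body."""
    fields = {key: value.strip() for key, value in FIELD_RE.findall(body)}
    ip_address(fields["IP Address"])  # raises ValueError on a malformed field
    return fields


def flag_brute_force(alerts, threshold=5, window=timedelta(minutes=10)):
    """Return IPs with >= threshold failed logins inside any sliding window.
    alerts: iterable of (timestamp_str, email_body) pairs."""
    hits = defaultdict(list)
    for stamp, body in alerts:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        hits[parse_alert(body)["IP Address"]].append(when)
    flagged = set()
    for ip, times in hits.items():
        times.sort()
        for i, start in enumerate(times):  # window starts at each failure
            if i + threshold <= len(times) and times[i + threshold - 1] - start <= window:
                flagged.add(ip)
                break
    return flagged


def htaccess_deny(ips):
    """Apache 2.2 blocklist in the 'order/deny/allow' syntax used above."""
    lines = ["order allow,deny"] + [f"deny from {ip}" for ip in sorted(ips)] + ["allow from all"]
    return "\n".join(lines) + "\n"


def make_alert(username, ip, agent="Mozilla/5.0"):
    """Constructed notification body matching the format quoted in this thread."""
    return ("Someone tried to log into your WordPress site, and failed.\n"
            "They used the following details:\n\nSite URL: http://example.com/\n"
            f"Referer:\nUsername: {username}\nPassword: (password used)\nEmail:\n"
            f"IP Address: {ip}\nUser Agent: {agent}\n")


# Constructed sample: six failures from one IP within five minutes, one stray failure elsewhere.
SAMPLE_ALERTS = [(f"2013-05-01 10:0{i}:00", make_alert("admin", "203.0.113.7")) for i in range(6)]
SAMPLE_ALERTS.append(("2013-05-01 12:00:00", make_alert("editor", "198.51.100.2")))

if __name__ == "__main__":
    print(htaccess_deny(flag_brute_force(SAMPLE_ALERTS)))
```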
 