Plugins That Make WordPress Security Easy

Published on Dec 20, 2013   //  Reviews, Security, WordPress

WordPress is one of the most widely used pieces of software on the web, making it a huge target for attackers regardless of their intentions. The great thing is that, being so widely used and respected, WordPress also benefits from a large community of supporters who develop plugins to enhance its functionality.

One area that benefits from this fervor is security. Multiple services and plugins exist to help you lock down your WordPress site, making it far more difficult for attackers to gain access to it. Today we’re going to take a look at two leading security plugins: WordFence and Better WP Security.


WordFence

The story of how WordFence got its start was new to us, but the reason is one we know well. The creator, Mark Maunder, is the person responsible for discovering a massive security hole in what was a very popular thumbnail plugin called TimThumb. He patched it, donated the code back to TimThumb, and then set about building his own security plugin to protect his WordPress-based website after it was exploited via TimThumb.

WordFence’s name is very appropriate; it effectively puts up a virtual fence around your WordPress site. We feel some of the most important features include:

  • Scans of WordPress, theme files, and plugins
  • Real-time views of hacking traffic
  • Blocking fake search engine crawlers
  • Tracking IP addresses to their source
  • Scans for backdoors
  • Blocking brute-force attacks

WordFence also offers a premium version of their plugin for $39 per year, which is likely worth the cost if you run a popular website. The premium version offers more frequent scans, two-factor authentication, and country blocking, which can be highly useful for locally-focused websites.


Better WP Security

Better WP Security has been developed by multiple people, but development is now led by Chris Wiegman at iThemes. It attempts to take WordPress security best practices and package them all into a single plugin, which has led to features like:

  • Removing or obscuring information about your WordPress install
  • Removing the default “admin” account
  • Vulnerability scans and fixes
  • Banning bots and malicious agents
  • Forcing SSL
  • Monitoring the file system for changes

While the goals are the same, WordFence and Better WP Security do not overlap entirely. For example, Better WP Security helps prevent many potential vulnerabilities from becoming problems, even for unpatched WordPress installations, by obscuring information such as the WordPress version and the installed plugins and their versions, and by changing several defaults so that attackers have a harder time even figuring out which exploit to try. This helps deter attackers in the first place, and they will typically move on to an easier target.

WordFence, on the other hand, has a mix of proactive and reactive measures. It will block known bots and brute-force attacks, scan your WordPress site for vulnerabilities and backdoors, and take advantage of machine learning capabilities to automatically block new types of attacks. The real-time view of attackers and crawlers could be a boon for those of you looking to identify a resource hog.

Regardless, both plugins are very good at what they do and will protect the average WordPress site extremely well. If you feel it’s worth the money, WordFence Premium is your best bet for features like country blocking, two-factor authentication, and remote scans. If you’re on a budget, install either plugin and get it configured. Either way, in this day and age you must be taking advantage of the free, easily accessible security measures available to you.

Secure FTP Required

Published on Dec 9, 2009   //  Security

In an effort to continually improve security on our servers, we have now set all of them to require TLS encryption.

Did you know that standard FTP sends your username and password in plain text?

That means anyone with a packet sniffer could easily scoop up your login details and access your account. As that can be detrimental to you and to others on the server, we feel it is important to close that hole permanently.

I have tested, and the current release of FileZilla has no problem with SFTP. If you get any error, be sure to upgrade your FTP software to the newest version or download the free FileZilla software and use it.
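A defender-side illustration of the point above, added here and not part of the original post: the function below scans a constructed FTP control-channel transcript, as a packet sniffer would see it, and reports every USER/PASS pair that crossed the wire before TLS was negotiated. The transcript format and its "C:"/"S:" line prefixes are my own assumption, not any tool's output format.

```python
import re

# Constructed sample capture: the first session logs in over plain FTP, the
# second issues AUTH TLS first, so its USER/PASS travel encrypted and are
# not visible to a sniffer. "C:" marks client lines, "S:" server replies.
SAMPLE_CAPTURE = """\
S: 220 FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: QUIT
S: 220 FTP server ready
C: AUTH TLS
S: 234 Proceed with negotiation
C: <encrypted application data>
"""


def find_cleartext_logins(capture: str) -> list:
    """Return one record per PASS command that crossed the wire unencrypted.
    Only the password length is kept, so the report does not re-expose it."""
    findings = []
    tls_active = False
    pending_user = None
    for raw in capture.splitlines():
        m = re.match(r"^(C|S):\s*(.*)$", raw.strip())
        if not m:
            continue
        side, text = m.groups()
        if side == "S":
            if text.startswith("220 "):      # greeting: a new session starts
                tls_active, pending_user = False, None
            elif text.startswith("234 "):    # server accepted AUTH TLS
                tls_active = True
            continue
        if tls_active:                        # everything after 234 is opaque
            continue
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            pending_user = arg
        elif cmd == "PASS":
            findings.append({"user": pending_user, "password_length": len(arg)})
            pending_user = None
    return findings
```

Running `find_cleartext_logins(SAMPLE_CAPTURE)` flags only alice's session; the AUTH TLS session yields nothing because its credentials were never visible.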

SSL Exception

Published on Oct 26, 2009   //  Security

As most of our customers have found out, the migration to using tokens means that the login page has changed and that we now need to use SSL to log in. This means you’re using 128-bit encryption every time you connect to the server. Is it important? Yes: your account and files are important to us, and SSL stops people from maliciously using your account. There are exploits out there that people can use to find your cPanel username and password with the old login method, and this new method prevents those exploits.

So to connect to cPanel you have to use SSL, like this:

https://yourdomains.com:2083

To connect to your webmail:

https://yourdomains.com:2096

If you have a legacy reseller account you have to use:

https://serverIP:2087

Now you will notice when you log in that you get warnings that the SSL certificate is not trusted. The warnings are 100% correct: we are not using a certificate from a commercial provider; instead the servers use a self-signed SSL certificate. Basically it means we are using a free certificate that we can set up on the server ourselves and that still provides 128-bit encryption, without an added expenditure that is not required.

To bypass this notice, just add an exception and it will not prompt you again.

I know this has been a headache for some, as is any change, but it is one for the better of your site and the server. If you have issues or concerns, be sure to open a ticket at our helpdesk.

WordPress 2.8.5

Published on Oct 21, 2009   //  Security, WordPress

Attention bloggers: if you have manually installed WordPress, you should upgrade to 2.8.5. This upgrade includes a lot of security fixes. Full details on what has been updated are here.

For those who installed WordPress with Fantastico, Netenberg usually has the upgrade released a week or two later. We do post Fantastico updates on the blog so keep an eye open for that.

Please also note that we will post in this blog when it is time for Managed Blog hosting customers to upgrade.

Update WordPress 2.8.2

Published on Jul 20, 2009   //  Security, WordPress

Attention bloggers: if you have manually installed WordPress, you should upgrade to 2.8.2. This upgrade fixes an XSS vulnerability. Full details on what has been updated are here.

For those who installed WordPress with Fantastico, Netenberg usually has the upgrade released a week or two later. We do post Fantastico updates on the blog so keep an eye open for that.

Please also note that we will post in this blog when it is time for Managed Blog hosting customers to upgrade.

Update WordPress 2.8.1

Published on Jul 9, 2009   //  Security, WordPress

Attention bloggers: if you have manually installed WordPress, you should upgrade to 2.8.1. This upgrade fixes many bugs and tightens security for plugin administration pages. Full details on what has been updated are here.

For those who installed WordPress with Fantastico, Netenberg usually has the upgrade released a week or two later. We do post Fantastico updates on the blog so keep an eye open for that.

Please also note that we will post in this blog when it is time for Managed Blog hosting customers to upgrade.
