Best practice to secure my sites

Hello,

After recently being hacked (first time ever) I need help to secure my site(s). I have deleted all content completely, to start afresh.

Before I start again, I am wondering what steps I should take immediately after I re-install WP.

For example, immediately after installing WP should I:
1. Install WordFence (https://wordpress.org/plugins/wordfence/)
2. Install Sitelock (http://help.secureserver.net/article/12273?locale=en&prog_id=uworlds)
3. Install iThemes Security (https://wordpress.org/plugins/better-wp-security/)
4. Do everything on this page: http://codex.wordpress.org/Hardening_WordPress
5. Do everything on the list on this page: https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/

Is this a bunch of overkill? I don't have the expertise this afternoon to dissect which elements of which of the 5 links above would be the most relevant for me but I am rolling out 40 sites so to have to do all of the above for all of the sites seems positively overwhelming!

From what I have read Multisite does not sound like a viable option in my scenario.

If there is an easier way to secure 40 sites all at once I am all ears! I don't want to embark on anything and waste time in case there is an easier method and don't want to have to roll back a mistake 40 times and apply a fix 40 times.

Also ... I really need to learn how to back up all my sites in such a way that I can rollback in the event of a disaster / hack etc.

If anyone could help me with this, it will help me actually get started as I don't want to do anything until I have this piece sorted out.

Kind regards,
Michael
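The backup-and-rollback piece of the question, as an added example that is not part of the thread: a POSIX shell script that backs up every single-site WordPress install under one web root (files as a tarball, the database via mysqldump when it is installed, with credentials read from each site's wp-config.php), writes a SHA-256 manifest per backup, and restores one site while keeping the compromised tree aside for later inspection. The directory layout ($webroot/siteNN/wp-config.php) and the backup location are assumptions. Keep the backup directory outside the web root: a backup the web server can serve is a backup the attacker can download.

```shell
#!/bin/sh
# Added example (not from the thread): file + database backup and rollback for a web
# root holding many single-site WordPress installs, e.g. $webroot/site01 ... site40.
# Assumptions: one directory per site with wp-config.php at its top level; mysqldump
# and mysql on PATH for the database steps (they are skipped when not installed).

# sha256sum (GNU coreutils) or shasum (BSD/macOS), whichever is present.
sha256_tool() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Print the value of define('NAME', 'value') from a site's wp-config.php, or nothing.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
    "$1/wp-config.php" 2>/dev/null | head -n 1
}

# Back up one site into $dest/<site>-<UTC stamp>/: files.tar.gz, db.sql (if mysqldump
# is available) and a SHA256SUMS manifest so a damaged or tampered backup is caught on
# restore. Prints the backup directory. Keep $dest outside the web root.
backup_site() {
  site_dir=$1; dest=$2
  name=$(basename "$site_dir")
  out="$dest/$name-$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$out"
  # -C makes paths in the archive relative to the parent, so it restores anywhere.
  tar -czf "$out/files.tar.gz" -C "$(dirname "$site_dir")" "$name"
  if [ -f "$site_dir/wp-config.php" ] && command -v mysqldump >/dev/null 2>&1; then
    host=$(wp_config_value "$site_dir" DB_HOST)
    # MYSQL_PWD keeps the password out of the process list, unlike -p<password>.
    MYSQL_PWD=$(wp_config_value "$site_dir" DB_PASSWORD) \
      mysqldump --single-transaction -h "${host:-localhost}" \
        -u "$(wp_config_value "$site_dir" DB_USER)" \
        "$(wp_config_value "$site_dir" DB_NAME)" > "$out/db.sql"
  fi
  # The manifest is written outside $out first so the glob does not pick itself up.
  (cd "$out" && sha256_tool *) > "$out.manifest.tmp" && mv "$out.manifest.tmp" "$out/SHA256SUMS"
  printf '%s\n' "$out"
}

# Back up every site under a web root (a site is any directory holding wp-config.php).
backup_all() {
  for cfg in "$1"/*/wp-config.php; do
    [ -f "$cfg" ] || continue
    backup_site "$(dirname "$cfg")" "$2"
  done
}

# Roll one site back to a backup. The manifest is verified first; the live (possibly
# compromised) tree is moved aside, not deleted, so it stays available for forensics.
restore_site() {
  backup_dir=$1; site_dir=$2
  (cd "$backup_dir" && sha256_tool -c SHA256SUMS >/dev/null) || {
    echo "manifest check failed, refusing to restore from $backup_dir" >&2; return 1; }
  if [ -d "$site_dir" ]; then
    mv "$site_dir" "$site_dir.compromised-$(date -u +%Y%m%dT%H%M%SZ)"
  fi
  tar -xzf "$backup_dir/files.tar.gz" -C "$(dirname "$site_dir")"
  if [ -f "$backup_dir/db.sql" ] && command -v mysql >/dev/null 2>&1; then
    host=$(wp_config_value "$site_dir" DB_HOST)
    MYSQL_PWD=$(wp_config_value "$site_dir" DB_PASSWORD) \
      mysql -h "${host:-localhost}" -u "$(wp_config_value "$site_dir" DB_USER)" \
        "$(wp_config_value "$site_dir" DB_NAME)" < "$backup_dir/db.sql"
  fi
}

# Usage (nightly from cron):  backup_all /home/user/public_html /home/user/backups
# Rollback of one site:       restore_site /home/user/backups/site01-20140601T020000Z /home/user/public_html/site01
```

Run `backup_all` from cron so every one of the 40 sites gets the same treatment without touching each dashboard; `restore_site` refuses to run when the manifest does not verify, which is the check you want before overwriting a site from a backup of unknown integrity.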

  • Sajid
    • DEV MAN’s Sidekick

    Hi Michael! Hope you are doing well today, and thanks for your question :)

    Securing your WordPress website is a vast subject, and you can find lots of plugins and resources out there describing how you can keep your site secure and safer. It involves lots of factors, including securing your website against potential threats, keeping your WordPress up to date, hiding your wp-admin area and also scheduling backups of your website (including database and files).

    All of the plugins and resources you mentioned are good and provide bulletproof security. I am personally using the iThemes Security plugin to protect my website from potential threats. For your 40 websites, I can understand it will be very difficult to set up each plugin on each of your individual websites, especially when Multisite is not a viable solution for you. In this case I suggest you check ManageWP; they have one dashboard to manage all your websites (single WordPress installations) and they do have a "HIGH SECURITY" option to keep your websites secure.
    https://managewp.com/

    Hope this will help :)

    Cheers, Sajid

  • Michael
    • The Crimson Coder

    Hello Sajid,

    Thank you for this. I found ManageWP a while ago, but I actually thought they were you, and I also thought Multisite was part of the service of WPMU, not just a feature of WordPress. I guess I found it quite confusing trying to piece it all together, as the 3 seemed to intersect to me. But I guess I thought that the functions that ManageWP offers are what I was paying for when I signed up for WPMU, in other words a simple way to manage multiple sites in one go (which Multisite made a bit confusing), complete with security, in separate hosting spaces, so I could roll a plug-in out to all my sites at once without having to spend hours per plug-in, installing one at a time.

    Normally I have always built all my sites from scratch using HTML/CSS/Dreamweaver and have never had a hacking attack in the past 16 years that I've built and run Web sites (lucky me?), but now that I have tried WP and got hacked within 3 days of running a site (not any theme from your site, as I was still not a member) my WP launch hasn't exactly been off to a great start, but I just never expected that there would be so many steps that I would need to learn to secure a WP site. I deleted everything last week after the hacking, and signed up with you yesterday to start afresh.

    I am sure that you can see from my point of view (my poor assumption) that if a platform powers 20% of all Web sites on the Internet (even if it's free and open source) that it would have more settings built into it -- at this point in its evolution -- to automatically protect against hackers simply by default and a matter of course, as opposed to leave it to the WP site owner to go out and almost have to learn a career in Web security to ascertain which plug-in(s) they need from a palette of choice to handle the big list of security vulnerabilities.

    I also wrongly assumed that this was the job of a Web host (I am with an excellent one) to protect sites from hacking and never expected WP to have so many vulnerabilities (I was using the latest version) so it has really thrown my whole thinking and basis for my Web businesses if WP is still right for it. I just never thought WP could have a vulnerability to let people get in and change files in one of my sites which could get past my Web host's firewall ... I'm really floored by that actually, I thought that's what paid hosting to a top provider was for.

    You see where I am coming from right, I am not criticizing you, it's just me being surprised that WP hasn't come as far as I would have expected in terms of basic security out of the box so that people can just use it from moment dot without these sorts of worries and upsets. I have had to start from scratch from the recent hacking but it seems to me it could have been preventable? Does anyone think this is an unfair take?

    I would like to try to make WP my platform of choice and create all the site ideas that I have been working on.

    Could you recommend just one plug-in that does it all, in terms of security, from my original list of 5 points? They all seem to do different things. For instance, is just iTheme sufficient?

    Many thanks for your kind assistance.

    Best regards,
    Mike

  • Sajid
    • DEV MAN’s Sidekick

    Hi Mike! Hope you are doing well today, and welcome back :)

    Yes, ManageWP is a separate company from WPMUDEV. Multisite, previously called WPMU, has been WPMUDEV's product since WordPress version 3.0. But we do provide support for WordPress and WordPress Multisite. You can ask any question related to WordPress and WordPress Multisite here, being a member of WPMUDEV.

    Yes, WordPress being so widely used as a content management system is the reason hackers target WordPress. Yes, of course there are some loopholes in WordPress, and the WP community is constantly updating core and focusing on security. They just released another version of WordPress to address some security issues. Despite all these threats, WordPress still owns 20% of websites on the internet. So it means there must be something that users love about it :)

    I can understand the frustration of being hacked. I personally got hacked once or twice. But after taking some security measures, I have not been hacked for almost a year. If you just install WordPress and do not take any security steps, it is just like having a home without a door. As an answer to your question whether it's preventable or not: yes, it's definitely preventable, and with one click :)

    Yes, the iThemes Security plugin provides a simple one-click security option. See their official blog for more details. This is the best place to get started for WordPress security.
    https://ithemes.com/2014/01/22/14-wordpress-security-tips-in-one-plugin/

    You are welcome, and feel free to post a reply or start a new thread if you need further assistance :)

    Take care and good luck :)

    Cheers, Sajid

  • Sajid
    • DEV MAN’s Sidekick

    Hi Mike! Hope you are doing well today :)

    Well, I have not tried both and don't know whether there will be conflicts, but it will definitely slow down your website and affect your website's performance. On the Windows operating system you do not run two security programs in the background at the same time, like Norton and McAfee. But in our case things can be different, because plugins work differently than software.

    I found a good article comparing both plugins in detail. iThemes Security was formerly Better WP Security.
    http://www.reginaldchan.net/better-wp-security-vs-wordfence-security-the-battle-best-wordpress-security-plugin/

    Hope this helps :)

    Cheers, Sajid

  • Ginny66
    • New Recruit

    I don't know if this will help you Mike, but it has definitely helped me. I had a WP site that was hacked also. So, the next time I set it up I placed WordPress in a subdirectory of my root directory, rather than directly in my root directory. In other words, instead of WP residing at http://mysite/wordpress/ .... it resides at http://mysite/artisan/wordpress/ .... of course you can use any word you like in place of "artisan". The more obscure the better.

    In order to hide this obscure subdirectory name from hackers and make it very hard for them to find WordPress on your site, you will need to do the following after you have installed WP:
    Copy the index.php file and the .htaccess file from the "artisan" folder and paste them into the root directory. If an .htaccess file doesn't exist in your "artisan" subdirectory, go ahead and create one.
    Then for the last step, open index.php (in your root directory) and change this:
    require('./wp-blog-header.php');
    …to this:
    require('./artisan/wp-blog-header.php');
    You'll now have to log in at http://mydomain.com/artisan/wp-admin/, but WordPress will be in control of the root just as if that were its actual location.
    Once you have installed WordPress and logged in to the Admin area, go to Settings > General and ensure that the WordPress address (URL) points to http://mydomain.com/artisan/ and the Blog address (URL) points to http://mydomain.com/.

    This is how I set up my site... which has the word "bank" in it, making it a very attractive site for hackers. This has kept many evil bots from being able to find my WP directories. I also use Wordfence for security. I really like it. It allows me to see who has visited my site or tried to visit it. I can see what directories they tried to find, but were unsuccessful. It has been a real learning experience for me. I can say with confidence that any evil bots scanning and probing your site looking for possible WordPress exploits probably won't even be able to find your WordPress files. Setting it up this way also keeps your root directory clean. Nothing worse than a messy root directory... except for maybe a hacked site!
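Ginny66's steps, scripted as an added example (not from her post and not WordPress's own code): the script copies index.php and .htaccess from the WordPress directory to the document root, rewrites the require line and checks that the file it now points at exists. It handles the `require('./wp-blog-header.php');` form quoted above as well as the `dirname( __FILE__ )` and `__DIR__` forms shipped by later WordPress releases, since all three contain `/wp-blog-header.php`. Directory names are placeholders. Two caveats a practitioner should keep in mind: the WordPress Address and Site Address still have to be changed in Settings > General (or with WP-CLI, `wp option update siteurl` and `wp option update home`), and the subdirectory name is an obscurity measure only, because the rendered pages link to theme, plugin and wp-includes assets under that directory, so anyone who reads the HTML source sees where WordPress lives.

```shell
#!/bin/sh
# Added example (not from the post, not WordPress's own code): script the layout
# described above, WordPress unpacked in $docroot/$subdir and served from $docroot.
# Assumption: $subdir is a single path component (no slashes, no '#').

# Copy the front controller (index.php) and .htaccess from the WordPress directory to
# the document root and point the copy at the subdirectory. The root copy is always
# regenerated from the install, so re-running after a WordPress update is safe.
move_wp_to_subdir() {
  docroot=$1; subdir=$2
  wp="$docroot/$subdir"
  [ -f "$wp/wp-blog-header.php" ] || { echo "no WordPress install in $wp" >&2; return 1; }
  cp "$wp/index.php" "$docroot/index.php"
  if [ -f "$wp/.htaccess" ]; then
    cp "$wp/.htaccess" "$docroot/.htaccess"
  else
    : > "$docroot/.htaccess"   # WordPress fills this in when permalinks are saved
  fi
  # Every release's index.php requires wp-blog-header.php in one of these forms:
  #   require('./wp-blog-header.php');                        (as quoted in the post)
  #   require( dirname( __FILE__ ) . '/wp-blog-header.php' );
  #   require __DIR__ . '/wp-blog-header.php';
  # All contain "/wp-blog-header.php", so one substitution handles all of them.
  sed "s#/wp-blog-header\.php#/$subdir/wp-blog-header.php#" "$docroot/index.php" > "$docroot/index.php.tmp" &&
    mv "$docroot/index.php.tmp" "$docroot/index.php"
}

# Print the path the root index.php now hands control to, e.g. ./artisan/wp-blog-header.php.
front_controller_target() {
  sed -n "s#.*['\"]\([^'\"]*wp-blog-header\.php\)['\"].*#\1#p" "$1/index.php" | head -n 1
}

# Check that the rewritten require points at a file that exists under the document root,
# before the Site Address is switched in Settings > General. Exit status 0 means OK.
verify_subdir_install() {
  target=$(front_controller_target "$1")
  [ -n "$target" ] && [ -f "$1/${target#./}" ]
}

# Usage:  move_wp_to_subdir /var/www/html artisan && verify_subdir_install /var/www/html
```

Running `verify_subdir_install` before changing the URLs in the dashboard avoids the one failure mode this layout is prone to: a root index.php that requires a path which does not exist, which takes the whole site down until the file is fixed by hand.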

    • Michael
      • The Crimson Coder

      Thanks so much for this, interesting, and I do appreciate all the detail. I do have my installations in subfolders but did not realise about the manual changes you mentioned .. good to know, and sounds logical, but not sure I have the confidence to implement just yet :)

    • Michael
      • The Crimson Coder

      Hello,

      Thanks for letting me know about CloudFlare, sounds very interesting.

      Basically I have 40 separate WordPress sites, all stored on Deluxe hosting at GoDaddy on shared hosting. I can't segregate sites into standalone, can't use SSL on each one, not really sure I understand the level of protection that's there anymore.

      The sites are all very simple one-pagers and that will be it ... not a lot of budget at the moment and not sure I understand a lot in this security area, but I am learning tons every single day since I've been hacked.

      Would I be able to find out more about how your product differs from all the ones listed in all the links above (in all the lists in my original post)?

      Many thanks :)

      • c0d3r
        • Design Lord, Child of Thor

        First, I check manually: I will try to see if you have any vulnerable plugin, SQL injection or command execution.
        Then check if there is injected code in files. You can do that by clicking on Virus Scan in your cPanel if you have it; if not, you can do it with SSH access; if you don't have SSH access, download all your files and then examine them.
        Then I will check for any injected code at database level, or JavaScript files which send your username and password to the hacker.
        By the way, I will be writing on WP security, so check my blog corered.com.
        And about the budget: I'm trying to help, no money or anything in return.
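The checks c0d3r lists, as an added example (not c0d3r's code and not a WordPress tool): a shell triage script that greps every .php file under a site for code patterns typical of injected PHP, flags PHP files under wp-content/uploads (WordPress never writes PHP there, so any such file is a finding by itself), lists recently modified files, and greps a mysqldump of the database for script and iframe injection in post content or options. The pattern list and the sample files in the test are constructed for this example. The output is a list of things to look at, not a verdict: base64_decode() and friends also occur in legitimate code, and a clean run proves nothing about code the patterns do not cover.

```shell
#!/bin/sh
# Added example (not from the thread): first-pass triage of a possibly compromised
# WordPress tree along the lines described above (injected code in files, then at
# database level). Indicators, not verdicts: every hit needs a human look.

# Patterns typical of injected PHP (constructed list for this example; extend as needed).
# Extended regular expressions, one per line; quoted heredoc keeps backslashes literal.
write_patterns() {
  cat > "$1" <<'EOF'
eval[[:space:]]*\(
base64_decode[[:space:]]*\(
gzinflate[[:space:]]*\(
str_rot13[[:space:]]*\(
create_function[[:space:]]*\(
preg_replace[[:space:]]*\(.*/e['"]
\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(
(\\x[0-9a-fA-F]{2}){8}
EOF
}

# Print every .php file under $1 that contains at least one indicator pattern.
scan_php_files() {
  root=$1
  pat=$(mktemp)
  write_patterns "$pat"
  find "$root" -type f -name '*.php' -print | while IFS= read -r f; do
    if grep -qE -f "$pat" "$f"; then printf '%s\n' "$f"; fi
  done
  rm -f "$pat"
}

# WordPress never stores PHP under wp-content/uploads; anything executable there is
# almost always an uploaded web shell.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Files changed in the last $2 days (default 7). Injected code usually has a fresh
# mtime unless the attacker reset it, so this is one signal among several.
recently_modified() {
  find "$1" -type f -mtime -"${2:-7}"
}

# Database level: grep a mysqldump of the site for script/iframe injection in post
# content or options. Prints line numbers so the row can be found in the dump.
# Exit status follows grep: 0 when something matched, 1 when nothing did.
scan_sql_dump() {
  grep -nE '<script[^>]*src=|<iframe|String\.fromCharCode|document\.write\(|eval\(|base64,' "$1"
}

# Usage:
#   scan_php_files /home/user/public_html/site01
#   php_in_uploads /home/user/public_html/site01
#   recently_modified /home/user/public_html/site01 3
#   mysqldump site01_db > /tmp/site01.sql && scan_sql_dump /tmp/site01.sql
```

Run the file checks against a copy taken with the backup script (or the downloaded files c0d3r mentions) rather than against the live tree, so that nothing you do while investigating changes the evidence; the list of flagged files, together with the recently-modified list, is what you compare against a pristine WordPress and plugin download to decide what was injected.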

      • Webmaster
        • Site Builder, Child of Zeus

        Hello again,

        Actually, CloudFlare is not my product. I provide dedicated servers (including managed servers) to small businesses and hosting providers. The advantage of a dedicated server is that you are the only one on the server, so you can allot hard drive and memory as you prefer, and you don't have to worry about some other user crashing or locking up the entire server. Additionally, you can firewall the entire machine instead of just your assigned IP number on the shared hosting service. Also, you can install programs and scripts that you cannot as a hosting customer.

        Actually there are many, many advantages of having a dedicated server, but the cost difference is substantial between a deluxe hosting package (usually around $29) and a dedicated server (starting around $129). And if all your websites are essentially one page, then you shouldn't need a dedicated server (unless your ability to change settings for configurations is too limited for your project).

        I would still recommend considering CloudFlare. I use it on some troubled websites even though they are on dedicated servers. It can really help filter out problems and cost less for each additional website. (I think it's $20 for the first site and $5 for each additional website, but you should verify that as it was a few years ago when I opened my account.)

        Good luck!

  • Twedros
    • Site Builder, Child of Zeus

    I haven't read the entire thread, but from my experience, iThemes Security was the best option for me. Wordfence consumed too many resources and my host threatened to shut me down, as I am on a shared hosting plan. Also, another biggie is to change your admin name from "Admin" and to also change the default WP login page to something else.

  • Sajid
    • DEV MAN’s Sidekick

    Hi Michael,

    Hope you got your answer and have enough useful information to secure your websites.

    Thanks @Twedros, @c0d3r for sharing your views and helping the community. Sending some points your way :)

    Take care and have a nice day :)

    Cheers, Sajid
