Essential security plugins?

Hello,

What would be the security plugins you consider essential for every WordPress installation? (my account was hacked twice)

I read some articles advising to use a three-plugin combo to increase the security of WordPress installations. The plugins are wp secure, wp security scan and login lockdown.
Recently I had to remove wp secure because it was conflicting with s2member.

Thank you,
Luciano

  • aecnu

    Greetings Luciano,

    Thank you for the great question.

    Security begins at the host level, and though we cannot directly affect their security, we can indeed beef our own up. My favorite place to start is with the .htaccess file, doing two things:

    One, locking down the wp-config.php file so that it cannot be read or tampered with:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    If this file is read, then the criminals will have access to the database user name and password, which in turn gives them control over the site, of course.

    The other item is to make sure directory browsing is turned off, so that hackers cannot cruise your file folders:

    Options All -Indexes

    This should be the first line in your .htaccess file.

    As for security plugins, I more or less know which ones not to use rather than which to use, though the Wordfence plugin has worked well for a few members.

    Cheers, Joe

  • klogan

    Hi Joe

    Thanks for sharing this info.

    I'm a newbie with the .htaccess file.

    I've looked in my .htaccess file and I see this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

    If I was to add in what you have suggested above, would this then be correct?

    # BEGIN WordPress
    Options All -Indexes
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    # END WordPress

  • aecnu

    Greetings klogan,

    Thank you for the great question.

    No, you would not add it in the manner shown in your description above; you would want to do something like this:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    
    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]
    
    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]
    # END WordPress

    That would be most accurate.

    Thank you for being a WPMU DEV Community Member!

    Cheers, Joe
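As an added example (not code from the thread or from WPMU DEV), here is a small Python audit that ties Joe's two posts together: it checks whether an .htaccess already denies web access to wp-config.php and turns off directory listing, and if not, inserts a hardening block above the `# BEGIN WordPress` marker rather than inside it, because WordPress rewrites everything between `# BEGIN WordPress` and `# END WordPress` when permalinks are saved. The sample .htaccess is constructed from klogan's stock single-site rules; the hardening block uses the Apache 2.2 `Order`/`Deny` syntax from the thread and adds the Apache 2.4 `Require all denied` form inside `<IfModule>` guards so the same file works on either version (that dual form is this example's assumption, not something the thread shows).

```python
import re

# Constructed sample: a stock single-site WordPress .htaccess with no hardening.
STOCK_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Hardening block (assumption: host allows Options and access directives in .htaccess).
# Apache 2.4 always loads mod_authz_core, so it takes the Require line; Apache 2.2
# lacks that module and falls through to the Order/Deny pair from the thread.
HARDENING_BLOCK = """Options All -Indexes
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
"""

WP_MARKER = "# BEGIN WordPress"

# Apache directive names are case-insensitive, so all patterns use re.I.
FILES_RE = re.compile(r"<files\s+[\"']?wp-config\.php[\"']?\s*>(.*?)</files>", re.I | re.S)
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)
INDEXES_RE = re.compile(r"^\s*options\b[^\n]*-indexes", re.I | re.M)


def audit_htaccess(text):
    """Report which of the two hardening items the .htaccess text already applies."""
    block = FILES_RE.search(text)
    protected = bool(block and DENY_RE.search(block.group(1)))
    return {
        "wp_config_protected": protected,
        "directory_listing_off": bool(INDEXES_RE.search(text)),
    }


def harden_htaccess(text):
    """Return text with the hardening block added above the WordPress markers.

    Idempotent: if both protections are already present the text is returned as-is.
    """
    report = audit_htaccess(text)
    if report["wp_config_protected"] and report["directory_listing_off"]:
        return text
    idx = text.find(WP_MARKER)
    if idx == -1:
        # No WordPress section yet: hardening simply goes at the top of the file.
        return HARDENING_BLOCK + "\n" + text
    return text[:idx] + HARDENING_BLOCK + "\n" + text[idx:]


if __name__ == "__main__":
    print("before:", audit_htaccess(STOCK_HTACCESS))
    hardened = harden_htaccess(STOCK_HTACCESS)
    print("after: ", audit_htaccess(hardened))
    print(hardened)
```

One caveat when applying this on a live host: `Options` in .htaccess is only honoured when the server's `AllowOverride` includes `Options`; where it does not, the whole file is rejected and every page returns a 500, so test on a staging copy or confirm the host's setting first.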
