Essential security plugins?

Hello,

What would be the security plugins you consider essential for every WordPress installation? (My account was hacked twice.)

I read some articles advising the use of a three-plugin combo to increase the security of WordPress installations. The plugins are WP Secure, WP Security Scan and Login Lockdown.

Recently I had to remove WP Secure because it was conflicting with s2Member.

Thank you,

Luciano

  • aecnu
    • WP Unicorn

    Greetings Luciano,

    Thank you for the great question.

    Security begins at the host level, and though we cannot directly affect the host's security, we can indeed beef up our own. My favorite place to start is the .htaccess file, doing two things:

    One: locking down the wp-config.php file so that it cannot be read or tampered with:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    If this file is read, then the criminals will have access to the database user name and password, which in turn gives them control over the site, of course.

    The other item is to make sure directory browsing is turned off, so that hackers cannot cruise your file folders:

    Options All -Indexes

    Which should be the first line in your .htaccess file.

    As for security plugins, I more or less know which ones not to use rather than which to use, though the Wordfence plugin has worked well for a few members.

    Cheers, Joe

  • aecnu
    • WP Unicorn

    Greetings Luciano,

    Thank you for the additional question.

    I believe it will be just fine as the first line: Options All -Indexes simply keeps folks from browsing your directories/folders.

    Thank you for being a WPMU Dev Community member!

    Cheers, Joe

  • klogan
    • WPMU DEV Initiate

    Hi Joe

    Thanks for sharing this info.

    I’m a newbie with the .htaccess file.

    I’ve looked in my .htaccess file and I see this:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

    If I was to add in what you have suggested above, would this then be correct?

    # BEGIN WordPress
    Options All -Indexes
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress

  • aecnu
    • WP Unicorn

    Greetings klogan,

    Thank you for the great question.

    No, you would not add it in the manner shown in your description above; you would want to do something like this:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index.php$ - [L]

    # uploaded files
    RewriteRule ^files/(.+) wp-includes/ms-files.php?file=$1 [L]

    RewriteCond %{REQUEST_FILENAME} -f [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^ - [L]
    RewriteRule . index.php [L]
    # END WordPress

    Would be most accurate.

    Thank you for being a WPMU DEV Community Member!

    Cheers, Joe
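A small checker for the two rules discussed in this thread, added here as an example; it is not code from the thread, from WordPress or from Apache. It reports whether an .htaccess text denies web access to wp-config.php and disables directory listings, and it flags either rule when it sits between "# BEGIN WordPress" and "# END WordPress", because WordPress regenerates that region whenever permalink settings are saved and anything placed inside it is lost. It also emits a version-agnostic form of the rules: the "order allow,deny / deny from all" syntax posted above is Apache 2.2; Apache 2.4 uses "Require all denied" and rejects the old directives unless mod_access_compat is loaded. The sample .htaccess texts are constructed from the posts above.

```python
"""Check where the two .htaccess hardening rules from this thread sit.

Added example (not code from the thread, WordPress or Apache): verifies that
wp-config.php is denied and directory listings are off, and flags rules
placed inside the '# BEGIN WordPress' / '# END WordPress' region that
WordPress rewrites on every permalink save.
"""
import re

BEGIN_MARK = "# BEGIN WordPress"
END_MARK = "# END WordPress"

# The thread's rules, in Apache 2.2 syntax (constructed from the posts above).
THREAD_RULES = """\
Options All -Indexes
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

# Stand-in for the block WordPress generates (constructed, shortened).
WP_BLOCK = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def hardened_snippet() -> str:
    """Rules in a form that works on Apache 2.2 and 2.4; place ABOVE the WP block.
    2.4 uses 'Require all denied'; 2.2 'Order/Deny' fails on 2.4 without
    mod_access_compat, so each form is guarded by an IfModule test."""
    return "\n".join([
        "# Disable directory listings site-wide",
        "Options All -Indexes",
        "# Deny web access to wp-config.php (it holds the DB credentials)",
        "<Files wp-config.php>",
        "  <IfModule mod_authz_core.c>",
        "    Require all denied",
        "  </IfModule>",
        "  <IfModule !mod_authz_core.c>",
        "    Order allow,deny",
        "    Deny from all",
        "  </IfModule>",
        "</Files>",
        "",
    ])


def check_htaccess(text: str) -> dict:
    """Return hardening findings for one .htaccess text."""
    f = {"wpconfig_denied": False, "indexes_disabled": False,
         "rules_inside_wp_block": [], "unclosed_files_block": False}
    in_wp, in_files, files_denies = False, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN_MARK:
            in_wp = True
        elif line == END_MARK:
            in_wp = False
        elif re.fullmatch(r'<files\s+"?wp-config\.php"?\s*>', line, re.I):
            in_files, files_denies = True, False
            if in_wp:
                f["rules_inside_wp_block"].append(line)
        elif re.fullmatch(r"</files>", line, re.I):
            if in_files and files_denies:
                f["wpconfig_denied"] = True
            in_files = False
        elif in_files and re.fullmatch(
                r"(deny\s+from\s+all|require\s+all\s+denied)", line, re.I):
            files_denies = True
        elif re.match(r"options\b.*\s-indexes\b", line, re.I):
            f["indexes_disabled"] = True
            if in_wp:
                f["rules_inside_wp_block"].append(line)
    f["unclosed_files_block"] = in_files
    return f


def is_hardened(text: str) -> bool:
    """True only when both rules are present, closed, and outside the WP block."""
    f = check_htaccess(text)
    return (f["wpconfig_denied"] and f["indexes_disabled"]
            and not f["rules_inside_wp_block"] and not f["unclosed_files_block"])


# klogan's proposal (rules inside the markers) vs. the rules above the block.
INSIDE_MARKERS = WP_BLOCK.replace(BEGIN_MARK + "\n", BEGIN_MARK + "\n" + THREAD_RULES)
ABOVE_MARKERS = THREAD_RULES + WP_BLOCK

if __name__ == "__main__":
    for name, text in [("unmodified", WP_BLOCK), ("inside markers", INSIDE_MARKERS),
                       ("above markers", ABOVE_MARKERS),
                       ("2.2/2.4 snippet", hardened_snippet() + WP_BLOCK)]:
        print(f"{name}: hardened={is_hardened(text)} {check_htaccess(text)}")
```

Run against a real file with `check_htaccess(open(".htaccess").read())`; the "inside markers" sample shows both rules detected yet the file still reported as not hardened, which is exactly the placement problem in the question above. Note that `Options` in .htaccess also needs `AllowOverride Options` (or `All`) in the host's Apache configuration, otherwise the line produces a 500 error rather than a hardened site.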

  • marcelo_rocha
    • Design Lord, Child of Thor

    Hello, Joe.

    I was reading some articles trying to give some security to my sites. I was hacked twice last month and this caused a huge problem for me also…

    I'm going to improve my .htaccess file the way you recommend, but what about the "Options All -Indexes" line? We have to place it before the <files wp-config.php> block, right?

    Thanks! :)
