Malware, malware, malware and security

Really need some help and direction. We recently had a few malware attacks that infiltrated our htaccess file. We have 1100 users, and this redirect was really inappropriate.

Can anyone suggest some best practices for a WMPS install that will make our installation the MOST secure? Keep in mind that many of our users are 7/8 years old and up- and we’d like to make things as simple for them as possible. Long captcha codes do not work for the young ones.

We have the latest version of WP. We were using WP Total Cache- and we suspect that the malware attack was a vulnerability in that- not sure.

The MS has also been running a little slow- and we’ve been trying to speed things up. Your help and direction are very much appreciated.

What are your best practices?

Thanks!

  • Timothy
    • Chief Pigeon

    Hey there.

    If you want totaal security you could look at hosting from such people as EduBlogs WP Engine:

    http://edublogs.org/campus/

    And:

    http://wpengine.com/

    These are managed WordPress installs, so they take care of all the security stuff for you.

    What makes you believe that WP Total Cache is the culprit here?

    There are better ways to speed up websites than using plugins. For example WP Engine use Varnish:

    https://www.varnish-cache.org/

    I don’t know you’re full set up, but where do you get themes and plugins from apart from here?

    You might like to read:

    https://premium.wpmudev.org/blog/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

    The article is about themes but it relates just as well to plugins.

    All the usual things of ensuring you set correct permissions on files and folders, remove code you’re not using,

    You may also benefit from a service such as:

    http://sucuri.net/

    – Refresh your WP-Config keys.

    – Always ensure your plugins, themes and WP are up to speed.

    – Ensure you always keep a backup of your working site.

    – Ensure file and folder permissions only give access which is needed to function.

    – Keep an eye on malware (see link above – Sucuri)

    – Force strong passwords, random numbers, letters, higher and lowercase. This is applicable to accounts including FTP and cPanel.

    – Limit against brute force, cPanel has options for things like this.

    – Use plugins and themes because you need them for a reason not just because they might be good or because you’ve had one request. Remember more code, more resources used, more potential for hacks.

    – You could have a strong password but how are the machines you use to connect to your site? Check for keyloggers, malware, etc.

    You could keep changing your passwords and securing everything but if the vulnerability is hidden on a computer you’re always going to be giving away your secrets.

    There are a number of plugins out there, I don’t personally use any myself but you’re welcome to experiment.

    This is a start and I’m sure many members could share their own practices and advise which would extend much more on all of this, I guess it depends on how many times a site has been attacked and the paranoia level of it happening. :slight_smile:

    Take care.

  • Timothy
    • Chief Pigeon

    Hello, hope you’re well!

    How’s things going now, we haven’t heard from you in a short while and as such he thread became marked as “Resolved”.

    If you’re still in need any help then please feel free to reopen or create a new thread as needed for any issues.

    Cheers.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.