What do you think of all changes 'Better WP Security' makes?

I'm thinking about using this plugin to increase site security. What do you think? Is there something better?

It kind of worries me that it makes a LOT of fundamental changes. On one hand, changing the folder names and other things can definitely "solid-up" a site. On the other, I'd imagine upgrading would be a nightmare.

What do you think about implementing best-practices security for WP?

  • Timothy
    • Chief Pigeon

    Hey David.

    I think ultimately the best practices are to hire a knowledgeable system admin to tighten up and optimise your server.

    Don't install things which are not needed; this also applies to server software. cPanel is cool, but is it needed, for example?

    Ensure you stay on top of Apache, MySQL & PHP versions where security is concerned. Be strict with permissions on folders and files.

    Fewer plugins is not just a faster install, it's also a more secure install, with less code to worry about and potentially have flaws in.

    Use strong passwords; the longer and the higher the mixture of chars, the better.

    Let's look at some of their features:

    Remove the meta "Generator" tag

    Hiding it is cool to prevent people seeing the version, but chances are if your site's on the net a hacker would take a punt at a known security issue.

    I used to do this all the time; didn't really help.

    Change the urls for WordPress dashboard including login, admin, and more

    Not going to work in a multisite where people get a site, because they will find the link once signed up.

    What about the login for commenters or BP/Forum users?

    If a vulnerability is in the front end, a plugin or theme then this won't make much odds.

    Completely turn off the ability to login for a given time period (away mode)

    That's pretty cool if you're going away; would help with brute force, I suppose.

    Remove theme, plugin, and core update notifications from users who do not have permission to update them

    I personally like this option, but more for branding than security.

    Remove Windows Live Write header information
    Remove RSD header information

    Again, crackers will take a punt.

    Rename "admin" account

    I do like this option, good for brute force on the admin account.

    If you were really worried then just use a different username for admin stuff and then another one for front end content submission and interaction stuff.

    Change the WordPress database table prefix

    If there was a security vulnerability they could utilise a WP function to pull or even dump the DB. Furthermore, if they have access to your site by this point they will have your wp-config file and thus all the credentials.

    Change wp-content path

    Your content saves here; right-clicking on an upload to get the info would reveal the path unless they do something like Membership to obscure the path through PHP. Doing that for absolutely all images, downloads, etc. would increase the overheads required on your server.

    Removes login error messages

    I suppose this is the no username, invalid username or pass message. Maybe helps with brute force...

    Display a random version number to non administrative users anywhere version is used

    Same as the version info above.

    Scan your site to instantly tell where vulnerabilities are and fix them in seconds
    Ban troublesome bots and other hosts
    Ban troublesome user agents
    Prevent brute force attacks by banning hosts and users with too many invalid login attempts
    Strengthen server security
    Enforce strong passwords for all accounts of a configurable minimum role
    Force SSL for admin pages (on supporting servers)
    Force SSL for any page or post (on supporting servers)
    Turn off file editing from within WordPress admin area

    I can see how many of these could be useful; just be careful with banning bots if you enjoy your content being seen in search engines.

    Some of the other features look rather handy, but I suppose it depends on how efficient and effective their plugin is.

    Ultimately, a sys admin can add a solid layer of security.

    Take care.

  • David
    • The Crimson Coder

    Thanks, Tim. Sadly I'm the knowledgeable admin on this project, so that's why I've asked. Do you recommend a tool (particularly one that double-checks permissions -- I've checked them by eye, but I wouldn't mind some automated help)?

    Thanks, foodfriend... I'll check it out.

    Anyone else have suggestions, feel free to chime in!

  • Timothy
    • Chief Pigeon

    For permissions you can just set them recursively through SSH or FTP.

    Other things like software/server optimisation which the site runs on, that's a tough one with so many variables to consider. Really would need a good system admin for that, though.

    Some of the security plugins do look quite tasty, but you won't know how good they are until it's too late.

    They could be real super though and save you a ton. I'm not able to say for sure, sorry.

    Take care.
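Since the question of automatically double-checking file permissions (rather than eyeballing them after a recursive chmod over SSH) was left open above, here is an added example, not from anyone in this thread, of a small POSIX-sh audit. It assumes the common WordPress baseline of 755 for directories, 644 for ordinary files, and no "others" bits on wp-config.php, and it needs GNU find (-printf, -perm /MASK), so a normal Linux host; the fixture tree it checks is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit a WordPress tree for loose file modes.
# Assumed baseline: directories 755, ordinary files 644, wp-config.php 600/640.
# Requires GNU find (-printf, -perm /MASK).

# Print one line per offending entry: "<octal mode> <path> <reason>".
wp_perm_offenders() {
  root=$1
  # Anything group- or world-writable is wrong whatever its type (the 777 uploads dir).
  find "$root" -perm /022 -printf '%m %p group/world-writable\n'
  # Remaining directories that are not exactly 755 (e.g. 700 breaks the web server).
  find "$root" -type d ! -perm /022 ! -perm 755 -printf '%m %p dir not 755\n'
  # Remaining regular files that are not exactly 644; wp-config.php is handled below.
  find "$root" -type f ! -name wp-config.php ! -perm /022 ! -perm 644 \
       -printf '%m %p file not 644\n'
  # wp-config.php holds the DB credentials: no bits at all for "others".
  find "$root" -type f -name wp-config.php -perm /007 \
       -printf '%m %p wp-config.php readable by others\n'
}

# Print the offenders and return 1 if any were found, 0 if the tree is clean.
wp_perm_audit() {
  report=$(wp_perm_offenders "$1")
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Number of offenders, handy in scripts (prints 0 when clean).
wp_perm_count() {
  wp_perm_offenders "$1" | grep -c . || true
}

# Constructed fixture: a fake WordPress tree with four deliberate mistakes.
wp_perm_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
  : > "$root/index.php"; : > "$root/wp-config.php"
  : > "$root/wp-includes/version.php"; : > "$root/wp-content/uploads/photo.jpg"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  chmod 777 "$root/wp-content/uploads"            # classic "make uploads work" mistake
  chmod 666 "$root/wp-content/uploads/photo.jpg"  # world-writable file
  chmod 700 "$root/wp-includes"                   # too tight: web server cannot read it
  chmod 644 "$root/wp-config.php"                 # world-readable credentials
  printf '%s\n' "$root"
}
```

Run `wp_perm_audit /path/to/wordpress` from a cron job and alert on a non-zero exit; the fixture function exists only so the checks can be exercised without a real install.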
