What security solutions do you use?

Security seems to be a big topic for WordPress developers lately. One of my sites was also hacked twice in late May and Early june 2013 and the security has been incresed afterwards. Personally, I am currently using the Better WP Security plugin, All in One WP Security plugin, Wordfence plugin and Securi thorugh ManageWP. I am curious to know what solutions are being used by other members.

  • Alexander
    • DEV MAN’s Mascot

    Definitely interested to see what other members are using for this at the moment.

    One plugin that might no be mentioned here would be Anti-Splog. It’s not a security plugin by itself, but it changes enough of the registration process that several good security measures are enforced already.

    It can make your signup URL dynamic – so the actual URL will change periodically. It also has great captcha support built in.

    It’s for Multisite only, and it’s a real life saver when it comes to preventing spam blogs!

    Best regards

  • Imperative Ideas
    • HummingBird

    BWPS is a good product. It doesn’t block the enumeration of users on ID 1-10 though. You need to block user enumeration, change any admin ID’s in the 1-10 slot to a random 7 digit number, then re-associate their posts. I dished out the SQL commands for that in another post yesterday.

    My strong recommendation is that you visit http://wpscan.org/ and make a Backbox CD. Boot that up and scan your site using wpscan and if you don’t see any major problems, 99.9% of the bots will ignore you. They look for soft targets and use the same commercially available scanning software that you can download from the provided link.

  • Imperative Ideas
    • HummingBird

    Changing user IDs in WP works like this: http://pastebin.com/pebddqPY

    Go into PHPMyAdmin, click on a DB, click on a table. At the top of the page, you’ll see a represntation of your SQL query. Edit that (there is a link). Now you are into ez mode.

    Click on Query.

    Paste the linked code. If you haven’t changed wp_ to something else, then it will work fine. If you did, just change the table prefix, The first run will work. For the second run, change “1” to “2” and “123456” to another random string of numbers.

    Repeat for 3-10

    Now if you block all user ennumeration, you are very hard to hack. The next step is to make your admin a user that NEVER posts, so that username is never revealed in the code. Remove WP version numbers by deleting readme.html and changing the RSS feed, lock down your htccess, change your php.ini so you aren’t revealing your full path, and from there BWPS has your back.

    WPScan will prove it.

  • Decura
    • The Bug Hunter

    @imperative Ideas

    I’m glad that you mentioned the part about the modifying the htaccess file as I read it on your blog a couple of weeks ago. Could you please explain how the block scan code works in more details or perhaps refer us to a place where we can get more information about it?


    Duo Factor Authentication is another great point. I forgot about to mention this. Imperative Ideas also writes about this in his blog.

  • lol
    • The Incredible Code Injector


    Very interesting thread.

    From my side I recommend this:

    * Do not use a shared hosting

    * Do not use a Windows server …

    * Always have WordPress and plugins up to date.

    * Protect your SSH FTP and anything-PANEL accesses with passwords reinforced concrete

    * Use fail2ban to block repeated login attempts (and ban recidivists for months …:wink:.

    Luckily IPv6 are not yet targeted by hackers, but it will come …

    Wpscan is a good tool, but do you know w3af ? http://w3af.org/

    It will found a LOT of vulnerabilities, All directories and files of your site, and so more

    Don’t forget that sql injections are one of the prefered way to hack sites. And it’s more easy than brute force paswwords.


  • Imperative Ideas
    • HummingBird

    @decura sure, I can break it down line by line for you.

    # BEGIN block author scans
    # END block author scans

    Anything preceded by a hash sign (#) is a comment

    RewriteEngine On

    The RewriteEngine directive enables or disables the runtime rewriting engine. WordPress does this by default so, technically, it’s redundant. Technically, it’s good practice to include all parts of the code when giving an example. It is expected that the end user will refactor the full script on their own.

    RewriteBase /

    The RewriteBase directive specifies the URL prefix to be used for per-directory. Had we been working on http://mydomain.com/blog, the rewrite base would have been /blog/

    RewriteCond %{QUERY_STRING} (author=d+) [NC]

    RewriteCond sets the condition that must be met in order for the rule to be applied. In this case, we are looking for something like this:


    Which, given the size of the target that site has painted on it, makes it kind of amazing that it redirects in to this: http://www.gop.com/author/myadmin/

    Good job GOP, I see you are also running version 3.3.2 of WordPress. Here is a good example of what we are trying to AVOID.

    So we accomplish that by looking for a string like “author=1” with regular expression. Apache is looking for a query string (after the ?) using the regex “(author=d+)” – which means author= followed by d+. d is a digit (a character in the range 0-9), and + means 1 or more times. So, d+ is 1 or more digits. That bit of code matches author=(any numeric string of any length) and [NC] means we are not looking at case-sensitive code (default but again, good practice to include).

    So we’re hunting for that string because, if it’s entered, we don’t want WordPress sending along the user name to a program like wpscan that is seeking them. This isn’t a problem when the admins are randomly numbered in the 7 digit range either because, let’s face it, most bots are only interested in 1-10.

    RewriteRule .* - [F]

    Finally, we come to the RewriteRule. This is the code that gets executed when the condition is matched. In this case, * is a wildcard for “all” and [F] is a switch telling Apache to returns “Forbidden” – better known as a 403 error. WordPress typically interprets that by keeping you on the same page but bots interpret it as a fail.

    The end result is that your usernames are only revealed when they post something on the site.

    Again, this is why security dictates that your administrative user should not be a posting account, though this means you need to remember to log in and update your plugins daily. Running a management interface like ManageWP is a different type of security risk but it’s far less damaging than posting 5 blogs a week as an account with access to nuclear weapons.

  • Imperative Ideas
    • HummingBird

    Happy to help man, thanks for the points. If you want to learn Regular Expression, check out Jeffrey Way’s course at TutsPlus Premium.


    He also does stellar courses in PHP and jQuery, the jQuery course is free.



    The courses are really well explained but super dense. When you find yourself staring at the screen like a blank wall – stop. Go back and practice some of what you have learned. He gets into the cool bits really fast and it’s stuff you can really use. Go back after a few days of working on sites and re-watch the video that lost you. It’ll be easy.

    This is how code is learned, it’s not like anyone just picks up a book and gets it Matrix style.

  • Imperative Ideas
    • HummingBird

    If you want to have some fun with site security, burn a CD of http://www.backbox.org/

    WPScan and it’s Joomla cousin both come pre-installed. The best way to secure your site is to use the same tools that the pros do to investigate. Unfortunately, none of these tools handle private repositories. You have to watch the boards like a hawk if you use a lot of private code. Even WPMU comes up every few months, though the guys here are very fast to respond.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.