Thread: WordPress Security For All WordPress Users (Not Just Catalyst Powered Sites)

  1. #1 caymanhost (Member, Cayman Islands, joined Jan 2011, 41 posts)

    I thought I'd post this here as I see so many users who have certain doors and windows wide open on their Catalyst powered sites.

    These basic security issues are not a Catalyst problem per se and are common to millions of WordPress powered sites. If you are one of those site owners it might be time to do some housekeeping - it's not difficult or technical.

    What many WordPress users don't understand is that each time they upload a compressed file such as a plugin or theme via their WP-Admin, a copy of those zipped files remains on their server (usually) in their wp-content/uploads directory. If they do not then delete those zip files and have left their directories open to browsing, anyone can waltz in and download the files.

    Try browsing to yourdomain.com/wp-content/uploads and see what happens. If you know the first thing about security you should see a "page not found" error or a "forbidden" error. If you see the contents of your directory you need to read on...

    Not only is this costing you bandwidth, it also makes you look a little foolish if you are trying to make sales as a Catalyst affiliate and have the theme and all the Dynamik child themes sitting on your server for free download :-) Or indeed any other plugin or theme.

    The simplest way to turn off access to your directories is via .htaccess. There is one very effective plugin that can do the work for you and add significant additional hardening to your entire site - it's free from the plugin repository. If you prefer not to use plugins I've linked to an article of mine below that will show you exactly what to do and gives all relevant information (including a link to this and several other plugins) which I hope Catalyst members will find useful:

    http://www.thecaymanhost.com/?p=1618

    If you really don't want to harden your sites against script kiddies, hackers and casual nosy browsers, at least make sure you delete the zip files from your uploads directory after you have installed things - you don't need them there taking up space.
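The two checks this post asks for, written as an added shell audit script (this is not code from the thread or from the linked article): it lists archives left behind under wp-content/uploads and reports whether .htaccess switches directory listings off, adding the `Options -Indexes` rule when it is missing. It assumes an Apache host that honours .htaccess files; the sample document root it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit example (not from the thread). Finds leftover archives in
# wp-content/uploads and checks/adds the directory-listing rule in .htaccess.
# Assumes Apache with .htaccess support (AllowOverride enabled by the host).

# Archives that installs via WP-Admin leave behind under wp-content/uploads.
find_leftover_archives() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.zip' -o -name '*.tar.gz' -o -name '*.tgz' \) 2>/dev/null
}

# Return 0 if the .htaccess at $1 contains an "Options ... -Indexes" line.
indexes_disabled() {
  grep -qi '^[[:space:]]*Options[[:space:]].*-Indexes' "$1" 2>/dev/null
}

# Append the directory-listing rule to $1/.htaccess unless already present.
disable_indexes() {
  indexes_disabled "$1/.htaccess" && return 0
  printf '\n# Never list a directory that has no index file\nOptions -Indexes\n' >> "$1/.htaccess"
}

# Print what a site owner would want to know about the document root $1.
run_audit() {
  echo "Leftover archives under wp-content/uploads:"
  find_leftover_archives "$1"
  if indexes_disabled "$1/.htaccess"; then
    echo ".htaccess: directory listing disabled"
  else
    echo ".htaccess: directory listing NOT disabled"
  fi
}

# Constructed sample document root (not a real site): one leftover theme zip,
# one legitimate upload, and a stock WordPress .htaccess with no Options line.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2011/12"
  : > "$root/wp-content/uploads/dynamik-child-themes.zip"
  : > "$root/wp-content/uploads/2011/12/photo.jpg"
  printf 'RewriteEngine On\nRewriteBase /\n' > "$root/.htaccess"
  echo "$root"
}

# Usage: sh audit.sh [docroot]; with no argument it audits the sample site.
site=${1:-$(make_sample_site)}
run_audit "$site"
```

Deleting the archives the audit lists is the other half of the fix; the script only reports them, so the owner can confirm each one is a leftover install and not something a plugin still needs.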

  2. #2 ian241 (Senior Member, Manchester, UK, joined Nov 2010, 129 posts)
    Hi Caymanhost - thanks for your comment on my post on here and also this information. You mention bulletproof security, could you tell me which settings you select for this plugin? I think one of the things that puts me off this plugin is the plethora of options, half of which I don't understand. How do you set yours up and what are the best "basic" settings?
    I run two businesses, Manchester Psychotherapy and Soul Healer Websites. Serious Catalyst lover and honoured to be part of such a great community!

  3. #3 caymanhost (Member, Cayman Islands, joined Jan 2011, 41 posts)
    Hi Ian,

    Bulletproof Security is quite straightforward setup-wise and I'll try to give a brief summary of the steps to take after installation.

    1) IMPORTANT: First place to go is the backup and restore tab to back up your existing .htaccess file(s). Select the first radio button and click "Backup Files"

    2) Go back to "Security Modes" and click on "Create Default .htaccess Files" (The correct button to use for your installation will be noted in green text)

    3) Next click on "Create Secure .htaccess File" (The button below the one used in step 2) (If you wish you can now make backups of your BPS master files or wait until step 5)

    4) You can now activate each of the 4 Bulletproof Security options in turn (If in doubt there is a Read Me link explaining each one but they should not cause any problems with your site)

    5) Go back to the Backup and Restore tab and click on "Backup your BPS Master .htaccess Files"

    That's it in a nutshell. If you want to use the maintenance mode option you can but it's not essential.

    You can check your progress at any stage by clicking on the "Security Status" link which will highlight any areas that need your attention in red text.

    (I should add a note for all readers that if your host doesn't support .htaccess then you won't be able to use it at all. Most do nowadays so it's unlikely to be a problem for most. If you have an .htaccess file already then you know you're very probably OK).
    Last edited by caymanhost; 12-28-2011 at 12:16 AM.

  4. #4 Senior Member (joined Nov 2011, 139 posts)
    You speak of other WP security plugins besides Bulletproof Security. Do you have recommendations on any other plugins to be installed along with Bulletproof Security or is Bulletproof Security a GOOD all-in-one (as it were) plugin??
    Quote Originally Posted by caymanhost:
    http://www.thecaymanhost.com/?p=1618

    If you really don't want to harden your sites against script kiddies, hackers and casual nosy browsers, at least make sure you delete the zip files from your uploads directory after you have installed things - you don't need them there taking up space.

  5. #5 caymanhost (Member, Cayman Islands, joined Jan 2011, 41 posts)
    BPS is a pretty good plugin that does enough on its own to protect your site and directories, your WP-admin areas etc. from hackers. It doesn't really need supplementing with anything else and can be tweaked to your own preferences - i.e. if you already have certain aspects in your existing .htaccess you can paste them in to the file that is generated by the plugin but again, it is set up pretty well to begin with.

    The only plugin that I mention in my article that must NOT be used with BPS is WordPress Firewall as the two do not play nicely together. You can use any of the others you wish but the original article was written before BPS was introduced to my own WP installs. If you install BPS and it works OK you have a pretty good defence against most hackers, at least as far as your WP powered sites go; certainly far better than sites without it. (I do have one site on which BPS seems to be having issues and I'm still trying to figure out why with the plugin developer but I've installed it in all others without any problems at all).

    As I said, if you prefer to keep plugin use to a bare minimum, and some folks do, there are links in the article that show you how to use .htaccess to protect your wp-admin, your wp-config and other directories and even your .htaccess file itself by adding a few lines of code manually.
    Last edited by caymanhost; 12-30-2011 at 07:11 PM.
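The "few lines of code" this post refers to, for wp-config.php and for .htaccess itself, as an added example that is neither the thread's nor the linked article's code. The script prints the Apache rules, appends them to a site's .htaccess when they are not already there, and includes a small checker that reads an .htaccess and reports whether each file is actually denied, which is how to verify a hand edit or a plugin-generated file. It assumes an Apache host that honours .htaccess; the rules use Apache 2.2 syntax, which Apache 2.4 only accepts with mod_access_compat loaded (otherwise `Require all denied` replaces the two lines).

```shell
#!/bin/sh
# Added example (not from the thread): deny web access to wp-config.php and
# .htaccess, and verify that an existing .htaccess already does so.
# Assumes Apache with .htaccess support.

# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied".
sensitive_file_rules() {
  cat <<'EOF'
# Database credentials live here; nothing should fetch it over HTTP
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
# The rules themselves should not be readable either
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
EOF
}

# Return 0 if the .htaccess at $2 has a <Files>/<FilesMatch> block naming $1
# that denies all access (either "Deny from all" or "Require all denied").
sensitive_file_denied() {
  [ -f "$2" ] || return 1
  awk -v want="$1" '
    tolower($0) ~ /^[[:space:]]*<files(match)?[[:space:]]/ { inblock = index($0, want) > 0; next }
    tolower($0) ~ /^[[:space:]]*<\/files/ { inblock = 0; next }
    inblock && (tolower($0) ~ /deny[[:space:]]+from[[:space:]]+all/ ||
                tolower($0) ~ /require[[:space:]]+all[[:space:]]+denied/) { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$2"
}

# Report on both files for the document root $1.
protection_report() {
  for f in wp-config.php .htaccess; do
    if sensitive_file_denied "$f" "$1/.htaccess"; then
      echo "$f: denied"
    else
      echo "$f: NOT protected"
    fi
  done
}

# Append the rules to $1/.htaccess unless wp-config.php is already denied.
protect_sensitive_files() {
  sensitive_file_denied wp-config.php "$1/.htaccess" && return 0
  sensitive_file_rules >> "$1/.htaccess"
}
```

Usage: `protection_report /path/to/docroot` before and after `protect_sensitive_files /path/to/docroot`. Because the checker looks for a deny inside a block that names the file, a `<Files>` block that merely mentions wp-config.php without denying it is correctly reported as unprotected.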

  6. #6 Senior Member (joined Nov 2011, 139 posts)
    Thanks.. I'm all for limiting plugins, but I am selective about the plugins I use anyway.. Most of them are all about site maintenance and monitoring.. With Catalyst some of the layout type of plugins I have used are no longer being used.

    One good thing about BPS is it allowed me to dump my Maintenance Mode program.. This plugin was nice, but it wasn't playing well with Theme My Login without a hack.. So having this feature as a part of BPS is a good thing.. I am still on the fence about whether or not to dump the Memory Usage plugin though.. It has overlapping features with BPS, but it also has features BPS does not include.. However, it looks like the BPS Pro version fills the gap between these two plugins and provides error logging/monitoring to boot. So if I upgrade to the BPS Pro version I could dump TWO plugins..

    Anyway, thanks for the information.. I have copied the contents of your BPS setup post and link to your blog into my BPS notes..

    Quote Originally Posted by caymanhost:
    BPS is a pretty good plugin that does enough on its own to protect your site and directories, your WP-admin areas etc. from hackers. It doesn't really need supplementing with anything else and can be tweaked to your own preferences - i.e. if you already have certain aspects in your existing .htaccess you can paste them in to the file that is generated by the plugin but again, it is set up pretty well to begin with.

    The only plugin that I mention in my article that must NOT be used with BPS is WordPress Firewall as the two do not play nicely together. You can use any of the others you wish but the original article was written before BPS was introduced to my own WP installs. If you install BPS and it works OK you have a pretty good defence against most hackers, at least as far as your WP powered sites go; certainly far better than sites without it. (I do have one site on which BPS seems to be having issues and I'm still trying to figure out why with the plugin developer but I've installed it in all others without any problems at all).

    As I said, if you prefer to keep plugin use to a bare minimum, and some folks do, there are links in the article that show you how to use .htaccess to protect your wp-admin, your wp-config and other directories and even your .htaccess file itself by adding a few lines of code manually.

  7. #7 deepsouth (Senior Member, Van Diemen's Land, joined Jan 2011, 980 posts)
    I have folder access turned off at the server. I also find that Better-WP-Security covers many holes:
    http://wordpress.org/extend/plugins/better-wp-security/

    PS: Had a look at your site Cayman, nice but very heavy with ads!
    Last edited by deepsouth; 12-30-2011 at 07:40 PM.

  8. #8 caymanhost (Member, Cayman Islands, joined Jan 2011, 41 posts)
    Quote Originally Posted by deepsouth:
    I have folder access turned off at the server. I also find that Better-WP-Security covers many holes:
    http://wordpress.org/extend/plugins/better-wp-security/

    PS: Had a look at your site Cayman, nice but very heavy with ads!
    Thanks deepsouth, looks like another good plugin - although a lot of what it does I have done manually or with similar security plugins. Still a good one to know about for everyone reading though, thanks for posting it.

    That site is ad heavy yes, it's one of my moneymakers and as such there is no point being a shrinking violet. Only ads for quality products and services make the grade, invariably things I have bought and tested myself, and, ads for which I am paid monthly by the advertisers themselves (It's also a site that doesn't run on Catalyst - about the only one I've got left that doesn't in actual fact).

  9. #9 caymanhost (Member, Cayman Islands, joined Jan 2011, 41 posts)
    Thanks divavocals - I liked the built in maintenance mode too and did the same as you - dumped the Maintenance Mode plugin once I set up BPS. For me I don't think the pro version gives me any more than I want and get from the freebie but I can see the benefits for some folks certainly. I'm glad you found BPS useful and that it hasn't given you any problems/conflicts.

    Agree that Catalyst does indeed make a lot of plugins redundant - I dropped all the usual SEO plugins when I switched and rankings have not suffered for any of them. The only thing I tend to keep is the robots meta plugin from Yoast which has a few useful tweaks. I do use a few not so common plugins here and there on occasion such as RSS feed and backlink indexing type tools that seem to be effective - if a plugin doesn't help me it soon gets binned.

  10. #10 Junior Member (joined Jan 2012, 29 posts)
    I installed Bulletproof Security on my site. In addition, for added protection, I wanted to password protect the wp-admin directory. Unfortunately, though, password protecting the directory results, not in a directory password login box popping up, but in a Page Not Found.

    Using the cPanel, I password protected the wp-admin directory. Now, after logging in using the domain.com/wp-login.php page, a custom Page Not Found page is displayed. (The same custom Page Not Found page is also displayed when attempting to access domain.com/wp-admin/.) The WP admin page cannot be reached.

    Since the WP login (domain.com/wp-login.php) is in the root and then redirects to the wp-admin directory, I was expecting to first login into WP and then be greeted with a password login box for the wp-admin directory, not a Page Not Found.

    I suspect that this has something to do with Bulletproof Security, as the cPanel password protection works on directories of other sites with the same host. However, in reviewing the wp-admin directory .htaccess file created by Bulletproof Security, it mentions being able to password protect the directory.

    Any suggestions on how to password protect the wp-admin directory while using Bulletproof Security?
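An added example for the symptom in this post, not code from the thread or from Bulletproof Security. A common cause of a "Page Not Found" in place of the password prompt is that Apache's 401 challenge is handed to an error document that WordPress's rewrite rules route to index.php, which then reports the URL as not found; the usual fix, and the one the WordPress documentation gives for this symptom, is `ErrorDocument 401 default` so that Apache serves its own built-in response. The script prints that rule together with the basic-auth directives for wp-admin, appends them to wp-admin/.htaccess without discarding what a plugin already put there, and refuses an .htpasswd location inside the web root. It assumes an Apache host that honours .htaccess; the `/etc/apache2/wp-admin.htpasswd` path is a placeholder, and the htpasswd file itself is created separately with Apache's `htpasswd` utility.

```shell
#!/bin/sh
# Added example (not from the thread): HTTP Basic auth on wp-admin that keeps
# Apache's own 401 page, so the browser shows a password prompt rather than
# WordPress's "Page Not Found". The htpasswd path is a placeholder; create the
# file with:  htpasswd -c /etc/apache2/wp-admin.htpasswd yourname

# Print the rules to add to wp-admin/.htaccess. $1 is the absolute path of the
# htpasswd file, which must live outside the document root.
wp_admin_auth_rules() {
  cat <<EOF
# Serve Apache's built-in 401/403 pages instead of letting the error request
# fall through to WordPress's rewrite rules (which answer with a 404 page)
ErrorDocument 401 default
ErrorDocument 403 default
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user
EOF
}

# Return 0 if the htpasswd path $2 is outside the document root $1.
htpasswd_outside_docroot() {
  case "$2" in
    "$1"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# Return 0 if the .htaccess at $1 already serves the default 401 page.
has_401_default() {
  grep -qi '^[[:space:]]*ErrorDocument[[:space:]]*401[[:space:]]*default' "$1" 2>/dev/null
}

# Append the rules to $1/wp-admin/.htaccess, keeping any existing content
# (for example the file Bulletproof Security generated). $2 is the htpasswd
# path. Refuses a web-readable htpasswd location and is safe to re-run.
install_wp_admin_auth() {
  if ! htpasswd_outside_docroot "$1" "$2"; then
    echo "refusing: $2 is inside the web root and would be downloadable" >&2
    return 1
  fi
  mkdir -p "$1/wp-admin"
  has_401_default "$1/wp-admin/.htaccess" && return 0
  wp_admin_auth_rules "$2" >> "$1/wp-admin/.htaccess"
}

# Usage: install_wp_admin_auth /path/to/docroot /etc/apache2/wp-admin.htpasswd
```

After adding the rules, the check from the original post still applies: a request for domain.com/wp-admin/ should now produce a browser login box, and only after that the WordPress login. If the host's own "password protect directory" tool has already written AuthType lines into wp-admin/.htaccess, only the two ErrorDocument lines are missing.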
