WordPress security expert stories and 40 new security tips from members!

We recently interviewed 4 WPMU DEV members who provide professional WordPress security and maintenance services. Here is what they had to say.

At the beginning of this month we released a series of tutorials on WordPress security, held a member forum discussion on WordPress security issues, and interviewed WordPress security experts. Yes, you guessed it: WordPress security! We then collected and published many excellent tips and expert answers from members on the discussion forum. We will cover the following topics:

Ask a WordPress security expert
1. What kind of WordPress sites do you usually work with?
2. What are the most common security problems on client WordPress sites?
3. What is the worst security problem you have had to solve for a customer?
4. Can you share some of the processes you use to protect WordPress sites, and how you handle security breaches on client sites?
5. Which WordPress security plugins do you use or recommend, and why?
6. What must WordPress users not ignore when it comes to website security?
7. Do you have any security tips or favorite resources you would like to share with other WordPress web developers?
8. What would you like to add about WordPress security?

Members' additional WordPress security tips
Has your website been attacked online? What happened, and how did you fix it?
Is there a security tool you can't live without?
When was the last time you thoroughly checked your WordPress security?

So instead of worrying, let's meet the WordPress security experts and discuss how to keep a WordPress site secure.
Ask a WordPress security expert

Richard van Denderen is the creator of wphelpdesk.nl. Richard started his first website at the age of 14 and began using WordPress in 2008. He is a meetup host and WordCamp volunteer in the Dutch WordPress community, a moderator of the Dutch WordPress.org support forum, and very active there. Richard says: "The common problem we solve is a website that throws errors or redirects abnormally because of malicious code. Over the years we have helped hundreds of website owners clean up hacked websites."

Jesse Waitz runs flagtaffconnection.com, which provides hosting and website development services from Flagstaff, AZ in the United States. A local WordPress developer and Codeable.io expert, Jesse started hosting and developing websites in 1999. His expertise comes from long, difficult and sometimes painful experience. As he said,

Cliff Rohde is the owner and CEO of GoatCloud Communications LLC, founded in 2013. Cliff is passionate about the intersection of communication and technology and supports the online success of businesses and non-profit organizations of all kinds. Cliff built his first website in 1995 and his first WordPress website around 2007. He is a former lawyer who gave up his legal practice to focus on GoatCloud.

Logan Lenz is Head of Awesomeness at Awesome Website Guys. Logan is a website innovator and digital marketer with more than 20 years of industry experience. As the owner of a digital agency, Logan uses a wide range of technologies, tools and resources to meet customers' digital needs. As Logan said,
1. What kind of WordPress sites do you usually work with?

Jesse: I mainly spend my time developing, maintaining and hosting WordPress-based websites, mostly small and medium-sized client sites. I have about 12 successful e-commerce websites and about 12 multisite setups. I host more than 200 sites on 7 servers and provide ongoing maintenance and security for about 150 WordPress sites. I also run separate mail servers for more than 60 companies, hosting more than 180 e-mail accounts.

Cliff: The websites GoatCloud maintains are mainly for small businesses and sole traders. However, we also maintain several websites for non-profits and fairly large medium-sized enterprises.

Logan: Awesome Website Guys works with other small businesses across a wide range of industries. These include e-commerce, multisite, non-profit, restaurants, community, hotels, events, construction, automotive, health and wellness, fitness, real estate and other organizations.

2. What are the most common security problems on client WordPress sites?

Richard: The most common security problem is overdue maintenance. Sometimes the "latest version" of a plugin is one its developer released more than 9 years ago and has not updated since. In many other cases available updates are not reported at all, because premium plugins and themes without a valid license do not report them, so the end user is confident everything is up to date because WordPress shows no available updates.

Another common security problem I often encounter is that multiple sites in the same (budget) web hosting package are not properly isolated from each other, so one compromised site contaminates the others.

Jesse: Brute-force attacks on the WordPress login are currently the most widespread problem for me, but Defender handles that for me. The second most common vector is weaker or older plugins and themes. Updating the core, themes and plugins of all sites weekly resolves that; keeping everything up to date is the best defense against this problem.

A few years ago I ran my websites on a server that also provided e-mail. This meant site activity could affect e-mail delivery, or an e-mail virus could become an attacker's Trojan horse, which caused many problems. In the past few years I have separated e-mail from the websites onto another server, and the cross-contamination problems have disappeared. It is much safer.

Cliff: When inheriting a site, I often find how lax the site owner or the previous developers were when setting up accounts. In many cases the software is old, the passwords are weak, or the user names are easy to guess. Inherited sites usually have no software on the site or the host to protect them.

Logan: The most common security problem for client WordPress sites is DoS attacks. For those new to the term, a DoS attack means multiple requests are sent to the client's website at the same time, overloading the server and crashing the site. Hackers can use data queries to add, delete or steal site content on the client site. Another common security problem is hackers breaking into the client site, adding new users and random content (usually code or junk content), and modifying the admin site settings.

3. What is the worst security problem you have had to solve for a customer?

Richard: The worst security problem I've seen involved 8 web hosting accounts of which only one website was in use. There were all kinds of problems. I had tried to do something with backups myself, but it didn't help. Before they turned to us for help, there was another
contains links to sites, etc. A multisite installation complicates the problem. It took a lot of time to sort everything out through the WordPress forms!

Logan: We have encountered some truly clever phishing scams that had to be stopped. I remember one day a customer realized he had handed bank credentials to someone he thought was the CFO at the time, and called in a panic. What we learned later was that the hacker had found a way to penetrate all kinds of customer systems and obtain profitable information. The problem was resolved before it got any worse, but because of how important strong security is to a business, it sounded an alarm.

4. Can you share some of the processes you use to protect WordPress sites, and how you handle security breaches on client sites?

Richard: The first point of my process is to check whether the website has its own hosting package or shares it with multiple old websites. Then restrict file permissions and public access, as well as folders that do not need them, and restrict the execution of PHP files. Also check users and roles, and pending/old themes and plugins. In addition, get rid of all plugins and themes that are installed but not actively used. In general I now have an extensive checklist that is constantly updated with new points whenever I use it and find good additions.

If there is a breach, it varies slightly according to the type of breach. Generally speaking, one of the first things I do is add a deny-all entry to .htaccess and then go through the log files to determine how the breach happened and what was affected. Most of the breaches on the client sites I maintain were caused by disgruntled or dismissed employees trying to cause chaos. In that case you revoke access, change passwords, and audit the changes of the past few months. I have found that it is really easy for many (small) companies to hand their employees login credentials for all kinds of systems and tools without considering how they will revoke that access later.

Jesse: That's not an easy question to answer. I use both server-based and site-based solutions. On the server there are multiple bash scripts that run automatically every night to lock everything down. One script runs rkhunter, an LMD scan and clamscan every night to find and remove injected content or files. Another script checks all public files and folders and makes sure the correct permissions are set (files 644, directories 755); if the script finds anything, it changes it on the spot. Another script backs up all sites and databases to a remote DigitalOcean Space every day.

On the site side I use Defender to lock down all the regular attack points, and a program called NinjaFirewall to create a web application firewall for my sites. It is a plugin, but it is actually a firewall that loads before a single line of PHP is read or a single MySQL query is run. This is the most important site-based solution you can implement. NinjaFirewall is free; the Wordfence WAF is very expensive. The NinjaFirewall WAF is as good as the Wordfence WAF, so I chose it. For breaches there are different solutions for every problem, but usually we figure out how it got in and start from there.

Cliff: First, update all software: WordPress core, plugins, themes and the hosting environment (such as PHP). Use a user name that is hard to guess. I use secure passwords (long and unpredictable, which is easy with a password manager).
may be damaged by more vulnerabilities. Depending on the type of WordPress site, hackers can easily break into the site, steal its content, change the administrator settings and lock you out of the site. This can cost you all the time, energy and money you have invested in the website, which can be fatal for your business. There are many free WordPress security plugins that easily prevent attacks, so users are advised not to ignore security plugins for their site. A few clicks make the site much safer than before.

7. Do you have any security tips or favorite resources you would like to share with other WordPress web developers?

Richard: The experts at wpscan.com (formerly wpvulndb) have been at this for a long time, and I am very familiar with them. I actively recommend their mailing list. Most of it is paid now, but I think it's worth it. The e-mail alerts are useful for finding affected plugins and are important for new vulnerabilities. In addition, the blogs of Sucuri, Wordfence and NinTechNet always describe new vulnerabilities in great detail!

Jesse: First of all, I know you don't want to hear this, but I use MainWP for all website maintenance. Second, good hosting may be the best investment. If people like me don't have time to manage the website, please don't use cheap hosting. Find a service that protects and updates your site on a weekly basis (not GoDaddy or BlueHost). You get what you pay for. Third, don't host your site and e-mail on the same server! Finally, never use a host that uses cPanel. It opens too many things on the server that are slow, outdated, rarely used or unneeded, such as e-mail on a web server. I think my soapbox is over!

Cliff: Malicious actors like to attack the WordPress login and try to break in indiscriminately. Wordfence is a good way to stop too many malicious attempts. However, for many clients we also set Cloudflare firewall rules that block login attempts from foreign IPs. Obviously, if the site owner wants people to log in from outside the United States, that won't work, and this is becoming more and more common. However, many U.S.-based small businesses do not need their login URL, or their site at all, to be followed or visited from foreign IPs.

Logan: As for website security, it's better safe than sorry. With the rapid development of network security, hackers are always looking for loopholes that can damage customers' websites. Keep studying security best practices, use the best security plugins for your customers, and regularly monitor customer sites for information. Most security plugins offer the option to set up automatic daily reports so the client receives the main information about the site. If there is a security vulnerability, that is the ideal opportunity to resolve and repair it. As a result the customer's site is more secure, and the risk of becoming the hackers' next target is lower.

8. What would you like to add about WordPress security?

Richard: Security plugins are not solutions, but tools.

Jesse: I think I covered it above.

Cliff: Keep spreading the word about security!

Logan: As mentioned above, WordPress security will continue to develop and improve. That is good news, because cyber criminals are evolving too. Staying on top of current attacks and threats helps you implement the plugins and techniques required to keep client sites safe and secure.
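Two of the steps described above, Jesse's nightly check that every file is 644 and every directory 755 under the document root, and Richard's restriction of PHP execution in folders that do not need it plus the deny-all he drops into .htaccess while reading logs after a breach, can be combined into one small script. The following is an added example written for this post, not any of the interviewees' own scripts; the function names, the temporary demo tree it builds, and the assumption of a standard WordPress layout with Apache 2.4 .htaccess syntax are all mine.

```python
# Added example (not the interviewees' scripts): nightly docroot lockdown for a WordPress tree.
# Assumes a standard layout with wp-content/uploads; .htaccess directives use Apache 2.4 syntax.
import os
import stat
import tempfile

FILE_MODE = 0o644  # owner read/write, everyone else read-only
DIR_MODE = 0o755   # owner read/write/traverse, everyone else read + traverse
# Placed in wp-content/uploads so a file smuggled in through an upload form is never run as PHP.
NO_PHP_HTACCESS = '<FilesMatch "\\.ph(p[0-9]?|tml|ar)$">\n    Require all denied\n</FilesMatch>\n'
# The "deny all" Richard adds to the root .htaccess while he reads the logs after a breach.
DENY_ALL_HTACCESS = "# emergency lockdown, remove after cleanup\nRequire all denied\n"

def _enforce(path, wanted, apply, changed):
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return  # never chmod through a symlink; that would change its target
    if stat.S_IMODE(st.st_mode) != wanted:
        changed.append(path)
        if apply:
            os.chmod(path, wanted)

def fix_permissions(docroot, apply=True):
    """Return every path under docroot that was not 644 (file) / 755 (dir); apply=True fixes it."""
    changed = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames:
            _enforce(os.path.join(dirpath, name), DIR_MODE, apply, changed)
        for name in filenames:
            _enforce(os.path.join(dirpath, name), FILE_MODE, apply, changed)
    return sorted(changed)

def block_php_in_uploads(docroot):
    """Write the no-PHP rule into wp-content/uploads/.htaccess and return its path."""
    uploads = os.path.join(docroot, "wp-content", "uploads")
    os.makedirs(uploads, exist_ok=True)
    target = os.path.join(uploads, ".htaccess")
    with open(target, "w") as fh:
        fh.write(NO_PHP_HTACCESS)
    os.chmod(target, FILE_MODE)
    return target

def lockdown(docroot):
    """Prepend deny-all to the root .htaccess, keeping a backup of the rewrite rules for later."""
    target = os.path.join(docroot, ".htaccess")
    original = open(target).read() if os.path.exists(target) else ""
    for path, text in ((target + ".pre-lockdown", original), (target, DENY_ALL_HTACCESS + original)):
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, FILE_MODE)  # keep the audit clean: new files get the same mode
    return target

def demo():
    """Constructed WordPress-like tree with two wrong modes; returns what the audit found and fixed."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("wp-config.php", "index.php"):
        open(os.path.join(root, rel), "w").close()
    for rel, mode in (("wp-content", 0o777), ("wp-content/uploads", 0o755),
                      ("wp-config.php", 0o666), ("index.php", 0o644)):
        os.chmod(os.path.join(root, rel), mode)
    fixed = [os.path.relpath(p, root) for p in fix_permissions(root)]
    block_php_in_uploads(root)
    head = open(lockdown(root)).readline().rstrip()
    return {"fixed": fixed, "clean_after": fix_permissions(root, apply=False), "head": head}
```

Running `fix_permissions(docroot, apply=False)` first gives a dry-run list, which is the safer way to introduce the check on a site you inherited.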
Members' additional WordPress security tips

In addition to the expert interviews, we held a forum discussion on WordPress security and asked members the following questions: Have you ever operated or managed a website that fell victim to an online attack? If so, tell us what broke and how you fixed it! Is there a security tool you can't live without? When was the last time you thoroughly checked your WordPress security, and do you think that is the part that will take more time? Here are some of the answers:

1. Has your website been attacked on the Internet? What happened and how did you fix it?

What I often see are idle websites: no valid license, no updates for years, or premium themes/plugins that are not updated. We have also cleaned up malware where the WordPress password found in an e-mail ranked among the top 10 insecure passwords actually in use. – Richard

Fortunately not. Defender, strong passwords and 2FA. –

Yes, someone accessed the hosting account and deleted the site and all backups. The intruder guessed the client's password (the company name and the number 1). Started with a new user, changed the password, enabled 2FA, and restored the site from an offline backup. – Chris

I really appreciate the last client site that I repaired with Defender Pro; I was able to sort everything out and resubmit it to Google! It made me look like a superhero! Thank you.

I remember a customer calling me because a Victorian customer's website (which I didn't create) had been hacked. Because I hadn't built the site, it was hard to know the dependencies between plugins. I needed to scan/clean up/re-upload several times to remedy all the security violations. Finally, I asked all employees to change their e-mail passwords and all other passwords to add a layer of security. –

I inherited two websites that had been hit by hackers. Both had old cores and plugins. Fortunately it was a problem I could handle: for both I was asked to take the hacked website down, create a new one, and reinstall it with the pages to be provided during the build. – Kiss

Yes, a few years ago a website fell victim to script injection. It was on shared hosting with some old plugins and needed a lot of manual file cleaning. That's when I learned that I need security beyond passwords. Recently Defender locked me out during a brute-force login attempt, but I changed the admin login URL and everything has been quiet since. – Danny

My website has been hacked more than twice. WebARX was in place and it still got hacked. Using Eli's Anti-Malware Security and Brute-Force Firewall, installing and running the program removed all the malware. – Sarah

With 15 years of WordPress and 20 years of web development, I have handled a lot of hacked websites. Everything from DDoS and brute-force logins to an angry ex-wife replacing the images on all her husband's blog posts with unflattering photos. In most cases a backup restore is the fastest and easiest fix. If there is no backup, the malicious content has to be rooted out and removed the hard way, sometimes even with a complete rebuild. – Wolf Bishop

I've cleaned up several compromised WP websites. Almost every time a plugin or WP update had been missed. – Catalin I.

People keep trying to sign in to my account. Defender Pro is a great help for WordPress. I also use a plugin called Stop Spammers, because I get a lot of spam. Many bots and hackers probe the site for plugin file paths. – Jonathan

2. What is a security tool you can't live without?

No plugin can provide 100% security. In most cases it is the user/site owner who has done something wrong or made a mistake. A WP website can be greatly hardened without tools or plugins. What you do need is anti-virus software on your computer. It doesn't matter how secure the site is: if the PC itself is compromised, it's pretty much over. – Richard

Eli's Anti-Malware Security and Brute-Force Firewall. Now all the WPMU DEV plugins. –

Backups. – Diaz

Defender, for sure. – Alvaro

Required for all single WordPress installations: Antispam Bee. – Qiuxin

Defender Pro, I can't believe it took so long to find you!!!!! – Victoria

Backup tools, migration tools, scanners and firewalls. – Jones

Defender. I had a SiteLock account, but finally realized it was a waste of money. Then I used several different WP plugins, but most of them have been replaced by Defender.

I think security is very important. My websites have not been hacked. I mainly use Wordfence and Defender. In addition, keep an eye on the WPScan vulnerability database. Frequent updates and backups. – Chip

Defender Pro for several years. I was surprised to find the learning curve easy to approach, but I'm still learning every month: suggestions, correct settings, avoiding spam, etc. – Gigro

Defender and WPMU DEV hosting. All the security header options + vulnerability scanning + WAF; the developers seem to have got it right.

I use Defender to block an IP after 3 login failures within 60 minutes. The Defender default is 5 failed logins in 5 minutes, then a block for about 1 hour to 1 week. I also use Defender's login masking, banned user names, and other features. – Tony

Guard and the WPMU DEV WAF. – Kiss

Customers' secure hosting, regular backups, a firewall, 2FA. – Danny

A WAF is big: stop them before they start. I also use Defender to help pull general security measures into one place. –

Eli's Anti-Malware Security and Brute-Force Firewall (GOTMLS) is an excellent plugin. Most importantly, the price is reasonable, unlike other very expensive and ineffective plugins. Unfortunately it only removes malware; it does not detect it. – Shalla

Defender, WPScan, sqlmap. – Wolf Bishop

From a security-tool perspective, it's Malwarebytes, and the website now uses Defender Pro. But I'm interested in Windows security. – Ship Partel

3. When was the last time you checked WordPress security thoroughly?

I keep a close eye on all the websites I maintain and track all plugin and theme vulnerabilities. If there is no suspicious behavior, a thorough inspection is done at least once a year. So far, *knock on wood*, only one WP website I am responsible for has been hacked, and that was through a zero-day vulnerability. In addition, my web hosting provider was once the victim of a ransomware attack. Fortunately I had my own remote backups, because his backup server was compromised at the same time. I was back online with another host a few hours later; his other client was offline for 3 days. – Richard

I check almost daily, or at least weekly. – Diaz

At least weekly. If Defender is set up, usually
