LinkedIn emplea cookies para mejorar la funcionalidad y el rendimiento de nuestro sitio web, así como para ofrecer publicidad relevante. Si continúas navegando por ese sitio web, aceptas el uso de cookies. Consulta nuestras Condiciones de uso y nuestra Política de privacidad para más información.
LinkedIn emplea cookies para mejorar la funcionalidad y el rendimiento de nuestro sitio web, así como para ofrecer publicidad relevante. Si continúas navegando por ese sitio web, aceptas el uso de cookies. Consulta nuestra Política de privacidad y nuestras Condiciones de uso para más información.
We use WP Engine. They keep daily backups for 30 days and have a partnership with Sucuri for scanning havked sites and fixing issues
This gives attackers less avenues for gaining access.
- Formerly BetterWPSecurity (believe the free version shows up as that still in the file directory) - Upon activating iThemes Security you’ll get the important first steps screen
Good idea to take care of high priority items
Need to allow for iThemes to write to wp-config.php file
- Error messages to display to users / hosts for different lockout reasons
- Allows users / hosts to be banned for hitting a certain limit of lockouts within a certain time period
If you’re forgetful you may want to white list your IP. - Use this sparingly
Detects hosts that are hitting an unusually high number of 404 pages This can occur when an attacker is scanning for known vulnerabilities in plugins and themes on your site if those files don’t exist
Let’s you completely block access to the backend during certain periods Can set up daily or one-time limits
-Allows you to use hackrepair.coms list of known bad hosts / bots -Enabling ban users let’s you permanently ban bad hosts
- Brute Force Protection let’s you limit the number of bad login attempts before temporarily locking out the offending host
Good idea to avoid the iThemes defaults because as it becomes more commonly used attackers will learn the defaults (not a big thing)
Let’s you get a copy of the database emailed or stored on the server I’d suggest using other backup software that let’s you store backups at an external source such as Dropbox or Google Drive
Can detect if files were changed and show which files Can be annoying with plugin / theme updates
Makes it harder for an attacker to find your login area
-Allows you to force SSL if you have it set up on your server -
Allows you to force users at or above a certain role to use a strong password
Probably good to have these on for most simple WordPress sites
Removing the generator meta tag and displaying a random version make it more difficult for an attacker to zero in on known vulnerabilities with past versions Who doesn’t want to reduce comment spam?
-Disable the file editor hides the edit function from plugins and the Apperance menu. If you edit your theme directly form the WP-Admin you’ll want to leave the file editor on. I always edit my code from a separate program as it is more secure to have the file editor hidden.
-I don’t mess with replacing the jQuery version as it could cause issues with themes functionality if they were built for a specific version I generally leave the login error message enabled Forcing a unique nickname helps prevent users from displaying their username within a post.
Allows you to change the admin username if ‘admin’ exists and change the user id if there is a user with id of 1. Both are good to do as an attacker usually knows that account has the most access
-Salts are secret keys used by WordPress in the wp-config.php files to increase security. These can be updated from iThemes. -I generally don’t mess with this as I generate salts during the initial WordPress install
- This one can be tricky. It’s probably unneccesary on WP specific hosts as they’ll have measures in to protect wp-content and may not even allow you to change the name of this directory
-changing the database prefix to something other than wp_ is good to make it harder for an attacker to find your database tables
-These are some of the pro features for the paid version - Privilege escalation let’s you temporarily increase a users privileges, say if you have a developer that needs admin access for a week
Pro also gives you more password options such as: - adding a password generator to user profiles - setting password expirations - and forcing users to change their password on their next login
You can also add a Google reCAPTCHA field to your login screen that will help to prevent people from brute forcing your site
Pro also allows you to give users the option for Two Factor Authentication through the Google Authenticator app. This requires users to enter a specially generated 6 digit code from their phone when logging into the site A huge increase of security
-User logging let’s you track actions of users at or above a certain role -Actions like logging in and saving content
WordPress Security using
Jason Yingling | Lead Developer
Red8 Interactive | red8interactive.com
@jason_yingling | jasonyingling.me