Posts tagged security

Best Security Practices for WordPress

Don't look surprised when your WordPress site is hacked. Is WordPress security really so weak?

No, not really. It's just popular, and as such there are more people looking for ways to attack it. Still, as a heavy WordPress user I can give you some good tips to keep your site secure. I'll divide this into setting up the site and securing the site: the first you should only need to do once, the second is best done on an ongoing basis. I'm also assuming that your server is set up correctly and secured, that your WordPress install is up to date, and that your own computer is secure as well. If those are good, then what I say below will keep you 99% safe!

Secure on Setup

  • In wp-config.php, when you install, set $table_prefix = 'whateveryouwant'; to a random string! – This blocks MySQL injection attempts that target the default wp_ table prefix (if WordPress is already installed, use something like phpMyAdmin to go into the database, rename the tables with the new prefix there, and then put the new prefix in the wp-config.php file).
  • In wp-config.php, under define('WP_DEBUG', false); add define('DISALLOW_FILE_EDIT', true); – This disables the built-in theme and plugin file editor, so PHP files can't be edited from the WordPress dashboard. Most people don't edit them there anyway (I just log in with SFTP and edit directly), so anyone trying to exploit the site will have more difficulty doing so.
  • Use a strong password – I know it's silly to say, but a strong, unique password with lots of letters, numbers and symbols is always a good thing.

On First Login

  • Log in with your default admin account, create a new account with admin privileges and then delete the old admin account – This defeats login requests and brute-force attempts aimed directly at user ID 1 or the 'admin' username.
  • Disable user registration: go to the options panel and turn off user registration – If you don't intend for other users to post, there is no point in allowing registration.
  • Install only the plugins you need – Only keep the plugins and themes you actually use, even if the others are disabled; they could still be used against you.

Security Plugins to Install

  • BruteProtect or Login LockDown – To limit login attempts and stop brute-force attacks (or, as an alternative, find a two-step authentication plugin).
  • Install a clean theme – Make sure you get a nice free theme from WordPress.org or a paid one from a good provider, and keep it up to date. The more complex the theme, the more likely it has code that will become insecure, so get a good one and keep it updated.
  • Advanced Automatic Updates – Will keep your WordPress install and plugins up to date!
  • Akismet – It comes with WordPress for a reason; before it, WordPress comments were horrible and plagued with tons of spam.

Extra!

  • Please, pleassseeee make backups. Don't trust your webhost, make your own; that's the only true way of being 100% secure. Use a plugin for it, I like BackUpWordPress and Keep Backup Daily, but any you like will do!
  • Use Cloudflare or Incapsula – These give plenty of extra features, like a CDN, but they also filter your traffic and protect you from a lot of nasty stuff on the web.
  • Wordfence or Better WP Security – If you want heavier security. It's totally optional, and in my opinion if you are already well locked down they don't add anything!
  • Use .htaccess to lock down wp-admin if you are the only user; search for this on Google, plenty of sites explain it.
  • Use the WordPress Jetpack plugin: it protects you from some security flaws and helps with automatic plugin installs, plus a ton of other things.
  • Use MxToolbox or Sucuri SiteCheck to check whether your site has been exploited!
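A concrete version of the wp-admin lock, as an added example (not the post's own snippet): two Apache 2.4 .htaccess fragments that allow the dashboard only from your own address. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders, as are the file locations; the first block goes in the wp-admin directory, the second in the site root, because wp-login.php lives outside wp-admin and would otherwise stay open.

```apache
# --- wp-admin/.htaccess (assumed location) ---
# Apache 2.4 syntax (Require); on 2.2 you would use Order/Allow/Deny instead.
# Default for everything in this directory: only the allow-listed addresses.
# Placeholder addresses, replace with your own.
Require ip 203.0.113.10
Require ip 198.51.100.0/24

# admin-ajax.php is called by themes and plugins for logged-out visitors too,
# so it must stay reachable for everyone or the public front end breaks.
# With the default AuthMerging Off, this Require replaces the one above
# for this file only.
<Files admin-ajax.php>
    Require all granted
</Files>

# --- .htaccess in the site root (assumed location) ---
# wp-login.php sits next to wp-admin, not inside it, so lock it separately.
<Files wp-login.php>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</Files>
```

One caveat that goes with the Cloudflare/Incapsula tip above: behind such a proxy Apache sees the proxy's address, not yours, so an IP allow-list only works once the real client address is restored (mod_remoteip on Apache, or the proxy's own access rules).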

The best rule of all is to be prepared for the worst: have backups and check from time to time that your site is up to date and everything is running fine. Most of this is automated, but it's best to always keep an eye on it, and if everything breaks just clean everything and put back a backup 🙂

WP Super Cache Vs W3 Total Cache Vs WP Fastest Cache Vs Hyper Cache Vs Quick Cache Vs Wordfence Security

Yes, I know there are plenty of WordPress cache plugin comparison posts, but I went around checking those and most are just a matter of opinion and taste, or had some good data on performance on either the frontend or the backend of WordPress. My sites tend to have some optimisations built in, mostly on the server, so even without a plugin there is some caching going on for both PHP and MySQL, as well as nginx as a reverse proxy for the static files.

So I went ahead and made a basic WordPress site with one of the official themes and some random content, good enough. Then I checked memory consumption and speed inside WordPress with the P3 plugin, and used GTmetrix and Google PageSpeed to check the performance of the page. I also checked server side, but as far as I can tell none of the plugins used enough resources to matter. So, what are my findings:

Performance Comparison of WordPress Cache Plugins

Cache Plugin                Memory (sec)   Speed   Size (KB)   Requests   Pagespeed
-------------------------   ------------   -----   ---------   --------   ---------
No Plugin                   0              5.49    965         32         75/100
WP Super Cache              0.084          5.0     962         33         75/100
W3 Total Cache              3.6            11.33   965         33         75/100
WP Fastest Cache            0.083          4.7     757         30         90/100
Hyper Cache                 0.008          5.0     961         32         75/100
Hyper Cache + Autoptimize   0.097          6.7     690         24         90/100
Quick Cache                 0.04           4.93    961         32         75/100
Quick Cache + Autoptimize   0.1            5.44    696         24         91/100
Wordfence Basic             0.15           6.97    965         33         75/100
Wordfence Falcon Engine     0.14           5.63    762         34         90/100

Notes: I've added Autoptimize to the cache plugins that can't combine and minify code, to see if it helped. Also note that all of these results besides PageSpeed are averages: I did test 3 times to make sure, although GTmetrix uses random servers to check, so the speed figures can be a bit off. Don't take them literally; for true performance the size and requests, as well as the overall PageSpeed ranking, matter more. Yes, I know I could have used a fixed server, but I wanted a more normal usage scenario.

No Plugin

As I said above, by default my sites work and cache well enough to rate a standard 75/100 on PageSpeed; enabling gzip by default and other small WordPress tweaks help too. Still, it's only here as a reference point; of course most WordPress sites would rate a bit lower.

WP Super Cache

I've used it a lot in the past, but I've moved on to other cache plugins because it's a bit like W3 Total Cache: it has become less user-friendly with time. Of all the plugins it was the most troublesome to turn on and to turn off (it leaves a lot of stuff behind), and with default settings it didn't cache much. One of the reasons I left was also that sometimes updates would kill my sites. It's still a standard, but I think it's not good enough anymore.

W3 Total Cache

This one is WP Super Cache on steroids. I'm sure it's awesome since it has everything and then some, and although it's a bit easier to set up than it used to be, it's the kind of plugin that needs a lot, I mean A LOT, of pampering. It should only be used on large sites, and on sites where you control the server side and can enable the caches that W3 will use. In my test, with default settings, it was clearly the worst plugin of them all, probably because I should have changed something somewhere.

WP Fastest Cache

Although this plugin kind of broke a part of the WordPress backend (probably a CSS file out of place), it was one of the most complete and simple plugins, and you can see that it did a pretty good job even though I didn't enable all its functions. It incorporates pretty much everything you expect in a small package. However, two things keep me from using it: first, there is no control over the HTML/JS/CSS minification, and from my experience most of my sites would break if I can't tweak this (Autoptimize does give you that control); second, the settings panel tries to ping ipinfo.io, and I don't like plugins that do stuff like that.

Hyper Cache

This is the one I'm currently using on most of my sites. It's simple, clean and to the point, and as you can see it does its job. There is one nagging issue: when the plugin or WordPress updates, the plugin seems to stop working and you get "You must save the options since some files must be updated." Still, unlike WP Super Cache, the site doesn't stop working, so it's a safe and good plugin with very low memory consumption.

Quick Cache

I like this one: it has a nice panel, it's simple and it worked just fine. Still, some of its best features are hidden away in a premium package, and that makes it underperform. I would understand if these features were more high-end stuff like using CDNs or server-side tweaks, but things like minification should be part of the basic feature set. As it is, this plugin is comparable with Hyper Cache but with more resource usage.

Extras to Consider

Wordfence Security

It's mostly a security/firewall plugin for your site that also has caching built in, so why not try it out. It has two settings, so I tried them both: the basic one and their so-called Falcon Engine. I did see an improvement and it worked fine. It is of course a much bigger plugin that does a lot of things besides caching, but if you are looking for both a security plugin and a cache plugin, this might be good for you.

Autoptimize

It's a plugin that minifies HTML/CSS/JS and combines it. It can do this in the head or move those scripts to the end of the body to help the page load, and it's also very flexible: you can skip files or tweak it so it doesn't break your site. Some of the other plugins had these features or part of them, but this plugin gives you complete control, and as such it's a nice combination with other caching plugins.

So what was my choice?

I'll keep using Hyper Cache. It works well, the feature set is good enough and it never breaks my site. When I need to give it a bit more I add Autoptimize, or if the site is on Cloudflare I just tweak the HTML/CSS/JS from there. It was my choice about a year ago when I moved away from WP Super Cache, and as far as I can tell it is still the best choice.

Review of Tresorit “Secure” Cloud Sync

In my quest for some good secure cloud hosting/sync, aka a Dropbox clone, I've tested and used a lot of different cloud sync providers, so I might as well start posting my findings. Today I'm starting with Tresorit, from Hungary, whose main features are client-side encryption and the ability to sync any folder.

So let's start with the install. I installed it on a Windows 7 laptop; that went fine and it started fine, standard stuff here. I do note that this software is installed in a very strange place (it installs under AppData instead of Program Files), and it also created a ton of .tresor or .tresorit hidden folders, a bit weird but nothing much.

Running it, it's a bit bare on information: username and password (so I assume the client-side encryption is keyed from that password) and off it goes, syncing away. However, there is no way of knowing what it is doing, and it's not as fast as, say, Dropbox or SkyDrive. But the worst thing is that if you turn it off, delete a file and then turn the program back on... it won't retrieve the file from the server... so what's the point here?

That is pretty much standard syncing behaviour (if the software is not online at the time of the deletion, you bring the file back from the server, or if there is a newer file you update the file on the server; you don't erase the file on the server). So basically if there is corruption, or you accidentally delete a file, or you need to retrieve a file from the server online, you are screwed. So what are you syncing for?

Yeah, as of now Tresorit is pretty much useless. If you want syncing without protection of your data you might as well choose BitTorrent Sync: it's way safer (because you at least know more about its security than blindly trusting Tresorit), it's way quicker (on a LAN it's blazing!!!!) and, well, if you delete something you are also screwed anyway!

Tresorit Advantages:

  • Stable enough Software
  • A presumption of security

Tresorit Disadvantages:

  • It stores files in the cloud, yet there is no clear way to access them if you need them (so what's the point?!?!?)
  • Lack of information on syncing
  • Not the fastest of the bunch
  • Weird installation on Windows 7
  • Contacted the community and support about the issue, didn't get any reply from support >_< meh, cryptic organisations don't give a nice vibe!

If you reeeeaaalllllly need to check them out, it's Tresorit.com!

Should You Use Hotlink Protection?

This is a quick post about something that has troubled and intrigued me over the years: should you use hotlink protection?

What is a Hotlink?

First of all, if you don't know what I'm talking about, it's pretty simple. When someone visits your site, their browser downloads all the pictures, text and code needed to make the page show up. But what happens if someone copies the URL of one of your images and puts it on their page? Then, when someone goes to their page, your image shows up on their site, so effectively you are giving away bandwidth to someone else.

Sounds bad, right? That is where hotlink protection comes in. There are different ways of doing it, but it's basically just a couple of tweaks to the software/code/server to block anyone besides your own site from embedding your content...
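For readers who want to see what "a couple of tweaks to the server" looks like, here is an added example of the usual Referer-based rule for Apache 2.4 with mod_rewrite (not code from the original post); example.com is a placeholder for your own domain and the rule is assumed to live in the site root .htaccess:

```apache
# .htaccess in the site root (assumed location). Needs mod_rewrite.
# Refuse image requests whose Referer header points at another site.
RewriteEngine On

# Let requests with NO Referer through. Direct links, bookmarks, RSS readers
# and browsers or proxies that strip the header would otherwise lose images.
RewriteCond %{HTTP_REFERER} !^$

# Allow our own pages: http or https, with or without www. (placeholder domain)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]

# Any other referer asking for an image gets a 403 Forbidden.
RewriteRule \.(jpe?g|png|gif|webp|svg)$ - [F,NC,L]
```

You can check it with curl -I -e https://othersite.example/ https://example.com/some.jpg, which should return 403, while the same request without -e returns 200. Two things to keep in mind: the Referer header is set by the client, so this only stops casual embedding and not anyone who bothers to fake it, and the empty-Referer exception is what keeps direct visitors and privacy-minded browsers that drop the header from seeing broken images.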

The Rise of Social and CDN’s

There was a time when bandwidth and hosting were expensive (like in Australia, heheheh) and hosting an image or video was costly, but nowadays we live by a different set of rules: hosting and bandwidth are pretty cheap. Not only that, but a lot of the social websites depend on and interconnect with the content on the web (Facebook, Twitter, Pinterest, etc. are very popular because they provide a platform for sharing content, and sometimes that content is on your site).

I kind of think that what's important now is to have good, popular content, so things like someone hotlinking are no longer an issue of cost but one of opportunity. It's also the type of problem that nowadays can be easily fixed with the use of CDNs or cheap hosting.

Hotlink protection is also another form of walled garden, and although it suits some types of sites, most would gain more from being open and easily accessible; search engines will appreciate it and users even more. So... should you use hotlink protection? I'm kind of inclined to say no! Not anymore ^_^.