Comments on: Top 5 WordPress Security Tips You Most Likely Don’t Follow

By: Weekly WordPress Review – Security Edition - WPCanada

Weekly WordPress Review – Security Edition - WPCanada — Thu, 09 Dec 2010 07:08:41 +0000

[...] Top 5 WordPress Security Tips You Most Likely Don’t Follow (WordPress Tavern) [...]

By: Terry Carmen

Terry Carmen — Mon, 08 Nov 2010 18:55:54 +0000

First, I’d like to say that the difference between “insightful” and “paranoid” is only visible in hindsight.

Next, I’d like to say that I’ve been extremely happy running Mobile One Time Passwords on my cell phone: http://motp.sourceforge.net/ and mod_authn_otp: http://code.google.com/p/mod-authn-otp/ on the web server.

Coupled with a .htaccess file in wp-admin, and fail2ban to firewall repeated password failures, means that nobody is getting in unless they have both your cell phone and your PIN.

This is world-class security for zero cost. Both projects are covered by the GPL and are completely free.

By: Melissa Thompson

Melissa Thompson — Sat, 06 Nov 2010 02:55:28 +0000

@James M. -

I didn’t think my little blog would get noticed either. My front page was changed. Took me 30 minutes to get it changed back. Am going to implement security on all my blogs now.

Great blog for all of us who really didn’t understand about hackers. I shall return!

By: Elpie

Elpie — Mon, 06 Sep 2010 16:48:23 +0000

@John Adams - A salt is similar to a nonce. It is a type of encryption that uses the secret key to generate a random mashup of the salt + password and sends it encrypted. This makes it harder for anyone to guess passwords or use dictionary attacks against them. The generated password has an expiry time which also helps deter attacks. I'd add another security tip to this excellent list - change passwords regularly and make sure they are strong ones. There's no such thing as 100% secure passwords and the longer an admin password sticks around, the more opportunities hackers have to decrypt them. Using a tool such as KeePass (http://keepass.info/ makes changing passwords a piece of cake. Use something like that to generate a very strong password (say, around 20 or so characters) enhances the security of the salted password. If the salt is, say 64 characters, and your password is, say 22 characters, that makes for an 86 character password that hackers would have to decrypt, unscrabble and try. It can be done, but it takes time and a hacker would have to be really determined to get in if they were going to be bothered trying.

By: True Up | All Fabric, All the Time » Blog Archive » Hacked!

True Up | All Fabric, All the Time » Blog Archive » Hacked! — Wed, 01 Sep 2010 15:14:54 +0000

[...] WordPress Support Forum Thread on the Pharma Hack Understanding and Cleaning the Pharma Hack on WordPress on Sucuri How to Completely Clean a Hacked WordPress Installation Top 5 WordPress Security Tips You Most Likely Don’t Follow [...]

By: John Adams

John Adams — Wed, 01 Sep 2010 05:56:54 +0000

@Jon: I am not an expert on the salts, so I dont know what they do. But the advice made sense so I implemented them.

Interestingly, yesterday I installed wp 3.0.1 on a new site and I noticed that all the 8 salts were automatically filled in during the installation process.

By: Tony

Tony — Tue, 31 Aug 2010 05:48:58 +0000

I wish I had known about the table prefix advice when I first started…Now, I’m reluctant to install a plugin just to change the default prefix.

By: Terri Ann

Terri Ann — Sun, 22 Aug 2010 03:33:33 +0000

@Jon – when I was at word camp someone asked that and the answer right now is no AFAIK

I also like to use htpasswd to 2x password protect my admin panel.

Also, while I 100% agree you shouldn’t use the admin account it sucks that any use of author archives or author feeds use the username and not some different slug. So if you do use a different name and delete admin it is not hard to apply a dictionary attack from scraping the username from an rss feed.

By: June 2010 Handout: WordPress Security Basics | East Bay WP Meetup

June 2010 Handout: WordPress Security Basics | East Bay WP Meetup — Mon, 16 Aug 2010 03:22:24 +0000

[...] Top 5 WordPress Security Tips You Probably Don’t Follow (WordPress Tavern Guest Post) [...]

By: Jon's Weight Loss Guide

Jon's Weight Loss Guide — Fri, 06 Aug 2010 17:54:45 +0000

That is news to me John. What do the additional secret keys do? I assume that it is mentioned in the latest readme files, but I admit I upgraded to the latest WP version without reading those!