[wp-edu] WP - security concerns?

Covello, Steve Steve.Covello at granite.edu
Tue Sep 10 12:55:50 UTC 2013


1 – Security alerts are good thing. It means the hardening strategies are actually working. I get TONS of alerts from my firewall – all of which report that the robotic efforts of hackers are being repelled. Security alerts do not mean WP is "bad" for security. Your domain will be hacked no matter which platform you use, or even if you use plain HTML. There are certain vulnerabilities in WP that hackers know about, but these are accounted for in the hardening plugins I mentioned.

2 – You do not need a username named "admin". It happens to be the default username WP gives on install, but NEVER use it. Any user can be given Administrator privileges. This is how you solve your problem (assuming you are "admin"):

  *   In your "admin"user acct, change the email address to something different (doesn't matter – it's going to be deleted)
  *   Create a new user with "admin's" old email address.
  *   Delete the "admin" user and ascribe all of "admin's" posts/pages to the new user.

That's it.

--
Steve Covello
Rich Media Specialist/Online Instructor
Granite State College
603-513-1346
Skype: steve.granitestate
Scheduling: http://meetme.so/stevecovello


From: Brianne Binelli <bbgoldkey at gmail.com<mailto:bbgoldkey at gmail.com>>
Reply-To: "Low-traffic list discussing WordPress in education." <wp-edu at lists.automattic.com<mailto:wp-edu at lists.automattic.com>>
Date: Tuesday, September 10, 2013 7:03 AM
To: "Low-traffic list discussing WordPress in education." <wp-edu at lists.automattic.com<mailto:wp-edu at lists.automattic.com>>
Subject: Re: [wp-edu] WP - security concerns?

I receive a lot of security alerts on wp.  I do have a Admin user name to get into the dashboard do you think this may be causing the problem.  I thought you need to create a admin user name.

thanks
have a great day



On Mon, Sep 9, 2013 at 8:19 PM, Covello, Steve <Steve.Covello at granite.edu<mailto:Steve.Covello at granite.edu>> wrote:
Geez - I have had ZERO infections via WordPress in 4 years.

Plugins:

Wordfence Security
WP Firewall 2
Secure WordPress
WP Secure Scan
WordPress HTTPS
WP Ban

Best Practice:

NO accounts named "admin"
htaccess file in wp-admin
NO default table prefixes in wp-config, such as "wp_". Change it to "wp_xRwFG_" or whatever.
original salt data in wp-config: https://api.wordpress.org/secret-key/1.1/salt/
Secure high quality passwords
Updated malware scans on user devices
Gravity Forms used on all forms, with CAPTCHA
SFTP on FTP accounts

Occasionally check on Sucuri.net. If you want to be on top of it, subscribe to their scan service.

There are other hardening plugins out there.

- Steve



________________________________
From: wp-edu [wp-edu-bounces at lists.automattic.com<mailto:wp-edu-bounces at lists.automattic.com>] on behalf of Leslie Melvin [melvin at bard.edu<mailto:melvin at bard.edu>]
Sent: Monday, September 09, 2013 6:18 PM
To: wp-edu at lists.automattic.com<mailto:wp-edu at lists.automattic.com>
Subject: [wp-edu] WP - security concerns?

Hi Folks,

We have been hosting WP Multisite (for course blogs and as a blog supplement to our program websites) for a few years, with mixed results. Our community (users) love the flexibility of WP, but it has proven to be an unexpected support burden for IT...it seems that all of our website/network hacks have been introduced via WP.

I haven't seen the topic addressed by this group, so it appears our experience is isolated, which would lead me to suspect we are missing some simple safe-guards.  Have any of your institutions dealt with WP-related security issues?  Have you found any successful, secure configurations, and if so, would you be willing to share your experiences with us?  WP is proving to be such a valuable tool...

If so, I will bring our Networks and Systems folks into the conversation, as they could answer specific questions related to our configuration and protocols.

Many thanks in advance!

Best,
Leslie

---
Leslie A. Melvin  |  Manager, Academic Technology Services

BARD COLLEGE
PO Box 5000 | 204 Old Henderson |
Annandale-on-Hudson, NY 12504
office: 845.758.7496<tel:845.758.7496> | http://www.bard.edu


_______________________________________________
wp-edu mailing list
wp-edu at lists.automattic.com<mailto:wp-edu at lists.automattic.com>
http://lists.automattic.com/mailman/listinfo/wp-edu


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.automattic.com/pipermail/wp-edu/attachments/20130910/04419830/attachment.html>


More information about the wp-edu mailing list