User generated content and security

You need to stop listening to people who say PHP and WordPress are not secure. It's how you do it. You can do it in WordPress, without using BuddyPress. In fact you don’t even need it for anything. All you need is to make default users contributors, and a small plugin which takes care of their … Read more

Has anyone developed an anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?

…is there any other plugin out there that will do EXACTLY this Not a plugin, but yes – this is the standard behavior of the comment moderation system in WordPress. BUT if ANY user visits bob.com and posts a comment containing the blocked email, website url or any other blocked material, then the IP of … Read more

Spam in WordPress root folder

You got hacked. Use http://sitecheck.sucuri.net/ to check whether Sucuri detects the signature. Tell your host; if they don’t want to help, consider changing hosts to someone more secure, like Recommended WordPress Web Hosting. See FAQ: My site was hacked « WordPress Codex and How to completely clean your hacked wordpress installation and How to … Read more

Secret keys in SCM

Your config file shouldn’t be public at all. It includes your database credentials in addition to the 8 SALTs WordPress. (The secret keys alone make it possible to brute force your log-in in about a week: http://codeseekah.com/2012/04/09/why-wordpress-authentication-unique-keys-and-salts-are-important/)

Remove hacked code – out of ideas! [closed]

You can move the wp-config file one level up. You can also create a .htaccess file and upload it to your uploads folder with this code:

    # Deny access to every file that has an extension...
    <Files ~ ".*\..*">
    Order Allow,Deny
    Deny from all
    </Files>
    # ...then allow only image files to be served.
    <FilesMatch "\.(jpg|jpeg|jpe|gif|png)$">
    Order Deny,Allow
    Allow from all
    </FilesMatch>

Or install a plugin for security which also scans your installation so … Read more

wordpress admin security

It may be coming from a theme or plugin you are using. Sometimes developers forget to remove an echo statement (or any other debugging approach) which they use while developing. You can first disable all plugins. If this still comes up, then it is somewhere there in the active theme. If this goes away after you … Read more
