How to protect own site & server? Basic Steps

Supratec

Member
Banned User
Jan 8, 2020
69
53
18
Hi beautiful people of Babiato! 🥰

I'm not a pro or even semi-skilled in the background of this topic and wonder what you do to protect your site/server. What are the most basic steps to take to improve the security of installed plugins/addons/themes from sources like this community?

I based my project on a bundle of a few paid plugins, but some of my stuff comes from Babiato and I'm not sure if I should worry. Will I get into any trouble in the future after launching the site live from dev mode?
 

ckeeper

Well-known member
Nov 8, 2019
623
376
63
There are 2 kinds of security you should be concerned about. The first one is your app security, in this case WordPress, which can be handled with a few plugins (WAF) to keep it relatively safer. But the second type of security (DAF) is very important, which is your server security (you can get Cloudflare to do the heavy lifting). Some open source solutions could also be installed, but they are not always the most effective against DDoS attacks and other forms of attacks; to handle this you will need to pay premium prices. Some hosting companies include it in their plans, but be aware it may be limited resources, and you will still get charged heavily if they need to deflate. Needless to say your site will be down for an unknown amount of time. Short answer: yes, you should definitely get worried, and even become paranoid.
 
  • Like
Reactions: Supratec

darkmesaia

Member
Nov 13, 2019
50
17
8
Everywhere!
Basically, in my opinion, everything should start from the choice of hosting... Of course I'm talking as an owner of hosting/server services who gets to know many of the problems that many websites face.

Of course, a server (shared hosting) can in no way protect an account/site if the site itself does not maintain a moderate to good level of security.

For us, because it is a very basic priority for our company, we have some custom systems that cover a very large part of the critical vulnerabilities, more specifically on platforms such as WP, Joomla etc., and protect a site from viruses (via real-time scan), WAF, brute force, DDoS etc. Every day we have more than 100K+ attack blocks via WAF & BruteForce... so we have calmed down to a great extent and from several issues.

From there on, let's not forget that a shared hosting server should also contain settings that will work for the general public. But as I said and I will say again, in no case should you feel 100% safe; you definitely need actions from the site side as well.

But for me, everything starts from hosting.
 
  • Like
Reactions: Supratec

empromax

Active member
May 15, 2020
122
73
28
To echo @ckeeper
Make sure you have a top-class security plugin installed on WordPress, use Disable REST API (if needed) and add your site to Cloudflare. You can use your server's visitor traffic log, or a WP security plugin, to see who is accessing your website and the type of requests they are making, then use Cloudflare to block IP addresses, ASNs or countries before they reach your server.
 

Supratec

Member
Banned User
Jan 8, 2020
69
53
18
@ckeeper , @darkmesaia and @empromax thanks for replies :geek:

Through this topic I would like to gather some valuable knowledge which will probably be implemented straight away. I'll adapt my replies to yours if you require some extra info, details etc.

My server details:
  • VPS Cloud Server
  • Ubuntu 18.04
  • CPU: 6 vCore
  • RAM: 12 GB
  • SSD: 240 GB
  • WAF - ModSecurity from Comodo (free) default configuration
  • DAF - by Variti (free) default configuration
  • Disable REST API - ? Can this break my site installation? (it is enabled by default)
  • ImunifyAV (free) default configuration
  • Plesk
  • Firewall for Ubuntu & Plesk
  • Free SSL
  • Only the WP installation on the server gets daily backups - the server itself doesn't have an optional daily backup or anything like that.
  • I get notified when someone is trying to log in to the site with wrong passwords: the system sends notifications to my email after 10 wrong login attempts by anyone, and after 3 wrong attempts on admin logins.

So far, I'm a real potato in security & protection of my own server/site against vulnerabilities, and by now I only know that if I don't meet the criteria, at minimum this project of mine will be at risk after the site goes live.
 

MrSam_1

Well-known member
Administrative
Trusted Seller
Dec 1, 2018
23,637
26,969
120
Most attacks on WP sites are made on the REST API. If you don't use remote scripts, phone apps or the like that call the API, then you don't need it, so you can disable it without any issues.
If you do use mobile apps or remote scripts for your WordPress site, then Wordfence has the option to monitor and whitelist or blacklist remote calls.
I personally use Wordfence with somewhat tightened security (auto-block login for [login] or admin users, up to 5 failed tries until blocked for 1 month, a small number of 404 hits before being blocked, also for 1 month).
For server security I use fail2ban, and you can find comprehensive tutorials on that all over the internet, including different config files from which you can build your own config as you see fit for your server.
 

Supratec

Member
Banned User
Jan 8, 2020
69
53
18
@slvrsteele yeah, I heard about Wordfence earlier, time to give it a try then :D

Google Maps and PayPal APIs are in use, so will I be able to whitelist those APIs and disable REST?
 

MrSam_1

Well-known member
Administrative
Trusted Seller
Dec 1, 2018
23,637
26,969
120
Gmaps and PayPal are calls made FROM your website to their API. You have no incoming calls to yours. REST API refers strictly to all API calls TO your website for remote authentication and retrieving specific data. That's how most WordPress/WooCommerce mobile apps work.

There is how to bypass wordfence premium check and unlock wordfence premium:

 
  • Wow
Reactions: Supratec

Supratec

Member
Banned User
Jan 8, 2020
69
53
18
Thanks everyone for help!
Loads of research behind me, more to do, but at least you gave me a glimpse of "what's going on" in this background :giggle:
 
