@yokowasis said:
What's the common entry point for a WordPress hack? Is it a compromised administrator user?
I see a wordcamp user on most of my clients' websites. I still don't know how they get in. I am pretty sure it's not SSH, because I am using Docker and SSH keys.
As of right now, I am doing regular scans and preventing new accounts from being created. But I still have no idea how they get in in the first place.
While we are at it, sometimes my customers ask me if I can create some kind of admin panel (something like AdminLTE and such). Well, it's easy for WordPress, but it looks outdated for an admin panel. I still haven't figured out how to make wp-admin as beautiful as a current-gen admin panel (AdminLTE, CoreUI, etc.).
As far as I know, sorted from the most to the least common:
1) Theme/plugin problem (security issue), either from not updating or from using poorly written ones.
2) Poor user security habits/awareness: clicking on an email and giving data away, or using admin/admin123 username/password combos.
3) Hosting provider problem, poor server security.
Back to this example.
I make sure all of the websites only install well-known plugins/themes from wordpress.org and keep them updated.
It's a strong password. Is it possible the bot is brute-forcing using past breached usernames/passwords?
If it's regarding HTTPS, I am sure almost nobody uses plain HTTP anymore these days.
If it's not 3, I think it's number 2. I mean, even if the password is complex, it doesn't really matter if it's in some hacker's username/password database. Has any such case happened in the past?
Not really sure what the questions are (if they are questions). There are several ways to make good security (at any level, including the hosting server), and countless ways of making poor security. Some hosting providers get it right, others don't.
Same goes for stuff that webmaster/customer does. This includes passwords used, usernames, plugins and themes...
Thanks so much for sharing and compiling the thread. I have been looking for a good theme or page builder for WP... the 6-part blog post was helpful.
With so many options, what would be your first choice... I am looking at a mix of single-page sites and maybe a couple of online storefronts... maybe even a domain listing marketplace...
Divi seems good. Elementor also... so confused... any pointers? If you are OK we can discuss via DM.
Thanks in advance
Comments
Not really sure what the questions are (if they are questions). There are several ways to make good security (at any level, including the hosting server), and countless ways of making poor security. Some hosting providers get it right, others don't.
Same goes for stuff that webmaster/customer does. This includes passwords used, usernames, plugins and themes...
At the cost of repeating myself, if it's of any use - my 2c on WordPress security, and on domain/website security in general.
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
You could install the plugin wpsecurityninja (the free version) and scan your WP install against many vulnerabilities: https://de.wordpress.org/plugins/security-ninja/
You can uninstall it again afterwards, but it may help harden the site. Their pro version has a cloud firewall included. You could allow admin login only from a whitelisted IP address. This could help, too.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
I use WP Security Ninja and it is good. But adding to @bikegremlin's post (even repeating some points):
Some are common sense, others may raise different issues.
Check for any changes in the logs. There is a script or a plugin that logs the last 100 entries or changes (free) or more (paid). Set up rules to flag any suspicious files or activities.
All in all, there is only so much one can do. Since the WP site is a sum of many moving parts, there still might be gaping holes. Some more critical than others.
A couple of good reads
https://support.cloudways.com/what-can-i-do-with-an-htaccess-file/
https://www.wpbeginner.com/wordpress-security/
VPS reviews and benchmarks |
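One concrete way to "flag any suspicious files" as suggested above, added here as an example that is not from the thread or from any plugin it mentions: a POSIX shell file-integrity check that hashes a WordPress root once, then reports added, modified and removed files on each later run. It assumes `sha256sum`, `find`, `awk` and `mktemp` are available; the PHP-under-uploads rule is an example rule of my own, since that directory normally holds only media.

```shell
#!/bin/sh
# wp-fim.sh: baseline-and-diff file integrity check for a WordPress root.
# Added example, not from the thread or from any plugin mentioned in it.
# Assumes: POSIX sh, find, sort, awk, mktemp and sha256sum (coreutils).
# Limitation: paths containing whitespace are not handled by the awk diff.

# wp_fim_baseline ROOT OUTFILE
# Hash every file under ROOT (relative paths, sorted) into OUTFILE.
# wp-content/cache is skipped because it churns on every page view.
wp_fim_baseline() {
    b_root=$1; b_out=$2
    ( cd "$b_root" && find . -type f ! -path './wp-content/cache/*' \
        -exec sha256sum {} + ) | sort -k 2 > "$b_out"
}

# wp_fim_check ROOT BASELINE
# Re-hash ROOT and print one line per difference against BASELINE:
#   ADDED    ./path   file not present when the baseline was taken
#   MODIFIED ./path   content hash changed
#   REMOVED  ./path   file in the baseline but missing now
# Prints nothing when the tree is unchanged.
wp_fim_check() {
    c_root=$1; c_base=$2
    c_cur=$(mktemp)
    wp_fim_baseline "$c_root" "$c_cur"
    # sha256sum lines are "<hash>  <path>", so $1 is the hash and $2 the path.
    awk 'NR == FNR { old[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in old))        print "ADDED    " $2
             else if (old[$2] != $1)  print "MODIFIED " $2
         }
         END { for (f in old) if (!(f in seen)) print "REMOVED  " f }' \
        "$c_base" "$c_cur" | sort
    rm -f "$c_cur"
}

# wp_fim_flag_php_in_uploads ROOT
# Example rule (my own, not from the thread): wp-content/uploads holds media
# that WordPress writes on the site owner's behalf, so a .php file there is
# worth a look regardless of whether it is new.
wp_fim_flag_php_in_uploads() {
    ( cd "$1" && find ./wp-content/uploads -type f -name '*.php' 2>/dev/null )
}

# Usage: ./wp-fim.sh baseline /var/www/site baseline.txt
#        ./wp-fim.sh check    /var/www/site baseline.txt   (e.g. from cron)
case "${1:-}" in
    baseline) wp_fim_baseline "$2" "$3" ;;
    check)    wp_fim_check "$2" "$3"
              wp_fim_flag_php_in_uploads "$2" | sed 's/^/PHP-IN-UPLOADS /' ;;
esac
```

Take the baseline right after a clean install or update and store it outside the web root, otherwise whoever changes the files can also change the baseline.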
Pro or free version?
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Pro... 5 sites
VPS reviews and benchmarks |
Lifetime/yearly? If yearly, do you get a discount on renewal?
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
3 years (officially, 'lifetime')
VPS reviews and benchmarks |
Might get a lifetime, too. If I like the trial. Gonna see :P
They have been around for 7 years, at least.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
5 for 59.
VPS reviews and benchmarks |
That's a good deal. Was that on an appsumo (or similar) sale?
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Lol yes
VPS reviews and benchmarks |
cPanel says: "milk it!"
"Example: You purchase WordPress Toolkit Deluxe license at $1 USD per account and
your customer pays you a suggested amount of $5 USD."
https://cpanel.net/wp-content/themes/cPbase/assets/downloads/wpt/cp-wpt-partner-guide.pdf
One click cloning/staging look like cool options that can be both helpful, and nicely marketed.
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Staging/cloning. Doesn't Softaculous in cPanel have that already?
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Yep. Everything I can see in the WP Toolkit is already included in Softaculous. As most hosting providers already use it, I can't see this toolkit taking off.
This is a lot more expensive per server (charging at least $1 per account if I got it right).
And it is offered by a company "adored" in the hosting business.
Sort of reminds me of an offer I got from a mechanic, decades ago:
"Do you want the original factory exhaust, or the cheaper knock-off that lasts a lot longer? ...I have to ask, you know..."
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Softaculous - for WordPress website cloning, migration, staging...
It's not too bad. Included in the price of most shared/reseller hosting providers (whether you like it, or not), and seems to be more convenient than doing it manually, or using a plugin (since most decent ones cost, plus pose a possible security problem - the fewer, the merrier).
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
I used staging/cloning a lot. Pretty useful.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Below are BF deals, but most are WP-specific.
Some of the WP hosting offers are also mentioned. Posting them here as a screenshot, no links.
I have not used any of these services, except GeneratePress, but I keep reading about them in a WP group on FB. More importantly, out of consideration for web hosts in LES who have been posting hosting offers for BF.
VPS reviews and benchmarks |
Unlimited websites (with up to 5000 subscribers) for 50 dolla's one-time payment?
https://appsumo.com/mailpoet-black-friday-2020/
Not sure how good their delivery is, though. Anyone tried MailPoet's SMTP service?
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Along similar lines
Edit: Following Bikegremlin's post below, I checked the WP Themes directory:
Sorry folks, taking this one out.
https://wordpress.org/plugins/wp-email-delivery/
(My miss, had this bookmarked a long time ago)
VPS reviews and benchmarks |
Not even their front page links work properly. For crying out loud!
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Posting the link to Rankmath SEO Plugin
https://rankmath.com/pricing/
VPS reviews and benchmarks |
I know it's reddit, but I think it's worth looking into:
https://www.reddit.com/r/Wordpress/comments/cyj8gr/yoast_seo_vs_rank_math_do_we_have_a_new_winner/
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
Neve theme has been updated.
https://themeisle.com/blog/neve-2-9/
We use it on a couple of sites. Pretty interesting and easy to configure and use!
VPS reviews and benchmarks |
In the BF offer deal, @localhost asked the question:
Thanks @localhost and glad that you found it useful... also the post series!
Theme and pagebuilder are two different beasts. OceanWP or GeneratePress are the former. Divi and Elementor are the latter. Themes do not need a pagebuilder, but pagebuilders do need a theme. Pagebuilders extend the features/functions of the theme significantly.
I would suggest you get a fast, clean theme (with less bloat) that supports Gutenberg. KadenceWP is another one. All have BF deals going on for another day or two (at least). I am more and more impressed with the Blocksy WordPress theme these days.
I bought GeneratePress btw.
Spend a few months tinkering around with the theme: layouts, optimization for speed, security and, most importantly, content for your sites.
The deals for pagebuilders keep coming. At worst, you can get a deal for pagebuilder next BF.
I would suggest our resident WP experts @bikegremlin and @Ympker can chime in..
VPS reviews and benchmarks |
My 2c on how to choose a good WP theme. More in terms of criteria and what to look for (though I did offer two recommendations - ones which I've tested thoroughly, and often choose for my use).
As for the page builders. Briefly: Elementor can work nicely, seems to have a future (continued maintenance), and has loads of on-line tutorials.
One I plan looking more into is Brizy. Experienced devs I've talked with say it's fast and well written. But haven't given it a test, and not sure how well sold it is (if it isn't, maintenance could just stop after a while).
And a note: use page builders if you must get some exotic look and layout - and don't have the knowledge, or won't spend the time needed to write a custom theme. Page builders do add another plugin - with all the cons of that (another potential security hole). Elementor doesn't seem to slow down the pages where it isn't used - at least from what I've tested. So you could use Elementor to make a "super-cool" landing page, and create the rest of the website using a theme of your choice and have those pages look a bit less flashy (but load faster). Elementor can also be optimized - but it does load a lot of stuff. Fast, good theme beats it (if used properly - you can always use super large, unoptimized images and load hundreds of elements to a single page, hampering performance).
Detailed info about providers whose services I've used:
BikeGremlin web-hosting reviews
I second bikegremlin's thoughts, with two points (and there is no right or wrong approach here- depends on what you aim to do with the site).
a. Brizy has had its share of blackouts and issues during updates. So has Elementor. So caveat emptor (almost sounds rhyming).
b. A slight twist on bikegremlin's suggestion:
use Elementor (or any other page builder) to create the homepage/landing page, contact, about, etc.
blog ideally set up on a subdomain, with only the theme, no pagebuilder.
Some day we can have a conversation on the pros and cons of creating static pages from pagebuilders to improve speed, reduce security issues, etc. (duh! Why not use an HTML template instead?)
On a separate note:
@bikegremlin do you have the Brizy WP plan or the cloud version?
Have you tried Brizy + Blocksy?
VPS reviews and benchmarks |
Thanks for the mention. So let me chime in and recommend Divi here. Let's get it right off the bat: keeping Divi under 2-3 seconds load time is not always easily achievable, but for all I know it is one of the most wholesome themes/pagebuilders, fit to fill almost any place. The lifetime unlimited sites sub is unbeatable, and if you don't like Divi as a theme you can still opt to use another and only use the Divi Builder plugin. The freedom to choose whether you want to use the Divi Theme (basically an AIO pack of premium theme and page builder) or another theme with the Divi (Page) Builder plugin leaves you lots of flexibility. Talking online shops, Divi has some nice WooCommerce modules, too. Is there a feature in Divi you are missing? Chances are one of the MANY Divi third-party extensions already offers it. There's also an official Divi marketplace now hosted on ElegantThemes to shop with confidence. Unfortunately, plugins there only get 1 year of updates, so I recommend you check the website of the third-party plugin and see if they offer any different plans like lifetime (they often do).
One thing I can't stress enough (that many people forget) is that Divi really shines with its thorough documentation on ElegantThemes, tons of community tutorials and stellar/fast community support. The web is literally crowded by Divi installs and help is only a Divi FB group away. The market share and presence of Divi users and devs is just something else: https://trends.builtwith.com/framework/Divi
@vyas and @bikegremlin also have valid points, so I'm not saying this is the only way. Just mine.
I have to add, though, that the Blocksy theme @vyas mentioned is really dope and I hope the core will stay free.
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
Thank you so much @vyas @bikegremlin and @Ympker
This is lots of helpful information... I am going to bite on Divi, I feel it's a no-brainer.
I am still trying to see if I should get GeneratePress/Blocksy/Kadence/Brizy/Elementor... Maybe I need to slow down and take a breath...
Some drama going on in WP forums about Kadence versus Blocksy.
The founder of Blocksy claims Kadence stole their design. And an influencer called Adam P is promoting Kadence for a huge commission (not just aff)...
GeneratePress is good. You might want to start with that
VPS reviews and benchmarks |