
How to protect own site & server? Basic Steps

Supratec

Jan 8, 2020
Hi beautiful people of Babiato! 🥰

I'm not a pro or even semi-skilled in the background of this topic and wonder what you do to protect your site/server. What are the most basic steps to take to improve the security of installed plugins/addons/themes from sources like this community?

I based my project on a bundle of a few paid plugins, but some of my stuff comes from Babiato and I'm not sure if I should worry. Will I get into any trouble in the future after launching the site live from dev mode?
 
There are 2 kinds of security you should be concerned about. The first one is your app security, in this case WordPress, which can be handled with a few plugins (WAF) to keep it relatively safer. But the second type of security (DAF) is very important, which is your server security (you can get Cloudflare to do the heavy lifting). Also some open source solutions could be installed, but they are not always the most effective against DDoS attacks and other forms of attacks; to handle this you will need to pay premium prices. Some hosting companies include it in their plans, but be aware it may be limited resources, and you will still get charged heavily if they need to deflate. Needless to say your site will be down for an unknown amount of time. Short answer: yes, you should definitely get worried, and even become paranoid.
 
Basically, in my opinion, everything should start from the choice of hosting ... Of course I'm talking as an owner of hosting/server services and getting to know many of the problems that many websites face.

Of course, a server (shared hosting) cannot in any way protect an account/site if the site itself does not maintain a moderate to good level of security.

For us, because it is a very basic priority for our company, we have some custom systems that protect a site against a very large part of the critical vulnerabilities, more specifically on platforms such as WP, Joomla etc.: viruses (via real-time scan), WAF, brute force, DDoS etc. Every day we have to block more than 100K+ attacks via WAF & brute-force protection... so we have calmed down to a great extent on several issues.

From there on, let's not forget that a shared hosting server should also contain settings that will be running for the general public. But as I said and I will say again, in no case should you feel 100% safe; you definitely need actions from the site side as well.

But for me, everything starts from hosting.
 
To echo @ckeeper
Make sure you have a top class security plugin installed on WordPress, use Disable REST API (if needed) and add your site to Cloudflare. You can use your server's visitor traffic log, or a WP security plugin, to see who is accessing your website and the type of requests they are making, then use Cloudflare to block IP addresses, ASNs or countries before they reach your server.
 
@ckeeper , @darkmesaia and @empromax thanks for replies :geek:

With this topic I would like to manage to get some valuable knowledge, which will probably be implemented straight away. I'll adapt my replies to yours if you require some extra info, details etc.

My server details:
  • VPS Cloud Server
  • Ubuntu 18.04
  • CPU: 6 vCore
  • RAM: 12 GB
  • SSD: 240 GB
  • WAF - ModSecurity from Comodo (free) default configuration
  • DAF - by Variti (free) default configuration
  • Disable REST API - ? Can this break my site installation? (it is enabled by default)
  • ImunifyAV (free) default configuration
  • Plesk
  • Firewall for Ubuntu & Plesk
  • Free SSL
  • Only the WP installation on the server gets daily backups - the server itself doesn't have an optional daily backup or something like that.
  • I get notified when someone is trying to log in to the site with wrong passwords; the system sends notifications to my email after 10 wrong login attempts by anyone, or after 3 wrong attempts on admin logins.

So far, I'm a real potato in security & protection of my own server/site against vulnerabilities, and by now I only know that if I don't meet the minimum criteria, my project will be at risk after the site goes live.
 
Most attacks on WP sites are made on the REST API. If you don't use remote scripts, phone apps or similar that call the API, then you don't need it, so you can disable it without any issues.
If you do use mobile apps or remote scripts for your WordPress site, then Wordfence has the option to monitor and whitelist or blacklist remote calls.
I personally use Wordfence with a bit more tightened security (auto-block login for [login] or admin users, up to 5 failed tries until blocked for 1 month, a small number of 404 hits before being blocked, also for 1 month).
For server security I use fail2ban, and you can find comprehensive tutorials on that all over the internet, including different config files from which you can build your own config as you see fit for your server.
 
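The two replies above (check the visitor log for who is hitting the site and block them at Cloudflare; block after a handful of failed logins or a burst of 404s, or hand it to fail2ban) describe the same detection loop. The script below is an added example written for this thread, not code from the thread, Wordfence, fail2ban or Cloudflare: it parses Apache/nginx combined-format access-log lines, counts failed wp-login.php POSTs and xmlrpc.php POSTs and 404 bursts per client IP inside a sliding window, and returns the IPs that exceed the thresholds. The thresholds (5 login probes, 10 404s, 10-minute window), the helper names and the sample log lines are all constructed assumptions; the log uses RFC 5737 documentation addresses, not real traffic.

```python
"""Spot brute-force and scanner IPs in a web-server access log.

Added example, not code from the thread or from Wordfence/Cloudflare/fail2ban.
Thresholds and the sample log below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOGIN_LIMIT = 5          # assumption: echoes the "5 failed tries" setting above
NOTFOUND_LIMIT = 10      # assumption: a 404 burst usually means plugin/backup scanning
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_login_probe(rec):
    """A failed wp-login.php POST re-renders the form with HTTP 200 (a success
    redirects with 302); xmlrpc.php answers 200 either way, so every POST to it
    is counted as a probe and only the rate matters."""
    if rec["method"] != "POST":
        return False
    if rec["path"].endswith("/wp-login.php"):
        return rec["status"] == 200
    return rec["path"].endswith("/xmlrpc.php")


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, i - start + 1)
    return best


def find_offenders(lines):
    """Map offending IP -> list of human-readable reasons."""
    probes, misses = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines instead of crashing
        if is_login_probe(rec):
            probes[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
    offenders = defaultdict(list)
    for ip, ts in probes.items():
        n = max_in_window(ts, WINDOW)
        if n >= LOGIN_LIMIT:
            offenders[ip].append(f"{n} login probes within {WINDOW}")
    for ip, ts in misses.items():
        n = max_in_window(ts, WINDOW)
        if n >= NOTFOUND_LIMIT:
            offenders[ip].append(f"{n} 404s within {WINDOW}")
    return dict(offenders)


def block_list(offenders):
    """Sorted IPs to paste into a Cloudflare IP Access Rule or a fail2ban ban."""
    return sorted(offenders)


def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = (
    [_line("203.0.113.7", f"08/Jan/2020:10:0{i}:00 +0000", "POST", "/wp-login.php", 200)
     for i in range(6)]                                   # 6 failed logins in 5 minutes
    + [_line("198.51.100.9", "08/Jan/2020:10:02:30 +0000", "POST", "/wp-login.php", 302),
       _line("198.51.100.9", "08/Jan/2020:10:02:31 +0000", "GET", "/wp-admin/", 200)]
    + [_line("192.0.2.44", f"08/Jan/2020:10:1{i % 10}:{i:02d} +0000", "GET", f"/old-{i}.php", 404)
       for i in range(12)]                                # guessing at leftover files
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    found = find_offenders(SAMPLE_LOG)
    for ip in block_list(found):
        print(ip, "->", "; ".join(found[ip]))
```

One caveat when the site is already behind Cloudflare: the remote address in the server log is then a Cloudflare edge IP unless the web server restores the real client address (mod_remoteip on Apache, the real_ip module on nginx, both fed from the CF-Connecting-IP header), so run this only on logs where that has been done or you will block Cloudflare itself. fail2ban does the same per-IP counting continuously with its own regex filters; this script is the one-off version for reviewing a log by hand.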
@slvrsteele yeah, I heard about Wordfence earlier, time to give it a try then :D

Google Maps and PayPal APIs are in use, so will I be able to whitelist those APIs and disable REST?
 
Gmaps and PayPal are calls made FROM your website to their APIs. You have no incoming calls to yours. REST API refers strictly to all API calls TO your website for remote authentication and retrieving specific data. That's how most WordPress/WooCommerce mobile apps work.

There is how to bypass wordfence premium check and unlock wordfence premium:

 
Thanks everyone for help!
Loads of research behind me, more to do, but at least you gave me a glimpse of "what's going on" in this background :giggle:
 