Reply To: Securing and Backing up WordPress

[__]

There is no such thing as a “one click” solution. You need to learn about PHP security (and security in general). You’re certainly not going to find what you need in a plugin: a lot of critical things need to be done at the server level, not from inside WP. This post might interest you.

• brute force attacks:

“brute-force” what? I assume you’re worried about logins.

simply rate-limiting your forms will make “live” brute force attacks impractical. Use nonce tokens with your forms and ignore submissions that took less than a second to return to you.

most brute force attacks are offline attacks anyway, however. So make sure your database is secure. For example, the MySQL user that WP runs under shouldn’t be able to do anything critical—create, read, update records; and that’s it.

• JS injection:

JS injection is the same thing as HTML injection, and so has the same solution: make sure you know what you are outputting to the browser, and how it will be treated. If something should be text-only, then use htmlspecialchars before you print it. If something is allowed to contain HTML, then make a whitelist of allowed HTML tags/attributes and use a script like HTMLpurifier.

• defacing:

is not an attack. It is something done after the attack.