WP Whoosh performs a secure WordPress install. We carry out all the basic security tasks that ought to take place during installation – the ones that most WordPress sites owners don’t do!
Most WordPress installations are left wide open to hackers by simple installation scripts. WP Whoosh takes care of all the basic security issues that tend to be forgotten by locking down your site from the outset. As long as you have a standard cPanel host, you’ll be able to use WP Whoosh!
Secure Username and Passwords
WP Whoosh chooses strong usernames and passwords for your database name, username and password, and for your WordPress admin login and password, making it much more difficult for a hacker to break into your site by brute force. This is a million miles away from the predictable user_wrdp1 names chosen by Fantastico.
Secret WordPress Administrator
WP Whoosh keeps your WordPress administrator user name private, which makes it more difficult for a hacker to break into your admin account, as they have to guess both the username and the password.
.htaccess Is Set Up For Security
We include a fully fledged .htaccess file in your installation. This means that common routes into your site are closed down forcing hackers to work harder to find a way in.
- No web access to WordPress and PHP config files
- Block theft of cookies using HTTP TRACE
- Blocking of script injection
- No browsing of directories such as the plugins directory and the content directory.
- No exposure of the version of WordPress that runs your site
- No exposure of the version of the web server that runs your site
- No exposure of the version of PHP your site is running
- Certain files are designed only to be run from other files on the web server, and not by external methods. We prevent direct external access to these.
- Prevents robot spammers
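As an added illustration of the rules listed above (this is a constructed example, not WP Whoosh's own .htaccess file), here is a hardening .htaccess for a WordPress site running on Apache 2.4 with mod_rewrite, mod_headers and mod_autoindex. The host name example.com is a placeholder to replace with your own domain.

```apache
# Constructed example (not WP Whoosh's own file) of a hardening .htaccess for a
# WordPress site on Apache 2.4 with mod_rewrite, mod_headers and mod_autoindex.
# Place it in the site root; the rewrite block must come before WordPress's own
# "# BEGIN WordPress" rules so that the deny rules win. Replace example.com
# (placeholder) with the site's own host name.

# No web access to WordPress and PHP config files (nor to the .htaccess itself)
<FilesMatch "^(wp-config\.php|php\.ini|\.user\.ini|\.htaccess|\.htpasswd)$">
    Require all denied
</FilesMatch>

# readme.html and license.txt state the WordPress version; hide them.
# (The generator meta tag is emitted by PHP and needs a theme or plugin filter.)
<FilesMatch "^(readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# No directory listings for wp-content, plugins, uploads and so on
Options -Indexes

# Do not print the web server version on error pages.
# (ServerTokens Prod must be set in the main server config; it is not allowed here.)
ServerSignature Off

# Drop the header that reveals the PHP version. expose_php itself can only be
# turned off in php.ini, so the header is stripped at the web server as well.
<IfModule mod_headers.c>
    Header unset X-Powered-By
</IfModule>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Block HTTP TRACE/TRACK, the methods abused by cross-site tracing to read cookies
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
    RewriteRule .* - [F,L]

    # Refuse query strings that carry script tags or try to overwrite PHP globals
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
    RewriteRule .* - [F,L]

    # Library files meant to be included by other scripts, never requested directly
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # PHP should never execute out of the uploads folder
    RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

    # Comment-spam robots: reject comment POSTs that do not come from a page on
    # this site, or that send no user agent at all
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    RewriteCond %{HTTP_REFERER} !example\.com [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* - [F,L]
</IfModule>
```

After adding the file, check it from outside the site: a request for wp-config.php or readme.html should return 403, a directory such as wp-content/plugins/ should no longer list its files, and the response headers should no longer carry X-Powered-By. If the site lives in a subdirectory, add a matching RewriteBase at the top of the rewrite block.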
You need an XML sitemap file so the search engines can locate all your web pages. There are great WordPress plugins available that make generating a sitemap really easy to do. But did you know that many people end up leaving a security hole when using sitemap plugins? We configure either your sitemap_index.xml or sitemap.xml and make sure there are no security issues with it.
Minimum File Access Settings
Many WordPress installations leave large areas of your site writeable by the web server. This can cause a problem if you are ever hacked – and many people are – so you need to think defensively. If your host allows it, we lock down all the plugins and themes so that their folders are not writeable. This means that when you upgrade a plugin or theme you will have to supply your FTP password. We believe this is a small price to pay for the extra security it gives.
We also deny access to anyone trying to surf your site and reading the contents of your wp-config.php and php.ini files.
WP Whoosh has set up your site securely, but how can you keep it safe? WP Whoosh installs and configures the Wordfence plugin to protect your site, monitor suspicious activity and provide early detection if your site has been hacked.
Whoosh uses an “API secret” to encrypt your host details using Triple DES. When transmitted your cPanel details are individually encrypted using your API secret, then the entire installation request is encrypted using your API secret and then it is further encrypted by dint of being sent over HTTPS to the Whoosh Server. So we have triple encryption and Triple DES. It’s what we call the Whoosh Triple Lock. This keeps your host details really secure when being transmitted between the Whoosh plugin on your site and our Whoosh Server.
Even if your WordPress site is hacked and the hacker downloads your WordPress database, he or she will be unable to decrypt your host details as they do not have your API secret. The secret must be typed in whenever your host details are accessed: when adding or editing the host information, when checking a site prior to installation, during a site installation, or during a site deletion.
Choosing An API Secret
You can set your API Secret using numbers, letters, spaces and some special characters, and it can be between 4 and 32 characters in length.
Test the strength of your API Secret at How Secure Is My Password.
For example, a weak secret would be “1234”, and a strong secret would be “Mary had a $50 lamb, its fleece was white as snow!”. The former could be cracked instantly, whereas the latter would take 10 sesvigintillion years on a desktop PC. This number is 10 to the power 81 so even if the hacking attempt used all computing resources on Earth it would still take longer than the universe has existed.
Interestingly enough, something simple like “1234…………” would still take a million years to crack, so choosing a length of around 16 characters seems prudent.
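The two passages above, the API-secret encryption of host details and the choice of a strong secret, are illustrated by the following added example. It is not the Whoosh plugin's own code: the function names (whoosh_encrypt, whoosh_decrypt, whoosh_secret_bits), the PBKDF2 key derivation, the random IV and the HMAC tag are assumptions made here. Triple DES (OpenSSL's des-ede3-cbc) is used to match the page; the HMAC tag is added so that decryption with the wrong API secret fails cleanly instead of returning garbage, which is what lets a plugin refuse a wrong secret rather than silently use a broken decrypt.

```php
<?php
// Added example; not the WP Whoosh plugin's own code. It illustrates the scheme
// the page describes: cPanel host details are stored only in encrypted form,
// under a key derived from an API secret that the user types in each time and
// that is never written to the database. Triple DES (des-ede3-cbc) is used to
// match the page; the function names, PBKDF2 key derivation, random IV and
// HMAC tag are assumptions added here so that a wrong secret fails cleanly.

const WHOOSH_KDF_ITERATIONS = 100000; // assumed value; tune to the host's CPU
const WHOOSH_SALT_LEN = 16;
const WHOOSH_IV_LEN   = 8;            // Triple DES block size
const WHOOSH_TAG_LEN  = 32;           // HMAC-SHA256 output size

/** Derive a 24-byte 3DES key and a separate 32-byte HMAC key from the secret. */
function whoosh_derive_keys(string $secret, string $salt): array
{
    $material = hash_pbkdf2('sha256', $secret, $salt, WHOOSH_KDF_ITERATIONS, 56, true);
    return [substr($material, 0, 24), substr($material, 24, 32)];
}

/** Encrypt host details. Returns base64 of salt | iv | ciphertext | tag. */
function whoosh_encrypt(array $host, string $secret): string
{
    $salt = random_bytes(WHOOSH_SALT_LEN);
    $iv   = random_bytes(WHOOSH_IV_LEN);
    [$encKey, $macKey] = whoosh_derive_keys($secret, $salt);
    $ct = openssl_encrypt(json_encode($host), 'des-ede3-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    $tag = hash_hmac('sha256', $salt . $iv . $ct, $macKey, true); // encrypt-then-MAC
    return base64_encode($salt . $iv . $ct . $tag);
}

/** Decrypt. Returns null if the secret is wrong or the stored row was altered. */
function whoosh_decrypt(string $blob, string $secret): ?array
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= WHOOSH_SALT_LEN + WHOOSH_IV_LEN + WHOOSH_TAG_LEN) {
        return null;
    }
    $salt = substr($raw, 0, WHOOSH_SALT_LEN);
    $iv   = substr($raw, WHOOSH_SALT_LEN, WHOOSH_IV_LEN);
    $ct   = substr($raw, WHOOSH_SALT_LEN + WHOOSH_IV_LEN, -WHOOSH_TAG_LEN);
    $tag  = substr($raw, -WHOOSH_TAG_LEN);
    [$encKey, $macKey] = whoosh_derive_keys($secret, $salt);
    // Verify the tag in constant time before touching the ciphertext
    if (!hash_equals(hash_hmac('sha256', $salt . $iv . $ct, $macKey, true), $tag)) {
        return null; // wrong API secret, or a modified database row
    }
    $plain = openssl_decrypt($ct, 'des-ede3-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : json_decode($plain, true);
}

/** Rough strength estimate in bits: length times log2 of the character pool used. */
function whoosh_secret_bits(string $secret): float
{
    $pool = 0;
    if (preg_match('/[a-z]/', $secret)) { $pool += 26; }
    if (preg_match('/[A-Z]/', $secret)) { $pool += 26; }
    if (preg_match('/[0-9]/', $secret)) { $pool += 10; }
    if (preg_match('/[^A-Za-z0-9]/', $secret)) { $pool += 33; } // space and punctuation
    return $pool === 0 ? 0.0 : strlen($secret) * log($pool, 2);
}

// Constructed sample values, not real credentials.
$host   = ['cpanel_host' => 'example.test', 'cpanel_user' => 'demo', 'cpanel_pass' => 'not-a-real-password'];
$secret = 'Mary had a $50 lamb today!'; // 26 characters, within the 4-32 limit

$blob = whoosh_encrypt($host, $secret);
if (whoosh_decrypt($blob, $secret) !== $host) { throw new RuntimeException('round trip failed'); }
if (whoosh_decrypt($blob, '1234') !== null)   { throw new RuntimeException('wrong secret decrypted'); }

printf("stored blob: %s\n", $blob);
printf("'1234' ~ %.0f bits; passphrase ~ %.0f bits\n", whoosh_secret_bits('1234'), whoosh_secret_bits($secret));
```

The point the example makes is that the security of the stored row rests entirely on the API secret never being written down anywhere the database is: a downloaded database contains salt, IV, ciphertext and tag, none of which help without the secret. The entropy estimate is deliberately crude (it assumes characters are chosen independently, which a dictionary phrase is not), so treat it as a lower bar rather than a guarantee.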
Not Secure Enough?
Well, if you are fundamentally against the principle of holding your cPanel details in a WordPress database on the internet, then you don’t have to.
Simply set up a WordPress installation on your PC or Mac. As long as your desktop is secure, so will your cPanel details be.
Auto Delete Host After Installation
And finally, there is always the option to simply remove the username and password from the host details after you make the installation. If requested, I can add an option to Whoosh so that it automatically redacts the host username and password after each site installation.
This is something we plan to add for LastPass users in Whoosh 1.6. Rather than use the API secret approach to protect a saved username and password, the username and password will not be saved at all but be pre-filled each time by LastPass. This passes the responsibility of keeping stored cPanel details secure from Whoosh to LastPass.
When operating in this mode we recommend that you run your WordPress admin securely by setting the following line in wp-config.php:
This means that all information passed between the browser and the Whoosh plugin goes over HTTPS and hence cannot be sniffed.