Understanding security plugins

Hello.
I was looking for a new CMS to replace Wordpress, and I ended up discovering ClassicPress which on paper seemed to suit me until I discovered the “Security” tab of the admin panel.

Indeed, I’m not quite sure I understand; I quote:

As ClassicPress continues to evolve, the Security page will become the hub for all security features for ClassicPress core and 3rd party plugins that choose to support it.

Does this mean that ClassicPress is not currently secure and that we have to wait for updates before we can use it on a daily basis?

Also, I noticed the mention:

No registered security settings yet!

Does this mean that my ClassicPress blog is currently vulnerable?

And finally:

Install plugins that add their own security settings according to the ClassicPress guidelines, and their settings pages will be listed here and in the Security menu on the left.

From what I understand, I have to install the security plugins by myself, but:
1 - Where are they? (I did not find the guideline in question)
2 - Why not install them by default?

Thanking you in advance for taking the time to answer me
and I apologize for my ignorance #noob team

Sincerely

WhiteBear

2 Likes

You don’t need to concern yourself with the Security tab. That page is for security plugins to use, to place their settings there, if their developers choose to do so. So far, the few security plugins that support ClassicPress don’t use that page, and there have been talks about removing it in future versions.

Security plugins are plugins. You need to install them yourself after installing the ClassicPress core. CP has its own (small) plugins directory, although it’s still being developed and in the early beta stage. Of course, you can also choose from the many WP plugins available (those compatible with WP 4.9 and below).

For your security plugin, I suggest Shield Security. It actively supports ClassicPress, and its Pro version has all the features you need. If you choose the Free version, which has no malware scanner, you can complement it with GOTMLS.

If available, I also suggest that you follow your webhost’s advice on further securing your WP/CP installation.

Because the plugins directory is still in the works, and because CP uses WP plugins that might stop supporting CP, the one area that you should be careful about is monitoring the update status of your plugins. (I don’t know much about this issue, but there have been discussions about this in this forum, so you could probably start there.)

For starters though, you can try out CPCompatibility and Check Plugin Status.

3 Likes

Thanks for asking.

You can ignore this screen, it was a feature that was started but unfortunately never finished. I think the best thing for us to do will be to remove it entirely in a future version. Some previous discussion: Security page feedback and improvements

Security plugins are not strictly necessary: I do not use them on my sites, instead I prefer other measures like making sure all users have strong passwords. Many people do find security plugins helpful though, and if it gives you peace of mind then that’s not a bad thing. As Arjay says, Shield Security is a good option for ClassicPress, and they can help with any issues you might have with their plugin.

2 Likes

Thank you a lot for your quick answer.
It’s self-hosted and I prefer not to use plugins if not necessary.

4 Likes

ClassicPress and WordPress basically work the same:

  • The core is secure, it has no known vulnerabilities.
  • Security issues stem from plugin and theme vulnerabilities.

It’s near impossible to have a ClassicPress (or WordPress) website without any plugins. Plus, you can’t have a website without a theme. Having a security plugin is usually a good idea.

Not only does it add protection to reduce the chances of being hacked, but it also may add features like anti-spam protection for comments and forms, brute force protection for the login form, etc.

The one I use and recommend for both ClassicPress and WordPress is Shield Security.

2 Likes

One thing you can do to improve the security of your site is to configure both wp-login.php and the entire /wp-admin/ directory to be protected with a separate password at the web server level. This is done by editing the .htaccess file for the site. This is a hardening measure rather than something that patches around an existing vulnerability, but it will immediately and perfectly block all bots that might be trying your login form or trying to see if any plugins are putting insecure code into the admin area. If you are interested in this let me know, and I can try to find a good guide.

Another more advanced but very effective measure you can take is to not allow the site to write to its own files. This would mean that you have to do plugin/theme/core upgrades via FTP or some other method so it is a bit more difficult to manage.

2 Likes

Thank you for your advice about security and plugins.
I will think about deploying the necessary plugins and further securing my ClassicPress on the server side as well.

Regards

3 Likes

Hi, I would like to see a guide on this please.

Yes, I would like to see a guide too.

This one is ok: How to protect WordPress login with .htaccess - IONOS

However, the steps there do not protect wp-login.php as claimed, only the wp-admin directory! This is still the best guide I was able to find, though.

Protecting wp-login.php would need to be done later as a separate step, by adding a section like the following to your site’s main .htaccess file (change the path to the AuthUserFile after following the guide and getting it working for the wp-admin directory):

    <FilesMatch "wp-login.php">
        AuthName "Members and Admin only"
        # same password file you created for the wp-admin directory
        AuthUserFile "/home/account/.htpasswds/folder/.htpasswd"
        AuthType Basic
        require valid-user
    </FilesMatch>

2 Likes
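The two measures from this thread (a web-server password on /wp-admin/ and wp-login.php, and site files the web server cannot write to) collected into one small script, as an added example that is not from the thread, from IONOS or from the ClassicPress project. It writes the wp-admin/.htaccess the guide has you create and appends the wp-login.php FilesMatch rule quoted above to the site's main .htaccess, then tightens file permissions and checks the result. It goes slightly beyond the post by keeping admin-ajax.php reachable, since front-end features request that file for logged-out visitors and break behind a password prompt. Assumptions: Apache 2.4 `Require` syntax, an installed `htpasswd` tool, and the site root, password-file path and "webmaster" user name used here, which are all placeholders.

```shell
#!/bin/sh
# Added example (not the forum's or the project's code). Hardening helpers for a
# ClassicPress/WordPress site on Apache 2.4. Paths and user names are assumptions.

# Create the password file with bcrypt hashes (-B); run once, add further users
# with `htpasswd -B FILE USER`. Keep the file outside the document root.
create_htpasswd() {
    htpasswd -B -c "$1" "$2"
}

# wp-admin/.htaccess: everything under /wp-admin/ needs a valid user, except
# admin-ajax.php, which front-end features also request for logged-out visitors.
write_admin_htaccess() {
    site_root=$1
    htpasswd_file=$2
    cat > "$site_root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Members and Admin only"
AuthUserFile "$htpasswd_file"
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Append the wp-login.php rule (the FilesMatch block from the post above) to the
# site's main .htaccess, unless it is already there.
write_login_htaccess() {
    site_root=$1
    htpasswd_file=$2
    if grep -q 'FilesMatch "wp-login.php"' "$site_root/.htaccess" 2>/dev/null; then
        return 0
    fi
    cat >> "$site_root/.htaccess" <<EOF
<FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Members and Admin only"
    AuthUserFile "$htpasswd_file"
    Require valid-user
</FilesMatch>
EOF
}

# Read-only tree for the web server: directories 755, files 644, wp-config.php
# 640. This only helps when the files are owned by a user other than the one
# Apache runs as (as root: `chown -R webmaster:www-data SITE_ROOT`); updates then
# happen as that user over SFTP or WP-CLI, not from the admin panel.
make_site_readonly() {
    site_root=$1
    find "$site_root" -type d -exec chmod 755 {} +
    find "$site_root" -type f -exec chmod 644 {} +
    [ -f "$site_root/wp-config.php" ] && chmod 640 "$site_root/wp-config.php"
    return 0
}

# Check: exit 0 only if nothing in the tree is group- or world-writable.
check_site_readonly() {
    if find "$1" \( -perm -020 -o -perm -002 \) -print | grep -q .; then
        return 1
    fi
    return 0
}
```

Usage: `create_htpasswd /home/account/.htpasswds/folder/.htpasswd admin`, then `write_admin_htaccess /var/www/site /home/account/.htpasswds/folder/.htpasswd`, `write_login_htaccess` with the same arguments, and finally `make_site_readonly /var/www/site` followed by `check_site_readonly /var/www/site`. Test the login prompt in a private browser window before closing your existing admin session, so a typo in the AuthUserFile path does not lock you out.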