(08-27-2019, 07:44 PM)thdreamer Wrote: Good thread.
The first thing I do once I have installed WP is to deactivate all plugins and then remove them :)
Most of them are really unnecessary. Besides I like to keep my house clean and simple!
Having said that, however, I do need to install ONE plugin before I start customizing my site and that is " WP Maintenance mode"
This is a simply free plugin that do the following:
It displays a notice to all visitors of mysite.com that this site is currently under maintenance.
I've just gone through a panic scare situation. I don't think it was my Website content, but there is currently a planned attack on older WordPress themes and plugins where the perpetrators infiltrate through a hole in the plugin, then get the site IP to be connected with "dudd" external domains that attack other sites. As soon as all of the anti-spam blacklisting authorities pick up on this and the warning comes to your datacenter that the IP on which your Website is built has been responsible for attacking other sites, your account gets suspended, the rogue domains get emptied and they vanish. By the time this gets investigated they're already long gone and busy on the next victim.
So moral of the story is, check your favourite themes and plugins you've used for many years are still a going concern. Not only that they are updated, but that the authors of the themes and plugins are still actively involved and interested. I have WordFence loaded, and still maintain that it wasn't the WordPress site that was the problem - as when I questioned it, and the Datacenter looked at my account, there was nothing on it - no evidence of an exploit. They thought I had something loaded on my WordPress site that had taken care of it, which is a load of rubbish, as there were no warnings from WordFence. Unfortunately at the time when I was advised I was in such a state of shock I genuinely believed the blog had been hacked and reloaded the OS of the VPS to make sure all of the content was gone. So only afterwards when I read the Datacenter report about the fact they couldn't find an exploit, realized that possibly my Website had not been the source of the problem. Something else must have happened.
So now of course technically since the VPS had been empty for a couple of days, there should be no Website linked to it. I then did an IP Website search, and there were four domains that came up with the DNS inspect as though they were on that IP. And one of them was the offending domain that was listed in the complaint.
My argument had been since the VPS I had been allocated had been very new, possibly these hackers had had domains on that IP before. Anyway, I have no evidence for that. All I can say, one can be as security focused as one wants to be, but these guys have become so super sophisticated and "fast" in their operations so the only way one can be "safe" is to make sure one has as few WordPress plugins loaded as is reasonable as one can and they're very VERY current and up to date.
And now WP Website owners have a further problem, as all of that anti-spam police network is so closely knitted electronically, that they will respond to almost any spam notice and instantly blacklist IPs, automatically. I was lucky my IP was not blacklisted, as my Datacenter responded fast. But when I checked after, some of these anti-spam organisations - particularly the one - had blacklisted my VPS IP AFTER the situation had been solved. When I tried to get them to remove the blacklisting they offered to do it for a fee!
So I asked the VPS host to replace my IP instead. I still haven't put a Website up however, as I'm planning to start a new installation from scratch. I've also been researching static blogs with Jekyll or Hugo, but probably will go back to WordPress and be even more cautious than I've been before. It has taken a few years for me to at least be a specialist (by not such high standards), I'd hate to give up on WordPress. Starting with Jekyll and Hugo is a huge learning curve. Maybe I'm a bit lazy too and comfortable with WordPress. Darn hackers!
I get the feeling that your policy would also be very conservative in using themes and plugins so in this instance would be very interested which plugins you're using for your WP sites.