Personal Development for Smart People Forums
Personal Development > Technology & Technical Skills

Post #1, 10-28-2011, 03:00 PM, by Aminka Ozmun (Senior Member, New York City)
Preventing a WordPress Site Getting Hacked

There's someone I know who works as a six-figure sysadmin for a major university who has verbally threatened to hack into my WordPress sites. (I know this person, how shall I say it, most personally, and he's definitely got some level of hacking skills. He's also a bully and the kind of person who used to get kicked out of school for fighting -- so I know this is serious.)

After talking with my webhost, Bluehost, it seems like the most damage that a hacker can do is cause a momentary nuisance, as timely backups exist and can have a site restored within mere minutes.

Is this true?

What would you do with your WordPress sites (all on one shared account, if that matters) if you knew you were going to get hacking attempts?

Post #2, 10-28-2011, 04:06 PM, by dogstar (Member)

I've had my charity WordPress site hacked before. Make sure that your directories are all set to read-only, as one of the hacks was uploaded to one of my directories.

Also be sure to back up your WP database as recommended by your hosting provider. It's pretty easy to rebuild your site from that if it does get hacked.

Good luck!

Post #3, 10-28-2011, 05:07 PM, by apsinvo (Member)

Quote: Originally Posted by Aminka Ozmun (post #1, quoted in full)

I have been a sysadmin for 10 years by profession and have the following advice:

1. Make sure all your passwords for access are strong. Example: vKf8D%c!
2. Make sure all your passwords are different between WordPress, hosting account, email, etc.
3. Make sure permissions are set correctly on your files/installation.
4. Make sure WordPress, all themes, and modules are totally up to date.
5. Remove any unnecessary modules that you don't need or want.
6. Don't get hacked yourself! I.e., clicking on fake links in bogus emails, or being tricked into entering your details anywhere.
7. Make sure your own PC is up to date with patches and antivirus, run a virus scan, and remove any and all junk you don't need.
8. Scan your own PC with a separate virus scanner. I usually use the free Trend Micro online one.

Hope this helps and good luck. Don't worry. People talk a lot of BS online.

EDIT: Also take full backups of your hosting account(s).

Post #4, 10-28-2011, 05:37 PM, by Aminka Ozmun (Senior Member, New York City)

Thanks, dogstar -- but for at least one of my sites I'd like to have a forum and other interactive aspects. Sounds like write-protecting my directories would prohibit that, right? I guess I just have to render specific folders read-only, correct?

Thanks as well, apsinvo, for your tips. Sounds like there's really nothing to be done except adopt all the standard precautions (I'll need to look into setting up permissions)...

Post #5, 10-28-2011, 07:02 PM, by dogstar (Member)

Quote: Originally Posted by Aminka Ozmun (post #4, the paragraph on write-protecting directories)

That would depend on how your forum solution is implemented. If it writes to a database and not to the file system, modifying the permissions of the file system under your WordPress directory shouldn't have any impact. How familiar are you with the implementation of your forums and other interactive components?

I would certainly test the site after you modify any permissions as well to make sure that it still works correctly. You can always change them back.

Post #6, 10-28-2011, 07:28 PM, by Lil Chris (Family Member, Somewhere in time...)

Also, you could install a plug-in called WordPress File Monitor to monitor any changes that happen on your site. This can be a pain if you are always making changes, but it'll help keep an eye on things actively. You can always turn it on when you are not making changes and turn it off when you are.

I wouldn't worry too much; you can always restore from a backup, as your host mentioned.

Post #7, 10-31-2011, 07:54 PM, by Peter T (Junior Member)

Always install the latest versions of plugins; if you don't update a plugin, you are exposing yourself to vulnerabilities. Well, if you know someone who has hacked your site, you can report him to the authorities.

Post #8, 11-09-2011, 10:53 PM, by Justin Mazza (Senior Member, Monkton, Maryland)

There is a free WordPress plugin called Login Lockdown. It adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range.
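
As an added example (not from the thread, and not Login Lockdown's own code): the signal that plug-in acts on, many failed logins in a row from one address, is also visible in ordinary web-server access logs, so you can check whether attempts are under way even on a site without the plug-in. The log lines below are constructed samples using documentation IP ranges; the script assumes combined-format logs and the usual WordPress behaviour that a failed POST to wp-login.php re-renders the form (HTTP 200) while a successful one redirects (HTTP 302).

```shell
#!/bin/sh
# Added example, not from the thread: find addresses with bursts of failed
# WordPress logins in an access log. Assumes combined-format lines and that a
# failed POST to wp-login.php returns 200 while a success returns 302.
set -eu

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG='203.0.113.7 - - [28/Oct/2011:15:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [28/Oct/2011:15:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [28/Oct/2011:15:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [28/Oct/2011:15:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
203.0.113.7 - - [28/Oct/2011:15:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
198.51.100.4 - - [28/Oct/2011:15:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3102
198.51.100.4 - - [28/Oct/2011:15:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3417
198.51.100.4 - - [28/Oct/2011:15:01:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [28/Oct/2011:15:02:00 +0000] "GET /2011/10/hello-world/ HTTP/1.1" 200 8120'

# Read log lines on stdin and print "ip count" for every address with at least
# $1 failed wp-login.php POSTs, sorted by address. Field positions in a combined
# log line: $1 client address, $6 quoted method, $7 path, $9 status code.
failed_login_bursts() {
  awk -v thr="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
  ' | sort
}

# Convenience wrapper over the embedded sample so the script runs with no input file.
sample_bursts() { printf '%s\n' "$SAMPLE_LOG" | failed_login_bursts "$1"; }

# Against a real log (placeholder path): failed_login_bursts 5 < /path/to/access.log
if [ "${1:-}" = "--demo" ]; then sample_bursts 3; fi
```

With the sample and a threshold of 3, only 203.0.113.7 is reported (five failures); 198.51.100.4 had one failure followed by a successful login, which is what a forgotten password looks like. A 200 on that POST can also be the lost-password form or a blocked request, so treat a burst as a reason to look rather than proof, and behind a CDN or reverse proxy the first field is the proxy's address, so the forwarded-for header is the one to count.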

Post #9, 11-12-2011, 03:24 AM, by aussieNickuss (Senior Member, Ballarat, Victoria, Australia)

If you set all directories in your WordPress install to read-only, then you're not going to be able to automatically install or update plugins through the wp-admin interface, as that requires write access to at least the wp-content folder. You're also not going to be able to auto-update your WordPress installation either. That's not stopping you from locking down your install though, because if you're up for it, you can install/update plugins and update WordPress manually.

If you really want to lock things down, but don't want to lose too much flexibility... my suggestion would be to set read-only on wp-admin, wp-includes and all the files that sit within the root directory (including files such as wp-config.php, wp-settings.php and index.php). Leave the wp-content folder writable only by the system (on a Unix server, that would be 755). When it comes time to update WordPress itself (which will be very soon with the 3.3 release), follow the instructions to manually update it (or temporarily allow write access to the files/folders mentioned above).

I've had one WordPress site "hacked" and it actually came about by my client's PC being infected by a virus. While they were FTP'ing into the server (to bulk upload images), the virus that had infected their PC wrote to the wp-settings.php file and inserted a small bit of JavaScript to output to the WordPress pages. That's why you have to ensure your own PC is just as secure as your web server.
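
Putting aussieNickuss's permission scheme, dogstar's advice to test after changing permissions (post #5), and the file-change monitoring Lil Chris mentions (post #6) into one script, as an added example that is not part of the thread and not the WordPress File Monitor plug-in's code: it builds a throwaway WordPress-like directory (a constructed layout, not a real install), sets wp-admin, wp-includes and the root files read-only and wp-content to 755/644, lists anything still writable by group or others, then records a SHA-256 baseline of every file and re-checks it. The octal modes follow the post and assume the usual shared-hosting setup where PHP runs as the file owner; where PHP runs as a different user the owner/group layout changes, and wp-config.php is normally kept tighter than 444. The --demo flag, the mktemp path and the function names are this example's own conventions.

```shell
#!/bin/sh
# Added example, not code from the thread or from WordPress: apply the permission
# scheme aussieNickuss describes, check it the way dogstar suggests, and keep a
# hash baseline of the tree, which is what a file-monitor plug-in does for you.
# Assumes a Unix host where PHP runs as the file owner (usual on shared hosting).
set -eu

# Build a throwaway WordPress-like tree under $1. Constructed sample layout so the
# script can run offline; it is not a real install.
make_sample_wp() {
  root="$1"
  mkdir -p "$root/wp-admin" "$root/wp-includes" \
           "$root/wp-content/plugins" "$root/wp-content/uploads"
  for f in index.php wp-config.php wp-settings.php wp-admin/index.php \
           wp-includes/functions.php wp-content/plugins/hello.php \
           wp-content/uploads/photo.jpg; do
    printf '<?php // placeholder %s\n' "$f" > "$root/$f"
  done
}

# Core read-only: wp-admin, wp-includes and the files in the root get dirs 555 /
# files 444. wp-content stays writable by the owner only: dirs 755 / files 644.
lock_down_wp() {
  root="$1"
  for d in "$root/wp-admin" "$root/wp-includes"; do
    find "$d" -type d -exec chmod 555 {} +
    find "$d" -type f -exec chmod 444 {} +
  done
  find "$root" -maxdepth 1 -type f -exec chmod 444 {} +
  find "$root/wp-content" -type d -exec chmod 755 {} +
  find "$root/wp-content" -type f -exec chmod 644 {} +
}

# True when $1 has exactly octal mode $2 (find -perm with no prefix is an exact match).
has_mode() {
  [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]
}

# List anything under $1 that group or others can write to. After lock_down_wp this
# should print nothing; a directory others can write to is what an uploaded file needs.
writable_by_others() {
  find "$1" \( -perm -g+w -o -perm -o+w \) -print | sort
}

# Hash every file under $1 (sha256sum on GNU systems, shasum elsewhere), one line per file.
hash_tree() {
  if command -v sha256sum >/dev/null 2>&1; then hasher="sha256sum"; else hasher="shasum -a 256"; fi
  ( cd "$1" && find . -type f -exec $hasher {} \; | sort -k2 )
}

# Record the baseline of tree $1 into file $2 (keep that file outside the web root).
baseline_tree() { hash_tree "$1" > "$2"; }

# Compare tree $1 against baseline $2. Prints each changed, added or removed path
# and returns 1; prints nothing and returns 0 when the tree is unchanged.
verify_tree() {
  diffs=$(hash_tree "$1" | diff "$2" - | grep '^[<>]' | awk '{print $NF}' | sort -u || true)
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

# Sample trees contain 555 directories, which rm -rf cannot empty as a normal user.
cleanup_sample() { chmod -R u+w "$1"; rm -rf "$1"; }

demo() {
  tmp=$(mktemp -d)
  make_sample_wp "$tmp"
  lock_down_wp "$tmp"
  echo "still writable by group/others (expect nothing):"; writable_by_others "$tmp"
  baseline_tree "$tmp" "$tmp.baseline"
  # Constructed change standing in for the edit aussieNickuss saw in wp-settings.php.
  chmod u+w "$tmp/wp-settings.php"
  echo '// constructed change' >> "$tmp/wp-settings.php"
  verify_tree "$tmp" "$tmp.baseline" || echo "changes detected (expected in this demo)"
  cleanup_sample "$tmp"; rm -f "$tmp.baseline"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to watch the lockdown and a detected change on the sample tree; on a real site call lock_down_wp and baseline_tree against the install path, store the baseline outside the web root, and run verify_tree from cron or after every FTP session. Anything verify_tree prints that you did not change yourself is the cue to restore from backup, as the thread says; the same baseline also shows you which file to look at first.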

Post #10, 11-22-2011, 03:53 PM, by Aminka Ozmun (Senior Member, New York City)

Hey, Everyone,

Been away a few weeks to deal with school and work and life offline... just a quick note to say thanks so much for the suggestions! I don't want to detail the measures I've taken, but I do want to note that all your feedback has been really helpful!

All times are GMT.