WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] About to install - hardening WP (10 posts)

  1. christian-s
    Member
    Posted 7 years ago #

    hi all,

    I'm about to make my first install of WP.
    Is there any special actions I should take to prevent hackers in attacking my site?
    The install of was at my host with cPanel/Fantastico and is version 2.0.5. WP was installed more or less automatically I only had to create the DB and user accounts.

    I've tried Joomla earlier and with that CMS several lines are added to .htaccess in order to make hacking via scripts more difficult.

    Is anything like that needed with WP?

    Of course I will need to stay current with the WP versions and backup my site on a regular basis and have a rollback plan if my site would get hacked.

    I'm just wondering if there are preventive measures I should take.

  2. bestfoot
    Member
    Posted 7 years ago #

    The biggest measure I take is to add spam karma to avoid spam comments. If a hack is found, then they usually roll out a fixed version. Meanwhile make regular backups.

  3. christian-s
    Member
    Posted 7 years ago #

    thanks bestfoot - good point on implementing spam filter. I will make a search for karma.

  4. moshu
    Member
    Posted 7 years ago #

    Spam is not "hacking" but it is annoying.
    For me the BadBehavior and SpamKarma2 work well (those are plugins: http://codex.wordpress.org/Plugins/Spam_Tools

    One of the biggest "open door" for hackers is if you use the online theme editor (=leaving your theme files chmod 666) and the online upload (folders 777)... World writable files and folders are a sure way to attract bad guys :)

    Also good read: http://codex.wordpress.org/Hardening_Wordpress

  5. whooami
    Member
    Posted 7 years ago #

    hardening?

    begin with deleting the install.php, upgrade.php, import.php (import directory).. etc.. off the server when done.

    More hardening?

    If you have mod_security available, use it.

  6. Bodhipaksa
    Member
    Posted 7 years ago #

    That's interesting advice, Whoo. Do you have an exhaustive list of files to delete for security purposes?

    It sounds like there should be some kind of option after installing WP to have those files deleted automatically. Or a plugin? Or perhaps there could just be a suggestion in the installation instructions to delete these file manually.

  7. whooami
    Member
    Posted 7 years ago #

    no, I dont, but anythign related to installing or upgrading would be safe candidates.

    And yes, you are correct. Or atleast a friendly reminder such as what exists in phpBB.

  8. christian-s
    Member
    Posted 7 years ago #

    Thanks mushu & whooami,

    I will read up on mod_security as well. Good point.
    I'll also check the install files and move them off the server.

    Excellent forum here and good advices. Thanks all.

    Actions so far
    * read http://codex.wordpress.org/Hardening_Wordpress for inspiration on what to do
    * remove install file; install.php, upgrade.php, import.php (import directory)
    * implement mod_security if supported by webhost
    * install comment spam filter, for example BadBehavior and SpamKarma2, ref: http://codex.wordpress.org/Plugins/Spam_Tools
    * do not use online theme editor (=leaving your theme files chmod 666) and the online upload (folders 777).
    Starting to look like a pretty good list :-)
    Anything else I should consider?

    Are there any commonly known hacks or attempts that try to inject code with weird urls that I can put to redirect in .htaccess so that if someone attempts to run a script against the site they are just taken to a "403 error" page?

  9. whooami
    Member
    Posted 7 years ago #

    Are there any commonly known hacks or attempts that try to inject code with weird urls that I can put to redirect in .htaccess so that if someone attempts to run a script against the site they are just taken to a "403 error" page ...

    thats what mod_security is good for, and while you could theoretically do that without m_s, it would be difficult.

    So no, not really.

  10. christian-s
    Member
    Posted 7 years ago #

    thats what mod_security is good for, and while you could theoretically do that without m_s, it would be difficult.

    ok thanks for the clarification whooami.

    I'm all set then.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags

No tags yet.