About to install – hardening WP

Resolved christian-s
(@christian-s)

17 years, 5 months ago

hi all,

I’m about to make my first install of WP.
Is there any special actions I should take to prevent hackers in attacking my site?
The install of was at my host with cPanel/Fantastico and is version 2.0.5. WP was installed more or less automatically I only had to create the DB and user accounts.

I’ve tried Joomla earlier and with that CMS several lines are added to .htaccess in order to make hacking via scripts more difficult.

Is anything like that needed with WP?

Of course I will need to stay current with the WP versions and backup my site on a regular basis and have a rollback plan if my site would get hacked.

I’m just wondering if there are preventive measures I should take.

Viewing 9 replies - 1 through 9 (of 9 total)

bestfoot
(@bestfoot)

17 years, 5 months ago

The biggest measure I take is to add spam karma to avoid spam comments. If a hack is found, then they usually roll out a fixed version. Meanwhile make regular backups.

Thread Starter christian-s
(@christian-s)

17 years, 5 months ago

thanks bestfoot – good point on implementing spam filter. I will make a search for karma.

moshu
(@moshu)

17 years, 5 months ago

Spam is not “hacking” but it is annoying.
For me the BadBehavior and SpamKarma2 work well (those are plugins: http://codex.wordpress.org/Plugins/Spam_Tools

One of the biggest “open door” for hackers is if you use the online theme editor (=leaving your theme files chmod 666) and the online upload (folders 777)… World writable files and folders are a sure way to attract bad guys 🙂

Also good read: http://codex.wordpress.org/Hardening_Wordpress

whooami
(@whooami)

17 years, 5 months ago

hardening?

begin with deleting the install.php, upgrade.php, import.php (import directory).. etc.. off the server when done.

More hardening?

If you have mod_security available, use it.

Bodhipaksa
(@haecceity)

17 years, 5 months ago

That’s interesting advice, Whoo. Do you have an exhaustive list of files to delete for security purposes?

It sounds like there should be some kind of option after installing WP to have those files deleted automatically. Or a plugin? Or perhaps there could just be a suggestion in the installation instructions to delete these file manually.

whooami
(@whooami)

17 years, 5 months ago

no, I dont, but anythign related to installing or upgrading would be safe candidates.

And yes, you are correct. Or atleast a friendly reminder such as what exists in phpBB.

Thread Starter christian-s
(@christian-s)

17 years, 5 months ago

Thanks mushu & whooami,

I will read up on mod_security as well. Good point.
I’ll also check the install files and move them off the server.

Excellent forum here and good advices. Thanks all.

Actions so far
* read http://codex.wordpress.org/Hardening_Wordpress for inspiration on what to do
* remove install file; install.php, upgrade.php, import.php (import directory)
* implement mod_security if supported by webhost
* install comment spam filter, for example BadBehavior and SpamKarma2, ref: http://codex.wordpress.org/Plugins/Spam_Tools
* do not use online theme editor (=leaving your theme files chmod 666) and the online upload (folders 777).
Starting to look like a pretty good list 🙂
Anything else I should consider?

Are there any commonly known hacks or attempts that try to inject code with weird urls that I can put to redirect in .htaccess so that if someone attempts to run a script against the site they are just taken to a “403 error” page?

whooami
(@whooami)

17 years, 5 months ago

Are there any commonly known hacks or attempts that try to inject code with weird urls that I can put to redirect in .htaccess so that if someone attempts to run a script against the site they are just taken to a “403 error” page …

thats what mod_security is good for, and while you could theoretically do that without m_s, it would be difficult.

So no, not really.

Thread Starter christian-s
(@christian-s)

17 years, 5 months ago

thats what mod_security is good for, and while you could theoretically do that without m_s, it would be difficult.

ok thanks for the clarification whooami.

I’m all set then.