Title: Securing WordPress against hackers
Last modified: March 17, 2019

---

# Securing WordPress against hackers

 *  [wnpaul](https://wordpress.org/support/users/wnpaul/)
 * (@wnpaul)
 * [7 years, 2 months ago](https://wordpress.org/support/topic/securing-wordpress-against-hackers/)
 * I am helping a friend who has a small computer repair shop with his website, 
   and in recent months his site has come under repeated attack by hackers who installed
   a webshell to launch attacks on others. If we cannot stop this recurring, his
   provider will cancel his account, and we have even received a warning from the
   cyber crime department of our local police department.
 * I have set up the site again on a freshly installed CentOS 7.6 server with a 
   clean install of the latest version (5.1.1) of WordPress, and have taken the 
   following measures to prevent or at least promptly detect any hacking. **I would
   appreciate comments and further suggestions.**
    1. SSH access is limited via _iptables_ to a couple of IP addresses of those who
       need to have this access.
    2. The entire site directory is owned by root rather than the webserver user. Since
       there is normally no need to upload files, even the _upload_ directory does 
       not need to be writeable by the webserver.
    3. I have stored several properties of all files that make up the site in a database,
       and check for changes every five minutes. After any legitimate changes the database
       is updated. If any discrepancies are discovered (new files, changes to size,
       md5sum or mtime of existing files) both my friend and I are notified.
    4. Access to _wp-admin_ and _wp-includes_, as well as to _phpMyAdmin_, is limited,
       via Apache config file, to the same limited set of IP addresses as SSH access.
    5. Access to _*.php_ files in the _uploads_ folder is denied via a .htaccess file.
 * I realize that in theory at least some of these measures are redundant; I also
   realize that some of them duplicate functionality that is already present in 
   the OS (i.e. I could let SELinux take care of monitoring for file changes, but
   I have never wrapped my mind around SELinux so the db solution was easier).
 * The server currently runs **PHP 5.4** because that’s what comes with CentOS 7.6
   and because we have another application that we have yet to port to/verify with
   PHP 7, but upgrading to PHP 7 is definitely on the to-do list. Everything else
   is up-to-date.
 * I am not posting the site URL, since I don’t want to let anyone make the connection
   between this site and these preventive measures. If someone needs the URL to 
   make constructive suggestions please pm me.
    -  This topic was modified 7 years, 2 months ago by [wnpaul](https://wordpress.org/support/users/wnpaul/).
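A sketch of the file-change check described in measure 3, added here as an example and not the poster's own script. It assumes a JSON baseline file in place of the database, and that a cron job calls `check()` every five minutes and mails any non-empty result; the site path and baseline path are placeholders.

```python
# Added example (not the poster's script): file-integrity check recording size,
# md5sum and mtime of every file under the site root, as in measure 3 above.
# Assumption: the baseline lives in a JSON file rather than a database.
import hashlib
import json
from pathlib import Path

def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root: str) -> dict:
    """Record size, md5sum and mtime of every regular file below root (symlinks skipped)."""
    entries = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            entries[str(p.relative_to(root))] = {
                "size": st.st_size, "md5": md5_of(p), "mtime": int(st.st_mtime)}
    return entries

def compare(baseline: dict, current: dict) -> dict:
    """Return new, deleted and changed paths; changed means size, md5 or mtime differs."""
    new = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"new": new, "deleted": deleted, "changed": changed}

def check(root: str, baseline_file: str, update: bool = False) -> dict:
    """Compare root against the stored baseline and return the differences.
    The first run only writes the baseline. Pass update=True after legitimate
    changes to accept the current state as the new baseline."""
    current = snapshot(root)
    bf = Path(baseline_file)
    if not bf.exists():
        bf.write_text(json.dumps(current, indent=1, sort_keys=True))
        return {"new": [], "deleted": [], "changed": []}
    result = compare(json.loads(bf.read_text()), current)
    if update:
        bf.write_text(json.dumps(current, indent=1, sort_keys=True))
    return result

if __name__ == "__main__":
    # Placeholder paths; a cron wrapper would mail this output when it is non-empty.
    print(json.dumps(check("/var/www/html", "/root/site-baseline.json"), indent=1))
```

Because mtime, size and md5 are all compared, a file overwritten with same-sized content and a preserved timestamp is still reported through the md5 mismatch.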

Viewing 2 replies - 1 through 2 (of 2 total)

 *  [mrtom414](https://wordpress.org/support/users/mrtom414/)
 * (@mrtom414)
 * [7 years, 2 months ago](https://wordpress.org/support/topic/securing-wordpress-against-hackers/#post-11322512)
 * You might want to install a plugin to lock an account for a specified period 
   of time if it has more than 3 unsuccessful logins.
 * Also, I think there are some plugins that will change the default login path 
   from wp-login.php to something different. You might also want to change the database
   prefix on the database to something other than wp_. Also, I know some people
   make sure that admin users are not in the first indexed position of the user 
   database, and you might want to use nicknames for posts rather than the user's name,
   or at least for the admin accounts. There are some security plugins that hide
   the version number of the current WP installation, which appears in the source
   code of the site. Don’t know if any of this helped, but good luck.
 *  [JNashHawkins](https://wordpress.org/support/users/jnashhawkins/)
 * (@jnashhawkins)
 * [7 years, 2 months ago](https://wordpress.org/support/topic/securing-wordpress-against-hackers/#post-11323990)
 * > If we cannot stop this recurring, his provider will cancel his account, and
   > we have even received a warning from the cyber crime department of our local
   > police department.
 * Your provider should be trying to help you with this unless you are trying to
   host this on your own box and they are your connectivity provider… then it’s 
   on you. Web hosts are a dime a dozen. Move if you want to.
 * Your cyber crime department? I’d use the sitecheck from Sucuri to create a paper
   trail of printed results that show you are either not hacked or else you have
   dealt with the problem quickly and thoroughly. I’d be calling my legal counsel
   in the morning also. You need to know your rights and obligations in your locality.
 * Another suggestion is to run CloudFlare. There’s your protection from DDoS attacks
   right there and you’ve isolated your origin machine from the greater internet.
   If CloudFlare chokes on your site and starts throwing 500 errors then get a better
   server.
 * If you need to then upgrade your CloudFlare account to a paid account. It’s a
   business expense. Business expenses are deductible and either produce measurable
   results or else the process needs to be changed.
 * I’m running Debian from my host on one project and I’m pretty sure it has PHP
   5.6. I wouldn’t want to run anything less. I’m trying to figure out why your 
   provider of the server or distro hasn’t addressed this.
 * [https://www.turnkeylinux.org/wordpress](https://www.turnkeylinux.org/wordpress)
   This distro comes with webmin, adminer, MariaDB, and other features.
 * Install Wordfence and iThemes Security together. They behave well together. Read
   their documents and set that up properly.
 * > Hacked?
   > Carefully follow [this guide](https://wordpress.org/support/article/faq-my-site-was-hacked/).
   > When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://wordpress.org/support/article/hardening-wordpress/)
   > and [start backing up your site](https://wordpress.org/support/article/wordpress-backups/).
 * If it’s your server getting hacked then change the server itself.

The topic ‘Securing WordPress against hackers’ is closed to new replies.

## Tags

 * [hacking](https://wordpress.org/support/topic-tag/hacking/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 3 participants
 * Last reply from: [JNashHawkins](https://wordpress.org/support/users/jnashhawkins/)
 * Last activity: [7 years, 2 months ago](https://wordpress.org/support/topic/securing-wordpress-against-hackers/#post-11323990)
 * Status: not resolved
