We’ve been building and hosting WordPress websites for clients since the year 2000. So far, the only “hacks” we’ve experienced is the introduction of malware into WordPress web sites. This may be a bit of code entered into an existing file that either creates a pop-up advertisement or sends spam from the web servers smtp server. We’ve also found new php files that have been uploaded to WordPress sites that send spam. It is a major pain to find and fix the damage these hacks cause.
Over the years we have found ways to prevent these WordPress sites being “hacked”. Here is a list of things we do to prevent hack attempts from ruining our week. All of our servers are Linux CentOS. Not all these suggestions will be applicable for Microsoft IIS servers.
Install Only Reputable Plugins
Be sure to only install plugins that have high ratings and a large install base. It is possible for an installed plugin to open your site to security risks. For instance, a couple years ago we had a hacker use a vulnerability in an installed plugin to introduce a root kit on our server. From then on we’ve been very careful about the plugins installed on our clients WordPress websites.
Keep WordPress and Plugins Updated
As hackers find vulnerabilities, WordPress and plugin developers are plugging the holes in their software. Keeping your software updated prevents hackers from using these vulnerabilities for their nastiness.
Install Wordfence Plugin
The Wordfence plugin is essential for WordPress security. It serves several important purposes. Here are a list of features we rely on to keep our WordPress sites secure.
- It scans the WordPress site every day looking for malware, either in the form of new or modified files and sends a notification if something if malware is found.
- It prevents hackers from attempting to figure out the admin user login.
- It adds an .htaccess file in the /wp-content/uploads directory to prevent files from being executable.
- It immediately notifies us of new versions of WordPress and installed plugins.
.htaccess File in the Uploads Directory
Wordfence is configured it adds an .htaccess file to the /wp-content/uploads directory. We add some extra code to the .htaccess file, just in case. This extra code may be redundant, but it makes us feel better.
# Make sure mod_rewrite is running <Files ^(*.php|*.phps)> order deny,allow deny from all </Files>
# Make sure mod_rewrite is running RewriteEngine On
# Disable scripts RewriteRule !^(?:[^.]+\.(?:jpe?g|png|gif)|php\.ini)$ - [H=cgi-script,NC,L]
All of our WordPress installations are entirely owned by different “client” users and a corresponding client group. For instance, if our client is ACME Enterprises, then we’d CHOWN acme:acme for the entire document root directory, except the /wp-content/uploads directory. This /wp-content/uploads directory is owned by the apache user. In addition, the entire document root is CHMOD -R 755(drwxr-xr-x for directories and -rwxr-xr-x for files). This prevents unauthorized users from modifying php files anywhere except the uploads directory. Having PHP files uploaded to the uploads directory is a problem that we handle with the .htaccess file.
Scan the server with MalDetect and ClamAV
We have MalDetect and ClamAV run every night looking for malware files. When a file is found, it is quarantined. Once a week, quarantined files are automatically deleted from the server.
WordPress security is a serious issue. Wordpress powers about 25% of all websites on the internet. It makes it a popular target for hackers. If your WordPress site is not protected from hackers, it can cause serious problems to your business.