Best Practice: Securing WordPress Installation

Comments

3 comments

  • Infopro
    Lots of great tips here: Hardening WordPress - Wordpress Support. CXS can scan for out of date scripts: ConfigServer eXploit Scanner. Softaculous, if you use it, has many tools for helping here as well: Softaculous Auto Installer.
    0
  • brianoz
    The Wordfence plugin is a big help as it filters quite a few attack attempts and can find and remove most hacked files. Auto update, even on plugins, is also a good idea for smaller sites. If you do that, you should set up some form of auto-backup as well, so you're covered if the site destroys itself. (The risk of self-destruction is many times smaller than the risk of being hacked!) There's a plugin called "Advanced Auto Updater" which helps with plugin auto-update. Also, the most important thing is to never install dodgy plugins and themes. Look for many reviews, high star rating (with a reasonable number of reviewers!! i.e. 100s), reasonable doco, reasonable update history etc. Most "WordPress" hacks are through poorly written and thus insecure plugins - there is little or no quality control. If people install cr*p on their sites, they shouldn't be shocked that they get hacked.
    0
  • LasseTK
    Thank you both for the excellent input. It is very much appreciated and definitely something that we will look into :-)
    0