I have dealt with a couple of different situations where a user's WordPress site has been hacked. I understand there are a number of factors that can play into this, but I am curious about what you do during your installation process to keep your WordPress install secure.
I subscribe to the Digging into WordPress way, where you install in a separate directory other than the root. What about you?
I cannot say for sure that these sites were hacked because of something that I did, but I would like to make sure that I am doing what I can to protect each site I set up.
I had a situation recently where someone gained access to several critical files in the wp-includes directory through a thumbnail function (timthumb) within a slider that was installed with a security hole. They didn't have any real lasting or good control over anything, but they were able to insert malicious code into a few of the files.
Never overlook the basics that aren't specific to WordPress:
Use SFTP over FTP where possible
Never share passwords
Don't use your root database account for your site (create a specific account for each application)
Keep your applications and plugins up to date
If you're hosting yourself, be sure to harden your web server and keep up to date with patches
Can you explain a little more what you mean about the root database account?
The last item is the main reason I decided hosting wasn't something we'll do. There are far more talented people than I who have a greater passion for web security :)
The root account is the default account for most SQL databases and would have full permissions. Create individual SQL user accounts for each installation and give each one the minimum rights it needs.
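As an added example of what that advice looks like in practice (this is not code from the poster above, and the database name, account name and password are placeholders to be replaced), here is the MySQL/MariaDB setup for one WordPress site: one schema per site, one account per site bound to localhost, and only the privileges WordPress needs inside that schema.

```sql
-- Weak setting: a quick install that points wp-config.php at the root account,
--   define('DB_USER', 'root');
-- gives any SQL injection in a plugin full control of every database on the server,
-- plus global privileges such as FILE (write files on the DB host) and SUPER.

-- Hardened setting: one schema and one account per site.
-- 'site1_wp' and the password below are placeholders (assumed names for this example).
CREATE DATABASE site1_wp CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- Bind the account to localhost so the credentials in wp-config.php are useless
-- from any other host, even if they leak.
CREATE USER 'site1_wp'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-passphrase';

-- WordPress core and plugins create and alter tables during install and upgrade,
-- so it needs DDL rights on its own schema. It does NOT need anything outside
-- site1_wp.*, and it does not need GRANT OPTION, FILE, PROCESS or SUPER.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
    ON site1_wp.* TO 'site1_wp'@'localhost';

-- Some backup plugins also want these two; add them only if a plugin actually fails without them.
-- GRANT CREATE TEMPORARY TABLES, LOCK TABLES ON site1_wp.* TO 'site1_wp'@'localhost';

FLUSH PRIVILEGES;

-- Check 1: the grants should mention only site1_wp.* and USAGE, nothing ON *.*.
SHOW GRANTS FOR 'site1_wp'@'localhost';

-- Check 2: make sure root is not reachable from the web tier and that no
-- leftover "wordpress" style accounts have global privileges.
SELECT user, host FROM mysql.user WHERE user = 'root';
SELECT user, host FROM mysql.user WHERE File_priv = 'Y' OR Super_priv = 'Y';

-- Then in wp-config.php for this site:
--   define('DB_NAME', 'site1_wp');
--   define('DB_USER', 'site1_wp');
--   define('DB_HOST', 'localhost');
```

The second check matters because the FILE privilege is what turns a SQL injection into a webshell (SELECT ... INTO OUTFILE under the document root); a per-site account created as above never has it, but an old account copied from another install might.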
Another plus 1 for "website defender". Also, I lock down my admin root with a .htaccess that only allows me to log in from certain IP addresses. I'm also running a "stop bad queries" script in my plugins folder.
http://seanfisher.co/2011/01/lockdown-wp-admin/
http://www.websitedefender.com/secure-wordpress-plugin/