
How do you secure your WordPress installation?

    # February 22, 2012 at 9:00 pm

    I have dealt with a couple of different situations where a user's WordPress site has been hacked. I understand there are a number of factors that can play into this, but I am curious about what you do during your installation process to keep your WordPress install secure.

    I subscribe to the Digging into WordPress way, where you install in a separate directory other than the root. What about you?

    I cannot say for sure that these sites were hacked because of something that I did, but I would like to make sure that I am doing what I can to protect each site I set up.

    # March 1, 2012 at 6:45 pm

    One plugin I now use is:

    I had a situation recently where someone gained access to several critical files in the wp-includes directory through a thumbnail function (TimThumb) within a slider that was installed with a security hole. They didn't have any real lasting or good control over anything, but they were able to insert malicious code into a few of the files.

    # March 1, 2012 at 6:50 pm

    Never overlook the basics that aren't specific to WordPress:

    Use SFTP over FTP where possible
    Never share passwords
    Don’t use your root database account for your site (create a specific account for each application)
    Keep your applications and plugins up to date

    If you're hosting yourself, be sure to harden your web server and keep up to date with patches.

    # March 2, 2012 at 2:07 am

    Can you explain a little more what you mean about the root database account?

    The last item is the main reason I decided hosting wasn’t something we’ll do. There are far more talented people than I who have a greater passion for web security :)

    # March 2, 2012 at 2:32 am

    @JoshWhite Put WordPress in its own folder, rather than the root.

    # March 2, 2012 at 4:15 am

    The root account is the default account for most SQL databases and would have full permissions. Create individual SQL user accounts for each installation and give each one the minimum rights it needs.
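As an added example (not from any poster in this thread), here is what the advice above looks like on MySQL or MariaDB: one database and one account per WordPress install, scoped to that database only. The database name, account name and password are placeholders, and the privilege list is an assumption based on what WordPress core and most plugins need to create and alter their own tables; adjust it for your installation.

```sql
-- Weak setup: wp-config.php pointing at the superuser.
-- Anything that compromises the site (a vulnerable plugin, say) can then
-- read or destroy every database on the server.
--   define('DB_USER', 'root');

-- Hardened setup: one database and one account per WordPress install.
-- Placeholder names and password; change them for your site.
CREATE DATABASE wp_site1 CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- Bind the account to localhost so the credentials are useless from
-- another host if wp-config.php ever leaks.
CREATE USER 'wp_site1'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';

-- Only the privileges WordPress actually uses, and only on its own database.
-- Assumption: core updates and plugin/theme installs need to create, alter,
-- index and drop their own tables. No FILE, PROCESS, SUPER or GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
    ON wp_site1.* TO 'wp_site1'@'localhost';

-- Backup tools such as mysqldump also want LOCK TABLES; add it only if needed.
-- GRANT LOCK TABLES ON wp_site1.* TO 'wp_site1'@'localhost';

FLUSH PRIVILEGES;

-- Check the result: the grant should be scoped to wp_site1.*, never *.*
SHOW GRANTS FOR 'wp_site1'@'localhost';

-- A second site gets its own database and its own account:
-- CREATE DATABASE wp_site2 ...; CREATE USER 'wp_site2'@'localhost' ...;
-- GRANT ... ON wp_site2.* TO 'wp_site2'@'localhost';

-- Then in that site's wp-config.php:
--   define('DB_NAME',     'wp_site1');
--   define('DB_USER',     'wp_site1');
--   define('DB_PASSWORD', 'replace-with-a-long-random-password');
--   define('DB_HOST',     'localhost');
```

Two checks worth running afterwards: log in as the new account and confirm that `SELECT * FROM mysql.user;` and `SHOW DATABASES;` reveal nothing beyond its own database, and run a core or plugin update on a staging copy, since an account missing CREATE or ALTER will make updates that add or change tables fail.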

    # March 2, 2012 at 5:30 am

    I use Vaultpress. Sure, it’s $15 a month, but for secure and reliable backups of absolutely everything it’s a small price to pay.

    # March 2, 2012 at 10:05 am

    Another plus 1 for “website defender”. Also I lock down my admin root with a .htaccess that only allows me to log in from certain IP addresses. Also running a “stop” bad queries script in my plugins folder.

    # March 4, 2012 at 3:37 pm

    Thank you for the feedback everyone, there are a lot of good options here!
