The Community Forums

Interact with an entire community of cPanel & WHM users!

Best Practice: Securing WordPress Installation

Discussion in 'Security' started by LasseTK, Sep 14, 2014.

  1. LasseTK

    LasseTK Active Member

    Joined:
    Apr 15, 2005
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    We are seeing an increase in the number of "hacked" WordPress installations. It seems that if the users are not able to keep their installations up to date at all times, they will get hacked once in a while. Most of the time the purpose seems to be to send out spam, which is annoying for everyone.

    We have been trying to fix the issue by increasing security on our end, where we use Config Server Security & Firewall, Mod Security, PHP open_basedir, Maldet, and ClamAV. This does, however, not protect us from whatever known bugs there might be in older versions of WordPress. Thus we were considering doing a daily scan for old WordPress installations and then either prompting the user to update, or perhaps somehow force-updating them.

    Is there anybody out there who has any good experience in this area? How are you securing your environment?
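    One way to implement the daily scan described above, as an added example that is not part of the original post or of any cPanel tool: walk the home directories, read `$wp_version` from each install's `wp-includes/version.php`, and list the installs that are behind a known-current version. The current version is assumed to be supplied by the administrator (for instance from the WordPress release announcement); the `4.0` in the usage line is only a placeholder value, and the `/home` path and file layout are the usual cPanel defaults, not something the post states.

```shell
#!/bin/sh
# Added example (not from the forum thread): report WordPress installs
# under a home root whose core version is older than a given version.
# Intended to run from cron; output is "<install dir> <version>" per line.

# Print the $wp_version string found in a wp-includes/version.php file.
# Anything after a hyphen (e.g. "-beta1") is dropped for comparison.
wp_version_of() {
  # $1: path to version.php
  sed -n "s/^\\\$wp_version *= *'\([^']*\)';.*/\1/p" "$1" | head -n 1 | sed 's/-.*//'
}

# Return 0 (true) when dotted version $1 is strictly lower than $2.
# Missing trailing components count as 0, so 4.0 == 4.0.0.
version_lt() {
  vl_a=$1
  vl_b=$2
  while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
    vl_ai=${vl_a%%.*}
    vl_bi=${vl_b%%.*}
    [ -z "$vl_ai" ] && vl_ai=0
    [ -z "$vl_bi" ] && vl_bi=0
    if [ "$vl_ai" -lt "$vl_bi" ]; then return 0; fi
    if [ "$vl_ai" -gt "$vl_bi" ]; then return 1; fi
    case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
    case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
  done
  return 1
}

# Find every WordPress core under $1 and print the ones older than $2.
# $1: home root (e.g. /home on a cPanel server), $2: current WordPress version
scan_outdated() {
  find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
  while IFS= read -r so_file; do
    so_ver=$(wp_version_of "$so_file")
    [ -z "$so_ver" ] && continue
    if version_lt "$so_ver" "$2"; then
      # version.php lives in <install>/wp-includes/, so strip two levels
      printf '%s %s\n' "$(dirname "$(dirname "$so_file")")" "$so_ver"
    fi
  done
}

# Run directly, e.g.: sh wp_outdated.sh /home 4.0   (4.0 is a placeholder)
# Does nothing when sourced without arguments.
if [ $# -ge 2 ]; then
  scan_outdated "$1" "$2"
fi
```

    The output can be fed to whatever notification the host prefers (an e-mail to the account owner, or a ticket), which keeps the decision to update with the customer while the host still gets a daily picture of how many installs are lagging. Sites with a replaced or missing `version.php` simply do not appear, so the list is a lower bound rather than proof that everything else is current.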
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,470
    Likes Received:
    198
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
  3. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    The Wordfence plugin is a big help as it filters quite a few attack attempts and can find and remove most hacked files.

    Auto update, even on plugins, is also a good idea for smaller sites. If you do that, you should set up some form of auto-backup as well, so you're covered if the site destroys itself. (The risk of self-destruction is many times smaller than the risk of being hacked!) There's a plugin called "Advanced Auto Updater" which helps with plugin auto-update.

    Also, the most important thing is to never install dodgy plugins and themes. Look for many reviews, a high star rating (with a reasonable number of reviewers!! i.e. 100s), reasonable doco, a reasonable update history, etc. Most "WordPress" hacks are through poorly written and thus insecure plugins - there is little or no quality control. If people install cr*p on their sites, they shouldn't be shocked that they get hacked.
     
    triantech likes this.
  4. LasseTK

    LasseTK Active Member

    Joined:
    Apr 15, 2005
    Messages:
    33
    Likes Received:
    0
    Trophy Points:
    6
    Thank you both for the excellent input. It is very much appreciated and definitely something that we will look into :)
     