I have been using vps hosting for a while now, where my own and my friends' self-written websites are hosted, without any CMS.
The story begins with my desire to have a blog, so I quickly chose Wordpress as it seemed familiar and some friends had recommended it.
I set up Wordpress right away, adding only a flipping pictures plugin, a Yandex linking plugin, and a caching plugin. To combat spam, I also installed a plugin called akismet or something similar, which was included with Wordpress.
Unfortunately, a terrible incident occurred when my website was hacked. A modx file called it.php was inserted into the site, acting as a shell that allowed access to the server's directories, including neighboring sites and the etc folder.
My first instinct was to find an alternative to Wordpress, especially since it had always seemed unsafe to me, and this incident further confirmed my concerns.
Now, I have a couple of questions:
1. How can I secure all the files within the site folder to prevent any potential infections from spreading to neighboring sites and the system?
2. How do people successfully use Wordpress without encountering issues? I've heard that most vulnerabilities lie within plugins, but is it possible to use Wordpress without relying on them?
1. To secure the files within your site folder and prevent potential infections from spreading, here are a few steps you can take:
- Keep your server software, CMS (like WordPress), themes, and plugins up-to-date. Regularly check for updates and apply them promptly as they often contain security patches.
- Use strong and unique passwords for all your accounts, including your hosting account, FTP, and database.
- Restrict file permissions appropriately. Only give necessary read, write, and execute permissions to files and directories. Be cautious about giving overly permissive permissions.
- Implement a web application firewall (WAF) to help detect and block malicious traffic.
- Consider using secure hosting and isolating your websites from each other through techniques like virtual private servers (VPS) or containers.
- Regularly scan your website for malware and vulnerabilities using security tools or services.
- Backup your website regularly so that you can recover quickly if something goes wrong.
2. While no system is entirely immune to vulnerabilities, many people successfully use WordPress without encountering issues by following these best practices:
- Choose reliable and reputable plugins and themes from trusted sources. Prioritize those with regular updates and good reviews.
- Install only necessary plugins, removing any unused ones.
- Regularly update all installed themes and plugins to benefit from security fixes.
- Be aware of known vulnerabilities in plugins and promptly update or replace them if necessary.
- Utilize security plugins specific to WordPress, such as Sucuri, Wordfence, or iThemes Security, to add additional layers of protection.
- Enable two-factor authentication (2FA) to enhance access security.
- Leverage strong security practices at the server level, including firewalls, secure configurations, and intrusion detection systems.
3. Use a secure hosting provider: Choose a reputable hosting provider that prioritizes security measures. Look for providers that offer features like firewalls, SSL certificates, regular backups, and active monitoring.
4. Employ strong login credentials: Use strong, unique passwords for all your user accounts, including the admin account. Consider using a password manager to generate and store complex passwords securely.
5. Limit login attempts: Implement a plugin or security solution that limits the number of failed login attempts. This helps protect against brute-force attacks.
6. Disable file editing: By disabling file editing in the WordPress dashboard, you can prevent unauthorized access to critical files. This can be done by adding the following line to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
7. Secure database access: Ensure your WordPress database is secure by changing the database table prefix during installation, using a different username than "admin" for database access, and regularly backing up the database.
8. Regularly backup your website: Back up your site's files and databases on a regular basis to ensure you can restore your website in case of any compromise or data loss.
9. Monitor for suspicious activities: Set up alerts or monitoring systems to notify you of any unusual or suspicious activities on your website, such as unauthorized logins or file modifications.
10. Educate yourself about security: Stay updated on the latest security practices, vulnerabilities, and threats related to WordPress. Follow security blogs, forums, and resources to stay informed and take necessary precautions.
11. Use a reputable and secure theme: When selecting a theme for your WordPress website, choose one from a trusted source with a good reputation for security. Avoid using pirated or nulled themes, as they may contain malicious code.
12. Regularly review and remove unused plugins: Periodically review your installed plugins and remove any that are no longer needed. Unused plugins can become potential vulnerabilities if not kept up to date.
13. Enable automatic updates: Enable automatic updates for WordPress core, themes, and plugins whenever possible. This ensures you receive the latest security patches and bug fixes promptly.
14. Implement SSL/TLS encryption: Secure your website with an SSL/TLS certificate to encrypt the data transmitted between your server and users' browsers. This is especially important if you handle sensitive information like user logins or payment details.
15. Harden your wp-config.php file: Protect your wp-config.php file by moving it to a higher-level directory outside of the public_html folder. You can then update the WordPress installation to reflect this change.
16. Implement strong website access controls: Restrict access to sensitive directories and files through proper permission settings and the use of .htaccess files. Allow access only to necessary files and directories.
17. Monitor for file changes: Regularly monitor your website's files for any unauthorized modifications. Many security plugins offer file integrity monitoring features that can help detect unusual file changes.
18. Regularly scan for vulnerabilities: Use security scanning tools or plugins to regularly scan your website for known vulnerabilities and malware. This helps identify and address potential security risks.
19. Employ a content delivery network (CDN): A CDN can improve website speed and protect against certain types of attacks such as DDoS (Distributed Denial of Service) by distributing traffic across multiple servers.
20. Stay informed about security best practices: Continuously educate yourself about evolving security best practices and keep up to date with the latest news and developments in WordPress security.
Non-professionals should consider installing a free shared hosting control panel, which will allow them to manage their websites similar to professional hosting clients.
This panel not only configures the server but also ensures that clients are isolated from each other. Additionally, it is important to install the latest version of WordPress and regularly update it, taking advantage of the platform's user-friendly automation features.
1. Ensure that you can access the server only from the IP address associated with your work.
2. Configure the permissions for files and folders accurately to ensure proper access control.
3. Implement plugins designed to scan and safeguard your website. Some popular free options include Bulletproof security, Ithemes security, and Wordfence Security. For additional features and capabilities, consider the paid Swift Security Bundle. These plugins will identify vulnerabilities on your site and provide guidance on patching them. Knowledge of the Bourgeois language is encouraged to fully utilize their functionalities.
4. Regularly monitor and install updates for both the server software and the website's engine and plugins. Staying up-to-date with these updates will help maintain optimal performance and security.