guy labs

How to harden WordPress

Last week my WordPress instances were hacked. I first got an email that a new user had registered on my site (on which I had disabled user registration). Then I checked it and the user had admin rights, which was very suspicious. Two days later I got an email from my provider saying that my websites had been hacked. I needed to restore all the backups and invest a lot of time to fix everything (all the password changes etc.). And that is why I am writing this article now: to help others harden their WordPress instance so that they don't have to go through what I did.

OK, first we need to set the correct file and folder permissions. To do that, connect to your server via SSH and execute the following commands in the root of your WordPress installation folder:

These two commands set the permissions such that folders are readable and executable by everyone and only the owner can modify them (mode 755). The same is applied to files, except that no file is made executable (mode 644). If you don't have SSH access, you can also set the permissions with your FTP client. (My favorite is FileZilla.)

The next thing to do is to secure the wp-admin folder. First of all, you can enforce SSL encryption for this specific folder if your host supports it. My host supports it, but I don't want to pay that much just for SSL :wink:. Here is the official page about WordPress SSL encryption: What...
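As an added example (not the author's own commands), the following POSIX shell script applies the permission scheme just described to a whole WordPress tree and then checks the result: every directory becomes 755, every file 644, and the check function counts anything that is still world-writable or still carries an execute bit. The installation path in the usage comment is an assumption; pass the root of your own installation.

```shell
#!/bin/sh
# Added example: apply the described WordPress permission scheme.
#   directories -> 755 (rwxr-xr-x): everyone may list and traverse, only the owner may change
#   files       -> 644 (rw-r--r--): everyone may read, only the owner may write, nobody executes
# The path used in the usage comment below is an assumption.

set -eu

harden_wp_perms() {
    wp_root="$1"
    [ -d "$wp_root" ] || { echo "not a directory: $wp_root" >&2; return 1; }
    # Directories: owner rwx, group and others rx (the x bit is needed to enter them).
    find "$wp_root" -type d -exec chmod 755 {} +
    # Files: owner rw, group and others read-only; no file keeps an execute bit.
    find "$wp_root" -type f -exec chmod 644 {} +
}

# Check: count paths that are world-writable, plus files that are executable by anyone.
# Prints 0 when the tree matches the 755/644 scheme. Uses only POSIX find primaries.
count_bad_perms() {
    wp_root="$1"
    find "$wp_root" \( -perm -o=w -o \
        \( -type f \( -perm -u=x -o -perm -g=x -o -perm -o=x \) \) \) \
        | wc -l | tr -d ' '
}

# Usage (assumed path; run from a shell on the server):
#   harden_wp_perms /var/www/html/wordpress
#   count_bad_perms /var/www/html/wordpress
```

Note that "the owner can modify" only helps WordPress itself (uploads, plugin updates) if the files are owned by the user PHP runs as; if they are owned by your SFTP user instead, the web server can read but not write, which is safer but means updates must be done over FTP/SSH. Running the check function after every plugin or theme install is a quick way to catch a file that came in world-writable.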