There are heaps of tutorials explaining how to secure a WordPress installation, but I couldn’t find any that listed out steps for weekly or monthly security checks. What are some steps that you recommend I perform on a regular basis to keep WordPress secure (besides updating core and plugins)?

Here are some things I’ve implemented already:

  • Forced all other users to only run as Editor
  • Deleted unused themes and plugins
  • My theme is custom written, so I know that there aren’t any scripts like timthumb.php in it. It’s also powered by Genesis which features automatic theme updates.
  • Change my admin password every few months
  • Automatic backups with VaultPress

The main reason why I’m concerned is because my client’s hosting provider is not very WordPress friendly and I have to run with 777 permissions. However my client is the only site on the box.

Anything else I should be doing regularly to make sure the site is locked down? Thanks


First: Remove those 777 permissions. You need this only in cases with conflicting ownership. Try to run PHP as FastCGI – for example via .htaccess:

AddHandler php-cgi .php
# or
AddHandler php-fastcgi .php

Set up a notification mail for every 404 request. You will be surprised how many attacks the average blog gets each day. Wait … I just published my 404 notifier on GitHub:

Plugin T5 404 Tools repository · Download latest version

Also, install a plugin to prevent password guessing. I use Login LockDown with a lockout length of 45000 minutes.

Read your log files regularly. There is no better way to get all critical information.

There are also plugins which check all files for changes. I had only problems with those: slow, a lot of misleading information, just too much noise. But if your site doesn’t have that many files it may be an option. Test it.

Update

One note about file permissions: Usually you don’t want anybody to send DELETE or PUT requests to your site, especially when something is set to 777. 😉
To restrict the allowed request methods to HEAD, GET and POST, add this to your .htaccess:

<LimitExcept HEAD GET POST>
order deny,allow
deny from all
</LimitExcept>
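
As an added example (not code from the answer above, and not part of the T5 404 Tools plugin or of Login LockDown), here is a small Python script for the regular log review the answer recommends. It ties together three of the answer's points in one pass over the access log: it flags clients that produce many 404s (the probing the 404 notifier would mail you about), clients that repeatedly POST to the login endpoint (the password guessing a lockout plugin blocks), and any request whose method is not HEAD, GET or POST (what the `<LimitExcept>` block refuses). It assumes the host writes Apache "combined" log format (nginx's default looks the same); the embedded log lines are constructed for illustration and use RFC 5737 documentation addresses, and the `xmlrpc.php` entry in `LOGIN_PATHS` is an addition beyond the answer's text.

```python
"""Regular WordPress access-log review (added example, not from the answer above).

Reads Apache/nginx combined-format lines and reports the three things the
answer says to watch: 404 bursts per client, repeated POSTs to the login
endpoint, and requests using a method other than HEAD/GET/POST.
"""
import re
import sys
from collections import Counter

# Apache "combined" log format. Assumption: the host writes this format;
# adjust LOG_RE if the referrer/user-agent layout differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The methods the answer's <LimitExcept> block leaves open. Anything else
# should have been refused by Apache and is worth a look in the log.
ALLOWED_METHODS = frozenset({"HEAD", "GET", "POST"})

# Endpoints that accept credentials. xmlrpc.php is an assumption beyond the
# answer (it also takes a username/password).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def review_log(lines, not_found_threshold=5, login_threshold=5):
    """Summarise a log: clients with >= not_found_threshold 404s, clients with
    >= login_threshold login POSTs, and every request with a disallowed method."""
    not_found = Counter()
    login_posts = Counter()
    bad_methods = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1  # non-empty line we could not parse: worth knowing
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            login_posts[rec["ip"]] += 1
        if rec["method"] not in ALLOWED_METHODS:
            bad_methods.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return {
        "not_found": {ip: n for ip, n in not_found.items() if n >= not_found_threshold},
        "login_guessing": {ip: n for ip, n in login_posts.items() if n >= login_threshold},
        "bad_methods": bad_methods,
        "unparsed": unparsed,
    }


# Constructed sample log (RFC 5737 addresses); a real run reads a file instead.
SAMPLE_LOG = """\
192.0.2.9 - - [10/Mar/2012:08:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2012:08:01:03 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2012:08:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:08:02:10 +0000] "GET /wp-content/themes/twentyten/timthumb.php HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [10/Mar/2012:08:02:11 +0000] "GET /wp-content/themes/twentyeleven/timthumb.php HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [10/Mar/2012:08:02:12 +0000] "GET /wp-content/plugins/old-plugin/readme.txt HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [10/Mar/2012:08:02:13 +0000] "GET /old/wp-login.php HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [10/Mar/2012:08:02:14 +0000] "GET /blog/wp-login.php HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [10/Mar/2012:08:02:15 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [10/Mar/2012:08:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3402 "-" "-"
198.51.100.7 - - [10/Mar/2012:08:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3402 "-" "-"
198.51.100.7 - - [10/Mar/2012:08:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3402 "-" "-"
198.51.100.7 - - [10/Mar/2012:08:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3402 "-" "-"
198.51.100.7 - - [10/Mar/2012:08:05:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3402 "-" "-"
198.51.100.7 - - [10/Mar/2012:08:05:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3402 "-" "-"
198.51.100.7 - - [10/Mar/2012:08:05:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3402 "-" "-"
192.0.2.9 - - [10/Mar/2012:08:09:00 +0000] "PUT /wp-content/uploads/2012/03/photo.jpg HTTP/1.1" 403 199 "-" "-"
192.0.2.9 - - [10/Mar/2012:08:09:01 +0000] "DELETE /wp-content/uploads/2012/03/photo.jpg HTTP/1.1" 403 199 "-" "-"
this line is not a log record
"""


def report(summary):
    """Render review_log() output as plain text for a weekly mail or ticket."""
    out = []
    for ip, n in sorted(summary["not_found"].items(), key=lambda kv: -kv[1]):
        out.append(f"404 burst: {ip} ({n} misses)")
    for ip, n in sorted(summary["login_guessing"].items(), key=lambda kv: -kv[1]):
        out.append(f"login guessing: {ip} ({n} POSTs to login endpoint)")
    for ip, method, path, status in summary["bad_methods"]:
        out.append(f"disallowed method: {ip} {method} {path} -> {status}")
    if summary["unparsed"]:
        out.append(f"{summary['unparsed']} line(s) did not parse")
    return "\n".join(out) if out else "nothing to report"


if __name__ == "__main__":
    # Usage: python review_log.py /path/to/access.log  (no argument: built-in sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(review_log(fh)))
    else:
        print(report(review_log(SAMPLE_LOG.splitlines())))
```

Run it weekly over the rotated log (or pipe `zcat access.log.*.gz` into a temporary file first). The thresholds are deliberately low for the sample; on a real site set them from a quiet week's numbers so the report stays short enough that you actually read it, which is the whole point of the "read your log files" advice.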
