About Keeping WordPress Secure

What are the permissions on the server?

Is it shared hosting?

Have you noticed any users with high authority?

Is your password secure and the passwords of anybody else with high authority– administrator, editor, etc?

My folders are 755 and files are 644. Yes, it’s shared hosting but I keep hearing it’s something I’m doing or not doing that’s causing the problem. I’ve been dealing with the same host for several years and for the most part, it’s been uneventful. This hacking started in April this year and has been driving me crazy since then. There is only one user and that’s me. Also, I’ve changed my passwords over and over again. It’s started to get confusing.

I maintain it’s from their end – perhaps an insecure domain on the same server. Be damned if I know. Trouble is, I’ve just renewed for two years. If I’m going to change I’ll have to wait, won’t I?

You need to figure out the hacker is getting in. This could be tough. On shared hosting a vulnerability on any of the hosted sites can, under the right circumstances, give the hacker access to some or all of the other sites.

Have you completely re-installed since this started?

What are the symptoms of a ‘hack’ at your site? What happens?

Meanwhile… FAQ: My Site Was Hacked

A bunch of times. I’m getting pretty good at this.

You have re-installed from a clean WordPress download, clean plugins, and clean theme?

What are the symptoms of a ‘hack’ at your site? What happens?

Do you have access to something like PhpMyAdmin? If so, have you looked in the database directly for users that might be hidden?

Meanwhile… FAQ: My Site Was Hacked

All of the above.

I’ve had a number of ways that I know it’s hacked. First of all, when I type in my website they tell me. You’ve been hacked, instead of my home page. Of course, that also affects my sub-domains and my add-on domains. The last couple of times, that did not happen. I just had my main site affected. But, my main site is the most important one.

There was an instance when I checked phpmyadmin and I saw a foreign email address and password and username. I quickly fixed that.

It’s just that it’s annoying beyond belief.

I don’t think I can help you anymore remotely like this. Have you thought about hiring someone to do a thorough audit of your site? Look to the bottom of the page for “WP Jobs”. Either your site has a big hole in it or your host does, and I don’t think I am going to be able to tell you which, but you really do need to find out.

I know. Thanks anyway.

I maintain it’s from their end – perhaps an insecure domain on the same server. Be damned if I know. Trouble is, I’ve just renewed for two years. If I’m going to change I’ll have to wait, won’t I?

You have renewed the domain name. You can change the name servers at any time (i.e. the web host). You need not have to wait for 2 years. Understand the thing : domain name and server are separate things. You can use from same or different provider.

For example, you opted for Rackspace Cloud, if you change the name server set, typing your domain name will point towards Rackspace Cloud’s specific folder. Its called DNS propagation. I am not sure if you are asking about whether it will take time.

@abhishek Ghosh, If it is on their end, she needs to change hosts. When she said that she had renewed I assumed that she meant she had renewed a hosting contract, not her domain name.

@erikacon, while I can’t make any promises, this hacking problem should give you some leverage with your host. Also, you might be able to get out of this the same way I got out of the dorms in college– annoy the powers that be so much they let you go. ??

You are right s_ha_dum, I forgot the fact that Shared usually charges for one year or more.

What I meant was, I have paid for another 2 years of hosting. I don’t want to lose that money. Besides, how do I know the next one will be any better?

You have done something wrong with .htaccess. The posts, categories, tags and pages are throwing 404 –

https://www.webpagetest.org/result/120703_FT_X1Q/

The Rackspace Cloud, MediaTemplate or Amazon will not keep a security flaw. This is very frank answer.

I should have checked it. It’s true, I read on this site about bullet proofing wordpress. One of the things suggested was moving .htaccess one directory above to wp-includes.

I’ll move it back into the root right now.

Create one .htaccess for each folder and make the permissions accordingly.

There are among quite vulnerable files :

./wp-admin/install.php
./wp-config.php
./readme.html

These are risky as if the server is updating their softwares (or rather PHP is not running), these files can be read on browser like text files.

Protect with these at .htaccess of the root :

# prevent browsing of readme file
<files readme.html>
order allow,deny
deny from all
</files>

# prevent editing htacess itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

# prevent viewing of install file
<files install.php>
order allow,deny
deny from all
</files>

In wp-admin, the .htaccess must have these :

<FilesMatch “^(install\.php|example\.php|example2\.php|example3\.php)”>
Order allow,deny
Deny from all
#Allow from 88.77.66.55
</FilesMatch>

There is a naughty trick to prevent login – simply rename wp-login.php from FTP when you need not to login. After login, again rename it (unless you are logging out, this file is not needed). You can read the article of perishablepress.com for more tricks.

# is used for commenting out (the code will not work) in .htaccess.