• I am helping a friend who has a small computer repair shop with his website, and in recent months his site has come under repeated attack by hackers who installed a webshell to launch attacks on others. If we cannot stop this recurring, his provider will cancel his account, and we have even received a warning from the cyber crime department of our local police department.

    I have set up the site again on a freshly installed CentOS 7.6 server with a clean install of the latest version (5.1.1) of WordPress, and have taken the following measures to prevent or at least promptly detect any hacking. I would appreciate comments and further suggestions.

    1. SSH access is limited via iptables to a couple of IP addresses of those who need to have this access.
    2. The entire site directory is owned by root rather than the webserver user. Since there is normally no need to upload files, even the upload directory does not need to be writeable by the webserver.
    3. I have stored several properties of all files that make up the site in a database, and check for changes every five minutes. After any legitimate changes the database is updated. If any discrepancies are discovered (new files, changes to size, md5sum or mtime of existing files) both myself and my friend are notified.
    4. Access to wp-admin and wp-includes, as well as to phpMyAdmin, is limited, via Apache config file, to the same limited set of IP addresses as SSH access.
    5. Access to *.php files in the uploads folder is denied via a .htaccess file.

    I realize that in theory at least some of these measures are redundant; I also realize that some of them duplicate functionality that is already present in the OS (i.e. I could let SELinux take care of monitoring for file changes, but I have never wrapped my mind around SELinux so the db solution was easier).

    The server currently runs PHP 5.4 because that’s what comes with CentOS 7.6 and because we have another application that we have yet to port to/verify with PHP 7, but upgrading to PHP 7 is definitely on the to-do list. Everything else is up-to-date.

    I am not posting the site URL, since I don’t want to let anyone make the connection between this site and these preventive measures. If someone needs the URL to make constructive suggestions please pm me.

    • This topic was modified 5 years, 8 months ago by wnpaul.
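One way to implement the file-change check in measure 3 (an added example, not the poster's own script): a baseline of size, mtime and content hash per file is written to a JSON file, and a later snapshot is compared against it to list new, removed and modified files. The site tree, the baseline path and the use of SHA-256 in place of md5sum are assumptions; on the server this would run from cron every five minutes and mail any non-empty result.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def file_record(path):
    """Size, mtime and content hash of one file (the post uses md5sum; sha256 is used here)."""
    st = path.stat()
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}

def snapshot(root):
    """Map of relative path -> record for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Paths that are new, removed, or modified (size, mtime or hash differs)."""
    return {
        "new": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def save_baseline(snap, db_file):
    Path(db_file).write_text(json.dumps(snap, indent=1))

def load_baseline(db_file):
    return json.loads(Path(db_file).read_text())

def demo():
    """Constructed site tree (assumed layout): take a baseline, alter the tree, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        db = Path(tmp) / "baseline.json"
        save_baseline(snapshot(site), db)   # refreshed after every legitimate change
        # Drift: an unexpected PHP file appears under uploads and index.php is altered.
        (site / "wp-content" / "uploads" / "extra.php").write_text("<?php echo 1;\n")
        (site / "index.php").write_text("<?php /* changed */ require 'wp-blog-header.php';\n")
        return compare(load_baseline(db), snapshot(site))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```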
  • You might want to install a plugin to lock an account for a specified period of time if it has more than 3 unsuccessful logins.

    Also, I think there are some plugins that will change the default login path from wp_login.php to something different. You might also want to change the database prefix on the database to something other than wp_.
    Also, I know some people make sure that admin users are not in the first indexed position of the user database, and you might want to use nicknames for posts rather than the user's name, or at least for the admin accounts. There are some security plugins that hide the version number of the current WP installation, which appears in the source code of the site. Don’t know if any of this helped but good luck.

    If we cannot stop this recurring, his provider will cancel his account, and we have even received a warning from the cyber crime department of our local police department.

    Your provider should be trying to help you with this unless you are trying to host this on your own box and they are your connectivity provider… then it’s on you. Web hosts are a dime a dozen. Move if you want to.

    Your cyber crime department? I’d use the sitecheck from Sucuri to create a paper trail of printed results that show you are either not hacked or else you have dealt with the problem quickly and thoroughly. I’d be calling my legal counsel in the morning also. You need to know your rights and obligations in your locality.

    Another suggestion is to run CloudFlare. There’s your protection from DDOS attacks right there and you’ve isolated your origin machine from the greater internet. If CloudFlare chokes on your site and starts throwing 500 errors then get a better server.

    If you need to then upgrade your CloudFlare account to a paid account. It’s a business expense. Business expenses are deductible and either produce measurable results or else the process needs to be changed.

    I’m running Debian from my host on one project and I’m pretty sure it has PHP 5.6. I wouldn’t want to run anything less. I’m trying to figure out why your provider of the server or distro hasn’t addressed this.

    https://www.turnkeylinux.org/wordpress This distro comes with webmin, adminer, MariaDB, and other features.

    Install WordFence and iThemesSecurity together. They behave well together. Read their documents and set that up properly.

    Hacked?

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    If it’s your server getting hacked then change the server itself.

  • The topic ‘Securing WordPress against hackers’ is closed to new replies.