Correct setup to block file modifications from hackers
If you have SSH access and WP-CLI is installed you can try running wp core verify-checksums to see if any Core files have been modified.
If you have SSH access and WP-CLI is installed you can try running wp core verify-checksums to see if any Core files have been modified.
Codex recommends adding HTTP authentication as additional layer of protection. Strictly speaking it doesn’t rely on WP and keeping things independent is not a bad idea in context of security.
Read here about _moz_dirty (Using Google would have given you the same answer – 2nd Result for “_moz_dirty”). Regarding html-stuff: You’re offering the ability to add links…
The web installer writes configuration data into that file. It needs write access for that. I don’t think this was your backdoor. There was probably a plugin or an old theme with timthumb that had a vulnerability.
The best way to understand wordpress is to work with it and then use the WordPress CODEX to understand core functions. That said there are a few tools that many WordPress Developers use: A code editor with search and find functionality that will traverse all the files in your installation. I use Coda. Almost any … Read more
Well to say that these custom fields are insecure in the wp core tables is to say that the usernames and passwords are also insecure, along with any private or password protected posts. As long as you are not outputting these custom fields anywhere but a secure page for logged in, paid up users, no … Read more
Nice job recovering your password, however, the exploit probably still exists so you might get hacked again. Your next step is to find and seal up the security hole. It could be a plugin. It could be a theme. Download and run the Sucuri plugin to help you figure it out.
Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don’t know). Strong passwords! Reinstall WP (from your admin – Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php … Read more
I like the WPScan Vulnerability Database. Only the security updates are shown. If you check that page every day with the Update Scanner addon in firefox, when you open the browser you get the updates, if any. You have also an email alert subscription option (I’ve not used it)
There is no “WordPress Firewall”. A firewall acts either on the network or on the host, never on a later stage such as a specific software running on a server. Everything that claims to be a firewall specific for WordPress is a scam. See the linked Wikipedia article for the details.