Correct setup to block file modifications from hackers
If you have SSH access and WP-CLI is installed you can try running wp core verify-checksums to see if any Core files have been modified.
security
Default installation permissions for wp-config.php
The web installer writes configuration data into that file. It needs write access for that. I don’t think this was your backdoor. There was probably a plugin or an old theme with timthumb that had a vulnerability.
How to stop repeated hack on header.php of custom theme? [closed]
Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don’t know). Strong passwords! Reinstall WP (from your admin – Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php … Read more
What are the different types of firewall protections available for a WordPress website?
There is no “WordPress Firewall”. A firewall acts either on the network or on the host, never on a later stage such as a specific software running on a server. Everything that claims to be a firewall specific for WordPress is a scam. See the linked Wikipedia article for the details.
Secure a WordPress website in 2019: one plugin or a combinations of them?
I recommend these basic things: Never touch core files! Always update core and plugins Use strong passwords Don’t use abondoned plugins or themes Use a well maintained security plugin (like wordfence?) Of course you can use more security tools and settings for server e.g., but this should be the basic.Maybe there are more things to … Read more
Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
Figured this out after finding this page: http://www.0to5blog.com/tips/protecting-wordpress-media-uploads-unless-user-is-logged-in/ That page contains the instructions I was looking for, exactly! I tweaked the dl-file.php code slightly to meet my needs: if ( !current_user_can( ‘read_private_posts’ ) || !is_user_logged_in() ) {
Is WordPress ready for GDPR compliance? [closed]
WordpPress “out of the box” is not GDPR complaint. Even putting aside the integration with non complaint services like akismet and gravatar, just storing comments will probably require to give users the ability to delete them, but there is no real way to identify which users created which comment as comment authors are never verified. … Read more
What is the best security $_POST method?
You have to sanitize or escape the data based on type and application of the data. Like below- $title = sanitize_text_field( $_POST[‘title’] ); update_post_meta( $post->ID, ‘title’, $title ); It’s a quite huge topic. You better read this Validating Sanitizing and Escaping User Data.
Is it a bad idea to CHMOD 777 all the files on your site?
My original comment: Is chmod 777 a good idea? if it’s not absolutely necessary (which if your server’s users and groups are properly configured it’s usually not) then avoid it. is it as terrible and the omg you’re gonna get hacked any second now disaster everyone makes it out to be? not quite, but again … Read more
FORCE_SSL_ADMIN affecting subdomains
It turns out that the shared server I have at Network Solutions is forcing HSTS through their service. And since it’s a shared hosting server, they refuse to change it. The solution: I purchased a Wildcard certificate, and installed it on multiple servers for each subdomain.