Correct setup to block file modifications from hackers
If you have SSH access and WP-CLI is installed you can try running wp core verify-checksums to see if any Core files have been modified.
The web installer writes configuration data into that file. It needs write access for that. I don’t think this was your backdoor. There was probably a plugin or an old theme with timthumb that had a vulnerability.
Check permissions on all WP folders. Check the htaccess file. Delete any unknown files throughout your hosting area. (Carefully.) Change all of your hosting passwords (including FTP accounts; delete any you don’t know). Strong passwords! Reinstall WP (from your admin – Dashboard, Updates). Reinstall all themes (deactivate, uninstall, reinstall, reactivate). Same for plugins (although header.php … Read more
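The two answers above (the wp core verify-checksums suggestion and the "check permissions, delete unknown files" cleanup list) describe a post-compromise audit. The script below is an added example, not code from the original page or from WP-CLI: it rebuilds the same idea for any directory tree that wp core verify-checksums does for core alone (a baseline manifest of file hashes, then a comparison that reports modified, missing and added files), and adds the two permission checks the cleanup answer asks for (world-writable paths and PHP files under wp-content/uploads). The miniature site layout, the file contents and the simulated compromise are constructed for the demo; the function names are this example's own. It assumes a POSIX sh with find, sort, comm and either sha256sum or shasum.

```shell
#!/bin/sh
# Constructed audit of a WordPress tree (added example, not from the page or WP-CLI).

# Print the SHA-256 of one file; prefer sha256sum, fall back to shasum (macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write a baseline manifest "hash<TAB>relative-path" for every regular file under $1.
# Take this right after a clean reinstall, and keep it off the web host.
write_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r wm_f; do
        printf '%s\t%s\n' "$(hash_file "$wm_f")" "${wm_f#./}"
    done ) > "$2"
}

# Compare tree $1 against manifest $2. Prints MODIFIED/MISSING/ADDED lines,
# returns 0 when the tree matches the baseline and 1 otherwise.
verify_manifest() {
    vm_root=$1; vm_manifest=$2; vm_status=0
    vm_tab=$(printf '\t')
    while IFS="$vm_tab" read -r vm_hash vm_rel; do
        if [ ! -f "$vm_root/$vm_rel" ]; then
            echo "MISSING  $vm_rel"; vm_status=1
        elif [ "$(hash_file "$vm_root/$vm_rel")" != "$vm_hash" ]; then
            echo "MODIFIED $vm_rel"; vm_status=1
        fi
    done < "$vm_manifest"
    # Files present now but absent from the baseline: this is where dropped webshells show up.
    vm_tmp=$(mktemp)
    cut -f2 "$vm_manifest" | LC_ALL=C sort > "$vm_tmp"
    vm_added=$( ( cd "$vm_root" && find . -type f ) | sed 's#^\./##' | LC_ALL=C sort | comm -13 "$vm_tmp" - )
    rm -f "$vm_tmp"
    if [ -n "$vm_added" ]; then
        printf '%s\n' "$vm_added" | sed 's/^/ADDED    /'
        vm_status=1
    fi
    return $vm_status
}

# World-writable files and directories under $1 (the "chmod 777" problem). -perm -002 is POSIX.
find_world_writable() {
    find "$1" -perm -002 ! -type l
}

# PHP under wp-content/uploads is almost never legitimate; uploads should hold media only.
find_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Files changed in the last $2 days. Useful triage, but attackers can reset mtime,
# so the manifest comparison above is the check to trust.
find_recently_modified() {
    find "$1" -type f -mtime -"$2"
}

# Constructed fixture: a miniature WordPress-like layout, not a real install.
build_fixture() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads/2024/01" "$1/wp-content/plugins/hello"
    printf '<?php // core file\n'   > "$1/wp-includes/version.php"
    printf '<?php // plugin file\n' > "$1/wp-content/plugins/hello/hello.php"
    printf 'PNGDATA\n'              > "$1/wp-content/uploads/2024/01/logo.png"
}

demo() {
    d_work=$(mktemp -d)
    build_fixture "$d_work/site"
    write_manifest "$d_work/site" "$d_work/baseline.tsv"
    echo "== clean tree =="
    verify_manifest "$d_work/site" "$d_work/baseline.tsv" && echo "baseline verified"
    # Simulated compromise: core file appended to, webshell dropped in uploads, directory left 777.
    printf '<?php eval($_POST["c"]);\n' >> "$d_work/site/wp-includes/version.php"
    printf '<?php system($_GET["c"]);\n'  > "$d_work/site/wp-content/uploads/2024/01/x.php"
    chmod 777 "$d_work/site/wp-content/uploads"
    echo "== after simulated compromise =="
    verify_manifest "$d_work/site" "$d_work/baseline.tsv" || echo "integrity check FAILED"
    echo "-- php under uploads:";  find_php_in_uploads "$d_work/site"
    echo "-- world-writable:";     find_world_writable "$d_work/site"
    rm -rf "$d_work"
}

demo
```

The manifest approach covers themes, plugins and wp-config.php, which wp core verify-checksums does not look at; the catch is that it only helps if the baseline was taken from a tree you trust and stored somewhere the web server cannot write, so rebuild it after the reinstall the answer describes, not before.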
There is no “WordPress Firewall”. A firewall acts either on the network or on the host, never at a later stage such as a specific piece of software running on a server. Everything that claims to be a firewall specific to WordPress is a scam. See the linked Wikipedia article for the details.
I recommend these basic things: Never touch core files! Always update core and plugins. Use strong passwords. Don’t use abandoned plugins or themes. Use a well-maintained security plugin (like Wordfence?). Of course you can use more security tools and settings for the server, e.g., but this should be the basics. Maybe there are more things to … Read more
Figured this out after finding this page: http://www.0to5blog.com/tips/protecting-wordpress-media-uploads-unless-user-is-logged-in/ That page contains the instructions I was looking for, exactly! I tweaked the dl-file.php code slightly to meet my needs: if ( !current_user_can( 'read_private_posts' ) || !is_user_logged_in() ) {
WordPress “out of the box” is not GDPR compliant. Even putting aside the integration with non-compliant services like Akismet and Gravatar, just storing comments will probably require giving users the ability to delete them, but there is no real way to identify which users created which comment, as comment authors are never verified. … Read more
You have to sanitize or escape the data based on the type and application of the data. Like below: $title = sanitize_text_field( $_POST['title'] ); update_post_meta( $post->ID, 'title', $title ); It’s quite a huge topic. You’d better read this: Validating, Sanitizing and Escaping User Data.
My original comment: Is chmod 777 a good idea? If it’s not absolutely necessary (which, if your server’s users and groups are properly configured, it usually isn’t), then avoid it. Is it as terrible as the “OMG you’re gonna get hacked any second now” disaster everyone makes it out to be? Not quite, but again … Read more
It turns out that the shared server I have at Network Solutions is forcing HSTS through their service. And since it’s a shared hosting server, they refuse to change it. The solution: I purchased a Wildcard certificate, and installed it on multiple servers for each subdomain.