wordpress vulnerability

[nbhadauria]

I am hosting multiple wordpress sites on centos..

And would like to know best practice to secure a wordpress site.

[falko]

First make sure you keep Wordpress and all your WP modules up to date.

Might also be a good thing to use suExec + FastCGI or suPHP instead of mod_php.

[nbhadauria]

I found some use full tips to start...

Security starts with your operating systems.

Try:

1. Make sure web server is run by non-root user such as www or apache.
2. All wordpress files are owned by root:root (use chown command).
3. Set all files permission to r--r--r-- (0444 using the chmod)
4. Set directories permission to r-xr-xr-x (0555) using the chmod command)
5. Only set read-write permission for upload directories and caching directories.
6. Turn on SELinux (assuming that you are using Linux with SELinux patches).
7. Only install limited number of wordpress plugins
8. Update and apply patches to Wordpress, operating systems, apache,php,mysql as soon as they are available.
9. Subscribe to security mailing lists.
10. Use /etc/sysctl.conf for hardening.
11. Harden other part of LAMP such as PHP and mysql too.

can i have some tips on last point Harden other part of LAMP...

[falko]

Quote:

Originally Posted by nbhadauria

1. Harden other part of LAMP such as PHP and mysql too.

can i have some tips on last point Harden other part of LAMP...

I guess this refers to using the PHP Suhosin module.

[nbhadauria]

Thanks Falko,

can you please explain what are the posible ways used to inject encrypted code in to php site.

And can we have some real time experience about kind of hacking been done on php site.