wordpress vulnerability

Discussion in 'Suggest HOWTO' started by nbhadauria, Nov 14, 2011.

  1. nbhadauria

    nbhadauria New Member

    I am hosting multiple wordpress sites on centos..

    And would like to know best practice to secure a wordpress site.
     
  2. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    First make sure you keep Wordpress and all your WP modules up to date.

    Might also be a good thing to use suExec + FastCGI or suPHP instead of mod_php.
     
  3. nbhadauria

    nbhadauria New Member

    I found some use full tips to start...

    Security starts with your operating systems.

    Try:

    1. Make sure web server is run by non-root user such as www or apache.
    2. All wordpress files are owned by root:root (use chown command).
    3. Set all files permission to r--r--r-- (0444 using the chmod)
    4. Set directories permission to r-xr-xr-x (0555) using the chmod command)
    5. Only set read-write permission for upload directories and caching directories.
    6. Turn on SELinux (assuming that you are using Linux with SELinux patches).
    7. Only install limited number of wordpress plugins
    8. Update and apply patches to Wordpress, operating systems, apache,php,mysql as soon as they are available.
    9. Subscribe to security mailing lists.
    10. Use /etc/sysctl.conf for hardening.
    11. Harden other part of LAMP such as PHP and mysql too.


    can i have some tips on last point Harden other part of LAMP...
     
  4. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    I guess this refers to using the PHP Suhosin module.
     
  5. nbhadauria

    nbhadauria New Member

    Thanks Falko,

    can you please explain what are the posible ways used to inject encrypted code in to php site.

    And can we have some real time experience about kind of hacking been done on php site.
     

Share This Page