I’ve been a small-time user of WordPress for… probably 12 years or so. I’ve had friends and colleagues go “full-on” into the WordPress world, but it’s never quite felt like my cup of tea. A bit too much magic, too many hard-to-determine steps, etc. Not horrible, but not my favorite tool. That said, for blogging directly, it’s great.
However, I’ve had friends and clients that use it as the basis for everything. And… they get hacked. Often. I see a dozen or more ‘hacked’ WordPress installs a year, and by ‘see’ I mean someone’s asked me to help take a look and fix it. *ALMOST* always, the final culprit was a malicious file written to the server’s drive, or an existing file overwritten with malicious code, and the WordPress install was spewing out bad stuff (SEO spam, redirects to porn/gambling, web shells used to trigger spam emails, etc).
There have been numerous attempts to prevent these attacks, or, in some cases, to make “cleanup” easier. But in no case I can think of does any service focus on locking down the actual files first, making them unwritable. This is, in my view, the biggest bang for the buck – prevent writing in the first place, and the majority of exploits will be averted. You may still have other exploits (XSS, SQL injection, etc) – of course. But stopping people writing to your drive *before* it happens should be a bigger priority, and it seems to be overlooked.
Welcome LockDownWP
This is a plugin I’ve put together to help make this easier for people who aren’t server admins. The focus is pretty simple – make all files unwritable, until you need to write to them. Press a button, make your files writable for, say, 10 minutes, get your file changes done, then lock things down again.
Is this foolproof? Of course not – you’ll still need to keep the system up to date to prevent other exploits, but I can say that since I’ve been using this technique, I’ve not had any malicious code injected on any servers I manage (and, before I took this approach, it was a … not-uncommon thing I was dealing with).
There’s more on the way for this – it’s still a beta version at this point, but I’d love any feedback you have on the plugin, or ideas you’d like to see.
Take a look at LockDownWP