Securing Wordpress

Hello,

I have a website on an IIS server.
To secure WordPress, is it enough to write-protect the “plugins” folder and add some rules to the web.config file?
To what kind of attacks is the site still exposed?

Thanks.
Juan Rozas asked:
David Johnson, CD, MVP (Retired) commented:
Always make sure that WordPress is up to date (don't forget to update your plugins). WordPress is a complex beast and, due to its popularity, is a desirable target. You have to keep on top of it, all of the time.
Shaun Vermaak (Technical Specialist) commented:
You need to secure the server and the network it is on too.

For WordPress, use an application firewall such as WordFence.

Julian Hansen commented:
The terminology generally used is "hardening"; you can read more about it on the WordPress site here:

https://codex.wordpress.org/Hardening_WordPress

which covers the requirement quite comprehensively.

Remember there are two components to Hardening your site

a) The WordPress environment
b) But equally important the hosting environment

You can tick all the boxes for WP but still get hacked because your hosting environment is not secure.

How to harden your hosting environment is entirely dependent on the hosting environment itself.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Julian's right on.

I run a private hosting company + many new clients come to me because... as Julian said, "they've ticked all the WordPress security boxes" + still get continually hacked.

This relates to hosting environment.

Unfortunately with IIS you never really know who's on your machine doing what.

With Linux, hosting lockdown is straightforward.

With IIS (shudder), your best bet is to keep all your software up to date + if you get hacked even with your software up to date, consider switching to locked down Linux.
Juan Rozas (Author) commented:
Thanks to everyone for your answers.
Julian Hansen commented:
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
One point about WordFence.

Because this runs at the WordPress level every request has to flow through the entire LAMP Stack...

Kernel -> Apache -> PHP -> Database -> WordPress core + theme + plugins.

This is required for every request, so anytime anyone really wants to take your site down, all they have to do is flood your site with requests.

Because of the massive database burden WordFence + all other WordPress security plugins add to server resource usage...

It's way easier to take down a site running WordFence (or any other security plugin) than sites without these plugins.

That said, running this suite of software allows bad IPs to be blocked at the Kernel, so once they're blocked there's no resource drain for any future request.

All my clients require this because of the level of traffic they run.

Here's the way to do low resource security, with no manual intervention required, like clearing IP blocks when they're no longer attacking...

1) https://www.fail2ban.org/wiki/index.php/Main_Page which any sensible hosting company should be running. If they can't/won't enable this for you, switch hosting companies.

Once fail2ban is running, then install a couple of zero config plugins to stop attacks.

2) https://wordpress.org/plugins/stop-user-enumeration/

3) https://wordpress.org/plugins/wp-fail2ban/

4) Once these are installed + verified to work, you can strip out all security plugins + have near zero resource usage to block attacks.
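To make the fail2ban approach concrete, here is an added example (not code from the thread, from fail2ban or from the wp-fail2ban plugin) that replays constructed syslog lines and applies fail2ban's findtime/maxretry/bantime logic, including the automatic unban that the answer above relies on. The log line wording is assumed to be in the style of what wp-fail2ban emits; the addresses and hostname are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of wp-fail2ban's syslog output (wording assumed).
SAMPLE_LOG = """\
Jan 10 10:00:01 web1 wordpress(example.test)[123]: Authentication failure for admin from 203.0.113.5
Jan 10 10:00:03 web1 wordpress(example.test)[123]: Authentication failure for admin from 203.0.113.5
Jan 10 10:00:04 web1 wordpress(example.test)[123]: Authentication attempt for unknown user root from 203.0.113.5
Jan 10 10:00:09 web1 wordpress(example.test)[123]: Accepted password for editor from 198.51.100.7
Jan 10 10:00:10 web1 wordpress(example.test)[123]: Blocked user enumeration attempt from 203.0.113.5
Jan 10 10:20:00 web1 wordpress(example.test)[123]: Authentication failure for admin from 203.0.113.5
"""

# Lines that count as a failure (fail2ban's failregex); the source IP is captured.
FAILREGEX = re.compile(
    r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"(?:Authentication failure for \S+|Authentication attempt for unknown user \S+"
    r"|Blocked user enumeration attempt) from (?P<ip>[0-9a-fA-F.:]+)$"
)

def fail2ban_simulate(log_text, maxretry=3, findtime=600, bantime=900):
    """Replay log lines; return [(action, ip, time)] where action is 'ban' or
    'unban'. maxretry/findtime/bantime (seconds) mirror fail2ban jail settings."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside findtime
    ban_until = {}               # ip -> time the firewall block expires
    events = []
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue  # e.g. "Accepted password" never counts against an IP
        ts, ip = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["ip"]
        # Lift bans whose bantime has elapsed (fail2ban does this on a timer),
        # so blocks clear themselves with no manual intervention.
        for banned_ip, until in list(ban_until.items()):
            if ts >= until:
                del ban_until[banned_ip]
                events.append(("unban", banned_ip, until))
        if ip in ban_until:
            continue  # blocked at the kernel; in practice no further lines appear
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= maxretry:
            ban_until[ip] = ts + timedelta(seconds=bantime)
            window.clear()
            events.append(("ban", ip, ts))
    return events
```

With the defaults, the third failure from 203.0.113.5 at 10:00:04 triggers a 900-second ban, the enumeration attempt at 10:00:10 is ignored because the address is already blocked, and the ban is lifted at 10:15:04 before the 10:20:00 failure starts a fresh count.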