Securing WordPress

Juan Rozas asked:

Hello,

I have a website on an IIS server.
To secure WordPress, is it enough to write-protect the "plugins" folder and add some rules to the web.config file?
What kinds of attacks is the site still exposed to?

Thanks.
David Johnson, CD

Always make sure that WordPress is up to date (don't forget to update your plugins). WordPress is a complex beast and, due to its popularity, is a desirable target. You have to keep on top of it, all of the time.
ASKER CERTIFIED SOLUTION
Shaun Vermaak

The terminology generally used is "hardening"; you can read more about it on the WordPress site here:

https://codex.wordpress.org/Hardening_WordPress

which covers the requirement quite comprehensively.

Remember there are two components to hardening your site:

a) The WordPress environment
b) But, equally important, the hosting environment

You can tick all the boxes for WP but still get hacked because your hosting environment is not secure.

How to harden your hosting environment is entirely dependent on the hosting environment itself.
Juan Rozas (ASKER)

Thanks to everyone for your answers.
One point about WordFence.

Because this runs at the WordPress level, every request has to flow through the entire LAMP stack...

Kernel -> Apache -> PHP -> Database -> WordPress core + theme + plugins.

This is required for every request, so any time anyone really wants to take your site down, all they have to do is flood your site with requests.

Because of the massive database burden WordFence and all other WordPress security plugins add to server resource usage...

It's way easier to take down a site running WordFence (or any other security plugin) than sites without these plugins.

That said, running this suite of software allows bad IPs to be blocked at the kernel, so once they're blocked there's no resource drain for any future request.

All my clients require this because of the level of traffic they run.

Here's the way to do low resource security, with no manual intervention required, like clearing IP blocks when they're no longer attacking...

1) https://www.fail2ban.org/wiki/index.php/Main_Page which any sensible hosting company should be running. If they can't/won't enable this for you, switch hosting companies.

Once fail2ban is running, then install a couple of zero config plugins to stop attacks.

2) https://wordpress.org/plugins/stop-user-enumeration/

3) https://wordpress.org/plugins/wp-fail2ban/

4) Once these are installed + verified to work, you can strip out all security plugins + have near zero resource usage to block attacks.
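To make steps 1 to 3 concrete, here is an added example (not code from this thread, nor from the fail2ban or wp-fail2ban projects) that replays fail2ban's maxretry/findtime decision in Python over constructed syslog lines written in the style wp-fail2ban uses. The exact message wording, the `wordpress(host)` syslog tag and the year used to parse the timestamps are assumptions; the IPs are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Pattern for the syslog lines wp-fail2ban emits on failed logins and blocked user
# enumeration. Wording and the "wordpress(host)" tag are assumptions; verify them
# against the filter files shipped with your plugin version before relying on them.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"(?:Authentication failure for \S+"
    r"|Blocked authentication attempt for \S+"
    r"|Blocked user enumeration attempt)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log: one fast brute-forcer, one slow guesser, one enumeration probe.
SAMPLE_LOG = """\
Dec 10 13:10:21 web1 wordpress(example.com)[2231]: Authentication failure for admin from 203.0.113.5
Dec 10 13:10:24 web1 wordpress(example.com)[2231]: Authentication failure for admin from 203.0.113.5
Dec 10 13:10:30 web1 wordpress(example.com)[2231]: Blocked user enumeration attempt from 198.51.100.7
Dec 10 13:11:02 web1 wordpress(example.com)[2231]: Authentication failure for editor from 203.0.113.5
Dec 10 13:12:00 web1 wordpress(example.com)[2231]: Accepted password for admin from 203.0.113.8
Dec 10 13:40:00 web1 wordpress(example.com)[2231]: Authentication failure for admin from 192.0.2.9
Dec 10 13:55:00 web1 wordpress(example.com)[2231]: Authentication failure for admin from 192.0.2.9
Dec 10 14:10:00 web1 wordpress(example.com)[2231]: Authentication failure for admin from 192.0.2.9
"""


def find_bans(lines, maxretry=3, findtime=600, year=2023):
    """Ban an IP once it logs `maxretry` failures inside any `findtime`-second window."""
    recent = defaultdict(deque)   # per-IP failure timestamps still inside the window
    bans = {}                     # ip -> datetime at which fail2ban would ban it
    for line in lines:
        m = FAILURE_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        ip = m.group("ip")
        if ip in bans:
            continue              # already banned; the firewall drops further packets
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # slide the window: old failures no longer count
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when.isoformat()}")
```

With the defaults only the fast brute-forcer is banned; the slow guesser spaces its attempts 15 minutes apart and stays under a 600-second findtime, which is why a longer findtime (or a lower maxretry in a "hard" jail) is worth considering for login endpoints.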