WordPress and some security

I was recently listening to Paul’s Security Weekly episode 366: How Security Weekly got defaced, and started thinking about my own security posture around my WordPress sites. When I first created The Rats and Rogues Podcast site, I read everything I could find on WordPress security. There wasn’t much. Later, when I created this site, I still wasn’t impressed.

Most of what I did was classic Linux hardening: iptables, changing ownership, and so on. The problem is that changing ownership of the WordPress directory, while helpful and suggested by WordPress, breaks things. Because the web-server process can no longer write to the files it would need to replace, it disables the ability to update the site easily from within the dashboard, and it breaks some plugins.

Two plugins I highly recommend are Duo Security’s two-factor authentication plugin for WordPress and Attack Scanner.

Here is a script I arrived at through trial and error, called wp_maintenance. It will need some minor cleanup to work on other systems. When it comes to plugins, you will have to trial-and-error your own to see which need what ownership; I found that while some files have to be owned by the webserver user, not all of them need to be.
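The ownership split described above, as an added example that is not the post's own wp_maintenance script: a small POSIX shell helper that hands the WordPress tree to a non-web "deploy" user, gives the web-server user only the paths it genuinely has to write, locks down wp-config.php, and offers an `unlock` mode that temporarily returns the whole tree to the web-server user so dashboard updates work again before you `lock` it back down. The user names (`deploy`, `www-data`), the default docroot and the list of web-writable paths are assumptions; extend the list per plugin after testing, as the post suggests. `WP_DRY_RUN=1` prints the commands instead of running them so you can review the plan first.

```shell
#!/bin/sh
# Added example: hypothetical WordPress ownership helper, not the post's script.
# Assumed layout: code owned by a deploy user, only selected paths owned by the
# web-server user. Run as root (chown) or with WP_DRY_RUN=1 to preview.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"    # assumed docroot
WP_OWNER="${WP_OWNER:-deploy}"         # assumed non-web user that owns the code
WEB_USER="${WEB_USER:-www-data}"       # assumed web-server user (Debian-style)
# Paths the web server must write. Add plugin directories here only after
# confirming the plugin really needs write access; most do not.
WEB_WRITABLE="${WEB_WRITABLE:-wp-content/uploads wp-content/cache}"
WP_DRY_RUN="${WP_DRY_RUN:-0}"

# Execute a command, or just print it when previewing.
run() {
    if [ "$WP_DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# lock: hardened state. Code is owned by the deploy user with the web user as
# group, so PHP can read everything but write nothing except the allow-list.
wp_lock() {
    run chown -R "$WP_OWNER:$WEB_USER" "$WP_ROOT"
    run find "$WP_ROOT" -type d -exec chmod 755 {} +
    run find "$WP_ROOT" -type f -exec chmod 644 {} +
    # wp-config.php holds DB credentials: readable by owner and web group only.
    run chmod 640 "$WP_ROOT/wp-config.php"
    for p in $WEB_WRITABLE; do
        [ -e "$WP_ROOT/$p" ] || continue   # skip paths this install lacks
        run chown -R "$WEB_USER:$WEB_USER" "$WP_ROOT/$p"
    done
}

# unlock: temporarily give the web user the whole tree so in-dashboard core
# and plugin updates can write files. Run "lock" again once the update is done;
# lock re-owns anything the update created.
wp_unlock() {
    run chown -R "$WEB_USER:$WEB_USER" "$WP_ROOT"
}

wp_main() {
    case "${1:-}" in
        lock)   wp_lock ;;
        unlock) wp_unlock ;;
        *)      echo "usage: $0 lock|unlock" >&2; return 2 ;;
    esac
}

# Only dispatch when invoked with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    wp_main "$@"
fi
```

A typical update cycle is `wp_maintenance unlock`, apply the update in the dashboard, then `wp_maintenance lock`. If a plugin still fails after locking, add the specific subdirectory it writes to (not the whole plugin) to `WEB_WRITABLE` rather than loosening the entire tree.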
