Comments on: WordPress Security Lockdown

By: Scott

Scott — Sun, 08 Aug 2010 00:26:33 +0000

Hey, great article. I really appreciate all the work and effort everyone is putting into helping to make WP more secure and viable as a total web platform.

I’m learning much more about web security than I ever really wanted to. But it’s all good.

Thanks again!

By: (mt) Travis

(mt) Travis — Mon, 19 Jul 2010 14:51:24 +0000

Hey folks! Just wanted to drop in here and share the following (mt) Wiki article: Recovering from a site compromise. It's quite thorough and should provide you with all of the tools you might need.

By: Johnny

Johnny — Sun, 18 Jul 2010 19:26:05 +0000

@Andrew: I think I see. Interesting.

@Jeff: That answers my question to Andrew’s response. Thanks.

Johnny

By: Jeff Starr

Jeff Starr — Sun, 18 Jul 2010 19:05:31 +0000

Moving the wp-config.php may not protect against a determined hacker, but it will certainly deter a majority of scripted attacks that target the file in its default location.

By: Andrew Nacin

Andrew Nacin — Sun, 18 Jul 2010 18:49:22 +0000

Yes, you can move the wp-config.php file up one level, but that was not designed as a security measure. Indeed it provides no real protection. (Its purpose is for SVN externals.)

By: Johnny

Johnny — Sun, 18 Jul 2010 16:47:13 +0000

Hey Jeff,

Great post! I’ve been really driving hard to lock down all my installations since you published this. And I seem to have figured out a lot, well everything is still running, and faster, too (is that even possible?).

Anyway I installed Wp Security Scan, I believe, last week, and I did pretty good (53/56). It gave me a “B” for the location of my wp-config.php. First off I assume it saw my .htaccess file, where it is locked down, hence the “B,” but is there a safer place to put it? Like above the root, say? Is it even possible to move it elsewhere, in relation to where WordPress is installed?

Just wondering.

Thanks,

Johnny

By: John Hoff

John Hoff — Thu, 15 Jul 2010 16:22:47 +0000

I’ve been searching through all my bookmarks. I thought I saved the Google search to find those. For some reason, I seem to recall seeing this on Perishable Press where Jeff called them “sitting ducks”, but I couldn’t find the post.

Nonetheless, if that code was in their .htaccess files, it should of given a secondary backup as security (or may of).

Plus, heck why not. Who knows what new hacks will be coming and if this adds even a little more security, you might as well be ready just in case.

By: jason

jason — Thu, 15 Jul 2010 01:36:50 +0000

John,
Your right. Quality assurance would be a good thing.

By: greg

greg — Wed, 14 Jul 2010 16:42:33 +0000

@matt
Trivial? Please explain.

By: greg

greg — Wed, 14 Jul 2010 16:39:09 +0000

I would much rather pay a little for a good, well maintained plug that was free from hacking, then deal with a uncontrolled broken site.

That being said, I agree there should be a method, maybe with wordpress.org, to assure quality within the plugins.