Wordpress lockdown

Last updated: November 2nd 2020

Once you've installed WP-CLI and made Webdock aware of your Wordpress installation, you can use our Wordpress Lockdown functionality to secure your Wordpress site. The lockdown script sets restrictive permissions on your Wordpress files and prevents execution of PHP files in certain folders using .htaccess rules (or nginx webserver config rules).

Webdock can harden your Wordpress installation by setting restrictive permissions on all files. This mitigates exploits that modify or plant files in your installation. It does not protect against database injection attacks.
Once hardened, you will not be able to write to files using FTP. Any custom plugins which use non-standard upload paths or which need write access to the filesystem will fail. In that case, add the paths those plugins need to the allowed paths in the Wordpress Lockdown settings.

What Wordpress Lockdown can do is:

  1. Prevent malicious users from modifying any of your source files. Many hacks drop malicious code and "infect" lots and lots of PHP files in order to make it hard to get rid of the hack once it has happened. WP Lockdown prevents this.

  2. WP Lockdown can, in most cases, prevent malicious users who have somehow gotten access to upload files to your site from executing said malicious scripts.

What Wordpress Lockdown CANNOT do is:

  1. Stop database injection attacks.

  2. Stop any eval()-type code which may already be present in a badly written or malicious plugin from doing nasty things.

  3. Stop any exploits of your front-end JavaScript code.

On a default Wordpress install, running lockdown with the default options will be fine. However, some plugins may want to write files to non-standard locations and will fail. If you see permission errors in your webserver log, consider replacing that plugin or adding the path the plugin is trying to write to the permissible directories in the WP Lockdown interface.

In our practical experience, keeping your Wordpress site locked decreases the frequency of automated hacks by 90% or more.

WP Lockdown does not "disinfect" or "clean" an already hacked Wordpress site.

If you want to see how the lockdown script works, take a look in /root/hardenwp.sh and /root/dehardenwp.sh once you have locked and unlocked your site the first time.

If you need any help with WP Lockdown, feel free to contact Webdock Support. We have extensive knowledge when it comes to securing websites, so we can surely help you out.

