Wordpress lockdown
Last updated: November 2nd 2020
Once you've installed WP-CLI and made Webdock aware of your Wordpress installation, you can use our Wordpress Lockdown functionality to secure your Wordpress site. The lockdown script sets restrictive permissions on your Wordpress files and prevents execution of PHP files in certain folders using htaccess rules (or nginx webserver config rules).
Webdock can harden your Wordpress installation by setting prohibitive permissions on all files. This can mitigate exploits and hacking of files in your installation. This does not protect against database injection attacks.
Once hardened, you will not be able to write to files using FTP. Any custom plugins which use non-standard upload paths or which need write access to the filesystem will fail. In that case, update the allowed paths in the Wordpress Lockdown settings as required by your configuration.
What Wordpress Lockdown can do is:
- Prevent malicious users from modifying any of your source files. Many hacks drop malicious code and "infect" lots and lots of PHP files in order to make it hard to get rid of the hack once it has happened. WP lockdown prevents this.
- WP lockdown can, in most cases, prevent malicious users who have somehow gotten access to upload files to your site from executing the scripts they upload.
What Wordpress Lockdown CANNOT do is:
- Stop database injection attacks.
- Stop any eval() type code which may already be present in a badly written or malicious plugin from doing nasty things.
- Stop any exploits of your front-end JavaScript code.
On a default Wordpress install, just running lockdown with the default options will be fine. However, some plugins may want to write files to non-standard locations and may fail. If you get permission errors in your webserver log, you should consider changing that plugin or adding the path the plugin is trying to write to, to the permissible directories in the WP Lockdown interface.
In our practical experience, keeping your Wordpress site locked decreases the frequency of automated hacks by 90% or more.
WP Lockdown does not "disinfect" or "clean" an already hacked Wordpress site.
If you want to see how the lockdown script works, take a look in /root/hardenwp.sh and /root/dehardenwp.sh once you have locked and unlocked your site the first time.
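To check a site for the two conditions lockdown addresses (writable source files, and PHP files sitting in an upload folder), an audit along these lines can be run. This is an added example, not Webdock's hardenwp.sh; it assumes "writable" means the group or other write bit is set, that uploads live in wp-content/uploads, and it uses a constructed sample tree.

```shell
#!/bin/sh
# Added example, not Webdock's hardenwp.sh. Assumptions: "writable" means the
# group or other write bit is set; uploads live in wp-content/uploads.

# List files outside the allowed paths that group or others can write to.
# $1 = WordPress root; remaining args = allowed writable paths relative to root.
find_writable_source() {
    wp_root=$1; shift
    n=$#
    # Turn each allowed path into a "-path X -prune -o" clause for find.
    while [ "$n" -gt 0 ]; do
        set -- "$@" -path "$wp_root/$1" -prune -o
        shift
        n=$((n - 1))
    done
    find "$wp_root" "$@" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# List PHP-type files inside an upload directory, where nothing should execute.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print | sort
}

# Build a constructed sample tree so the example runs offline.
make_sample_tree() {
    t=$(mktemp -d)
    up="$t/wp-content/uploads/2020/11"
    mkdir -p "$t/wp-includes" "$t/wp-content/plugins/demo" "$up"
    echo '<?php // core file' > "$t/wp-includes/version.php"
    echo '<?php // plugin file' > "$t/wp-content/plugins/demo/demo.php"
    echo 'image bytes' > "$up/photo.jpg"
    echo '<?php // stray script' > "$up/cache.php"
    chmod 444 "$t/wp-includes/version.php"           # locked down
    chmod 664 "$t/wp-content/plugins/demo/demo.php"  # still group-writable
    chmod 664 "$up/photo.jpg" "$up/cache.php"        # inside an allowed path
    echo "$t"
}

# Demo: report both findings for the sample tree, then clean up.
run_demo() {
    tree=$(make_sample_tree)
    echo "Writable outside allowed paths:"
    find_writable_source "$tree" wp-content/uploads
    echo "PHP files in uploads:"
    find_php_in_uploads "$tree/wp-content/uploads"
    rm -rf "$tree"
}
run_demo
```

Against a real site, pass the Wordpress root and the same allowed paths configured in the Wordpress Lockdown settings; any file listed by the first function is one an attacker with web-user access could still modify.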
If you need any help with WP Lockdown, feel free to contact Webdock Support. We have extensive knowledge when it comes to securing websites, so we can surely help you out.