Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialNathan Newell
7,634 PointsWordPress security. Am I doing enough?
Hi :)
I have a WordPress install, fully up to date (themes+plugins).
I have WordFence Free installed. Brute force protection enable. Also I've removed the admin username and enabled various features they offer.
I have BackUpBuddy allowing for scheduled backups to remote server (not going to help preventing a compromise obviously).
I'm well aware that prevention is key and that you can never eliminate being hacked, only minimise the possibility, but do you think I'm taking enough steps to reduce the risk of being compromised? or should I be installing other plugins to work in with WordFence?
Thoughts please.
thanks, Nathan
1 Answer
Team dxw
Courses Plus Student 7,277 PointsHaving backups is worth more than you think: everything eventually gets hacked, but the impact can be minimised if you're able to quickly re-deploy a recent copy of your site to a new machine.
Of course, that requires having a backup of all your code and uploads as well as the database. Having the code in version control (Git, or SVN) is a good way to achieve that.
There's a great guide on the codex to hardening your WordPress site: https://codex.wordpress.org/Hardening_WordPress
One step which can make it a lot harder to exploit your site is to lock down the permissions on your server so that the process running WordPress can only write to the Uploads directory and nowhere else. This means removing the ability to install plugins through the admin interface (you'd need to add them to the /plugins folder manually and upload them) but it knocks out a whole load of serious potential exploits.
Finally, we've built a plugin security notification service called MongooseWP which will email you if vulnerabilities are found in any of the plugins you're using: https://mongoosewp.com/
Cheers
Duncan