Most WordPress sites are not compromised by some exotic zero-day. They are compromised through weak passwords, outdated plugins, and file permissions that are far more generous than they need to be. The good news is that the same handful of basic measures stops the overwhelming majority of real-world attacks.
Lock Down Accounts First

Start with accounts. Every administrator should use a long, unique password and two-factor authentication. Delete the default “admin” username if it still exists, and limit the number of accounts that hold the administrator role to the few people who genuinely need it. An editor cannot install a malicious plugin; an administrator can.
Next, keep everything updated. The vast majority of hacked sites were running a plugin with a known, already-patched vulnerability. Enable automatic updates for minor core releases and for plugins you trust, and make a habit of removing plugins you no longer use rather than leaving them deactivated but present on disk.
Finally, tighten the filesystem. Files should be 644, directories 755, and wp-config.php can be locked down further still. Disabling file editing from the dashboard with DISALLOW_FILE_EDIT means that even if an account is taken over, the attacker cannot paste PHP straight into your theme. None of this is glamorous, but security rarely is.
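As an added example, not code from the original post: a POSIX shell script that audits a WordPress tree against the 644/755 scheme above, applies it, and adds DISALLOW_FILE_EDIT to wp-config.php if it is missing. It assumes the WordPress root is passed as the first argument and uses mode 600 for wp-config.php, a common hardening choice the post itself leaves open.

```shell
#!/bin/sh
# Added example (not from the original post). Usage: wp_audit_perms /var/www/site
# Assumptions: files 644, directories 755, wp-config.php 600.

# Print every path whose mode deviates from the expected one.
wp_audit_perms() {
  root="$1"
  find "$root" -type d ! -perm 755 -print
  find "$root" -type f ! -name wp-config.php ! -perm 644 -print
  find "$root" -type f -name wp-config.php ! -perm 600 -print
}

# Apply the expected modes. wp-config.php gets 600 because it holds the
# database credentials and only the web server user needs to read it.
wp_fix_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Define DISALLOW_FILE_EDIT exactly once, placed before the line that
# loads wp-settings.php so the constant is set before WordPress boots.
# If no such line exists the define is appended at the end of the file.
wp_disable_file_edit() {
  cfg="$1/wp-config.php"
  if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    return 0
  fi
  awk -v line="define('DISALLOW_FILE_EDIT', true);" '
    /wp-settings\.php/ && !done { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}
```

Run the audit before and after the fix to confirm it reports nothing, and re-run the define step to check it stays idempotent.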