How to Secure a wordpress site on InterServer shared hosting

Quags

Administrator
Staff member
PHPmmdrop is interserver's new intershield feature that can protect your website, with no coding changes, from malware and hacking, and even protect against an insecure theme or plugin.

PHPmmdrop reduces php permissions to further secure and lock down websites. This has been optimized and tested most for wordpress. Similar methods can work with drupal, magento, moodle and joomla.

First, it is recommended to contact InterServer support to check if your package supports PHPmmdrop.

1) To begin, edit the main .htaccess file in your wordpress install. This is the same location the wp-config.php is in. Open .htaccess and add

Code:
## BEGIN INTERSHIELD PHPMMDROP
<IfModule LiteSpeed>
AddType application/x-httpd-fastphp .php .php5 .phtml
Options -Indexes
</IfModule>
## END INTERSHIELD PHPMMDROP

Save this file. Reload your site to ensure it is working. If you get a 403 Forbidden error, your account does not have mmdrop enabled yet, and support can assist you.

2) Disable wp-cron in wp-config.php. Open wp-config.php and add
Code:
define('DISABLE_WP_CRON', true);
Save this file.

3) Enable a cron job to manually run cron. Typically every hour is fine.

In cpanel open the cron job section and add
Code:
0 * * * * cd /home/YOURUSERNAME/public_html; php -q wp-cron.php
If you have ssh access, you can add this using crontab -e

Note: /home/YOURUSERNAME/public_html – YOURUSERNAME should be replaced with your cpanel username. The wordpress install location may be different for an addon domain.

4) Enable normal php in the wp-admin folder.
Move to the wp-admin folder and create or edit the .htaccess file.
Code:
## BEGIN INTERSHIELD PHPMMDROP
<IfModule LiteSpeed>
AddType application/x-httpd-php71 .php .php5 .phtml
Options -Indexes
</IfModule>
## END INTERSHIELD PHPMMDROP
PHPmmdrop runs as php 7.1, so using the same in wp-admin is recommended.

Once done, wordpress runs normally with reduced permissions, except for files in the wp-admin folder. Additional security on php-mmdrop servers removes the ability to run scripts in the wp-uploads folder or to directly call files in wp-includes, with some exceptions.

If a plugin needs higher permissions, step 4 can be used to enable it in the .htaccess file of the plugin folder.
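As an added example (not part of the post above and not an InterServer tool), the following POSIX shell script applies steps 1 to 4 of the procedure to a WordPress tree in one idempotent run and then checks the result. It assumes sh, awk and grep are available, that the WordPress root is passed as the first argument and the cPanel username as the second, and it prints the cron line for pasting into cPanel rather than installing it, since crontab layouts differ between accounts.

```shell
#!/bin/sh
# Added example, not InterServer's own tooling: applies steps 1-4 of the post to a
# WordPress tree. Assumptions: POSIX sh, awk and grep; $1 is the WordPress root;
# the cron line is printed for pasting into cPanel instead of being installed.

MMDROP_BEGIN='## BEGIN INTERSHIELD PHPMMDROP'
MMDROP_END='## END INTERSHIELD PHPMMDROP'

# Append the marker block to the .htaccess at $1 using AddType handler $2,
# unless a block is already present (so re-running never duplicates it).
write_mmdrop_block() {
    htaccess="$1"
    handler="$2"
    if [ -f "$htaccess" ] && grep -qF "$MMDROP_BEGIN" "$htaccess"; then
        return 0
    fi
    printf '%s\n<IfModule LiteSpeed>\nAddType %s .php .php5 .phtml\nOptions -Indexes\n</IfModule>\n%s\n' \
        "$MMDROP_BEGIN" "$handler" "$MMDROP_END" >> "$htaccess"
}

# Step 2: define DISABLE_WP_CRON in wp-config.php. The constant only takes effect
# if it is defined before wp-settings.php is required, so it is inserted in front
# of that line rather than appended to the end of the file.
disable_wp_cron() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    grep -q 'DISABLE_WP_CRON' "$cfg" && return 0
    awk -v line="define('DISABLE_WP_CRON', true);" \
        '/wp-settings\.php/ && !inserted { print line; inserted = 1 } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    # Fallback for a wp-config.php that has no wp-settings.php line at all.
    grep -q 'DISABLE_WP_CRON' "$cfg" || printf '%s\n' "define('DISABLE_WP_CRON', true);" >> "$cfg"
}

# Step 3: the hourly cron line from the post, with the cPanel user filled in.
cron_line() {
    printf '0 * * * * cd /home/%s/public_html; php -q wp-cron.php\n' "$1"
}

# Steps 1, 2 and 4 together: reduced-permission handler at the root,
# wp-cron disabled, normal php 7.1 handler in wp-admin.
apply_phpmmdrop() {
    root="$1"
    write_mmdrop_block "$root/.htaccess" application/x-httpd-fastphp
    disable_wp_cron "$root" || return 1
    mkdir -p "$root/wp-admin"
    write_mmdrop_block "$root/wp-admin/.htaccess" application/x-httpd-php71
}

# Post-change check: returns 0 only if all three pieces are in place.
check_mmdrop() {
    root="$1"
    grep -q 'AddType application/x-httpd-fastphp' "$root/.htaccess" &&
        grep -q 'AddType application/x-httpd-php71' "$root/wp-admin/.htaccess" &&
        grep -q 'DISABLE_WP_CRON' "$root/wp-config.php"
}

# Usage: sh phpmmdrop.sh /home/YOURUSERNAME/public_html YOURUSERNAME
if [ "$#" -eq 2 ]; then
    apply_phpmmdrop "$1" && check_mmdrop "$1" && cron_line "$2"
fi
```

After running it, reload the site as the post says: a 403 at this point still means the account does not have mmdrop enabled, which no local change fixes.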
 

kumkum

New Member
I have checked all the above steps and i am posting some more steps to secure your Wordpress website.
You can check below steps:
1). Keep your wordpress account upto date
2). Protect access of your Wordpress admin section
3). Don't use "admin" username and use strong password
4). Use two-factor authentication
5). Check your PC is fully secured with antivirus and not compromised
6). Securing wp-config.php file
7). Disable File Editing
8). Delete readme and unnecessary files.
9). Limit Login attempts
10). Do not allow search engine to browse your directories
11). Prevent directory listing of your account
12). Prevent PHP Files from executing

If you want detailed steps then you can check below link:
 

Pistle

New Member
Keeping WordPress secure is necessary in order to keep websites from being compromised. The area that attackers will attempt to access is the wp-admin page. If a malicious user can login as admin, they can cause issues for the site owner. Hackers will also try to log in using a “Brute force attack”, by creating automatic logins using multiple computers. A series of multiple computers used to conduct malicious activities is known as a botnet. They use different combinations of username and password. In order to prevent hackers from compromising the wp-admin interface, the following steps need to be taken.

1) Using Unique, Secure Username and Password
Always avoid using the default ‘admin’ username. Also try to avoid common names like your website’s name, your name, etc. In addition, use complex passwords with combinations of alphabets, numbers, special characters, yet still easy to remember. Phonetic password generators are always a great idea.

2) Two-factor Authentication
Two-factor Authentication also called ‘2FA’ or 2-step verification requires the user to not only enter the username and password but also a unique code sent to linked device, usually a mobile phone. This feature increases the security of our website.

3) Verify the user is ‘Human’
reCAPTCHA modes can be used to check whether a user is human or not. This means that botnets cannot automate the reCAPTCHA, and hence the attacker cannot log in to our account.

4) Keep WordPress updated.
To automatically install WordPress releases, add the following to the website’s wp-config.php file:
Code:
define( 'WP_AUTO_UPDATE_CORE', true );
However, this can bring incompatibility between the newly installed WordPress version and existing themes/plugins. To resolve this issue, iThemes Sync and ManageWP third party tools help you with all the installations and updates for WordPress on your websites.

5) Using Security plugins
Some of the most popular security plugins are:

Wordfence security

AntiVirus

Acunetix WP Security

BulletProof Security

6) Protection from brute force attacks
A website can be attacked in two ways namely,

Surgical attack – Here the attacker looks for a vulnerability and then exploits it with sheer precision.

Brute force attack – As mentioned above, this is a trial and error method that uses programs to crack passwords.

The best method of protection of wp sites from brute force attacks is a plugin called BruteProtect and you can also enable any CDN services.

7) WordPress Plugin and Themes
Security holes in themes and plugins represent more than half of all successful WordPress hacks. Careful attention to the plugins you activate on your website is warranted. It is important that your WordPress theme is up to date and well-coded. You can check the quality of the code in your theme by using a plugin.



8) Using Correct File Permissions
It is important to configure file permission correctly in WordPress.

All directories should be 755 or 750

All files should be 644 or 640

wp-config.php should be 600

9) Protecting WordPress using .htaccess
The .htaccess file is a powerful configuration file that changes the way your server operates. It is used to redirect URLs and configure permalinks. The file can also be used to harden WordPress security.

10) Limit Login Attempts

Hackers use brute force attacks to try and gain access to your WordPress admin area, continually trying new random usernames and passwords. One of the best ways to protect your website against this kind of attack is to install Login LockDown or Login Security Solution. These plugins limit the number of login attempts from a given IP range.
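As an added example (not from the post above and not from any of the plugins it names), the following POSIX shell script turns step 8 into a repeatable check: it lists every path whose mode is not one of the recommended values (directories 755 or 750, files 644 or 640, wp-config.php 600) and can apply the stricter variant. It assumes sh and a POSIX find, and that the WordPress root is passed as the first argument.

```shell
#!/bin/sh
# Added example, not part of the post: audits a WordPress tree against the
# permissions in step 8 and optionally applies the stricter defaults.
# Assumptions: POSIX sh and find; $1 is the WordPress root.

# Print one line per path whose mode is not among the recommended values:
# directories 755/750, files 644/640, wp-config.php 600.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm 755 ! -perm 750 -print | sed 's/^/dir:  /'
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 -print | sed 's/^/file: /'
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 600 -print | sed 's/^/cfg:  /'
    fi
}

# Number of offending paths (0 means the tree matches the recommendation).
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the strict variant: 755 for directories, 644 for files, 600 for
# wp-config.php. Group- or world-writable modes left behind by a plugin
# (for example under wp-content/uploads) are reset as well.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Usage: sh wp-perms.sh /home/YOURUSERNAME/public_html        (audit only)
#        sh wp-perms.sh /home/YOURUSERNAME/public_html fix    (audit, then fix)
if [ "$#" -ge 1 ]; then
    audit_wp_perms "$1"
    if [ "$2" = fix ]; then
        fix_wp_perms "$1"
    fi
fi
```

Run the audit first and read the list before fixing: a directory that legitimately needs to be group-writable for the web server user on a given host shows up here too, and the fix resets it to 755 along with everything else.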