This is a WordPress blogging website with more than 2000 blogs. The website has very high traffic and is extremely profitable. However, the site was quite prone to hacking and the client could lose money if the site was down for a couple of hours.
The website had been hacked several times. It encountered issues like unauthorized account creation, unauthorized placement of ad codes, repetitive requests to admin, login and other files from several IP addresses across the world.
We cleaned up the site off any files that may compromise its security. We also installed a few security plugins, changed some passwords, disallowed file editing, setting directory permissions etc.
The site has been clean since and hasn’t been hacked anymore.
WHAT WE DID
We implemented the following security measures:
Searching and removing unused files like Readme which can create security hole. Before we started working on the website, anyone could have guessed that it was a wordpress site.
Disabling directory listing with .htaccess
Removing the WordPress version number
Disallowing file editing. If a user has admin access to the WordPress dashboard, they can edit any file that is a part of the WordPress installation. This includes all plugins and themes. However, if file editing is disallowed, hackers will be unable to modify any file or restrict access to the dashboard even if they gain access to the Wordpress dashboard. When a hacker accesses the WordPress login page and tries to guess the username and password for the administrator account, it’s called a brute force attack. Limiting the users that are allowed to see the log-in page and access the admin dashboard can reduce some of those attacks.
Using Email as login ID instead of a User Name. This is a more secure approach.
Setting up website lockdown and banning users
iThemes Security (formerly Better WP Security) set up
Setting directory permissions
BulletProof Security installation
Changing the password for PHP, MySQL, CMS login, FTP login etc. after the cleanup process