Top 10 WordPress Security Mistakes

By | June 3, 2018

Top 10 WordPress Security Mistakes

A quick video about basic Linux security. We’ll be covering basic web hosting security: the most common misconfigurations and security holes (from a System Administrator’s perspective) in WordPress sites.

These security tips apply to Joomla, Magento, and other content management systems as well. I’ll show you how to fix the most glaring issues, which prevent a huge percentage of the security compromises I see every day.

# Core Application
incorrect file/dir permissions
-777 — should be 775 for dirs, 644 for files except in SPECIAL cases

running sites as root
-dave:www-data instead — group (web server) has read, OWNER IS THE ONLY ONE WHO CAN WRITE

shared PHP/user between sites
-most hosting companies use shared hosting
-if you have one site or 23 sites, they’re all running under ONE user and ONE PHP process.
-one infected site means that everything is at risk, since that site can write to other sites (and thereby cross-infect them)

web user has a shell (instead of /bin/false)
-grep www /etc/passwd — /sbin/nologin good, /bin/bash == BAAAD

ssh with passwd login, root login enabled
-no root login from iNet.
-no password based logins. Period.

weak FTP/hosting/DNS passwords
-hosting companies that expose FTP — scary

# Administration
people don’t update their CMS installations and plugins
people run huge amounts of plugins

# 3rd-party
badly engineered plugins/themes/etc.
vulnerable ‘custom’ code — uploaders with no authentication, etc.

Full Linux Sysadmin Basics Playlist:

Check out my project-based Linux System Administration course (free sample videos):

free website traffic


Official Site:

Leave your comments and questions below:

how to use wordpress


Leave a Reply

Your email address will not be published. Required fields are marked *