Friday, November 21, 2014

Protecting your WordPress blog after it has been compromised

This post concerns a self-hosted (server-side) WordPress installation, not a blog hosted at WordPress.org.

Quite a few of us have run into the situation where one day, when trying to reach your blog, you get a warning about malware ahead. Let's say you put major effort into cleaning the entire blog (including the database), removed every injection you could find, disabled all plugins that looked unreliable, and changed all passwords. Can you feel safe at that point? I would rather say "No!", because you cannot guarantee that the attacker didn't leave a hidden back-door entry into your WordPress.

The most common way into your blog is through corrupted plugins or themes. To prevent them from doing any damage, the best way to protect yourself is to configure WordPress to not allow any updates, and to lift that restriction only for the intended update period. You can do this in the wp-config.php file located in the root directory of your blog.

Go ahead and comment out this line:

define('WP_TEMP_DIR', ABSPATH . 'wp-content/'); 

WordPress uses a temporary directory to download any sort of update. By commenting out this line you leave WordPress without a path to that directory, so it won't automatically perform unintended updates from a potentially dangerous theme or plugin. I recommend putting a comment above the line so you don't forget what needs to be un-commented for the scheduled updates:

// UNCOMMENT LINE BELOW TO ENABLE UPDATES
//define('WP_TEMP_DIR', ABSPATH . 'wp-content/');
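As an added example (not from the original post), here is a wp-config.php fragment that keeps the post's commented-out WP_TEMP_DIR line and puts next to it the constants WordPress itself documents for locking down file changes: DISALLOW_FILE_MODS (since WordPress 3.0), AUTOMATIC_UPDATER_DISABLED (since 3.7) and DISALLOW_FILE_EDIT. One caveat a practitioner should know: when WP_TEMP_DIR is not defined, WordPress's get_temp_dir() falls back to the system temporary directory, so the explicit constants are the harder lock. The WP_MAINTENANCE_WINDOW environment variable used to open the update window is an assumption of this example, not something WordPress defines.

```php
<?php
// Added example, not part of the original post or of WordPress itself.
// Only the update-lockdown part of wp-config.php is shown; database
// settings, salts and the table prefix stay as they are.

// 1. The post's approach: keep the temp-dir constant commented out and
//    un-comment it only while you run updates.
//    Caveat: with WP_TEMP_DIR undefined, get_temp_dir() falls back to the
//    system temp directory, so on its own this is not a hard lock.
// UNCOMMENT LINE BELOW TO ENABLE UPDATES
//define('WP_TEMP_DIR', ABSPATH . 'wp-content/');

// 2. Hard lock using core constants. Open the window only while you
//    deliberately apply updates, then close it again.
//    The environment variable name is an assumption of this example.
$maintenance_window = (getenv('WP_MAINTENANCE_WINDOW') === '1');

// DISALLOW_FILE_MODS removes the plugin/theme installer, updater and file
// editor from the admin UI and blocks those code paths server-side.
define('DISALLOW_FILE_MODS', ! $maintenance_window);

// AUTOMATIC_UPDATER_DISABLED stops the background auto-updater entirely,
// so nothing is fetched and unpacked outside the window.
define('AUTOMATIC_UPDATER_DISABLED', ! $maintenance_window);

// 3. Independently of updates, never let the admin UI write PHP to disk:
//    a stolen admin login then cannot plant code through Appearance > Editor.
define('DISALLOW_FILE_EDIT', true);
```

With the window closed, the Plugins and Themes screens lose their install/update actions and WP-Cron's update checks do nothing; to patch, start the update run with WP_MAINTENANCE_WINDOW=1 in the PHP environment, verify the result, then remove the variable so the lock re-engages on the next request.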

After doing that you can relax and research which part of your WordPress could possibly be causing harm, and remove it to avoid future problems.

That is a rather thin layer of defense, considering that your blog can be harmed again the moment you enable this path to run scheduled updates; however, it prevents your blog from being down or blocked for a long time without you noticing, and it helps hunt down the guilty plugin or theme by eliminating the "time dimension": you don't need to check the extended update logs to determine the date on which your blog was harmed.




