Basic guide for securing WordPress on DreamHost

wordpress

#1

In an effort to help the many users who are having webmaster/mistress issues with WordPress on DreamHost, I’ve written a PDF with a step-by-step checklist of how to make sure your website is secure. I’m not an expert in cleaning up an attack (thanks sXi, Bobocat and others) and I’m not trying to tell experienced web administrators what to do. This is targeted at the casual user who wants a secure WordPress website on DreamHost and wants to know how to do it. The doc is here

The checklist is as follows:

  1. Tools
    a. Have an FTP tool
    b. Have an SSH tool
  2. Set up your DreamHost panel
    a. Individual users per application
    b. Enable enhanced security
    c. Disable FTP, enable SFTP
  3. Understand your own website
    a. know the user root directory
    b. explore the log directory
    c. understand the web root directory and how wordpress is a set of files on your website
  4. WordPress issues
    a. Add yourself and delete ‘admin’
    b. Removing old themes
    c. Removing old plugins
    d. Installing secure plugins
    e. Evaluating all plugins and themes for risk
  5. Securing your site from nastiness
    a. Editing .htaccess
    b. Permission check on important files
    c. Looking at log files
    d. Tracking down ip addresses

Let me know if I’m missing something or screwed something up. I’m planning on adding a wiki after this is vetted.

-Bill
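A worked example for items 5b to 5d of the checklist above, added here as an illustration and not taken from Bill’s PDF: a small shell script of the kind you would run over the SSH login the checklist has you set up. It flags WordPress files and directories that are writable by group or others, and ranks the client IPs behind failed logins in the Apache access log. It assumes GNU find (Linux, as on DreamHost); the web root, the file modes and the log lines are constructed for the demo, and the functions can be pointed at a real web root and log instead.

```shell
#!/bin/sh
# Added example, not from the original post or its PDF: an audit script for
# checklist items 5b-5d. Assumes GNU find/awk (Linux). The tree, the file modes
# and the log lines below are constructed for the demo; on DreamHost the real
# paths are roughly ~/example.com and ~/logs/example.com/http/access.log.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEBROOT="$WORKDIR/example.com"
LOGFILE="$WORKDIR/access.log"

# A throwaway WordPress-like tree. Two entries are deliberately too open.
mkdir -p "$WEBROOT/wp-content/uploads"
chmod 755 "$WEBROOT" "$WEBROOT/wp-content"
: > "$WEBROOT/wp-config.php"; chmod 600 "$WEBROOT/wp-config.php"  # DB secrets: owner only
: > "$WEBROOT/.htaccess";     chmod 644 "$WEBROOT/.htaccess"
: > "$WEBROOT/index.php";     chmod 666 "$WEBROOT/index.php"      # world-writable file
chmod 777 "$WEBROOT/wp-content/uploads"                           # world-writable directory

# Constructed Apache combined-log lines: one IP hammering wp-login.php, one
# real user logging in, one script hitting xmlrpc.php.
cat > "$LOGFILE" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 21044 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:14:10:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"
203.0.113.9 - - [10/Oct/2023:14:10:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"
EOF

# 5b: list every file or directory under $1 that group or others can write to,
# as "path mode". With one user per site nothing but the uploads directory
# should ever need more than 644/755, and wp-config.php should be 600.
find_too_open() {
    find "$1" \( -type f -o -type d \) -perm /022 -printf '%p %m\n' | sort
}

# Number of too-open entries as a plain integer (useful in a cron check).
count_too_open() {
    find_too_open "$1" | awk 'END { print NR }'
}

# 5c/5d: rank client IPs by POST requests to path $1 that got HTTP 200 back,
# read from log $2. A failed WordPress login re-renders the form with 200; a
# successful one redirects with 302, so "POST /wp-login.php -> 200" is a good
# approximation of failed attempts. The same query works for xmlrpc.php.
post_200_by_ip() {
    awk -v path="$1" '
        $6 == "\"POST" && index($7, path) && $9 == 200 { n[$1]++ }
        END { for (ip in n) print n[ip], ip }' "$2" | sort -rn
}

# The single worst IP for a path (empty if nobody matched).
top_offender() {
    post_200_by_ip "$1" "$2" | head -n 1 | awk '{ print $2 }'
}

echo "== writable by group/others under $WEBROOT =="
find_too_open "$WEBROOT"
echo "== failed-login candidates (POST /wp-login.php -> 200) =="
post_200_by_ip wp-login.php "$LOGFILE"
echo "== xmlrpc.php posters =="
post_200_by_ip xmlrpc.php "$LOGFILE"
echo "worst wp-login.php offender: $(top_offender wp-login.php "$LOGFILE")"
```

Run it as-is to see the demo; to audit a real site, point `find_too_open` at the web root and `post_200_by_ip` at the current `access.log`. An IP that tops the list with dozens of 200s against wp-login.php in a minute is the one to block in .htaccess (item 5a).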


#2

umm…

As most people don’t host their sites over SSL, their passwords will be transmitted in cleartext. I’d recommend adding yourself twice - once as an admin account (yourselfAdmin), with a very strong password that you rarely use, and a contributor account which can only create content and could be used on a daily basis.

Ideally, admin tasks, and ideally content creation, should be done locally by using an SSH tunnel to your DB (which can be slow), thus avoiding sending passwords over the wire in cleartext, or using a local copy of the DB and syncing (which I’ve never figured out how to do).

Thanks for your efforts. Might I suggest adding them to the wiki so that others can add their ideas and correct any bad advice if it’s found?


#3

Cool, I will update the doc and start on the wiki.

-Bill

bobocat,

went to start the wiki and I realize I’ve edited wikis but never started a real page. Suggestions?

-Bill


#4

Search the Wiki :stuck_out_tongue:


#5

OK, now I’m showing my skills as a MORON. I’ve been searching the DREAMHOST WIKI, I’ve been searching Wikipedia, and what Wikipedia says will happen on how to add a new page doesn’t show up on DreamHost’s wiki. The DreamHost wiki tells me to contact a sysop. Argh. I contacted a sysop and maybe in this lifetime he will get back to me.

:slight_smile:


#6

Ahh! They probably lock down Page Creation to hinder the spammers.


#7

Just search and if it can’t find that page, you click the link to create it. You need to be logged into the wiki though. I’ve created pages with no problem:

[quote]There were no results matching the query.

Create the page “Harden wordpress” on this wiki![/quote]

I’d link to it from this page and add it to the Security portal.


#8

You must have more permissions bobocat. I can’t create pages either, I just tried.


#9

You’re logged into the wiki? You have to create an account. It’s not the same as the forum / panel / whatever.

I can’t imagine I have any extra permissions considering I’ve never done anything to earn them!


#10

Here is what I see when I search for a page that doesn’t exist:


#11

Try this address: http://wiki.dreamhost.com/Lakerat

You don’t get a link offering to create the page?

[quote]Lakerat
There is currently no text in this page. You can search for this page title in other pages, search the related logs, or edit this page.[/quote]

I had two edits before I made my first page. Maybe you have to edit a few pages first?


#12

I see:

Sorry, kelly7552, for taking your thread off topic :wink:


#13

I received a trojan alert after following that image link :S


#14

Interesting… It didn’t trigger one for me, but I’ve not used that upload site before and was just trying it out… I deleted the link from the prior post; here is a replacement: http://tinypic.com/r/jqgiet/5


#15

I see it as a bit ironic that DreamHost is making creating pages explaining how to secure WordPress on DreamHost very difficult. :slight_smile:


#16

I created the Harden WordPress topic already. It’s ready for editing.


#17

I have added the text, but I can’t seem to include jpgs. Any special incantation to the Gods of dreamhost to add pictures?


#18

This document is now available as a wiki article on DreamHost. See Harden WordPress

-Bill