Malicious attacks - your experience?


HD Moderator
Staff member
What I’ve seen so far as the most common types of attacks on WordPress websites are cross-site scripting, directory traversal, SQL injection and malicious file uploads. Trust me, once your site has been attacked, it’s a real pain cleaning it up. You’re far better off spending some time being proactive, implementing measures to protect your site from malware, rather than being reactive – attempting to clean up the mess afterwards.

What has your experience been guarding against malicious attacks?


HD Community Advisor
Staff member
What has your experience been guarding against malicious attacks?
Once the door has been opened, you're right, getting all of the areas cleaned up can take quite a bit of time. We've been involved in some extensive site hacks that required resolution - some of which took several days and upwards of 20 hours to resolve (it took several days as the client was OK with the site going offline rather than paying the expedited fees).

Guarding against them is going to depend on the type of attack. Restricting who has admin access to the site, where usernames/passwords are stored, 2-factor authentication, firewall restrictions, IP restrictions, and folder locations - and that's just the admin login :)

Plugins, code, backups, audits, regular security scans, firewalls, file permissions, email alerts - these are all part of the preemptive monitoring. One of the sites that we work with has a lock on all file permissions. It is 100% locked down - no editing of files. No plugins can update, no images can upload, nothing. Then when they do their testing on their test server, after everything is approved, they unlock the files, move the testing files, and then lock it all down again. It's a very security-focused, heavily modified WordPress site. Even if someone did gain WP admin access, they can't override the lock on the files, and logs, sessions, cookies, etc are stored outside of the normal WordPress folders.

The security you put in is the security you get out.
Most people lock their cars. Many people set an alarm. Fewer people have a kill switch on ignition. Fewer have a flow stop on fuel. Fewer let the air out of their tires. Fewer disconnect the battery.

Crazy enough, with my hummer, I had all of those options and used them (other than the disconnect battery). I had the kill switch, and I had to prime the fuel pump before start. The air "leaked" from my Central Tire Inflation System (CTIS), but when I start the truck, the CTIS kicks in and airs up the tires.