Hello, I've got a question about securing my Wordpress site. The first is the appropriate way to change directory & file permissions. I'm on a Windows 2008 - IIS 7.0 distribution. And I must admit I'm used to working in *NIX enviroments via a command line, but I'm working w/ a client who is an existing customer... I've been observing some suspicious activity on my WP install and noticed the all the files and directories are set to 777. Its unclear how to set permissions correctly via the Control Panel. I have a created an additional user along w/ my CP user, there is also an Anonymous ASP.net User account that does not seem to affect permissions. So how to proceed? Also, Its unclear how to set permissions on individual files. From the DiscountASP.net Permissions control panel, I cannot see how to set permissions on files themselves...
Just to add more clarity, my ultimate goal is to set permissions very explicitly, So on a directory like wp-content I'd want set it to 755. Where as on a file like wp-config I'd want something like 644 I tried setting permissions from both my FTP client (Transmit / Mac OS) and from my code editor (Coda 2) both allow me to open a small dialog to change permissions, but as soon as I hit apply, they revert back to their original state... Is there command line available or way to SSH into my server? Any help in this matter is greatly appreciated!
Hi Ricardo. These are Windows servers, so the unix file permissions do not apply (that's why your FTP program lets you change them but no change takes place). Your file security should be fine, but if you have specific security concerns you can contact support and they can help you troubleshoot.
Thanks for your help MJP, So, the basic WP site hardening guidelines (I'm thinking file system here) arent relevant or dont apply? The reason why I'm concerned is, on our WP installation, we're suddenly unable to upload images or make plugin updates. This same thing happened a couple weeks ago when I noticed a plugin that I didnt install show up in the directory. I deleted it and all went back to normal. I'm thinking the same is going on again, though its more difficult to trouble shoot this one... If you dont think I need to follow the standard WP guide (https://codex.wordpress.org/Hardening_WordPress) for the file system any other guidance / tips you can think of will be greatly appreciated.
If there's access to your WordPress installation that you didn't authorize or don't recognize, the odds are it isn't happening on the server level. There are too many other, much easier, ways to exploit a WordPress installation. So the file permissions are unlikely to be the source of your problem. We have an intrusion detection system on the network that blocks common WordPress exploit attempts (brute force password attacks, SQL injection, etc.), so what we're left with are mostly password exploits, and those can happen at a lot of levels - like on your computer, for example. As that WordPress codex page says, it's important to make sure no one has access to your passwords - and that means your FTP password as well - so you might want to look at your local computer security (and the local computer security of any other users that have access). And speaking of other users, Make sure you don't keep "unused" user accounts active in the WP installation. Make yourself an admin and delete the default admin user (that's the target for almost all password hack attempts) and any other users that don't need access. You might also want to use FTP over SSL for your connections to the site. Start with those things and your WordPress installation will be more secure than most.
