Securing the Vault – Hardening Files and Databases

All is not lost, it’s never too late to be what you might have been
– Neil Peart

Once a hacker gains server access, they target your database and configuration files. This article covers how to lock down your site’s “internal organs”.

1. The 755/644 Permission Standard
File permissions govern who can read, write, and execute your files. The recommended permissions are 755 for directories (the owner may read, write, and enter them; everyone else may only read and enter) and 644 for files (the owner may read and write; everyone else may only read).
The Tweak: Use an FTP tool like FileZilla to set these permissions; never use “777,” which lets every account on the server read, write, and execute the file.

2. Disabling PHP Execution in Uploads
Hackers often abuse writable directories like /uploads/ to upload malicious scripts disguised as core files. Blocking PHP execution in these folders prevents such scripts from running even if the upload succeeds.
The Tweak: Create a .htaccess file in the /uploads/ directory containing code to deny access to all .php files.

3. Protecting wp-config.php
This file includes critical information about your website and database. It should be set to a highly restrictive permission level like 400 or 440 to prevent unauthorized modifications.
The Tweak: You can also disable the built-in file editor by adding define('DISALLOW_FILE_EDIT', true); to the wp-config.php file to prevent dashboard-level code tampering.
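The three tweaks above as one procedure for anyone with shell access rather than an FTP client, plus an audit function that checks the result. This is an added example, not the article's own code; the function names harden_wp_site, verify_wp_site and make_sample_site are mine, and it assumes Apache 2.4 with .htaccess overrides enabled and a PHP process that runs as the owner or group of wp-config.php.

```shell
#!/bin/sh
# Added example, not the article's own code: applies the three tweaks to a
# WordPress docroot. Assumes Apache 2.4 honouring .htaccess (AllowOverride)
# and that the web server runs as the owner or group of wp-config.php.
set -eu

harden_wp_site() {
    root="$1"
    # 1. 755 on directories, 644 on files: owner may write, everyone else read-only.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # 2. Refuse to serve PHP-like files from the uploads tree (Apache 2.4 syntax).
    uploads="$root/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$uploads/.htaccess"
    # 3. Disable the dashboard file editor, then lock wp-config.php to 440.
    cfg="$root/wp-config.php"
    grep -q "DISALLOW_FILE_EDIT" "$cfg" ||
        printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$cfg"
    chmod 440 "$cfg"
}

# Audit helper: returns 0 only when every setting the article describes holds.
verify_wp_site() {
    root="$1"
    [ -z "$(find "$root" -type d ! -perm 755)" ] || return 1
    [ -z "$(find "$root" -type f ! -name wp-config.php ! -perm 644)" ] || return 1
    [ -z "$(find "$root" -name wp-config.php ! -perm 440)" ] || return 1
    grep -q 'Require all denied' "$root/wp-content/uploads/.htaccess" || return 1
    grep -q "DISALLOW_FILE_EDIT" "$root/wp-config.php"
}

# Constructed sample tree with the over-permissive 777 mode the article warns about.
make_sample_site() {
    root="$1"
    mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-includes/version.php"
    chmod -R 777 "$root"
}
```

The .htaccess rule only takes effect on Apache with AllowOverride enabled; nginx needs an equivalent location block in the server configuration. A 440 wp-config.php is readable only by its owner and group, so the PHP process must run as one of them or the site will fail to load.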

A secure website is only as strong as its most sensitive configuration files. By hardening your file permissions and disabling execution in high-risk directories, you create an environment where even a successful “entry” by a hacker results in a dead end. Protecting the “internal organs” of your site ensures your data remains private and your configuration stays unchangeable.
