What is a Local Attack?
Local Attack is a very common method used to attack a particular website on the same server. The tool of this attack is to use exploit code written in several programming languages such as PHP, ASP.Net, Python …
That code is called Shell. When a server on the server is uploaded to this shell file, the attacker can use the exploit commands to penetrate the hosting account with the server to read the sensitive information such as: Email, Database information (username , password ..) easily. From there the attacker can do whatever they want.
How to limit Local Attack in WordPress?
Let’s take a look at 10 ways to limit Local Attack in WordPress.
1. Hide wp-config.php file
Usually the files of the website will be in the public_html directory and usually the path will be /home/username/public_html/wp-config.php.
Therefore, the best way to hide the config file is to put the wp-config.php file out of the public_html directory, you can log on to the host via FTP and create a directory of any name horizontally adjacent to public_html. (here we will create a folder named secowcof)
Then download the wp-config.php file in the public_html directory and upload it to the newly created directory. Finally edit the wp-config.php file in the public_html directory as follows, see the link below:
<php
if ( !defined(‘ABSPATH’) )
define(‘ABSPATH’, dirname(__FILE__) . ‘/’);
require_once(ABSPATH . ‘../secowcof/wp-config.php’);
You replace the secowcof into your directory name that you created it on the par with public_html.
Note: This method only applies to websites that have files installed in the public_html directory but not in another folder. You can apply to the www directory if available.
2. Change the database prefix
The default WordPress prefix database is wp_, which inadvertently causes the hackers to know the name of each of your site’s tables if you do not change the prefix.
3. Change the security key
Access the wp-config.php file
define(‘AUTH_KEY’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(‘NONCE_KEY’, ‘put your unique phrase here’);
define(‘AUTH_SALT’, ‘put your unique phrase here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define(‘NONCE_SALT’, ‘put your unique phrase here’);
– Go to: https://api.wordpress.org/secret-key/1.1/salt/ to get the secret key
– Replace the entire code with the provided code
4. Do not edit files (plugins, themes) in wp-admin
Add to the bottom of the wp-config.php file the following code
define( ‘DISALLOW_FILE_EDIT’, true );
5. Do not install plugins, themes in wp-admin
Add to the bottom of the wp-config.php file the following code
define(‘DISALLOW_FILE_MODS’,true);
6. Chmod file wp-config.php
Chmod file into 400 or 404
7. Secure wp-config.php with .htaccess
Add the following code to the end of the
# protect wpconfig.php
order allow,deny
deny from all
8. Protect the wp-content directory
Create the .htaccess file and add the following code
Order deny,allow
Deny from all
Allow from all
Note: If the wp-content directory contains other files related to the wordpress source code, then you need to add the extension (woff example example) to the list above.
9. Lock the wp-admin path
The wp-admin and wp-login.php files are always the attackers if someone wants to visit your site. Therefore, it’s best to block all visits to these areas except you.
Create a .htaccess file in the wp-admin directory and insert the following.
<FilesMatch “.*”>
Order Deny,Allow
Deny from all
Allow from 123.456.789
123.456.789 is your IP, you can use any tools to know your real IP address.
10. Use the malware scan plugin
This step may be lucky enough to let you know what hosts your files contain so that you can delete them or download them. Here are the best plugins for you to scan the malicious code on the host completely free that you can use:
Wordfence Scan
Anti-Malware (Get Off Malicious Scripts)
6Scan Security
And if you have money, I encourage you to use Sucuri Premium
Here are 10 ways to restrict Local Attack in WordPress. Also, in the process of choosing hosting services for your website, you should also choose reputable hosting providers that support local attack limits to secure your website.
