Tighten Your WordPress Security on DreamHost to Protect Your Blog
I've been cleaning a lot of WordPress sites infected with malware on DreamHost lately. I am finding some common denominators that put users' hosting accounts and WordPress sites at risk:
- Used One-Click Installs to install the WordPress “Deluxe” Install. (Be sure to “uncheck” Deluxe.)
- Enhanced Security has been disabled.
- Extra Web Security is turned off.
DreamHost One-Click Install Security Tip:
I'm not a fan of auto-installers, but if you don't want to learn the WordPress Famous 5-Minute Install and use the DreamHost One-Click Installer for WordPress, please uncheck “Deluxe Install” so you don't end up with 134 themes and 9 plugins. To find out why this is a security risk, be sure to read my post here.
Important: To keep the auto-installer from installing multiple themes and plugins, before clicking the “Install it for me now!” button, uncheck “Deluxe Install.”
DreamHost Enhanced Security Tip:
The hacked WordPress sites I've been cleaning have this feature turned off. Yikes! If you're hosting with DreamHost please check all of your users individually and make sure that “Enhanced Security” is enabled.
Manage Users > click “Edit” next to the username > Enhanced Security – Check the box.
According to the DreamHost Wiki:
The Enhanced User Security setting prevents other users from accessing your home directory. It can be enabled independently for each user in the DreamHost control panel under Users / Manage Users. It is enabled by default.
It is strongly recommended that you only disable this option if you need your files to be accessible to other Dreamhost users (which you really probably don't).
Read more about DreamHost Enhanced Security.
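A shell check for two of the conditions above, added here as an example (it is not from the original post or from DreamHost). It tests the effect the wiki describes, other users having access to the home directory, rather than the panel setting itself, and counts installed themes and plugins. The function names, the default limit of 5, and the standard wp-content/themes and wp-content/plugins layout are assumptions.

```shell
#!/bin/sh
# Added example, not DreamHost tooling. Paths and thresholds are assumptions.

# Succeeds if the "other" permission class has any access to directory $1.
others_can_access() {
    perms=$(ls -ld -- "$1" | cut -c8-10)
    case "$perms" in
        ---|--T) return 1 ;;   # other users have no r/w/x bits
        *)       return 0 ;;
    esac
}

# Prints how many immediate subdirectories $1 contains (0 if it is missing).
count_subdirs() {
    n=0
    for d in "$1"/*/; do
        [ -d "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# audit_wp HOME_DIR WP_ROOT [MAX_THEMES] [MAX_PLUGINS]
# Prints one "FINDING:" line per problem and always returns 0.
audit_wp() {
    home_dir=$1 wp_root=$2 max_themes=${3:-5} max_plugins=${4:-5}
    if others_can_access "$home_dir"; then
        echo "FINDING: $home_dir is accessible to other users ($perms)"
    fi
    themes=$(count_subdirs "$wp_root/wp-content/themes")
    plugins=$(count_subdirs "$wp_root/wp-content/plugins")
    if [ "$themes" -gt "$max_themes" ]; then
        echo "FINDING: $themes themes installed (limit $max_themes)"
    fi
    if [ "$plugins" -gt "$max_plugins" ]; then
        echo "FINDING: $plugins plugins installed (limit $max_plugins)"
    fi
    return 0
}

# Example run (hypothetical site directory): audit_wp "$HOME" "$HOME/example.com"
```

No output means the home directory is closed to other users and the theme and plugin counts are within the limits passed in.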
DreamHost Extra Web Security Tip:
To help prevent common attacks, be sure each domain has “Extra Web Security” enabled.
Manage Domains > click “Edit” next to your domain name > Extra Web Security – make sure this is enabled (checked).
According to the DreamHost Wiki:
The Extra Web Security option (you see it when adding a new domain or editing the web settings for an existing domain) enables the use of a very special security module for your website. Many common attacks that can compromise your website will be blocked by this option. We cannot guarantee that all attacks will be blocked but we will do our best to ensure the most common known attacks will be prevented.
Read more about DreamHost Extra Web Security.
Leave Your Feedback
Are you hosting with DreamHost? Be sure to let me know if you found these tips helpful by leaving your comment below.
~ Regina Smola
WordPress Security Expert
Cyndi Papia says
Thank you for posting this, Regina. Just had someone contact me that had all their sites on Dreamhost infected with Base64. I referred them to you.
Frank Steiner says
Regina,
I hate one-click installers too. First, it creates security problems. Second, it installs tens of themes automatically which causes issues in pageload time. Installing WordPress manually is just a 3-minute process. I have no idea why people are so lazy.
Regina Smola says
I am right there with ya Frank!
Sometimes it’s laziness and other times it’s all they know to do cuz that big shiny button is just sitting there in the cPanel enticing them. All we can do is educate and hope they listen.