Hello, when someone uses security holes in WordPress plugins/themes to insert some malicious file or modify some file in my hosting account, I assume not all WordPress directories can be used to store the first/initial malicious file. My question is: which folders are those that I need to set to read-only? I want to enable automatic updates of plugins and core, but I am interested in whether I can prevent the hacker from inserting a file and at the same time keep the update-tied folders writable.
You will definitely need to be more specific: which security holes, which files were modified, and so on.
I find that sort of thing in lots of places. Your first order of business should be NinjaFirewall. It stops that stuff before WordPress is even fired, and it has no footprint at all. It's also quite helpful for finding the actual shell scripts that fetch that crap in the first place. Nigel
@Nigel thanks, https://wordpress.org/plugins/ninjafirewall/ seems to have good features, but in this case I prefer simple tweaks over installing a new plugin. @wisdomtool this is a general question.
That is not a plugin in that sense. It's a firewall. There are no simple tweaks. If you start trying to change all your perms, you are going to cripple stuff. N.
With WordPress modification and use of security plugins, also use the Stop Spammers plugin if your site enables free user registration. Sometimes hackers register on the WordPress website and execute a malicious script, exploiting any vulnerability in the theme or any plugin as well...