I’ve noticed a good percentage of WordPress sites are brochure ware, and rarely have any updated content.
Site owners struggle over an extended period to keep their site secure: keeping WordPress updated, plugins updated, the theme updated. Auto updates have helped a lot with this recently, but keeping everything updated doesn't guarantee you won't get hacked either.
Plugins like Wordfence are popular too, and whilst Wordfence is very powerful, it's not infallible.
A good backup seems to be the best defence long term against hacks.
How useful/popular do you think a WordPress lockdown plugin would be, one that puts WordPress into... lockdown? No changes are allowed.
For sites with no changes, or infrequent changes, we could put them into ‘lockdown mode’.
My idea is a plugin that prevents changes to disk, and certain database tables (users/posts/pages).
To allow changes, use something simple: when an admin logs in and passes a captcha check, we ask if they want to disable the lockdown for 1 hr, 8 hrs or 24 hrs.
I'll think about auto updates. I have some ideas to allow auto updates and compare any new files to the official wordpress.org downloads.
Some hacks would be stopped by denying writes to disk.
If another hack occurs, I'll automatically clean up the worst of it.
Some code to override some core WordPress ‘save to disk’ functionality, so new saves are rejected.
Some code to checksum all files, so the plugin can detect changed files. Just deleting new files is a really good defence against a lot of hacks.
I was inspired by Apple iOS's recent change, where you can offload unused apps to the cloud. iOS just deletes all files that match the existing code in the App Store, as it can easily be replaced when needed. So I'll do the same: for anything that matches the wordpress.org "app store", I'll just store the version and checksum. If the file gets hacked, I'll know where to replace it from.
Any files that can't be found on wordpress.org I can store in a zip file or similar, for quick restore. I don't think we need to back up images, as they don't tend to get caught up in hacks.
Some code that watches major tables. Added rows can be easily deleted. I've seen a few hacks that add users; simply deleting them is the best result. I guess all the content from pages/posts will need to be backed up in the zip file.
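As an added example (not code from the post above, and not a released plugin), here is how the pieces described in it map onto WordPress's own hooks: the timed unlock window, denying disk writes, denying post/page saves, removing users added while locked, and a file scan that checks core files against the wordpress.org checksums and everything else against a baseline taken when the window closes. The `lockdown_*` function names, the option keys and the cron hook names are assumptions; the captcha step is assumed to happen before the unlock handler runs.

```php
<?php
// Lockdown: illustrative mu-plugin for wp-content/mu-plugins/. Not a released plugin; the
// lockdown_* function names, the option keys and the cron hook names are assumptions.

// 1. Lock state: the site is locked unless an admin has opened a timed window.
function lockdown_is_active() {
    return time() >= (int) get_option( 'lockdown_unlock_until', 0 );
}

// Admin opens a 1, 8 or 24 hour window by POSTing hours=N to admin-post.php?action=lockdown_unlock.
// The CAPTCHA check the post describes is assumed to have passed before this handler runs.
add_action( 'admin_post_lockdown_unlock', function () {
    if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Forbidden', 403 ); }
    check_admin_referer( 'lockdown_unlock' );
    $hours = isset( $_POST['hours'] ) ? (int) $_POST['hours'] : 0;
    if ( ! in_array( $hours, array( 1, 8, 24 ), true ) ) { wp_die( 'Choose 1, 8 or 24 hours', 400 ); }
    $until = time() + $hours * HOUR_IN_SECONDS;
    update_option( 'lockdown_unlock_until', $until, false );
    wp_schedule_single_event( $until, 'lockdown_rebaseline_event' ); // re-snapshot files when the window closes
    wp_safe_redirect( admin_url() );
    exit;
} );

// 2. Deny disk writes that go through WordPress: installs, updates, the plugin/theme editors.
add_filter( 'file_mod_allowed', function ( $allowed, $context ) {
    return lockdown_is_active() ? false : $allowed;
}, 10, 2 );

// 3. Deny inserts and updates of posts/pages through wp_insert_post() while locked.
add_filter( 'wp_insert_post_empty_content', function ( $maybe_empty, $postarr ) {
    return lockdown_is_active() ? true : $maybe_empty; // true makes wp_insert_post() refuse the save
}, 10, 2 );

// 4. Accounts created while locked are removed again (the "hack adds an admin user" pattern).
add_action( 'user_register', function ( $user_id ) {
    if ( ! lockdown_is_active() ) { return; }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    error_log( "lockdown: removed user {$user_id} created while locked" );
} );

// 5. File integrity. Core files are checked against the wordpress.org checksums for the installed
//    version; everything else (uploads excluded, as in the post) against a baseline taken at lock time.
function lockdown_files( $root ) {
    $root  = trailingslashit( wp_normalize_path( $root ) );
    $files = array();
    $iter  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $iter as $file ) {
        $rel = substr( wp_normalize_path( $file->getPathname() ), strlen( $root ) );
        if ( strpos( $rel, 'wp-content/uploads/' ) !== 0 ) { $files[ $rel ] = $file->getPathname(); }
    }
    return $files;
}

function lockdown_core_checksums() {
    require_once ABSPATH . 'wp-admin/includes/update.php';
    $sums = get_core_checksums( get_bloginfo( 'version' ), get_locale() ); // relative path => md5, or false
    return is_array( $sums ) ? $sums : array();
}

function lockdown_take_baseline() {
    $core     = lockdown_core_checksums();
    $baseline = array();
    foreach ( lockdown_files( ABSPATH ) as $rel => $path ) {
        if ( ! isset( $core[ $rel ] ) ) { $baseline[ $rel ] = hash_file( 'sha256', $path ); } // core needs no local copy
    }
    update_option( 'lockdown_baseline', $baseline, false );
}
add_action( 'lockdown_rebaseline_event', 'lockdown_take_baseline' );

function lockdown_scan() {
    $core = lockdown_core_checksums();
    if ( empty( $core ) ) { return null; } // api.wordpress.org unreachable: never scan, or core would look "new"
    $baseline = get_option( 'lockdown_baseline', array() );
    $report   = array( 'modified_core' => array(), 'modified' => array(), 'new' => array() );
    foreach ( lockdown_files( ABSPATH ) as $rel => $path ) {
        if ( isset( $core[ $rel ] ) ) {
            if ( md5_file( $path ) !== $core[ $rel ] ) { $report['modified_core'][] = $rel; } // restore from wordpress.org
        } elseif ( ! isset( $baseline[ $rel ] ) ) {
            $report['new'][] = $rel;                                                          // unknown: delete
        } elseif ( hash_file( 'sha256', $path ) !== $baseline[ $rel ] ) {
            $report['modified'][] = $rel;                                                     // restore from the zip
        }
    }
    return $report;
}

// Hourly: delete files that were not present at lock time and log everything else for the admin.
add_action( 'lockdown_scan_event', function () {
    if ( ! lockdown_is_active() ) { return; }
    if ( ! get_option( 'lockdown_baseline' ) ) { lockdown_take_baseline(); return; } // first run: snapshot, never delete
    $report = lockdown_scan();
    if ( null === $report ) { return; }
    foreach ( $report['new'] as $rel ) { wp_delete_file( ABSPATH . $rel ); }
    error_log( 'lockdown: ' . wp_json_encode( $report ) );
} );
if ( ! wp_next_scheduled( 'lockdown_scan_event' ) ) {
    wp_schedule_event( time(), 'hourly', 'lockdown_scan_event' );
}
```

Two caveats a practitioner would want stated. The `file_mod_allowed` and `wp_insert_post_empty_content` filters only gate code paths that go through WordPress; a PHP shell already on disk writes with `fopen()` and inserts rows with `$wpdb` directly, which is why the hourly scan, not the filters, is the real backstop, and why the stronger control is still file ownership (the web server user unable to write anywhere but uploads). Second, the lock state and the baseline live in the options table, so anyone with SQL access can clear them; the scan refuses to run at all when the wordpress.org checksum list cannot be fetched or no baseline exists yet, because either condition would make every legitimate file look "new" and get it deleted.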