CMS & WordPress
It seems like maybe WordPress and I are not a good match. It just gets hacked. I have one I put up for a customer maybe 1-2 years ago, no extra plugins, and it got hacked. Had the same thing with another site. It seems pretty obvious you have to put the customer on a maintenance plan if you are going to have WordPress. Our company's software, phpLD, started getting installed all over the net in the 2005 range, and many of those are still running today. There has not been a major I ever. Maybe it is because we are not as popular, but I'm really thinking about telling customers we only do WordPress if they pay for a maintenance plan, or else they will get hacked.
All you really need to do is to tell them to click on the link to update to the latest version whenever the control panel tells them that a new version has been released. It is very unlikely that a WordPress installation that is kept up to date will get hacked.
As pointed out, you need to update to the latest version of WordPress and keep all the plugins up to date.
As for the custom CMS you mentioned: since it might be used on only a few sites, no one is interested in trying to find loopholes and crash the site. But in the case of WordPress, as it is a very popular CMS, many bugs / security issues are found in core WordPress as well as plugins, and from time to time they are fixed by the respective developers.
I would recommend that you ask clients for a maintenance plan, which won't involve much work for you, as most of the time the updates are automatic at the click of a button, but at times it may involve making changes to your template code etc. to fix any display / front-end issues.
The most common reason WordPress installs get hacked is when they're on shared hosting and you can't lock down the permissions correctly, so wp-content folders are set to 777 permissions.
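Added example (not from any post in this thread): a small POSIX shell helper that resets a WordPress tree to the conventional 755/644 layout, locks wp-config.php to the owner, and then reports anything that is still world-writable. It assumes PHP runs as the file owner (suPHP or a PHP-FPM pool user); on hosts where the web server runs as a different account, the uploads directory needs group write for that account rather than o+w.

```shell
#!/bin/sh
# Hypothetical helpers for auditing and resetting WordPress file permissions.
# Assumption: PHP executes as the user who owns the files, so nothing needs
# to be writable by "other". Adjust the uploads directory if that is not true.

# wp_fix_perms DOCROOT
#   directories -> 755, files -> 644, wp-config.php -> 600
wp_fix_perms() {
    root="$1"
    [ -d "$root" ] || { echo "wp_fix_perms: no such directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php carries the DB password and the salts: owner-only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# wp_world_writable DOCROOT
#   print every path that any other user on the box can write to
wp_world_writable() {
    find "$1" -perm -0002 -print
}

# wp_world_writable_count DOCROOT
#   number of such paths; the target after wp_fix_perms is 0
wp_world_writable_count() {
    wp_world_writable "$1" | wc -l | tr -d ' '
}
```

Run `wp_world_writable /var/www/site` first to see what a previous "chmod 777 to make it work" left behind, then `wp_fix_perms /var/www/site` and check that the count drops to 0. If uploads stop working afterwards, the web server is not the file owner, and the fix is to change ownership or add group write for that one directory, not to go back to 777.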
I've had WordPress as my CMS since 2005, running on 30+ sites, and not once been hacked.
There are various other hardening measures and precautions (other than keeping up to date) that can reduce the exposure and likelihood of a WordPress site being hacked. I always carry these out for WordPress sites if there is no ongoing maintenance contract, since, as you point out, the chances are they will fall behind with updates.
- Always strip the theme of WordPress metadata
- Never use the default wp-admin directory
- Put an .htaccess password on the admin directory
- As Sean mentions, if possible lock down file permissions site-wide, and also block extraneous file types in any upload directory.
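Added example (not from any post in this thread) covering two items in the list above: a Basic-auth .htaccess for wp-admin and an allow-list .htaccess for wp-content/uploads. It assumes Apache 2.4 `Require` syntax, `AllowOverride AuthConfig` (or `All`) for the document root, and an htpasswd file stored outside the document root; the paths and function names are made up for the example.

```shell
#!/bin/sh
# Hypothetical helpers that write the two .htaccess files described above.
# Assumes Apache 2.4 with AllowOverride AuthConfig enabled for the docroot.

# wp_protect_admin DOCROOT HTPASSWD_PATH
#   Basic auth in front of /wp-admin/. admin-ajax.php is exempted because
#   themes and plugins call it from the public front end for anonymous
#   visitors; a password prompt there breaks them.
wp_protect_admin() {
    docroot="$1"; htpasswd="$2"
    [ -d "$docroot/wp-admin" ] || { echo "no wp-admin under $docroot" >&2; return 1; }
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# wp_lock_uploads DOCROOT
#   Deny everything in wp-content/uploads, then allow only media types.
#   Sections are merged in order, so the script-extension deny that comes
#   last wins even for a double extension like shell.php.jpg.
wp_lock_uploads() {
    dir="$1/wp-content/uploads"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
Require all denied

# Static media only. SVG is left out on purpose: it is XML and can carry
# <script>, so it is treated like a script rather than an image.
<FilesMatch "\.(jpe?g|png|gif|webp|pdf|mp3|mp4|ogg|webm)$">
    Require all granted
</FilesMatch>

# Anything with a script extension anywhere in the name stays denied.
<FilesMatch "\.(php[0-9]?|phtml|phar|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>
EOF
}

# wp_htpasswd_add HTPASSWD USER PASSWORD
#   Append an Apache MD5 (apr1) entry using openssl, so apache2-utils is
#   not required on the machine you generate it from.
wp_htpasswd_add() {
    printf '%s:%s\n' "$2" "$(openssl passwd -apr1 "$3")" >> "$1"
}
```

Two caveats a practitioner will hit: wp-login.php lives in the document root, not under wp-admin, so this password only covers the dashboard and not the login form itself; and if the server is actually nginx or Apache 2.2, these directives are silently ignored or rejected, so always fetch `/wp-admin/` and `/wp-content/uploads/test.php` afterwards and confirm you get 401 and 403 respectively.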
1- Keep your WordPress updated at all times.
2- Do not use a hell of a lot of plugins. Keep your plugin usage to a minimum. This is because many WP plugins are not very well coded, and that results in a website being compromised.
Have you changed the salts in wp-config.php? If not, go to https://api.wordpress.org/secret-key/1.1/salt/ and replace the originals.
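Added example (not from any post in this thread): the same salt rotation done locally with /dev/urandom instead of fetching from api.wordpress.org, plus a check for the `put your unique phrase here` placeholder that wp-config-sample.php ships with. Rotating the salts invalidates every existing login cookie, which is also why you do it after a compromise. The function names are made up for the example; it assumes the eight `define()` lines use the single-quoted form from the sample config.

```shell
#!/bin/sh
# Hypothetical helpers to audit and rotate the eight WordPress salts.

# Longer names first so substring matching never confuses AUTH_KEY with
# SECURE_AUTH_KEY or AUTH_SALT with SECURE_AUTH_SALT.
WP_SALT_KEYS="SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_KEY SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT AUTH_SALT"

# wp_default_salt_count WP_CONFIG
#   how many salt lines still carry the sample-config placeholder (0 is good)
wp_default_salt_count() {
    grep -c "put your unique phrase here" "$1" || true
}

# wp_random_salt
#   64 printable characters; quotes, backslash and space are excluded so the
#   value can be dropped into a single-quoted PHP string untouched
wp_random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=,.;:?|~<>-' < /dev/urandom | head -c 64
}

# wp_rotate_salts WP_CONFIG
#   rewrite each define('<KEY>', ...) line with a fresh value, everything
#   else is copied through unchanged; the file's mode and owner are kept
wp_rotate_salts() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "wp_rotate_salts: missing $cfg" >&2; return 1; }
    tmp="$cfg.tmp.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        replaced=0
        for key in $WP_SALT_KEYS; do
            case "$line" in
                *define*"$key"*)
                    printf "define('%s', '%s');\n" "$key" "$(wp_random_salt)"
                    replaced=1
                    break ;;
            esac
        done
        [ "$replaced" = 1 ] || printf '%s\n' "$line"
    done < "$cfg" > "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}
```

Usage: `wp_default_salt_count wp-config.php` on every site you inherit; anything above 0 means sessions are signed with a value that is public. `wp_rotate_salts wp-config.php` fixes it and logs everyone out, so schedule it rather than running it mid-edit for a client.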
Wow, what is that? Something new to me.
Most of my WordPress sites have been hacked before. I created a personal script to reset things to default. One of the most irritating problems is the template issue. I have to make sure I have a backup of the theme.
Do the following to protect your WordPress site(s):
- Change the default WordPress database prefix wp_ to something random like a45w8_.
- Change the default admin username to something new and unpredictable.
- Change the admin URL www.sitename.com/wp-admin/ to www.sitename.com/SomethingRandom.
- Change the author slug.
Points 1, 2, 3 can be done with the plugin Better Wordpress Security.
Point 4 can be done with Edit Author Slug.
I think everything has been said in these steps; it's really too important to secure the WordPress CMS, and in fact all other CMSs have to be up to date... I own several WordPress blogs and I always do the same steps...
The key to running a hack-free WordPress site is keeping it up to date at all times. Sometimes they will only release a .1 update, but it may include a quick security feature or a loophole cut out to stop hackers. The problem is they can only learn from what people report, so someone has to be on the receiving end in order to report it for others to benefit.