How to use v-lock-wordpress to prevent spreading or being infected by PHP malware

Post Reply
shahidirfan
Posts: 12
Joined: Sat Sep 05, 2020 11:28 am

Hi,

for security reasons I want to use this command.

How can I use it to lock a specific domain?
Tags:
security
wordpress
Top
User avatar
isscbta
Posts: 91
Joined: Mon Jul 19, 2021 1:41 am
Has thanked: 7 times
Been thanked: 3 times

This command has the following syntax:

Code: Select all

v-lock-wordpress DOMAIN
In this case, you should simply write the URL of your website instead of the DOMAIN - for example:

Code: Select all

v-lock-wordpress yourdomain.com
For updating purposes, you will have to first unlock your website by running the following command:

Code: Select all

v-unlock-wordpress yourdomain.com
The following is a further explanation of the code inside:

This script does the following to prevent PHP-FPM from editing/adding any files:

Code: Select all

chmod -R 0755 public_html/
chown -R www-data:www-data public_html/
This way, PHP-FPM that is running as local user, can not edit/add any files.

Additionally, for those folders :
  • wp-content/uploads/
  • wp-content/cache/
It will execute:

Code: Select all

chmod -R 0755
chown -R currentUser:currentUser
That will allow editing/adding there, but... then
  • it will add .htaccess file to prevent execution of .php files inside those folders.
So, since PHP files cannot be executed from those folders, it is safe to allow uploading and modifying files there, so user can upload images.

Additionally, the script checks and corrects file and folder permissions:

Code: Select all

find public_html/ -type d -exec chmod 755 {} +
find public_html/ -type f -exec chmod 644 {} +
IMPORTANT:
As mentioned before, you will have to use v-unlock-wordpress in order to be able to update your WordPress site - since the process involves changing PHP files.
Top
mau.sav
Posts: 2
Joined: Tue May 24, 2022 5:08 pm

Hello, this feature seems really amazing, but i have a concern: can i use it safely on a woocommerce based site? I mean locking WP still keep the site working as usual (except for the update process indeed)?

Thank you
Top
User avatar
myVesta
Site Admin
Posts: 800
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 4 times
Been thanked: 5 times

Try.
The solution is not perfect for every scenario, for example, if some plugin put custom .php script inside /wp-content/uploads/ - that .php script will definitely fail execution.
However, we successfully locked few WordPress sites that have WooCommerce, without any problem.
Top
Post Reply

Return to “WordPress”