site closed due to malicious injection

This is a general question. I have several customers who manage their own WordPress installations. Recently a site that had not been updating their plugins or WP had a malicious code injection that affected one of my servers and resulted in the server IP address being blacklisted by Spamhaus and others. I have 2 questions about this. How can you enforce users to maintain their installations? Can you penalize them if they don't? How do you protect your server? I hope that this is within the scope of your support and I look forward to your knowledge and thoughts on this extremely important subject.
Thanks.

  • Michelle Shull
    • DEV MAN’s Apprentice

    Heya, Jim!

    There's no way to completely human-proof sites you don't have 100% control of, but you can make sure everyone gets automatic background updates: https://codex.wordpress.org/Configuring_Automatic_Background_Updates

    Updated software will help prevent bad things from happening, but it doesn't stop them. Neglected websites are targets for brute force attacks (where computers guess username/pw combos) or malicious injection, like you saw on your clients' sites. Good security can help, a lot, but nothing is going to match being diligent about checking in on the sites you're hosting frequently. If you're running a massive hosting company, that's going to be hard, but one server's worth of sites shouldn't be insurmountable to keep track of.

    What are you doing server-side to address security? Is it a machine you maintain, or are you sub-letting a server you rent from another hosting service?

    Thanks, and good luck!

  • Michelle Shull
    • DEV MAN’s Apprentice

    Hey Jim!

    Do you know if anything has been done at the server end to help protect your sites, or is it one of those "you're on your own" places? If you've got full control, your options are greater, if you're comfortable working with the server software itself.

    WordFence Security isn't cheap, but it provides a broad spectrum of protection to sites, without needing a lot of checking in. That and auto-updates should make things exponentially more secure than they are now.

    Hope this helps!
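
Added example, not part of the original thread: one way a host could check which WordPress installs on a server have background updates switched off, which both replies above recommend keeping on. It assumes each site keeps `wp-config.php` in its WordPress root and uses a heuristic comment stripper; the helper names, directory names and version numbers are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

DEFINE = r"define\(\s*['\"]{name}['\"]\s*,\s*['\"]?(\w+)['\"]?\s*\)"

def strip_comments(php: str) -> str:
    """Heuristic: drop /* */ blocks and whole-line // or # comments."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", php)

def constant(php: str, name: str):
    """Return the lower-cased value of define('<name>', ...) or None."""
    m = re.search(DEFINE.format(name=name), php)
    return m.group(1).lower() if m else None

def audit_install(root: Path) -> dict:
    """Report core version and update settings for one WordPress root."""
    ver_php = (root / "wp-includes" / "version.php").read_text(errors="replace")
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", ver_php)
    cfg_path = root / "wp-config.php"  # assumption: config sits in the WP root
    cfg = cfg_path.read_text(errors="replace") if cfg_path.is_file() else ""
    cfg = strip_comments(cfg)
    disabled = constant(cfg, "AUTOMATIC_UPDATER_DISABLED") == "true"
    core = constant(cfg, "WP_AUTO_UPDATE_CORE") or "default"
    return {"path": str(root), "version": m.group(1) if m else "unknown",
            "core_updates": core, "flagged": disabled or core == "false"}

def audit_server(base: Path) -> list:
    """Find every install under base by its wp-includes/version.php."""
    hits = sorted(base.rglob("wp-includes/version.php"))
    return [audit_install(p.parent.parent) for p in hits]

def demo() -> list:
    """Constructed sample tree: one site with updates off, one with them on."""
    sites = {
        "client-a": ("4.9.1", "define('AUTOMATIC_UPDATER_DISABLED', true);"),
        "client-b": ("6.4.2", "// define('WP_AUTO_UPDATE_CORE', false);\n"
                              "define( 'WP_AUTO_UPDATE_CORE', 'minor' );"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (ver, cfg) in sites.items():
            inc = Path(tmp) / name / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
            (inc.parent / "wp-config.php").write_text("<?php\n" + cfg + "\n")
        return [{**r, "path": Path(r["path"]).name}
                for r in audit_server(Path(tmp))]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a real server, call `audit_server()` on the directory that holds the customer docroots and follow up on every row where `flagged` is true or the reported version is old.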
