Harden the server itself.
Really, the practice of giving it its own directory is another security-through-obscurity which will slow someone down by maybe five minutes.
There are already extra features built in the multisite to stop non-super-admins from wrecking things. The best thing you can do is to stop people from lifting your FTP password, because that’s a bajillion times easier to get.
Use sftp or ssh to do work on your server instead, or via a web control panel and pick super-complex passwords. 😉
Got it. Thank you once again, Andrea 😉
Also don’t use the same password for WordPress as your FTP/SSH server.
The one and only time my server was infected was when I used a Windows PC with no virus scanning, got a weird popup, AND was FTPing. Yeah, I knew it was screwy right then and there. Ended up with Darkmailer on my box!
Oh, this one time? I got hacked and it was my own darn fault.
Somehow, permissions on my wp-config were set so someone could snag it and read it. The DB user’s password was the same as my cPanel/FTP password.
DOH. Yeah, bonehead all the way. (In my own defense, this was, like, 4-5 years ago…)
Now, the hacker was not able to get into WordPress. They were able to get into my files though, and lucky for me all they did was put an index.html on the server, which overrode all the WordPress stuff.
Lesson learned, never forgot it.
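A check for the readable-wp-config situation described in that post, added here as an example and not taken from the thread: it reports whether wp-config.php (which stores the DB password in plain text) is readable by group or other. It assumes a POSIX sh with GNU or BSD stat(1) and only reports; it changes nothing.

```sh
#!/bin/sh
# Added example, not code from the thread. Flags a WordPress wp-config.php
# whose permission bits let group or other accounts read it, which is how
# the DB password inside it leaks on a shared host. Assumes POSIX sh and
# stat(1) from GNU coreutils or BSD/macOS (both forms are tried).

# file_mode PATH -> prints the octal permission bits, e.g. 644 or 600
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# wp_config_exposed PATH -> returns 0 if group or other can read the file,
# 1 if only the owner can, 2 if the file cannot be inspected
wp_config_exposed() {
    mode=$(file_mode "$1") || return 2
    rest=${mode%?}                 # everything but the "other" digit
    other=${mode#"$rest"}          # last octal digit  (other)
    group=${rest#"${rest%?}"}      # second-to-last    (group)
    # the read bit (4) is set in the digits 4, 5, 6 and 7
    case "$group" in 4|5|6|7) return 0 ;; esac
    case "$other" in 4|5|6|7) return 0 ;; esac
    return 1
}

# audit_wp_config PATH -> prints a verdict; exit 0 only when owner-only
audit_wp_config() {
    wp_config_exposed "$1"
    rc=$?
    case $rc in
        0) echo "EXPOSED: $1 is mode $(file_mode "$1"); fix with: chmod 600 '$1'"
           return 1 ;;
        1) echo "OK: $1 is mode $(file_mode "$1") (owner-only)"
           return 0 ;;
        *) echo "ERROR: cannot read permissions of $1"
           return 2 ;;
    esac
}

# Usage: sh this_script.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
fi
```

The same check is worth running on any file that holds credentials, not just wp-config.php.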
Yeah, I learned it the same way. All my 7 WordPress blogs (some of which were institutional) got hacked too. That’s why I got obsessive with security 🙁