
I'm a front-end and WordPress developer. A week ago a number of my sites got hacked on shared hosting.

The sites were built to a high standard, from scratch, using Underscores. I only use a small number of reputable plugins (ACF, Gravity Forms and Yoast). WordPress was up to date, in addition to all plugins. Security hardening had been enabled via the free Sucuri plugin and a number of other precautions had been put in place (brute force protection, changing the wp_ prefix, etc.).

I couldn't find any vulnerable plugins. By performing a reverse IP check, I can see that there are well over 600 sites on the same server. I suspect that the hack came from a vulnerability within the server. Unfortunately, I cannot confirm this as some of the logs were missing. Since my host has been taken over by GoDaddy, its support has dipped and issues have increased.

In the coming weeks, I'll be migrating each site to a Digital Ocean WordPress Droplet. When logging in via SSH, I can see that each droplet comes with UFW enabled in addition to Fail2Ban, like so:

The "ufw" firewall is enabled. All ports except for 22, 80, and 443 are BLOCKED.
To secure your WordPress installation, fail2ban has been configured and the
WordPress fail2ban plugin is a site enforce module in. If you do not want to use this
plugin, remove /var/www/html/wp-content/mu-plugins/fail2ban.

As UFW is enabled, is it recommended that an additional firewall be set up within the droplet?

To maximise security, I would also like to use one of the following WAF and scanner setups:

  1. Cloudflare Free Plan + Wordfence Premium or Sucuri Website Security Platform
  2. Cloudflare Pro + Wordfence Free or Sucuri Free
  3. Cloudflare Pro + Wordfence Premium or Sucuri Website Security

Would using multiple WAFs (like Cloudflare Pro and Wordfence Premium or Sucuri Website Security Platform) cause any conflicts and slow down the site?

Sam
  • This sounds a bit like asking for software recommendations, so it might be off-topic for this site. Can you edit the question to make it more about principles of information security, rather than about specific products or services? – browly Sep 13 '18 at 22:55
  • Thank you, I've removed the part which asks for a recommendation. The question is now more geared towards whether using multiple WAFs would slow the site down. – Sam Sep 14 '18 at 11:16
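As an added example (not part of the question above, and not DigitalOcean's own droplet tooling): a small POSIX shell audit that checks the two things the droplet notice claims. It parses `ufw status` output and flags any ALLOW or LIMIT rule for a port outside the 22/80/443 set, and it reports whether the fail2ban must-use plugin path quoted in the notice is present. The `ufw status` text used when the script is run off-box is a constructed sample (it deliberately includes an extra 3306 rule so there is something to flag); the `unexpected_allows` and `audit_droplet` function names are my own.

```shell
#!/bin/sh
# Added example, not from the original question or from the droplet image.
# Audits "ufw status" output against the ports the droplet notice says are
# open (22, 80, 443) and checks for the fail2ban mu-plugin it mentions.

EXPECTED_PORTS="22 80 443"

# Path quoted in the droplet notice.
F2B_MU_PLUGIN=/var/www/html/wp-content/mu-plugins/fail2ban

# Constructed sample of "sudo ufw status" output. It includes an extra
# ALLOW rule for 3306 (MySQL) so the audit has something to report.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3306/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# unexpected_allows STATUS_TEXT
# Prints, one per line, every port that ufw ALLOWs or LIMITs (both admit
# traffic) and that is not in EXPECTED_PORTS. Returns 0 when nothing
# unexpected was found, 1 otherwise.
unexpected_allows() {
    found=0
    # Keep only rule rows (they carry ALLOW or LIMIT), then strip the
    # "/tcp" or "/udp" suffix from the first column to leave the bare port.
    for port in $(printf '%s\n' "$1" \
            | awk '/ (ALLOW|LIMIT) / { sub(/\/.*/, "", $1); print $1 }' \
            | sort -u); do
        ok=0
        for e in $EXPECTED_PORTS; do
            [ "$port" = "$e" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$port"
            found=1
        fi
    done
    return "$found"
}

# audit_droplet
# Runs the port audit on the live firewall when ufw is available and we are
# root, otherwise on the constructed sample, then reports whether the
# fail2ban mu-plugin from the notice is in place. Always returns 0; the
# findings are in the printed report.
audit_droplet() {
    if command -v ufw >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        status=$(ufw status)
        echo "Auditing live ufw rules"
    else
        status=$SAMPLE_UFW_STATUS
        echo "ufw not available or not root: auditing constructed sample"
    fi

    if extra=$(unexpected_allows "$status"); then
        echo "OK: only expected ports ($EXPECTED_PORTS) are allowed"
    else
        echo "WARN: ports allowed beyond $EXPECTED_PORTS:"
        printf '  %s\n' $extra
    fi

    if [ -e "$F2B_MU_PLUGIN" ]; then
        echo "fail2ban mu-plugin present at $F2B_MU_PLUGIN"
    else
        echo "fail2ban mu-plugin not found at $F2B_MU_PLUGIN (WordPress login failures will not feed fail2ban)"
    fi
}

audit_droplet
```

Run it as root on the droplet after hardening to confirm the notice still holds; a LIMIT rule on 22 is treated as open here on purpose, since rate limiting narrows exposure but does not close the port.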

0 Answers