Diego Vogel 12,876 Points
Am I creating a back door for hackers?
Here's the situation. I have a static portfolio site that I've built from scratch with HTML/CSS/JS. Nothing fancy, just a projects page, about page, contact page. All the files are stored in the root directory, and within that root directory I have a folder that contains a WordPress multisite installation. This is where I will host client sites.
My portfolio site doesn't have any input fields or anything, just a static site where people can view my projects. But I haven't done anything to secure it.
I'm not too worried about the portfolio site itself, but my concern is this: would someone be able to hack through my portfolio site to the root directory and from there get into my WordPress multisite network? Am I creating a "back door" to the WordPress sites by having an unsecured site at the root level and the WordPress sites in a subdirectory? Or is WordPress secure from "both sides", if that makes sense? Thanks in advance for any advice on this.
Kevin Korte 28,148 Points
You should be fine; if you have no inputs, you really have no entry points. It's like having a house with no doors or windows; it's almost impossible to break in.
Just make sure the password to your hosting login is secure. Also, your WordPress site poses more of a threat than anything. WordPress being open source means would-be hackers are able to find holes in the source code, and use that exploit to act maliciously on your site. They also are able to know the exact database schema WordPress uses, so you must use a unique and unguessable database table prefix, and also make sure you set your salts in your wp_config, and keep your WordPress install up to date at all times, and you should be good to go.
Your simple portfolio site is the least of your problems.
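The two configuration checks named in the answer above (a non-default table prefix and salts that are actually set) can be automated against the contents of `wp-config.php`. This is an added example, not part of the original thread; the function name `audit_wp_config`, the 32-character minimum and the sample input are assumptions made for illustration.

```python
import re

# The eight secret constants WordPress reads from wp-config.php.
SALT_KEYS = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_SALT_LEN = 32  # assumption: local policy threshold, not a WordPress rule
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*(['"])(.*?)\1\s*;""", re.M)


def audit_wp_config(text):
    """Return a list of findings for the contents of a wp-config.php file."""
    findings = []
    # Drop whole-line // and # comments so commented-out defines are ignored.
    code = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith(("//", "#")))
    m = PREFIX_RE.search(code)
    if m is None:
        findings.append("table_prefix: not set")
    elif m.group(2) == "wp_":
        findings.append("table_prefix: still the default 'wp_'")
    defined = {name: value for name, _, value in DEFINE_RE.findall(code)}
    seen = {}  # value -> first key that used it, to catch copy-pasted salts
    for key in SALT_KEYS:
        value = defined.get(key)
        if value is None:
            findings.append(f"{key}: missing")
        elif value == PLACEHOLDER:
            findings.append(f"{key}: sample placeholder")
        elif len(value) < MIN_SALT_LEN:
            findings.append(f"{key}: shorter than {MIN_SALT_LEN} chars")
        elif value in seen:
            findings.append(f"{key}: same value as {seen[value]}")
        else:
            seen[value] = key
    return findings


# Constructed sample: default prefix, one placeholder key, one short key.
SAMPLE = """<?php
define( 'AUTH_KEY', 'put your unique phrase here' );
define('NONCE_KEY', 'short');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE)))
```

An empty list means both checks passed; it says nothing about whether the WordPress core, themes and plugins are up to date, which has to be checked separately.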