Secure WordPress

Postby hr-ethadmin » Sat Jun 01, 2013 11:03 am

WordPress takes security seriously, but as with any other system, problems arise when basic precautions are skipped. This article goes through some common forms of vulnerability and the things you can do to keep your WordPress installation secure.

This article is not the ultimate quick fix to your security concerns. If you have specific security concerns or doubts, you should discuss them with people whom you trust to have sufficient knowledge of computer security and WordPress.

1. Take a backup:

This is the first step and the most important. Before making any change, back up the whole site, not only the database: wp-content holds your uploads, themes and plugins, and wp-config.php holds your keys and database credentials. You can do this manually or with a plugin. I recommend BackupBuddy, which backs up the entire WordPress install. Unlike free plugins that only back up the database, BackupBuddy exports the database together with the images, files and everything else in your content folder. Pretty sweet.
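As an added example (not from the original post, and not BackupBuddy's code), here is the manual route with standard tools, covering both halves of the site: a mysqldump of the database and a tarball of wp-config.php and wp-content. The credentials are read from wp-config.php rather than typed in. It assumes mysqldump, tar and gzip are on the PATH and that DB_HOST is a plain hostname (the host:port and socket forms WordPress also accepts are not handled).

```shell
# Added example, not code from the post: manual WordPress backup.
# Assumes mysqldump, tar and gzip on PATH; DB_HOST is a plain hostname.

# Read a define()'d constant such as DB_NAME out of wp-config.php.
# Accepts either quote style and any spacing inside define( ... ).
wp_config_value() {
    file=$1
    key=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$file" | head -n 1
}

# backup_wordpress /var/www/html /var/backups/wp
# Writes db-<stamp>.sql.gz and files-<stamp>.tar.gz into the backup dir.
backup_wordpress() {
    wp_root=$1
    backup_dir=$2
    cfg=$wp_root/wp-config.php
    stamp=$(date +%Y%m%d-%H%M%S)
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    [ -n "$db_name" ] && [ -n "$db_user" ] || { echo "could not read DB settings from $cfg" >&2; return 1; }

    mkdir -p "$backup_dir" || return 1
    umask 077   # the dump holds password hashes and the keys; owner-readable only

    # --single-transaction gives a consistent InnoDB snapshot without locking
    # the site. The password goes in via MYSQL_PWD so it is not visible in ps.
    out=$backup_dir/db-$stamp
    MYSQL_PWD=$db_pass mysqldump --single-transaction --host="$db_host" \
        --user="$db_user" "$db_name" > "$out.sql" || { rm -f "$out.sql"; return 1; }
    gzip -f "$out.sql" || return 1

    # Everything the database does not contain: uploads, themes, plugins, and
    # wp-config.php with its keys and DB credentials.
    tar -czf "$backup_dir/files-$stamp.tar.gz" -C "$wp_root" wp-config.php wp-content || return 1

    echo "$out.sql.gz"
    echo "$backup_dir/files-$stamp.tar.gz"
}
```

Run it from cron as a user that can read wp-config.php. With umask 077 the archives are readable by that user only, which matters: the dump contains every password hash and the file archive contains the secret keys from step 4.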

2. Update the WordPress version:

The second crucial step, after backing up, is to update to the latest version, and to keep it there. The WordPress team releases patches for security holes, and an out-of-date install is exactly what automated attacks look for. Update plugins and themes at the same time: they are patched on their own schedules and are a more common way in than core. Follow the WordPress release feed to learn about updates, or simply log in to the admin dashboard, which tells you when a new version is available.

3. Set a non-default admin username and a strong password:

WordPress traditionally names its first administrator "admin", and every attacker knows that, so password-guessing attempts start with that username. Change it to something hard to guess. For the password, strings like "@#gdf^%^%" or "4&hH^&" are better than a dictionary word, but they are only six to nine characters long; use a password manager to generate and store something of twenty characters or more. The best thing to do is to create a new administrator account with a custom name, log in as that account, and delete the default admin, attributing its posts to the new account when WordPress asks.

4. Keys in wp-config.php

These keys are secret values that WordPress mixes into the hashes it stores in its authentication cookies and nonces. They do not encrypt user data; what they buy you is that someone who obtains a copy of your database (and with it the password hashes) still cannot forge a valid login cookie, because they do not have the keys. If they are left at the placeholder value, that protection is gone. Changing them logs every user out, which is harmless.

Use the WordPress key generator (https://api.wordpress.org/secret-key/1.1/salt/) to produce them. It returns eight defines: the four keys below plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT; paste all eight. Open wp-config.php, find the lines that look like the ones below and replace them with the generated ones:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
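As an added example (not code from the post or from WordPress), the same replacement done locally, for a host where you would rather not fetch secrets over the network: it generates eight 64-character values from /dev/urandom and writes them over whatever is currently defined for each constant. It assumes tr, head and a sed that accepts -i with a backup suffix (GNU and BSD both do), and that each define sits on one line as in the stock wp-config.php.

```shell
# Added example, not from the post: generate and install the eight
# WordPress secrets locally. Assumes /dev/urandom, tr, head, sed -i.suffix.

WP_SECRET_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character secret from the kernel CSPRNG. The character set leaves
# out the quote characters, backslash, & and | so the value can be dropped
# into a single-quoted PHP string and into a sed replacement unchanged.
wp_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=<>?~,.:;-' < /dev/urandom | head -c 64
}

# Replace the value of each define('NAME', '...') in wp-config.php, whatever
# it currently is, with a fresh secret. A .bak copy of the file is kept.
# Usage: wp_install_secrets /var/www/html/wp-config.php
wp_install_secrets() {
    cfg=$1
    cp "$cfg" "$cfg.bak" || return 1
    for name in $WP_SECRET_NAMES; do
        value=$(wp_secret)
        sed -i.tmp "s|^\([[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*\)['\"][^'\"]*['\"]|\1'$value'|" "$cfg" || return 1
        rm -f "$cfg.tmp"
    done
}

# Length of the value currently set for one constant (0 if it is not defined).
wp_secret_length() {
    v=$(sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    printf '%s' "$v" | wc -c | tr -d ' '
}

# Exit 0 only if no placeholder is left and all eight secrets are at least 64 characters.
wp_secrets_ok() {
    grep -q 'put your unique phrase here' "$1" && return 1
    for name in $WP_SECRET_NAMES; do
        [ "$(wp_secret_length "$1" "$name")" -ge 64 ] || return 1
    done
    return 0
}
```

wp_secrets_ok is the check to run afterwards, and again whenever you restore a backup or clone the site: a copied wp-config.php that still carries the placeholders, or the same keys as another site, is the usual way this step gets undone.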

5. Security scan

Installing a security scanner plugin is the easy, automated part. A plugin such as WP Security Scan (used again in step 6) checks your installation for weak settings and reports malicious code it recognises. When everything in its admin panel shows green you are in reasonable shape; treat that as a baseline rather than a guarantee, since a scanner only reports what it knows how to look for.

6. Table prefix:

The default table prefix for WordPress is wp_. I know that, you know it, and I am sure the hacker does too. Canned SQL injection scripts assume the default prefix, so changing it breaks them; be aware, though, that this is obscurity rather than a fix: anyone with a working injection point can usually read the real table names from information_schema. It is still worth doing, and there are two ways. The manual way is real work and not for beginners: every table has to be renamed, the rows in the options and usermeta tables whose names embed the prefix (wp_user_roles, wp_capabilities, wp_user_level) have to be updated too, and $table_prefix in wp-config.php has to be changed; miss the second part and every user loses their role. The WP Security Scan plugin makes this much easier: its "Database" tab lets you rename the whole set of tables to a prefix that is tough to guess, such as "mashjg23_" or "sasdoe265_". Take the backup from step 1 first. Do this and you are a step closer to strengthening your blog's security.
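As an added example (not from the post or from the plugin), here is what the manual way amounts to. The script prints the SQL for a prefix change so you can review it before feeding it to the mysql client, and rewrites $table_prefix in wp-config.php. It assumes the stock set of core tables (as of WordPress 4.4); plugin tables that use the prefix have to be added to WP_CORE_TABLES by hand.

```shell
# Added example, not from the post: the SQL behind a table-prefix change.
# Assumes the stock core tables; add plugin tables to WP_CORE_TABLES.

WP_CORE_TABLES="commentmeta comments links options postmeta posts termmeta terms term_relationships term_taxonomy usermeta users"

# wp_prefix_rename_sql OLD NEW  -> SQL on stdout, e.g.
#   wp_prefix_rename_sql wp_ mashjg23_ > rename.sql && mysql wpdb < rename.sql
wp_prefix_rename_sql() {
    old=$1
    new=$2
    for t in $WP_CORE_TABLES; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Rows whose *names* embed the prefix: wp_user_roles in options and
    # wp_capabilities / wp_user_level in usermeta. Forget these and every
    # user silently loses their role. The underscore is escaped because it
    # is a single-character wildcard in LIKE.
    start=$(( ${#old} + 1 ))
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    cat <<EOF
UPDATE \`${new}options\` SET option_name = CONCAT('${new}', SUBSTRING(option_name, ${start})) WHERE option_name LIKE '${old_like}%';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${start})) WHERE meta_key LIKE '${old_like}%';
EOF
}

# wp_set_table_prefix /path/to/wp-config.php NEW
# Rewrites the $table_prefix = '...'; line in place and keeps a .bak copy.
wp_set_table_prefix() {
    sed -i.bak "s|^\([[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"]|\1'$2'|" "$1"
}
```

Put the site into maintenance mode, apply the SQL, change wp-config.php, then check that you can still log in and that the Users screen still shows roles; if it shows "None", the two UPDATE statements did not run.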

7. Keep search engine spiders from indexing the admin section

Search engine spiders crawl your entire blog and index everything unless told not to. We do not want the admin section indexed: it is of no use in search results and it advertises your login and plugin URLs. The easiest way to keep well-behaved crawlers out is a robots.txt file in your web root with the content below. Bear in mind what robots.txt is: a request that honest crawlers honour and that anyone else can read as a map of your site. It keeps URLs out of search results; it does not stop anyone from fetching them. Access control is what the .htaccess rules in the following steps are for.

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

8. .htaccess:

.htaccess (hypertext access) is the default name of Apache's directory-level configuration file, which lets configuration be managed per directory from inside the web tree. .htaccess files are commonly used to set security restrictions for a particular directory. This is not a tip in itself, but you should know about .htaccess because a lot of WordPress hardening is done with it. I am not going to go into depth on the mechanism, but I found some sweet .htaccess tricks that tighten WordPress security; see them below. Two things to know before you start: the directives only take effect if the server's AllowOverride setting permits them (otherwise every page returns a 500 error), and the Order/Deny/Allow syntax used here is the Apache 2.2 form; Apache 2.4 uses Require instead and only accepts the old form when mod_access_compat is loaded.

9. Protect .htaccess

After tweaking .htaccess to protect your blog, you cannot leave .htaccess itself open to attack. The rule for this denies web access to any file whose name starts with .hta, so the contents of your configuration are never served. Place it in your domain's root .htaccess file. Apache's stock httpd.conf already denies .ht* files; the rule is a safeguard for hosts where that default has been altered.

10. Directory browsing:

It's not a good idea to let visitors browse your directories. A listing hands out your directory structure and the names and versions of your plugins and themes, which makes it easier for attackers to find a vulnerable one.

To stop this, add the two lines below to the .htaccess in the root directory of your WordPress blog. Use -Indexes on its own: "Options All -Indexes" would also switch on every other option, including ExecCGI and Includes, which is the opposite of what you want.

# disable directory browsing
Options -Indexes

11. Secure wp-config.php

wp-config.php is the most sensitive file in the install: it holds the database credentials and the secret keys. PHP normally executes it rather than serving it, but a broken PHP handler or a misconfiguration can turn that into a plain-text download, so deny web access to it outright with .htaccess. Adding the block below to the .htaccess in the root directory does the trick on both Apache 2.2 and 2.4:

# protect wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>

12. Limit access to the wp-content directory

wp-content contains everything you have uploaded or installed: plugins, themes and uploads. You don't want visitors executing or fetching anything in there except the static files a page needs: images (jpg, gif, png), JavaScript, CSS and XML. Denying everything else blocks direct requests to PHP files inside plugins and themes, which is where a lot of automated exploitation starts.

Add the following .htaccess file inside the wp-content folder. Note that the allow-list is exactly that: if your site serves PDFs, fonts, video or SVG from uploads, or uses a plugin that is called directly by URL, add those types (or that file) or they will return 403. Test the site after enabling it.

# wp-content: deny everything but static assets
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
  Allow from all
</FilesMatch>

13. Secure wp-admin files

wp-admin should be accessible only to you and your fellow bloggers (if any). You can use .htaccess to restrict the directory to specific IP addresses.

If you have a static IP address and always blog from the same computer, this is a good option. If you run a multi-user blog, you can skip it or allow a range of addresses instead; see Apache's mod_access (mod_authz_host on 2.4) documentation for the syntax. One exception is needed: wp-admin/admin-ajax.php is called from the public side of the site by many themes and plugins, so it has to stay reachable or those features break for every visitor. Also note that Apache does not allow a comment on the same line as a directive, so keep the comment on its own line or the file will produce a 500 error.

Copy and paste the code below into the .htaccess in the wp-admin folder (not the root folder), replacing xx.xx.xx.xx with your static IP:

# wp-admin: only my static IP, except for admin-ajax.php
Order deny,allow
Deny from all
Allow from xx.xx.xx.xx
<Files admin-ajax.php>
  Allow from all
</Files>

14. Script injection:

I found this code on wprecipes and it works like a charm. It returns 403 for any request whose query string carries a <script> tag (raw or URL-encoded) or tries to set _REQUEST or GLOBALS, the latter being the old register_globals trick. Be clear about what it is: a pattern match on the query string only. It does not look at POST bodies, paths or headers; it recognises one shape of payload, so an injection using an event handler instead of a script tag, or any SQL injection, passes straight through; and it has nothing to do with SQL injection. Treat it as a speed bump in front of properly patched code, not as a web application firewall. mod_rewrite in .htaccess needs FollowSymLinks (or SymLinksIfOwnerMatch) enabled, which is what the first line does.

Simply copy and paste the code below into the .htaccess in the root:

# block obvious script-injection and register_globals query strings
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
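As an added example (not from the post or from wprecipes), here are the three RewriteCond patterns replayed with grep over constructed query strings, so you can see what the rule catches and what slips through before relying on it. The [NC] flag on the first condition becomes grep -i; the other two stay case-sensitive, as in the rule. It assumes a grep that supports -E.

```shell
# Added example, not from the post: replay the RewriteCond patterns with
# grep over constructed query strings. Assumes grep -E.

# Exit 0 if the rule would answer 403 for this query string, 1 otherwise.
wp_rewrite_blocks() {
    qs=$1
    # RewriteCond 1: a <...script...> tag, raw or URL-encoded, any case ([NC])
    printf '%s' "$qs" | grep -Eiq '(<|%3C).*script.*(>|%3E)' && return 0
    # RewriteCond 2 and 3: GLOBALS or _REQUEST followed by =, [ or %xx (case-sensitive)
    printf '%s' "$qs" | grep -Eq 'GLOBALS(=|\[|%[0-9A-Z]{0,2})' && return 0
    printf '%s' "$qs" | grep -Eq '_REQUEST(=|\[|%[0-9A-Z]{0,2})' && return 0
    return 1
}

# One verdict line per query string.
wp_rewrite_report() {
    for qs in "$@"; do
        if wp_rewrite_blocks "$qs"; then
            printf 'BLOCKED  %s\n' "$qs"
        else
            printf 'allowed  %s\n' "$qs"
        fi
    done
}

# Constructed samples: the first four are caught, the last three are not,
# which is the point: the rule matches one shape of payload in one place.
wp_rewrite_demo() {
    wp_rewrite_report \
        's=%3Cscript%3Ealert(1)%3C%2Fscript%3E' \
        's=<SCRIPT>alert(1)</SCRIPT>' \
        'GLOBALS[x]=1' \
        '_REQUEST=1' \
        's=<img src=x onerror=alert(1)>' \
        'url=javascript:alert(1)' \
        'globals[x]=1'
}
```

The three misses show the limits: an event-handler payload has no "script" in it, a javascript: URL has no angle bracket, and a lower-case GLOBALS is not matched because the second and third conditions lack [NC]. Anything sent in a POST body is never inspected at all.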
