WordPress Security Tutorial

I have been revisiting the various security settings of my WordPress blog after the sudden database table corruption of this blog for unknown reason last week. In this post I have highlighted some of the security tips that can help protect your blog from possible outside attacks.

blog_security_128_2

 

Protect your WordPress Admin Area

It is important to restrict the access to your WordPress admin area only to people that actually need access to it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get our home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>

In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.

If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks) restricting your admin area to a single IP address or to few IPs can be inconvenient. In such cases we recommend that you limit the number of incorrect login attempt to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password. For such purposes, you can use a nice little plugin called Limit login attempts.

Don’t use the “admin” username

Most of the attackers will assume that your admin username is “admin”. You can easily block a lot of brute-force and other attacks simply by naming your admin username differently. If you’re installing a new WordPress site, you will be asked for username during the WordPress installation process. If you already have a WordPress site, you can follow the instructions in our tutorial on how to change your WordPress username.

Use strong passwords

You will be surprised to know that there are thousands of people that use phrases like “password” or “123456” for their admin login details. Needles to say, such passwords can be easily guessed and they are on the top of the list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and you can remember easily. Such passwords are much, much better than single phrase ones.

Consider two-factor authentication

Enabling two-factor authentication for your WordPress website will significantly improve the security of your website. One of the easiest ways to do this is to use Google 2 factor authentication or Clef to authenticate using your mobile phone. For all SiteGround users, Clef authors have created an ad-free version of their plugin. Check out our Clef tutorial for more information on that matter.

Make sure you’re site is on a secured WordPress hosting

Your WordPress site is as secured as your hosting account. If someone can exploit a vulnerability in an old PHP version for example or other service on your hosting platform it won’t matter that you have the latest WordPress version. This is why it is important to be hosted with a company that has security as a priority. Some of the features that you should look for are:

  • Support for the latest PHP and MySQL versions
  • Account isolation
  • Web Application Firewall
  • Intrusion detecting system

Ensure your computer is free of viruses and malware

If your computer is infected with virus or a malware software, a potential attacker can gain access yo your login details and make a valid login to your site bypassing all the measures you’ve taken before. This is why it is very important do have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site on a high level.

Use Strong Passwords for all Entry Points

I was surprised to find out how many of my friends use the WordPress admin password generated by WordPress during install time and thinks that their blog is protected from attacks as they are using a strong password! The WordPress admin password generated during install time is normally pretty strong (consists lowercase and uppercase letters with numbers and symbols) so there is nothing wrong with that. I was mainly shocked to find out that their ftp/cPanel password for that domain is not that strong. It gets even better… one of them were using his partners name as the password (Did I mention that his partner’s name was mentioned on his blog’s ‘About’ page?)! The ftp/cPanel password for your domain is equally important. If someone can access your cPanel then that person can delete your WordPress database from the cPanel->Databases->MySQL Databases. Anyway, the bottom line is to use strong passwords for all entry points not just one.

Add a CAPTCHA on your WordPress Login page

Adding a simple captcha to your WordPress login page is another great way to minimize the chance of a bot/script gaining access to your site via a brute force attack. Its recommended to add Googles Recaptcha for WP https://www.google.com/recaptcha/intro/index.html

Protect the ‘wp-admin’ Directory

Use a .htaccess file in the ‘wp-admin’ directory to limit access to only certain IP addresses (your home, work etc). The WordPress htaccess tips post has more htaccess related tips and tricks. Below is an example .htaccess file that can be used for this purpose (replace ‘x’ and ‘y’ with your IP address)

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy

If you don’t have static IP addresses then the above method can be a bit hard to implement. In that case you could the use of AskApache Password ProtectWordPress plugin. The ‘AskApache Password Protect’ plugin adds good password protection to your WordPress Blog. Use the Login Lockdown feature of the all in one WP Security Plugin to protect your blog against brute force attack (a brute force attack is a method of defeating a cryptographic scheme by systematically trying a large number of possibilities)

Deny access to your Plugins and other directories

A lot of bloggers don’t protect access to their WordPress plugins directory. What I mean by this is that if you go to the www.your-domain.com/wp-content/plugins/ from a browser it shows all the plugins that you are using. Many wordpress plugins can have vulnerabilities which the attacker can use to harm your blog. So, its a good idea to block access to these directories. You can use a .htaccess file or just upload a blank ‘index.html’ file to that directory to block access to these directories. (download a blank index.html)

Update WordPress to the Latest Release

As new WrodPress versions are released the security bugs for previous release becomes public information. WordPress could have vulnerabilities as a result of how the program is written that allow an attacker to pass HTTP arguments, bad URI strings, form input, etc, that could cause Bad Things to happen. So always upate your WordPress to the latest version to make sure that you are protected against any known security bugs.

Don’t Show WordPress Version on Your Blog

You should not make the WordPress version that you are using visible to others for the same reason explained above. The specific WordPress version that you are using can give the attacker an upper hand in finding a way to break in.

Backup Your Data

I can’t stress this enough… always keep backups of all the important files. I always backup my WordPress Database and WordPress files in case of emergency. Read my what would you do if you lost all your blog’s content article to find out how backups can help you sleep better at night :)

Be careful when you upload something to your site

When you upload a script (example: a plugin, a theme or just a normal script) to your site you need to be extra careful as it can harm your site if it was designed to do so. Only upload authentic content to your site. Never download a plugin or a theme from a warez or torrent or file sharing sites. The content on these sites can be disguised as a plugin or a theme but it will harm your site when uploaded to your server. You can read more on these types of attack from the free premium plugin and theme downloaders beware article.

 

Advanced WordPress Security Tips

However, if you are in the mood for some advanced tweaking then the following security tips should come in handy ;)

NOTE and DISCLAIMER

Most of these techniques require you to understand what you are doing.

It is strongly recommended that you first test these techniques on a test or development site before applying them to your live site. Doing some of the tips suggested here can break your site if not performed correctly.

We take no responsibility for any mishaps as a result of your efforts in applying the techniques discussed in this article.

Also note that these techniques assume that your WordPress installation is running Apache and you have mod_alias and mod_rewrite installed.

1. Disable HTTP Trace Method

There is a security attack technique called Cross Site Tracing (XST) which can be used together with another attack mechanism called Cross Site Scripting (XSS) which exploits systems which have HTTP TRACE functionality. HTTP TRACE is a default functional feature on most webservers and is used for things like debugging. Hackers who use XST will usually steal cookie and other sensitive server information via header requests.

You can disable the trace functionality either via your Apache configuration file or by putting the following in your .htaccess file:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]

2. Remove header outputs from your WordPress installation

WordPress can often add quite a lot of output in your header pertaining to various services. The following code shows how you can remove a lot of this output.

Warning: This can break some functionality if you are not careful. Eg, if you’re using RSS feeds then you may want to comment that line out.

Add the following code to your theme’s functions.php file:

remove_action('wp_head', 'index_rel_link');
remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'parent_post_rel_link', 10, 0);
remove_action('wp_head', 'start_post_rel_link', 10, 0);
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0);
remove_action('wp_head', 'wp_generator');
remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0);
remove_action('wp_head', 'noindex', 1);

3. Deny comment posting via proxy server

You can reduce spam and general proxy requests by attempting to prevent comments which are posted via a proxy server. Use the code below (compliments of perishablepress.com) in your .htaccess file:

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]

4. Change your default WordPress DB prefix

You may already be aware that WP uses a default prefix value of “wp_” for the DB tables. This can in turn be used by malicious bots and hackers to guess your DB table names.

In general, changing your WP DB prefix value is much easier to do at installation time because you can set it in your wp-config.php file.

Conversely if you already have a live WP site and you wish to change your DB prefix, then the procedure is a little more complicated.

A basic guide for changing the DB prefix after an install for those who are curious is briefly outlined below:

1) Do a full DB backup and save the backup somewhere offboard. Using something like BackupBuddy can useful.
2) Do a complete dump of your WP DB using PHPMyAdmin into a text file and save 2 copies – one for editing and the other as an original just in case.
3) Using a good code editor, replace all instances of “wp_” with your own prefix.
4) From your WP admin panel, deactivate all plugins
5) Using PHPMyAdmin, drop your old DB and import your new one using the file you edited in step 3.
6) Edit your wp-config.php file with the new DB prefix value.
7) Re-activate your WP plugins
8) Perform another save on your permalink settings by going to Settings->Permalinks in order to refresh your permalink structure.

Caution:

Sometimes plugins add their own prefix after the wordpress prefix where both are identical.

example, you might have a table name from a certain plugin has a name like the following: wp_wp_abc_table_name.

Be sure when replacing the “wp_” instances in step 2 above that you only replace the first “wp_” prefix and not the one following it.
For instance if we take the example we just mentioned we would replace the first prefix with our new prefix which for this example might be called “trx_”.

The new name would look like:

trx_wp_abc_tablename

Note that there are also WP plugins out there which can achieve the above steps for those who are not prepared to get their hands dirty.

5. Deny Potentially Dangerous Query Strings

You can put the following code in your .htacces file to help prevent XSS attacks.

BEWARE: Functionality of some plugins or themes could break if you are not careful to exclude strings which are used by them.

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ../ [NC,OR]
RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|'|"|;|?|*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

6. Apply PHP hardening to your system

You can install and enable Suhosin which is a PHP hardening system on your server. This can further increase the security of your system by protecting against various vulnerabilities.

Suhosin typically installs on most PHP installations and is sometimes included by webhosting companies by default. (Check with your hosting provider)

If you can read more about Suhosin here.

 

Further reading: http://codex.wordpress.org/Hardening_WordPress

 

Source:

Advanced WordPress Security Tips

Essential WordPress Security Tips – Is Your Blog Protected?

 

Comments are closed.