Securing your WP Blog

Securing a WP blog is the first thing you must do after installing it on your server.

Encrypt your login

Unless the admin console is served over SSL, your password is sent unencrypted whenever you log in to the WP admin. To secure your login details you need to add a layer of encryption. There are different options you can use to carry out this task:
a. The Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.
b. Enable SSL for the WP admin login console.
Details on recommended plugins can be found in the chapter "Secure Login Plugins".

Stop brute force attacks

Hackers can easily crack your login password and credentials using a brute force attack. To prevent that from happening, you need to lock down the login process so that the user is locked out after a number of bad login attempts. It is also a good idea to record the IP address and timestamp of every failed WordPress login attempt.
Details on recommended plugins can be found in the chapter "Secure Login Plugins".
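
One way to implement this lockout and logging, as an added example that is not code from the page or from any plugin it lists: a must-use plugin built on core WordPress hooks. The thresholds (5 failures in 15 minutes, a one-hour lock), the file name and the ll_ names are assumptions.

```php
<?php
/*
Plugin Name: Login lockout (added example)
Description: Locks an IP out after repeated failed logins and records every failure.
*/
// Save as wp-content/mu-plugins/login-lockout.php. Only core hooks are used:
// wp_login_failed (fires on every bad login) and the authenticate filter.
define('LL_MAX_FAILS', 5);      // failures allowed ...
define('LL_WINDOW', 15 * 60);   // ... within this many seconds
define('LL_LOCK', 60 * 60);     // lockout length in seconds

function ll_client_ip(): string {
    // REMOTE_ADDR is set by the web server. Only trust X-Forwarded-For if a
    // reverse proxy you control sets it; otherwise the client can forge it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_record_failure($username): void {
    $ip    = ll_client_ip();
    $key   = 'll_fails_' . md5($ip);
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, LL_WINDOW);
    // Record IP, timestamp and the attempted user name in the PHP error log.
    error_log(sprintf('wp-login failed: user="%s" ip=%s time=%s count=%d',
        sanitize_user((string) $username), $ip, gmdate('c'), $fails));
    if ($fails >= LL_MAX_FAILS) {
        set_transient('ll_lock_' . md5($ip), time(), LL_LOCK);
    }
}
add_action('wp_login_failed', 'll_record_failure');

function ll_enforce_lock($user, $username, $password) {
    if (get_transient('ll_lock_' . md5(ll_client_ip())) !== false) {
        // A WP_Error here makes wp_authenticate() fail whatever the password was.
        return new WP_Error('ll_locked', 'Too many failed logins. Try again later.');
    }
    return $user;
}
// Priority 50 runs after the core username/password handlers (priority 20),
// so a correct password cannot slip past an active lock.
add_filter('authenticate', 'll_enforce_lock', 50, 3);
```

Attempts made while the lock is active also count as failures, so the lock keeps being extended until the attempts stop.
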


Use a strong password

Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters in your password. You can also use the password strength checker in WordPress 2.5 and above to check the strength of your password.

Protect your wp-admin folder

Your wp-admin folder contains all the important information, so this is the last place you want to give anyone access to. Many WordPress attacks are carried out autonomously by malicious software bots that target the default structure of the wp-admin folder. By password-protecting all access to this directory you can prevent many automated attacks.

Use AskApache Password Protect to password protect the directory and give access rights only to authorized personnel.
On IIS you can also password protect this directory.

Note that password-protecting the whole wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php.

Remove WordPress version info

A large number of WordPress themes include the WordPress version in a meta tag. Hackers can easily get hold of this information and plan specific attacks targeting the security vulnerabilities of the WP version you are using.

To remove the WordPress version info:

  • Log in to your WordPress dashboard.
  • Go to Design->Theme Editor.
  • On the right, click on the Header file.
  • On the left, where you see a lot of code, look for a line that looks like
    • <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
  • Delete it and press Update File.

There are several WP plugins that will do this task for you.

Hide your plugins folder

If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins you are using for your blog. You can easily hide this page by uploading an empty index.html to the plugins directory.
Open your text editor. Save the blank document as index.html.
Using an FTP program, upload the index.html to the /wp-content/plugins folder.
If someone can obtain a list of the plugins you are using, they can target an attack against a known vulnerability in one of those plugins. Note that the empty index.html only hides the directory listing; the plugin files themselves remain reachable by their direct URLs.

Change your login name

The default username is admin. You can make it more difficult for a hacker to crack your login credentials by changing the login name.
In your WordPress dashboard, go to Users and set up a new user account. Give this new user the administrator role. Log out and log in again with the new user account.
Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select "Attribute all posts and links to:" and select your new username from the dropdown. This will transfer all the posts to your new user account. Press Confirm Deletion.
If you are giving several people access to the admin area of your blog, create a separate account for each user.

Upgrade to the latest version of WordPress and plugins

The latest version of WordPress always contains the fixes for known security vulnerabilities, so it is important to keep your installation updated at all times.
When an admin user logs in to the WP Admin console, it shows an alert whenever new plugin or WP updates are available.

Do a regular security scan

Install the Website Defender WordPress Security plugin and perform a regular scan of your blog settings for security loopholes. This plugin can also help you change your database prefix from wp_ to a custom prefix.

Back up your WP database

No matter how secure your site is, you still want to prepare for the worst. Install the wp-database-backup plugin and schedule it to back up your database daily.

Define user privileges

If there is more than one author for your blog, you can install the role-manager plugin to define the capabilities of each user group. This gives you, the blog owner, control over what users can and cannot do in the blog.

Change your Database table Prefix

By default the database prefix for all WP installations is "wp_". To mitigate zero-day SQL injection attacks and other attacks designed to target the WP database, you need to change the database prefix.
There are two ways to change the database prefix.

Option One:

  • Make a backup of your database.
  • Export a copy of your database to a flat file.
  • Edit the flat file and change all the table references that start with wp_ to the new prefix. Save the file and import it into your WP database.
  • Edit the wp-config.php file and change the database prefix ($table_prefix) to match the new prefix.

Option Two:

  • You can use a plugin like Website Defender WordPress Security to do this task.
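
The SQL that the flat-file edit in Option One has to end up producing, as an added example that is not from the page or from the plugin it names: besides renaming the tables it also renames the prefixed option and usermeta keys, which a plain table rename misses. The sample table list and the new prefix k7q_ are constructed.

```php
<?php
// Added example: generate the SQL for a WordPress table-prefix change.
// Renaming the tables is not the whole job. The options row 'wp_user_roles'
// and the usermeta keys 'wp_capabilities' / 'wp_user_level' carry the prefix
// too; leave them alone and every account loses its role, so you are locked
// out of the admin console after the change.
function prefix_change_sql(array $tables, string $old, string $new): array {
    foreach ([$old, $new] as $p) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $p)) {
            throw new InvalidArgumentException("bad prefix: $p");
        }
    }
    $sql = [];
    foreach ($tables as $table) {
        if (strpos($table, $old) !== 0) {
            continue;                       // not a WordPress table, leave it alone
        }
        $sql[] = sprintf('RENAME TABLE `%s` TO `%s%s`;', $table, $new, substr($table, strlen($old)));
    }
    // Only the user_roles option is prefixed; other core options that happen to
    // start with "wp_" are literal names and must not be touched.
    $sql[] = sprintf("UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';",
        $new, $new, $old);
    // Every prefixed usermeta key. '_' is escaped because LIKE treats it as a wildcard.
    $like = str_replace('_', '\_', $old);
    $sql[] = sprintf("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';",
        $new, $new, strlen($old) + 1, $like);
    $sql[] = sprintf("-- finally set \$table_prefix = '%s'; in wp-config.php", $new);
    return $sql;
}

// Constructed sample: the list SHOW TABLES would return on a small site.
$sample = ['wp_options', 'wp_posts', 'wp_usermeta', 'wp_users', 'other_app_log'];
echo implode("\n", prefix_change_sql($sample, 'wp_', 'k7q_')), "\n";
```

Run the generated statements against the backup copy first, then against the live database only after the wp-config.php change is ready to go in at the same time.
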


Folder and Files Security

Often, hackers are able to gain access to your site because you have files or folders with the wrong permissions.

Depending on how you have installed WordPress, or the default practices from your webhost, the permissions for files and folders on your WordPress install may not be appropriate.

File and directory permissions can be changed either via an FTP client or from your web host's control panel.

Here is a list of the recommended file and folder permissions (paths are relative to the WordPress root):

  Name                  File                    Access Level
  WP config file        wp-config.php           0644
  .htaccess             .htaccess               0644
  wp-admin index        wp-admin/index.php      0644

  Name                  Directory               Access Level
  Root directory        ./                      0755
  wp-includes/          ./wp-includes           0755
  wp-admin/js/          ./wp-admin/js           0755
  wp-content/themes/    ./wp-content/themes     0755
  wp-content/plugins/   ./wp-content/plugins    0755
  wp-admin/             ./wp-admin              0755
  wp-content/           ./wp-content            0755
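
An added audit script, not from the page, that compares every file and directory under a WordPress root with the modes in the tables above and lists the differences without changing anything. The root path and the script name are assumptions.

```php
<?php
// Added example: report entries whose mode differs from the recommended
// 0755 (directories) / 0644 (files). Nothing is changed; review the report,
// then fix the listed paths with chmod or your FTP client.
// Usage: php perm-audit.php /var/www/html   (the path is an assumption)
function audit_permissions(string $root, int $dirMode = 0755, int $fileMode = 0644): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode = $info->getPerms() & 0777;
        $want = $info->isDir() ? $dirMode : $fileMode;
        if ($mode === $want) {
            continue;
        }
        // World-writable entries are the dangerous case: any local user, or a
        // compromised neighbour on a shared host, can drop code into them.
        $tag = ($mode & 0002) ? 'WORLD-WRITABLE' : 'mismatch';
        $findings[] = sprintf('%-14s %04o (want %04o) %s', $tag, $mode, $want, $path);
    }
    // wp-content/uploads is normally written by the web server user and will
    // show up here; that is expected as long as it is not world-writable.
    return $findings;
}

$root = $argv[1] ?? '.';
foreach (audit_permissions(rtrim($root, '/')) as $line) {
    echo $line, "\n";
}
```
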


Securing wp-config.php

Use Secret Keys in your WP-Config File

The wp-config.php file stores the database login information that WordPress uses to connect to the database: the database name, host address, user name and password.

By using secret keys you can make it more difficult for someone to gain access to your account.

Solution 1:
Go to https://api.wordpress.org/secret-key/1.1/ and copy the results into the secret-key section of your wp-config.php file if you haven't already set up a secret key.

Solution 2:
Changing the location of the wp-config file
You can move the wp-config.php file to the directory above your WordPress install. For a site installed in the root of your webspace, this means wp-config.php can be stored outside the web-root folder.

Note that wp-config.php can be stored ONE directory level above the WordPress installation (the directory where wp-includes resides). Also make sure that only you (and the web server) can read this file (generally 400 or 440 permissions).

Solution 3:
Encrypt the wp-config.php file with an encryption solution such as ionCube (http://www.ioncube.com/).

Solution 4:
Use the Update Unique Keys plugin to generate and rotate the secret keys.
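
An added check, not from the page, for the points above: that wp-config.php carries real secret keys rather than the placeholders shipped in the download, that its mode matches the 400/440 recommendation, and that FORCE_SSL_ADMIN (the core constant that serves the admin login over SSL, option b under "Encrypt your login") is set. The file path is an assumption.

```php
<?php
// Added example: audit a wp-config.php. A fresh WordPress download ships the
// keys as 'put your unique phrase here'; the output of
// https://api.wordpress.org/secret-key/1.1/ replaces them.
// Usage: php check-wp-config.php /path/to/wp-config.php   (path is an assumption)
const WPCFG_KEYS = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];

function check_wp_config(string $path): array {
    $issues = [];
    $src = @file_get_contents($path);
    if ($src === false) {
        return ["cannot read $path"];
    }
    // Collect every define('NAME', 'value') in the file.
    $re = '/define\(\s*\'([A-Z_]+)\'\s*,\s*\'((?:[^\'\\\\]|\\\\.)*)\'\s*\)/';
    preg_match_all($re, $src, $m, PREG_SET_ORDER);
    $defined = [];
    foreach ($m as $d) {
        $defined[$d[1]] = $d[2];
    }
    foreach (WPCFG_KEYS as $name) {
        if (!isset($defined[$name])) {
            $issues[] = "$name is not defined";
        } elseif (stripos($defined[$name], 'put your unique phrase here') !== false) {
            $issues[] = "$name still holds the default placeholder";
        } elseif (strlen($defined[$name]) < 32) {
            $issues[] = "$name is shorter than 32 characters";
        }
    }
    // FORCE_SSL_ADMIN makes WordPress serve wp-login.php and wp-admin over SSL.
    if (!preg_match('/define\(\s*\'FORCE_SSL_ADMIN\'\s*,\s*true\s*\)/i', $src)) {
        $issues[] = 'FORCE_SSL_ADMIN is not set: admin logins can go over plain HTTP';
    }
    // 400 or 440 means no access for "others" and no group write/execute bits.
    $mode = fileperms($path) & 0777;
    if ($mode & 0037) {
        $issues[] = sprintf('mode is %04o; expected 0400 or 0440', $mode);
    }
    return $issues;
}

foreach (check_wp_config($argv[1] ?? 'wp-config.php') as $issue) {
    echo $issue, "\n";
}
```
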

Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request outside wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Put the block above before the section WordPress writes itself, which starts with:
# BEGIN WordPress

The [F,L] flags return a 403 Forbidden for the matched request and stop further rewriting. Note that this block does not suit a Multisite install, where wp-includes/ms-files.php must stay reachable.

Database Security

Your database should not be accessible from the internet.
Restrict which systems (by IP address and port) can access your database.
Always update your database server with the latest software patches.

Web Server Vulnerabilities

The web server running WordPress, and the software/OS on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.

If you're on a shared server (one that hosts other websites besides yours) and a website on the same server is compromised, your website can potentially be compromised too, even if you follow everything in this document. Be sure to ask your web host what security precautions they are taking.

  • Threat Scan - WP Plugin
  • WP-MalWatch - Plugin
  • Better WP Security - Plugin
  • Website Defender WordPress Security - Plugin
  • WordPress File Monitor Plus - Plugin
  • WP Mute Screamer - Plugin
  • WP Content Security Policy - Plugin
  • WordPress Update Unique Keys - Plugin
  • BulletProof Security - Plugin
  • WordPress HTTPS (SSL) Plugin
  • WordPress Chap Secure Login Plugin
  • WP Login Security Plugin
  • Limit WordPress Login Attempts Plugin
  • WP Email Login Plugin
  • WordPress Google Authenticator Plugin