Securing your WP Blog
Securing a WP blog is the first thing that you must do after you have installed it on your server.
Encrypt your login
Whenever you log in to the WP admin, your password is sent unencrypted. To secure your login details you need to add a layer of encryption.
There are different options you can use to carry out this task:
a. The Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.
b. Enable SSL for the WP admin login console.
Details on recommended plugins can be found in the chapter "Secure Login Plugins".
Stop brute force attack
Hackers can easily crack your login password and credentials using a brute force attack. To prevent that from happening, lock down the login process so that the user is locked out after a number of bad login attempts. It is also a good idea to record the IP address and timestamp of every failed WordPress login attempt.
Details on recommended plugins can be found in the chapter "Secure Login Plugins".
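The lockout and logging described above, as an added example that is not part of the original guide: a POSIX shell script that reads failed-login records and lists the source addresses that have reached a lockout threshold. The log format ("timestamp FAILED|OK ip=... user=...") and the sample lines are constructed for this example; a real lockout plugin keeps its own format, so adjust the field positions in the awk programs to match it.

```sh
#!/bin/sh
# Added example (not from the original guide): which source IPs have reached
# the failed-login lockout threshold, and what each of them tried.
# The log format and these sample lines are CONSTRUCTED for the example.
SAMPLE_LOG='2023-05-01T10:00:01Z FAILED ip=203.0.113.5 user=admin
2023-05-01T10:00:02Z FAILED ip=203.0.113.5 user=admin
2023-05-01T10:00:03Z FAILED ip=203.0.113.5 user=administrator
2023-05-01T10:00:04Z FAILED ip=203.0.113.5 user=root
2023-05-01T10:00:05Z FAILED ip=203.0.113.5 user=admin
2023-05-01T10:01:10Z FAILED ip=198.51.100.7 user=editor
2023-05-01T10:01:40Z OK     ip=198.51.100.7 user=editor
2023-05-01T10:02:00Z FAILED ip=192.0.2.9 user=admin'

# failed_counts LOG -> "count ip" per source address, highest count first.
# Only FAILED records are counted; a later successful login does not erase them.
failed_counts() {
    printf '%s\n' "$1" | awk '
        $2 == "FAILED" {
            split($3, kv, "=")      # "ip=203.0.113.5" -> kv[2] = address
            n[kv[2]]++
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# ips_to_lock LOG THRESHOLD -> addresses with at least THRESHOLD failures
ips_to_lock() {
    failed_counts "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# attempts_from LOG IP -> timestamp and user name of every failure from IP,
# which is exactly why the guide says to record both for each failed login.
attempts_from() {
    printf '%s\n' "$1" | awk -v ip="ip=$2" '$2 == "FAILED" && $3 == ip { print $1, $4 }'
}

# Usage: lockout candidates after 5 failures, then the detail for the first one
ips_to_lock "$SAMPLE_LOG" 5
attempts_from "$SAMPLE_LOG" 203.0.113.5
```

Run against the sample, only 203.0.113.5 reaches five failures; the detail listing shows the same address cycling through admin, administrator and root, which is the pattern a lockout plugin blocks and the pattern worth alerting on even below the threshold.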
Use a strong password
Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters in your password. You can also use the password strength checker in WordPress 2.5 and above to check the strength of your password.
Protect your wp-admin folder
Your wp-admin folder contains all the important information, so this is the last place you want to give anyone access to. Many WordPress attacks are carried out autonomously by malicious software bots that target the default structure of the wp-admin folder. By password-protecting all access to this directory you can prevent many automated attacks.
Use AskApache Password Protect to password-protect the directory and give access rights only to authorized personnel.
On IIS you can also password-protect this directory.
Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php.
Remove WordPress version info
A large number of WordPress themes include the WordPress version in a meta tag. Hackers can easily get hold of this information and plan a specific attack targeting the security vulnerabilities in the version of WP you are using.
To remove the WordPress version info:
- Log in to your WordPress dashboard.
- Go to Design->Theme Editor.
- On the right, click on the Header file.
- On the left, where you see a lot of code, look for a line that looks like:
- <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
- Delete it and press Update File.
There are several WP plugins that will do this task for you.
Hide your plugins folder
If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins you are using for your blog. You can easily hide this page by uploading an empty index.html to the plugins directory.
Open your text editor. Save the blank document as index.html.
Using an FTP program, upload the index.html to the /wp-content/plugins folder.
If someone can obtain a list of the plugins you are using, they can target an attack against a known vulnerability in one of those plugins.
Change your login name
The default username is admin. You can make it more difficult for a hacker to crack your login credentials by changing the login name.
In your WordPress dashboard, go to Users and set up a new user account. Give this new user the administrator role. Log out and log in again with the new user account.
Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select "Attribute all posts and links to:" and select your new username from the dropdown. This will transfer all the posts to your new user account. Press Confirm Deletion.
If you are giving several people access to the admin area of your blog, then create separate accounts for each user.
Upgrade to the latest version of WordPress and plugins
The latest version of WordPress always contains bug fixes for known security vulnerabilities, therefore it is important to keep yourself updated at all times.
When an admin user logs in to the WP Admin console it will always show an alert if new plugin or WP updates are available.
Do a regular security scan
Install the Website Defender WordPress Security plugin and perform a regular scan of your blog settings for any security loopholes. This plugin can also help you change your database prefix from wp_ to a custom prefix.
Back up your WP database
No matter how secure your site is, you still want to prepare for the worst. Install the wp-database-backup plugin and schedule it to back up your database daily.
Define user privilege
If there is more than one author for your blog, you can install the role-manager plugin to define the capabilities for each user group. This will give you, the blog owner, the ability to control what users can and cannot do in the blog.
Change your Database table Prefix
By default the database prefix for all WP installations is wp_. To mitigate zero-day SQL injection attacks and other attacks designed to target the WP database, you need to change the database prefix.
There are two ways to change the database prefix.
Option One:
- Make a backup of your database.
- Export a copy of your database to a flat file.
- Edit the flat file and change all the table references that start with wp_ to the new prefix. Save the file and import it into your WP database.
- Edit the wp-config.php file and change the database prefix reference to match the new prefix.
Option Two:
- Use a plugin like Website Defender WordPress Security to do this task.
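Option One carried out with sed, as an added example that is not part of the original guide. The SQL dump and wp-config.php below are constructed stand-ins for a real export, and the new prefix zx7q_ is an arbitrary choice; point the functions at your own exported file and config. The example goes one step beyond the list above: besides the table names, WordPress stores the prefix inside three data rows (the wp_user_roles option and the wp_capabilities and wp_user_level usermeta keys), and if those are not renamed every user loses their role after the import.

```sh
#!/bin/sh
# Added example (not from the original guide): rename the table prefix in an
# exported dump and in wp-config.php. Files below are CONSTRUCTED samples.
OLD=wp_
NEW=zx7q_
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/dump.sql" <<'EOF'
DROP TABLE IF EXISTS `wp_posts`;
CREATE TABLE `wp_posts` (`ID` bigint(20) NOT NULL);
CREATE TABLE `wp_options` (`option_name` varchar(191));
INSERT INTO `wp_options` VALUES ('wp_user_roles');
CREATE TABLE `wp_usermeta` (`meta_key` varchar(255));
INSERT INTO `wp_usermeta` VALUES ('wp_capabilities');
INSERT INTO `wp_usermeta` VALUES ('wp_user_level');
EOF

cat > "$WORK/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
EOF

# rename_prefix FILE OLD NEW
# Rewrites every backtick-quoted table name and the three prefix-dependent
# rows WordPress keeps as data (user_roles option, capabilities/user_level meta).
rename_prefix() {
    sed -i.bak \
        -e "s/\`$2/\`$3/g" \
        -e "s/'$2user_roles'/'$3user_roles'/g" \
        -e "s/'$2capabilities'/'$3capabilities'/g" \
        -e "s/'$2user_level'/'$3user_level'/g" \
        "$1"
}

# set_config_prefix FILE NEW -> point $table_prefix in wp-config.php at NEW
set_config_prefix() {
    sed -i.bak -e 's/^\(\$table_prefix *= *\).*;/\1'"'$2';"'/' "$1"
}

# count_prefix FILE PREFIX -> number of lines still mentioning PREFIX (0 = done)
count_prefix() {
    grep -c "$2" "$1" || true
}

rename_prefix "$WORK/dump.sql" "$OLD" "$NEW"
set_config_prefix "$WORK/wp-config.php" "$NEW"
echo "lines still referencing $OLD: $(count_prefix "$WORK/dump.sql" "$OLD")"
cat "$WORK/wp-config.php"
```

Before importing a real dump, check for any other prefixed values a plugin may have stored, for example with SELECT option_name FROM wp_options WHERE option_name LIKE 'wp\_%' and the same query on meta_key in wp_usermeta, and add a sed expression for each one you find. Import only after wp-config.php carries the new prefix, otherwise the site will look for tables that no longer exist.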
Folder and Files Security
Often, hackers are able to gain access to your site because you have files or folders with the wrong permissions.
Depending on how you have installed WordPress, or the default practices from your webhost, the permissions for files and folders on your WordPress install may not be appropriate.
File and directory permissions can be changed either via an FTP client or within the administrative page from your web hosting.
Here is a list of the recommended file and folder permissions:

Files

| Name               | File           | Access Level |
|--------------------|----------------|--------------|
| WP config file     | wp-config.php  | 0644         |
| .htaccess          | ../.htaccess   | 0644         |
| wp-admin/index.php | index.php      | 0644         |

Directories

| Name                | Directory             | Access Level |
|---------------------|-----------------------|--------------|
| Root directory      | ../                   | 0755         |
| wp-includes/        | ../wp-includes        | 0755         |
| wp-admin/js/        | js/                   | 0755         |
| wp-content/themes/  | ../wp-content/themes  | 0755         |
| wp-content/plugins/ | ../wp-content/plugins | 0755         |
| wp-admin            | ../wp-admin           | 0755         |
| wp-content/         | ../wp-content         | 0755         |
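The permission table above and the "Hide your plugins folder" section, as one added example that is not part of the original guide: a POSIX shell script that applies 0755 to every directory and 0644 to every file under a WordPress root, drops the empty index.html into wp-content/plugins, and then reports anything still world-writable. The directory tree it builds is a constructed stand-in with deliberately wrong modes; set WP_ROOT to a real document root to use it. The mode_of helper tries GNU stat first and falls back to the BSD form.

```sh
#!/bin/sh
# Added example (not from the original guide): apply the recommended modes to
# a WordPress tree and hide the plugins listing. The tree is CONSTRUCTED.
WP_ROOT=$(mktemp -d)
trap 'rm -rf "$WP_ROOT"' EXIT

# Minimal install layout with deliberately wrong modes on two entries
mkdir -p "$WP_ROOT/wp-admin/js" "$WP_ROOT/wp-includes" \
         "$WP_ROOT/wp-content/plugins" "$WP_ROOT/wp-content/themes"
printf '<?php\n' > "$WP_ROOT/wp-config.php"
printf '<?php\n' > "$WP_ROOT/wp-admin/index.php"
printf '<?php\n' > "$WP_ROOT/wp-content/plugins/hello.php"
chmod 777 "$WP_ROOT/wp-content/plugins" "$WP_ROOT/wp-config.php"

# mode_of PATH -> octal permission bits, e.g. 755 (GNU stat, then BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# harden_perms ROOT -> 0755 on every directory, 0644 on every file, as in the table
harden_perms() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# hide_listing DIR -> empty index.html so a request for DIR/ shows nothing
hide_listing() {
    [ -e "$1/index.html" ] || : > "$1/index.html"
}

# world_writable ROOT -> paths anyone on the host can write to (expect none)
world_writable() {
    find "$1" -perm -0002
}

harden_perms "$WP_ROOT"
hide_listing "$WP_ROOT/wp-content/plugins"
echo "plugins dir: $(mode_of "$WP_ROOT/wp-content/plugins")"
echo "wp-config.php: $(mode_of "$WP_ROOT/wp-config.php")"
echo "world-writable entries: $(world_writable "$WP_ROOT" | wc -l)"
```

The same hide_listing call is worth repeating for wp-content/themes and wp-content/uploads, which list their contents in the same way when the web server allows directory indexes. On a shared host where the web server runs as a different user from your FTP account, 0644 files must stay readable by that user, so check the site still loads after the change.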
Securing wp-config.php
Use Secret Keys in your WP-Config File
The wp-config.php file is the file that stores the database login information used by the WordPress application when connecting to the database. This file contains the name, address and password of the MySQL database.
By using secret keys you can make it more difficult for someone to gain access to your account.
Solution 1:
Go to https://api.wordpress.org/secret-key/1.1/ and copy the results into the secret-key section of your wp-config.php file if you haven't already set up a secret key.
Solution 2:
Change the location of the wp-config.php file.
You can move the wp-config.php file to the directory above your WordPress install. This means that for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.
Note that wp-config.php can be stored ONE directory level above the WordPress installation (the directory where wp-includes resides). Also, make sure that only you (and the web server) can read this file; this generally means a 400 or 440 permission.
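The relocation and the permission check from Solution 2, as an added example that is not part of the original guide. The install tree is a constructed stand-in (set WP_ROOT to the real document root); the locate_config function mirrors the lookup WordPress performs, which only falls back to the parent directory when that directory does not itself contain a wp-settings.php, so a nested install never picks up a parent's configuration.

```sh
#!/bin/sh
# Added example (not from the original guide): move wp-config.php one level
# above the WordPress root and verify the 400/440 mode. Tree is CONSTRUCTED.
BASE=$(mktemp -d)
WP_ROOT="$BASE/public_html"            # stand-in for the web root
trap 'rm -rf "$BASE"' EXIT

mkdir -p "$WP_ROOT/wp-includes"
printf '<?php /* database credentials */\n' > "$WP_ROOT/wp-config.php"
chmod 0644 "$WP_ROOT/wp-config.php"    # the usual, too permissive, starting point

# mode_of PATH -> octal permission bits (GNU stat, then BSD stat)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# move_config ROOT -> relocate wp-config.php to ROOT/.. and restrict it to 0440
move_config() {
    mv "$1/wp-config.php" "$1/../wp-config.php" &&
        chmod 0440 "$1/../wp-config.php"
}

# locate_config ROOT -> prints the path WordPress will load, or fails.
# The parent directory is only consulted when it holds no wp-settings.php.
locate_config() {
    if [ -f "$1/wp-config.php" ]; then
        printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ] && [ ! -f "$1/../wp-settings.php" ]; then
        printf '%s\n' "$1/../wp-config.php"
    else
        return 1
    fi
}

# config_mode_ok FILE -> succeeds only for the 0400 / 0440 modes recommended above
config_mode_ok() {
    case "$(mode_of "$1")" in
        400|440) return 0 ;;
        *)       return 1 ;;
    esac
}

config_mode_ok "$WP_ROOT/wp-config.php" && echo "already restricted" || echo "mode $(mode_of "$WP_ROOT/wp-config.php"): too open"
move_config "$WP_ROOT"
echo "WordPress will load: $(locate_config "$WP_ROOT")"
config_mode_ok "$(locate_config "$WP_ROOT")" && echo "wp-config.php mode is acceptable"
```

With 0440 the web server must share the file's group (or be its owner) to read it; on a shared host where PHP runs as your own user, 0400 is enough. Reload the site after the move, since a wrong group shows up as a database connection error rather than a permission message.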
Solution 3:
Encrypt the wp-config.php file with an encryption solution like ionCube. http://www.ioncube.com/
Solution 4:
Use the Update Unique Keys plugin.
Securing wp-includes
A second layer of protection can be added for scripts that are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Place the rules above the "# BEGIN WordPress" marker, because WordPress rewrites everything between its own BEGIN and END markers.
# Block the include-only files.
RewriteEngine On
RewriteBase /
# admin helpers that are only ever included, never requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# skip the next three rules for anything outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
# top-level PHP files in wp-includes/ are include-only
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
Database Security
Your database should not be accessible from the internet.
Restrict the IP addresses and ports from which systems can access your database.
Always update your database with the latest software patches.
Web Server Vulnerabilities
The web server running WordPress, and the software/OS on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.
If you're on a shared server (one that hosts other websites besides yours) and a website on the same server is compromised, your website can potentially be compromised too, even if you follow everything in this document. Be sure to ask your web host what security precautions they are taking.