How to Secure WordPress

October 17, 2012

WordPress is NOT safe "out of the box". If you are willing and daring enough to DIY it, the checklist below is what you need to do in order to make your WordPress install more secure.

Server security will never be 100% bullet proof, but the methods below raise the bar for WordPress: they will deter casual hackers and their automated robots without causing too much inconvenience to the site owner. Bear in mind that most of them are obscurity or rate-limiting measures rather than fixes for vulnerabilities, so keep core, themes and plugins updated (step 2) whatever else you do.

    1. Give WordPress its own directory
      Quite often, hackers use automated robots to attack the default admin paths of WordPress, so giving WordPress its own directory makes it a little harder for them to find. It is simple to do and WordPress provides step-by-step instructions in the Codex article "Giving WordPress Its Own Directory". Treat this as obscurity, not protection: /mywordpress/wp-login.php still answers, and the directory name appears in every page's HTML through the theme's stylesheet and script URLs, so combine it with the login protection in the later steps.

      1. create a folder in the root of your site called /mywordpress (or another name of your choosing).
      2. upload the latest WordPress version to that folder.
      3. copy /mywordpress/index.php to the root as /index.php.
      4. in that copy, change this line from: require('./wp-blog-header.php'); to require('./mywordpress/wp-blog-header.php');
      5. run the WordPress install, then in Settings > General set the WordPress address (URL) to mysite.com/mywordpress and the Site address (URL) to mysite.com.
    2. Install and update to the latest version of WordPress
      It is very important to run the very latest version of WordPress in order to get the security fixes included since the previous release. The same goes for every theme and plugin you keep: they are patched on their own schedules, and outdated plugins are the most common way into a WordPress site.
    3. Install the Login Lockdown plugin
      This plugin traps hackers who try to brute-force the login page: after 3 failed login attempts it locks the offending IP address out of the login form for a period (by default an hour; both numbers are configurable). Lockouts are per IP, so they slow down a single bot but do little against a distributed attack that rotates addresses, and they can lock out a whole office behind one NAT address if someone fat-fingers a password.
      Plugin URL: http://wordpress.org/extend/plugins/login-lockdown/
    4. Install Wordfence
      Wordfence provides an amazing array of security features: verification of core, plugin and theme files against the wordpress.org copies, malware scanning, rate limiting and its own login lockout (which overlaps with Login Lockdown, so enable only one of the two). A little long-winded to configure, but it provides ample protection for the standard WordPress user.
      Plugin URL: https://wordpress.org/plugins/wordfence/
    5. Delete the Akismet plugin if you do not accept comments
      Unless you allow users to comment and want the spam filtering from wordpress.org, delete this plugin. It is easy to reinstall if you need it later.
    6. Delete the Hello Dolly plugin as it is not needed
      Although this plugin is totally harmless, there is no point keeping plugins that do nothing for your site: every file under wp-content is reachable by URL, and every plugin is code you have to keep updated.
    7. Delete any themes you are not using
      Don't assume that a theme cannot be exploited just because it is not activated: its PHP files are still on disk and reachable by URL, so a vulnerable script in an inactive theme can be hit directly. Remove every theme except the one you are currently using and the latest WordPress default theme (keep that one as a fallback). Any older WordPress themes or any themes you are not using, uninstall them. It is easy to do through the WordPress admin.
    8. Delete any plugins you are not using
      Like themes, plugins which are not activated should not be sitting on your server. Having code.
    9. Change the WordPress database table prefix
      Using a plugin such as WP Security Scan (not one of the plugins installed above), or by hand, replace the default wp_ table prefix with a random one such as wp_xff_, and set $table_prefix in wp-config.php to match. Be clear about what this buys you: it does not stop SQL injection. It only defeats canned attack scripts that hard-code table names like wp_users; anyone with a working injection point can read the real names from information_schema. Also, changing the prefix on an existing site means renaming every table and then updating the wp_options row <prefix>user_roles and the wp_usermeta keys such as <prefix>capabilities, or nobody can log in afterwards.
    10. Move the uploads folder out of /wp-content/uploads
      Hackers will look for /wp-content/uploads because that is where web shells land after a successful upload exploit, so moving it will bypass scripts that hard-code the default path. It does not hide the folder: every image on your site links into it, so anyone reading your HTML sees the new location. What actually stops a dropped web shell is preventing PHP from executing under the uploads folder, which is a web server setting rather than a WordPress one. To move it:
      a. open the wp-config.php file
      b. add this line to make WordPress store uploads in a folder called images:

      define( 'UPLOADS', 'images' );

      UPLOADS is relative to the WordPress directory (ABSPATH), so after step 1 this means /mywordpress/images, not /images at the site root. Create the folder and make it writable by the web server before uploading anything, and if you change this on a live site, move the existing files and fix their URLs in post content.
    11. Remove the admin username
      Removing the admin username takes away a known username for hackers to target: every brute-force bot tries "admin" first, and with that half of the credential pair already known, the attacker only has to guess the password. Create a new administrator with a different name, log in as it, then delete the old admin account (attributing its posts to the new user). Bear in mind that WordPress still leaks usernames through author archives (/?author=1 redirects to the author's slug) and through the login form's error messages, so a strong password plus the login lockout are what actually hold the door.
    12. Add directives to robots.txt to keep WordPress files and folders out of search engines.
      Hackers use search engines to find WordPress login pages and core folders, so keeping them out of the index makes your install a little harder to discover through a search. robots.txt is advisory only: a well-behaved crawler honours it, an attacker's scanner ignores it, and the Disallow lines are themselves a list of the paths you would rather not show. For me the trade-off is worth it, with the other layers in this list providing the real protection. If you followed step 1, prefix each path with your WordPress directory (e.g. /mywordpress/wp-admin).

      ######################################
      # ROBOTS! DO NOT INDEX WORDPRESS STUFF!
      # added by craig@craig-edmonds.com
      ######################################
      User-agent: *
      Disallow: /cgi-bin
      Disallow: /wp-admin
      Disallow: /wp-includes
      Disallow: /wp-content/plugins/
      Disallow: /wp-content/cache/
      Disallow: /wp-content/themes/
      Disallow: */trackback/
      Disallow: */feed/
      Disallow: /*/feed/rss/$
      Disallow: /category/*
    13. Add .htaccess protection to the /.htaccess file
      This code stops anyone fetching .htaccess (or .htpasswd) over the web, so an attacker cannot read your rewrite rules or learn where your password file lives. Most Apache builds already carry an equivalent rule in httpd.conf; adding it here costs nothing if they do.

      ######################################
      # STRONG HTACCESS PROTECTION!
      # added by craig@craig-edmonds.com
      ######################################
      # matches any file whose name contains ".hta" (.htaccess, .htpasswd, ...)
      # Apache 2.2 syntax; on 2.4 the three directives become "Require all denied"
      <Files ~ "^.*\.([Hh][Tt][Aa])">
      order allow,deny
      deny from all
      satisfy all
      </Files>
    14. Add no directory browsing to /.htaccess file
      Some hosts already stop visitors from listing directories, and WordPress ships an empty index.php in most of its folders, but not in every folder a plugin or theme creates. Adding this line to your .htaccess file disables directory listings across every folder on your site. Use -Indexes on its own rather than Options All -Indexes: All switches on every other option too (Includes, ExecCGI, FollowSymLinks), which is the opposite of what you want.

      ######################################
      # DISABLE DIRECTORY BROWSING!
      # added by craig@craig-edmonds.com
      ######################################
      # turn off directory listings only; leave the other options as the host set them
      Options -Indexes
    15. Add additional wp-config.php protection to /.htaccess file
      Normally wp-config.php is never shown to a visitor, because PHP executes it and it prints nothing. If PHP handling is ever broken (a misconfigured upgrade, a handler removed by the host), Apache would serve the file as plain text, database password included. This block, like the .htaccess protection above, refuses any direct request for it.

      ######################################
      # PROTECT WP-CONFIG.PHP FILE!
      # added by craig@craig-edmonds.com
      ######################################
      # Apache 2.2 syntax; on 2.4 use "Require all denied" inside the block
      <files wp-config.php>
      Order deny,allow
      Deny from all
      </files>
    16. Add some extra query string filtering to the root .htaccess file
      These rules answer a 403 to a few well-known malicious query strings. Despite the comment in the snippet, they do not protect against SQL injection: the first pattern catches a literal or URL-encoded <script> tag in the query string (XSS), the other two catch attempts to overwrite PHP's GLOBALS and _REQUEST arrays through the query string (a register_globals-era trick). A query string such as id=1' OR '1'='1 matches none of them. Treat this as a cheap noise filter, not as input validation.

      ######################################
      # PROTECT FROM SQL INJECTION!
      # added by craig@craig-edmonds.com
      ######################################
      Options +FollowSymLinks
      RewriteEngine On
      # literal or URL-encoded <script ...> in the query string, case-insensitive
      RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
      # GLOBALS= / GLOBALS[ / GLOBALS%xx (register_globals overwrite attempt)
      RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
      # the same for _REQUEST
      RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
      # [F] sends 403 Forbidden; the substitution target is ignored once F is set
      RewriteRule ^(.*)$ index.php [F,L]
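The following Python script is an added illustration of the point made in step 9 and is not part of the original post. It builds a throwaway SQLite database (standing in for MySQL; the catalog table there is sqlite_master rather than information_schema.tables) with a randomised prefix, runs a deliberately vulnerable query of the kind a careless plugin might write, and shows that an attacker can recover the prefix from the catalog and then dump the users table anyway. It also generates the MySQL statements needed to change the prefix on a real install. The table contents, the PREFIX value and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample data: a WordPress-like schema under a randomised prefix.
PREFIX = "wp_xff_"
FAKE_HASH = "$P$BnotArealHashJustSampleData"


def build_db():
    """In-memory SQLite stand-in for the WordPress database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PREFIX}users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute(f"INSERT INTO {PREFIX}users VALUES (1, 'admin', '{FAKE_HASH}')")
    db.execute(f"CREATE TABLE {PREFIX}posts (ID INTEGER, post_title TEXT)")
    db.execute(f"INSERT INTO {PREFIX}posts VALUES (1, 'Hello world!')")
    return db


def vulnerable_lookup(db, post_id):
    """A careless plugin query: the request parameter is pasted straight into SQL.
    This is the bug; the prefix has nothing to do with whether it is exploitable."""
    sql = f"SELECT ID, post_title FROM {PREFIX}posts WHERE ID = {post_id}"
    return db.execute(sql).fetchall()


def discover_tables(db, suffix="users"):
    """Attacker step 1: ask the database catalog for the real table name.
    On MySQL the equivalent is
    SELECT table_name FROM information_schema.tables WHERE table_name LIKE '%users'."""
    payload = f"0 UNION SELECT 1, name FROM sqlite_master WHERE name LIKE '%{suffix}'"
    return [row[1] for row in vulnerable_lookup(db, payload)]


def dump_credentials(db, users_table):
    """Attacker step 2: with the name known, pull logins and password hashes."""
    payload = f"0 UNION SELECT ID, user_login || ':' || user_pass FROM {users_table}"
    return [row[1] for row in vulnerable_lookup(db, payload)]


# The eleven core tables of a 2012-era single-site install.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "terms", "term_relationships", "term_taxonomy", "usermeta", "users"]


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """MySQL statements for moving an existing install from prefix `old` to `new`.
    Renaming the tables is not enough: WordPress also stores the prefix inside
    the data, in the options row '<prefix>user_roles' and in usermeta keys such
    as '<prefix>capabilities' and '<prefix>user_level'. Run these, then set
    $table_prefix = '<new>'; in wp-config.php."""
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    like_old = old.replace("_", "\\_")  # '_' is a single-char wildcard in LIKE; escape it
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_old}%';"
    )
    return stmts


if __name__ == "__main__":
    db = build_db()
    found = discover_tables(db)
    print("tables ending in 'users':", found)  # ['wp_xff_users']
    print("credentials:", dump_credentials(db, found[0]))
    print("\n".join(prefix_change_sql("wp_", "wp_xff_")))
```

The two attacker functions succeed without ever being told the prefix, which is the whole point: the random prefix is one catalog query away. The migration statements are the part worth keeping; if you rename the tables but skip the two UPDATEs, every account loses its role and the admin is locked out.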

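To see what the three RewriteCond patterns in step 16 actually match, here is a small Python harness, added here and not from the original post. It translates the rules into Python regexes following mod_rewrite's semantics (an unanchored search over the still-URL-encoded query string, with [NC] as case-insensitive on the first pattern only; the first pattern is the commonly published `(\<|%3C).*script.*(\>|%3E)` form, i.e. a literal or URL-encoded script tag) and runs a set of constructed query strings through them. The sample strings are made up for the example, not captured traffic. It shows that the rules catch a <script> tag and register_globals-style overwrites, let ordinary SQL injection straight through, and that even the script rule can be dodged by URL-encoding one letter.

```python
import re

# The three RewriteCond patterns as Python regexes. mod_rewrite applies a
# RewriteCond as an unanchored search, so re.search is the right call;
# [NC] maps to re.IGNORECASE and applies to the first pattern only.
RULES = [
    ("script-tag", re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS",    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("_REQUEST",   re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
]


def blocked_by(query_string):
    """Name of the first rule that fires (the request gets a 403), or None
    if the query string reaches WordPress untouched."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed query strings with the verdict the rules produce for each.
SAMPLES = [
    ("p=123",                                                None),
    ("s=<script>alert(1)</script>",                          "script-tag"),
    ("s=%3Cscript%3Ealert(1)%3C/script%3E",                  "script-tag"),
    ("s=%3cSCRIPT%3ealert(1)%3c/script%3e",                  "script-tag"),  # [NC]
    ("GLOBALS[foo]=bar",                                     "GLOBALS"),
    ("_REQUEST%5Bid%5D=1",                                   "_REQUEST"),
    # SQL injection, plain and URL-encoded: nothing fires.
    ("id=1' OR '1'='1",                                      None),
    ("id=-1 UNION SELECT user_login,user_pass FROM wp_users--", None),
    ("id=-1%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--", None),
    # The script rule needs the literal word "script"; encoding one letter beats it.
    ("s=%3C%73cript%3Ealert(1)%3C/%73cript%3E",              None),
]


def mismatches(samples=SAMPLES):
    """Samples whose actual verdict differs from the expected one (empty list
    means the table above is an accurate description of the rules)."""
    return [(qs, want, blocked_by(qs)) for qs, want in samples if blocked_by(qs) != want]


if __name__ == "__main__":
    for qs, want in SAMPLES:
        print(f"{str(blocked_by(qs)):12} {qs}")
```

Run it and the verdict column makes the limitation obvious: the UNION SELECT payloads pass because nothing in the three patterns looks for SQL at all. The rules are fine as a way to shed some automated noise before PHP starts, but the fix for SQL injection lives in the plugin code (prepared statements via $wpdb->prepare), not in .htaccess.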
Additional Advanced Options

  1. Change the following files so they are read only (chmod 444) to prevent malicious users writing to them.
    Usually hackers will use robots to log in with FTP and rewrite or append to your WordPress files. The 3 files below are the main targets, so allowing only read access to them means they cannot be written to casually in the event that your FTP is compromised. Know the limits: the file owner (which is what an FTP login gets an attacker) can chmod them back to 644 before writing, so this stops careless scripts rather than a determined intruder. Making .htaccess read-only also means WordPress can no longer write its own permalink rules; it will show them for you to paste in by hand, which is fine.
    /wp-config.php
    /.htaccess
    /index.php
  2. Add wp-login.php protection to /.htaccess file
    Automated scripts hammer the default WordPress login page. By closing off wp-login.php and the /wp-admin path to everyone except a fixed IP or list of IPs, every attacker outside that list gets a 403 Forbidden (not a 404) before PHP is even invoked. In the RewriteCond %{REMOTE_ADDR} line below, enter the four parts of your own IP address in place of the four 255s. For each extra address add another RewriteCond %{REMOTE_ADDR} !^...$ line without [OR]: the negated conditions are ANDed, so the rule fires only when the visitor matches none of them.

    IMPORTANT NOTE: you need a fixed IP for this to work. If you do not have one, use the htpasswd method below, which is more common.

    #################################
    # LOCKDOWN AND PROTECT WP-LOGIN.PHP FILE
    # added by craig@craig-edmonds.com
    #################################
    RewriteEngine on
    # the request is for wp-login.php ...
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    # ... or for /wp-admin itself (no trailing slash; pages under it already need a login cookie)
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # ... and the visitor is not at the allowed address (your IP replaces 255.255.255.255)
    RewriteCond %{REMOTE_ADDR} !^255\.255\.255\.255$
    # "-" leaves the URL alone; R=403 answers with Forbidden instead of redirecting
    RewriteRule ^(.*)$ - [R=403,L]
  3. Add wp-login.php protection using the htpasswd method
    It is not fun for server admins when your WordPress is getting attacked. Automated attacks can cause a kind of DDoS effect and really give a server a workout. If only you or a handful of users log in, this method puts HTTP Basic authentication in front of wp-login.php, so anyone requesting the login page is prompted by Apache for a username and password, regardless of IP address, before WordPress's own login form is ever reached. The snippet below covers wp-login.php, which is what the bots hit; password-protecting the whole /wp-admin directory with a separate .htaccess inside it would also block wp-admin/admin-ajax.php, which themes and plugins call from the public side of the site. Use it over HTTPS: Basic auth sends the credentials base64-encoded on every request, which is as good as plaintext on an unencrypted connection.

    Step 1: Create the Password File
    Create an empty file named .wpadmin and place it in your home directory, outside the web root so visitors cannot fetch it. Usually this is ABOVE the public_html directory in your account (note the period preceding wpadmin in the file name). EXAMPLE: /home/username/.wpadmin
    (where "username" is the cPanel username for the account.)

    Step 2: Create the Encrypted Username and Password
    1. Visit: http://www.htaccesstools.com/htpasswd-generator/ or, better, generate the line locally with the htpasswd tool that ships with Apache (run htpasswd -n john and type the password when prompted), so the password never leaves your machine.
    2. Use the form (or the command) to create the username and password. EG. If you put the username as being john and used the password johndoe, then you would get a funny looking string looking something like this: john:$apr1$NFzCXrln$LK4N5.FkrMmqYgFWn8l5E1

    STEP 3. Copy that string into the .wpadmin file you created in step 1, one user per line.

    Step 4: Update/Create the root .htaccess file
    The last step is to place the following code in the root .htaccess file, meaning the web root that holds index.php and wp-config.php (on cPanel that is /home/username/public_html/.htaccess). Whether a .htaccess placed one level up in /home/username is read at all depends on the host's AllowOverride settings, so put it in the web root. Some servers create the .htaccess file automatically, so if it already exists just add the code below to it.
    1. open the web root .htaccess file (if there is not one already, create a new one)
    2. paste into the .htaccess file the following code

    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"
    # Basic auth on the login script only; AuthUserFile must be an absolute path
    <FilesMatch "^wp-login\.php$">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.wpadmin
    require valid-user
    </FilesMatch>

    Your WordPress login page should now prompt you for a username and password before the usual login form appears.

    Happy Days!