WordPress IS NOT SAFE "out of the box". If you are willing and daring enough to DIY it, the checklist below is what you need to do to make your WordPress install more secure.
Server security will never be 100% bulletproof, but the methods below give WordPress a heightened level of security and will deter casual hackers and their automated bots, without causing too much inconvenience to the site owner.
- Give wordpress its own directory
Hackers often use automated bots that probe the default WordPress paths (wp-login.php, xmlrpc.php, wp-admin) at the site root, so giving WordPress its own directory means those blind probes get a 404 and the casual scanners move on. Be clear about what you gain: this is obscurity, not protection. The directory name appears in the URL of every script, stylesheet and image your pages load, so anyone who views the page source finds it in seconds, and every other step on this list still applies. It is very simple to do and WordPress documents the procedure in detail (search the WordPress documentation for "Giving WordPress Its Own Directory"):
- create a folder in the root of your site called /mywordpress (or another name of your choosing; avoid anything guessable like /wp or /blog).
- upload the latest WordPress version to that folder.
- make a copy of the /mywordpress/index.php file and place it in the root at /.
- in that root copy, change the line require('./wp-blog-header.php'); to require('./mywordpress/wp-blog-header.php'); (recent WordPress versions ship it as require( dirname( __FILE__ ) . '/wp-blog-header.php' );, in which case insert /mywordpress before /wp-blog-header.php in the same way).
- run the WordPress install and tell WordPress that the site URL is mysite.com and the WordPress URL is mysite.com/mywordpress (Settings > General: "Site Address (URL)" and "WordPress Address (URL)" respectively).
- Install and update to latest version of wordpress
It is very important to upgrade to the latest version of WordPress in order to pick up the security fixes integrated since the previous release; the bulk of compromised sites run an old core, plugin or theme with a published vulnerability. Since WordPress 3.7, minor (security) releases install themselves automatically; leave that switched on, and check the plugins and themes too, since they are updated separately and are where most holes are found.
- Install Login Lockdown Plugin
This plugin traps hackers who try to brute-force the login page: by default, 3 failed attempts from one IP address within 5 minutes lock that address out of the login form for 60 minutes (all three numbers are configurable). Because it keys on the source IP, a distributed attack that tries one password per address per hour walks straight past it, so it complements a strong password and the login restrictions further down rather than replacing them.
Plugin URL: http://wordpress.org/extend/plugins/login-lockdown/
- Install Wordfence
Wordfence provides an impressive array of security features: a web application firewall, file integrity and malware scanning, and login hardening. It is a little long-winded to configure but provides ample protection for the standard WordPress user. Its login protection overlaps with Login Lockdown, so if you run both, keep the lockout settings consistent or you will spend time working out which one locked you out.
Plugin URL: https://wordpress.org/plugins/wordfence/
- Delete akismet plugin as its not needed (if you dont accept comments)
Unless you will be allowing users to comment and want Akismet's spam filtering (it is an Automattic service and needs an API key), delete this plugin. It is easy to reinstall if you need it later.
- Delete hello dolly plugin as its not needed
Although this plugin is totally harmless, there is no point having plugins which serve no purpose: every plugin on disk is code you have to keep updated.
- Delete any themes you are not using
Do not assume that because a theme is not activated it cannot be hacked: its PHP files are still reachable by URL and can still be requested directly, so a vulnerable script in an inactive theme is exploited just the same. Remove every theme except the one you are using and the latest WordPress default theme (keep that one so WordPress has something to fall back on if your theme breaks). Any older default themes or other themes you are not using, uninstall them; it is easy to do through the admin under Appearance > Themes.
- Delete any plugins you are not using
Like themes, plugins which are not activated should not be sitting on your server. Any code on the server is attack surface whether or not it is active, and deactivated plugins are the ones most likely to be forgotten and left unpatched.
- Change the wordpress database table prefix
The default WordPress table prefix is wp_, so every canned SQL injection payload on the internet is written against wp_users, wp_options and friends. Changing it to something like wp_xff_ does not fix an injectable query (only patching the plugin does that), and an attacker who gets far enough can read the real names out of information_schema or a verbose error, but it does make the automated payloads fail and costs the attacker an extra step. The WP Security Scan plugin can do the rename for you. By hand, set $table_prefix in wp-config.php before installing; on an existing site you must rename every table and then fix the rows that store the prefix as data, namely the wp_user_roles row in the options table and the wp_capabilities and wp_user_level keys in usermeta. Miss those and every user, yourself included, loses all capabilities and is locked out of the admin.
- Change the upload folder from /wp-content/uploads to /images
Bots routinely probe /wp-content/uploads for web shells and for vulnerable scripts that plugins drop there, so a non-default path defeats the blind probes. It is not hidden, though: every image URL on the site reveals it. The hardening that actually matters for the uploads directory is stopping PHP executing there at all, since the whole point of the directory is to hold user-supplied files; the usual way is a .htaccess inside it that denies access to *.php. To move it:
a. open the wp-config.php file
b. add this line so WordPress stores uploads under images/: define( 'UPLOADS', 'images' );
The path is relative to the WordPress directory (ABSPATH), so this gives /yourdomain.com/images only when WordPress is installed at the root; with WordPress in /mywordpress as in the first step the folder ends up at /mywordpress/images. Move the existing files across and update the old URLs in existing posts, or they will 404.
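The table-prefix change above is the step people get wrong, because the prefix is stored as data as well as in table names. The script below is an added example, not code from the original checklist nor from WordPress or WP Security Scan: it emits the SQL for a single-site install (the twelve core tables, plus any plugin tables you add to the list) and the matching wp-config.php line. It assumes MySQL/MariaDB with the default backslash LIKE escape; the prefixes and the table list are the only inputs.

```python
"""Generate the SQL for moving a WordPress install to a new table prefix.

Added example, not part of the original checklist or of WordPress.  Assumes a
single-site install with the core tables below (append plugin tables) and a
MySQL/MariaDB backend whose LIKE escape character is the default backslash.
Take a database backup before running the output.
"""
import re

# Core tables of a single-site WordPress database, without prefix.
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms",
    "usermeta", "users",
)

# Letters, digits and underscores only: keeps every generated identifier
# valid and keeps quoting tricks out of the statements below.
_PREFIX_RE = re.compile(r"[A-Za-z0-9_]+")


def validate_prefix(prefix):
    if not _PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix


def _like_literal(s):
    """Escape '_' and '%' so LIKE treats the prefix literally."""
    return s.replace("_", r"\_").replace("%", r"\%")


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """Return the ordered list of statements: renames first, then the two
    data fix-ups without which every user loses all capabilities."""
    validate_prefix(old)
    validate_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # The role definitions live in options.option_name = '<prefix>user_roles'.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # Per-user capabilities/level live in usermeta.meta_key = '<prefix>capabilities'
    # etc.; CONCAT/SUBSTRING replaces only the leading prefix, never a
    # coincidental match further into the key.
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
        f"SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{_like_literal(old)}%';"
    )
    return stmts


def wp_config_line(new):
    """The matching wp-config.php change; WordPress reads only this variable."""
    return f"$table_prefix = '{validate_prefix(new)}';"


if __name__ == "__main__":
    print(wp_config_line("wp_xff_"))
    print("\n".join(prefix_migration_sql("wp_", "wp_xff_")))
```

Run it, review the output, and execute it inside one transaction with the site in maintenance mode; update wp-config.php in the same maintenance window, since the site is broken between the two changes.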
- Remove admin username
Removing the admin username takes away the one username every bot tries first; once the username is known, breaking in is a pure password guess, so it is the half of the credential you would rather the attacker had to find. WordPress does not let you rename a user, so create a new administrator with a different name, log in as it, delete the old admin and attribute its posts to the new account when prompted. Be aware that usernames leak by other routes anyway (author archive URLs such as /?author=1, and the REST API users endpoint on current versions), so treat this as deterrence; the password and the lockout come from the other steps.
- Add directives to robots.txt to not index wordpress files and folders.
Hackers use search engines to find WordPress login pages and core folders, so preventing them from being indexed in the first place makes your install a little harder to discover. There is the counter-argument that anyone who reads your robots.txt sees exactly the paths you would rather not show, and robots.txt is purely advisory, so attack bots ignore it. For me, I would rather take my chances by excluding them from search engines and adding extra protection using different security layers. One practical caveat: blocking /wp-includes and /wp-content/themes stops Google fetching the CSS and JavaScript it needs to render your pages, which can hurt your rankings, so consider leaving those two lines out.
######################################
# ROBOTS! DO NOT INDEX WORDPRESS STUFF!
# added by craig@craig-edmonds.com
######################################
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
- Add htaccess protection to the /.htaccess file
This code prevents hackers from checking whether there is a .htaccess file on your site, or reading it directly. Apache's stock configuration already refuses .ht* files, but shared hosts do not always keep that, and the block costs nothing. Two notes: the pattern matches names containing .hta (so .htaccess and .htaccess.bak) but not .htpasswd, which is one reason the password file in the last step lives outside the web root; and order/deny is Apache 2.2 syntax, which Apache 2.4 honours only with mod_access_compat loaded (the 2.4 native equivalent is Require all denied).
######################################
# STRONG HTACCESS PROTECTION!
# added by craig@craig-edmonds.com
######################################
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
- Add no directory browsing to /.htaccess file
Some hosts already prevent visitors from browsing directories, and WordPress provides an empty index.php in most of its directories, but adding this to your .htaccess disables directory listings for every folder on the site, so a plugin or upload folder that lacks an index.php does not hand out its file list. Note that Options All -Indexes switches every other option on before removing Indexes; Options -Indexes on its own is the minimal change. If your host does not allow Options in .htaccess you will get a 500 error, in which case remove the line and ask the host to disable indexes for you.
######################################
# DISABLE DIRECTORY BROWSING!
# added by craig@craig-edmonds.com
######################################
Options All -Indexes
- Add additional wp-config.php protection to /.htaccess file
This step, like the .htaccess protection, prevents anyone fetching wp-config.php directly. Normally that only executes the file and returns an empty page, but the moment the PHP handler is misconfigured (a broken host migration, say) the file is served as text with your database credentials in it, so the block is worth having; the read-only permissions in the advanced section protect the same file from a different direction. It does not cover editor and backup copies such as wp-config.php.bak or wp-config.php~, which Apache serves as plain text: delete those rather than leaving them around.
######################################
# PROTECT WP-CONFIG.PHP FILE!
# added by craig@craig-edmonds.com
######################################
<files wp-config.php>
Order deny,allow
Deny from all
</files>
- Add some extra sql injection protection inside of root htaccess file
These rules reject requests whose query string carries a few well-known attack markers: the GLOBALS and _REQUEST superglobals abused by register_globals-era exploits, and a pipe followed by an encoded > character. Treat it as a crude tripwire rather than SQL injection protection: it inspects only the query string, never POST bodies, cookies or headers, and an injectable query in a plugin is fixed by the plugin passing its input through $wpdb->prepare(), not by a regex in front of it. It is still worth keeping, as it is cheap and stops the dumbest scanners, and the F flag returns a 403 without ever starting PHP.
######################################
# PROTECT FROM SQL INJECTION!
# added by craig@craig-edmonds.com
######################################
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
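Once the .htaccess blocks above are in place it is worth being able to confirm, after every host migration or plugin that "helpfully" rewrites .htaccess, that they are still there. The script below is an added example, not code from the original post: it audits a site root on the local filesystem for the directives in the four .htaccess sections above and for the read-only permissions recommended in the advanced section further down. It checks the text of the rules only (it cannot tell whether the host's AllowOverride actually honours them), the substring markers are tied to the exact snippets on this page, and SAMPLE_HTACCESS is a constructed fixture so it runs without a real site.

```python
"""Offline audit of the .htaccess rules and read-only permissions from this
checklist.

Added example, not part of the original post.  Filesystem only, no Apache:
it verifies the rule text is present, not that the host honours it.  The
markers are substrings of the exact snippets above; adapt them if you used
different syntax.  SAMPLE_HTACCESS is a constructed fixture.
"""
import stat
import tempfile
from pathlib import Path

# check name -> substring that must appear in the lower-cased .htaccess
HTACCESS_MARKERS = {
    "dotfiles_denied":      "[hh][tt][aa]",             # <Files ~ "^.*\.([Hh][Tt][Aa])">
    "no_directory_listing": "-indexes",                  # Options All -Indexes
    "wp_config_denied":     "<files wp-config.php>",
    "query_string_filter":  "rewritecond %{query_string}",
    "login_restricted":     "wp-login",                  # IP or Basic-auth block
}
# Files the advanced section says should be chmod 444.
READ_ONLY_FILES = ("wp-config.php", ".htaccess", "index.php")

# Constructed fixture: the checklist's rules, abbreviated, in one file.
SAMPLE_HTACCESS = """\
<Files ~ "^.*\\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Options All -Indexes
<files wp-config.php>
Order deny,allow
Deny from all
</files>
RewriteEngine On
RewriteCond %{QUERY_STRING} _REQUEST(=|\\[|\\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
<FilesMatch "wp-login.php">
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>
"""


def is_read_only(path):
    """True when no write bit is set for owner, group or other.  Uses the mode
    bits rather than os.access(), which says 'writable' for root regardless."""
    mode = path.stat().st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


def audit(site_root):
    """Return {check_name: passed}.  A missing .htaccess fails every rule
    check; a missing file fails its permission check."""
    root = Path(site_root)
    results = {}
    ht = root / ".htaccess"
    text = ht.read_text(errors="replace").lower() if ht.is_file() else ""
    for name, marker in HTACCESS_MARKERS.items():
        results[name] = marker in text
    for fname in READ_ONLY_FILES:
        f = root / fname
        results[f"read_only:{fname}"] = f.is_file() and is_read_only(f)
    return results


def failures(results):
    """Sorted names of the checks that did not pass."""
    return sorted(name for name, ok in results.items() if not ok)


def build_sample_site(hardened):
    """Throw-away site root (constructed) so the audit runs without a host."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / ".htaccess").write_text(SAMPLE_HTACCESS if hardened else "RewriteEngine On\n")
    (root / "wp-config.php").write_text("<?php $table_prefix = 'wp_xff_';\n")
    (root / "index.php").write_text("<?php require './mywordpress/wp-blog-header.php';\n")
    for fname in READ_ONLY_FILES:
        (root / fname).chmod(0o444 if hardened else 0o644)
    return root


if __name__ == "__main__":
    for hardened in (True, False):
        label = "hardened" if hardened else "unhardened"
        print(label, failures(audit(build_sample_site(hardened))))
```

Point audit() at your real web root from a cron job and mail yourself the failures list; an empty list means the file-level hardening survived whatever last touched the site.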
Additional Advanced Options
- Change the following files so they are read only (chmod 444) to prevent malicious users writing to them.
Malware that lands on a shared host, whether through stolen FTP credentials or a vulnerable plugin, typically appends itself to exactly these three files, because they are included on every request. Making them read-only stops the automated variant of that: most injection scripts simply open the file for writing and give up when the write fails. It is not a defence against an attacker who holds the file owner's credentials, since they can chmod the file back in one command; what it buys you is protection against code that does not bother to try. The side effect is that WordPress cannot write them either: permalink changes will ask you to update .htaccess by hand, and some plugins expect to edit it, so expect to chmod 644, change, chmod 444 on occasion.
/wp-config.php
/.htaccess
/index.php
- Add wp-login.php protection to /.htaccess file
Automated scripts attack the default login page; restricting wp-login.php (and the bare /wp-admin path) to your own fixed IP address(es) means everyone else gets a 403 Forbidden from Apache before PHP is even started. In the RewriteCond %{REMOTE_ADDR} line below, replace each 255 with the octets of your own address; for additional addresses add further RewriteCond %{REMOTE_ADDR} !^...$ lines with no flag, so they combine with AND. Two caveats: the second condition matches only the bare /wp-admin path, not /wp-admin/ or anything beneath it, which is acceptable since unauthenticated requests there redirect to wp-login.php anyway, but if you widen it to cover /wp-admin/ you must exempt admin-ajax.php, which logged-out visitors use for some plugin features. The R=403 on the RewriteRule does the same as the more usual F flag: mod_rewrite drops the substitution for any non-3xx status and just returns it.
IMPORTANT NOTE: you need a fixed IP for this to work; if you do not have one, use the htpasswd method below, which is more common.
#################################
# LOCKDOWN AND PROTECT WP-LOGIN.PHP FILE
# added by craig@craig-edmonds.com
#################################
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^255\.255\.255\.255$
RewriteRule ^(.*)$ - [R=403,L]
- Add wp-login.php protection using the htpasswd method
It is not fun for server admins when your WordPress is getting attacked: automated login attempts have a kind of DDoS effect, because every POST to wp-login.php costs a full WordPress bootstrap plus a password hash, and can really give a server a workout. Now, if you only use WordPress yourself or with a handful of users, this method puts HTTP Basic authentication in front of the login page, so whoever tries to reach it is prompted for a username and password regardless of their IP address, and Apache rejects the failures before PHP runs. The directives below cover wp-login.php; to cover the /wp-admin folder as well, put a .htaccess with the same Auth lines inside wp-admin and add an exception for admin-ajax.php, which logged-out visitors use. Use a different username and password from your WordPress account, and remember that Basic auth sends them base64-encoded, not encrypted, so the site should be on HTTPS.
Step 1: Create the Password File
Create an empty file named .wpadmin and place it in your home directory, where visitors cannot access it. Usually this is ABOVE the public_html directory in your account (note the period preceding wpadmin in the file name).
EXAMPLE: /home/username/.wpadmin
(where "username" is the cPanel username for the account.)
Step 2: Create the Encrypted Username and Password
1. Visit: http://www.htaccesstools.com/htpasswd-generator/ to generate the line, or, better, generate it on your own machine with htpasswd -n john (Apache's tool, which prompts for the password) or openssl passwd -apr1, so the plaintext password never passes through a third party's web form.
2. Use the form to create the username and password. E.g. if you put the username as john and used the password johndoe, the page gives you a funny-looking string like this: john:$apr1$NFzCXrln$LK4N5.FkrMmqYgFWn8l5E1 (the part after $apr1$ is an 8-character random salt followed by the salted hash, so your own output will differ even for the same password).
STEP 3. Copy that string into the .wpadmin file you created in step 1, one user per line.
Step 4: Update/Create the root .htaccess file
The last step is to place the following code in the site's root .htaccess file, the same /.htaccess the earlier sections edit (on a cPanel account the web root is /home/username/public_html, so the file is public_html/.htaccess, while the .wpadmin password file stays one level up at /home/username/.wpadmin). Some servers create the .htaccess file automatically, so if it exists already just add the code below to it; if not, create a new one.
1. open the root .htaccess (if there is not one already, create a new one)
2. paste the following code into the .htaccess file, replacing username in the AuthUserFile path with your own account name:
ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "wp-login.php">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wpadmin
require valid-user
</FilesMatch>
Your wordpress login page should now prompt you for a username and password.
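Step 2 above sends your chosen password to a third-party web form. The script below is an added example, not code from the original post or from Apache, that produces the same kind of line locally: it implements Apache's apr1 format (the MD5-crypt variant the page's example string uses, accepted by every Apache version) together with a verify function and a random-salt generator. On Apache 2.4 prefer bcrypt via htpasswd -B when the tool is available; the username, password and salt used in __main__ are the page's own illustration, and a fresh random salt is generated when none is given.

```python
"""Generate a .wpadmin / htpasswd line locally, so the password never goes
through a third-party web form.

Added example, not part of the original post or of Apache.  Implements the
apr1 (MD5-crypt variant) format used by htpasswd -m and by the example line
on this page.  On Apache 2.4 prefer `htpasswd -B` (bcrypt) when available.
"""
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$apr1$"


def _to64(value, count):
    """Apache's to64(): emit `count` chars, six bits at a time, low bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return out.decode("ascii")


def apr1_md5(password, salt):
    """Return '$apr1$<salt>$<22 chars>' exactly as htpasswd -m would."""
    pw = password.encode("utf-8")
    salt = salt[:8]                       # Apache uses at most 8 salt chars
    sb = salt.encode("ascii")
    if not sb or any(c not in ITOA64 for c in sb):
        raise ValueError("salt must be 1-8 characters from ./0-9A-Za-z")

    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    n = len(pw)
    while n > 0:                          # mix in len(pw) bytes of `alt`
        ctx.update(alt[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                              # per-bit loop from the original code
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()

    for i in range(1000):                 # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Digest bytes are shuffled into triples before the base-64-style encoding.
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    return f"{MAGIC}{salt}${enc}"


def verify_apr1(password, hashed):
    """Constant-time check of a password against an existing apr1 hash."""
    parts = hashed.split("$")             # ['', 'apr1', salt, hash]
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    try:
        return hmac.compare_digest(apr1_md5(password, parts[2]), hashed)
    except ValueError:                    # malformed salt
        return False


def htpasswd_line(user, password, salt=None):
    """One line for the .wpadmin file.  Salt is random unless given."""
    if ":" in user or not user:
        raise ValueError("username must be non-empty and contain no ':'")
    if salt is None:
        salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{user}:{apr1_md5(password, salt)}"


if __name__ == "__main__":
    # The page's illustration: username john, password johndoe, salt NFzCXrln.
    print(htpasswd_line("john", "johndoe", "NFzCXrln"))
    print(htpasswd_line("john", "johndoe"))   # fresh random salt each run
```

Append the printed line to /home/username/.wpadmin and test with a wrong password first: Apache must answer 401 before you trust the file.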
Happy Days!