    #1
    Just Another Coder

    Guide to Secure WordPress

    WordPress is open source, meaning anyone, including a hacker with malicious intent, can scan the source code to find holes in its security. That's why I'm going to show which precautions are good to take to protect you, your WordPress and, most importantly, your users.

    Every version comes with improvements, but until we get a completely secure WordPress version we have to find ways to improve the security ourselves. I just wanted a list of items you can do that can make your blog a little harder to crack. Some security is better than no security, in my opinion. If a bot or a hacker spends too much time trying to get in, hopefully they will move on to something different and easier to find.

    There shouldn't be any reason for you to leave your WordPress wide open for hackers to creep in and steal your information and/or destroy your data.


    Follow these steps to secure your WordPress installation and your website.

    - Regular Backups

    Regardless of the level of security of your WordPress site, it is a good habit to always back up your site. There are many ways to do this.

    You can take advantage of cron jobs, if your hosting company provides them, by using this script:

    Code: 
    #!/bin/bash
    # Nightly WordPress database dump, gzipped and mailed to you with mutt.
    set -euo pipefail
    DBNAME=DB_NAME
    DBUSER=DB_USER
    DBPASS=DB_PASSWORD   # visible in the process list on shared hosts; a ~/.my.cnf with mode 600 is safer
    EMAIL="you@your_email.com"
    DATE=$(date +%Y%m%d)
    FILE="$DBNAME-backup-$DATE.sql.gz"
    mysqldump --opt -u "$DBUSER" -p"$DBPASS" "$DBNAME" | gzip > "$FILE"
    # Recent mutt versions need -- before the recipient when -a is used.
    echo 'BLOG BACKUP: Your backup is attached' | mutt -s "MySQL Backup" -a "$FILE" -- "$EMAIL"
    rm -f "$FILE"
    The easiest way to go is to just log into the admin panel, navigate to Tools and then click on Export. This makes your life easier especially when you need to re-set up your WordPress.


    - Use Strong Password

    Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case to form your password. Yes, I know, you’re sick and tired of this tip. But having a good password is a must.

    A random password generator might help you out with this.

    - Hide WordPress Version

    Let me guess: you don't have time to update your WordPress version, or 5 minutes to spare. Would you give a hacker a chance to creep in? No? Then do the following to hide the current version of your WordPress blog.

    Remove the following from your header.php (if it exists). Delete it and press Update File.

    Code: 
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
    If you're using a premium theme, odds are that the developer took the liberty of disabling it for you, but it's always better to be sure. Open your functions.php file and drop in this line of code.

    Code: 
    <?php
    // Stops WordPress from printing the generator meta tag into <head>.
    remove_action('wp_head', 'wp_generator');
    - Change Default admin Account

    Create a new account with a username you like, give it full rights, then log in with that new account, and change the admin user's role to subscriber. That's better than deleting the admin account. The admin account is essentially only needed to manage themes, plugins and other aspects of the site that do not need to be changed on a daily basis; an editor account would be sufficient.

    Why? Because the hacker, bot or whatever will first check the username admin. If it does not exist, WordPress will say so in its error message, but if it does exist, he will believe it is the real administrator account and will try to break its password. Even if he manages to, he is logged in as a subscriber and cannot do harm. So we are actually misleading them in the wrong direction.

    - Always UPDATE WordPress & Plugins


    This is very important. Once a new update is out for WordPress, a plugin or a theme, back up your database and click the update button without hesitation. Besides a few cool features that may have been added to WordPress in the new version, there's a good chance that some major security hole is fixed.

    Nearly 60 million sites use WordPress. When Automattic pumps out an update, the sooner you update your site the better, because when they release a new update they also post the vulnerabilities that they fixed.

    3rd party application makers keep updating their applications to fix security holes. Make sure you update them too from time to time.

    - Limit Login Attempts

    When you are the admin of the site, do you require more than 5 tries to log in to the admin dashboard? Well, a hacker who is trying to get into it will probably require more than 5 attempts to get in there. Installing a plugin for this improves security, I feel, by adding another layer to it. Login LockDown is one of the best plugins to limit login attempts. There are a few options you can select, like the number of unsuccessful login attempts in a certain period of time and the "ban" time. This plugin is useful when it comes to defending yourself against a brute force attack: most attackers give up on a site if their IP gets banned for 5 minutes while running their brute force program.

    - .htaccess For Security

    .htaccess plays an important role and is also a key file for securing your blog in an efficient way. Build a hard wall around the wp-admin folder to allow only "you" to enter it and see its contents, using the following code in .htaccess:

    Code: 
    # Goes in /wp-admin/.htaccess, not the site root.
    # The original <LIMIT GET> wrapper is left out on purpose: it restricted GET only,
    # and wp-admin is driven by POST requests, so every other method passed straight through.
    # The AuthUserFile/AuthName lines did nothing without a Require valid-user and are dropped.
    # Apache 2.2 syntax:
    <IfModule !mod_authz_core.c>
    order deny,allow
    deny from all
    # Whitelist your IP address
    allow from xx.xx.xx.xxx
    # Whitelist your office's IP address
    allow from xx.xx.xx.xxx
    # Whitelist your IP address while you are traveling (delete when you come back home)
    allow from xx.xx.xx.xxx
    </IfModule>
    # Apache 2.4 syntax (the 2.2 directives only work there through mod_access_compat):
    <IfModule mod_authz_core.c>
    Require ip xx.xx.xx.xxx xx.xx.xx.xxx xx.xx.xx.xxx
    </IfModule>
    # Plugins that call /wp-admin/admin-ajax.php from the public site need this exception:
    <Files admin-ajax.php>
    <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
    Require all granted
    </IfModule>
    </Files>
    If you have a dynamic IP then this method isn't much help to you. Replace the xx.xx.xx.xxx with your IP address. Make sure you put this .htaccess in the wp-admin folder (/wp-admin/), not in the root folder.

    - Configuring the wp-config file

    Keys

    Whenever you are installing WordPress for the first time, make sure that when you add the database details you also add the keys. You can generate the keys from http://api.wordpress.org/secret-key/1.1/

    This is the most common thing people forget to do.

    Code: 
    define('AUTH_KEY',         'put your unique phrase here');
    define('SECURE_AUTH_KEY',  'put your unique phrase here');
    define('LOGGED_IN_KEY',    'put your unique phrase here');
    define('NONCE_KEY',        'put your unique phrase here');

    wp_ table prefix

    The default prefix for tables in the database is "wp_" and it is advisable to change it to something else. You can use the WP Security Scan plugin to do that, and more to improve safety.

    - Hide your Plugins

    In recent versions of WordPress this is already implemented, but just to let you know, I am writing about it. A hacker may easily find out if there are any security related plugins installed on your blog by going to /wp-content/plugins.


    Adding a blank index.html to the plugins folder is like a security sign: it does not matter if you actually have security, but as long as the hacker does not know, he will be less inclined to try something.

    - Folder permissions

    Unfortunately, this is a difficult issue and varies from server to server. In general, you really want to limit who has access to your files on your server. For shared hosting, they are already configured for you. For others, you should probably limit permissions to 755 or 644. You can start by looking at some recommendations for the right permissions on WordPress.

    List of Recommended Plugins

    Note that many plugins will run at the expense of the performance of your WordPress blog. Some of the plugins run only on demand, while others are present and run all the time, so your mileage may vary. Also, some of these plugins do not work properly.

    Now, with a safe and secure WordPress installation, you are ready to freely post your content without having to be afraid of being hacked.

    There may be many posts about this subject, but my post focuses on a complete overview of the best ways to secure your WordPress blog. I might have missed something; if so, do let me know. I am not a pro, I just shared what I know.

    Source : Feed The Flow

    Tip from Proto Worker

    Quote Originally Posted by ProtoWorker
    Also move wp-config.php to somewhere below the www/public_html directory. You need not do any additional modifications for that, just move it and it works fine.

    EDIT: I also suggest a plugin named '404 Notifier'. It not only helps you in finding dead requests but also garbage requests, which can be a good starting point for hackers.
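As an added example (not code from the post, from its source or from WordPress), the following script checks a WordPress tree against several of the steps in the post above: the wp-config.php keys, the table prefix, file permissions, the index file in wp-content/plugins, and one version leak the post does not mention, readme.html. The script name, the check_* function names and the exit-code convention are my own. It assumes a stock directory layout, a POSIX shell with GNU or BSD stat and find, and that wp-config.php sits either in the install root or one directory above it, which is where WordPress itself (wp-load.php) looks for it when the relocation tip from this thread has been applied.

```shell
#!/usr/bin/env bash
# wp_audit.sh (added example, not from the post): offline checks for several of
# the hardening steps above. Usage: wp_audit.sh /path/to/wordpress
# Exit status is the number of steps found NOT done.
set -u

# wp-load.php also accepts wp-config.php one directory above the install root
# (the relocation tip in the thread), so look in both places.
config_path() {
    if [ -f "$1/wp-config.php" ]; then printf '%s\n' "$1/wp-config.php"
    else printf '%s\n' "$1/../wp-config.php"; fi
}

# Keys/salts: each define must carry a real value, not the 27-character
# placeholder "put your unique phrase here" (api.wordpress.org issues 64 characters).
check_salts() {
    local cfg key
    cfg=$(config_path "$1")
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        if ! grep -Eq "define\([[:space:]]*'$key'[[:space:]]*,[[:space:]]*'[^']{32,}'" "$cfg" 2>/dev/null; then
            echo "FINDING: $key is missing or still the placeholder in $cfg"
            return 1
        fi
    done
    return 0
}

# Table prefix: anything other than the default wp_.
check_prefix() {
    local cfg
    cfg=$(config_path "$1")
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg" 2>/dev/null; then
        echo "FINDING: \$table_prefix is still the default wp_"
        return 1
    fi
    return 0
}

# Permissions: wp-config.php should not be world-readable, and nothing under the
# install should be world-writable (the 755/644 recommendation already rules that out).
check_perms() {
    local cfg mode ww rc=0
    cfg=$(config_path "$1")
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg" 2>/dev/null)
    case "$mode" in
        *[4567]) echo "FINDING: $cfg is world-readable (mode $mode); use 640 or 600"; rc=1 ;;
    esac
    ww=$(find "$1" -perm -o+w \( -type f -o -type d \) 2>/dev/null | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "FINDING: $ww world-writable path(s) under $1"
        rc=1
    fi
    return $rc
}

# Directory listing: an index file in wp-content/plugins hides the plugin list
# on servers that have Options Indexes enabled.
check_plugins_index() {
    local dir="$1/wp-content/plugins"
    if [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ]; then return 0; fi
    echo "FINDING: no index file in $dir"
    return 1
}

# Version disclosure: removing the generator tag is not enough while readme.html,
# which prints the exact version, is still served from the install root.
check_readme() {
    if [ -e "$1/readme.html" ]; then
        echo "FINDING: readme.html is present and reveals the WordPress version"
        return 1
    fi
    return 0
}

audit() {
    local root="$1" findings=0
    check_salts "$root"         || findings=$((findings + 1))
    check_prefix "$root"        || findings=$((findings + 1))
    check_perms "$root"         || findings=$((findings + 1))
    check_plugins_index "$root" || findings=$((findings + 1))
    check_readme "$root"        || findings=$((findings + 1))
    echo "$findings hardening step(s) not done"
    return "$findings"
}

# Only run when an install path is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    audit "$1"
fi
```

Run it as `wp_audit.sh /var/www/html` after applying the steps; the exit status is the number of steps still undone, so it can sit in the same cron as the backup. Removing the generator tag closes only one channel: readme.html prints the exact version, and so do the `?ver=` query strings WordPress appends to its own stylesheets and scripts and the generator element in the RSS feed, which the `wp_head` hook does not touch. The script therefore checks readme.html separately and does not count the generator tag as hiding anything.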

    #2
    Member
    Thanks for the Info Dear

    #3
    Member
    Very nice information
    Good Bye Mates..

    #4
    Member
    Also move wp-config.php to somewhere below the www/public_html directory. You need not do any additional modifications for that, just move it and it works fine.

    EDIT: I also suggest a plugin named '404 Notifier'. It not only helps you in finding dead requests but also garbage requests, which can be a good starting point for hackers.

    #5
    Member
    bookmarked

    #6
    Just Another Coder
    Quote Originally Posted by ProtoWorker
    Also move wp-config.php to somewhere below the www/public_html directory. You need not do any additional modifications for that, just move it and it works fine.

    EDIT: I also suggest a plugin named '404 Notifier'. It not only helps you in finding dead requests but also garbage requests, which can be a good starting point for hackers.
    Oh yeah, that's a good one, added to the main post.

    #7
    Member
    Thanks for this! Bookmarked!

    #8
    Member
    @fdls

    I think you should suggest 'Limit Login Attempts' plugin instead of login lockdown. There are two problems with login lockdown:

    1. It leaves a signature in your login page about the plugin and its name. If a known exploit of LL exists, a hacker will easily gain access to your site.
    2. 'Limit login attempts' is constantly updated to fix bugs, unlike Login Lockdown.

    #9
    Member
    Thanks for this! Bookmarked!

    #10
    Probation
    Thanks, very helpful. I was looking to make automatic backups.
