Secure WordPress

Blog security 101: how to lock down your WordPress site. Most of these techniques are easy for a beginner to implement, or to recover from if something goes wrong. If you're new to WordPress, please read our basic guide before proceeding with this one.

1. Delete the Admin login

The default Admin login and its privileges make an easy target for any exploit. You should delete this user account right away. The steps:

1. Log in with the default Admin account
2. Create a new user with a unique name and Admin privileges  <— very important
3. Log in as the new user and delete the Admin user.

Note: On a fresh install this step can be done quickly by changing the default user name to something other than “Admin” during setup.

1. Change your WordPress Nickname

Bots will scrape your site's posts looking for author tags and then use the names they find as your login username; this is a very effective attack vector for brute-force guessing. In your WP admin, click your Profile (or Users), add a Nickname (or First Name) and then set “Display name publicly as” to something different from your actual login username!

2. Schedule regular backups

Regular backups are a must, and having tiered backups is even better: that means backing up the WordPress database and also your server disk. There are several backup plugins and services that will back your data up. It is also very advisable to ask your host about disk-based backups, and remember to read the fine print.

3. Get some WordPress security keys

WordPress uses secret security keys and salts to protect the information stored in your cookies.
These keys go into your wp-config.php, and you can find a random key generator on the official wordpress.org site here: https://api.wordpress.org/secret-key/1.1/salt/ . Hit refresh in your browser to get new keys and copy/paste the whole thing into your wp-config.php.
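As an added example (not from the original guide): the salts can also be generated offline on your own machine, which avoids obtaining secrets over the network. The script below produces the same eight define() lines WordPress expects; the constant names are WordPress's own, while the 64-character length and the character set are this example's choices.

```shell
#!/bin/sh
# Added example: generate the eight wp-config.php key/salt definitions locally
# from /dev/urandom instead of fetching them from api.wordpress.org.
# The constant names are the ones WordPress reads; 64 characters and the
# character set below are this example's choice (assumption, not a WP rule).

# one_secret: print one 64-character secret made only of characters that are
# safe inside a single-quoted PHP string (no quote, backslash or dollar sign).
one_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=<>?:;,.|~-' < /dev/urandom | head -c 64
    echo
}

# wp_salts: emit the define() lines, ready to paste into wp-config.php in
# place of the eight placeholder lines that ship with wp-config-sample.php.
wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(one_secret)"
    done
}

wp_salts
```

Run it once per site and paste the output over the existing eight lines; changing the keys invalidates every current login cookie, which is also the quickest way to force all sessions to re-authenticate after a suspected compromise.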

4. Rename the database prefix pre-installation only!

This is for PRE-INSTALL ONLY. We cover doing this on a live site in the advanced guide, as doing it wrong will kill your site. If you're starting with a fresh install, the install screen gives you an option to change the database prefix. All default WordPress installs use the database prefix “wp_”, which makes any exploiter's job much easier; change this prefix to something unique.

5. Limit your plugin and theme use and delete unused ones.

Not only are many plugins and themes insecure, they can also slow your site down to a crawl. Limit your plugin use as much as you can, delete unused plugins and themes, and keep the rest updated. Keeping your system clean reduces fingerprinting and the chance of rogue code being exploited, and if something does infect your site it is much easier to manage.

6. Move wp-config up one directory and lock it down

The wp-config.php file contains all your WordPress database credentials. You can move this file up one directory on your server, outside the web root, which protects it from browser-based attacks. It is also a good idea to change its permissions to 600.
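Done by hand this is one mv and one chmod; the added script below (example code, not from the guide) wraps those two commands with the checks that make the move safe to repeat. It relies on WordPress's own lookup rule: when wp-config.php is missing from the web root, wp-load.php looks in the parent directory, provided that directory is not itself a WordPress install (it checks for wp-settings.php there). The web-root path passed as the argument is the only assumption.

```shell
#!/bin/sh
# Added example: move wp-config.php one level above the web root and lock it
# to mode 600. WordPress itself falls back to ../wp-config.php when the file
# is missing from the web root, as long as ../wp-settings.php does not exist.
# Usage: lockdown_wp_config /var/www/example.com/public   (path is assumed)
# Mode 600 assumes PHP runs as the file's owner; if the web server runs as a
# different user in the same group, use 640 instead.

lockdown_wp_config() {
    webroot="$1"
    parent="$(dirname "$webroot")"
    src="$webroot/wp-config.php"
    dst="$parent/wp-config.php"

    if [ ! -f "$src" ]; then
        echo "no wp-config.php found in $webroot" >&2
        return 1
    fi
    # The parent must not be a WordPress root, or WordPress will never look
    # there for the moved file (and you may be about to break another site).
    if [ -f "$parent/wp-settings.php" ]; then
        echo "$parent is itself a WordPress root; not moving" >&2
        return 1
    fi
    # Never clobber an existing file: it may hold another install's credentials.
    if [ -e "$dst" ]; then
        echo "$dst already exists; not overwriting" >&2
        return 1
    fi
    mv "$src" "$dst" || return 1
    chmod 600 "$dst"
}

# wp_config_is_locked: succeed only when wp-config.php sits above the given
# web root (not inside it) with mode 600.
wp_config_is_locked() {
    webroot="$1"
    [ ! -e "$webroot/wp-config.php" ] || return 1
    f="$(dirname "$webroot")/wp-config.php"
    [ -f "$f" ] || return 1
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ]
}

# Run against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    lockdown_wp_config "$1"
fi
```

After the move, the wp-config.php rule from the .htaccess step below is no longer needed, since the file is no longer under any path the web server will serve.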

7. Limit login attempts

Relying on plugins for security can be an afterthought, and relying on something to protect what is already insecure is bad practice. The plugin Limit Login Attempts, on the other hand, is very useful: it blocks repeated failed logins to your site and locks out brute-force attacks. It can even log the IPs that are failing to get in.

8. Check your file and directory permissions

File and directory permissions can be tricky depending on the host. In the majority of cases you want files set to 644 or 640 and folders set to 755 or 750. You should never have to set anything to 777 unless your host has been mis-configured, EVER! The golden rule with permissions is to set them as low as you can while keeping the site in working order.

9. Hide version info

Hiding the WP version info is a small step against bots crawling your site; it does not prevent fingerprinting, but every little bit helps. In your theme's functions.php add the following:

// remove version info from head and feeds
function complete_version_removal() {
    return '';
}
add_filter('the_generator', 'complete_version_removal');

10. Enable ssl login

Enable SSL login if your site has an SSL certificate. To enable SSL your site must be reachable over https. You can enable this just for the login or for the whole Admin in your wp-config.php. SSL login encrypts the data you send to WordPress and is especially helpful in thwarting man-in-the-middle attacks.

// this goes in your wp-config.php file
//
// for just the login
define('FORCE_SSL_LOGIN', true);
// for the whole admin (this also covers the login page)
define('FORCE_SSL_ADMIN', true);
// note: FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN is the one to use

11. Don’t allow search bots to browse your directories

Google search can crawl unwanted URLs and expose them to hackers. It's best to prevent Googlebot and any other bots that honour robots.txt (not all of them do) from indexing anything but your content. The robots.txt goes in your site's root folder and is just a text file.

User-agent: *
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-

12. Disable user registration.

Yes, you can disable user registration in the Admin, so if you're running a small blog or CMS and don't have multiple people sharing it, go ahead and disable user registration completely under your General settings.

13. Disable theme and plugin edits/updates

Prevent users from being able to edit or update sensitive files via the admin.

// this goes in your wp-config.php file
define('DISALLOW_FILE_EDIT', true); // edits: removes the theme/plugin file editor from the admin
define('DISALLOW_FILE_MODS', true); // updates: also blocks plugin, theme and core installs/updates from the admin

14. Basic .htaccess Rules

Some basic rules that you can add to your root .htaccess file. More advanced rules are covered in the advanced guide, as messing around here can break your site, but these won't do much other than protect you.

# .htaccess comments start with #; a line starting with // is read as a
# directive and gives a 500 error for the whole site

# limit indexing of directories
# (Apache rejects "Options All -Indexes": a bare option cannot be mixed
# with +/- options, so only the -Indexes form is used)
Options -Indexes

# protect the htaccess file,
# this is done by default with the apache config file,
# but you never know.
<Files .htaccess>
order allow,deny
deny from all
</Files>

# disable the server signature
ServerSignature Off

# limit file uploads to 10mb
LimitRequestBody 10240000

# protect wp-config.php.
# If you followed step 6 this is not necessary.
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# note: order/deny is Apache 2.2 syntax (Apache 2.4 still accepts it via
# mod_access_compat); on 2.4 the equivalent is "Require all denied"

15. Delete the readme and any unnecessary files.

WordPress has a default readme.html, and many plugins and themes also come with one. It's best to just delete them, as they can be used for fingerprinting or general snooping and often contain version info. Also keep your folders clean of any junk files.
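Steps 8 and 15 are both things worth re-checking after every update, since plugin and theme updates restore readme files and can reset permissions. The added script below (example code, not from the guide) audits a WordPress tree for both: it reports files and directories that do not match the 644/640 and 755/750 rules from step 8, flags anything world-writable, treats wp-config.php separately (600 or 640), and lists leftover readme files. The accepted modes and the readme filenames (readme.html plus the readme.txt that plugins ship) are this example's assumptions. It only reports; it changes nothing.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the permission rules in step 8
# and the leftover readme files from step 15. Report only, no changes.
# Usage: audit_wp_perms /path/to/wordpress; leftover_readmes /path/to/wordpress
# Accepted modes (assumption, matching the guide): files 644/640,
# directories 755/750, wp-config.php 600/640.

# mode_of: numeric permission bits of a path (GNU stat, BSD stat fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# audit_wp_perms: print one line per finding as "<kind> <mode> <path>".
# Prints nothing when the tree is clean.
audit_wp_perms() {
    root="$1"
    find "$root" \( -type f -o -type d \) -print | while IFS= read -r p; do
        m="$(mode_of "$p")"
        base="$(basename "$p")"
        # anything world-writable (last digit 2, 3, 6 or 7) is a finding
        # regardless of type: this is the "never 777" rule
        case "$m" in *[2367]) echo "world-writable $m $p"; continue;; esac
        if [ -d "$p" ]; then
            case "$m" in 755|750) ;; *) echo "dir $m $p";; esac
        elif [ "$base" = "wp-config.php" ]; then
            case "$m" in 600|640) ;; *) echo "wp-config $m $p";; esac
        else
            case "$m" in 644|640) ;; *) echo "file $m $p";; esac
        fi
    done
}

# leftover_readmes: list readme files that carry version info for
# fingerprinting (core ships readme.html; plugins and themes ship readme.txt).
leftover_readmes() {
    find "$1" -type f \( -iname readme.html -o -iname readme.txt \) -print
}

# Run both checks against the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
    leftover_readmes "$1"
fi
```

Review the findings before fixing anything: a host that runs PHP under a separate user may legitimately need 750/640 rather than 755/644, and the uploads directory is the one place where group-write is sometimes required. Once you have confirmed a clean baseline, re-running the audit after each update is a cheap way to spot a file that an update or an intruder has made writable.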
