I haven't posted anything here for a very long time, so I thought I should share my own article on WordPress security. The tutorial is not well written because of lack of time, but you can still actually make it hack proof :p
I'll be teaching you many ways to secure your WordPress site, including securing the admin area, dealing with vulnerable plugins, playing with .htaccess code and much more. There are some security plugins that can help you secure your site, but don't rely on plugins alone: they can be bypassed easily, and sometimes the plugin itself is vulnerable.
Don't worry, I'm here to help you. If you haven't installed WordPress yet, let's first secure it from the very beginning of the installation; you can continue reading here for this. This tutorial will teach you how you can install WordPress from scratch with security in mind. If you've already installed WordPress, I advise you to change the database table prefix; by default it is wp_, change it to whatever you want.
1. Username Is Admin?
Never use the username admin. If you're using this username, change it immediately to something unique and hard to guess! Brute forcers will try this username first.
2. Strong Password
As explained above, there are many ways a malicious user can get into your website, and brute forcing is one of them and very common. It's better to have a very strong password, but not one that is very hard to remember. Make it at least 9 characters long, mixed with uppercase, lowercase, symbols and numbers. Brute forcers work with password lists, so make it unique as well; it's very easy to make strong passwords.
3. Limit Login Attempts
I love this one :p As I told you above about the brute force method, attackers will just try passwords until they guess the correct one, so in this case we can use plugins to secure the login form. Use plugins to add a captcha and limit login tries: brute forcers can't solve the captcha, and after a few failed login attempts the user will be locked out from logging in again.
4. Change Default Login URL
By default, the WordPress admin login URL is wp-admin and everyone can access it, and if someone manages to crack your password then he knows what to do next :p In that case, we can change the URL to whatever we want and trick them. You don't have to do this manually, because there are some paid and free plugins for this job.
5. Password Protect Admin Directory
This works like an additional login panel. To view or log in to the admin panel the user will be asked to enter a password to unlock the page, and on a wrong password the user will not be able to log in. You can do this by uploading the AskApache Password Protect plugin and the plugin will do the rest! You can download it from the link below.
6. Remove Login Error Message
By doing this you can easily prevent a username disclosure vulnerability. What actually happens is that when someone enters a wrong username and tries to log in, the form comes up with an error message saying the username is wrong; this helps him identify a correct username, and on a correct username it will come up with "The password you entered for "username" is wrong". Navigate to Appearance => Editor, open the functions.php file and add this code:
// Return an empty message for every failed login so the form no longer reveals whether the username exists.
// (The original used create_function(), which was removed in PHP 8; a closure does the same job.)
add_filter('login_errors', function ($errors) { return null; });
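As an added example that is not code from the article or from any particular plugin, the following must-use plugin does in one file what sections 3 and 6 describe: it counts failed logins per client address with the WordPress transient API, refuses further attempts after a threshold, and replaces the detailed login error with one generic message. The file name, the lh_ function names and the thresholds are assumptions made for this example.

```php
<?php
/*
Plugin Name: Login Hardening (added example)
Description: Generic login error message plus a per-address lockout after repeated failures.
*/
// Added example, not code from the article: save it as wp-content/mu-plugins/login-hardening.php
// (must-use plugins load without activation). Thresholds and function names are assumptions.

const LH_MAX_ATTEMPTS   = 5;       // failures allowed inside the window
const LH_WINDOW_SECONDS = 15 * 60; // counting and lockout window; every failure extends it

// Only REMOTE_ADDR is set by the web server itself; a client-supplied header such as
// X-Forwarded-For could be forged to dodge the lockout, so it is not consulted here.
function lh_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Transient key under which failures for one address are counted.
function lh_key(): string {
    return 'lh_fail_' . md5(lh_client_ip());
}

// Section 3: count each failed login (fires for wrong username and wrong password alike).
function lh_record_failure($username): void {
    $count = (int) get_transient(lh_key());
    set_transient(lh_key(), $count + 1, LH_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'lh_record_failure');

// Section 3: once the threshold is reached, refuse the login even if the password is right.
// Priority 30 runs after WordPress's own username/password check (priority 20), so the
// WP_Error returned here is what the login form receives instead of the WP_User.
function lh_check_lockout($user, $username, $password) {
    if ((int) get_transient(lh_key()) >= LH_MAX_ATTEMPTS) {
        return new WP_Error('lh_locked_out', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lh_check_lockout', 30, 3);

// A successful login clears the counter for that address.
function lh_clear_failures($user_login, $user): void {
    delete_transient(lh_key());
}
add_action('wp_login', 'lh_clear_failures', 10, 2);

// Section 6: one generic message regardless of whether the username or the password
// was wrong, so the form no longer confirms which usernames exist.
function lh_generic_error($errors) {
    return 'Login failed. Check your username and password.';
}
add_filter('login_errors', 'lh_generic_error');
```

Because the check hangs on the authenticate filter, it applies to every code path that goes through wp_authenticate(), not only the wp-login.php form. On a site behind a reverse proxy REMOTE_ADDR is the proxy's address, so the lockout would then be shared by all visitors; in that setup the trusted-proxy address must be resolved before this counter is useful.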
7. WordPress Firewall
Works just like a computer firewall; it's a great plugin and really helps. Some features are listed below.
- Detect, intercept, and log suspicious-looking parameters, and prevent them compromising WordPress.
- Also protect most WordPress plugins from the same attacks.
- Optionally configure as the first plugin to load for maximum security.
- Respond with an innocuous-looking 404, or a home page redirect.
- Optionally send an email to you with a useful dump of information upon blocking a potential attack.
- Turn on or off directory traversal attack detection.
- Turn on or off SQL injection attack detection.
- Turn on or off WordPress-specific SQL injection attack detection.
- Turn on or off blocking executable file uploads.
- Turn on or off remote arbitrary code injection detection.
- Add whitelisted IPs.
- Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.
8. Update WordPress
Keep your WordPress updated on time, because updates fix vulnerabilities; after the update you will see that the previously known bugs are fixed.
9. Disable Directory Listings
This is also important: one can easily browse your plugin files, the wp-includes folder or theme files. Disabling directory listings can help you prevent an FPD (Full Path Disclosure) vulnerability. You can do this by adding this one line to your .htaccess file.
Options -Indexes
10. Disable PHP Execution
By doing this you can disable all already uploaded PHP backdoors or shells, and this can really help you in many ways. Most backdoors and shells are coded in PHP, which is why it's very useful. Do this by creating a new file named .htaccess, adding the code below, and uploading it to the wp-content and wp-includes folders. Test the site afterwards: a few files under these folders are requested directly by the browser, and some plugins call their own PHP files directly, so those would need an exception.
<Files *.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
deny from all
</Files>
11. Protect Wp-config.php
This is very important. As I explained above, if one website is vulnerable, so are you; you can prevent the symlink attack by just securing the config. We have to secure it so no one can see what's inside wp-config.php, and that way we protect our database credentials. Add this code to your .htaccess file.
<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
order allow,deny
deny from all
</Files>
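To verify that steps 9, 10 and 11 (and the table prefix change from the introduction) are actually in place on a document root, here is an added command-line check; it is not code from the article. It reads the root .htaccess, the wp-content and wp-includes .htaccess files and wp-config.php, accepts both the Apache 2.2 and 2.4 deny syntax, and builds a constructed sample tree in a temporary directory when no path is given, so it can be tried offline. The function names, regexes and the sample tree are assumptions made for this example.

```php
<?php
// Added example (not from the article): audit the .htaccess / wp-config.php hardening
// steps above. Usage: php audit_wp_hardening.php [docroot]   (no argument: sample tree)

// True when $file contains a <Files name> block that denies all access, accepting
// both Apache 2.2 ("deny from all") and Apache 2.4 ("Require all denied") syntax.
function files_block_denies(string $file, string $name): bool
{
    $conf = is_file($file) ? (string) file_get_contents($file) : '';
    $pattern = '/<files\s+"?' . preg_quote($name, '/') . '"?\s*>.*?'
             . '(deny\s+from\s+all|require\s+all\s+denied).*?<\/files>/is';
    return preg_match($pattern, $conf) === 1;
}

// Audit a WordPress document root; returns the list of findings (empty means all checks pass).
function audit_wordpress_root(string $root): array
{
    $findings = [];
    $ht = is_file("$root/.htaccess") ? (string) file_get_contents("$root/.htaccess") : '';

    // 9. Directory listings: an "Options" line carrying -Indexes in the root .htaccess.
    if (!preg_match('/^\s*Options\b[^\n]*-Indexes/mi', $ht)) {
        $findings[] = 'directory listing not disabled (no "Options -Indexes" in .htaccess)';
    }

    // 10. No PHP execution from wp-content and wp-includes.
    foreach (['wp-content', 'wp-includes'] as $dir) {
        if (!files_block_denies("$root/$dir/.htaccess", '*.php')) {
            $findings[] = "PHP execution not blocked in $dir/.htaccess";
        }
    }

    // 11. wp-config.php blocked from the web.
    if (!files_block_denies("$root/.htaccess", 'wp-config.php')) {
        $findings[] = 'wp-config.php not blocked in .htaccess';
    }

    // Introduction: the table prefix should no longer be the default wp_.
    $cfg = is_file("$root/wp-config.php") ? (string) file_get_contents("$root/wp-config.php") : '';
    if (preg_match('/\$table_prefix\s*=\s*[\'"]wp_[\'"]/', $cfg)) {
        $findings[] = 'database table prefix is still the default wp_';
    }
    return $findings;
}

// Constructed sample tree so the script can be tried without a real site.
function build_sample_root(): string
{
    $root = sys_get_temp_dir() . '/wp-audit-' . bin2hex(random_bytes(4));
    mkdir("$root/wp-content", 0700, true);
    mkdir("$root/wp-includes", 0700, true);
    // Root .htaccess: listings off and wp-config.php protected (both checks pass).
    file_put_contents("$root/.htaccess",
        "Options -Indexes\n<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n");
    // wp-content hardened; wp-includes deliberately left without a .htaccess to produce a finding.
    file_put_contents("$root/wp-content/.htaccess", "<Files *.php>\ndeny from all\n</Files>\n");
    // Constructed config still using the default prefix (second finding).
    file_put_contents("$root/wp-config.php", "<?php\n\$table_prefix = 'wp_';\n");
    return $root;
}

$root = $argv[1] ?? build_sample_root();
$findings = audit_wordpress_root($root);
if ($findings === []) {
    echo "OK: all hardening checks passed for $root\n";
} else {
    foreach ($findings as $finding) {
        echo "FINDING: $finding\n";
    }
}
```

Run without arguments it reports two findings for the sample tree (no PHP block in wp-includes, default wp_ prefix); run against a real document root it only reads files and changes nothing. The check is textual, so a directive placed in the server configuration rather than in .htaccess will not be seen; that case needs a request against the live site instead.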
The original article can be viewed from here. I'll see you guys next time with another amazing tutorial!
5 Responses
Definitely! But with all the exploits already and the fact that "nothing is truly secure", following these guidelines will only help, not fix.
XML-RPC ??
You don't have to worry about that, not everybody knows about that thing :) Apply the above things.
I would be horrified of it regardless if I had anything on a server... Nice basic hardening guide tho.
To make it more helpful for beginners, I've removed the paragraph where I clearly mentioned that you can't make anything 100% secure, because 100% secure equals 100% vulnerable :p