Securing your WordPress Installation
A few years ago, only hackers where able to crack websites and bring them down due to their level of knowledge in systems, networking and coding. In recent times, however, things have changed and just about anyone can find tutorials on the Internet that show step by step procedures to penetrate a websites running vulnerable software.
At Kualo, we take security seriously, and have implemented several systems to protect your applications from being exploited. We cannot, however, protect every piece of software that clients operate on their sites, as there is no guaranteed way to protect your websites from being exploited due to vulnerabilities resulting from not upgrading to the latest releases, poorly coded plugins or custom code.
This tutorial aims to focus on a common web application used by our clients - WordPress. We'll provide some tips and suggestions that will help you add an extra layer of security to your WordPress installations.
- Always keep your WordPress installation up to date, including (crucially!) any plugins that you have installed
- Create a new admin user with a custom username, and then delete the default 'admin' user as many attacks will target standard usernames
- Change your admin account password regularly
- Only install plugins that are well reviewed by the WordPress community, and are actively developed
- When installing WordPress, change the default database prefix. All default WordPress installs use the database prefix of "wp_" which makes any exploiter's job much easier. You can change this prefix to something unique during installation, and if you've already installed then the following plugin can easily help you changing your WordPress database prefix with a few clicks: http://wordpress.org/extend/plugins/db-prefix-change/
Securing WordPressBelow is a list of recommended modifications or adjustments to make to your WordPress installations. Read it carefully and if you have any questions feel free to get in touch with our support team before proceeding.
1) Configure the WordFence Plugin - WordFence is a fantastic plugin for WordPress that will dramatically increase the security of your WordPress blog. It is our recommended plugin for any WordPress site - with WordFence properly installed and configured, the likelihood of your blog being hacked is dramatically reduced.
2) Prevent access via wp-login.php, see this article: Protecting WordPress from distributed brute force attacks.
3) Hide your WordPress version. Hiding the WordPress version makes it harder for bots collecting information about your site from identifying whether or not you run a vulnerable version. You can use the following plugin to do it for you: http://wordpress.org/extend/plugins/hide-wordpress-version/.
4) Secure access to your wp-includes directory. This is often used by hackers to place malicious files when they find a vulnerable installation. Add the following lines to the .htaccess file in your WordPress installation directory:
# Block include-only files.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# End block include-only files
Note that this won't work well on Multisite WordPress installations, as the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] will prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
5) Block search engine bots from browsing your directories. Google and other search engines can crawl unwanted urls and expose them to hackers. It's best to prevent Google bot and any other bots that follow robots.txt ( not all of them do) from indexing anything but your content. The robot.txt goes in your site's root folder and is just a text file. Edit/Create your robots.txt files at your public_html folder and ensure it has the following parameters:
Extra PrecautionsWe recommend that you consider installing the following plugins into your WordPress installation to add an extra layer of security. Please note that you don't have to install them all, just choose the ones that best suit you:
- https://wordpress.org/plugins/wps-hide-login/ - Renames the WordPress login page to prevent bots and attackers from being able to perform brute force attacks against your installation (WordPress 3.8+)
- http://wordpress.org/plugins/login-security-solution/ - Login Security Solution: It blocks IPs after several authentication failures. Great plugin for the recent brute force attacks to WordPress installations.
- http://wordpress.org/extend/plugins/stealth-login-page/ - Changes your login page to an address only you will know
- http://wordpress.org/extend/plugins/bulletproof-security/ - WordPress Website Security Protection: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts.
- http://wordpress.org/plugins/ultimate-security-checker/ - Ultimate Security Checker is a plugin that helps you identify security problems with your wordpress installation. It scans your blog and give a security grade based on passed tests.
- http://wordpress.org/plugins/block-bad-queries/ - Block Bad Queries (BBQ) is a simple script that protects your website against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings.