WordPress Security Lockdown

If you run a WordPress-powered website, its security should be a primary concern. In
most cases WordPress sites are compromised because the core files and/or plugins are outdated:
the version of an outdated component is easy to fingerprint from the outside, and a known vulnerability in it is an open invitation to attackers.
The security strategy introduced here is best implemented on new sites, because steps such as renaming the table prefix are far easier before the database exists. Here is our eight-step Security Lockdown for WordPress:
After uploading fresh files, the next step is to ensure proper file permissions. WordPress defaults to 644 for files and 755 for directories. Make sure these are set, and tighten wp-config.php further where the host allows it (600 if PHP runs as the file owner, 640 if it runs in the owner's group), since that file holds your database credentials. While cleaning up, we noticed some crazy permission settings for sensitive files. For example, wp-config.php was set to 777: executable and writable by the entire world! Make sure you don't see anything like that, and if you do, fix it. The one directory the web server must write to, wp-content/uploads, should get that through ownership (chown it to the web server user), never through 777.
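As an added example (this is not code from the original post), a small POSIX shell audit that lists every world-writable path and resets an install to the defaults above. It assumes PHP runs as the file owner or as a member of the owner's group, so wp-config.php is set to 640; the paths and the 640 choice are assumptions, adjust them for your host.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits and resets WordPress
# file permissions. Assumption: PHP runs as the file owner or in its group,
# so wp-config.php can be 640 (use 600 when it runs as the owner itself).

# List world-writable files and directories under $1 (symlinks are skipped,
# they always report 777). Returns 0 when nothing is found, 1 otherwise.
wp_find_world_writable() {
    hits=$(find "$1" ! -type l -perm -002 -print)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Reset to the WordPress defaults: 755 for directories, 644 for files,
# then tighten wp-config.php so other local users cannot read the DB password.
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# Typical run: report first, then fix (document root is an assumed path).
#   wp_find_world_writable /var/www/html || wp_fix_perms /var/www/html
```

Run the audit on its own first; the output is the list of files a local attacker or a compromised neighbouring account could already overwrite, which is worth keeping as evidence before you reset anything.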
In addition to setting proper file permissions, we can also lock down key files with .htaccess. There are numerous files to protect, perhaps most importantly the wp-config.php file, which contains your database login information. Place the following code in your site's root .htaccess file to protect it. The Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 they only work while mod_access_compat is loaded, so use a single Require all denied line inside the Files block instead. Even with this in place, an attacker who gets PHP running on the server can still read the file, which is why the permissions step above matters as well.
# SECURE WP-CONFIG.PHP
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
Changing the default table prefix is a cheap way to protect your database from automated attacks. Malicious scripts need targets, and the default wp_ prefix is an easy one. Change wp_ to a random string such as crUQZPadESeKSy8Q_ (letters, digits and underscores only; WordPress accepts nothing else), which makes your tables hard to hit blindly. Be clear about what this buys you: it is obscurity, not secrecy. An attacker who already has SQL injection can read your table names from information_schema, so the prefix only stops scripts that hardcode wp_.
There are two ways to change the prefix: the easy way and the hard way. The easy way is to set the following line in your wp-config.php file before running the installer (important: change the random string to something unique):
$table_prefix = 'crUQZPadESeKSy8Q_'; // custom table prefix
Do that before running the install script and WordPress creates every table with the new prefix automatically. Going forward, there is no reason not to change the default prefix for all future WordPress installs. For existing sites you must do it the hard way: take a backup, rename every table (core and plugin), and also update the rows where the prefix is stored as data, namely the user_roles option in the options table and the capability and user_level keys in usermeta; miss those and every account loses its role. Finish by updating $table_prefix in wp-config.php.
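As an added example (not code from the original post), a POSIX shell helper that prints the SQL for the hard way on a single-site install, including the two data rows that are easy to forget. The core table list is real; the plugin table names, the prefix values and the file path are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post: print the SQL for the "hard
# way", moving an existing single-site install from prefix OLD to prefix NEW.
# Review it, take a backup, then run it with the site in maintenance mode.

# Core single-site tables. Plugin tables are not included; pass them as extra
# arguments (without the prefix), e.g. those listed by SHOW TABLES LIKE 'wp\_%'.
WP_CORE_TABLES="commentmeta comments links options postmeta posts termmeta \
term_relationships term_taxonomy terms usermeta users"

# WordPress accepts only letters, digits and underscores in $table_prefix.
wp_prefix_valid() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: wp_prefix_migration_sql OLD NEW [extra_table ...]
wp_prefix_migration_sql() {
    old=$1; new=$2; shift 2
    wp_prefix_valid "$old" && wp_prefix_valid "$new" || return 1

    for t in $WP_CORE_TABLES "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done

    # The prefix is also stored as DATA in two places; miss these and every
    # account loses its role after the rename. In options only user_roles is
    # prefixed (other option names that begin with wp_ are fixed core names,
    # so no blanket LIKE there). In usermeta every prefixed key is renamed;
    # underscore is a LIKE wildcard, so it is escaped in the pattern.
    like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')
    start=$(( ${#old} + 1 ))
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$like_old"
    printf '%s\n' "-- finally set \$table_prefix = '$new'; in wp-config.php"
}

# Example (assumed plugin table name): wp_prefix_migration_sql wp_ crUQZPadESeKSy8Q_ myplugin_log
```

Pipe the output into a file and read it before feeding it to mysql; the RENAME statements are reversible, but the usermeta UPDATE is only reversible if the old prefix is still known, so keep the backup until you have logged in and confirmed that roles survived.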
Directly after the database credentials in wp-config.php you can specify a set of Authentication Unique Keys and Salts. WordPress mixes these secrets into the HMAC that protects its login cookies and into its nonces, so a stolen copy of the database cannot be turned into a forged admin cookie. Changing them also invalidates every existing session, which is useful right after a compromise. Set them on every site.
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Use the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) to generate a fresh set and replace the placeholders above; never leave "put your unique phrase here" in place, and never reuse one set across sites.
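As an added example (not code from the original post), the same eight definitions generated offline from /dev/urandom, for hosts that cannot reach the key service or that provision wp-config.php from a script. The 64-hex-character length is my choice, not a WordPress requirement; any long random string works.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the eight key and
# salt definitions for wp-config.php from /dev/urandom instead of fetching
# them from the WordPress.org secret-key service.

# Print N random bytes as lowercase hex (2N characters). od -v keeps od from
# collapsing repeated lines into "*".
wp_random_hex() {
    dd if=/dev/urandom bs="$1" count=1 2>/dev/null | od -An -tx1 -v | tr -d ' \n'
}

WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print the define() lines to paste over the placeholders in wp-config.php.
# Each name gets its own independent 32-byte value; sharing one value across
# the eight names defeats the point of having separate keys and salts.
wp_generate_salts() {
    for name in $WP_KEY_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_hex 32)"
    done
}

# Usage: wp_generate_salts >> wp-config.php   (then delete the placeholder lines)
```

Because every existing login cookie stops validating the moment these change, run this during a maintenance window on a live site, and again as the first step of cleaning up a site you believe was compromised.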
Next, block direct HTTP requests to PHP files that are only ever included by other code and never meant to be requested on their own (wp-admin/includes and most of wp-includes). Those files are a favourite landing spot for dropped web shells and for attacks on include-only scripts. Place the following code in your site's root .htaccess file, above the block WordPress itself manages:
# Keep these rules ABOVE the "# BEGIN WordPress" block, which WordPress rewrites.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Request is not under wp-includes/? Skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Multisite: remove this line, it blocks wp-includes/ms-files.php.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
Disable the built-in theme and plugin file editor, which lets any administrator account (or anyone who steals one's cookie) write PHP straight to disk, by adding the following to wp-config.php. If you deploy plugins and themes from outside the dashboard, the related DISALLOW_FILE_MODS constant also blocks installs and updates from the admin UI.
define('DISALLOW_FILE_EDIT', true);
As a final layer, add a well-maintained security plugin; here are the top ten WordPress security plugins for keeping a blog secure.
The previous steps comprise the majority of our security lockdown, but there are some important details to consider:
• Keep your WordPress install, plugins, themes, and scripts updated with current versions
• Use strong, unique passwords and rotate them, especially after any suspected compromise
• Grant the WordPress database user only the privileges it needs on its own database (never GRANT, FILE or SUPER)
• Disable user registration if not needed/used for your site
• Check roles and permissions for all users
• Clean up and consolidate old/loose files
• Remove unused plugins and themes
• Check permissions of upload, upgrade, and backup directories, and keep backups outside the web root
• Keep a backup of your site files
• Keep your database optimized and backed up
All of these steps put your site out of reach of the vast majority of malicious scripts and other automated attacks. The lockdown strategy presented in this post gives a strong baseline for little effort, but there is always room for improvement, so share your ideas and we can make our sites more secure.
Thanks!