How to secure WordPress
This is a collection of, let's call them, best practices for securing your WordPress installation. I used to be very carefree when it came to the Internet. But as you have probably heard, hacking is a much more common activity nowadays. Back in the day the main targets were usually large corporations; now everyday people are targets too, either indirectly through the hacking of a company's database or directly by having their computers turned into bots. I really was not concerned until I received a communication which made it a very real threat to me (you can read more about it here: Global Attack on WordPress Sites). In summary, hackers are targeting WordPress sites as a means of spreading malware, gaining control over visitors' computers and launching massive attacks from them. After securing my installation I saw through my logs attacks on the sites I run every minute for hours a day. Unfortunately these are automated attacks, which means they can be run on a massive scale, and the attacks themselves have become more and more intelligent. Therefore the basics of securing your WordPress site have become must-haves in today's treacherous environment.
1. Change Database Prefix ($table_prefix)
I know this falls under the “let's go ahead and change the default Windows directory” kind of mindset, but let's get real: this is a minor operation and so far in my experience it has not been an issue. The idea is simple: everybody knows what the WordPress tables are called, and as a hacker you could exploit that knowledge. Clearly you would be after wp_users in order to obtain the credentials you need to gain control over the site. This has become a popular security consideration and it is included in many plugins nowadays. In case you want to perform this change manually, below are the steps:
Go ahead and edit your wp-config.php file and find the following line:
$table_prefix = 'wp_';
You will need to change it to something random like:
$table_prefix = 'awdr_';
I would recommend using a different random prefix for each of your sites. Also, if this is a new site I believe WordPress would make the new tables for you, but if it is an existing one and you encounter issues you probably have to go to your database and rename all of your tables to match the new prefix.
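Renaming the tables by hand is error-prone, so here is the database side of this step as a shell script. This is an added example and not code from the original post or from WordPress; it prints the SQL to pipe into the mysql client once $table_prefix has been changed in wp-config.php. It assumes a single-site install with the default core table names (plugin tables have to be added to the list or passed as arguments), and it also fixes the two places a plain table rename misses: the role definitions stored in the {prefix}user_roles option and each user's role under the {prefix}capabilities and {prefix}user_level meta keys, without which every account loses its role after the rename.

```shell
#!/bin/sh
# Added example (not from the original post): generate the SQL that moves an
# existing WordPress database from one table prefix to another.
# Assumption: single-site install with the default core tables below; add any
# plugin tables your site has to the list or pass them as arguments.

WP_CORE_TABLES="commentmeta comments links options postmeta posts \
term_relationships term_taxonomy termmeta terms usermeta users"

# wp_prefix_is_valid PREFIX -> 0 when PREFIX contains only letters, digits and
# underscores, which is all WordPress accepts in $table_prefix.
wp_prefix_is_valid() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# wp_prefix_rename_sql OLD NEW [TABLE ...]
# Prints one RENAME TABLE per table, then the two UPDATEs that fix the rows
# whose contents embed the prefix: the role definitions live in the
# `{prefix}user_roles` option, and each user's role is stored under the
# `{prefix}capabilities` and `{prefix}user_level` meta keys.
wp_prefix_rename_sql() {
    old=$1
    new=$2
    shift 2
    wp_prefix_is_valid "$old" && wp_prefix_is_valid "$new" || {
        echo "invalid prefix: use only letters, digits and underscores" >&2
        return 1
    }
    tables=${*:-$WP_CORE_TABLES}
    for t in $tables; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # LEFT()/SUBSTRING() rather than LIKE 'wp_%' because '_' is a LIKE wildcard.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
        "$new" "$new" "$((${#old} + 1))" "${#old}" "$old"
}

# Demo with the post's example prefixes; pipe the output into the mysql client
# once you are happy with it.
wp_prefix_rename_sql wp_ awdr_
```

Run it as `wp_prefix_rename_sql wp_ awdr_ | mysql -u DBUSER -p DBNAME` (the connection details are yours to fill in) after taking a database backup, and remember that the prefix in wp-config.php and the prefix in the database have to be changed together.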
2. Disable Editing of Theme/Plugin files
As a power user I am crazy about editing files in WordPress. But let's be honest, most users do not code and probably never use this feature. Guess who is not afraid of using this feature: hackers. Suppose that through some exploit a hacker gains access to your site. Being able to edit files through the web page gives them the power to add malware to your site and therefore infect all your readership. This of course becomes an issue for you, as your followers lose trust in your site and nobody wants their computer and personal information to become compromised. Again, below are the manual changes you can make in order to disable editing of theme and plugin files. In case you love this feature like I do, consider the following: a) you can always re-enable it when you need it, and b) you can always edit files via your web host (FTP or HTTP).
Again, go to your wp-config.php file and add the following line:
define('DISALLOW_FILE_EDIT',true);
3. Disallowing users from installing plugins or themes, or running updates.
In the same line of thought as the previous point, you may want to restrict the installation of themes and plugins. If the hacker gains access to your backend / admin panel then they can install a “plugin” of their own making that would spread the joy of being hacked. Again, you can always re-enable the installation of plugins, etc. by changing your wp-config.php file, or you can manually install a theme/plugin via FTP:
define('DISALLOW_FILE_MODS',true);
4. Forcing use of FTP for all uploads, upgrades and plugin installation.
Think of this as an alternative to option #3. The idea here is that in order to upload you need to do it via FTP, and hence you need to know your FTP credentials. This provides an additional checkpoint, as credentials would be needed to perform an upload. If your site does not support SSL (https) then those credentials would be sent unencrypted. If your machine or network is compromised it won't help much either. Anyway, if this is something that you would consider helpful to have, here is what you need to add to your wp-config.php file:
define('FS_METHOD', 'ftpext');
I strongly suggest that if your FTP host supports SSL you use that connection method. Here is what you need to add in order for WordPress to use a secure channel to communicate with your FTP host. These are two alternatives, not a pair: FTP_SSL makes the ftpext method above connect over FTPS, while setting FS_METHOD to ssh2 instead uses SFTP (this needs the PHP ssh2 extension on your server). Pick the one your host supports:
define('FTP_SSL', true);
define('FS_METHOD', 'ssh2');
5. Change Security Keys
For some reason when you install WordPress by yourself the Security Keys are left blank, but when you install it via some web host applications they are kind enough to generate random ones for you and set them up. Regardless, it is recommended that you open your wp-config.php and check whether you have them set up or not. Even if you have some, it is recommended you generate new random ones in case your web host is not generating random values or the ones you got assigned somehow got compromised. Look for something like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
As mentioned, if you still have the wording “put your unique phrase here” then you must replace it immediately. WordPress provides a tool to generate random keys for you. I recommend you use that site; for security generate a few and pick one of those. Each site you own must have its own unique keys. You can get new keys from this site: https://api.wordpress.org/secret-key/1.1/salt/ and below is how the new keys should look:
define('AUTH_KEY', '_8*N%FB15~aiVO2sGlty_$kX,!+o>R*^gDJ|LlrT~2[>)i;w;s:8G;6i~T+/c(}^');
define('SECURE_AUTH_KEY', '7f9-GeaJFYM!&.N8-Tvo`k?m--wl<-oSHm=:Q{G&u[pTbB~Q8@MBB`i`BjLDv[G4');
define('LOGGED_IN_KEY', 'l)#u0NSAU_Lh?X>mMY!np&RT1bX_s-5y$<aX!ar6S0E{/#J3.wSaH=++;ug*c~rM');
define('NONCE_KEY', 'Yrso{^z^*-PNE_z|A_F~uWk0|!_?;56:&76@b:l}a.cHI/> A|zJ;R|`as3M]L@n');
define('AUTH_SALT', 'jn9<>1{b2s0q-Rp1Y-qU )cKGvImn]<g[bgE3|+yZ1^ZUJZo<9t;V7U`_L-P:[|`');
define('SECURE_AUTH_SALT', 'Jmi+3D.nN{b3@bO!!!Ap.7PM;|D?7kxb6XU`$d^j-WUA+b.*Z->7<|x[^T{0Q>0l');
define('LOGGED_IN_SALT', '&K^x`;<=Y^%];(Gok)(hv,|S;oMj/<O;-v0-;;+U ?vK1lh)=3-LmdW-Hw~R>t/q');
define('NONCE_SALT', '?Lo-1=+|#z7v*++6@K5c>Vg=%Hh3VIZ*:JI4}oE$rL^?A]?{~DFB5}ME%,|G!DiO');
Also, in case your site gets hacked, it is highly advisable to replace these keys with new ones. This will force all users to log in again, and old cookies will not gain them access to your site any more.
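Points 2, 3 and 4 each add a define() to wp-config.php and point 5 replaces the eight key lines; the script below does both on a copy of the file. It is an added example, not part of the original post or of WordPress. It assumes the file still has the standard “That's all, stop editing” marker or the require_once of wp-settings.php (a define placed after that point takes no effect), and it uses a constructed sample configuration plus constructed stand-in salts (the EXAMPLE-ONLY values) in place of the real api.wordpress.org output.

```shell
#!/bin/sh
# Added example (not from the original post): audit a wp-config.php for the
# hardening defines of points 2-4 and the placeholder security keys of point 5,
# then apply the fixes. Edits are written back through the existing file so its
# ownership and permissions (point 7) are preserved.

# The eight key/salt names WordPress reads from wp-config.php.
WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# wp_config_has_define FILE NAME -> 0 when FILE already has define('NAME', ...)
wp_config_has_define() {
    grep -Eq "define\([[:space:]]*'$2'" "$1"
}

# wp_config_add_define FILE NAME VALUE -> inserts define('NAME', VALUE); before
# the "stop editing" marker (or the require_once of wp-settings.php if the marker
# is gone): a define placed after wp-settings.php has loaded takes no effect.
wp_config_add_define() {
    f=$1
    wp_config_has_define "$f" "$2" && return 0
    tmp=$(mktemp)
    awk -v line="define('$2', $3);" '
        !done && (/That.s all, stop editing/ || /require_once.*wp-settings\.php/) {
            print line; done = 1
        }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# wp_config_placeholder_keys FILE -> prints each key still set to the installer's
# "put your unique phrase here" text; exit status 1 when none are left.
wp_config_placeholder_keys() {
    found=1
    for k in $WP_KEY_NAMES; do
        if grep -Eq "'$k'[[:space:]]*,[[:space:]]*'put your unique phrase here'" "$1"; then
            echo "$k"; found=0
        fi
    done
    return $found
}

# wp_config_set_keys FILE SALTS -> SALTS is a block of define() lines in the
# format of https://api.wordpress.org/secret-key/1.1/salt/ (fetch it with curl).
# Each define in FILE whose key name appears in SALTS is swapped for that line.
wp_config_set_keys() {
    f=$1
    salts=$(mktemp); out=$(mktemp)
    printf '%s\n' "$2" > "$salts"
    # The key name is the text between the first two single quotes; q carries
    # the quote character into awk so the program itself needs none.
    awk -v q="'" '
        NR == FNR { if (index($0, "define(") == 1 && split($0, p, q) >= 3) repl[p[2]] = $0; next }
        index($0, "define(") == 1 && split($0, p, q) >= 3 && (p[2] in repl) { print repl[p[2]]; next }
        { print }
    ' "$salts" "$f" > "$out" && cat "$out" > "$f"
    rm -f "$salts" "$out"
}

# Constructed sample wp-config.php, still carrying the installer's placeholders.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Constructed stand-in for the api.wordpress.org output (real values are 64
# random characters each; never reuse these).
SAMPLE_SALTS="define('AUTH_KEY',         'EXAMPLE-ONLY-auth-key');
define('SECURE_AUTH_KEY',  'EXAMPLE-ONLY-secure-auth-key');
define('LOGGED_IN_KEY',    'EXAMPLE-ONLY-logged-in-key');
define('NONCE_KEY',        'EXAMPLE-ONLY-nonce-key');
define('AUTH_SALT',        'EXAMPLE-ONLY-auth-salt');
define('SECURE_AUTH_SALT', 'EXAMPLE-ONLY-secure-auth-salt');
define('LOGGED_IN_SALT',   'EXAMPLE-ONLY-logged-in-salt');
define('NONCE_SALT',       'EXAMPLE-ONLY-nonce-salt');"

# Demo on a throwaway copy: report, harden, rotate the keys, show the result.
cfg=$(mktemp)
make_sample_config "$cfg"
echo "keys still at placeholder: $(wp_config_placeholder_keys "$cfg" | tr '\n' ' ')"
wp_config_add_define "$cfg" DISALLOW_FILE_EDIT true
wp_config_add_define "$cfg" DISALLOW_FILE_MODS true
wp_config_set_keys "$cfg" "$SAMPLE_SALTS"
grep -E "DISALLOW_|_KEY|_SALT" "$cfg"
rm -f "$cfg"
```

On a real site, feed wp_config_set_keys the actual output of https://api.wordpress.org/secret-key/1.1/salt/ rather than the stand-in, pass the value with its quotes (for example `wp_config_add_define wp-config.php FS_METHOD "'ftpext'"`) to add the point 4 setting, and diff the copy against the live file before swapping it in.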
6. Move wp-config.php out of the core WordPress folder.
This is an interesting trick. Usually a risk you have with WordPress is that due to an issue with your web host settings (like not having PHP installed, etc.) people can read your wp-config.php, sometimes edit it, etc. Also, everybody knows where it is. What this little trick does is place your wp-config.php in a folder which is not published on the web; few people do this, so it adds obscurity and therefore security to your WP installation.
This is how it works. Usually the wp-config.php file lives with the rest of your WordPress files in a root folder which is published to the internet, let's say /public_html/ or c:/InetPub/MyWordPress on Windows. So in this example your config file would be in /public_html/wp-config.php or c:/InetPub/MyWordPress/wp-config.php. WordPress lets you move the wp-config.php file one level up (it only looks there if that parent folder is not itself a WordPress install). For example, the new locations of the wp-config.php file would be:
/wp-config.php or c:/InetPub/wp-config.php
You can see this would be an issue on Windows, as other WordPress sites would be sharing that wp-config.php. Ideally you would have a structure like the following:
C:\InetPub\MyWordPressSite\WWWroot
so that you don't share a parent folder with the other sites. Just keep in mind that some backup plugins might not be able to get to this file or know about it, so you might need to back it up manually.
7. File Permissions of wp-config.php
There are a few files that you should secure, like wp-config.php and .htaccess (web.config for Windows hosts running .NET). These files should be set up so that only your web server can access them, and it can only read them. If you are using FTP you could set the permissions to 400 or 440 depending on your setup, or use cPanel on your web host. I personally had no luck trying to set this up; it seems the permissions are reverted whichever way I set them, but oh well. You could also use .htaccess to deny access to your wp-config.php file and others by adding the following lines:
# Apache 2.2 syntax; on Apache 2.4 and later use "Require all denied" instead of the two lines inside the block
<Files wp-config.php>
order allow,deny
deny from all
</Files>
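To check the last two points together: where WordPress will actually pick up wp-config.php once it has been moved up a level, and whether that file and .htaccess are read-only for their owner. The script below is an added example, not from the original post or from WordPress. Its lookup rule mirrors the one in wp-load.php, it assumes the files are owned by the account your web server runs as (so 400/440 still lets the server read them), and the directory layout it runs against is constructed in a temporary folder.

```shell
#!/bin/sh
# Added example (not from the original post): find the wp-config.php that
# WordPress will actually load (point 6) and check that it and .htaccess are
# locked down to read-only for the owner (point 7).
# Assumption: the files are owned by the account the web server runs as, so
# 400/440 (or 600/640) still lets the server read them.

# wp_config_path DOCROOT -> prints the wp-config.php WordPress would use.
# Mirrors the lookup in wp-load.php: the copy inside DOCROOT wins; otherwise
# the parent directory's copy is used, but only when the parent is not itself
# a WordPress install (no wp-settings.php there). Exit 1 if neither exists.
wp_config_path() {
    root=${1%/}
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        echo "$root/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        echo "$parent/wp-config.php"
    else
        return 1
    fi
}

# wp_file_mode FILE -> the nine permission characters, e.g. rw-r--r--
wp_file_mode() {
    ls -ld "$1" | cut -c2-10
}

# wp_file_locked_down FILE -> 0 when nobody but the owner can read or write the
# file and the group has at most read access (modes 400, 440, 600, 640).
wp_file_locked_down() {
    case "$(wp_file_mode "$1")" in
        r[w-]-[r-]-----) return 0 ;;
        *) return 1 ;;
    esac
}

# wp_lock_down FILE -> apply the post's recommendation (400) and verify it
# stuck; on hosts that revert permissions this is where you find out.
wp_lock_down() {
    chmod 400 "$1" && wp_file_locked_down "$1"
}

# wp_audit DOCROOT -> one line per sensitive file; exit 1 if any is loose.
wp_audit() {
    root=${1%/}
    cfg=$(wp_config_path "$root") || { echo "no wp-config.php found for $root" >&2; return 1; }
    status=0
    for f in "$cfg" "$root/.htaccess"; do
        [ -f "$f" ] || continue
        if wp_file_locked_down "$f"; then
            echo "ok    $(wp_file_mode "$f") $f"
        else
            echo "LOOSE $(wp_file_mode "$f") $f"
            status=1
        fi
    done
    return $status
}

# Demo on a constructed layout: $d/site holds the install, wp-config.php sits
# one level up as in point 6 and starts out world-readable.
d=$(mktemp -d)
mkdir "$d/site"
: > "$d/site/wp-settings.php"
: > "$d/wp-config.php"
chmod 644 "$d/wp-config.php"
wp_audit "$d/site" || true
wp_lock_down "$(wp_config_path "$d/site")"
wp_audit "$d/site"
rm -rf "$d"
```

Run `wp_audit /path/to/docroot` on a real install; a LOOSE line is the cue to chmod, and if wp_lock_down reports failure the host is reverting permissions behind you, as described above.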