Saturday 8 March 2014

12 Steps: How to Secure Your WordPress From Hacking (Guide)

Securing WordPress is very important for every blog running on it, be it a personal diary blog or a big authority blog. WordPress is a very popular open-source blogging platform; some very big news sites also run on it, though they usually use the VIP WordPress platform, which comes with more security, support, maintenance and features. VIP is a paid platform, however, and not everyone can afford it.



So is free WordPress not secure?

Well, no: free WordPress is also very secure, and many big professional bloggers use it.

The free WordPress platform's popularity is both a boon and a bane.

The difference between free WordPress and VIP WordPress is like this: your PC is secure, but you still take precautions such as avoiding dangerous websites and running an antivirus to protect yourself. VIP WordPress is like hiring someone to manage your security and performance for you and paying him for that service. I hope that makes clear what I am trying to say.

Anyway, so instead of an antivirus we will be using security plugins here, plus .htaccess rules as a firewall.


In .htaccess you can set the rules for accessing your website's contents. There are also some WordPress plugins available for setting .htaccess rules to make your WordPress secure. If you just need a quick fix you can use them; however, I prefer to set each .htaccess rule according to my own needs.

So the first step to make your WordPress secure is to use a different database table prefix than the default one. By default it is set to 'wp_', and if you don't change it while installing WordPress it makes a hacker's work easy: they can guess your table names and use that knowledge in SQL injection attacks to run malicious queries. The database is your WordPress's memory, and without it the site is like a person without a brain, so securing it is very important.


You can use the Better WP Security plugin to change your WordPress table prefix in one click.

Now you should also reduce your WordPress database user's privileges to the minimum.



For normal WordPress operation the only database privileges required are SELECT, INSERT, UPDATE and DELETE.


However, some plugins may require extra privileges while installing or updating, to make structural changes to the database. So before updating your WordPress installation or any plugin you should temporarily grant the database user all privileges, and take them away again afterwards.

If you don't grant the required privileges, WordPress will create an error.log in your installation directory with the details of the error, something along the lines of "xxxx database could not execute the xxx" (not exactly that, but similar). So if you suspect a plugin is not working properly because of insufficient privileges, check for an error.log in your WordPress installation directory.
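Here is a small shell helper I am adding as an example (it is not code from the post and not part of WordPress or any plugin) that prints the MySQL statements for the two privilege states described above: the everyday minimum of SELECT, INSERT, UPDATE and DELETE, and the temporary ALL PRIVILEGES you grant for an update. The database name, user and host in the demo call are made-up placeholders; pipe the output into the mysql client as an administrative user.

```shell
#!/bin/sh
# Added example, not code from the post: print the SQL that puts a WordPress
# database user on the minimum privilege set the post names (SELECT, INSERT,
# UPDATE, DELETE), or temporarily on ALL PRIVILEGES for a core or plugin update.
# Database name, user and host in the demo call are constructed placeholders.
#
# Usage: wp_db_grant_sql minimal|full <database> <db_user> [host] | mysql -u root -p

wp_db_grant_sql() {
  if [ $# -lt 3 ]; then
    echo "usage: wp_db_grant_sql minimal|full <database> <db_user> [host]" >&2
    return 1
  fi
  mode=$1; db=$2; user=$3; host=${4:-localhost}
  case "$mode" in
    minimal) privs='SELECT, INSERT, UPDATE, DELETE' ;;
    full)    privs='ALL PRIVILEGES' ;;
    *) echo "unknown mode '$mode' (expected minimal or full)" >&2
       return 1 ;;
  esac
  # Revoke first, so that going back to "minimal" after an update really removes
  # ALTER, CREATE, DROP and friends. MySQL refuses the REVOKE when the user has no
  # grant on this database yet, so run one plain GRANT by hand the very first time.
  cat <<EOF
REVOKE ALL PRIVILEGES ON \`$db\`.* FROM '$user'@'$host';
GRANT $privs ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Stand-alone run: the day-to-day (minimal) grant for a constructed database/user.
wp_db_grant_sql minimal wp_example_db wp_example_user
```

Run it with `full` before an update and with `minimal` right after, and keep the user in wp-config.php the same; only the grants change. If a plugin still breaks on the minimal set, the error.log described above tells you which statement it could not execute.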

Changing your default WordPress admin directory


I do not actually think changing the default WordPress admin directory helps much, because anyone with enough skill can figure out your admin directory path. Instead I would suggest using Incapsula to protect your admin directory with 2-factor authentication.

Changing the WordPress admin directory can, however, help create a honeypot for bad visitors; I will cover that in another post. Basically we will set some rules, and if anyone tries to bypass them their details will be stored in a database, which we can then use to blacklist those users from accessing your site.

Changing/hiding your WordPress admin username


This is a very good security measure, and it took me a very long time to figure out how to hide it properly; I was ashamed I couldn't manage this simple trick.

The problem you will encounter is this: if you go to your WordPress admin dashboard, add a different nickname in your profile and set it as the display name, you will see that name shown as the post author. But this doesn't solve the problem. It shows your nickname as the display name, but when you hover over it, the author link reveals your real username, like www.sitename.com/author/username. You can try it yourself.

So the solution is to remove the admin user completely. How to do it? See my post on how to hide the WordPress admin username.

Secure your WordPress installation against cross-site scripting (XSS) attacks



To do this we will install a simple yet effective plugin, BBQ (Block Bad Queries). It blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request strings. Seriously, a must-have plugin.
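To see what a rule like that actually catches, here is a small filter I am adding as an example. It is not the BBQ plugin's code and not from the post; it only mirrors the three criteria mentioned above (eval(, base64_, and an over-long query string) and runs them over access-log lines so you can preview on your own log what such a plugin would refuse. The 255-character limit and the three log lines in the demo are made up for this example; the plugin's real thresholds and patterns are not taken from the post.

```shell
#!/bin/sh
# Added example, not the BBQ plugin's code: a small request filter in the spirit of
# the rule the post describes, run over access-log lines to preview what such a
# plugin would refuse. A request is flagged when its target contains "eval(" or
# "base64_", or when its query string is excessively long. The length limit and
# the sample log lines in demo() are constructed for this example.

MAX_QUERY_LEN=255   # assumption for this example, not the plugin's value

# is_bad_request <request-target> -> prints the reason and returns 0 if flagged,
# returns 1 (prints nothing) for a request that looks fine.
is_bad_request() {
  target=$1
  query=${target#*"?"}                       # text after the first "?"
  [ "$query" = "$target" ] && query=""       # no "?" at all: no query string
  case "$target" in
    *"eval("*)   echo "eval("; return 0 ;;
    *"base64_"*) echo "base64_"; return 0 ;;
  esac
  if [ "${#query}" -gt "$MAX_QUERY_LEN" ]; then
    echo "query string too long (${#query} chars)"; return 0
  fi
  return 1
}

# scan_access_log <file> -> one "reason<TAB>target" line per flagged request.
# Assumes combined log format, where the request target is the 7th field.
scan_access_log() {
  while IFS= read -r line; do
    req=$(printf '%s\n' "$line" | awk '{print $7}')
    reason=$(is_bad_request "$req") && printf '%s\t%s\n' "$reason" "$req"
  done < "$1"
  return 0
}

# Stand-alone demo over three constructed log lines; the second one is flagged.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
203.0.113.7 - - [08/Mar/2014:10:00:01 +0000] "GET /?s=wordpress+security HTTP/1.1" 200 5123
203.0.113.9 - - [08/Mar/2014:10:00:02 +0000] "GET /index.php?a=eval(base64_decode(x)) HTTP/1.1" 200 0
203.0.113.9 - - [08/Mar/2014:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2300
EOF
  scan_access_log "$tmp"
  rm -f "$tmp"
  return 0
}
demo
```

Point scan_access_log at a copy of your real access log to see how often these patterns show up and whether any legitimate plugin of yours sends requests that would be blocked, which is the check worth doing before switching such a plugin on. Note that this toy only looks at the raw request line; a real filter also has to consider URL-encoded forms of the same strings.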

Using 2-factor authentication for admin login



For this I would recommend the Google Authenticator plugin. If you have trouble configuring it, I will cover how to set up this Google Authenticator plugin in a later post.

Add a blank index.php in every directory of your WordPress installation. This prevents users from viewing your directory listings.

Prevent users from browsing your WordPress directory/folder structure from their browser

For example, you would not want anyone to view all the images stored in your wp-content/uploads folder and copy everything from there very easily. Some good hosting companies provide this protection by default.
To do this, add Options All -Indexes to your .htaccess file.
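Both of the last two steps can be done in one go. The script below is an example I am adding (not code from the post, and not part of WordPress): it drops a placeholder index.php into every directory of the installation that lacks one and appends the Options All -Indexes line to the root .htaccess only if it is not there yet. The placeholder content, "Silence is golden", is what WordPress itself ships in the index.php files under wp-content. The directory tree in the demo is made up; pass your real WordPress root instead.

```shell
#!/bin/sh
# Added example, not code from the post: close off directory listings in two
# complementary ways. (1) Put a placeholder index.php into every directory of the
# WordPress tree that lacks one, so a request for the directory gets an empty
# page even where .htaccess is not honoured. (2) Add "Options All -Indexes" to
# the root .htaccess, idempotently. The demo tree at the bottom is constructed.

# dirs_without_index <wp_root> -> prints each directory that has no index.php
dirs_without_index() {
  find "$1" -type d | while IFS= read -r dir; do
    [ -e "$dir/index.php" ] || printf '%s\n' "$dir"
  done
  return 0
}

# add_index_placeholders <wp_root> -> creates the missing index.php files.
# WordPress itself ships this "Silence is golden" placeholder in wp-content.
add_index_placeholders() {
  dirs_without_index "$1" | while IFS= read -r dir; do
    printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
  done
  return 0
}

# disable_directory_listing <wp_root> -> appends the Options line once only.
# Needs "AllowOverride Options" (or All) in the server config; otherwise Apache
# answers every request with a 500 error as soon as the line is present.
disable_directory_listing() {
  ht=$1/.htaccess
  grep -qs 'Options All -Indexes' "$ht" || printf 'Options All -Indexes\n' >> "$ht"
  return 0
}

# Stand-alone demo on a constructed tree (prints before/after counts).
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2014/03"
  : > "$root/wp-content/uploads/2014/03/photo.jpg"
  echo "before: $(dirs_without_index "$root" | wc -l) directories without index.php"
  add_index_placeholders "$root"
  disable_directory_listing "$root"
  echo "after:  $(dirs_without_index "$root" | wc -l) directories without index.php"
  cat "$root/.htaccess"
  rm -rf "$root"
  return 0
}
demo
```

Run dirs_without_index on your site first to see what it would touch; on a fresh WordPress the core folders already have their index.php, so the list is mostly uploads subfolders and cache or plugin directories. After enabling the .htaccess line, open a folder URL such as /wp-content/uploads/ in the browser and confirm you get a 403 or an empty page rather than a file list.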

Password-protect your admin directory



If you followed my Incapsula method you will not need this, and since we are now also using Google Authenticator we do not need it that much. Frankly speaking, it becomes a pain to enter something like 10 different passwords before you reach the WordPress dashboard. But remember, nothing comes free, so great pain comes with great protection :p

Anyway, here is how to do it:



Password protect with .htaccess

Limit login attempts to prevent brute-force attacks

Whitelist your IP for access to the crucial files. This is a super easy and super effective measure if you have a static IP; I will explain the complete method in another post.
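As an example of what the password protection and the IP whitelist above look like in .htaccess terms, here is a small generator I am adding (not code from the post, not from any plugin). It prints the wp-admin/.htaccess that asks for an HTTP Basic password, with admin-ajax.php left open because the public side of many themes and plugins calls that file, and a block for the root .htaccess that lets only the listed addresses reach wp-login.php. The syntax is Apache 2.4; the .htpasswd path and the IP addresses in the demo are made up.

```shell
#!/bin/sh
# Added example, not code from the post: generate the .htaccess text for the two
# admin-area controls listed above, a password prompt on wp-admin and an IP
# whitelist on wp-login.php. Apache 2.4 syntax. The .htpasswd path and the IP
# addresses used in the demo are constructed placeholders.
#
# Create the password file first, outside the web root, with apache2-utils:
#   htpasswd -c /etc/apache2/wp-admin.htpasswd yourname

# admin_basic_auth_htaccess <absolute-path-to-.htpasswd> -> wp-admin/.htaccess text
admin_basic_auth_htaccess() {
  [ $# -eq 1 ] || { echo "usage: admin_basic_auth_htaccess /path/to/.htpasswd" >&2; return 1; }
  cat <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user

# admin-ajax.php is called by the public side of many themes and plugins, so it
# must stay reachable without the browser password prompt.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# login_ip_whitelist_htaccess <ip-or-cidr> [more ...] -> block for the root
# .htaccess that lets only the listed addresses reach wp-login.php
login_ip_whitelist_htaccess() {
  [ $# -ge 1 ] || { echo "usage: login_ip_whitelist_htaccess <ip|cidr> [more ...]" >&2; return 1; }
  printf '<Files wp-login.php>\n    Require ip'
  for addr in "$@"; do printf ' %s' "$addr"; done
  printf '\n</Files>\n'
}

# Stand-alone demo with constructed values.
admin_basic_auth_htaccess /etc/apache2/wp-admin.htpasswd
echo
login_ip_whitelist_htaccess 203.0.113.5 198.51.100.0/24
```

The whitelist really does lock you out from anywhere else (your phone, a café, the office), which is why it only makes sense with a static IP as said above; keep the .htpasswd file outside the document root so it can never be downloaded, and test both rules from a second browser before you log out of the session you are in.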

I think I have covered most of the security measures; if I have forgotten any, please comment below and I will add them.

Install one of these 2 WordPress security plugins


Wordfence: it offers a lot of security features, like hiding your WordPress version, throttling/blocking bad visitors, entering your own bad IP ranges, or just setting the rules under which someone gets blocked. It also has a paid version with more features, but the free version is good enough. The author updates it regularly and replies to support threads, and because there is a paid version there is very little chance of this plugin being abandoned.

Better WP Security: this plugin also offers a lot of features, like renaming your database prefix, removing the meta generator tag, hiding the WordPress version, and a lot more.

Prevent script execution with .htaccess

If your WordPress installation is already infected, or you suspect it is, you should scan your installation directory for any malicious code, and if you have a recent backup use it to restore your site.
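For the two points above, here is an example script I am adding (not code from the post and not part of WordPress). The first function writes an .htaccess into wp-content/uploads that makes Apache refuse to execute any PHP placed there, which is where uploaded files land and where no script has any business being. The second is a first-pass scan of the kind the post suggests: it lists PHP files inside uploads, and PHP files anywhere else that chain eval( with base64_decode( on one line, the same obfuscation idiom the BBQ step mentions. Apache 2.4 syntax; the directory tree in the demo is made up, and the "suspicious" plugin file in it is just text for the scanner to find.

```shell
#!/bin/sh
# Added example, not code from the post: (1) drop an .htaccess into
# wp-content/uploads so Apache refuses to execute PHP that lands there, and
# (2) a quick scan for an installation you suspect: PHP files inside uploads,
# and PHP files anywhere that chain eval( with base64_decode(. Apache 2.4
# syntax; the demo tree below is constructed.

# block_php_in_uploads <wp_root> -> writes wp-content/uploads/.htaccess
block_php_in_uploads() {
  uploads=$1/wp-content/uploads
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
# Files uploaded through WordPress are data, never scripts.
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
  return 0
}

# suspicious_php_files <wp_root> -> one path per finding
suspicious_php_files() {
  root=$1
  # Any PHP file under uploads is a finding on its own.
  find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \)
  # Elsewhere, flag files that use eval( and base64_decode( on the same line.
  # Expect some false positives; review each hit before deleting anything.
  # grep exits 1 when nothing matches, which is not an error here.
  find "$root" -type f -name '*.php' ! -path "$root/wp-content/uploads/*" \
    -exec grep -lE 'eval\(.*base64_decode\(' {} + || :
  return 0
}

# Stand-alone demo on a constructed tree: one dropped PHP file in uploads and
# one plugin file carrying the eval/base64 idiom as plain placeholder text.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2014/03" "$root/wp-content/plugins/demo"
  printf '<?php echo "dropped";\n' > "$root/wp-content/uploads/2014/03/dropped.php"
  printf '<?php eval(base64_decode("PLACEHOLDER"));\n' > "$root/wp-content/plugins/demo/demo.php"
  printf '<?php echo "fine";\n' > "$root/wp-content/plugins/demo/ok.php"
  block_php_in_uploads "$root"
  suspicious_php_files "$root"
  rm -rf "$root"
  return 0
}
demo
```

Treat the scan as a starting point only: compare any flagged plugin or theme file against a fresh copy from wordpress.org, and if the installation really is infected, restoring the recent backup the post recommends is safer than cleaning files by hand. Some hosts run PHP through a handler that ignores FilesMatch in .htaccess, so after adding the uploads rule, upload a harmless test file and confirm the server returns 403 instead of running it.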

Do not use auto-installers like Softaculous or Fantastico. Manually installing WordPress is just a matter of a few clicks, and I personally feel they leave vulnerabilities. So if you have a WordPress copy that you installed with an auto-installer, take a backup of it and install a fresh copy manually. Yes, it is time-consuming, but I would not advise you to compromise your security at any cost. To explain this better I will try to cover the pros and cons of using auto-installers and whether they are really worth it.

And lastly, I would recommend you use a good host like Hostgator, because no matter how much you try to secure yourself, if your WordPress hosting server is not configured properly all your security measures will fail.
