20 Tips To Increase WordPress Security

I have recently been blogging about how my web servers have been compromised. I am fairly sure that the attackers gained access to the server via WordPress.

I use WordPress as the backbone of 90% of my sites, so it is critically important that it is secure. I have therefore been researching methods to make those installs more secure. Here is what I have found:

The Obvious:

1. Keep up-to-date

Always use the latest version of WordPress; there is no excuse not to, as WordPress now has an inbuilt update feature which is very simple to use. Make sure that you use the latest version of WordPress, all plugins and all themes, even if those plugins or themes are not active.

2. Admin User

Although WordPress 3.x allows you to choose your WordPress admin username, many people still use 'admin', especially if you have upgraded from an older version of WordPress and have a pre-existing user.

The problem with this is that the username is already known to attackers, who then only need to brute-force your password. If they do not know your username they have to brute-force both the username and the password and get them to match, so the likelihood of hitting the correct combination is reduced.

Change your admin user to something else using the SQL command:

UPDATE wp_users SET user_login = 'YourChosenUser' WHERE user_login = 'admin';

3. Use a secure password

I use http://strongpasswordgenerator.com/ to create strong passwords. Make sure you do not use dictionary words, as many brute force attacks use dictionaries to work through tries on your password.

Tips are to use numbers and letters, mixed case and some special characters.

4. Add Keys to the wp-config.php file

WordPress 3.x does this for you, but it is worth checking that you have the keys completed in your wp-config.php file. It should look something like this, with your own unique random values rather than the ones shown here:

define('AUTH_KEY',        '19[9lL.u~lwAMWEv-HwZ+@Fm{1FP+<jDgcq|GMF|G@Oklq_w;ftPlsXO@|S^4');
define('SECURE_AUTH_KEY', 'JiSUZrIM5T!7$z;rcS];qL>L L)c@,Tqe~B=#M=V,Wgb:>F|h$d0g55)!_9Ol-');
define('LOGGED_IN_KEY',   'm~ v--9/-l+9=[$VD($<o-Afz(8uxH[p4yaVnTR3Zf5mbV6PUdu3W?J|Wr8/:`e');
define('NONCE_KEY',       '%i.WRYyslvZ.C*Np5L5S27t4 ihJF,HMhy~$aEKV0#=/`I~$o-Mu<revq/fIhb+e');
define('AUTH_SALT',        '[J&pERV+!rfO6|n0OzNo5g7 P .cOia|{^4A$Ol4w`([o-JC3:|D3nTXDx4S9H');
define('SECURE_AUTH_SALT', '%P)h3cUD=EX/2z+EY@/~i;%TjlB(EL]RB]N,B)7Tr+Rw(L2:i(V+N+VS5i2Obu0I');
define('LOGGED_IN_SALT',   'n|yRYtIi#y5Q|-3|Y~-y]f0t|1n,aE7M@ubchoibda?RDdeCwRC|~e)-d?u*JJMc');
define('NONCE_SALT',       'w|1+voiV-[q5,F3,M@wOLvOJJz*>&3Ui9drlQ{Q>Ls2|#lZVzA46?&+6&Vrgg1x');

The Not-So Obvious

5. Database setup - user, password, and database

Make sure you create a separate database for each blog; if one is compromised you do not want it affecting any other sites you may have on your server.

Make sure you create a database username for each of the installs; do not share them between WordPress installs, and DO NOT USE ROOT!

The user should be a limited user; grant it SELECT, INSERT and UPDATE privileges:
mysql> GRANT SELECT, INSERT, UPDATE ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'newpassword';
mysql> FLUSH PRIVILEGES;

Make sure that your user only has local access to your database ('localhost' in the GRANT above), so that the account cannot be used to reach the database remotely.

6. Do not use default wp_ table prefixes

Don't use the default wp_ prefix for table names; use a random one instead. This is useful but should not be relied upon as a security fix: once an attacker has got as far as being able to conduct SQL injection or another attack, it will not prevent them getting further for very long, but it will keep them guessing.

This is rather more difficult if you are trying to secure a site that has already been set up, but you can use the WP Security plugin to do this.
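The manual equivalent of what that plugin does, as an added Python example (my own, not the post's or the plugin's code): it generates the MySQL statements for a prefix change, including the two data fix-ups that are easy to forget. It assumes a single-site install and a table list taken from SHOW TABLES.

```python
import re

def prefix_change_sql(old, new, tables):
    """Return the MySQL statements that move a WordPress install from table prefix
    `old` to `new`; `tables` is the current table list (the output of SHOW TABLES).

    Renaming the tables is not enough, because the prefix is also stored in row data:
    the wp_options row 'wp_user_roles' and wp_usermeta keys such as wp_capabilities
    and wp_user_level. Leave those untouched and every user ends up with no role.
    $table_prefix in wp-config.php has to be changed as well."""
    if not re.fullmatch(r'[A-Za-z0-9_]+_', new):
        raise ValueError('new prefix must be alphanumeric/underscore and end with "_"')
    stmts = []
    for t in tables:
        if t.startswith(old):
            stmts.append('RENAME TABLE `%s` TO `%s%s`;' % (t, new, t[len(old):]))
    # Only this one option row is prefix-derived; other option names that merely start
    # with "wp_" must stay as they are, so it is matched exactly.
    stmts.append("UPDATE `%soptions` SET option_name = '%suser_roles' "
                 "WHERE option_name = '%suser_roles';" % (new, new, old))
    # Every usermeta key that starts with the old prefix is prefix-derived, so rewrite
    # them all. "_" is a LIKE wildcard, hence the backslash-escaped pattern.
    like_old = old.replace('_', '\\_') + '%'
    stmts.append("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
                 "WHERE meta_key LIKE '%s';" % (new, new, len(old) + 1, like_old))
    return stmts

if __name__ == '__main__':
    # constructed table list from a default install
    demo = ['wp_commentmeta', 'wp_comments', 'wp_options', 'wp_posts', 'wp_usermeta', 'wp_users']
    print('\n'.join(prefix_change_sql('wp_', 'k3z_', demo)))
```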

7. SSL for wp-admin

SSL connections are far more secure than normal HTTP connections, so force SSL for the admin area by adding the line define('FORCE_SSL_ADMIN', true); to your wp-config.php file. To stop the web server listing the contents of directories, add Options All -Indexes to your .htaccess file.

8. Allow access to your wp-admin from one IP Address

Although this method worries me, due to losing access to my files, I have implemented it to see how it goes. If you have a static IP address you can secure the wp-admin files from being edited. By default all but the wp-config.php file can be edited via the WordPress admin area.

If you add a .htaccess file to your wp-admin folder and add the following:

Order Deny,Allow
Allow from xx.xx.xx.xx
Deny from all

This will then only allow you to edit those files from the IP address specified.

The Allow directive accepts other forms of address besides a full IP address, such as:

A (partial) domain-name - Example: Allow from apache.org
A full IP address - Example: Allow from 10.1.2.3
A partial IP address - Example: Allow from 10.1
A network/netmask pair - Example: Allow from 10.1.0.0/255.255.0.0
A network/nnn CIDR specification - Example: Allow from 10.1.0.0/16

9. Deny access to the wp-config.php file

Perhaps a safer method than the above would be to specifically deny access to your wp-config.php file, thus keeping your database username and password more secure.

Add the following to your .htaccess file in the root of your site:

<FilesMatch "^wp-config\.php$">
Deny from all
</FilesMatch>

10. Move wp-config.php file to a directory below the one it is currently in

For example, if your site is set up like this:

/var/www/domain.com/htdocs/   (site files here)

you can move the wp-config.php file to the directory below htdocs, i.e. its parent:

/var/www/domain.com/

WordPress finds the file there automatically, so you can keep wp-config.php outside the web root, which is a great deal more secure.

11. Add Apache Level security to wp-admin

Add the following to the .htaccess file in your wp-admin folder, so that Apache asks for a password before WordPress's own login page is even reached:

AuthType Basic
AuthName "Domain.com WordPress Admin"
AuthUserFile /var/www/domain.com/.auth/.htpasswd
Require user domainAdmin

Then create the password file (kept outside the web root; -c creates the file, -m stores an MD5 hash of the password) with:

htpasswd -cm /var/www/domain.com/.auth/.htpasswd domainAdmin

12. Blacklist ip addresses

Edit the .htaccess file in the root of your site and add the following:

<Limit GET POST PUT>
order allow,deny
allow from all
deny from 123.456.789
deny from 93.121.788
deny from 223.956.789
deny from 128.456.780
</Limit>

Add the IP address of the visitor you want to ban; you can add multiple deny from xxx lines to ban multiple addresses.

This may not be that useful unless you are actively monitoring your logs, but it can help if you get a great deal of spam comments from one user.

You can also use the Lockdown plugin to record all failed attempts to access your WordPress admin. You can then add those IP addresses to the ban list.
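Tip 17's idea, banning an address after a number of failed logins, can feed the ban list above straight from the web server log. Here is an added Python example (mine, not the post's or the Lockdown plugin's code) that counts failed wp-login.php POSTs per address in constructed Apache access-log lines and emits the matching deny from lines; it assumes WordPress's usual behaviour of answering a failed login with 200 (the form is shown again) and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Constructed Apache combined-format access log lines; not real traffic. WordPress answers
# a failed login with 200 (the form is shown again) and a successful one with a 302 redirect.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2011:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2011:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2011:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2011:10:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2011:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2011:10:03:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Count, per client address, POSTs to wp-login.php that came back with status 200."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        path = m['path'].split('?', 1)[0]
        if m['method'] == 'POST' and path.endswith('/wp-login.php') and m['status'] == '200':
            counts[m['ip']] += 1
    return counts

def deny_lines(counts, threshold=5):
    """'deny from' lines for tip 12's <Limit> block, for addresses at or over the threshold."""
    return ['deny from %s' % ip for ip, n in sorted(counts.items()) if n >= threshold]

if __name__ == '__main__':
    print('\n'.join(deny_lines(failed_logins(SAMPLE_LOG))))
```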

13. Stop WordPress serving anything other than images from the wp-content/uploads folder

You can stop the wp-content/uploads directory from serving anything other than images by adding a .htaccess file to that directory containing:

Order Allow,Deny
Deny from all
<filesMatch "\.(jpeg|jpg|gif|png|js|css)$">
Allow from all
</filesMatch>

Remember, if you want to include other file types in your WordPress posts you will have to add them to the list: for a PDF document, for example, you would add pdf to the filesMatch pattern.

14. Stop SQL injection attacks

Although WordPress should already do this for you, you can add an extra layer against SQL injection attacks. SQL injection attacks are where malicious users use forms or URL parameters on your site to get their own code run against your database. Note that the rules below only inspect the query string (the part of the URL after the ?) for script tags and attempts to override the GLOBALS and _REQUEST variables; they do not look at POST bodies.

Add the following to the .htaccess file in the root of your website.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
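To see what those rules actually cover, here is an added Python re-implementation of the three conditions (my own example, not the post's .htaccess) run over constructed query strings. Apache matches against the raw query string, before URL decoding, which is why each pattern lists both the literal character and its %-encoded form; the run also shows that a textbook SQL-injection probe passes the rules untouched.

```python
import re

# The three RewriteCond patterns from the .htaccess snippet above, as Python regexes.
# Apache tests them against the raw query string (still percent-encoded), so each
# pattern has to list both the literal character and its %XX encoding itself.
QUERY_RULES = [
    re.compile(r'(<|%3C).*script.*(>|%3E)', re.IGNORECASE),  # [NC]: script tags, any case
    re.compile(r'GLOBALS(=|\[|%[0-9A-Z]{0,2})'),             # tries to set $GLOBALS
    re.compile(r'_REQUEST(=|\[|%[0-9A-Z]{0,2})'),            # tries to set $_REQUEST
]

def blocked_by_rules(raw_query):
    """True if the RewriteCond chain matches, i.e. the RewriteRule would answer 403 [F]."""
    return any(rule.search(raw_query) for rule in QUERY_RULES)

# Constructed query strings, exactly as they would arrive (before URL decoding).
SAMPLES = {
    'script_literal':  's=<script>alert(1)</script>',
    'script_encoded':  's=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
    'globals_inject':  'p=1&GLOBALS[admin]=1',
    'request_inject':  'p=1&_REQUEST=x',
    'sql_quote_or':    "s=1%27%20OR%20%271%27%3D%271",   # the textbook ' OR '1'='1 probe
    'ordinary_search': 's=wordpress+security',
}

def evaluate(samples=SAMPLES):
    """Map each sample name to whether the .htaccess rules would block it."""
    return {name: blocked_by_rules(q) for name, q in samples.items()}

if __name__ == '__main__':
    for name, blocked in evaluate().items():
        print('%-16s %s' % (name, 'BLOCKED' if blocked else 'passes'))
    # sql_quote_or passes: the rules look for script tags and superglobal overrides in
    # the query string only, and never inspect POST bodies at all.
```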

15. Remove your WordPress version

Sounds crazy but you should really do this. If hackers find a vulnerability in a particular build of WordPress then they will use search engines to find sites using that version and then exploit that vulnerability.

Edit the functions.php file of your theme and add the following line to it:

remove_action('wp_head', 'wp_generator');

16. Stop search engines indexing any of your WP- folders

Add the following to your robots.txt file (the Disallow line must sit under a User-agent line to be valid):

User-agent: *
Disallow: /wp-*

This, in combination with not allowing directory browsing of those folders, keeps their contents from being found through search engines.

17. Lockdown Plugin to stop brute force attacks

Using the Lockdown plugin to ban addresses after a certain number of failed login attempts will help prevent brute force attacks.

18. Use WordPress Firewall plugin

I have blogged before about the default set of plugins that I install; this is one of them. Make sure you get it installed, as it protects you against some of these holes, especially SQL injection attacks.

19. File permissions

Here is a quick rundown of the file permissions to check for your WordPress install:

../ 0755
../wp-includes 0755
../.htaccess 0644
index.php 0644
js/ 0755
../wp-content/themes 0755
../wp-content/plugins 0755
../wp-admin 0755
../wp-content 0755

On the Linux command line run, for example, 'chmod -R 0755 wp-includes', or use your FTP client.

All my servers have FTP disabled as this is another potential security hole.
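A single chmod -R 0755 gives every file 0755 as well, while the list above wants files at 0644. As an added example (not from the post), this Python script audits a tree against those two modes and corrects it; it builds a constructed miniature WordPress layout in a temporary directory to run against.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755   # directories in the tip 19 list (wp-includes, wp-admin, wp-content ...)
FILE_MODE = 0o644  # files in the list (index.php, .htaccess)

def audit(root):
    """Return (relative path, actual mode, expected mode) for each entry that deviates."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name, expected in [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the mode of a symlink itself is not meaningful
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            if actual != expected:
                problems.append((os.path.relpath(full, root), actual, expected))
    return sorted(problems)

def fix(root):
    """Set directories to 0755 and files to 0644. A plain 'chmod -R 0755' cannot do
    this: -R gives every file 0755 as well, which audit() then reports."""
    os.chmod(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), FILE_MODE)

def make_sample_tree():
    """Constructed miniature WordPress layout in a temp dir, with two deliberate faults."""
    root = tempfile.mkdtemp(prefix='wp-perms-')
    os.makedirs(os.path.join(root, 'wp-content', 'plugins'))
    os.makedirs(os.path.join(root, 'wp-includes'))
    for rel in ('index.php', 'wp-content/plugins/hello.php', 'wp-includes/functions.php'):
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write('<?php\n')
    fix(root)  # start from a clean state regardless of the umask, then break two entries
    os.chmod(os.path.join(root, 'wp-content'), 0o777)                    # world-writable dir
    os.chmod(os.path.join(root, 'wp-includes', 'functions.php'), 0o755)  # what chmod -R leaves
    return root

if __name__ == '__main__':
    root = make_sample_tree()
    for path, actual, expected in audit(root):
        print('%-32s %04o (expected %04o)' % (path, actual, expected))
    fix(root)
    print('after fix:', audit(root))
```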

20. Backup, Backup, Backup

OK, this is not strictly a security fix, but if the worst happens it will help you to recover. Make sure you back everything up: the WordPress install, uploaded files and, critically, the database. I use BackWPup, which can upload your data to Amazon S3 or to FTP. A very cheap method of keeping secure backups of your blog.

It is worth pointing out that if your site is hacked make sure you check all the files in the backup you are using before you restore. If a backup has run after the hack then any malicious files may be present in the backup.

If you are in this situation use the backup for your database and for any uploaded files and get a fresh copy of WordPress and any plugins.

Note:

Even with all these methods you may still be vulnerable, holes in your web server security, holes in plugins that you use or any number of factors could allow you to be compromised, but with these methods you are gaining more of the upper hand in the battle against hackers.

As a WordPress plugin developer I am looking into the possibility of creating a plugin that does some if not all of these methods for you or at least checks them and gives you advice as to how to improve the security. During this research I have found many plugins out there that claim to do this, some work better than others, indeed some do not work at all, but none are comprehensive and as such I think I will attempt to code one up that will do or check this list of 20 tips.
