Secure your WordPress Installation
A few years ago, only hackers where able to crack websites and bring them down due to their level of knowledge in systems, networking and coding. In recent times, however, things have changed and just about anyone can find tutorials on the Internet that show step by step procedures to penetrate a websites running vulnerable software.
At Keenweb Hosting, we take security seriously, and have implemented several systems to protect your applications from being exploited. We cannot, however, protect every piece of software that clients operate on their sites, as there is no guaranteed way to protect your websites from being exploited due to vulnerabilities resulting from not upgrading to the latest releases, poorly coded plugins or custom code.
This tutorial aims to focus on a common web application used by our clients – WordPress. We’ll provide some tips and suggestions that will help you add an extra layer of security to your WordPress installations.
- Always keep your WordPress installation up to date, including (crucially!) any plugins that you have installed
- Create a new admin user with a custom username, and then delete the default ‘admin’ user as many attacks will target standard usernames
- Change your admin account password regularly
- Only install plugins that are well reviewed by the WordPress community, and are actively developed
- When installing WordPress, change the default database prefix. All default WordPress installs use the database prefix of “wp_” which makes any exploiter’s job much easier. You can change this prefix to something unique during installation, and if you’ve already installed then the following plugin can easily help you changing your WordPress database prefix with a few clicks: http://wordpress.org/extend/plugins/db-prefix-change/
Below is a list of recommended modifications or adjustments to make to your WordPress installations. Read it carefully and if you have any questions feel free to get in touch with our support team before proceeding.
1) Configure the WordFence Plugin – WordFence is a fantastic plugin for WordPress that will dramatically increase the security of your WordPress blog. It is our recommended plugin for any WordPress site – with WordFence properly installed and configured, the likelihood of your blog being hacked is dramatically reduced.
2) Prevent access via wp-login.php…
3) Hide your WordPress version. Hiding the WordPress version makes it harder for bots collecting information about your site from identifying whether or not you run a vulnerable version.
4) Secure access to your wp-includes directory. This is often used by hackers to place malicious files when they find a vulnerable installation. Add the following lines to the .htaccess file in your WordPress installation directory:
# Block include-only files. RewriteEngine On RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] # End block include-only files
Note that this won’t work well on Multisite WordPress installations, as the line RewriteRule ^wp-includes/[^/]+\.php$ – [F,L] will prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
5) Block search engine bots from browsing your directories. Google and other search engines can crawl unwanted urls and expose them to hackers. It’s best to prevent Google bot and any other bots that follow robots.txt ( not all of them do) from indexing anything but your content. The robot.txt goes in your site’s root folder and is just a text file. Edit/Create your robots.txt files at your public_html folder and ensure it has the following parameters:
User-agent: * Crawl-delay: 10 Disallow: /feed/ Disallow: /trackback/ Disallow: /wp-admin/ Disallow: /wp-content/ Disallow: /wp-includes/ Disallow: /xmlrpc.php Disallow: /wp-* User-agent: msnbot Crawl-delay: 10
Read this article: 3 Great WordPress Security Plugins recommended by keenweb.co.uk
Comments are closed.