A Small Orange Community Newsletter November ’13
Intro to Advanced Policy Firewall and Brute Force Detection

WordPress Security 101

...to a WordPress site...

Keep tabs on your plugins and themes!

Keeping tabs on what plugins and themes you have installed is a very important step to keeping a secure WordPress site. Every theme and plugin you have installed can serve as a possible entry point to your site, so you should make sure you have uninstalled every theme and plugin that you do not currently use. Simply disabling them is not sufficient for security purposes, as the files are still present on your server and accessible to a clever hacker attempting to compromise your site.

Ditch the default admin account!

Every WordPress install by default has the "admin" username when you start out. Because of this, it makes it much easier for somebody with a password cracker to force their way into your admin panel. You should be able to follow these steps to remove the admin user:

  1. Login into your WordPress admin panel using your admin account.
  2.  Select ”users” from your dashboard, then click on “Add New User”.
  3.  Fill out the required fields and make sure under the "Role" drop-down menu you select "administrator". Be sure to use a strong password for this account, using a password generator and password manager is advised.
  4.  Log out of WordPress, then log in again using your new admin username.
  5.  Go to the "users" page, select the default "admin" user and choose "Delete" from the drop-down menu.
  6.  You should be asked about the articles that were originally posted under the default ”admin” username. Select the option “attribute all posts and links to” and select your new admin user.
  7.  Make sure the display name of your new admin user is different from the username. If the actual username is used also as display name of the author, a hacker can quickly identify the admin user and brute force their way into the account. Help protect against SQL injections, change your database prefix!

This is another setting that hackers will often assume is set to the default wp_ prefix, since not enough people change it. When making a fresh installation this is a simple task since it asks you what you want your prefix to be, although once the site has been installed this can be a bit tricky. Thankfully you can use phpMyAdmin to make this process a little easier.

  1.  Backups! This is the most important step, so you can quickly and easily revert if there are any issues. You will want to make a backup of your entire database, as well as the wp-config.php file.
  2.  Open up the wp-config.php file (either by using your favorite text editor via SSH, or using an FTP program to retrieve the file) and find the line that looks like this: $table_prefix = 'wp_'; You want to change the 'wp_' portion to whatever new prefix you decided on, making sure to keep the single quotes intact. Ex. $table_prefix = 'hG759_';
  3.  Open phpMyAdmin and select your WordPress database. You will want to change all of the tables that start with wp_ to your new prefix using the following steps: 3a. Click on the table, then click Operations. 3b. Under the "Table options" box you will see a "Rename table to" field, change the prefix in there to your new prefix. Click "Go" to save. 3c. Repeat for every table starting with wp_.
  4.  Once you have changed the table prefixes, select the *_options table (where * is your new prefix), and find the "wp_user_roles" in the options_name column and click edit. Change the prefix to *_user_roles (again where * is the new prefix). Click "Go" once completed.
  5.  Open the *_usermeta table and change all rows that start with wp_ to your new prefix, there should only be a few of them.
  6.  You should be all set at this point! Go through your entire site making sure every function still works. If anything isn't working properly, and doesn't look like there's an easy fix, you can always revert to your backups. Keep the wp-config.php file out of reach!

The wp-config.php file contains your incredibly valuable database connection information. There are many things you can do to secure this, most commonly you can use .htaccess tricks to stop people from accessing the file, but I personally think the best security is keeping it out of reach from the hacker's browser. By default, WordPress will search one directory above your webroot (the webroot is generally public_html) if it is unable to find your wp-config.php file. If you move your wp-config.php file above your public_html directory, it will no longer be accessible through a browser no matter what tricks the hacker has up his sleeves.

So instead of:

/path/to/public_html/wp-config.php you will have /path/to/wp-config.php 

Now the only way to access the file is via SSH or FTP, keeping your database information safe. If you do not have access to the folder above public_html, ask your webhost to assist you with this.

Proper file permissions go a long way in keeping things safe!

Often times permissions are changed due to recommendations of certain plugins or for ease of use by the user, but they don't always recommend the most secure permissions. If set correctly, the user/plugins should have no issues accessing the files, without compromising security. If a directory is set to 777 anybody has access to read, execute, and worst of all write to files in that directory. What I consider safest permissions for a directory is 755, this gives the user full control (read, write, execute), while the group and anonymous only have access to view and execute files within that directory (both required for PHP based web content managers such as WordPress). Within the directory you will also need to make sure each file also has correct permissions. The files should be set to 644, this gives you (the user) the ability to read and write to the files, but the group and anonymous users can only view the files. This is important because if anonymous users can't view the files, they won't be able to see the content on your pages. You can get a full breakdown of the Linux permission system here.

Take additional steps to restrict access to wp-admin login!

A major step you can take in securing your WordPress admin panel is only allowing specific people to access the wp-admin login page. This is best set up by putting an .htaccess file within your wp-admin directory. Using this .htaccess file you can restrict people from seeing the page without the proper username/password, or require their IP to be in a whitelist (or both!). Here is an example .htaccess file you could use within your /wp-admin/ directory. This setup will give you access if your IP is on the list, but if it's not on the list you will be prompted for a username and password.

AuthType Basic AuthName "Please Log In" AuthUserFile /path/to/password/file/.htpasswd Require valid-user Order deny,allow Deny from all Allow from Allow from Satisfy any

If you'd like to be even more secure, you can change "Satisfy any" to "Satisfy all" and it will require both your IP to be in the whitelist and the username and password. You can also use plugins to limit the amount of login attempts coming from a certain IP address, so if somebody fails to supply a proper username/password to log in they get banned for a certain amount of time.

Keep your admin pages out of view from search engines! By default search engines will crawl over your site and find all URLs, including your wp-admin url which you do not necessarily want put out to the public. You can help prevent this by adding the following line to your robots.txt file, preventing your admin page from showing up on search engines: Disallow: */wp-admin/

You can't exploit plugins you can't find! Often times sites will be exploited by accessing a plugin directly, and depending on your hosting environment you may be able to go to domain.com/wp-plugins and see a list of all installed plugins (another reason you will want to uninstall plugins you don't use, instead of just disabling them). If you hide this list, then the hacker won't be able to get an idea of what he's working with and can't easily rely on common plugin exploits. You can prevent people from viewing this directory simply by placing a blank index.html file within your /wp-plugins/ directory. This way anybody who tries to view that folder just sees a white screen.

How long has it been since you updated?! This is the most common step you will see in any blog post about securing your WordPress site. WordPress is one of the most common content management systems (CMS) in use right now (roughly 59.6% of all sites using a known CMS are running on WordPress, which is roughly 20% of all websites on the internet as of Nov 1st, 2013). That being said, WordPress sites are some of the most targeted by hackers due to the amounts of sites it would allow a hacker to access if they found a way in. WordPress sends out updates often that can patch security holes that people have found and exploited, which is why it's so important to update as soon as WordPress has a new stable release out. Plugins and themes also must update to keep up with the latest security changes, so you will want to update those whenever possible as well. The older your WordPress/plugin/theme version, the more time hackers have had to find a way in.

Don't rely on other people's backups! While most hosting companies do supply backup services that they can restore from in case your site gets compromised, it's a smart move to save a copy of your verified clean site (both files and database) on your local computer as well as a cloud storage if available. This way if your site was hacked longer than the hosting company has backups, you can provide them with a clean version to bring your site back online. Make sure you verify your site is clean often, and replace your backups accordingly to try and keep your content as current as possible. There are also several plugins that can also assist with keeping your site clean, I personally use the Sucuri Security plugin to watch for malware so I don't feel like I have to manually scan the site as often.

Never forget that your home or office computer is an access point! If your home or office computer gets infected, it could lead to the hacker gaining login information for your website or corrupting files that you might later upload to your site. Uploading corrupted files will allow a hacker quick and easy access to your site, potentially without you noticing right away. For this reason you want to make sure you have a good anti-virus program running on any computer you use to work on the website, as well as the other computers on the network.

Never forget that hackers are clever! Unfortunately it is impossible to completely safeguard a site from being compromised. Hackers are generally intelligent people who can be good at finding ways in even with proper prevention methods in place, but these prevention methods will be able to stop a great deal of them in their tracks. If somebody does find their way into your site, you at least you can be up and running shortly with minimal content loss with regular scanning and backups. icon_planicon-dedicatedNeed hosting? Take a look at all our hosting plans right here.


Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.