When it comes to WordPress security, there are three sub-systems that need your attention to protect your website from potential threats viz., blogging CMS (WordPress), back-end database, and the web server itself.Note: Remember, your WordPress installation is only as secure as your web server. If there is any weak link in the server itself, all the security measures discussed below will go in vain.
Having this important information in our minds, let's move forward and start the security hardening process.
Secure WordPress Directory Tree
The basic strategy to make your WordPress installation secure is to restrict public access to sensitive files and directories. Whenever any CMS is installed, the directory tree where it is installed is assigned certain access permissions that may vary according to their importance, functionality, and usage to help protect them from unauthorized access.Following are the general guidelines to protect your WordPress files and directories from unauthorized access.
Assign correct directory permissions - Start with assigning correct access permissions to your WordPress directory tree. Here are some of the basic rules to follow.
1. No file or directory should have a permission of 777.
2. No file should have a permission of 666, except those theme files that are edited via built-in theme editor through the WordPress dashboard.
3. Ideally, all files should have the permission of 644. Similarly, all directories should have the permission of 755.
4. Some servers require the permission of
/wp-content/uploads/ folder to be 777. Rarely, a select file or a directory of a plugin or a theme may ask for a similar permission setting.Use FileZilla FTP software to configure these file permissions on your web server. Technically sound users can use SSH access feature to make the same changes via the command line.
Disable public browsing of the directory tree - Add the following code to
.htaccess file to prevent any kind of directory browsing activity from within the web browser.Options All -Indexesindex.html files in every directory, it is the most inefficient and least preferred method to disable directory browsing.If your web server is powered by Nginx, the directory listing option is disabled by default. In case, you can open the directory in a web browser, use the following method to ask Nginx to disable it completely.
Open the default configuration file generally located at
/etc/nginx/sites-enabled/default and add the autoindex directive within the main server block.server {
...
...
...
location /var/www/html {
autoindex off;
}
}/var/www/html is where the WordPress is installed. In case, your website is installed somewhere else, change the directory path accordingly.And, do not forget to restart Nginx for the changes to take effect.
sudo service nginx restartSecure wp-admin, wp-content, wp-includes, and wp-config directories - Apart from disabling direct browsing of the directory tree, some extra steps should be taken to restrict access to these important directories.
Add the following lines to the
.htaccess file to protect wp-config.php configuration file from unauthorized access. As the name implies, this file contains important WordPress configuration settings needed to connect to your blog's database and much more.Use the following directive to secure this important configuration file.
<files wp-config.php>
Order deny,allow
deny from all
</files>.htaccess file to protect the wp-admin.php file from any kind of unauthorized access. This will ensure your admin dashboard is protected from the intruders.AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
</LIMIT>xx.xx.xx.xx entries are the static IP addresses used by you or other administrators and contributors working on your website. In case, you get a dynamic IP address each time you connect to the Internet, this method will not work at all.In that case, you can use AskApache Password Protect plugin to protect wp-admin, wp-includes, and wp-content directories without any need to edit the
.htaccess file yourself. This excellent plugin acts as a firewall and adds an extra layer of security protecting your sensitive files from automated spam bots and hackers.Secure WordPress Database
Hackers often target WordPress database to insert countless spam links within the posts and pages. Whenever you install WordPress, by default, every table gets a prefix ofwp_ regardless of the type of the table created in the database.Intruders use this information to launch a certain type of SQL injection attacks on the database. For better security, you must change this default prefix to something unpredictable. There are 3 methods to change this table prefix.
Change prefix at the time of installation - This is one of the easiest methods to provide a random table prefix to your WordPress database tables.
At the time of installation, you get a chance to edit the table prefix. Choose a random and unpredictable table prefix that cannot be easily guessed. The image above clearly shows how the default table prefix can be easily changed to something that cannot be easily guessed.Change prefix manually - This method can be painful for the technically challenged. It requires editing of more than one
.php files along with execution of multiple SQL queries.However, if you are comfortable with basic blog maintenance (technical) skills, this excellent tutorial shows you how to change table prefix through direct file editing.
Change prefix via a plugin - Fortunately, WordPress has a large repository of plugins available for almost every requirement. You can use this plugin to achieve the same effect.
Take regular database backups - Backups are lifesavers in event of any catastrophe that may bring down your entire site. You can use your favorite backup plugin to backup the core as well as additional (plugins & 3rd party scripts) tables of your website's database.
Make the habit of taking backups at least once a week followed by saving of the same at two different locations.
Secure Both User Accounts and Login Process
Almost every CMS has built-in user access control mechanism that defines a hierarchy of user-types with each type having a different set of privileges. WordPress is no different and supports pretty good user access control mechanism.Hackers target this system to gain complete control of the CMS leaving no chance to recover from the disaster. Here are some methods and safe practices that can help you in strengthening the WordPress user access control mechanism.
Use strong credentials for the admin account - While installing WordPress, we get the chance to create a custom login ID and password for the administrator's account.
If you notice in the example shown above, an uncommon login ID is chosen for the administrator account. The same goes for the password where a complex auto-generated version is used instead of manually creating one.Do not take this step lightly and make sure you're generating extremely strong login credentials for the administrator account. Doing so will ensure you're automatically saved from different types of penetration attempts.
Strengthen login procedure - Now that we have strong login credentials, it's time to make sure the login process itself is hard to breach if anyone attempts to do so.
To do so, I'll recommend an extremely good plugin. Install and use Loginizer extension to harden the login process. Through it, you can check brute force login attempts, can blacklist or whitelist IP addresses, can configure 2-factor authentication, and much more.
Fine-tune user access privileges - Large WordPress sites having multiple authors, editors, administrators, and subscribers can use the User Role Editor plugin to further strengthen the security. This plugin gives you greater control over user access permissions.
Through this plugin, one can create custom roles with tailor-made access privileges that can be assigned to any WordPress user. You can even change and tweak the default roles provided by WordPress, though it is not recommended and should be avoided. Miscellaneous Steps to Harden WordPress Security
And now, let's go through some of the common tips and tricks to run a WordPress website, securely. These pointers will not only enhance the security but will also give you a peace of mind.Hide WordPress version - Older versions of WordPress have several loopholes that can be easily breached by seasoned hackers. It is always advised to hide your WordPress version to mask any vulnerabilities (if any) that may exist in the release you are using.
The best way to hide this information is by placing the following code in the
functions.php file of your current theme.<?php remove_action('wp_head', 'wp_generator'); ?>Keep search engines away from WordPress folders - You'll never want your website's entire directory tree to be indexed by search engines. This may expose the contents of sensitive directories making it easy for hackers to analyze and find the potential loopholes.
To tackle this issue, add the following line to the
robots.txt file which is located in the root directory of your website.Disallow: /wp-*Disable file editing from dashboard - Nowadays, almost every theme and several plugins give the facility to directly edit their code files right from within the WordPress dashboard.
A person with malicious intent having access to your desk can make undesirable changes to the code files if the dashboard is inadvertently left open behind your back. To address this scenario, add the following directive within the
wp-config.php file.define('DISALLOW_FILE_EDIT', true);And, following are some general safety precautions.
1. Create strong passwords and change them frequently.
2. Keep your plugins and WordPress release, updated.
6. Use specialized security plugins to find any vulnerabilities in your WordPress installation.
7. If possible, avoid remote publishing via 3rd party publishing tools.
4. Create a disaster recovery plan and simulate it on a test blog.
8. Use SSH or SFTP for secure editing of files and directories.
5. Avoid using plugins from unknown sources (may include malicious code).
9. If your budget allows, avoid shared hosting environments.
3. Regularly backup files and database.