WordPress security points you need to take seriously
Author: Jignesh Sanghani (@jignesh19961020)
Introduction
You have probably already read plenty of articles and watched videos on securing a WordPress site, but I still want to add some common points that may help you secure yours.
These days the security of any system is crucial. Every day, attackers probe sites with XSS, brute-force and other routine attacks, for fun or to break in, and WordPress is a favourite target. Why WordPress? Because WordPress extends a site's features through themes and plugins written by third-party developers, and some of those developers (or whoever redistributes their work) hide scripts in a plugin or theme to harvest your details or credentials. So here are some quick points that will help you secure your site.
Use a reliable hosting company
Often overlooked, web hosting is one of the key components of every successful website, and it matters for security as much as it does for SEO and sales. There are several kinds of WordPress hosting: free, shared, VPS, dedicated, and managed WordPress hosting. The points below will help you choose.
Choose a hosting provider that offers reliable backups and restore points, network reliability, SSL/TLS certificates, firewalls and DDoS protection, antivirus and malware scanning and/or removal, high availability and disaster recovery. Also check that the stack they provide is current and maintained: Apache, a supported PHP version (PHP 5 is end-of-life; use PHP 7 or later), MySQL or MariaDB (WordPress core does not run on PostgreSQL), phpMyAdmin and SSL certificates.
Improve your login information
- Don't use "admin" as your username or a trivial password. This is the most common mistake of non-technical WordPress users, who pick credentials they can easily remember; "admin" is the first username every brute-force tool tries.
- Pick a strong password (lower- and upper-case letters, numbers and special characters); a password manager or a random password generator is the easiest way to get one.
- Disable login hints, the error message that tells an attacker whether it was the username or the password that was wrong.
- Rename your login URL (this only hides wp-login.php from casual scanners; it does not replace the other measures).
- Limit the number of login attempts.
- If your site is not a membership site, don't enable "Anyone can register" (Settings > General).
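Two of the points above (hiding login hints and limiting login attempts) can be done without installing anything. The must-use plugin below is an added example written for this article, not code from WordPress or from any plugin mentioned here. It assumes the server sees the real client address in REMOTE_ADDR (not a proxy's), and every name with the lh_ prefix is my own.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 * Description: Generic login error messages plus a per-IP limit on failed logins.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads automatically and
 * cannot be deactivated from the dashboard. Example code for this article,
 * not part of WordPress or of any plugin.
 */

// Hide login hints: never tell an attacker which half of the credentials was wrong.
add_filter('login_errors', function ($error) {
    return 'Invalid username or password.';
});

// Limit login attempts: after LH_MAX_ATTEMPTS failures from one IP address
// within LH_WINDOW seconds, refuse further attempts until the window expires.
define('LH_MAX_ATTEMPTS', 5);
define('LH_WINDOW', 15 * MINUTE_IN_SECONDS);

// Transient key for the caller's IP. Assumption: the server sees the real client IP.
// Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy; configure the server
// (e.g. mod_remoteip) to restore the client address before relying on this.
function lh_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lh_fail_' . md5($ip);
}

// Count each failed login against the caller's IP (sliding window).
add_action('wp_login_failed', function ($username) {
    $key   = lh_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, LH_WINDOW);
});

// Refuse authentication once the limit is reached. Priority 30 runs after the
// core username/password check (priority 20), so it overrides a correct password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lh_client_key()) >= LH_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lh_client_key());
}, 10, 2);
```

Copy the file to wp-content/mu-plugins/login-hardening.php and test by entering a wrong password six times in a row: the first five attempts should show the generic message, the sixth a "too many attempts" error even with the correct password. Because the counter is keyed by IP, many users behind one NAT share a limit and an attacker rotating through many addresses is not slowed down; that is why this complements, rather than replaces, a strong password and two-factor authentication.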
Stay up to date
WordPress releases an update as soon as a security bug is fixed, and the fix itself tells attackers what the bug was. If your WordPress is not up to date, someone may breach your system, because they know exactly which security bug your version has and how to exploit it. The same goes for plugins and themes, which are updated independently of core.
Be vigilant about plugin and theme usage
- Know about plugin vulnerabilities when possible: check the changelog and any published advisories before installing.
- Look at the security track record of the plugin and how quickly its author fixes reported issues.
- Download and activate plugins and themes only from known sources (the official WordPress directory or the developer's own site).
- Delete any plugins or themes you are not using; inactive code is still on disk and its files can still be requested directly.
- Don't download premium ("nulled") plugins or themes for free; hackers often put their own scripts in them to collect your sensitive information.
- Most WordPress compromises come through themes and plugins, either because they have a serious security bug or because, as mentioned above, someone injected a malicious script into them.
Disable the WordPress theme and plugin editor
- Disable the built-in file editor so that nobody can change theme or plugin code from the admin panel, not even another user with admin rights or an attacker who has hijacked an admin session: add define('DISALLOW_FILE_EDIT', true); to wp-config.php.
- If you need to edit code, edit the files directly over SFTP.
Block access to your wp-config file
Make sure wp-config.php cannot be read by anyone over the web, because this file holds all the credentials of the WordPress site: the database name, user and password, and the authentication keys and salts used to sign login cookies. Anyone who can read it can log in to your database and forge admin sessions.
Prevent directory browsing (indexing) of your WordPress website
When someone requests the URL of a directory on your website, Apache looks for an index.php or index.html file; if it can't find either, it displays a list of all the files and folders in that directory (for example every file in wp-content/uploads, or every installed plugin). Make sure this can't happen anywhere.
Two-step verification system
One of the most common tricks hackers use is the brute-force attack. If they steal your password or guess it, they can infect your website with malware. One of the easiest ways to protect your WordPress website against a stolen password is to add two-factor authentication. That way, even if someone steals your password, they still need a security code from your phone or email to get in.
Several plugins provide two-step verification:
- Wordfence (recommended)
- Google Authenticator app (TOTP; any authenticator app works with plugins that support the standard)
- SMS verification (the weakest of the three: SMS codes can be intercepted by SIM swapping, so prefer an app where you can)
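To show what the "security code from your phone" actually is and how the server checks it, here is a self-contained TOTP (RFC 6238) verifier. It is an added example, not code from the article or from any plugin listed above: the function names are mine, the secret is the RFC 6238 test key (in real use you generate a random one per user and store it encrypted), and $lastStep stands for a per-user value you would keep in the database to stop a code being replayed within its validity window.

```php
<?php
// TOTP (RFC 6238) verification with a +/-1 step window and replay protection.
// Added example for this article; not from WordPress or any plugin.

// Decode a base32 secret (the format authenticator apps are provisioned with).
function totp_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $chunk) {
        if (strlen($chunk) === 8) {          // drop trailing padding bits
            $out .= chr(bindec($chunk));
        }
    }
    return $out;
}

// Compute one code for a given 30-second time step.
function totp_code(string $secret, int $step, int $digits = 6): string {
    $msg    = pack('J', $step);              // 8-byte big-endian counter
    $hash   = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hash[19]) & 0x0f;         // dynamic truncation (RFC 4226)
    $bin = ((ord($hash[$offset]) & 0x7f) << 24)
         | (ord($hash[$offset + 1]) << 16)
         | (ord($hash[$offset + 2]) << 8)
         |  ord($hash[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Verify a submitted code. $lastStep is the last time step already accepted for
// this user; it is updated on success so the same code cannot be replayed.
function totp_verify(string $secret, string $code, int $now, int &$lastStep, int $window = 1): bool {
    $step = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = $step + $i;
        if ($candidate <= $lastStep) {
            continue;                        // already used: reject replay
        }
        // Constant-time comparison so timing does not leak how many digits matched.
        if (hash_equals(totp_code($secret, $candidate), $code)) {
            $lastStep = $candidate;
            return true;
        }
    }
    return false;
}

// Demo with the RFC 6238 test key (base32 of the ASCII string "12345678901234567890").
// The RFC's SHA-1 vector for T=59 is 94287082 with 8 digits; the 6-digit code is 287082.
$secret   = totp_base32_decode('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$lastStep = 0;
var_dump(totp_verify($secret, '287082', 59, $lastStep)); // first use of this code
var_dump(totp_verify($secret, '287082', 59, $lastStep)); // same code again (replay)
var_dump(totp_verify($secret, '000000', 59, $lastStep)); // wrong code
```

Two details matter in practice: hash_equals avoids a timing side channel on the comparison, and rejecting any step at or below the last accepted one means a code that was phished and submitted a few seconds later is refused, even though it is still inside the +/-30 s clock-drift window.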
SSL Certificates
SSL (Secure Sockets Layer, today replaced by its successor TLS) is the standard protocol for establishing an encrypted connection between a web server and a browser. It protects the client-server traffic so that a third party on the path cannot read or tamper with the data exchanged. The certificate is issued and signed by a trusted certificate authority, which is what lets the browser verify it is talking to the real server; the traffic itself is encrypted with keys negotiated between the browser and the server.
The primary reason to use SSL/TLS is to keep sensitive information sent across the Internet encrypted so that only the intended recipient can read it. Data you send over the Internet passes through many computers on its way to the destination server, and any machine in between can see your credit card numbers, usernames, passwords and other sensitive information if the connection is not encrypted. With a certificate in place, the information is unreadable to everyone except the server you are sending it to, which protects it from eavesdroppers and identity thieves. Once you have a certificate, serve the whole site over HTTPS and set define('FORCE_SSL_ADMIN', true); in wp-config.php so the login page and dashboard are never served over plain HTTP.
Use Secure FTP (SFTP)
FTP and SFTP both transfer files between your machine and the server using an account's credentials, but they are very different underneath. Plain FTP sends your username, password, commands and file contents in cleartext, so anyone on the network path can read or alter them. FTPS adds TLS encryption to FTP, but SFTP is the simpler choice: it runs over SSH, so credentials, commands and data are all encrypted on a single port, and it supports key-based authentication, so you can disable password logins for the account entirely. The small cost in transfer speed is not noticeable for WordPress uploads.
SFTP also carries file metadata (permissions, owner, timestamps and size) in the protocol itself, so you can check and fix file permissions from the same session, something classic FTP exposes only partially.
Protecting WordPress using .htaccess
.htaccess is a per-directory configuration file for web servers running Apache. The wp-includes directory contains files that no visitor needs to request directly but that WordPress needs to run, so we can protect them by denying direct access in .htaccess. Keep your own rules outside the block WordPress manages (between the # BEGIN WordPress and # END WordPress comments), because WordPress rewrites that block whenever permalinks are saved.
Add this snippet to the .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
Always add your own rules above the # BEGIN WordPress line; WordPress rewrites everything between # BEGIN WordPress and # END WordPress. The backslashes before the dots are required: they make the dot literal in the regular expression.
This won't work on a WordPress multisite, because the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] blocks ms-files.php, which multisite uses to serve uploaded files. Remove that one line on multisite; it offers a little less protection but works.
Your wp-config.php file contains your database connection details and the WordPress security keys discussed above. A few lines in .htaccess will keep it away from hackers and spammers and significantly strengthen the site's protection.
You can also move wp-config.php one directory above the WordPress install; WordPress looks there automatically if the file is not in the web root, and it is then reachable only over SFTP, cPanel or a shell on the server, never via a URL.
Add this to the top your .htaccess file.
<Files wp-config.php>
# Apache 2.2 syntax. On Apache 2.4 use "Require all denied" instead; Order/Deny
# work there only if mod_access_compat is loaded, otherwise the site returns a 500 error.
Order allow,deny
Deny from all
</Files>
This denies every HTTP request for wp-config.php. WordPress itself still reads the file normally, because PHP opens it through the filesystem, not over the web.
All this added protection is great, but remember that it all lives in your .htaccess file. If someone can read or modify .htaccess, the added security is gone.
Add the following to the top of your .htaccess file to block web access to .htaccess itself (Apache's default configuration already denies files starting with .ht, but it costs nothing to be explicit).
<Files .htaccess>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
Order allow,deny
Deny from all
</Files>
You can add more rules to .htaccess if you like.
You can also restrict files by name and extension. This snippet restricts access not only to wp-config.php but also to php.ini, install scripts, readme files, log files and version-control metadata (the dots are escaped so they match literally; the pattern is anchored only at the start, so backup copies such as wp-config.php.bak are caught too).
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
Deny from all
</FilesMatch>
#Code courtesy - WPWhiteSecurity
Next, we can disallow browsing of the WordPress directory contents with one line. Use exactly this form: the Options All -Indexes variant you sometimes see also switches on every other option (ExecCGI, Includes, FollowSymLinks), which you do not want.
Options -Indexes
Apart from that, a few other changes to .htaccess improve security:
- Block IPs and IP ranges. You can limit access to your login pages by IP range. I would have covered it in the login section, but login-protection plugins already block IP ranges that hammer the login page with brute-force attempts.
- Keep bad bots at bay.
- Prevent hotlinking.
This is getting quite extensive and we are starting to go off point. If you want to do the other things as well, for which I haven't presented the code here, you can use the custom .htaccess code from WP White Security.
Please keep track of which files you have moved to the root directory of the WordPress install. You need to know where each file or folder lives so that you can edit it, and so that you don't create multiple copies in different locations, which defeats the point of the exercise.
Turn off PHP error reporting & PHP execution
PHP execution should be limited to the directories that need it. Why? A good example is the MailPoet Newsletter hack, which let attackers upload files that were then executed from the wp-content/uploads folder. To close off that class of attack, deny the web server from executing PHP in directories that only hold uploaded content. Add this snippet to a .htaccess file in those directories.
<FilesMatch "\.(php|phtml|php[0-9])$">
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
Order Allow,Deny
Deny from all
</FilesMatch>
This rule matches PHP files (including the php5/php7 and phtml variants some servers execute) and denies direct access to them. Add it to the following WordPress folders:
- wp-content/uploads
- wp-includes
- wp-content
You'll need to create a .htaccess file in each of these folders; by default only the root directory has one. wp-content/uploads is the important one and is safe to lock down, because nothing there should ever be code. Be careful with wp-content as a whole and with wp-includes: some plugins and themes expose PHP files that the browser requests directly, and blocking all PHP there will break them, so test the site after adding each file and keep the rule only where nothing breaks.
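As an added example (not code from the article, from WP White Security or from WordPress itself), here are the .htaccess rules from this section combined into the two files a typical site needs, in a form that works on both Apache 2.4 (Require) and Apache 2.2 (Order/Deny). It assumes the server's AllowOverride setting permits these directives in .htaccess (the usual AllowOverride All); if it does not, Apache answers every request with a 500 error until the offending line is removed.

```apache
# Added example: hardened .htaccess fragments for a WordPress site.
# Works on Apache 2.4 (mod_authz_core) and 2.2 (mod_access_compat style).

# ---- /.htaccess (site root), placed ABOVE the "# BEGIN WordPress" block ----

# No directory listings anywhere under the site.
Options -Indexes

# Deny web access to configuration, install and log files. Anchored only at the
# start on purpose, so backup copies such as wp-config.php.bak are caught too.
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|readme\.html|readme\.txt|\.htaccess|\.htpasswd|timthumb\.php|error_log|error\.log|PHP_errors\.log)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# <Files> matches only the last path component, so version-control directories
# need a path rule: answer 404 for anything under .git or .svn.
RedirectMatch 404 /\.(git|svn)(/|$)

# ---- /wp-content/uploads/.htaccess (create this file) ----

# Files in the upload directory are data, never code: refuse to serve any PHP
# variant, even if an attacker manages to upload one.
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Verify each rule from outside after saving: a request for /wp-config.php and for /wp-content/uploads/anything.php must return 403, a request for /.git/config must return 404, and a request for a directory without an index file (for example /wp-content/uploads/) must return 403 instead of a listing. Check the site's normal pages still load, too; a typo in .htaccess takes the whole site down.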
PHP error messages shown to visitors are a signal to hackers hunting for vulnerabilities that something on your site is not working, and they often leak full file paths, database table names and plugin versions.
Adding these lines to your wp-config.php file should resolve the problem.
// Keep PHP errors off the page so visitors (and attackers) never see them.
error_reporting(0);
@ini_set('display_errors', 0);
// Leave WordPress debugging off in production.
define('WP_DEBUG', false);
Having read several threads and discussions about PHP error reporting, this may not be enough on its own. WordPress calls error_reporting() itself after wp-config.php is loaded (in wp_debug_mode()), so the error_reporting(0) line is overridden; what actually hides the output is display_errors being off, and a later plugin or a php.ini setting can turn it back on. If errors still appear, set display_errors = Off in php.ini (and keep log_errors = On so you can still read them in the log), or ask your web host how to do that on their platform.
I hope this gives you the basics to check on every WordPress project. As I said at the start, a WordPress site has many small holes, and now you can see why: many files are never meant to be reached by an anonymous user, because they contain sensitive information about your project. If those details are compromised your site can be broken, the database deleted, or its data altered. Be especially careful with .htaccess and wp-config.php. If you are not a technical person, get advice from a WordPress developer so that your site runs securely.