Hardening WordPress Security

WordPress out of the box is fairly secure, but there are still some pretty big holes. In addition, hosting environments and installation requirements often introduce gaping security holes in the WordPress framework. Below are a few best practices to help secure your WordPress installation.

Install Security Plugins

There are several good security plugins available. Here are three that every WordPress installation should have installed and activated.

  1. Install WP Security Scan and run a scan
  2. Install Login Lockout plugin
  3. Install WordPress Firewall 2

Changing security on WordPress directories

Some installations come with directories set to 777 out of the box. Change the permissions as follows (either with chmod from the Unix shell, or with an FTP program such as FileZilla that can set permissions and recurse them into subdirectories and files).

  1. Change your main WordPress home directory to 755
  2. Change .htaccess to 644 (all instances of .htaccess should be changed)
  3. Change wp-admin/index.php to 644
  4. Change permissions on wp-config.php to 644

Some WordPress plugins require the /wp-content/ folder to be writable, which may require setting 755 permissions on the plugin directory. The same is true for /wp-content/cache/ and possibly /wp-content/uploads/.

All directories should be 755, or 750 if possible. All files should be 644 or 640, with the exception of wp-config.php, which should be 600 (tighter than the 644 given above) to prevent other users on the server from reading it.
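As an added example (not part of the original post), the following POSIX shell script applies the permission scheme above to an entire WordPress tree and then audits it for anything still world-writable. It assumes the WordPress root is passed as an argument and that the files are owned by the account the web server or deploy process runs as; the function names are my own.

```sh
#!/bin/sh
# Apply the page's scheme to a WordPress tree: directories 755,
# files 644, wp-config.php 600. The tree is assumed to be owned by
# the web-server or deploy account (the 755/644 scheme presumes it).
harden_wp_perms() {
    wp_root="$1"
    [ -d "$wp_root" ] || { echo "no such directory: $wp_root" >&2; return 1; }
    # Every directory: owner rwx, group/other rx (never world-writable).
    find "$wp_root" -type d -exec chmod 755 {} +
    # Every file: owner rw, group/other r. Covers .htaccess, wp-admin/index.php, etc.
    find "$wp_root" -type f -exec chmod 644 {} +
    # wp-config.php holds database credentials and salts: owner only.
    [ -f "$wp_root/wp-config.php" ] && chmod 600 "$wp_root/wp-config.php"
    return 0
}

# Report anything still world-writable (the 777 leftovers the page warns about).
# Prints the offending paths and returns 1 if any exist, 0 if the tree is clean.
find_world_writable() {
    wp_root="$1"
    found=$(find "$wp_root" -perm -0002 -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: harden_wp_perms /path/to/wordpress && find_world_writable /path/to/wordpress
```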


Security account changes

Lock down or delete the default admin account. Create a new user account and give it the administrator role. Then select the admin user and change its role to subscriber (or delete it altogether).

Modify .htaccess to secure it

All instances of .htaccess should be modified to include the following lines. Note that the RewriteCond below has a domain hard-coded in it: change “yourdomainname” to the domain the .htaccess file is running under.

# DENY PUBLIC ACCESS TO YOUR wp-config.php file
# (The order/deny lines are Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat, replace the two lines inside each block with: Require all denied)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# DENY PUBLIC ACCESS TO YOUR php.ini file
<Files php.ini>
order allow,deny
deny from all
</Files>

# DENY PUBLIC ACCESS TO YOUR php5.ini file
<Files php5.ini>
order allow,deny
deny from all
</Files>

# Disable the ability for outside domains to link to our images. Add this to .htaccess.
# Only allow images to be linked from this website. Change the image name below
# (to an image carrying a message such as “you can’t link to my images”, or leave it
# as a non-existent image file).
# Requires mod_rewrite; WordPress's own .htaccess already turns it on, but the
# RewriteEngine line is harmless if repeated.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yourdomainname\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Do not rewrite the placeholder image itself, or the rule loops on its own target.
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Add salts to wp-config.php

I believe this happens automatically during an upgrade, but regardless, these should exist in your wp-config.php file. Go to https://api.wordpress.org/secret-key/1.1/salt/ and it will generate unique keys that you paste into the wp-config.php file. You can regenerate these at any time and replace them. The worst that can happen is that users have to log back in again.

Copy the generated lines and paste them into your wp-config.php file. If the salts already exist, simply paste over them and save the file.

Rename files that are no longer needed

There is no point in holding onto files that are no longer needed, or that could be destructive if they were run.

  1. Rename /wp-admin/install.php to install.php_backup
  2. Rename wp-config-sample.php to wp-config-sample.php_BACKUP
