Being a WordPress security expert .. I have to say this … I have seen many of my clients getting totally freaked out … even by amateur hacks.

I don’t blame them .. normal people don’t usually have technical knowledge and it’s only natural to get freaked out when someone attacks, or there is a threat against, your virtual business place (website).

But these are usually punk wannabes … they are not the real deal .. otherwise they simply wouldn’t be wasting time on “John Doe’s website”; they would rather poke large Fortune 500s like Google/Facebook/Twitter/LinkedIn and so on.

So my advice is … take solace in the fact that these are just wannabes and you don’t need to worry about them much.

Now of course we can’t just sit and let these punks mess around with our virtual business places .. so here are my two cents about WordPress security:

When installing WordPress, make sure to add unique authentication keys and salts to your wp-config.php file. Here is how to do it:

Step 1: Open the wp-config.php file using any text editor and look for the following:

[Screenshot: wp-config1]

Step 2: Now visit https://api.wordpress.org/secret-key/1.1/salt/

Step 3: Copy all the code that shows up on that page and paste it over the existing lines, replacing them as follows:

[Screenshot: wp-config2]

Step 4: Save, and that is it, complete.

When installing WordPress:

1. Make sure NOT to use the default user “Admin” as your admin user .. change it to a user name of your choice.

2. Also remember to use a strong password, something like v!IcQX)z4+zX%

(It’s hard to remember but it’s hard to guess as well, and that is why we security experts advise the use of strong passwords like the one above; make sure to save it in a safe place.)

Security plugin:

I’ll not brag and say I tested them all, but the truth is … I have used and tested quite a few plugins and found that many of them are good and some are too complex for the everyday Joe. When it comes to security you want the best, but at the same time .. something easy to use .. I mean something that doesn’t require you to go back to school.

So my favorite plugin is: WordFence

I know it’s perhaps not that popular, however the developer seems quite skilled in server security as well as WordPress, and being honest, this dude actually knows what he’s doing.

If you’re planning to set up a new WordPress site/blog, or if you already have a site and are looking to add some security measures .. whatever the situation .. my advice is that you give this plugin a chance. Below is a screenshot of the plugin settings (options) that I recommend:

[Screenshot: wordfence]

Now to make things simple …

As you can see I marked all the alert fields, and most importantly the following fields:

Alert when someone is locked out from login (This alerts you when someone tried to log in to the website and failed .. this option is not recommended for membership type websites though.)

Alert when the “lost password” form is used for a valid user (This alerts you when someone uses the lost password form to get a new password for their user id; this option is not recommended for membership type websites either.)

Alert me when someone with administrator access signs in (This alerts you when an admin user logs in to the website. This option is very important .. usually a server side breach doesn’t happen .. so most likely our hacker friends will try to breach the front end, i.e. the WordPress admin section, and if they succeed .. this option comes in handy .. whenever someone with admin credentials logs in to the website .. an email notification is sent to your email address. This should be active for all types of websites.)

PS: If you would like to add an extra level of security, you can block the theme and plugin editing feature:

Add the following lines to your theme’s functions.php file:

1. Removing theme editor link from menu using remove_action()

// Unhook the core callback that appends the "Editor" entry under Appearance.
function tcb_remove_editor_menu() {
  remove_action('admin_menu', '_add_themes_utility_last', 101);
}
// Priority 1 so this runs before core adds the entry at priority 101.
add_action('admin_menu', 'tcb_remove_editor_menu', 1);

2. Removing theme editor link from menu using remove_submenu_page()

// Run late on admin_init so the submenu entry already exists when we remove it.
add_action('admin_init', 'tcb_remove_menu_elements', 102);
function tcb_remove_menu_elements(){
  remove_submenu_page( 'themes.php', 'theme-editor.php' );
}

The problem with these two methods is that they don’t actually stop anyone with the right roles and capabilities from editing the theme files. They just remove the link from the menu. If a plugin or theme provides links to the editor from somewhere else, then the above methods are pretty useless.

3. Disable theme and plugin editing completely using WordPress’s built-in constant definition

Luckily WordPress has a really easy way to stop themes and plugins being edited from within the WordPress admin panel (dashboard).

define('DISALLOW_FILE_EDIT', true);

This not only removes the links from the menus, but effectively disables the theme and plugin edit capabilities from the dashboard altogether. So even with a link to the right place, no user, including the admin/you, will have permission to edit themes/plugins from the dashboard. This is not only shorter, but more powerful. It is just a single line in the wp-config.php file (add it anywhere in your wp-config.php file above the “That’s all, stop editing!” line).

And this also makes sure that even if there is a breach of the WordPress back-end .. our punk wannabe friends won’t be able to make any changes or add malicious code to the theme/plugin.
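A small checker for the two wp-config.php steps above (the unique keys/salts from Step 1 to Step 4, and the DISALLOW_FILE_EDIT line), added here as an example and not code from the original post or from WordPress. The two wp-config.php samples are constructed inline; the salt values in the “good” sample are made-up filler of the right length, not output of the salt API.

```python
import re

# The eight key/salt constants WordPress expects to be unique per install.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what a fresh wp-config.php ships with
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
EDIT_RE = re.compile(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)")
STOP_LINE = "That's all, stop editing"        # custom defines belong above this comment

# Constructed sample (not a real site's file): salts left at the installer
# placeholder and DISALLOW_FILE_EDIT missing, i.e. both hardening steps skipped.
BAD_WP_CONFIG = "<?php\ndefine('DB_NAME', 'example_db');\n" + "".join(
    f"define('{n}', '{PLACEHOLDER}');\n" for n in SALT_NAMES
) + f"/* {STOP_LINE}! */\nrequire_once ABSPATH . 'wp-settings.php';\n"

# Constructed hardened variant: eight distinct 64-character values (made-up
# filler, not salts from the API) and the constant placed above the stop line.
GOOD_WP_CONFIG = "<?php\n" + "".join(
    f"define('{n}', '{(n + '-constructed-sample-value-').ljust(64, '#')}');\n"
    for n in SALT_NAMES
) + f"define('DISALLOW_FILE_EDIT', true);\n/* {STOP_LINE}! */\nrequire_once ABSPATH . 'wp-settings.php';\n"


def audit_wp_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    defines = dict(DEFINE_RE.findall(text))
    findings = []
    for name in SALT_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} missing")
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{name} is the placeholder or too short")
    # The salt API hands out eight different values; duplicates mean a bad paste.
    real = [defines[n] for n in SALT_NAMES if defines.get(n, PLACEHOLDER) != PLACEHOLDER]
    if len(set(real)) != len(real):
        findings.append("salt values are not all distinct")
    edit, stop = EDIT_RE.search(text), text.find(STOP_LINE)
    if edit is None:
        findings.append("DISALLOW_FILE_EDIT not set")
    elif stop != -1 and edit.start() > stop:
        findings.append("DISALLOW_FILE_EDIT is below the stop-editing line; move it above")
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_WP_CONFIG), ("good", GOOD_WP_CONFIG)):
        print(label, audit_wp_config(cfg) or "OK")
```

Point `audit_wp_config` at the contents of a real wp-config.php to check an existing site; a non-empty result lists exactly which of the steps above is still missing.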

Whitelisted IP addresses that bypass all rules:

This is a very important option .. which can be used to our advantage .. but only if you have a static IP, that is … static as in .. if you have your own fixed IP, for example: 120.54.04.85 . If you don’t know whether you have a static IP or a dynamic one, call your Internet Service Provider and ask about it, and if it turns out the IP you have is static, then you can use the whitelist feature.

What you need to do is .. add your IP there and that’s it .. Wordfence won’t give you any trouble, but anyone else trying to log in/breach will have a hard time doing so.

If you have a dynamic IP within a range, for example 123.23.34.[1-50], then you need to list it as 123.23.34.[1-50]; you can get the info from the Internet Service Provider.

Be advised: this option isn’t recommended for most people.

Also make sure to scan your site regularly and make sure to take necessary measures to fix the issues found.

.htaccess to secure your website

This is very important. In your WordPress installation directory there should be a file called .htaccess; if there isn’t one .. you need to create one and add the following code:

# STRONG HTACCESS PROTECTION
# deny web access to .htaccess / .htpasswd files themselves
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# disable directory browsing
Options All -Indexes

# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

# protects readme.html so people can't check the WordPress version
<Files readme.html>
Order allow,deny
Deny from all
</Files>

# protects license.txt so people can't check the WordPress version
<Files license.txt>
Order allow,deny
Deny from all
</Files>

# block common malicious query strings (script tags, GLOBALS/_REQUEST tampering)
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

I’ll not get all technical as most Joes won’t even understand what the above means .. so just copy/paste the code into your .htaccess file, which can be found in your WordPress installation directory.

Which is generally at: /home/username/public_html/.htaccess
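For readers who do want to know what the RewriteCond lines above actually do, here is an added example (not from the original post or from Wordfence) that replays those three patterns over constructed query strings; example.com is a placeholder, and the patterns are copied from the .htaccess block, so it shows exactly which requests would get the 403 and which would pass.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from the .htaccess block above, translated to
# Python regexes. Apache's [NC] flag (case-insensitive) applies to the first
# pattern only; the [OR] flags mean any single match is enough to forbid.
QUERY_RULES = (
    ("script-tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),
    ("GLOBALS", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
)

# Constructed request URLs (example.com is a placeholder, not a real site).
SAMPLE_URLS = (
    "https://example.com/?p=42",                             # ordinary page request
    "https://example.com/?s=<script>test</script>",          # raw angle brackets
    "https://example.com/?s=%3Cscript%3Etest%3C/script%3E",  # URL-encoded form
    "https://example.com/?GLOBALS[x]=1",                     # register_globals style probe
    "https://example.com/?_REQUEST%5Bx%5D=1",                # encoded bracket is still caught
    "https://example.com/?s=javascript",                     # 'script' alone is not enough
    "https://example.com/?s=<b>script</b>",                  # harmless search, still blocked
)


def query_rule_hits(url):
    """Names of the rules that fire on the raw, undecoded query string.

    Apache tests %{QUERY_STRING} before any URL decoding, which is why the
    patterns carry both '<' and '%3C'; urlsplit() likewise leaves it raw.
    """
    query = urlsplit(url).query
    return [name for name, rx in QUERY_RULES if rx.search(query)]


def would_be_forbidden(url):
    """True if the RewriteRule ... [F,L] would answer this request with 403."""
    return bool(query_rule_hits(url))


def classify(urls=SAMPLE_URLS):
    """Map each URL to the rules it trips (empty list = request passes)."""
    return {url: query_rule_hits(url) for url in urls}


if __name__ == "__main__":
    for url, hits in classify().items():
        print("403" if hits else "200", url, hits)
```

Two caveats the output makes visible: the GLOBALS and _REQUEST patterns carry no [NC], so a lowercase variant passes, and nothing here inspects SQL keywords at all, so the rules are a crude filter for script tags and PHP variable tampering rather than real SQL injection protection.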

If you are having problems implementing the above suggestions or enhancing the security of your WordPress website, please comment below and we will gladly assist you and answer any WordPress/web-related questions you might have.