How to Set up and Properly Secure WordPress

2012.05.28

I once struggled to remove a virus from my website and in the process learned much about WordPress security.

WordPress (Photo credit: Adriano Gasparri)

There are a few simple things you can do to greatly increase security. The most important are to update frequently (there are plugins which can automate this process, including backing the site up somewhere first), to install a few security plugins (listed below), and, if possible, to change the table prefix from the default ‘wp_’ to something else (explained below). I prepared the following for myself to use every time I set up a new WordPress install; it is compiled from several sources. Happy blogging!

On this page:

Installing WordPress
Securing wp-includes
Basic .htaccess Rules
Rename the database prefix pre-installation only!
Hide version info
Don’t allow search bots to browse your directories
Disable user registration.
Delete the readme and any unnecessary files.
Change the database prefix on a live site
Synopsis Written Out
Themes
Widgets
Security Plugins

Installing WordPress


Note that on a shared server the permissions of your wp-config.php should be 750 [although WP itself says 400 or 440, which makes more sense], so that no other user on the machine can read your database username and password. If you have FTP or shell access, do the following:

chmod 750 wp-config.php

From http://codex.wordpress.org/Hardening_WordPress:

Adding server-side password protection to /wp-admin/ adds a second layer of protection around your blog’s admin area, login, and files. This forces an attacker or bot to get through this second layer instead of reaching your actual admin files. Most of the time WordPress attacks are carried out autonomously by a malicious software bot. But simply securing the wp-admin/ directory might also break some WordPress functionality, because the Ajax handler wp-admin/admin-ajax.php and other files can’t be accessed without the password. See the Resources section of that Codex page for more documentation on how to password protect your wp-admin/ directory properly.

Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Place these rules in your .htaccess above the # BEGIN WordPress line. Note that this won’t work well on Multisite, as the rule RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.

Basic .htaccess Rules

Some basic rules that you can add to your root .htaccess file. More advanced rules are covered in the advanced guide, since messing around there can break your site; these ones won’t do much other than protect you.

# Comments in .htaccess start with '#'; lines starting with '//' are not valid
# Apache directives and cause a server error.

# limit indexing of directories
Options All -Indexes

# protect the .htaccess file;
# the default Apache config already does this, but you never know
<files .htaccess>
order allow,deny
deny from all
</files>

# disable the server signature
ServerSignature Off

# limit request bodies (file uploads) to roughly 10 MB
LimitRequestBody 10240000

# protect wp-config.php
# If you followed step 6 this is not necessary.
<files wp-config.php>
order allow,deny
deny from all
</files>

Password protecting with .htaccess

Rename the database prefix pre-installation only!

This is for PRE-INSTALL ONLY. We cover doing this on a live site in the advanced guide, as doing it wrong will kill your site. If you’re starting with a fresh new install, you have an option on the install screen to change the database prefix. All default WordPress installs use the database prefix “wp_”, which makes any exploiter’s job much easier, so change this prefix to something unique.

(Really? I don’t think Fantastico offers this; there is a manual explanation below.)

Hide version info

Hiding the WP version info is a small step that makes your site a less obvious target for bots crawling for known-vulnerable versions; it does not prevent fingerprinting, but every little bit helps. In your theme’s functions.php add the following:

// remove version info from head and feeds
function complete_version_removal() {
    return '';
}
add_filter('the_generator', 'complete_version_removal');

Don’t allow search bots to browse your directories

Google search can crawl unwanted URLs and expose them to hackers. It’s best to prevent Googlebot, and any other bots that follow robots.txt (not all of them do), from indexing anything but your content. The robots.txt goes in your site’s root folder and is just a text file.

User-agent: *
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-
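As an added check, not part of the original post, the following Python script parses the robots.txt above with the standard library’s robotparser and reports which paths a rule-abiding crawler may fetch. The hostname example.org is a placeholder and the file content is the one listed above.

```python
from urllib.robotparser import RobotFileParser

# The robots.txt from the post, embedded here so the check runs offline.
ROBOTS_TXT = """\
User-agent: *
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-
"""

SITE = "http://example.org"  # placeholder hostname, only used to build full URLs


def build_parser(text=ROBOTS_TXT):
    """Parse robots.txt text without fetching anything over the network."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def allowed(path, user_agent="*", text=ROBOTS_TXT):
    """True if a crawler that honours robots.txt may fetch SITE + path."""
    return build_parser(text).can_fetch(user_agent, SITE + path)


def crawlable(paths, text=ROBOTS_TXT):
    """Map each path to whether the rules leave it open to indexing."""
    return {p: allowed(p, text=text) for p in paths}


if __name__ == "__main__":
    sample = ["/", "/2012/05/28/secure-wordpress/", "/wp-admin/",
              "/wp-login.php", "/wp-content/uploads/2012/05/photo.jpg",
              "/xmlrpc.php"]
    for path, ok in crawlable(sample).items():
        print(f"{'allow' if ok else 'block':5} {path}")
```

Two things the run makes visible: the single rule Disallow: /wp- already covers wp-admin/, wp-content/, wp-includes/ and wp-login.php because robots.txt matches on path prefixes, and Disallow: /wp-content/ also keeps your uploaded images out of image search. Remember that robots.txt is advisory and publicly readable, so it only steers well-behaved crawlers; the .htaccess rules above are what actually deny access.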

Disable user registration.

Yes, you can disable user registration in the Admin, so if you’re running a small blog or CMS and don’t have multiple people sharing it, go ahead and disable user registration completely under your General settings.

Delete the readme and any unnecessary files.

WordPress ships with a default readme.html, and many plugins and themes also come with one. It’s best to just delete them, as they can be used for fingerprinting or general snooping and often contain version info. Also keep your folders clean of any junk files.

– add the XML sitemap to the root robots.txt once done
– page navigation: http://codex.wordpress.org/Template_Tags/wp_list_pages, for which the Sitemap plugin is handy, but this only concerns Pages and not Posts.
– more advanced security: http://wpsecure.net/secure-wordpress-advanced/ (danger of disabling the site)

Change the database prefix on a live site

As mentioned in the basic guide, WordPress installs with a default database prefix (“wp_”) which can be used by bots and attackers to gain access to your database by easily guessing your table names. Changing the prefix on a live site can be a scary task, so proceed with caution. There are many methods to do this and even some plugins; it is advisable to do some research and testing beforehand. Below I have outlined the steps for a manual change where you download the dump and change the text with a text editor as a “safe method”; alternatively you can do this directly in MySQL.

1. Make a complete database dump through MySQL ( not through the WordPress admin).
2. Copy the dump into 2 files, one back-up that you don’t touch, and 1 for editing.
3. Use a solid text editor to find/replace all instances of “wp_” with your new prefix on the dump you want to edit.
4. De-activate your plugins.
5. Turn on maintenance mode at an hour when traffic is low.
6. Drop your old database and import your edited one with the new prefix.
7. Change your database settings in wp-config.php to the new prefix.
8. Re-activate your plugins.
9. Refresh your permalink structure by hitting Save (even without changing the structure).
10. Cross your fingers.

The exact steps I follow for the above are written out here:

Synopsis Written Out

For an easy initial set up you can use Fantastico. If your server does not offer that then refer to… How to Install WordPress (if setting up manually yourself, make sure to choose a different username and password than the standard ones suggested by WP for the account that connects to your MySQL database). Make sure that your administrator nickname is not the same as your username for the Admin area, and choose a complex password with lower- and upper-case letters mixed with numbers. Write this down somewhere for your own records.

Once done first thing is to change your table prefixes, to protect yourself from hackers:

1. Back up your WordPress database to a .sql file (you can use phpMyAdmin)

– when you click on your database in the list on the left, then click on the Export tab
– not zipped seems to work better; make sure all the tables are selected

2. Open that .sql file (make another copy first) in a text editor, then find and replace every “wp_” prefix with “something_”.

– change .sql to .txt so that you can open it in, for example, Notepad or Word. If you cannot see your file extensions (.sql, .doc etc.) refer here to how to view filename extensions
– make sure that the “something” is rather strange, with numbers, to make it hard for hackers to guess, such as jkor7JK3_ (a mix of capital and small letters with numbers is good)

3. Now drop all tables of your WordPress database (don’t drop the database)

– in phpMyAdmin click on your database, which should show the Structure tab; at the bottom click on Check All and under “With Selected” to the right choose Drop. Confirm yes.

4. Import the edited .sql file into your WordPress database.

– click on the Import tab to import your changed .sql file (after you change the .txt back to .sql)

5. Lastly, edit your wp-config.php file and change $table_prefix = 'wp_'; to $table_prefix = 'something_';

– the file wp-config.php is found in the root directory of where you just installed your WordPress. I find HTML Kit a good free software for editing php files.
– for ftp down/uploading files from your server I like to use Total Commander. Download the file to your computer, change it, upload it.

6. You may find that your plugins are deactivated automatically when this happens, so you’ll want to activate them again if that’s the case… I’d recommend deactivating them prior to doing this anyway as a precaution.

– When working in WP (WordPress) I like to have two tabs or browsers, one of the Admin and one for what it looks like to the world. Whenever I make a change I jump to the world view one and refresh the browser (F5) to see what the change looks like.
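Both prefix-change walkthroughs above (the ten-step outline and the phpMyAdmin version) rely on a global find/replace of “wp_” in the dump. The following Python script is an added example, not from the original post, that does the replacement more carefully: it renames table names only where they follow a SQL statement keyword, renames the role/capability keys that WordPress stores as row values under the prefix, and reports any other quoted 'wp_…' values for manual review instead of blindly replacing them. It assumes a mysqldump/phpMyAdmin-style dump with backtick-quoted table names; the sample dump and the jkor7JK3_ prefix are constructed.

```python
import re

OLD_PREFIX = "wp_"

# Option and usermeta keys that WordPress builds from the table prefix. They are
# stored as row values, so renaming the tables alone leaves every account
# without a role and locks the administrator out.
PREFIXED_KEYS = ("user_roles", "capabilities", "user_level")

# Statement heads that mysqldump/phpMyAdmin put directly before a table name.
STATEMENTS = ("DROP TABLE IF EXISTS", "CREATE TABLE IF NOT EXISTS", "CREATE TABLE",
              "LOCK TABLES", "INSERT INTO", "ALTER TABLE")


def rewrite_dump(dump, new_prefix, old_prefix=OLD_PREFIX):
    """Return (rewritten_dump, leftovers).

    Table names are renamed only where they follow a statement keyword, and the
    prefixed option/meta keys are renamed only as whole quoted values, so post
    text that merely mentions "wp_" is left alone. leftovers lists any other
    quoted 'wp_...' values (typically plugin settings) for manual review.
    """
    if not re.fullmatch(r"[A-Za-z0-9]+_", new_prefix):
        raise ValueError("prefix must be letters/digits ending in '_', e.g. jkor7JK3_")
    head = re.compile(r"\b(" + "|".join(STATEMENTS) + r") `" + re.escape(old_prefix))
    out = head.sub(lambda m: f"{m.group(1)} `{new_prefix}", dump)
    for key in PREFIXED_KEYS:
        out = out.replace(f"'{old_prefix}{key}'", f"'{new_prefix}{key}'")
    leftovers = sorted(set(re.findall(r"'" + re.escape(old_prefix) + r"[\w-]*'", out)))
    return out, leftovers


# Constructed sample dump (abridged; not a real export). It contains the two
# traps a naive replace runs into: a plugin option named after the prefix and
# post text that mentions "wp_" and must stay as it is.
SAMPLE_DUMP = r"""
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE `wp_options` (`option_id` bigint(20) NOT NULL AUTO_INCREMENT, `option_name` varchar(64), `option_value` longtext, `autoload` varchar(20), PRIMARY KEY (`option_id`));
LOCK TABLES `wp_options` WRITE;
INSERT INTO `wp_options` VALUES (1,'siteurl','http://example.org','yes'),(2,'wp_user_roles','a:5:{s:13:\"administrator\";a:2:{}}','yes'),(3,'wp_custom_plugin_setting','x','yes');
UNLOCK TABLES;
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(2,1,'wp_user_level','10');
INSERT INTO `wp_posts` VALUES (1,'Why you should change the wp_ prefix','Read about wp_ prefixes here.');
"""

if __name__ == "__main__":
    new_dump, leftovers = rewrite_dump(SAMPLE_DUMP, "jkor7JK3_")
    print(new_dump)
    print("review these by hand before importing:", leftovers)
```

Run it on the copy you intend to import, keep the untouched backup, and go through the leftovers list by hand before importing. The user_roles option and the capabilities/user_level usermeta keys are named after the prefix, which is why step 5 alone (changing $table_prefix) is not enough and why a table-only rename in MySQL leaves you with no administrator.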

Now, before you get all excited, let’s first better secure your WP against hackers.

  • Disable directory browsing; otherwise attackers can list what you have on your site (files etc.). Just write this to your .htaccess file. (You can create an .htaccess file simply by creating a plain text file (New menu in an empty space in Windows File Explorer or My Computer) and renaming it to .htaccess. Open it in Notepad or whatever, add the text, and save. You then upload these files to your online folders; each .htaccess file applies to the folder it is in.)
Options All -Indexes
  • Also write this to your robots.txt file to prevent bots from indexing your sub-folders’ contents (the robots.txt file is always in the root directory of your online account, where it instructs the search engines where to go or not to go. Replace “wp-” with whatever the folder name is for your WP.)
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-*
  • Protect your wp-config.php file. It contains all your database login information, so it should be protected well; this code will prevent anyone from looking at it. Write it to your .htaccess file:
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Or you can just move it: WordPress also looks for wp-config.php one directory above its own root, which makes the file harder to find or access. So you can change the location of your wp-config.php file from

/public_html/wordpress/wp-config.php

To

/public_html/wp-config.php

Alternatively, you can try the plugin Better WP Security but it said I did not have sufficient authorization to do all this (and it does much more).

To protect your config file further, since it has your passwords and everything in it, chmod it to 400, which makes it readable only by the owner and by no one from the outside. To change the chmod in Total Commander, click on the online version of the file, click Files > Change Attributes, then type in 400 and press Enter. It may change to something else, but the important thing is that the World cannot see or change it.

Now in the config file you want to change the secret keys to something really random. Use this website [https://api.wordpress.org/secret-key/1.1/] and copy/paste what it randomly generates for you into your config file, if your installation has not already changed the keys to something wacko. Just Ctrl+F search for

define('AUTH_KEY'

to find where this section begins.
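The checks in this part of the guide (wp-config.php not world-readable, a non-default table prefix, secret keys that are no longer the sample placeholder, and no readme.html lying around) are easy to get wrong by hand across several sites, so here is an added Python audit script, not from the original post, that runs them against a WordPress root directory. The script, its finding messages and the build_demo_site fixture are all constructed for this example; the only real value it relies on is the placeholder string “put your unique phrase here” that wp-config-sample.php ships with.

```python
import pathlib
import re
import stat
import tempfile

PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def audit(root):
    """Return a list of findings for a WordPress root; an empty list means all checks passed."""
    root = pathlib.Path(root)
    findings = []
    cfg = root / "wp-config.php"
    if not cfg.is_file():
        return ["wp-config.php not found"]

    # File mode: the post recommends 400 (or 750 on a shared server). Either way
    # the "world" bits must be clear, or any other account on the host can read
    # the database password.
    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & 0o007:
        findings.append(f"wp-config.php is world-accessible (mode {mode:o}); chmod 400")

    text = cfg.read_text(encoding="utf-8")

    # Table prefix: the default wp_ makes every table name trivially guessable.
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix is missing or is the default wp_")

    # Secret keys and salts: each must be defined and not the sample placeholder.
    for key in SECRET_KEYS:
        km = re.search(r"define\(\s*'" + key + r"'\s*,\s*'(.*?)'\s*\)", text)
        if km is None or km.group(1) == PLACEHOLDER:
            findings.append(f"{key} is missing or still '{PLACEHOLDER}'")

    # readme.html at the root and readme files shipped with plugins/themes leak
    # version information; the post says to delete them.
    candidates = [root / "readme.html"]
    candidates += sorted((root / "wp-content").glob("*/*/readme.*"))
    for path in candidates:
        if path.is_file():
            findings.append(f"{path.relative_to(root).as_posix()} present; delete it")
    return findings


def build_demo_site(prefix="wp_", mode=0o644, real_keys=False):
    """Constructed fixture: a throwaway directory that looks like a WordPress root."""
    root = pathlib.Path(tempfile.mkdtemp())
    phrase = "4f7rb!Zq^c2W" if real_keys else PLACEHOLDER  # constructed sample key
    lines = ["<?php", f"$table_prefix = '{prefix}';"]
    lines += [f"define('{k}', '{phrase}');" for k in SECRET_KEYS]
    cfg = root / "wp-config.php"
    cfg.write_text("\n".join(lines) + "\n", encoding="utf-8")
    cfg.chmod(mode)
    (root / "readme.html").write_text("<html>WordPress readme</html>", encoding="utf-8")
    plugin = root / "wp-content" / "plugins" / "some-plugin"
    plugin.mkdir(parents=True)
    (plugin / "readme.txt").write_text("=== Some Plugin ===\n", encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in audit(build_demo_site()):
        print(finding)
```

Point audit() at the real document root instead of the fixture and every finding maps back to one of the steps above. The mode check only looks at the world bits, so both the 400 the post recommends and the 750 it mentions for shared servers pass, while the 644 most FTP clients upload with is flagged.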

– After activating my plugins, I update them before messing around with them (you can bulk Activate and then bulk Update).

– For the plugin Better WP Security, requiring “secure connection for logins or for the admin area” might slow down things for you, but it will be better. Your choice. The rest fix as per your choice (“Non-administrators can see all updates” might not be so important if you do not allow others to register: Settings > General > “Anyone can register” is not checked, the default).

– Akismet: you need to register for a key, but you can use the same key with all your sites. It cuts out a lot of spam comments, which can be a headache, but occasional legitimate comments can be good because they keep your page fresh and changing, which Google likes.

– update Plugins whenever you see the message to do so. You can update many at once.

Themes

Once you have your WP installed and secured, and your plugins installed and set up, you can start to pretty things up with a different theme (WP’s many free ones, or you can search the web for many more) if you are not happy with the default. I mostly use the same one (example – although this site uses a different theme), since it is simple and does basically what I want. The left and right sides are strips which you can set and which appear the same way on every page or post. Press F5 to refresh the browser and it will cycle through the pictures in the /wp-content/themes/atahualpa/images/header/ folder. You can replace the rotating pictures in the header with whatever you want, such as the ones I’ve collected (example link above); just make sure they are sized the same for it to work properly (How to resize digital pictures).

There is an update for this Atahualpa 3.2 theme but I prefer this older version. Don’t worry, if you have secured your WP using all the plugins above, you will not need to update your theme for security measures. The header images are found in wp-content/themes/atahualpa/images/header, unless you changed the name of wp-content as per one of the Better WP Security plugin’s options.

For my own tastes I made the following changes to the theme, which you can access by going to Appearance > Atahualpa Theme Options (once you’ve Installed and Activated it – to install it just click on the Install tab when in Appearance > Themes and put Atahualpa in the search box):

Under Body, Text and Links:

– Link Default Colour: 63A8E6
– Favicon is the image that will show in the tab of most browsers, when viewing any page of yours. Follow instructions on this resize digital pictures page and save any image you want as .ico but first resize it (ctrl r) to 20 by 20 pixels.

Style&Edit Header Area: Configure Head Area: %logo %bar1 %image %bar2

RSS Settings: RSS Box Width: 400

– Show Post Feed Icon: No
– Post Feed Link Text: <blank>
– Comment Feed Link Text: Press F5 to Refresh page and view more pics

Style Widgets > Widget List Items:

– Link Text Weight: bold
– Link Color: 63A8E6
– Link Color – Hover: CC0000

In the atahualpa/images/ folder you can then replace logo.png with whatever image you want to replace the logo pic at the top left. Make sure the height is 68 when resizing.

Of course you can play around with this forever but at least you’ve seen how a few things work and you can customize the rest yourself. I put the above information here so I have a record somewhere.

– for Categories look under Posts.

Widgets

That concerns the left and right hand strips on the side of the window, which show up the same on every page. You can start playing with this once you choose your theme. If you change themes later you will probably lose a lot of what you set up here. Go to Appearance > Widgets, click on the down arrow beside the Left or Right Sidebar along the right to open it up, and simply drag the widgets you want where you want them. For my Links section at the top left, I dragged in the Text widget, gave it a title of “Links:” and then copied in standard HTML link code, such as:

<br>
<a href="http://001yourtranslationservice.com/contact.php" target="_blank">Contact</a><br>
<a href="http://africa-charity-project.org/">Africa Charity Project</a><br>

“<br>” means new line in html speak. Just replace the links and the text with what you want.

Security Plugins

After setting it up properly you can increase security by installing the following plugins. In the Install New Plugin window you can run a search for the name of the plugin, take a mental note of its author, then look for that author in the search results. Usually it should be the first result.

The list below (copied from my Plugins screen) includes all my favourite plugins.

– Add Post Footer (v1.1, by freetime): Automatically adds the ad code, related posts, an optional custom paragraph or Technorati tags to the end of every post. All options can be fully customized through the Add Post Footer tab in the option panel within the WordPress admin. It is also possible to override the setting for a specific post by adding a custom field key and value. Please refer to the tips and additional info provided at the Add Post Footer page.
– AddThis Social Bookmarking Widget (v2.3.2, by The AddThis Team): Help your visitors promote your site! Allows any visitor to bookmark your site easily with many popular services. Sign up for an AddThis.com account to see how your visitors are sharing your content, which services they’re using for sharing, which content is shared the most, and more. It’s all free, even the pretty charts and graphs.
– Akismet (v2.5.6, by Automattic): Used by millions, Akismet is quite possibly the best way in the world to protect your blog from comment and trackback spam. It keeps your site protected from spam even while you sleep. To get started: 1) activate it, 2) sign up for an Akismet API key, and 3) go to your Akismet configuration page and save your API key.
– All in One SEO Pack (v1.6.14.3, by Michael Torbert): Out-of-the-box SEO for your WordPress blog.
– AntiVirus (v1.3, by Sergej Müller): Security solution as a smart, effective plugin to protect your blog against exploits and spam injections.
– Block Bad Queries (BBQ) (v1.0, by Perishable Press).
– Contextual Related Posts (v1.7.4, by Ajay D’Souza): Displays a set of related posts on your website or in your feed. Increases reader retention and reduces bounce rates.
– Custom Headers and Footers (v1.2, by Daniel Frużyński): Adds a custom header and footer for main page content.
– Google XML Sitemaps (v3.2.7, by Arne Brachhold): Generates a special XML sitemap which will help search engines like Google, Yahoo, Bing and Ask.com to better index your blog.
– Login LockDown (v1.5, by Michael VanDeMar): Adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. Distributed through Bad Neighborhood.
– RSS Feeds Disabler (v1.0, by ppiekarc): Disables RSS feeds from a WordPress installation.
– SEO Smart Links (v2.7.4, by Vladimir Prelovac): Provides automatic SEO benefits for your site in addition to custom keyword lists, nofollow and much more.
– WordPress Firewall 2 (v1.3, by Matthew Pavkov): Monitors web requests to identify and stop the most obvious attacks.
– WP-PageNavi (v2.82, by Lester ‘GaMerZ’ Chan & scribu): Adds a more advanced paging navigation to your WordPress blog.
– WP-Polls (v2.63, by Lester ‘GaMerZ’ Chan): Adds an AJAX poll system to your WordPress blog. You can easily include a poll in a blog post or page. WP-Polls is extremely customizable via templates and CSS styles and there are tons of options to ensure that it runs the way you want. It now supports multiple selection of answers.
– WP-PostRatings (v1.63, by Lester ‘GaMerZ’ Chan): Adds an AJAX rating system for your WordPress blog’s posts/pages.
– WP-PostViews (v1.61, by Lester ‘GaMerZ’ Chan): Enables you to display how many times a post/page has been viewed. Modified by David Potter to include options for when and where to display view counts.

Protect your Computer and Windows
More on my Computer Tips pages.

One Response to “How to Set up and Properly Secure WordPress”

  1. kenax says:

    Coding is required, php and knowledge of MySQL if you want to custom hack a template, otherwise everything is easy like navigating through a hotmail account.
