WordPress Security

Not to long ago I watched some Lynda tutorials and read up on WP security. Basically as with many things on this blog I am posting this information here as a reference that I can use in the future.

Backing up

Plugin – BackWPUp
Description – Back up both files and db to any number of locations. Cron controlled for automatic backups.

Random Passwords

The best password is a completely random generated one. Use a website or tool to automatically generate passwords. I like http://onlinepasswordgenerator.com/

Keep an eye out as I’ve noticed that many of them are hilariously crude despite their random nature. Might be awkward giving some to clients.

wpconfig.php Restrictions

Restrict access to wpconfig.php using .htaccess. Simply add under your existing rules,

<Files wp-config.php>
Order Allow, Deny
Deny from all

Also ensure you’ve limited your file permissions to 640 or 644.

 Set Secret Keys in wp-config.php

Don’t forget when you are initially setting up your site to set the secret keys located in your wp-config.php. WordPress provides a generator such as https://api.wordpress.org/secret-key/1.1/salt, but check your config as it will have the most current address.

Database Prefix

Don’t use the default database prefix. Essentially should someone access your db using code injection, it is much more difficult for them to be malicious if db tables don’t have regular names.

Admin Login

In the more recent versions of WordPress you have been given the option of choosing your admin user name. Don’t use ‘admin’! It’s basically giving attackers a head start on accessing your website. Not only do they know one username, but they know the most powerful users username.

Directory Views

By default many hosting companies and Apache installs come with directory list disabled, but always ensure this is true. Should you find that you can list directories with no index.php/html or main.php/html then you can block this in the .htaccess. Simple add the following,

#Add to top of .htaccess
Options -Indexes 

Removing Version Numbers

Another leg up you can give attackers is letting them know what version of WP you are running. If your client is hesitant or unwilling to upgrade their WP version they are putting themselves at risk. The older the version, the more likely someone has identified a security issue at some point. A good idea is to remove all notification to visitors of the sites version. By default your WordPress theme will print something in the header to the tune of ,

<meta name="generator" content="WordPress 3.2.1" />

You can easily remove this by adding the following PHP to your functions.php.

// remove version number from head & feed
function disable_version() {
	return '';
add_filter('the_generator', 'disable_version');
remove_action('wp_head', 'wp_generator');

Secure the Login Page

A weak point of WordPress is that the admin login page essentially allows for unlimited attempts. This makes it very easy for a bot to sit for as long as it likes trying to access your account. Install the Login Lock plugin.

This plugin allows you to limit login attempts, block IP’s, force password updates at intervals, force strong password selection policies and force global password reset should you ever need to.

Detect Malicious Code

Finally there is an amazing plugin called Exploit Scanner. This allows you to scan all the files in your WP install and look for malicious code that may have been injected and remove it.

That’s it for now. I’ll try and update this as I learn more or find better plugins. Good luck.