With around 32.3% of the world's websites powered by it, and Pipe Ten customers using WordPress Hosting more and more each day, we've put together this post about securing WordPress and keeping your blog safe.
In no particular order:
- Avoid vulnerabilities on your computer
- Update, Update and Update
- Secure wp-admin and other directories
- Do not use default user account
- Hide WordPress version number
- Use strong passwords
- Read/Write permissions and wp-config
- Change default secret keys
- Check if install.php file is accessible via HTTP
- Check for display of unnecessary information on failed logins
Top Tips!
1. Avoid vulnerabilities on your computer
Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.
Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.
2. Update, Update and Update
In order to protect your blog from getting hacked it is important to run the latest versions of WordPress core, plugins and themes. Most successful attacks on WordPress sites go through known, already-patched vulnerabilities in out-of-date components. WordPress will tell you in the dashboard when it or the plugins are out of date, so there's no excuse for them not to be! Since WordPress 3.7, minor core releases (security and maintenance updates) install automatically by default; major releases, plugins and themes still need you to apply them unless you opt in to automatic updates for them.
3. Secure wp-admin and other directories
Place a blank "index.html" file in the "wp-includes" directory and its sub-directories so that a request for the directory itself cannot produce a file listing. This applies on both Windows and Linux hosting.
Place the code below at the top of your .htaccess file in your web root (if on Linux hosting). It returns 403 Forbidden for direct requests to the include-only PHP files, which are never meant to be called on their own.
Example .htaccess
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is meant to be requested directly.
RewriteRule ^wp-admin/includes/ - [F,L]
# For requests that are not under wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Forbid PHP files directly inside wp-includes/ ...
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# ... and the TinyMCE language files and theme-compat shims.
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
Two things to check after adding it: the block must sit above the "# BEGIN WordPress" section so WordPress does not overwrite it when it rewrites its own rules, and on a Multisite install the rule that forbids wp-includes/*.php also blocks wp-includes/ms-files.php, which serves uploaded media, so leave that rule out there.
Also disable "index listings" (directory listings) in your control panel. Once changed, don't forget to click Apply; the change can take around 5 minutes to take effect.
4. Do not use default user account
By default WordPress created the first user registered as "admin", and every attacker knows it, so password-guessing attempts against that name need no reconnaissance at all. To avoid an easy-to-guess administrator account name, create a new user with a name that is hard to guess, mixing letters and numbers, and don't forget to give it Administrator privileges. Then log in as the new user and delete the old "admin" account, choosing to attribute its posts to the new user when WordPress asks. Recent WordPress versions let you pick the administrator name during installation, so use that rather than accepting "admin".
5. Hide WordPress version number
Revealing the WordPress version is dangerous: exploits are readily available for outdated versions of WordPress, and the version string lets an attacker pick the right one without guessing. We don't want to make this easy for them. By default the version appears in a <meta name="generator"> tag in every page's HTML, in the <generator> element of your RSS and Atom feeds, and in the ?ver= query string on core scripts and styles; you can remove the generator tag with a plugin.
Hiding the version number is fine, but consider leaving the "Powered by WordPress" link somewhere. We did! See the bottom right of this page. Bear in mind that hiding the version is defence in depth, not a substitute for updating: a determined attacker can still fingerprint the version from readme.html or from the contents of core JavaScript and CSS files.
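The following is an added example, not code from the original post or from Pipe Ten, showing how to strip the version from all three places mentioned above with a few lines in your theme's functions.php (or, better, a small site-specific plugin) instead of installing a plugin for it. The function name is made up for this example.

```php
// Added example (not from the original post). Paste into functions.php
// or a site-specific plugin; no opening <?php tag is needed there.

// 1. The <meta name="generator"> tag in <head> and the <generator>
//    element in RSS/Atom feeds are both produced through the
//    'the_generator' filter, so one empty-string filter covers them all.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Core appends ?ver=<WordPress version> to its own scripts and styles.
//    Strip that parameter only when it equals the running core version, so
//    plugin and theme assets keep their own ver= cache-busting values.
function pipeten_example_strip_core_version( $src ) {
    $parsed = wp_parse_url( $src );
    if ( empty( $parsed['query'] ) ) {
        return $src;
    }
    parse_str( $parsed['query'], $params );
    if ( isset( $params['ver'] ) && $params['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'pipeten_example_strip_core_version', 999 );
add_filter( 'script_loader_src', 'pipeten_example_strip_core_version', 999 );
```

The trade-off of step 2 is that core assets lose their cache-busting parameter, so after a core update purge any page or CDN cache you use, otherwise visitors may keep running the old JavaScript against the new PHP.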
6. Use strong passwords
This advice isn't just for WordPress, but it belongs here anyway. ALWAYS use strong passwords that mix upper- and lower-case letters, numbers and symbols, and never reuse a password from another site. We recommend https://www.pipeten.com/password to generate ultra-secure ones automatically, but remember to keep them stored in a safe place such as a password manager. Not on your desktop as a passwords-for-websites.txt file.
7. Read/Write permissions and wp-config
Make sure your wp-config.php file has restrictive permissions, either 400 or 440: it contains your database credentials and secret keys, and you don't want it to be readable by anything other than the web server process that runs your site. Note that 400/440 only works when PHP runs as the file's owner (or group), which is the case under FastCGI or suPHP; under a mod_php setup where PHP runs as the shared web server user, the file has to stay readable by that user, so check which mode your site uses before tightening it.
If you are using Linux hosting, turning on FastCGI is advised as this changes the user that the site runs as to your own account user. This means you should not need to set file permissions to 777 (world-writable), which is a security risk because any other process on the server, including another customer's compromised site, could then modify your files. To do this click on your domain name in your control panel, then click the 'Edit' icon next to 'Web Service'. Next set 'PHP' to Off and then turn On 'PHP Advanced'. Then click 'Add' in the PHP mode and select PHP 5 FastCGI. When done, the settings should show 'PHP Advanced' enabled with FastCGI selected.
8. Change default secret keys
Change the following code within your wp-config.php using the secret key generator below.
define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');
Visit https://api.wordpress.org/secret-key/1.1 and replace your code with the generated one. The generator returns eight constants: the four keys above plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT. Replace all of them. Easy, but vital: these values are what WordPress uses to sign the authentication cookies and nonces it issues, so if they are left blank or at a known default, an attacker who learns a username can forge a logged-in session without ever knowing the password. (They are not used to hash passwords; WordPress adds its own per-password salt for that.) Changing them invalidates every existing session, so everyone, including you, will need to log in again.
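If you would rather not fetch secrets from a remote service, the following added example (not from the original post or from WordPress itself) generates all eight constants locally from PHP's cryptographic random number generator and prints them in wp-config.php form. The file name, function names and the exact printable alphabet are choices made for this example.

```php
<?php
// Added example (not from the original post). Run with:  php gen-salts.php
// and paste the output into wp-config.php in place of the existing defines.

const WP_SALT_CONSTANTS = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

/**
 * Build one 64-character value using random_int(), which is CSPRNG-backed.
 * The alphabet deliberately leaves out the single quote and the backslash
 * so the value can be placed in a single-quoted PHP string unescaped.
 */
function generate_wp_salt( int $length = 64 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_[]{}<>~`+=,.;:/?|';
    $max  = strlen( $alphabet ) - 1;
    $salt = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $salt .= $alphabet[ random_int( 0, $max ) ];
    }
    return $salt;
}

/** Return the eight define() lines, each with a fresh independent value. */
function generate_wp_config_salts(): string {
    $lines = array();
    foreach ( WP_SALT_CONSTANTS as $name ) {
        $lines[] = sprintf( "define('%s', '%s');", $name, generate_wp_salt() );
    }
    return implode( "\n", $lines ) . "\n";
}

if ( PHP_SAPI === 'cli' ) {
    echo generate_wp_config_salts();
}
```

Each of the eight values is generated separately; 64 characters from a 90-symbol alphabet gives well over 400 bits of entropy per value, which is far more than the HMAC that consumes it can use. Run it on your own machine, not on the web server, and do not commit wp-config.php to version control afterwards.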
9. Check if install.php file is accessible via HTTP
There have already been a couple of security issues involving the "install.php" file. Once you have installed WordPress this file is useless, and there is no reason to leave it in its default location where it can be requested over HTTP.
This is a very easy problem to solve. Either rename "install.php" (you'll find it in the wp-admin folder) to something unique such as "install-random-number.php", delete it, or move it to a location outside the web root so it is not accessible via HTTP. Note that a WordPress core update rewrites the wp-admin folder and will put install.php back, so repeat this check after every core update.
10. Check for display of unnecessary information on failed logins
By default, on a failed login attempt WordPress tells you whether the username or the password was wrong. An attacker can use that to find out which usernames are active on your system, then concentrate a brute-force attack on the passwords of those accounts only.
The solution is simple. Whether the user enters a wrong username or a wrong password, we always reply "Wrong username or password", so they cannot tell which of the two was incorrect. Open your theme's "functions.php" file and copy/paste the following code:
// Replace every login error message with one generic message so that a
// failed login no longer confirms whether the username exists.
function wrong_login() {
    return 'Wrong username or password.';
}
add_filter( 'login_errors', 'wrong_login' );
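The filter above only closes the login form. WordPress confirms usernames in two other places as well: a request for /?author=1 is redirected to /author/<login>/, and the REST API lists users at /wp-json/wp/v2/users. The following added example (not from the original post) closes both of those routes too; it assumes your site does not need public author archives for anonymous visitors or an anonymous users endpoint, and the priority value on the first hook is chosen so the check runs before WordPress's own canonical redirect.

```php
// Added example (not from the original post). Paste into functions.php
// or a site-specific plugin alongside the login_errors filter.

// 1. Refuse the ?author=<id> probe from visitors who are not logged in.
//    Priority 1 runs this before redirect_canonical() (priority 10), which
//    would otherwise leak the login name in the Location header.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return;
    }
    if ( is_author() && isset( $_GET['author'] ) && ctype_digit( (string) $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 2. Remove the user listing and single-user REST routes for anonymous
//    requests. Logged-in users (the block editor needs these) are unaffected.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );
```

After adding it, test from a logged-out browser: /?author=1 should land on the home page without an intermediate redirect to an author URL, and /wp-json/wp/v2/users should return a 404 "No route" response rather than a user list.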
We’ve tried to cover most things in this post regarding security that every user should be able to do, although we may of missed some tips & tricks (that aren’t specific to a particular template script or plugin).
Classification: Public
Last saved: 2021/07/06 at 15:48 by Jamie