WordPress security

The Role of WordPress Hosting:

  1. They continuously monitor their network for suspicious activity.
  2. All good hosting companies have tools in place to prevent large-scale DDoS attacks (*).
  3. They keep their server software, PHP versions, and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.
  4. They have ready-to-deploy disaster recovery and accident plans, which allow them to protect your data in case of a major accident.

(*) DDoS attack: a method where cybercriminals flood a network with so much traffic that it …

Initial actions:

  • Keep WordPress updated.
  • Change the default “admin” username.
  • Strong passwords and user permissions: not just for the WordPress admin area, but also for FTP accounts, the database, the WordPress hosting account, and any custom email addresses that use your site’s domain name.

Secondary actions:

  • Install a WordPress backup solution: backups allow you to quickly restore your WordPress site in case something bad happens.
  • Install a WordPress security plugin: an auditing and monitoring system that keeps track of everything that happens on your website.
  • Enable a Web Application Firewall (WAF): a website firewall blocks malicious traffic before it even reaches your website.
      o DNS-level website firewall: these firewalls route your website traffic through their cloud proxy servers, so that only genuine traffic is sent on to your web server.
      o Application-level firewall: these firewall plugins examine the traffic once it reaches your server but before most WordPress scripts are loaded. This method is not as efficient as the DNS-level firewall at reducing server load.
  • Move your WordPress site to SSL/HTTPS: SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users’ browsers. This encryption makes it harder for someone to sniff around and steal information.
  • Disallow file edit: you can easily do this by adding the following line to your wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );

  • Limit login attempts: by default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute-force attacks, in which hackers try to crack passwords by attempting to log in with different combinations.
  • What is a brute-force attack? This is an old attack method, but it is still effective and popular with hackers, because depending on the length and complexity of the password, cracking it can take anywhere from a few seconds to many years.
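As an added illustration of the brute-force problem described above (example code, not from the original article): a small Python detector that counts failed wp-login.php POSTs per source IP over access-log lines, which are constructed here. It assumes Apache's combined log format and that a failed WordPress login returns HTTP 200 while a successful one redirects with 302.

```python
"""Flag IPs that hammer wp-login.php: brute-force detection over access logs.

Added example, not from the original article. Counts failed login POSTs per
source IP in a sliding window. WordPress re-renders the form with HTTP 200 on a
failed login and redirects (302) on success, so only 200s count. Sample log
lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_bruteforce_sources(lines, threshold=5, window=60):
    """Return {ip: peak_count} for IPs exceeding `threshold` failed logins in `window` s."""
    recent = defaultdict(deque)  # ip -> timestamps of failed login POSTs still in window
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["time"], TIME_FMT).timestamp()
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample: 203.0.113.9 fails 7 logins in 18 seconds, 198.51.100.4
# logs in successfully once, 192.0.2.77 only fetches the form.
SAMPLE_LOG = [
    f'203.0.113.9 - - [10/Mar/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3100 "-" "curl/8.0"'
    for s in range(0, 21, 3)
] + [
    '198.51.100.4 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Mar/2024:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 4300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.9': 7}
```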

Operational actions:

.htaccess

What is .htaccess?

The .htaccess file allows you to set server configurations for a specific directory. This could be the root directory for your website or an /images or /downloads directory. It is used on the Apache web server.


How does .htaccess work?

The .htaccess file is placed in a directory on the web server. Once there, it is read and applied by the Apache web server whenever a request is made for that directory. It is common to place a .htaccess file in a site's root directory, e.g. /public_html; this configures the web server for the entire website. It is a little less common to place .htaccess files in a sub-directory, but it is done and has some specific uses.

1. Block Bad Bots

One of the best uses of the .htaccess file is its ability to deny multiple IP addresses from accessing your site. This is useful when blocking known spammers and other origins of suspicious or malicious access. The code is:

# Block one or more IP addresses.
# Replace IP_ADDRESS_* with the IPs you want to block.
# Note: <Limit> applies only to the HTTP methods listed.
<Limit GET POST>
order allow,deny
deny from IP_ADDRESS_1
deny from IP_ADDRESS_2
allow from all
</Limit>

2. Disable Directory Browsing

This is one of the most underestimated security flaws in a WordPress site. By default, the Apache web server enables directory browsing. This means that all files and folders inside the root directory (sometimes called the home directory) of the web server can be listed and accessed by a visitor. You do not want that, because you don’t want people browsing through your media uploads or your theme or plugin files.

If at random I pick 10 personal or business websites running WordPress, 6-8 of them won’t have directory browsing disabled. This allows anyone to easily sniff around the wp-content/uploads folder or any other directory which doesn’t have a default index.php file. In fact, the screenshot you see is from one of my clients’ sites, before I recommended the fix. Code snippet to disable directory browsing:

# Disable directory browsing
Options All -Indexes


3. Allow Only Selected Files from wp-content

As you know, the wp-content folder contains most of your themes, plugins and all media uploads. You certainly don’t want people to access it without restrictions. In addition to disabling directory browsing, you can also deny access to all file types, save a few. In essence, you can selectively unblock files like JPG, PDF, DOCX, CSS, JS, etc. and deny the rest. To do this, paste this code snippet in your .htaccess file:

# Disable access to all file types except the following
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>

You must create a new .htaccess file with this code and place it in the wp-content folder.


4. Restrict All Access to wp-includes

The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress – one without any plugins or themes. Remember, the default theme still resides in the wp-content/themes directory. Thus, no visitor (including you) should require access to the contents of the wp-includes folder. You can disable access using the following code snippet:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
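To see what this rule chain actually blocks before deploying it, here is an added Python evaluator (not part of the original article or of WordPress) that replays the five rules with mod_rewrite's `!`, `-`, [F] and [S=n] semantics against sample request paths; the path `wp-includes/some-dir/helper.php` is hypothetical and the others are only illustrative.

```python
"""Evaluate the wp-includes RewriteRule chain above against request paths.

Added example, not part of the original article or of WordPress. Models the
mod_rewrite features the block relies on: `-` keeps the path unchanged, [F]
answers 403, [S=n] skips the next n rules, a leading `!` negates the pattern.
Paths are matched without a leading slash, as in a per-directory .htaccess.
"""
import re

# (pattern, negated, flags) transcribed from the .htaccess block.
RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]

def is_forbidden(path, rules=RULES):
    """Return True if walking the rule chain ends in a 403 for `path`."""
    path = path.lstrip("/")
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        i += 1
        if bool(re.search(pattern, path)) == negated:  # rule did not apply
            continue
        if flags.get("F"):
            return True
        i += flags.get("S", 0)
    return False

if __name__ == "__main__":
    # Note the gap: a PHP file in a wp-includes sub-directory other than the
    # two listed is matched by no rule and stays reachable.
    for p in ["wp-includes/version.php",              # 403
              "wp-includes/js/jquery/jquery.js",       # served, pages need it
              "wp-includes/some-dir/helper.php",       # hypothetical path: served
              "wp-includes/theme-compat/header.php",   # 403
              "index.php"]:                            # served: chain skipped
        print(f"{p:40} {'403' if is_forbidden(p) else 'served'}")
```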
        

5. Allow Only Selected IP Addresses to Access wp-admin

The wp-admin folder contains the files required to run the WordPress dashboard. In most cases, your visitors don’t need access to the WordPress dashboard, unless they want to register an account. A good security measure is to allow only a few selected IP addresses to access the wp-admin folder. You can allow the IPs of the people who need access to the WordPress dashboard – editors, contributors and other admins. This code snippet allows only fixed IPs to access the wp-admin folder and denies access to the rest of the world.

# Limit logins and admin by IP
# Replace IP_ADDRESS_* with the IPs that should keep access
<Limit GET POST PUT>
order deny,allow
deny from all
allow from IP_ADDRESS_1
allow from IP_ADDRESS_2
</Limit>

Make sure that you create a new .htaccess file and place it in the wp-admin folder, not the base installation directory. If you put it in the latter, no one except you will be able to browse your site – not even search engines! You certainly do not want that. A few drawbacks of this measure are as follows:

  • If your site allows or promotes new user registration, it would be nearly impossible to keep track of the number of users. For example, at WPExplorer, if you want to download our awesome free themes, then you have to register.
  • People with dynamic IP addresses (mostly ADSL broadband users using PPP or PPPoE protocols) have their IPs changed every time they log out of and log in to their ISP. It would certainly be impractical to keep track of all these IPs and add them to the .htaccess file.
  • Mobile broadband: whether you’re on 3G or 4G, your IP address depends on the cell tower you’re currently connected to. Say you’re travelling – your IP will be constantly changing every couple of miles you move from the origin. Again, keeping track of them for the .htaccess file is nearly impossible.
  • Public Wi-Fi hotspots: entering credentials while connected to the Internet through a public Wi-Fi hotspot is a big no-no, since someone on the same hotspot with a small piece of software can capture every character you type. Not to mention, each Wi-Fi hotspot will have a different IP address.

6. Protect wp-config.php and .htaccess from Everyone

The wp-config.php file contains the most sensitive access credentials of your WordPress site. It contains the database name and access credentials and various other critical data, amongst other settings. Under no circumstances do you want other people looking into this file. And of course, you want to disable public access to the source of all this security – the .htaccess file itself. You can disable access to wp-config.php with the following code:

# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

        

Set up browser caching

# Setup browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>


10. Custom Error Pages

You can also use the .htaccess file to configure user-friendly custom error pages for errors such as 403, 404 and 500. Once you have prepared your error page – let’s say error.html – upload it to your base WordPress installation directory. Then add the following code snippet to your .htaccess file to enable the custom error page:

# Custom error page for errors 403, 404 and 500
ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 500 /error.html

1. HTTP Error 500 (Internal Server Error)

  • The description of this error pretty much says it all. It’s a general-purpose error message for when a web server encounters some form of internal error. For example, the web server could be overloaded and therefore unable to handle requests properly.

2. HTTP Error 403 (Forbidden)

  • This error is similar to the 401 error, but note the difference between unauthorized and forbidden. In this case no login opportunity was available. This can happen, for example, if you try to access a (forbidden) directory on a website.

3. HTTP Error 404 (Not Found)

  • Most people are bound to recognize this one. A 404 error happens when you try to access a resource on a web server (usually a web page) that doesn’t exist. Some reasons for this happening can be a broken link, a mistyped URL, or that the webmaster has moved the requested page somewhere else (or deleted it). To counter the ill effect of broken links, some websites set up custom pages for them (and some of those are really cool).

4. HTTP Error 400 (Bad Request)

  • This is basically an error message from the web server telling you that the application you are using (e.g., your web browser) accessed it incorrectly or that the request was somehow corrupted on the way.

5. HTTP Error 401 (Unauthorized)

  • This error happens when a website visitor tries to access a restricted web page but isn’t authorized to do so, usually because of a failed login attempt.


wp-config.php

Change Database Prefix

Have you ever seen your WordPress database tables? (You can access them through your web host account.) By default, the database has eleven tables. Each table has a specific function, and by default they all share the prefix set in wp-config.php:

$table_prefix = 'wp_';

You need to change it to something random like:

$table_prefix = 'agora_';


Disable Editing Theme/Plugin Files

In the WordPress dashboard, there is an option to edit plugin/theme files. This means that anyone with access to the dashboard and sufficient permissions can edit your themes or plugins.

You can disable the option to edit these files by placing the following line in your WordPress config file:

define( 'DISALLOW_FILE_EDIT', true );


Prevent Users From Installing or Updating Plugins & Themes

Disabling users from editing these files only offers one level of security. It does not prevent hackers from installing a malicious plugin which they can use to exploit your site. Once they have access to the admin panel along with the right user permissions, they can install a rogue theme or plugin. If you don’t install plugins often, then you can disable the option by adding the following line to the WordPress config file:

define( 'DISALLOW_FILE_MODS', true );
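Pulling the three wp-config.php settings above together (the table prefix, DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS), here is an added Python audit script, not part of the original article or of WordPress, that reads a wp-config.php and reports which of them is still missing or at its default; the sample config it checks is constructed.

```python
"""Audit a wp-config.php for the hardening settings discussed above.

Added example, not part of the original article or of WordPress: checks that
DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are defined true and that the table
prefix is not the default wp_. The config text below is constructed.
"""
import re

# define( 'NAME', true );  tolerant of spacing, quote style and case
DEFINE_RE = re.compile(
    r"define\s*\(\s*['\"](?P<name>\w+)['\"]\s*,\s*"
    r"(?P<value>true|false|['\"][^'\"]*['\"])\s*\)",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"](?P<prefix>[^'\"]*)['\"]\s*;")

def strip_comments(src):
    """Remove /* */, // and # comments so a commented-out define is not counted."""
    # Crude on purpose: also eats '//' inside string literals such as URLs,
    # which does not affect the constants audited here.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", src)

def audit_wp_config(src):
    """Return a list of findings; an empty list means every check passed."""
    src = strip_comments(src)
    defines = {m["name"].upper(): m["value"].lower() for m in DEFINE_RE.finditer(src)}
    findings = []
    for const in ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS"):
        if defines.get(const) != "true":
            findings.append(f"{const} is not defined as true")
    m = PREFIX_RE.search(src)
    if not m:
        findings.append("$table_prefix not found")
    elif m["prefix"] == "wp_":
        findings.append("$table_prefix is the default wp_")
    return findings

# Constructed sample: default prefix, file editing disabled, DISALLOW_FILE_MODS
# only present in a comment (so it must still be reported).
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'wp_';
define('DISALLOW_FILE_EDIT', true);
// define('DISALLOW_FILE_MODS', true);
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```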


Hide the ‘wp-config.php’

In any WordPress site, the wp-config file has a default location. Hence, changing the file location can help keep it from falling into the hands of hackers. Fortunately, WordPress allows the wp-config.php file to reside outside your WordPress installation. For instance, if WordPress is installed in the public_html folder, then the config file will be present in the public_html folder by default. But you can move wp-config.php outside the public_html folder and it’ll still work.

More articles by Andisheh Abbasian

  • WordPress security with priority on database modification
  • Webpage speed Timing standards in WordPress
  • Headless CMS