How to lock down WordPress
Here are a few tips on how to secure WordPress. The subjects we are going to discuss are:
1. Security best practices.
2. Limit access to the server.
3. Hardening the WordPress core.
4. Essential security add-ons.
Security best practices
WordPress is kept secure by its open-source codebase and community: updates are constant and WP evolves quickly. Keep your site up to date.
Since WP 3.7.1, WP ships with automatic minor updates, which also saves time.
Major version updates, e.g. from 3.8 to 3.9, are manual.
When WP breaks during an update, the theme or a plug-in is often the cause (faulty code).
Work-around: switch to a standard theme and disable all plug-ins. Then update WP, and after the update re-activate each plug-in one at a time, and finally the theme.
Back up WP regularly.
Use secure usernames and passwords. Avoid default names such as admin, administrator, test, user, or the site name. Longer passwords are better than short cryptic ones.
Create a second account with the Editor role for creating and editing content. Use the admin account only for updates et cetera.
Contributor: writes own content.
Author: writes and edits own content.
Editor: writes and edits other people's content.
Administrator: full control.
Limit access to the server
Use Git when available, which is more secure than FTP.
Use SFTP when available (encrypted connection).
Never use FTP on a public network.
File permissions on WordPress:
files: 644
first digit: owner 6 read/write
second digit: group 4 read
third digit: public 4 read
folders: 755
first digit: owner 7 read/write/execute
second digit: group 5 read/execute
third digit: public 5 read/execute
Check these permissions if something is wrong with WP.
Hardening the WordPress core
Block direct web access to wp-includes and wp-config.php by placing rewrite rules in the .htaccess file. This prevents malicious code from sneaking into those files.
Disable wp-includes:
Add the rewrite rules to .htaccess after the 'order allow' line but before # BEGIN WordPress.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for any request outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Reload your site and back-end to check that everything is still working.
Modify wp-config.php:
wp-config.php is important because it holds sensitive information such as the database credentials, so block web access to this file to keep malicious code out.
Add the following code to .htaccess:
<files wp-config.php>
order allow,deny
deny from all
</files>
Reload your site and back-end to check that everything is still working. (On Apache 2.4 the Order/Deny syntax only works with mod_access_compat loaded; the native 2.4 equivalent is Require all denied.)
Recreate salts:
Also check in wp-config.php that the unique keys and salts are filled in; otherwise regenerate them.
Disable the editor:
Add to wp-config.php (above the line /* That's all):
define('DISALLOW_FILE_EDIT', true);
The Dashboard > Appearance > Editor and Dashboard > Plugins > Editor menus disappear as a result.
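As an added example (not code from the original post), a small POSIX shell audit that checks two of the points above that silently drift after updates or migrations: the 644/755 permission rule from the previous section, and whether wp-config.php has all eight unique keys and salts filled in and DISALLOW_FILE_EDIT enabled. The function names and the /path/to/wordpress argument are this example's own assumptions.

```shell
#!/bin/sh
# Added audit script (not from the original post). Two checks matching the
# advice above: files 644 / folders 755, and wp-config.php hardening.
# Function names and paths are this example's own assumptions.

# List every file not 644 and every folder not 755 under $1.
# Prints the offending paths; returns 1 if any were found, 0 if clean.
wp_perm_audit() {
    root="$1"
    bad=$( { find "$root" -type f ! -perm 644; find "$root" -type d ! -perm 755; } | sort )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Check wp-config.php ($1) for:
#  - all eight unique keys and salts defined, none left at the
#    installer placeholder "put your unique phrase here"
#  - DISALLOW_FILE_EDIT defined as true (hides the theme/plugin editor)
# Prints each finding; returns 1 on any finding, 0 if all is in place.
wp_config_audit() {
    cfg="$1"
    rc=0
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        if ! grep -Eq "define\([[:space:]]*['\"]$k['\"]" "$cfg"; then
            echo "missing: $k"; rc=1
        fi
    done
    if grep -q "put your unique phrase here" "$cfg"; then
        echo "placeholder salt(s) still present"; rc=1
    fi
    if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "missing: DISALLOW_FILE_EDIT true"; rc=1
    fi
    return $rc
}

# Usage: sh wp_audit.sh /path/to/wordpress   (exit status 1 on any finding)
if [ -n "${1:-}" ]; then
    status=0
    wp_perm_audit "$1" || status=1
    wp_config_audit "$1/wp-config.php" || status=1
    exit $status
fi
```

A stricter mode on wp-config.php itself (e.g. 640) is a deliberate choice that this audit will report; treat that line of output as expected rather than a finding.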
Essential security add-ons
Limit logins:
Use the Limit Login Attempts plugin.
Two-factor authentication:
Two different things are needed to log in: a password and e.g. a code.
Google Authenticator is one way to accomplish this. Use the Google Authenticator app on your smartphone, which generates the code.
https://en.support.wordpress.com/security/two-step-authentication/
Diverting:
A step further in security is placing something between the user and the website's login: an external service (a so-called CDN) like CloudFlare. Traffic is filtered, and the website also loads more efficiently.
Disaster:
Ask VaultPress (from the creators of WordPress) for help when your WordPress site is hacked; paid service.
Sucuri.net, paid service, cleans your site.
Damiaan van Vliet is a WordPress front-end developer at Albus Webdesign. He has more than 30 years of experience in the ICT sector. His core values are patience, focus and structure. He attunes himself to the customer's wishes and keeps things simple where possible.