WordPress Security Guide

[amazinghorse]

 

Common advices

Update all the things

Every new release of WordPress contains patches and fixes that address real or potential vulnerabilities. If you don’t keep your website updated with the latest version of WordPress, you could be leaving yourself open to attacks.

Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.

Backup your WordPress database regularly

Keeping your own website or blog takes time and effort but what happens if you lose even part of your information? Having to re-do content or scrape the Wayback Machine for indexed page records is time consuming and sketchy. Even after that there is no guarantee that you can retrieve all files.

You can use this nice plugin - https://wordpress.org/plugins/wp-db-backup/

Use strong passwords

You will be surprised to know that there are thousands of people that use phrases like "password" or "123456" for their admin login details. Needles to say, such passwords can be easily guessed and they are on the top of the list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and you can remember easily. Such passwords are much, much better than single phrase ones.

Store your passwords in safe place

Never use browser password auto-complete!

Better option is a good password manager!

You can use this nice app - http://keepass.info/

Always use SFTP instead of FTP

SFTP is a secure form of the FTP command.Whenever a user opens up a regular FTP session or most other TCP/IP connections, the entire transmission made between the host and the user is sent in plain text.Anyone who has the ability to snoop on the network packets can read the data, including the password information.If an unauthorized user can login, they have the oppurtunity to compromise the system.

When using ssh's SFTP instead of the FTP, the entire login sesion, including transmission of password, is encrypted.It is therefore much more difficult for an outsider to observe and collect passwords from a system using ssh/SFTP sessions.

Ensure your computer is free of viruses and malware

If your computer is infected with virus or a malware software, a potential attacker can gain access yo your login details and make a valid login to your site bypassing all the measures you've taken before. This is why it is very important do have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site on a high level.

---

Valuable Hacks and Tricks

 

Protect WordPress against XSS injection

What Is Script Injection?

Perhaps a better name for "Script Injection" is "code injection."

Here, an attacker literally looks for some type of input element on your site - this could be a search field, a contact field, a name field, or any other type of element that submits data to a server. This is normally done through the use of a script - sometimes it's malicious JavaScript, but attackers can be successful in inserting PHP or MySQL commands, as well.

Finally, it's referred to as injection because if the attacker is successful, then they are literally injecting their code into your application.

Paste this code into your .htaccess file located in the root of website:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Kill the admin. (Say NO to default username  "admin")!

For attackers is always easier to access the site using brute-force, if username are already known.

And in most cases the default username for admin is a primitive... teeth gnashing "admin"

 

Just execute this queries to the database:

UPDATE wp_users SET user_login = 'Your new login' WHERE user_login = 'Admin';

and

UPDATE wp_posts SET post_author = 'Your new login' WHERE post_author = 'admin';

Remove unnecessary information on unsuccessful log in

If you try to log in the admin area of WordPress and you make a mistake in username or password, engine will tell you about it.

Why would attacker know the password, which he tries to pick up is wrong? Let's just cut off this information and little confuse the attacker.

Open functions.php lying in the folder of the active theme of our blog (wp-content/themes/name-your-theme/) and add the following code:

add_filter('login_errors',create_function('$a', "return null;"));

SSL Forcing

If you want to sent your information is secure way, you need to use the SSL Protocol that ensures the integrity and confidentiality of data exchanging.

First of all find out that your provider allows you to use SSL.

If Yes, then open the file wp-config.php (living in the root of the site) and add the following line:

define('FORCE_SSL_ADMIN', true);

Use .htaccess to protect wp-config file

wp-config.php contains all the information required to connect to the MySQL server and database. Protection of this file is one of the most important tasks.

Find the file .htaccess in the root of our website and add the following lines:

<files wp-config.php>
order allow,deny
deny from all
</files>

Hide the version of WordPress

WordPress can track your site, thanks to the footprints it leaves in its software that let the outside world know what version of WordPress you are using.

If you don’t regularly update WordPress, these footprints may be a security leak, though simply hiding your version of WordPress is not enough by itself to protect you from potential threats.

 

To hide your version of WordPress in all three areas, simply add the following code to your functions.php file:

/* Hide WP version strings from scripts and styles
 * @return {string} $src
 * @filter script_loader_src
 * @filter style_loader_src
*/
function fjarrett_remove_wp_version_strings( $src ) {
     global $wp_version;
     parse_str(parse_url($src, PHP_URL_QUERY), $query);
     if ( !empty($query['ver']) && $query['ver'] === $wp_version ) {
          $src = remove_query_arg('ver', $src);
     }
     return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/* Hide WP version strings from generator meta tag */
function wpmudev_remove_version() {
return '';
}
add_filter('the_generator', 'wpmudev_remove_version');

readme.html and license.txt files

Necessarily remove readme.html and license.txt files from the root folder of the website.

In fact, they are useless, but aside from them, you can find information about the version of WordPress.

 

Write a plugin to protect against malicious url requests

"Hackers"  are very often trying to find weaknesses with the help of all sorts of malicious requests. WordPress is well protected from it, but the extra protection be a plus.

Create a new file called blockbadqueries.php and put it in the folder wp-content/plugins. Then just activate it in the admin panel like any other plugin.

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
global $user_ID;

if($user_ID) {
  if(!current_user_can('level_10')) {
    if (strlen($_SERVER['REQUEST_URI']) > 255 ||
      strpos($_SERVER['REQUEST_URI'], "eval(") ||
      strpos($_SERVER['REQUEST_URI'], "CONCAT") ||
      strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") ||
      strpos($_SERVER['REQUEST_URI'], "base64")) {
        @header("HTTP/1.1 414 Request-URI Too Long");
    @header("Status: 414 Request-URI Too Long");
    @header("Connection: Close");
    @exit;
    }
  }
}

?>

Protect directories on the server from view

Many hosting companies allow anybody to view the directory on their server. So, if you type in the address bar www.yourblog.com/wp-includes very often you can see all the contents of this directory. Of course it is unsafe, so it's better to immediately turn-off this feature.

Add to .htaccess file line:

Options All -Indexes

---

Security plug-in's

 

Limit Login Attempts

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features

•     Limit the number of retry attempts when logging in (for each IP). Fully customizable
•     Limit the number of attempts to log in using auth cookies in same way
•     Informs user about remaining retries or lockout time on login page
•     Optional logging, optional email notification
•     Handles server behind reverse proxy
•     It is possible to whitelist IPs using a filter. But you probably shouldn't. :-)

https://wordpress.org/plugins/limit-login-attempts/

 

Wordfence Security

https://wordpress.org/plugins/wordfence/

Looks very promising, but I prefer doing all important jobs by my own, and have some skeptic feelings about "commercial freeware"