WordPress is an excellent content management system. However, because of its popularity it has become a target for automated botnet attacks. Here we outline 5 security tips to lock down your WordPress website.
As previously mentioned in ‘Securing WordPress – Change admin Username’, make sure the default ‘admin’ username has been changed to something unique. The tips below go a step further and keep that username out of the page source.
1) Clean Up the WordPress Installation Files
Quite often we install or upgrade WordPress and forget to delete the installation files left behind. They serve no purpose on a running site, and readme.html discloses the installed version to anyone who requests it. For starters, delete the main installation files listed below. If you have already done this, proceed to the next point.
/readme.html
/wp-config-sample.php
/wp-admin/install.php
/wp-admin/install-helper.php
2) Protect Your User Login Name
Knowing your username is half the battle: with it, an attacker only has to guess your password. The first step in hiding it is to open the Users section, go into your profile and set the ‘Display name publicly as’ option to a nickname that differs from your username. Even after that, your username still appears in the page source, in the author link of the ‘posted by’ line on your posts, because WordPress builds the author URL from the user slug. The easiest fix is the “WP author slug” plugin, which changes that slug to match your display name so the username no longer shows in the link. Verify by checking the ‘posted by’ link on one of your posts; it is also worth requesting /?author=1 on your site, since that author-archive redirect is the usual way usernames are enumerated, and confirming the URL it redirects to contains the display-name slug rather than the login name.
3) File Permissions to Protect Important Files
There are also several security plugins you can try, as noted in an earlier post (Top WordPress Plugins), but here we add to that by protecting important files through their permissions. The files and modes below are what we recommend.
You can ask your webmaster to make these changes, or use the ‘File Manager’ in your hosting panel (cPanel, vDeck): select each file, choose the ‘change permissions’ option, and set the mode shown. One caveat: 0600 on wp-config.php only works when PHP runs as the file’s owner (suPHP or a per-site PHP-FPM pool, which is the norm on shared hosting). If PHP runs as the web server user, the file becomes unreadable to WordPress and the whole site fails; in that case use 0640 with the web server’s group instead.
/.htaccess -- 0644
/wp-config.php -- 0600
/index.php -- 0644
/wp-blog-header.php -- 0644
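For hosts where you have SSH rather than a panel, here is a shell script, added as an example and not part of the original post, that performs tips 1 and 3 by hand and then verifies the result. It assumes a Linux or BSD system, that PHP runs as the file owner (see the caveat above), and uses WP_ROOT as a placeholder for the site’s document root.

```shell
#!/bin/sh
# Added example, not from the original post: remove the leftover installer
# files (tip 1) and apply/verify the file modes from tip 3 without a hosting
# panel. Assumes a Linux or BSD host where PHP runs as the file owner (suPHP,
# per-site php-fpm pool); with mod_php running as the web server user, 0600 on
# wp-config.php makes the file unreadable to PHP and 0640 with the right group
# must be used instead. WP_ROOT is a placeholder for this example.
set -eu
WP_ROOT="${WP_ROOT:-/var/www/html}"

INSTALL_FILES="readme.html wp-config-sample.php wp-admin/install.php wp-admin/install-helper.php"

# Tip 1: delete installer leftovers (readme.html also discloses the version).
remove_install_files() {
  root="$1"
  for f in $INSTALL_FILES; do
    if [ -e "$root/$f" ]; then
      rm -f "$root/$f"
      echo "removed $f"
    fi
  done
}

# Tip 3: the modes recommended in the post.
apply_permissions() {
  root="$1"
  chmod 0644 "$root/.htaccess" "$root/index.php" "$root/wp-blog-header.php"
  chmod 0600 "$root/wp-config.php"
}

# Octal mode of a file: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report each file; return 1 if any mode is off or an installer file survives.
verify_hardening() {
  root="$1"; rc=0
  for spec in .htaccess:644 index.php:644 wp-blog-header.php:644 wp-config.php:600; do
    f="${spec%%:*}"; want="${spec##*:}"
    got="$(mode_of "$root/$f" 2>/dev/null || echo missing)"
    if [ "$got" = "$want" ]; then
      echo "ok   $f $got"
    else
      echo "BAD  $f is $got, want $want"; rc=1
    fi
  done
  for f in $INSTALL_FILES; do
    if [ -e "$root/$f" ]; then echo "BAD  $f still present"; rc=1; fi
  done
  return $rc
}

# Usage: WP_ROOT=/home/site/public_html sh harden-wp-files.sh --apply
if [ "${1:-}" = "--apply" ]; then
  remove_install_files "$WP_ROOT"
  apply_permissions "$WP_ROOT"
  verify_hardening "$WP_ROOT"
fi
```

Run it without --apply first and call verify_hardening on the document root to see what is wrong before changing anything; the verify step is also a useful check to re-run after every WordPress upgrade, since upgrades can reintroduce readme.html.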
4) Securing the wp-admin Section
The easiest approach to securing your wp-admin section is the ‘password protect directories’ option in your hosting panel (cPanel, vDeck): select the wp-admin directory, enable protection, and create a username and password for it. This writes an .htaccess file in wp-admin that requires HTTP Basic authentication for everything under that directory. Please note: every logged-in user will be prompted for the extra password, and public-site features that post to wp-admin/admin-ajax.php (some themes and plugins use it for comment forms and other front-end features) will stop working, so do not use this option if that applies to your site.
Note: if you see a redirect loop after protecting wp-admin, fix it by adding ErrorDocument entries to your website’s root .htaccess file as shown below, so the 401/403 response is served as a static page instead of being routed back through WordPress. The paths must start with a slash (Apache treats an argument without one as literal message text), and the two files must exist in the document root.
# wp-admin loop fix
ErrorDocument 401 /error401.html
ErrorDocument 403 /error403.html
5) Security Additions to .htaccess
Here are some additional changes you can apply to your website’s root .htaccess file. They do not affect visitors or their ability to comment, and are specifically for protecting important files such as wp-config.php, which holds your database credentials.
In addition to the permission changes above, you can deny all web access to a particular file, or restrict a file by IP address so that only your address can reach the login page. The IP rule needs updating whenever your address changes, so keep that in mind. Edit the file with the ‘file manager’ in your hosting panel and add these entries near the top. The file manager may have a ‘show hidden files’ option that must be checked before .htaccess files appear. The directives below use the Apache 2.2 syntax most hosting panels still accept; on Apache 2.4 without mod_access_compat, replace the Order/Deny/Allow lines with ‘Require all denied’ and ‘Require ip YourIpAddressHere’.
# Protect wp-config file
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Protect htaccess files
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

# Restrict wp-login.php to your IP only
# Note: do not use if other users (editors, registered commenters) need to log in from other addresses
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from YourIpAddressHere
</Files>
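For a server without a hosting panel, here is a shell script, added as an example and not part of the original post, that does what tips 4 and 5 describe: it writes the Basic-auth .htaccess and password file for wp-admin, adds the loop fix from tip 4, and appends the tip 5 rules to the root .htaccess in both Apache 2.4 (Require) and 2.2 (Order/Deny/Allow) syntax so the same file works on either. It assumes Apache with mod_auth_basic and the openssl command-line tool; the user name, password, password-file path and IP address are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: do by hand what the hosting
# panel's "password protect directories" button does for wp-admin (tip 4),
# add the loop fix, and append the tip 5 rules to the root .htaccess in
# Apache 2.4 syntax with the post's 2.2 form as fallback. Assumes Apache with
# mod_auth_basic and the openssl CLI; WP_ROOT, the user name, password and
# file paths are placeholders for this example.
set -eu
WP_ROOT="${WP_ROOT:-/var/www/html}"

# htpasswd entry in Apache's MD5 ($apr1$) format; replaces any existing line for $user.
htpasswd_add() {
  file="$1"; user="$2"; pass="$3"
  hash="$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)"
  { [ -f "$file" ] && grep -v "^$user:" "$file" || :; } > "$file.tmp"
  printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
  mv "$file.tmp" "$file"
  chmod 0640 "$file"
}

# Basic auth on wp-admin. admin-ajax.php is left open because themes and
# plugins call it from the public site (the breakage the post warns about).
protect_wp_admin() {
  root="$1"; user="$2"; pass="$3"; pwfile="$4"
  htpasswd_add "$pwfile" "$user" "$pass"
  cat > "$root/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $pwfile
Require valid-user
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
EOF
}

# Loop fix from the post: static 401/403 pages (paths must start with "/")
# so the error response is not routed back through WordPress' rewrite rules.
add_loop_fix() {
  root="$1"
  for code in 401 403; do
    [ -f "$root/error$code.html" ] || printf '<h1>Error %s</h1>\n' "$code" > "$root/error$code.html"
    grep -qs "^ErrorDocument $code " "$root/.htaccess" || \
      printf 'ErrorDocument %s /error%s.html\n' "$code" "$code" >> "$root/.htaccess"
  done
}

# Emit a deny-all <Files> block for one file name, in both syntaxes.
deny_block() {
  printf '<Files %s>\n' "$1"
  printf '    <IfModule mod_authz_core.c>\n        Require all denied\n    </IfModule>\n'
  printf '    <IfModule !mod_authz_core.c>\n        Order allow,deny\n        Deny from all\n    </IfModule>\n'
  printf '</Files>\n'
}

# Tip 5 rules. $allowed_ip restricts wp-login.php; pass "" to skip that rule,
# since anyone else who needs to log in from elsewhere would be locked out.
add_root_rules() {
  root="$1"; allowed_ip="$2"
  { echo '# Protect wp-config.php and .htaccess files'
    deny_block wp-config.php
    deny_block .htaccess
    if [ -n "$allowed_ip" ]; then
      echo '# Restrict wp-login.php to one address'
      printf '<Files wp-login.php>\n'
      printf '    <IfModule mod_authz_core.c>\n        Require ip %s\n    </IfModule>\n' "$allowed_ip"
      printf '    <IfModule !mod_authz_core.c>\n        Order deny,allow\n        Deny from all\n        Allow from %s\n    </IfModule>\n' "$allowed_ip"
      printf '</Files>\n'
    fi
  } >> "$root/.htaccess"
}

# Usage: WP_ROOT=/var/www/html ADMIN_PASS='...' ALLOWED_IP=203.0.113.5 sh harden-wp-htaccess.sh --apply
if [ "${1:-}" = "--apply" ]; then
  protect_wp_admin "$WP_ROOT" admin "${ADMIN_PASS:?set ADMIN_PASS}" /etc/apache2/wp-admin.htpasswd
  add_loop_fix "$WP_ROOT"
  add_root_rules "$WP_ROOT" "${ALLOWED_IP:-}"
fi
```

The password file is written outside the document root so it can never be served, and the IP rule is applied last and only when ALLOWED_IP is set, so a site with other editors can run the script without locking them out.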
Check back for future posts that include additional changes you can make to lock down your website and protect your data. Feel free to contact us for any questions or consulting support.