WordPress has been called a backdoor into the server because of vulnerabilities that can be exploited, especially with improper use.  It includes features that make it convenient, but also very dangerous if they are exploited.  This is not a comprehensive list of everything that will make WordPress virtually unhackable, but these steps can help prevent and mitigate what can be done post-exploitation.

  • Use a virtual private server to host the site.  This will require attention and skill with security for more than just the website, but if all you host is the site and static content, and you install all non-WordPress software with the package manager for easy updates, keeping the server secure is simplified.  The greater control will allow you to improve security.
  • Run a firewall to block the MySQL ports or configure the database server to only listen on localhost.
  • Make sure that none of the files are writeable by the web server and that they cannot be created by any web process.  If the web server user can edit files, then it is easy for an attacker to gain shell access.
  • Enable use of .htaccess files and create an IP address whitelist under the wp-admin folder of the site to restrict access to specific IP addresses.  You can use another VPS as a proxy to access the site, but do not run any other services.  If the proxy is compromised, it would be easy to access the site admin panel.  Even if files cannot be uploaded, access would still reveal personal information of users.
  • Do not use any plugin or theme just because it would be useful.  Only use widely used and well-supported themes and plugins that are known to be secure.  Keep them updated.  Delete any unused themes and plugins.
  • Keep the site software updated.
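
The file-permission step in the list above can be checked mechanically. The following is an added example, not part of the original post: a shell audit that lists every path under the WordPress directory that the web server account could modify. The `/var/www/html` path and `www-data` account named in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree for
# paths the web server account could modify. The docroot and account used
# on the command line are assumptions; adjust them for your server.

# wp_writable_paths DOCROOT UID GID
# Prints each file or directory under DOCROOT that the account can change:
#   - owned by the web server UID (an owner can always chmod its own files)
#   - group-owned by the web server GID with the group write bit set
#   - world-writable
# Symlinks are skipped because their own mode bits are always 0777 on Linux.
wp_writable_paths() {
    find "$1" ! -type l \( \
        -uid "$2" \
        -o \( -gid "$3" -perm -0020 \) \
        -o -perm -0002 \
    \) -print | sort
}

# wp_audit DOCROOT UID GID
# Returns 0 when nothing is writable, 1 when findings were printed.
wp_audit() {
    findings=$(wp_writable_paths "$1" "$2" "$3")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Command-line use (assumed names): sh audit.sh /var/www/html www-data
if [ "$#" -eq 2 ]; then
    wp_audit "$1" "$(id -u "$2")" "$(id -g "$2")"
fi
```

A non-zero exit status means at least one path was printed, so the script can be run from cron or a deployment check after every plugin or core update.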


  1. Warren Galloway November 7, 2014 at 3:26 pm

    Good advice, granted, I want to say I follow all of those, but somehow… The Friday before Halloween Friday, I was streaming using

    I noticed, I only have 5 viewers versus the 150+ viewers I normally would have on a Friday night at 9:30 p.m. I tried to find my own stream, but could not. I could see on my app that 5 people were watching.

    After going to my .com, I noticed my menu was missing some links.

    Not sure HOW it happened, but I went in and re-added the pages to the menu, done.

    I then went and blocked all IPs that look suspicious. I’ve been having issues with ‘hackers’ in Russia and China (supposedly).

    Original attack in Nov 2013, took down my Joomla site with SQL injections. Mainly my fault for not updating. Even though I did an update and it said it was updated. Just to get an email from Google stating my site is about to be blacklisted if the issue is not resolved in a given time.

    Which by then, I got frustrated as I had no time to lend to ‘resolving’ the hack. I just created a simple HTML page and a new dir and Google was satisfied and I did not get blacklisted.

    Now Aug 2014, I finally have it up and running with WordPress. And the hackers were bombarding me. IP Blacklist is a time saver. The hack attacks have slowed, but they come specifically, yesterday and today and attempt to login using, get this: Admin/123456.

    Funny, but also insulting. Which is why I’m not too active here, but do what I can as I’m migrating and building new sites in WordPress and doing customization as I lost 2 weeks messing around with a template that would have been great! Oh well, money and time lost one.

    I guess I’ll go delete the plugins I do not use and was testing.

  2. Niiles November 12, 2014 at 7:32 pm

    And some more …

    use WordPress Security Keys

    change table_prefix

    Move wp-config.php file one directory up (WordPress will automatically search for it there).

    Force SSL admin Login


    scan and check your directory permissions (755 directories / 644 files) example with “wp-security scan” plugin

