The Thing – WordPress Security
Inder
No, it's not about John Carpenter's 1982 horror movie (The Thing). It's about the horrors we face when our WordPress websites get infected, run malware or spyware, or send outgoing port-scanning attacks to remote networks. It's not just about creating a professional website; it's high time we understand what is required to prevent such attacks on your WordPress website and start doing the right things.
Developing a WordPress site is very popular these days, and there is no doubt that WordPress is by far the most prominent CMS on the market. It's the most popular choice for business websites such as web hosting, design and development companies, and other small or mid-sized companies across various sectors. It's very easy to install and customize, and moreover it's free of cost, with tons of plugins available for tweaking and optimization. WordPress sites have the look and feel of a polished website that everyone wants today: social-networking ready and SEO friendly.
There are lots of ready-made WordPress themes available, along with images, which you can customize according to your needs, so you don't have to ask a designer or developer to purchase images.
However, even after installing security plugins, WordPress websites still carry a risk of being hacked, and you get worried when you start receiving LFD alerts about wp-login.php and xmlrpc.php being under attack. These attacks are nothing but automated brute-force attacks which attackers use to break in or infect your site with malware.
Here are some of the tips I would like to share to keep your websites secure and safe from brute-force attacks.
The first step in doing the right things is choosing the right admin username.
During the installation process, avoid using admin or root for the admin user. You can easily use your email address or some complex username, together with a strong password.
The default plugin installed with WordPress is Akismet, which protects your blog from spam comments by filtering them out of your articles. The basic plan is free with limited checks, so you can use it by activating an account. But if you don't want any comments on your articles or posts at all, the best thing to do is disable comments under Settings >>> Discussion.
We will divide security into two stages: the first at the server level and the second at the website level.
Core Server Security Implementation
The web server running on the server, whether it is Apache, Nginx or LiteSpeed, should be running its latest version. Make sure you install and integrate mod_security with the web server. Common exploits like SQL injection, XSS, malicious file uploads and code execution can all have consequences for a WordPress site, and can be blocked using mod_security rules if they are properly implemented on the server.
Since WordPress is written in PHP, servers should run an up-to-date PHP version and be hardened properly. Use of a CloudLinux-based kernel is recommended.
1.) Install the CSF firewall and LFD (Login Failure Detection) to protect the server from brute-force attacks.
2.) Stop unused services and lock down ports with the firewall.
3.) Install the maldet scanner to scan files at regular intervals. Maldet will help find malware and spyware on the server.
4.) Monitor the access and error log files for brute-force attacks. If you notice entries like the following in the domain access log, it is clear the site is under attack:
xx.xx.xx.xx - - [22/May/2016:23:09:50 -0500] "GET /wp-admin/ HTTP/1.1" 302 - "http://www.sitename.com/wp-login.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
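Reading the access log by eye does not scale, so here is an added example (not from the post) that parses Apache combined-format lines like the one above and flags any IP that POSTs to wp-login.php or xmlrpc.php more than a threshold number of times inside a sliding time window. The sample log lines, the IP addresses and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format, as in the sample line above (regex written for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
WATCHED = ("/wp-login.php", "/xmlrpc.php")  # the two files brute-force tools hammer

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def brute_force_sources(lines, threshold=10, window_seconds=300):
    """Map each IP that POSTed to a watched file more than `threshold` times
    within any `window_seconds` span to its hit count in the busiest window."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?")[0] in WATCHED:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, worst = 0, 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            worst = max(worst, end - start + 1)
        if worst > threshold:
            flagged[ip] = worst
    return flagged

def sample_log():
    """Constructed sample: one IP hammering wp-login.php, one ordinary visitor."""
    ua = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
    lines = [f'203.0.113.5 - - [22/May/2016:23:09:{s:02d} -0500] "POST /wp-login.php HTTP/1.1" '
             f'200 3512 "-" "{ua}"' for s in range(12)]
    lines.append(f'198.51.100.7 - - [22/May/2016:23:10:01 -0500] "GET /wp-admin/ HTTP/1.1" 302 - '
                 f'"http://www.sitename.com/wp-login.php" "{ua}"')
    lines.append(f'198.51.100.7 - - [22/May/2016:23:10:02 -0500] "POST /wp-login.php HTTP/1.1" 302 - "-" "{ua}"')
    return lines
```

On a real server, feed it the lines of the domain's access log and hand the flagged IPs to CSF/LFD or your blocklist rather than acting on a single 302 entry.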
Website Level security
2.) Install SSL certificate on your site.
3.) Remove unwanted plugins that are of no use, as they could still pose a security risk. And if you are using customized themes, remove the themes which are not used, except for the default one.
4.) Enable automatic core updates (WordPress automatic updates are available in the admin panel), and set plugins and themes to update automatically.
5) Disable PHP error reporting (attackers usually get the server's full path when PHP error reporting is enabled).
6) Protect WordPress files like wp-login.php, xmlrpc.php and wp-config.php using .htaccess; a lot of information is available online for this. Here is one example of setting up HTTP authentication for wp-login.php to restrict brute-force attacks against it. First create the htpasswd file with the htpasswd command, then put the following in your .htaccess file (AuthUserFile must be an absolute path, since Apache does not expand ~; /full/path/to/.htpasswd below is a placeholder):

    # Protect wp-login
    <Files wp-login.php>
        AuthUserFile /full/path/to/.htpasswd
        AuthName "Restricted access"
        AuthType Basic
        require user mysecretuser
    </Files>

Or you can simply set up an IP-based restriction for the wp-login.php file (115.xx.xx.xx stands for your own IP address):

    <Files wp-login.php>
        order deny,allow
        deny from all
        allow from 115.xx.xx.xx
    </Files>

To restrict access to the wp-config.php file with .htaccess, add the following:

    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>
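The order/deny/allow directives above are Apache 2.2 syntax and only work on Apache 2.4 when mod_access_compat is loaded. As an added example (not from the post), here are the same three protections written for Apache 2.4's mod_authz_core, combined so that wp-login.php is reachable from a trusted range without a password and requires HTTP authentication from anywhere else; the htpasswd path and the 203.0.113.0/24 range are placeholders.

```apache
# wp-login.php: trusted range passes straight through, everyone else must authenticate
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted access"
    AuthUserFile /full/path/to/.htpasswd
    <RequireAny>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAny>
</Files>

# xmlrpc.php: block entirely unless a plugin or mobile app actually needs it
<Files xmlrpc.php>
    Require all denied
</Files>

# wp-config.php: never served over HTTP
<Files wp-config.php>
    Require all denied
</Files>
```

After editing, run apachectl configtest and confirm with curl that wp-config.php returns 403 and wp-login.php prompts for credentials from an untrusted address.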
7) Change the admin username from admin to something different and give it admin privileges.
8) Track dashboard activity (WP Security Audit Log).
9) Database security: if you run multiple blogs on the same server, it is wise to consider keeping them in separate databases.
10) Finally, the golden rule of the book is to make sure you have a backup of your database. Store backups both locally and remotely.
11) Use security plugins like WP DB Backup, which lets you back up your core WordPress database tables with just a few clicks, and WP Security Scan, which finds vulnerabilities in your site.
I hope the above tips help.