December 23, 2018

Hardening your WordPress (Protect from Attackers)

WordPress is one of the most used content management system on Internet. WordPress has become a favorite content management system due to it’s rich features. At the same time it had also become favorite content management system for hackers to attack. If you running a WordPress site and concerned about the Security of your Data on your WordPress site then here is what you need to do.
Note the security measures which I am going to discuss here are the basic security measures which every site should use. To protect from bot attacks by hardening your wordpress . And you should also complete functionalist of your plugins on your WordPress site, i.e you should know what you are going to happen on your site from the measure which you are taking.

Here are some complete basic security measures that you must implement on your WordPress site to protect from being hacked.

Before continuing reading further make sure that your computer/laptop which you use for logging into your WordPress dashboard and hosting dashboard is completely free from malwares and virus.By the time you are reading this post you might have installed some firewall and security plugins on your site. Please go through the security plugin’s features and complete functionalists of that plugin because some of the measures that are mentioned below can also be implemented by plugins too. So it is compulsory for you to go through your plugin in order to avoid conflicts.

And Make sure you take the complete backup of your WordPress site.

Use Strong passwords:

It is always recommended to use the strong password.Always make a habit of using random password for your sensitive accounts. If you don’t want to use random password then you should choose which should be far away from guessing your password. If you think that you can forget the password. Then better use the password managers.

And it is also a good idea to protect your WordPress account with double authentication. You can enable double authentication on your WordPress site the DUO WordPress security plugin,Clef and another plugins name,

Don’t use Admin username:

It is always highly adviced not to use the default username Admin as your WordPress account username. Since this user name is default username, some attackers create a bot trying to login with different password on this username(brute force attack). Since most of the brute forces attacks takes with default vales we can avoid few bot attacks on our site by using other than default values.This is the reason why some hosting companies like SiteGround, BlueHost will allow us to get the desired username before installing itself. If you are using default username then check out this post on changing username of WordPress account PHPMYADMIN.

Update your WordPress:-

You should never stop updating your WordPress site. If you neglect updating your WordPress site then you are inviting hackers with red carpet to hack your site.WordPress updates contains not just the features, It also contains some security updates.

Hide WordPress version:-

You must hide your WordPress version. Because if you reveal your WordPress venison number. It will be easier for hacker to know the WordPress venluaribits in that version and they can easily work on on that venerability to jack your site.

To remove the WordPress version just add the following function

 

in your functions.php file which will be in your theme file.

Use only Trusted plugin and Themes:-

It is always recommend that you should be always downloading and using the themes from WordPress plugins and themes reprosicoty. You should never install the plugins or themes (Nulled) from other unrestricted sources.Usually people tend to use the premium themes and plugins from the un-trusted sources for free. This is a trap by Attackers, they take the premium plugins and themes and insert the malicious code in the plugins and themes, Which sends valuable information of your site to the attacker to hack your site. So never use the plugins from un-trusted sources and remember,Before using plugins or themes from other resources you can test the plugins on your demo WordPress site and test with the some scanner plugins which work same as antivirus on your computer. Here are some plugins which you should be using on your demo site to scan:

Theme Authenticity Checker (TAC) get from here
Theme authenticity checker is a free plugin which helps you in scanning for the malicious code in the themes.

Sucuri:-

Sucuri is one of the best scanner plugin for your WordPress which scans your complete WordPress site to get malicious code in your site. Sucuri offers a paid version which offers the malicious code removal. There is a free version of this plugin but the paid plugin offers great support to your site.

Exploit Scanner:- If you are looking for the best alternative to the Sucuri then you should get the Exploit Scanner.

Deleting the unwanted plugins and themes.

Even though there will be no direct effect on the performance of your WordPress site,You should always deleted the unwanted and unused plugins and themes on your site.Because there are some situations which were discussed on WordPress forms that site getting hacked front the unused plugins.

Updating the WordPress Security Keys

WordPress makes use of some security keys which are a set of random letters,numbers and symbols to encrypt the information in the cookies.Here is how you can update the WordPress security keys on your site.
First get the set of Security keys from here.(Official WordPress security key generator).

As soon as you click on the link the keys will be generated. Copy them and place them in the wp-config.php file. If the values are already there in the file then replace them with the newly generated keys.

Disable the File Editing:-

WordPress by default allows you to edit the php files(of plugins and themes) from your WordPress dashboard. Which is actually a great feature but this can be used for malicious purpose if you are giving giving access to other people(allowing registrations). So it is advised to disable this feature to avoid unnecessary problems.

You can just add the following line

define('DISALLOW_FILE_EDIT', true);

to the wp-config.php file.

Note this cannot stop the attacker from running the code from back-end, This is will stop at the frontend. Adding this line to your file will remove all the php editing capabilities for every user.

Change the default WordPress Database Prefix:-

WordPress while automatic installation creates a new database for your WordPress site. By default WordPress create a new database with wp_ as table prefix. This lets your attackers and bots to easily know the tables on your database on which they should attack on.So in-order to stop this we need to change the database prefix from default value to randomly generated prefix. (Note some webhosts automatically overrides the default table prefix, In that there is no need to change).

Make use of this plugin Change DB-Prefix to change your database prefix from your WordPress dashboard

Disable the Directory Browsing:-

You should disable directory browsing on your WordPress site. If you enable Directory browsing on your site then the world can see the directories present on your site, Which reveals the structure of your site and valuable information to the attackers. You can stop this by adding a empty index.html or index.php file in every file. This method is useful for small sites with less number of directories, In-case of big it is time consuming process so we can add this small line to the .htaccess file.

Options -Indexes

Protect your wp-config.php

Protecting wp-config.php file from outside world is must because this file consists of so much of sensitive information about your site. So giving access this file to outside world is  just inviting them with red carpet to hack your site.

Here is how you can protect your wp-config.php file. Add the following lines to your .htaccess file.

<Files wp-config.php/>
order allow,deny
deny from all
</Files>

Protect your .htaccess file

Protecting the .htaccess file so important. You can protect the .htaccess file from out side world accessing it by adding the following lines to your .htaccess file

<Files .htaccess/>
order allow,deny
deny from all
</Files>

Stop showing error messages:-

You should stop showing the error messages on your login page. Because when you enter invalid credentials on your login page WordPress shows a generic error message example when you enter a wrong username  you get an error message as follow as ERROR: Invalid username and when the attacker enters the correct username and enters the wrong password the error message will be Invalid password for the given password. Here it is giving complete hint to the attacker to save the time. So avoid this we can simply add the following function to functions.php file (present in your current theme)

add_filter('login_errors',create_function('$a', "return null;"));

Add 5G BlackList:-

Adding 5G BlackList to your site gives extra protection to your site from the bad requests,malicious activity on your site.

Here is a complete list of 5G Blacklist add this script to your  .htaccess file. This script by Jeff from perishablepress is completely safe to use.If you face any problem after adding this script please consider removing it or consider finding out the reason.

# 5G BLACKLIST/FIREWALL (2013)
# @ http://perishablepress.com/5g-blacklist-2013/

# 5G:[QUERY STRINGS]

	RewriteEngine On
	RewriteBase /
	RewriteCond %{QUERY_STRING} ("|%22).*(<|>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (|../|`|='$|=%27$) [NC,OR]
	RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot.ini|echo.*kae|etc/passwd) [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|[|%) [NC]
	RewriteRule .* - [F]

That’s it these are the some basic WordPress security measures which you need to take on your site.

About the author 

Imran Uddin


{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}