How to Protect Your WordPress Site

This is a post I had over on my old website and was asked to put back up here. Since I wrote the original guide on how to lock down a WordPress site well over a year ago, some new methods for improving the security of this CMS have become available.

For the past year and a half, the world has seen the growth of several massive botnets made up of thousands of computers working together to infect WordPress sites or take them down entirely. While plenty of tech sites have reported on this issue, few have given direction on how to combat the problem. In this article I will address several methods that can be used to safeguard your site against such attacks.

This information assumes that you are already tech-minded, fully comfortable in the backend / admin area of the WordPress CMS, have FTP access, and are knowledgeable and comfortable with making changes to your site via an FTP program. If you do not have the background, experience, or level of comfort to work in these areas, stop reading this page right now and contact a WordPress security professional today! Some of these changes are capable of breaking your site or taking it down if done incorrectly.

Securing Your Login

One of the first steps you have hopefully already taken when creating / installing your WordPress CMS is to choose a secure login username. You should never use the default “admin” username for your site, as this is almost always the username that a botnet will try when running a brute-force attack against your server.

It should hopefully go without saying that each user should have a different password, one that would be impossible for anyone who personally knows them to guess. Examples of terrible passwords include:

  • strings of consecutive numbers anywhere in the password [e.g., 12345]
  • any part of your first or last name, a nickname, or the names of relatives / significant other / pets / other names that others may be able to guess
  • any portion, whole or in part, of your phone number, street address, city name, or ZIP / postal code – this information can be scraped from the publicly viewable Registrant record for your domain
  • anything else superficially obvious, common, or used by those who don’t feel like making up real passwords [e.g., your login and password are both “admin”; or your password is “password1”, “pass12345”, “admin123”, etc.]
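The rules in the list above can be checked mechanically before a password is accepted. The following is an added example, not code from the original post; the personal words and numbers it uses are constructed sample data standing in for whatever a real user has published about themselves.

```python
import re

# Constructed per-user data an attacker could guess or scrape (e.g. from a
# domain's public registrant record); gather these for each real user.
PERSONAL_WORDS = ["alice", "smith", "rover", "springfield"]   # names, pet, city
PERSONAL_NUMBERS = ["5551234567", "62701"]                   # phone, ZIP code
COMMON_PASSWORDS = {"admin", "password", "password1", "pass12345", "admin123"}

def _has_consecutive_digits(s, length=3):
    """True if s contains a run of ascending or descending digits such as 123 or 987."""
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if chunk.isdigit():
            steps = {ord(chunk[j + 1]) - ord(chunk[j]) for j in range(length - 1)}
            if steps in ({1}, {-1}):
                return True
    return False

def password_problems(password, username=""):
    """Return the article's rules that the password violates (empty list = none)."""
    problems = []
    low = password.lower()
    if low in COMMON_PASSWORDS or low == username.lower():
        problems.append("common or equal to the login name")
    if _has_consecutive_digits(password):
        problems.append("contains consecutive digits")
    for word in PERSONAL_WORDS:
        if word in low:
            problems.append(f"contains personal name '{word}'")
    # any digit run of four or more that is part of a phone number or postcode
    for run in re.findall(r"\d{4,}", password):
        if any(run in num for num in PERSONAL_NUMBERS):
            problems.append(f"contains part of a personal number ({run})")
            break
    return problems
```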

TimThumb Security Hole

Although the TimThumb security hole has been known in the WordPress world for a few years now, many users are still surprisingly unfamiliar with this potentially massive vulnerability. TimThumb was a huge problem when the hole was first discovered in 2011: it is an image-resizing script present in many WP themes which, out of the box, has perfectly legitimate and useful functionality. However, the hole found in this tool left literally hundreds of thousands of sites running on the WP CMS open to, and ultimately attacked by, hackers and botnets. Fortunately, this hole is easy to fix and can be patched with the free plugin TimThumb Vulnerability Scanner.

Upgrade and Update Often

The latest version of WordPress is designed to update itself automatically, but this doesn’t mean that you will never have to do this task yourself. Many hosts actually have this feature turned off by default if you install WordPress through something like cPanel, or simply set file permissions that prevent WordPress from updating itself without your interaction. You really should be checking on your site at least once a week to see if updates are available and to ensure it is running smoothly (ideally more frequently than this). This includes updating any plugins you have installed, as these also frequently have update releases.

Install a Security Plugin

Another easy step to prevent WP attacks is to install one (or more) security plugins. My personal favorite is Wordfence, which has both free and paid versions (although the free one is sufficient for most sites). This plugin scans your site periodically for theme and file changes. It also provides 24/7 monitoring of traffic to your site, with a number of parameters that can be tailored to however secure or restrictive you wish your site traffic to be. A great feature of Wordfence is that it emails you as attacks occur and IPs are blocked.

In addition, the plugin allows you to instantly throttle or block IPs based on unwanted behaviors. This includes bot or human IP addresses exceeding a threshold of 404 page loads, attempts to access the admin area of the WP CMS, brute-force attacks, and more. IPs can be blocked for a set period of time or permanently. The paid version allows you to block entire countries if desired.
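To make the per-IP thresholds described above concrete, here is an added example (not part of the original post and not Wordfence's code) that applies three of them to Apache access-log lines. The log lines are constructed samples using documentation IP ranges, and the threshold values are assumptions chosen for the sample.

```python
import re
from collections import defaultdict

# Constructed sample of Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /old-post-1 HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /old-post-2 HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /old-post-3 HTTP/1.1" 404 512 "-" "curl/7.88"
192.0.2.50 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2023:13:57:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Assumed limits; a real monitor would tune these and count within a time window.
THRESHOLDS = {"login_posts": 4, "not_found": 3, "admin_hits": 10}

def flag_ips(log_text, thresholds=THRESHOLDS):
    """Return {ip: [reasons]} for every IP that reaches any per-IP threshold."""
    counts = defaultdict(lambda: {"login_posts": 0, "not_found": 0, "admin_hits": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of crashing on odd input
        c = counts[m["ip"]]
        if m["status"] == "404":
            c["not_found"] += 1
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            c["login_posts"] += 1            # repeated login submissions = brute force
        if m["path"].startswith("/wp-admin/"):
            c["admin_hits"] += 1             # probing of the admin area
    flagged = {}
    for ip, c in counts.items():
        reasons = [f"{k}={c[k]} (limit {v})" for k, v in thresholds.items() if c[k] >= v]
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The counts here run over the whole input; a blocking tool would keep them per time window so that a legitimate visitor who mistypes a password a few times over a week is not treated like a bot.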

Lockdown with .htaccess

If you’re familiar with creating and editing .htaccess files on your server via an FTP program, then you can also restrict access to directories and files by IP address. The downside to this method is that you will need to add to your .htaccess each and every IP address you intend to access your admin area from (i.e., your home, your office, your cabin, etc.). The upside is that your site logins become much more secure, since only the IP addresses you have personally identified will have permission to reach these crucial areas of the site.

Only proceed with editing your .htaccess files as described below if you are already familiar with this process, with using FTP, and with editing text files, as entering the wrong information in these steps can make your site inaccessible.

These access restrictions should be applied not only to the /wp-admin directory, but also to the wp-config.php and wp-login.php files in the root directory of your WordPress installation.

Likely, you already have an .htaccess file in the root directory of your site, which probably contains something similar to the following if WordPress has already been installed:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

To block access by IP to the wp-config.php and wp-login.php files from the root directory, you will need to append the following lines to the end of this file, replacing the x.x.x.x with your own IP address:

<Files wp-login.php>
order deny,allow
allow from x.x.x.x
deny from all
</Files>
<Files wp-config.php>
order deny,allow
allow from x.x.x.x
deny from all
</Files>

Your /wp-admin directory likely won’t contain a .htaccess file, but one can easily be created:

  • Open a new text document
  • Save as type “all files” with the filename “.htaccess” (no quotes, no extension at the end of the filename), then close the file

You can also accomplish this by creating a “New > File” on your server via FTP and naming the file .htaccess. Most FTP programs will allow you to edit the .htaccess file directly on the server, downloading an editable copy for you to edit in Notepad or a similar program.

Open your newly-created .htaccess file, and enter the following, replacing x.x.x.x with your own IP address:

allow from x.x.x.x
deny from all
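Because a typo in one of these files locks out every visitor, it is worth generating the fragments from a validated address list rather than typing them. The following is an added example, not code from the original post: it produces the root-level <Files> blocks and the /wp-admin body in the Order/Allow/Deny syntax used above (Apache 2.2, or 2.4 with mod_access_compat enabled), with an option for the equivalent Require ip form that Apache 2.4 uses natively. The address list is a constructed sample.

```python
import ipaddress

# Constructed example of the locations you log in from (single IPs or CIDR ranges).
ALLOWED = ["203.0.113.7", "198.51.100.0/24"]

def _apache_addr(net):
    """Render a network as Apache expects: a bare host for a single address, CIDR otherwise."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)

def access_directives(entries, apache24=False):
    """Return directive lines that allow only the given addresses.

    apache24=False emits the article's Order/Allow/Deny syntax; apache24=True
    emits Require ip lines, under which anything unmatched is denied implicitly.
    ipaddress.ip_network() raises ValueError on a malformed entry, so a typo
    never reaches the file.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    if not nets:
        raise ValueError("at least one allowed address is required")
    addrs = [_apache_addr(n) for n in nets]
    if apache24:
        return [f"Require ip {a}" for a in addrs]
    return ["order deny,allow"] + [f"allow from {a}" for a in addrs] + ["deny from all"]

def htaccess_fragments(entries, apache24=False):
    """Build the two fragments from the article: the <Files> blocks to append to
    the root .htaccess, and the body of the new /wp-admin/.htaccess.

    Caveat: some themes and plugins call /wp-admin/admin-ajax.php for anonymous
    visitors; restricting the whole directory by IP blocks those calls too.
    """
    body = access_directives(entries, apache24)
    root = []
    for name in ("wp-login.php", "wp-config.php"):
        root += [f"<Files {name}>"] + body + ["</Files>"]
    return {"root": "\n".join(root), "wp-admin": "\n".join(body)}

if __name__ == "__main__":
    for where, text in htaccess_fragments(ALLOWED).items():
        print(f"# --- {where} ---\n{text}\n")
```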

In Conclusion

While each of these steps is important and necessary in ensuring your WordPress site’s security, the .htaccess method is one of the more complete and all-encompassing solutions, although it is the most time-consuming to set up. That being said, if you are familiar with editing .htaccess files, these steps should only take several minutes of your time.

If you want your WordPress site to be secure, you must focus on your own actions and responsibilities with your install. Not only are bugs and holes discovered and patched through frequent upgrades, but any themes or plugins can also have security holes of their own.

So long as the principles described in this article are followed, the chance of your site being hacked will be greatly diminished.