SECURITY 101: SECURE YOUR WORDPRESS WEBSITE - BY: LANCE HOWELL
Table of Contents
● Clean Up Website After Installation: Post Installation Security
● Basic and Easy Security Options
● Backup Your Website
● Restore Your Website
● Keep Site Up to Date
● Passwords
● How to Change and Recover Passwords
● Default Admin Username
● Default User Roles
● Customize Login
● Secure Meta Information
● Remove Version Numbers
● Secure WP-ADMIN
● Database Security
● Disable Error Notices in wp-config.php
● Disable Directory Listing
● Advanced Security
● Stop Hotlinking
● Website Security Checklist
● Website Resources
Clean Up Website After Installation: Post Installation Security
1. Remove unused or unwanted plugins and themes.
2. Remove wp-config-sample.php.
3. Remove readme.html (it discloses the version number of your WordPress installation).
4. Remove license.txt (your call; WordPress does not need it to function).
5. Delete any backup files you uploaded while restoring or migrating. Look for extensions such as .bak, .zip, .rar and .tar.
6. Remove log and data files such as .log and .dat files. Check .txt files individually rather than deleting them wholesale; robots.txt, for example, belongs in the web root.
7. Remove version-control metadata such as .svn and .git directories; they expose file history and sometimes credentials. (.well-known is not version control: ACME certificate issuance and other standards rely on it, so leave it in place unless you are sure nothing uses it.)
8. Remove any other temporary files you uploaded or created.

Basic and Easy Security Options

Backup Your Website
● Use your web host's backup, or
● Use UpdraftPlus.
● Test the backup.
● Keep a copy of every backup somewhere other than the web server, for example on a local disk or in separate storage.

Restore Your Website
● Test a backup by actually restoring your website from it.
● Restore the database with phpMyAdmin:
  ○ Log in to phpMyAdmin.
  ○ Select all the tables in your WordPress database.
  ○ Drop the tables.
  ○ Import the SQL dump from the backup you downloaded.
● Restore the files (wp-content in particular: themes, plugins and uploads) from the same backup so that files and database match.

Keep Site Up to Date
1. Plugins
2. Themes
3. WordPress core
4. Use the WP Update Notifier plugin if you are not in WordPress all the time.
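To check the post-installation cleanup list above against a real install, here is an added shell script that is not part of the original guide. It audits a WordPress document root for the leftovers the list names (readme.html, license.txt, wp-config-sample.php, backup archives, log files, .git and .svn directories) and goes slightly beyond the list by also flagging .gz and .sql dumps. It reports rather than deletes, flags .well-known for review instead of removal, and builds the sample site it scans out of empty files so it runs offline; the file names and directory layout in the sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a WordPress document
# root for the leftovers the post-installation cleanup list says to remove.
# It reports instead of deleting, so you can confirm each hit by hand. The
# sample site it scans is constructed below (empty files), so it runs offline.

# Files that ship with WordPress but should not stay on a production install.
LEFTOVER_FILES="readme.html license.txt wp-config-sample.php"
# Extensions of backups, archives, dumps and logs that do not belong in the
# web root (.sql and .gz go beyond the guide's list; .txt is deliberately
# omitted because robots.txt is legitimate).
LEFTOVER_EXT="bak zip rar tar gz sql log dat"
# Version-control metadata that exposes history and sometimes credentials.
VCS_DIRS=".git .svn"

# audit_wp_root DIR -> prints "REMOVE ..." per finding and "REVIEW ..." for
# .well-known, which is not version control and is used by ACME (Let's Encrypt)
audit_wp_root() {
    root=$1
    for f in $LEFTOVER_FILES; do
        if [ -e "$root/$f" ]; then echo "REMOVE leftover file: $f"; fi
    done
    for ext in $LEFTOVER_EXT; do
        find "$root" -type f -name "*.$ext" | sed "s|^$root/|REMOVE stray archive/log: |"
    done
    for d in $VCS_DIRS; do
        if [ -d "$root/$d" ]; then echo "REMOVE version-control dir: $d"; fi
    done
    if [ -d "$root/.well-known" ]; then
        echo "REVIEW .well-known: not version control, used for ACME challenges; keep unless unused"
    fi
    return 0
}

# count_removals DIR -> number of REMOVE findings (0 means the root is clean)
count_removals() { audit_wp_root "$1" | grep -c '^REMOVE' || true; }

# make_sample_site -> path of a constructed WordPress root with typical leftovers
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/.git" "$site/.well-known/acme-challenge"
    # legitimate files that must not be reported
    : > "$site/index.php"; : > "$site/wp-config.php"; : > "$site/robots.txt"
    # leftovers from the cleanup list
    : > "$site/readme.html"; : > "$site/license.txt"; : > "$site/wp-config-sample.php"
    : > "$site/wp-content/uploads/site-backup.zip"; : > "$site/wp-content/debug.log"
    echo "$site"
}

SITE=$(make_sample_site)
echo "Auditing constructed sample site $SITE"
audit_wp_root "$SITE"
echo "REMOVE findings: $(count_removals "$SITE")"
rm -rf "$SITE"
```

Point audit_wp_root at the real document root (for example /var/www/html) and treat every REMOVE line as a candidate for deletion after you have confirmed nothing depends on it; the REVIEW line is a reminder, not an instruction to delete.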
Passwords
1. Use pass phrases; length matters most.
2. Mix numbers, letters and symbols.
3. Use a password manager, so every site gets its own unique password.
4. Change a password promptly if you suspect it has been exposed, and rotate shared or long-lived credentials on a schedule.

How to Change and Recover Passwords
● Change the password on the user's Profile page.
● Change it through the Lost Password page (requires working e-mail delivery).
● Change it directly in the WordPress database, for emergencies when the other two routes are unavailable:
  ○ Open phpMyAdmin.
  ○ Open the wp_users table (the prefix differs if you changed it).
  ○ Click Edit on the user's row.
  ○ In user_pass, enter the new password and select MD5 in the Function drop-down.
  ○ Click Go.
  WordPress recognizes an MD5 value in user_pass and replaces it with its own stronger hash the first time that user logs in, so this works as a recovery step; log in promptly afterwards rather than leaving MD5 hashes in the table.

Default Admin Username
● Create a new administrator-level user with a name other than "admin".
● Log out of the admin account.
● Log in as the new administrator.
● Delete the original admin user. When WordPress asks what to do with that user's content, attribute it to the new user rather than deleting it.
Default User Roles
● Administrator
  ○ Full control of the site: content, users, plugins, themes and settings.
  ○ On a multisite network the Super Admin role sits above this with network-wide rights.
● Editor
  ○ Publish and edit posts and pages, including other users' posts.
  ○ Moderate comments.
  ○ Manage categories and tags.
  ○ Upload files.
  ○ Plus everything an Author and Contributor can do.
● Author
  ○ Write, edit and publish their own posts.
  ○ Delete their own posts, including published ones.
  ○ Upload files.
  ○ Plus everything a Contributor and Subscriber can do.
● Contributor
  ○ Write and edit their own posts, but cannot publish them or upload files.
  ○ Delete their own unpublished posts.
  ○ Plus read, which is the only thing a Subscriber can do.
● Subscriber
  ○ Read posts and manage their own profile.
Give each account the lowest role that lets it do its job; a compromised account is only as damaging as the role it holds.

Customize Login
Changing the default login URL keeps automated attacks that hit /wp-login.php and /wp-admin/ from finding the login page at all, which stops most of the untargeted brute-force traffic a WordPress site receives. It is obscurity, not authentication: anyone who learns the new path can still try passwords, so pair it with a login-attempt limit (see the checklist) and strong passwords. Plugins such as iThemes Security can make these changes for you.
● Change wp-login.php to something unique, like my_new_login.
● Change /wp-admin/ to something unique, like my_new_admin.
● Change /wp-login.php?action=register to something unique, like my_new_registration.
Secure Meta Information

Remove Version Numbers
1. Open the active theme in the file manager. Prefer a child theme (or a small custom plugin) so that a theme update does not overwrite your change.
2. Open its functions.php file.
3. Add the following code:

    // Remove the WordPress version from the <head> generator meta tag
    remove_action('wp_head', 'wp_generator');

    // Remove the version from RSS feeds
    add_filter('the_generator', '__return_empty_string');

    // Remove the ?ver= query string from enqueued scripts and styles
    function shapeSpace_remove_version_scripts_styles($src) {
        if (strpos($src, 'ver=') !== false) {
            $src = remove_query_arg('ver', $src);
        }
        return $src;
    }
    add_filter('style_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);
    add_filter('script_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);

Two caveats: the ?ver= parameter is also how WordPress busts browser caches, so visitors may see stale CSS or JavaScript after an update until their cache expires; and hiding the version only deters casual scanners, since it can still be fingerprinted from core files. Keeping the site updated is what actually protects it.

Secure WP-ADMIN

Don't Allow File Editing in wp-admin
Add the following line to wp-config.php to disable the built-in theme and plugin editor, so that an attacker who gets into the dashboard cannot write PHP through it:

    define('DISALLOW_FILE_EDIT', true);

Add Authentication Keys and Salts
wp-config.php contains eight define() lines for authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching _SALT values); the comment above them points to https://api.wordpress.org/secret-key/1.1/salt/. Generate fresh values there and paste them over the existing lines, replacing any 'put your unique phrase here' placeholders. These values sign login cookies, so changing them invalidates every existing session, which is also a useful step after a suspected compromise.

Database Security
Change the database table prefix to something other than the default wp_. Do this when installing WordPress: on an existing site it means renaming every table and updating the prefixed keys in the options table (wp_user_roles) and usermeta table (wp_capabilities, wp_user_level), so take a backup first and use a tested plugin or script.
Disable Error Notices in wp-config.php
PHP errors shown to visitors reveal file paths, plugin names and database details. On a production site, add or set the following in wp-config.php:

    define('WP_DEBUG', false);
    define('WP_DEBUG_LOG', false);
    define('WP_DEBUG_DISPLAY', false);
    ini_set('display_errors', '0');

If you must debug on a live site, keep WP_DEBUG_DISPLAY false and enable WP_DEBUG_LOG instead; the log is written to wp-content/debug.log, which is readable over the web unless you block it, so remove it (or deny access to it) when you are done.

Disable Directory Listing
Open .htaccess and add the following so that Apache returns 403 instead of listing the contents of directories that have no index file (wp-content/uploads, for example):

    # DISABLE DIRECTORY VIEWS
    Options -Indexes

This requires the server to allow Options overrides for the directory (AllowOverride Options or All); if it does not, Apache answers with a 500 error and the directive has to go in the server configuration instead.
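The Secure WP-ADMIN, Database Security, Disable Error Notices and Remove Version Numbers sections all come down to a handful of settings that are easy to get wrong or leave commented out. Here is an added shell script, not part of the original guide, that audits a wp-config.php for those settings and a saved copy of the site's front page for the generator tag and ?ver= strings that the functions.php snippet removes. The weak and hardened wp-config.php samples and the HTML fragment are constructed in the script with made-up values (the key strings are placeholders, not real secrets) so it runs offline; in practice you point it at the real files.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a wp-config.php and a
# saved copy of the site's front page for the weak settings and version leaks
# covered in the Secure WP-ADMIN, Database Security, Disable Error Notices and
# Remove Version Numbers sections. The sample files are constructed below with
# made-up values so the script runs offline; point it at real files in practice.

# active_lines FILE -> the file without PHP // and # comment lines, so that a
# commented-out define() is not mistaken for an active one
active_lines() { grep -Ev '^[[:space:]]*(//|#)' "$1"; }

# has FILE ERE -> succeeds if an active line matches (a "." in the pattern
# stands for either quote character around a constant name)
has() { active_lines "$1" | grep -Eq "$2"; }

# check_wp_config FILE -> one "FINDING ..." line per weak setting
check_wp_config() {
    cfg=$1
    has "$cfg" "define\(.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true" \
        || echo "FINDING DISALLOW_FILE_EDIT is not true: theme/plugin editor enabled"
    has "$cfg" "put your unique phrase here" \
        && echo "FINDING authentication keys and salts are still the placeholders"
    has "$cfg" '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' \
        && echo "FINDING default table prefix wp_ in use"
    has "$cfg" "define\(.WP_DEBUG_DISPLAY.[[:space:]]*,[[:space:]]*true" \
        && echo "FINDING WP_DEBUG_DISPLAY is true: PHP errors shown to visitors"
    # WP_DEBUG on with no explicit WP_DEBUG_DISPLAY false also displays errors
    if has "$cfg" "define\(.WP_DEBUG.[[:space:]]*,[[:space:]]*true" &&
       ! has "$cfg" "define\(.WP_DEBUG_DISPLAY.[[:space:]]*,[[:space:]]*false"; then
        echo "FINDING WP_DEBUG is true without WP_DEBUG_DISPLAY false"
    fi
    has "$cfg" "define\(.WP_DEBUG_LOG.[[:space:]]*,[[:space:]]*true" \
        && echo "FINDING WP_DEBUG_LOG is true: wp-content/debug.log is web-readable unless blocked"
    return 0
}

# check_html FILE -> findings for the leaks the functions.php snippet removes
check_html() {
    grep -Eiq '<meta[^>]+name="generator"[^>]+WordPress' "$1" \
        && echo "FINDING generator meta tag discloses the WordPress version"
    grep -Eq '\.(css|js)\?[^" ]*ver=' "$1" \
        && echo "FINDING script/style URLs carry ?ver= query strings"
    return 0
}

# count_findings (reads stdin) -> number of FINDING lines
count_findings() { grep -c '^FINDING' || true; }

# Constructed weak config: placeholder salts, default prefix, debugging on,
# and DISALLOW_FILE_EDIT present only in a comment.
write_weak_config() {
    f=$(mktemp); cat > "$f" <<'EOF'
<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
// define('DISALLOW_FILE_EDIT', true);
EOF
    echo "$f"
}

# Constructed hardened config (key values are placeholders, not real secrets).
write_hardened_config() {
    f=$(mktemp); cat > "$f" <<'EOF'
<?php
define('AUTH_KEY',         'Fq8#example-random-value-generated-by-api#Lz2');
define('SECURE_AUTH_KEY',  'v7!example-random-value-generated-by-api!Rm4');
$table_prefix = 'lh7_';
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
define('WP_DEBUG_LOG', false);
define('WP_DEBUG_DISPLAY', false);
EOF
    echo "$f"
}

# Constructed front-page <head> from a site that has not applied the snippet.
write_leaky_html() {
    f=$(mktemp); cat > "$f" <<'EOF'
<head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-content/themes/sample/style.css?ver=6.4.2" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head>
EOF
    echo "$f"
}

WEAK=$(write_weak_config); HARD=$(write_hardened_config); PAGE=$(write_leaky_html)
echo "weak wp-config.php:";     check_wp_config "$WEAK"
echo "hardened wp-config.php:"; check_wp_config "$HARD"
echo "front page:";             check_html "$PAGE"
rm -f "$WEAK" "$HARD" "$PAGE"
```

Run check_wp_config against the live wp-config.php and check_html against a page saved with curl -s https://your-site/ > home.html; an empty result from both means the settings in these sections are in effect. The checks are pattern matches on the text of the file, which is enough for the standard define() lines but will not follow settings pulled in from an included file.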
Advanced Security

Stop Hotlinking
Hotlinking is embedding an image or file hosted on someone else's server in your own pages, so that their server pays for the bandwidth; it is also called bandwidth theft. It has undesirable consequences in both directions. If you have linked to an image on someone else's server, nothing stops them from changing the image you linked to, the so-called "switcheroo". Since most sites and forums have strict policies about offensive images, it would not take much for an aggravated webmaster whose bandwidth you have been using to get your page taken down with an unwanted switcheroo. Displaying an image or file that does not belong to you can also be a copyright violation, leaving you open to litigation; the owner could use the DMCA to have your site taken down and your details handed over for legal proceedings. To stop other sites hotlinking your files, add the following to .htaccess below the RewriteEngine On line that the default WordPress .htaccess already contains, and replace example.com with your own domain:

    # STOP HOTLINKING
    # Allow requests that carry no Referer (many browsers and privacy tools send none)
    RewriteCond %{HTTP_REFERER} !^$
    # Allow requests from this site and its subdomains
    RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?example\.com(/|$) [NC]
    # Any other site asking for an image gets 403 Forbidden
    RewriteRule \.(gif|jpe?g|png)$ - [NC,F,L]

The Referer header is supplied by the client and is often blank, which is why the first condition lets referer-less requests through: the rule blocks casual hotlinking from other web pages, not a deliberate attacker who can send any Referer they like.
Website Security Checklist
❏ Full backup (quarterly). Do not rely on your web host to back up the website, and do not store the backup on the web server that hosts the site.
❏ Weekly backup of changes since the full backup. The same rules apply: not only the host's backup, and not stored on the same server.
❏ Security scans with Sucuri (bi-monthly). Sucuri offers a WordPress plugin that scans your website for known security problems.
❏ Trim the number of plugins and themes you use. Every extra plugin or theme slows the site and widens the attack surface, and the ones you are not using are the ones you will forget to update.
❏ Do not use the default username (admin) for a WordPress website. The default administrator username is very well known, and there is no reason to hand attackers half of the login.
❏ Use a strong, unique password.
❏ Use a TLS certificate and serve the site over https://.
❏ Keep plugins, themes and WordPress core updated.
❏ Limit login attempts.

Website Resources
● https://wpplugins.tips/best-wordpress-security-check-tool-list/
● https://www.codeinwp.com/blog/wordpress-statistics/
● http://codex.wordpress.org/Hardening_WordPress
● http://www.designwall.com/blog/how-to-handle-a-wordpress-security-attack/
● https://managewp.com/security-plugins-problem