Following our blog post about the (in)famous Dolohen hacks affecting thousands of WordPress sites, we thought it was the right time to write an article about WordPress security and to show you how to 'harden' your site.
One of the most important aspects of any website is, without doubt, security. A hacked website can seriously damage a business and the company's reputation, or, even worse, result in compromised data and stolen private information.
Sites get hacked all the time, especially WordPress ones. Let's analyse some of the best practices that can be applied to secure your WordPress website.
1) The first step (and the most important one) is to make sure that your WordPress core, plugins and themes are up to date and always downloaded/purchased from a trusted source. Statistically, the main reason for malware infecting a site is a vulnerability in one of the above.
2) Install a security plugin that provides additional protection, like Cerber or Wordfence.
3) Avoid using "admin" as the login username. If you already have it, you will need to set up a new administrator account and delete the "admin" one, since WordPress doesn't allow username changes.
This is recommended because that particular username is commonly targeted by brute-force attacks.
4) Install a plugin that limits the login attempts like the following: https://en-gb.wordpress.org/plugins/wp-limit-login-attempts/
5) On the hosting/server side, set strict permissions on some of the important core WP files:
- "wp-config.php" set to 400 - this means that only the owner can read the file and nobody can write to it (it holds your database credentials and salts).
- "index.php" set to 444 - this ensures that the file can only be read and not written to.
All other .php files should be set to 644 and directories to 755. If you notice different permissions on your website's content, it is very likely that the site has been compromised.
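As an added example (not from the original post), here is a small POSIX shell script that audits a WordPress tree against the permission scheme from step 5 and, with a second argument of "fix", applies it. It assumes the root index.php is the one meant to be 444, that every directory should be 755, and that only .php files and directories are checked; stat -c / stat -f cover GNU and BSD/macOS respectively.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) the permission scheme from step 5.
# Usage: audit_wp_perms /path/to/wordpress [fix]
# Prints "<actual> <expected> <relative path>" for every deviation found.
# Assumptions: only *.php files and directories are checked; the root
# index.php (not every index.php) is the one expected to be 444.

perm_of() {
  # Octal mode, portable across GNU (stat -c) and BSD/macOS (stat -f).
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

expected_perm() {
  # $1 = file path relative to the WordPress root.
  case "$1" in
    wp-config.php) echo 400 ;;   # owner read-only: secrets live here
    index.php)     echo 444 ;;   # world-readable, nobody can write
    *.php)         echo 644 ;;   # every other PHP file
    *)             echo ""  ;;   # not covered by the scheme: skip
  esac
}

audit_wp_perms() {
  root=${1%/}
  mode=${2:-report}
  find "$root" \( -type d -o \( -type f -name '*.php' \) \) |
  while IFS= read -r p; do
    [ "$p" = "$root" ] && continue          # skip the root itself
    rel=${p#"$root"/}
    if [ -d "$p" ]; then want=755; else want=$(expected_perm "$rel"); fi
    [ -z "$want" ] && continue
    have=$(perm_of "$p")
    [ "$have" = "$want" ] && continue
    printf '%s %s %s\n' "$have" "$want" "$rel"
    if [ "$mode" = fix ]; then chmod "$want" "$p"; fi
  done
}

# Stand-alone run: audit (or fix) the directory given on the command line.
if [ $# -gt 0 ]; then audit_wp_perms "$@"; fi
```

Run it in report mode first and review the list; an unexpected 777 directory or a writable wp-config.php is exactly the kind of deviation step 5 warns about.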
6) Block direct requests to .php files in the wp-content/uploads/ and wp-includes/ directories by creating an .htaccess file in each of them and adding the following (this is Apache 2.2 "Order/Deny" syntax; on Apache 2.4 it only works with mod_access_compat loaded, otherwise use "Require all denied"):
<files *.php>
deny from all
</files>
7) Disable directory listing by adding the following in your document root directory .htaccess:
Options -Indexes
This way visitors can't browse the list of files in a directory that has no index file.
8) Block unwanted files from being accessed in your wp-content folder by creating an .htaccess file there and adding the following code (the dot before the extension list is escaped so that only real file extensions match):
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>
9) Block anyone from accessing wp-includes by adding the following code to the .htaccess located in the public_html of your site, outside the "# BEGIN WordPress" / "# END WordPress" block so WordPress doesn't overwrite it:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
10) Restrict anyone from accessing the wp-config.php file by adding the following code to your .htaccess:
<files wp-config.php>
order allow,deny
deny from all
</files>
11) Block any requests to xmlrpc.php (attackers abuse it a lot for various attacks; note that the Jetpack plugin and the WordPress mobile apps rely on it) by adding the following to your .htaccess:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Securing your website can be a tricky and time-consuming process, so do not hesitate to contact us to discuss the best options for you.