WordPress is web software that can be used to create websites, blogs, or applications. It is widely used and as a result often the target of attack by hackers. In order to ensure the integrity of your content, the efficiency of your hardware, and your own privacy, you need to properly harden WordPress. Over the course of several years, I have been constantly enhancing my hardening practices and wanted to share some tips learned along the way. Read on to learn more!
General
- Do not keep the defaults: avoid the default admin username and change the database table prefix (wp_). Defaults hand an attacker half of what they need to guess before they start.
- Enable lockdown features: if you do not limit login attempts, an attacker can keep guessing passwords until one works.
- Log everything to a remote logging tool (like Log Insight!) — in order to see what hackers are attempting to do
- Configure backups to a remote destination — just in case
Operating System
Since WordPress runs on a web server that runs on an operating system, you need to ensure you harden your operating system as well.
- Block all unnecessary ports: Do not expose more than you need to. I currently only expose 22, 80, and 443. Technically, 22 is not needed for WordPress, but I do have a need for it and thus leave it open — with additional hardening of course.
- Install security patches automatically: For example, have a look at this post.
- DenyHosts: This script is intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary-based attacks and brute-force attacks).
- Fail2Ban: This script scans log files and bans IPs that show signs of malicious activity: too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action can be configured. Out of the box Fail2Ban ships with filters for many services, though none are enabled by default. If you are running Apache and/or SSH then you should enable the included filters for these applications. You may also consider writing a rule that bans an IP after too many 404s in Apache; this is a free alternative to some of the plugins mentioned below.
- PHP security settings: Since WordPress runs on PHP, you need to ensure you harden PHP as well. For example, have a look at this post.
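The Fail2Ban idea above (ban a client after too many 404s or too many failed logins), worked through as an added example that is not code from the original post. The sample access log lines, the thresholds, the log path and the ban times are constructed assumptions; the detection is done here with grep and awk so it can be checked offline, and the same regular expression is then written out as a Fail2Ban filter.

```shell
#!/bin/sh
# Added example (not from the original post): Fail2Ban-style detection of
# clients that generate too many 404s or too many failed WordPress logins,
# run against a constructed Apache access log. Thresholds, paths and the
# sample log lines are assumptions for illustration.

# IPv4 pattern standing in for Fail2Ban's <HOST> token.
IP='[0-9]{1,3}(\.[0-9]{1,3}){3}'

# Constructed sample log in Apache "combined" format (not real traffic):
# 203.0.113.7 probes for files that do not exist, 198.51.100.9 hammers
# wp-login.php, 192.0.2.5 is an ordinary visitor who also logs in once.
make_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2016:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 221 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:10:00:04 +0000] "GET /.env HTTP/1.1" 404 221 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2016:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2016:10:01:05 +0000] "GET /old-page/ HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1580 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1580 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2016:10:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1580 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2016:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Read matching log lines on stdin, count them per client IP (first field)
# and print, sorted, the IPs whose count exceeds $1.
count_over() {
  awk -v max="$1" '{ c[$1]++ } END { for (ip in c) if (c[ip] > max) print ip }' | sort
}

# IPs with more than $2 "404" responses in log file $1.
excessive_404s() {
  grep -E "^$IP .* \"[A-Z]+ [^\"]*\" 404 " "$1" | count_over "$2"
}

# IPs with more than $2 failed logins in log file $1. WordPress answers a
# failed POST to wp-login.php with 200 (the form is re-rendered) and a
# successful one with a 302 redirect, so only the 200s are counted.
wp_login_failures() {
  grep -E "^$IP .* \"POST /wp-login\.php[^\"]*\" 200 " "$1" | count_over "$2"
}

# Once the expression is proven against real logs, the same regex becomes a
# Fail2Ban filter. This writes the filter and a jail stanza under $1
# (normally /etc/fail2ban). Log path, retry count and times are assumptions.
write_fail2ban_config() {
  mkdir -p "$1/filter.d"
  cat > "$1/filter.d/apache-wp-login.conf" <<'EOF'
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php[^"]*" 200 (\d+|-)
ignoreregex =
EOF
  cat > "$1/jail.local" <<'EOF'
[apache-wp-login]
enabled  = true
port     = http,https
filter   = apache-wp-login
logpath  = /var/log/apache2/access.log
maxretry = 5
findtime = 600
bantime  = 3600
EOF
}
```

Run `excessive_404s /var/log/apache2/access.log 20` against a real log before picking a threshold: ordinary visitors produce some 404s (broken links, favicon requests), so the limit must sit well above what a legitimate browser session generates within the jail's findtime. Fail2Ban's own `fail2ban-regex` tool can then be pointed at the log and the generated filter to confirm the match count before enabling the jail.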
Web Server
Since WordPress runs on a web server, you need to ensure you harden your web server as well. I am using Apache on a Linux-based operating system, which means I can leverage things such as:
- ModSecurity: This module is a toolkit for real-time web application monitoring, logging, and access control.
- .htaccess: Outside of web server modules, you can also edit the WordPress .htaccess file to provide additional security. Of course, if you have access to the web server configuration then the same rules can be placed there directly, which is also faster, since Apache then does not have to look for and parse .htaccess files on every request. Note that many WordPress plugins, discussed next, work by writing rules into the .htaccess file. If you are comfortable editing .htaccess yourself then you can skip some of the plugins, or at least some of the options available within them. One thing you may consider adding to your .htaccess file is the 6G firewall ruleset, a published set of .htaccess rules that blocks common malicious request patterns. Note that the All In One WP Security & Firewall plugin includes an option to enable the 6G firewall rules for you.
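A starting .htaccess for the WordPress document root, as an added example (not the original post's file and not the 6G ruleset). It assumes Apache 2.4 authorization syntax (Require), mod_rewrite, and that 203.0.113.0/24 is the administrator's network; the address range is a placeholder to replace.

```apache
# Added example (not from the original post): .htaccess hardening for a
# WordPress document root. Apache 2.4 syntax; 203.0.113.0/24 is a placeholder.

# Never serve directory listings.
Options -Indexes

# Files that must never reach a browser: the config, the .htaccess itself,
# stray backups and dumps, and the version-revealing readme/license files.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt|.*\.(bak|sql|log))$">
    Require all denied
</FilesMatch>

# XML-RPC is a common target for brute-force and amplification attempts;
# deny it unless something you use (mobile apps, Jetpack) needs it.
<Files xmlrpc.php>
    Require all denied
</Files>

# Only the administrator's network may reach the login form.
<Files wp-login.php>
    Require ip 203.0.113.0/24
</Files>

# Uploaded files are data, never code: refuse to execute PHP under uploads.
RewriteEngine On
RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]

# WordPress writes its own block between "# BEGIN WordPress" and
# "# END WordPress" and leaves everything outside those markers alone,
# so keep these rules above it.
```

The wp-login.php restriction only works for administrators with stable source addresses; where they log in from changing networks, protect the file with HTTP basic authentication (AuthType Basic plus an .htpasswd file) instead, which still stops unauthenticated password guessing. Restart or reload Apache is not needed for .htaccess changes, but verify after editing that the site still loads and that a request for wp-config.php returns 403.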
Plugins
A variety of WordPress plugins exist to assist with hardening a WordPress installation. It is important to note that many features of these security plugins require purchasing either a subscription or a supplemental plugin. In almost all cases, these purchases are not necessary as free alternatives can be configured through the web server directly. In fact, the majority of the functionality provided by these plugins can be done manually from the CLI. Also note that each plugin provides slightly different functionality so you may want to configure more than one of these plugins on your site.
- All In One WP Security & Firewall: This plugin offers a variety of security checks and adjustments — including 6G firewall settings. For example, all of the general recommendations made above can be configured via this plugin!
- Bulletproof Security: WordPress Website Security Protection. Website security protection against: XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking.
- Google Authenticator: For two-factor authentication when logging in.
- iThemes Security (formerly Better WP Security): This plugin takes the best WordPress security features and techniques and combines them in a single plugin thereby, ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
- Wordfence: This plugin is a free enterprise class security and performance plugin that includes a very fast caching engine, firewall, anti-virus scanning, cellphone sign-in (two factor authentication), malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security and performance plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.
Summary
As you can see, there are a lot of things you could and should do to protect your WordPress site. While protecting WordPress is important, you also need to ensure your web server and operating system are protected as well. What things do you do to secure WordPress?
© 2016, Steve Flanders. All rights reserved.