How to secure your WordPress based website

Securing a WordPress based website is a real challenge.
WordPress is one of the most popular CMSs worldwide, so attackers have a strong interest in finding new exploits for it.
Below are a few steps and practices to help you secure your WordPress installation.

1) Do not use nulled themes and plugins.

A common practice is to plant obfuscated code (often IonCube encoded, so you cannot read it) inside nulled themes and plugins; once the theme is installed, that code gives the attacker a permanent backdoor into your website.
It is the surest way to get your website hacked.
Even if you remove the encoded code, the rest of the site may already be compromised, and you may also remove a part the theme needs in order to work.

Pirated "free" premium themes are appealing, but they remain the easiest way to turn your WordPress website into an attacker's bot.

2) Always update your WordPress installation.

The WordPress project regularly releases security updates, and they should be deployed on your website as soon as they are available.
Each update patches the vulnerabilities that have been fixed so far, widely publicised or not; it cannot protect you against a flaw that has not been fixed yet, so keep your themes and plugins current as well, since they are patched on their own schedule.

3) Change the default administrator username

Older WordPress installers created the administrator account with the username "admin" by default, and brute-force tools try that name first; rename it so an attacker has to guess both the username and the password.
At HostStage, shared web hosting and reseller web hosting accounts are protected by a firewall that blocks brute-force attempts against your website, but you can never be too cautious.

WordPress does not let you rename a user from the dashboard: create a new user, give it the Administrator role, log in as that user, and only then delete the "admin" user (attribute its posts to the new account when WordPress asks).

4) Use a complex password

Most brute-force attacks nowadays are run with dictionaries of the most common passwords.
Use a long, random string of characters so that your password cannot be guessed from such a list.
Never base it on personal information such as a birth date or anything about you that is public or easy to find.

5) Change your database prefix (wp_)

With the default MySQL table prefix, attackers know your table names in advance (wp_users, wp_options and so on), so ready-made injection payloads work against your site without any reconnaissance. Changing the prefix is only obscurity: it does not fix an injectable query, and the real table names can still be recovered from information_schema or from error messages, so treat it as a speed bump for automated attacks and not as a fix.

To change the prefix on an existing installation, do the following:

*Please note that before doing this step, it is strongly recommended to perform a full cPanel backup*
At HostStage, on shared web hosting and reseller web hosting, and also on dedicated servers / Linux VPS with the cPremote option, we take a nightly backup of your website which you can restore from your cPanel directly.

a) Open any FTP client, or the cPanel file manager, and edit the wp-config.php file. Find the line:

$table_prefix = 'wp_';

and change it to:

$table_prefix = 'randomsprefix_';

(randomsprefix_ is a placeholder; pick your own. WordPress only accepts letters, digits and underscores in the prefix, and by convention it ends with an underscore.)

b) Open your cPanel, go to phpMyAdmin, select your WordPress database, open the SQL tab and run the following. The list covers the core tables; WordPress 4.4 and later also has wp_termmeta, and plugins create their own wp_ tables, so add a RENAME for every other table in the database that starts with wp_:

RENAME table `wp_commentmeta` TO `randomsprefix_commentmeta`;
RENAME table `wp_comments` TO `randomsprefix_comments`;
RENAME table `wp_links` TO `randomsprefix_links`;
RENAME table `wp_options` TO `randomsprefix_options`;
RENAME table `wp_postmeta` TO `randomsprefix_postmeta`;
RENAME table `wp_posts` TO `randomsprefix_posts`;
RENAME table `wp_terms` TO `randomsprefix_terms`;
RENAME table `wp_term_relationships` TO `randomsprefix_term_relationships`;
RENAME table `wp_term_taxonomy` TO `randomsprefix_term_taxonomy`;
RENAME table `wp_usermeta` TO `randomsprefix_usermeta`;
RENAME table `wp_users` TO `randomsprefix_users`;

Then find the rows whose name still carries the old prefix (in wp_options it is wp_user_roles; in wp_usermeta it is wp_capabilities, wp_user_level and the wp_user-settings keys):

SELECT * FROM `randomsprefix_options` WHERE `option_name` LIKE 'wp\_%';
SELECT * FROM `randomsprefix_usermeta` WHERE `meta_key` LIKE 'wp\_%';

(The pattern is anchored at the start and the underscore is escaped: in LIKE, _ matches any single character, so an unanchored '%wp_%' also returns unrelated rows such as the options of a plugin whose name starts with wp.) Rename every row these queries return by replacing the leading wp_ with your new prefix; until you do, WordPress cannot find the user roles and every account, including yours, loses its administrator rights. Then you are done. Of course, if you are installing WordPress right now, you can set the prefix in the installer and skip the renames.
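Renaming the rows the two SELECT queries locate is the part most people get wrong, so here is an added example (not part of the original article and not WordPress code) that prints the complete statement set for a prefix change: the RENAME TABLE for each core table plus the two UPDATE statements for wp_options and wp_usermeta that the manual procedure leaves to you. It is a POSIX shell script whose output is meant for the mysql client or the phpMyAdmin SQL tab; the core table list, the lowercase-only prefix rule, the function names and the randomsprefix_ name are assumptions of the example.

```sh
#!/bin/sh
# Added example, not code from the article or from WordPress: emit every SQL
# statement needed to move a WordPress database from one table prefix to another.
# Assumptions: MySQL/MariaDB, the core table list below (plugin tables are passed
# as extra arguments), and prefixes limited to [a-z0-9_] that end in "_".

CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy termmeta usermeta users"

# valid_prefix PREFIX -> succeeds if PREFIX is non-empty, only [a-z0-9_], ends in "_".
# This keeps the prefix safe inside backtick-quoted identifiers and LIKE patterns.
valid_prefix() {
    case "$1" in
        ""|*[!a-z0-9_]*) return 1 ;;
        *_) return 0 ;;
        *) return 1 ;;
    esac
}

# like_escape PREFIX -> PREFIX with "_" escaped for a LIKE pattern. In LIKE, "_" is a
# single-character wildcard, so 'wp_%' alone would also match names such as "wpseo_..."
like_escape() {
    printf '%s' "$1" | sed 's/_/\\_/g'
}

# prefix_sql OLD NEW [TABLE...] -> print the statements in the order to run them.
prefix_sql() {
    [ $# -ge 2 ] || { echo "usage: prefix_sql OLD NEW [TABLE...]" >&2; return 1; }
    old=$1; new=$2; shift 2
    tables="$CORE_TABLES $*"
    valid_prefix "$old" && valid_prefix "$new" || { echo "invalid prefix" >&2; return 1; }
    old_like=$(like_escape "$old")
    start=$(( ${#old} + 1 ))          # SUBSTRING() is 1-based: skip the old prefix

    for t in $tables; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # Rows whose *name* embeds the prefix: user_roles in options; capabilities,
    # user_level and user-settings in usermeta. Without these two updates every
    # account, including yours, loses its role after the rename.
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$old_like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$old_like"
}

# Usage: prefix_sql wp_ randomsprefix_ | mysql -u DBUSER -p DBNAME
# (or copy the output into the phpMyAdmin SQL tab). Back up the database first.
if [ $# -ge 2 ]; then prefix_sql "$@"; fi
```

Run it with the old and new prefix, review the output, and only then feed it to the database; drop any table from the list that your installation does not have (wp_termmeta on a WordPress older than 4.4) and append the names of plugin tables. Note that RENAME TABLE commits implicitly in MySQL, so there is no transaction to roll back; the backup is your undo.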


6) Install the WP Security Scan plugin. It scans your website for malicious code and assists you in cleaning it up.
It also removes the WordPress version number from the <head> section of your pages, so your site is not found by attackers who search Google for version footprints (hiding the version patches nothing, so this is no substitute for step 2).
WP Security Scan also checks your file permissions and helps you tighten them.

7) On a Linux VPS or dedicated server, do not run PHP as a DSO (mod_php) handler alone; use suPHP with suExec (or another per-user handler) and double-check your file permissions. Under DSO, PHP runs as the web server user (nobody), so WordPress can only write to world-writable files and directories, and a script hijacked in one account can write into every other account on the server. With suPHP and suExec each account's scripts run as that account's own user, so 644 files and 755 directories are enough and wp-config.php can be locked down to 600.
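What "double-check your file permissions" means in practice under a per-user handler: files 644, directories 755, wp-config.php 600 and nothing writable by "other". Here is an added example (not the article's code) that audits a WordPress directory for world-writable entries and an over-exposed wp-config.php, and fixes them. It is a POSIX shell script; the function names and the 644/755/600 policy are the example's own choices and assume PHP runs as the account owner (suPHP/suExec). Under DSO the same policy would break uploads, which is exactly the point of the step.

```sh
#!/bin/sh
# Added example, not code from the article: audit and fix WordPress file permissions
# for a per-user PHP handler (suPHP/suExec), where PHP runs as the account owner and
# nothing needs to be writable by the web server user. Assumes POSIX sh and find.

# perms_audit DIR -> print each offending path with its problem; succeed only if none.
# Offending: anything writable by "other" (what DSO setups end up needing, and what
# lets a hijacked neighbour write into your site) and a wp-config.php readable by "other".
perms_audit() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    bad=$(
        find "$dir" -perm -002 -print | sed 's/$/: world-writable/'
        find "$dir" -name wp-config.php -perm -004 -print | sed 's/$/: readable by other/'
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# perms_fix DIR -> directories 755, files 644, wp-config.php 600 (owner only; PHP runs
# as the owner under suPHP, so WordPress can still read it).
perms_fix() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} + &&
    find "$dir" -type f -exec chmod 644 {} + &&
    { [ ! -f "$dir/wp-config.php" ] || chmod 600 "$dir/wp-config.php"; }
}

# Usage: perms_audit /home/ACCOUNT/public_html || perms_fix /home/ACCOUNT/public_html
```

Run the audit first and read its output before fixing: a 777 wp-content/uploads is the classic leftover of a DSO setup, and if the audit keeps finding it after a fix, something (a plugin or a cron job) is still chmod-ing it back.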


8) Change the WordPress secret keys and salts in your wp-config.php file.

Go to the link below: http://api.wordpress.org/secret-key/1.1/ (or https://api.wordpress.org/secret-key/1.1/salt/ for the full set of eight keys and salts)

and replace the define() lines for those keys in your wp-config.php with the ones the link generates.
The keys and salts are used to sign the login and session cookies and to generate nonces; fresh random values make the cookies unforgeable and immediately invalidate every existing session, which is exactly what you want after a compromise. They do not change the password hashes stored in the database; WordPress salts those separately.
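Replacing the eight lines by hand is error-prone (one stale key left in place is easy to miss), so here is an added example, not the article's or WordPress's own code, that swaps the define() lines for a freshly fetched set and verifies the result. It is a POSIX shell script; the function names, the salt-file argument and the assumption that each define() sits on its own line, as in wp-config-sample.php, are the example's own.

```sh
#!/bin/sh
# Added example, not code from the article or from WordPress: replace the eight
# AUTH_KEY .. NONCE_SALT define() lines in wp-config.php with the set fetched from
# api.wordpress.org. Assumptions: POSIX sh/awk/grep, one define() per line (as in
# wp-config-sample.php), curl available for the online fetch.

SALT_URL="https://api.wordpress.org/secret-key/1.1/salt/"
KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# check_salts FILE -> succeeds if FILE defines each of the eight names exactly once.
# Used both on the downloaded set (a truncated download must not wipe your keys)
# and on the rewritten config.
check_salts() {
    for k in $KEYS; do
        n=$(grep -c "define( *'$k'" "$1" 2>/dev/null || true)
        [ "${n:-0}" -eq 1 ] || return 1
    done
}

# install_salts CONFIG SALTFILE -> rewrite CONFIG: the old define() lines are dropped
# and SALTFILE's lines are inserted where the first of them stood, so the rest of the
# file (DB settings, $table_prefix, ...) is untouched. CONFIG.bak keeps the original.
install_salts() {
    config=$1; salts=$2
    check_salts "$salts" || { echo "salt file is not a complete set of 8 keys" >&2; return 1; }
    cp "$config" "$config.bak" || return 1
    awk -v saltfile="$salts" -v keys="$(printf '%s' "$KEYS" | tr ' ' '|')" -v q="'" '
        BEGIN { pat = "define\\( *" q "(" keys ")" q }
        $0 ~ pat {
            if (!done) { while ((getline line < saltfile) > 0) print line; done = 1 }
            next                      # drop the stale define()
        }
        { print }
    ' "$config.bak" > "$config" || return 1
    check_salts "$config"             # fail loudly if the config ended up without a key
}

# rotate_salts CONFIG -> fetch a new set, install it, and thereby log every user out
# (their cookies no longer verify against the new keys).
rotate_salts() {
    tmp=$(mktemp) || return 1
    curl -fsS "$SALT_URL" -o "$tmp" && install_salts "$1" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage: rotate_salts /home/ACCOUNT/public_html/wp-config.php
if [ $# -eq 1 ]; then rotate_salts "$1"; fi
```

The check on the downloaded file matters more than it looks: if the fetch fails half-way, a naive sed would happily delete your keys and insert seven, and WordPress would then fall back to weak defaults for the missing one. Keep the .bak file until you have confirmed you can log in again.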

9) Create a file named robots.txt in your public_html folder (or your WordPress directory) and add the following:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

This keeps Google from indexing the parts of your site that should stay out of search results, so an exploitable plugin (such as Revslider) is not found through its footprint in Google. Be clear about what it does not do: robots.txt is a public file that only well-behaved crawlers honour, and attackers read it as a map of what you want hidden and then request those paths directly, so it hides nothing from a targeted scan. Also note that blocking /wp-includes and /wp-content/themes/ stops Google from fetching the CSS and JavaScript it needs to render your pages, which can hurt your ranking; for most sites disallowing /wp-admin and the plugin directory is enough.


10) The last step is to restrict access to sensitive parts of your site, such as the wp-config.php file and the wp-includes folder.
Go to your public_html directory (or the default WordPress installation directory) and append the following to the .htaccess file. Three cautions: the directives that protect .htaccess must stay inside their <Files .htaccess> wrapper, otherwise they deny access to the whole site; the wp-includes rules are the ones the official Hardening WordPress guide gives and do not suit a Multisite installation, where they block ms-files.php; and on Apache 2.4 without mod_access_compat, write `Require all denied` in place of each `order allow,deny` / `deny from all` pair.

# Protect the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

# Block the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Block wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Basic query-string filter: rejects the most common XSS and register_globals
# probes in the query string. It is a crude pattern match, not a real SQL
# injection defence; keep your code and plugins patched.
<IfModule mod_rewrite.c>
# Only keep the Options line if your host allows Options in .htaccess;
# where it is forbidden, Apache answers every request with a 500 error.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]
</IfModule>

After saving, load the home page, the admin area and one upload to confirm nothing legitimate is blocked, and check that a direct request for /wp-config.php and /.htaccess returns 403.



That's it! Following these 10 steps removes the easiest attack paths against a WordPress website and keeps out the bulk of the opportunistic, automated attacks that hit most sites. Most of the steps are easy to set up and should not be neglected.
