16 Tricks to Secure WordPress Site

The main reason for creating a website is global reach. Your website is your online face, and your online store is often the first impression customers get of your business. If your site cannot keep users' information secure, it will be hard to retain those users over time. Why would anyone risk their hard-earned money or privacy just to visit your site, or to buy something that is also available on someone else's site? Nobody wants to go through a business deal under those conditions.

Threats on the internet take many forms: spreading malware to site visitors, stealing customers' information, harvesting names and email addresses, and stealing credit card details and other transaction data, all of which is illegal and unethical.

Flooding your website with traffic, as in a DDoS attack, is another. If we cannot secure our site, the business takes a direct hit. WordPress is currently the most convenient platform for building a website, but WordPress sites have several weak points that need attention during development. To make sure your site is secured, follow the 16 tips below; they will strengthen the security of your portal and secure your WordPress site.

16 Tricks for Secure WordPress Site:

  1. /robots.txt
  2. /.htaccess
  3. /wp-admin/.htaccess
  4. Password Protect WordPress Admin Folder
  5. /wp-content/uploads/.htaccess
  6. Use a strong password
  7. Change default WordPress admin username
  8. Lockdown your wp-admin URL from hackers
  9. Keep your source updated
  10. Using WordPress Firewall plugin to scan your code and internal speed of WordPress site
  11. Change Table Prefix
  12. /wp-config.php
  13. Hide WordPress Version in the Header Tag
  14. Remove the Footer Credit
  15. Remove the Generator Tag in the RSS Feed
  16. Folders & Files Permissions

Now we will look at each trick in detail.

1. /robots.txt :

DEVELOPMENT ENVIRONMENT:
User-agent: *
Disallow: /
 
LIVE ENVIRONMENT:
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

2. /.htaccess :

# Strong HTACCESS Protection

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# Protect wp-config.php

<files wp-config.php>
Order deny,allow
Deny from all
</files>

# protect from SQL injection
# (note: these are signature checks for script tags and GLOBALS/_REQUEST overrides in the
# query string; they do not stop SQL injection in general, and they need mod_rewrite enabled)

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
</IfModule>

# disable directory browsing

Options -Indexes

# Block access to "hidden" directories or files whose names begin with a period. This includes directories used by version control systems such as Subversion or Git.

<IfModule mod_rewrite.c>
  RewriteCond %{SCRIPT_FILENAME} -d [OR]
  RewriteCond %{SCRIPT_FILENAME} -f
  RewriteRule "(^|/)\." - [F]
</IfModule>

# Block access to backup and source files. These files may be left by some text/html editors and pose a great security danger when anyone can access them.

<FilesMatch "(\.(bak|config|dist|fla|inc|ini|log|psd|sh|sql|swp)|~)$">
  Order allow,deny
  Deny from all
  Satisfy All
</FilesMatch>
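To see exactly which requests the three RewriteCond lines in the .htaccess above reject, the following Python snippet (added here as an example; it is not part of the original article) transcribes the patterns into regular expressions and runs a few constructed query strings through them. The query strings are made up for the demonstration. It shows that the rules are a narrow signature filter: a harmless search for "scripting" passes, a bold-tagged word "script" is rejected (a false positive), and nothing in them inspects SQL at all.

```python
import re

# Regexes transcribed from the three RewriteCond lines in the .htaccess above.
# Apache tests RewriteCond against the raw, still percent-encoded query string,
# which is why each pattern lists both the literal and the %XX form.
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)   # [NC] flag
GLOBALS_OVERRIDE = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")        # case-sensitive
REQUEST_OVERRIDE = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")       # case-sensitive

RULES = [
    ("script-tag", SCRIPT_TAG),
    ("GLOBALS", GLOBALS_OVERRIDE),
    ("_REQUEST", REQUEST_OVERRIDE),
]


def htaccess_would_block(query_string):
    """Name of the first condition that matches, or None when the request
    passes. The three RewriteCond lines are OR-chained, so one match is
    enough to reach the RewriteRule carrying the [F] (403 Forbidden) flag."""
    for name, pattern in RULES:
        if pattern.search(query_string):
            return name
    return None


# Constructed sample query strings (not taken from real traffic).
SAMPLES = {
    "p=123&s=scripting": None,                   # ordinary search, passes
    "s=%3Cb%3Escript%3C%2Fb%3E": "script-tag",   # a bold word "script": false positive
    "GLOBALS[x]=1": "GLOBALS",                    # register_globals-style override
    "_REQUEST=1": "_REQUEST",
    "q=GLOBALS": None,                            # bare word, no = [ or % after it: passes
    "q=my_requests": None,                        # lowercase; the pattern is case-sensitive
}


def audit(samples=SAMPLES):
    """Return {query: verdict} for each sample, to eyeball the filter's reach."""
    return {q: htaccess_would_block(q) for q in samples}


if __name__ == "__main__":
    for q, verdict in audit().items():
        print(f"{verdict or 'pass':10} {q}")
```

Running the script prints one verdict per sample. The point for a defender is the gap between what the comment promises and what the patterns match: treat these rules as a cheap noise filter and rely on parameterised queries in the code for actual SQL injection protection.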

3. /wp-admin/.htaccess :

# wp-admin should be accessible only from the IP addresses listed below.
# Apache does not accept trailing comments on a directive line, so notes go on their own lines.

# deny access to wp-admin from everywhere except the listed addresses

order deny,allow
# xx.xx.xx.xx is your static IP; repeat the allow line for each address, including the server's own
allow from xx.xx.xx.xx
deny from all

NOTE: Make sure admin-ajax.php calls still work. Do not forget to add the server's own IP address.

4. Password Protect WordPress Admin Folder :

First, you need to create a .htpasswds file. You can easily create one by using: http://www.htaccesstools.com/htpasswd-generator/ (the htpasswd utility that ships with Apache produces the same file locally, without sending the password to a third-party site).

Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be: /home/user/.htpasswds/public_html/wp-admin/passwd

Now in /wp-admin/.htaccess file put below code:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user PUT_YOUR_USERNAME_HERE
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Note : Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.

5. /wp-content/uploads/.htaccess :

# Disable PHP & JS file execution (block direct requests for these file types inside uploads)

<FilesMatch "\.(php|php\.)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<Files ~ "\.js$">
Order Allow,Deny
Deny from all
</Files>

6. Use a strong password :

Minimum password recommendations:
– At least 8 characters total
– Mixture of upper and lower-case letters
– Numbers, punctuation or other non-alphanumeric characters
– Example weak password: secret
– Improved strong password: Z#hupsZ2M4!Z

7. Change default WordPress admin username :

The default admin username is easy to guess, which makes a hacker's job easier, so it is better to change it.

8. Lockdown your wp-admin URL from hackers :

Use the Lockdown WP Admin plugin.

NOTE: Make sure it does not conflict with any other plugin, such as the WordPress login form to anywhere plugin.

9. Update everything WordPress :

To protect yourself from any known exploits to WordPress you should update everything related to WordPress:

Necessary updates to make:
– Update WordPress from Admin dashboard
– Update WordPress Theme
– Update WordPress Plug-ins

NOTE: Take care when updating a plugin you have customized, because in some cases the update will overwrite your customizations.

10. Using WordPress Firewall plugin to scan your code and internal speed of WordPress site :

WordPress offers many plugins that help protect a site. They guard against various attacks: blocking access to our files, changing the database table prefix to something hard to guess, scanning the source code for malware, changing the admin access URL, and so on. Below are a few plugins that will help protect our site.

1) https://wordpress.org/plugins/wordfence/
2) https://wordpress.org/plugins/exploit-scanner/
3) https://wordpress.org/plugins/tac/
4) https://wordpress.org/plugins/wp-security-scan/
5) https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
6) https://wordpress.org/plugins/wordpress-firewall-2/
7) https://it.wordpress.org/plugins/better-wp-security/
8) https://wordpress.org/plugins/bulletproof-security/

11. Change Table Prefix :

For an existing site, you can change the table prefix with the https://wordpress.org/plugins/db-prefix-change/ plugin.

12. /wp-config.php :

  • Use Secure Login via Encrypted Channel :
    WordPress users who have SSL enabled for their domain (talk to your host about this first; you won't have it by default) should use that encrypted channel to access the WordPress Dashboard. You can force admin sessions over HTTPS by defining the FORCE_SSL_ADMIN constant as true in wp-config.php. Copy and paste the following into your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
  • Disable File Editing (this will not prevent an attacker from uploading malicious files to your site, but it might stop some attacks):
    By default the WordPress Dashboard allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker uses after logging in, since it allows code execution. WordPress has a constant that disables editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities from all users. Copy and paste the following into your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);

13. Hide WordPress Version in the Header Tag :

Add the following line to the functions.php file in your theme directory, inside the existing <?php block (create a blank PHP file with this name, starting with <?php, if your theme doesn't already have one):

remove_action('wp_head', 'wp_generator');

NOTE: Check the page source to confirm that the tag below no longer appears. If it is still there, the theme prints it directly: open wp-content/themes/{name of the theme you are using}/header.php and delete the meta generator tag.
<meta name="generator" content="WordPress 2.7" />

14. Remove the Footer Credit :

To remove the footer credit, open wp-content/themes/{name of the theme you are using}/footer.php and delete the link to WordPress.

15. Remove the Generator Tag in the RSS Feed :

WordPress also gives away which version you are using in the RSS feed with a generator tag like this:

<generator>http://wordpress.org/?v=2.7</generator>

To remove the RSS generator, open wp-includes/general-template.php, search for the function called the_generator (around line 1858) and comment it out. Bear in mind that this is a core file, so the edit will be lost on the next WordPress update. Alternatively, add the code below to your theme's functions.php file:

function remove_wp_version_rss() { return ''; }
add_filter('the_generator','remove_wp_version_rss');
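The two wp-config.php constants from trick 12 and the version strings removed in tricks 13 and 15 are easy to verify after the change. The Python below is an added example, not code from the article or from WordPress: it checks a wp-config.php for the two constants and scans a saved copy of the front page and of the RSS feed for the generator tags. It also goes one step beyond the article by flagging the ?ver= parameter WordPress appends to enqueued scripts and styles, which still discloses the version after both tags are gone. All inputs are constructed samples.

```python
import re

# Constructed sample inputs standing in for a saved front page, the RSS feed
# and wp-config.php. They are not captured from a real site.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.7" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=2.7" />
</head><body></body></html>"""

SAMPLE_RSS = """<?xml version="1.0"?><rss><channel>
<generator>http://wordpress.org/?v=2.7</generator>
</channel></rss>"""

SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('FORCE_SSL_ADMIN', true);
// define('DISALLOW_FILE_EDIT', true);
"""

META_GENERATOR = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s*([^"']*)["']""", re.I)
RSS_GENERATOR = re.compile(r"<generator>[^<]*wordpress\.org/\?v=([^<]+)</generator>", re.I)
ASSET_VER = re.compile(r"[?&]ver=(\d+(?:\.\d+)+)")          # ?ver=2.7 on enqueued assets
DEFINE_BOOL = re.compile(r"""^\s*define\(\s*['"]([A-Z_]+)['"]\s*,\s*(true|false)\s*\)""", re.M)

HARDENING_CONSTANTS = ("FORCE_SSL_ADMIN", "DISALLOW_FILE_EDIT")


def version_leaks(html, rss):
    """List of (where, version) pairs that still disclose the WordPress version."""
    leaks = []
    m = META_GENERATOR.search(html)
    if m:
        leaks.append(("meta-generator", m.group(1)))
    m = RSS_GENERATOR.search(rss)
    if m:
        leaks.append(("rss-generator", m.group(1)))
    for ver in sorted(set(ASSET_VER.findall(html))):
        leaks.append(("asset-ver-param", ver))
    return leaks


def hardening_constants(wp_config_text):
    """Effective value of each recommended constant: True/False when defined,
    None when absent. Lines commented out with // or # do not match because
    the pattern requires define( at the start of the line; /* */ blocks are
    not handled, so treat a True here as 'probably', not 'certainly'."""
    found = {name: value == "true" for name, value in DEFINE_BOOL.findall(wp_config_text)}
    return {name: found.get(name) for name in HARDENING_CONSTANTS}


if __name__ == "__main__":
    print("version leaks:", version_leaks(SAMPLE_HTML, SAMPLE_RSS))
    print("wp-config constants:", hardening_constants(SAMPLE_WP_CONFIG))
```

For a real check, save the front page and the feed with a normal HTTP client and pass their contents in place of the samples; an empty list from version_leaks() together with True for both constants is the state the three tricks aim for. The ?ver= finding is the one the article does not cover: removing it needs the theme or a plugin to enqueue assets with an explicit version.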

16. Folders & Files Permissions :

chown -R apache:apache /path/to/your/wordpress/install/public_html/  # Let Apache be owner

find /path/to/your/wordpress/install/public_html/ -type d -exec chmod 755 {} \;  # Change directory permissions rwxr-xr-x

find /path/to/your/wordpress/install/public_html/ -type f -exec chmod 644 {} \;  # Change file permissions rw-r--r--

After the setup you should tighten the access rights, according to Hardening WordPress (http://codex.wordpress.org/Hardening_WordPress) all files except for wp-content should be writeable by your user account only. wp-content must be writable by Apache too.

chown -R <username>:<username> /path/to/your/wordpress/install/public_html/  # Let your user account be owner

chown -R apache:apache /path/to/your/wordpress/install/public_html/wp-content  # Let Apache own wp-content and everything under it

IMPORTANT:
– Depending on requirements (plugins in use, theme cache, upload folder, if any), some folder permissions may need to be 755 or 777.
– To avoid security issues, avoid 777 permissions on any folder or file.
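The two find commands and the warning about 777 map onto a small audit that can be run before and after the change. The Python below is an added example (not from the article or from the Hardening WordPress page): it builds a throwaway stand-in for a document root in a temporary directory, lists every world-writable entry, applies the 755/644 baseline the find commands describe, and confirms the tree is clean afterwards. The chown steps are left out because they need root; the paths and modes in the sample tree are constructed.

```python
import os
import stat
import tempfile

DIR_MODE, FILE_MODE = 0o755, 0o644   # rwxr-xr-x and rw-r--r-- from the find commands above


def world_writable(root):
    """Relative paths under root that carry the other-write bit, i.e. the
    777/666 modes the article says to avoid. Symlinks are skipped because
    their own mode bits are not meaningful."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if os.lstat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def apply_baseline(root):
    """Equivalent of the two find/chmod commands: 755 on every directory,
    644 on every file. Returns how many entries actually changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        targets = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, mode in targets:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if stat.S_IMODE(os.lstat(path).st_mode) != mode:
                os.chmod(path, mode)
                changed += 1
    return changed


def build_sample_tree(root):
    """Constructed stand-in for a WordPress docroot with a typical mistake:
    an uploads folder and a file in it left world-writable by an installer."""
    os.makedirs(os.path.join(root, "wp-admin"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/2024.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("placeholder\n")
    apply_baseline(root)                      # start from a clean 755/644 tree, umask-independent
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    os.chmod(os.path.join(root, "wp-content", "uploads", "2024.jpg"), 0o666)


def demo():
    """Build the sample tree in a temp dir, audit, fix, audit again.
    Returns (findings before, entries changed, findings after, mode of wp-config.php)."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    build_sample_tree(root)
    before = world_writable(root)
    changed = apply_baseline(root)
    after = world_writable(root)
    wp_config_mode = stat.S_IMODE(os.stat(os.path.join(root, "wp-config.php")).st_mode)
    return before, changed, after, wp_config_mode


if __name__ == "__main__":
    before, changed, after, mode = demo()
    print("world-writable before:", before)
    print("entries changed:", changed)
    print("world-writable after:", after)
    print("wp-config.php mode:", oct(mode))
```

Against a real install, point world_writable() and apply_baseline() at the public_html path instead of the temp directory, and keep in mind that Hardening WordPress goes further for wp-config.php itself (a mode more restrictive than the 644 baseline) where the web server user does not need to write it.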
