Secure WordPress

There are many really great articles on the internet about how best to secure WordPress, comparisons between plugins, and advice on what steps can be taken when a WordPress instance has been “hacked” or defaced, or worse.  There are even some leading-edge companies out there, such as Sucuri, who specialise in security and in cleaning up WordPress for you in the event of a problem or breach.  Most of these services come at a cost, and are usually only engaged by website owners and managers after the fact.  In our experience we are only ever engaged when there is a problem.  Occasionally we do get asked to proactively secure a WordPress instance, to perform a review, or perhaps to conduct some penetration or security testing against a website.

Act first, prevent now

The best time to implement security measures is as early as possible.  Take proactive steps from the very first day your WordPress based website is installed and then maintain the security from that day forwards.  There are a number of tools, plugins and utilities, all of which are free, that you can add to your arsenal for trying to prevent any damage to your website.  This in no way guarantees protection, but does significantly increase your chances of detection, prevention and cure.

Here we give a brief overview of some of the steps we take when creating new self-hosted instances of WordPress.  These steps are performed as a matter of course for all our customer websites running WordPress – we’ve created our own distribution which we add to or enhance as often as required, reducing our maintenance time and speeding up website deployment for our customers.  We go the extra mile to protect our customers’ websites and also to reduce the need for us to get involved quite as often.

Installing WordPress

We always update our custom distribution with the latest tarball or updates direct from wordpress.org/latest.tar.gz and then carry out our additional actions and maintenance on top of this.  Whilst WordPress has a very, very easy installation and setup process, there are further steps which can help you secure your site, whilst keeping it running smoothly and notifying you of any updates that might be required early on.

Of course we always recommend wherever possible to maintain the latest and greatest version of the software and plugins available, and immediately upgrade whenever there are security based releases or patches.  This also extends to themes, of course.

Base installation security

Depending on your web hosting platform, you should be able to get up and running quickly by un-tarring the software distribution from WordPress, moving the software to the right directory according to your requirements and updating the ownership of all files and directories as appropriate (usually if you are un-tarring as root).  Sometimes you may also need to change the permissions on the wp-content folder so that any resulting additional directories, plugins, uploads and suchlike can be created.  The web hosting platform that we have created for our customers does not require any additional configuration and can be used straight away 🙂

So the initial steps that we usually take are:

1. Remove the readme.html file from the root installation of WordPress.  This can expose the WordPress version and gives a little more information to potential intruders than is necessary.

2. Add the option define('DISALLOW_FILE_EDIT',true); to wp-config.php – this prevents themes and plugins from being edited through the WordPress interface and adds another layer of security, especially if you use a lot of plugins; any one of them could contain a bug which allows a change to be made.  This option removes that capability.

3. Rename your database table prefix – in wp-config.php, change the default wp_ to something else.

4. Ensure that you generate and insert a new authentication unique key and salt from https://api.wordpress.org/secret-key/1.1/salt/

5. Generate your WordPress database with a strong and unique password.  We use pwgen on Linux to generate strong passwords of at least 10 characters with special characters, completely random generation and no vowels (pwgen -y -s -v 10).

6. Create wp-content/uploads/index.php – touching the file will be enough to stop the directory being browsable.

7. Optionally, if you are experienced and especially paranoid about security, only run your website over SSL and use HTTPS for your server.  You can get free SSL certificates for your website from www.startssl.com.
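Steps 1 to 6 above as a single script, added here as an example and not taken from the original post: it takes the docroot and the new table prefix as arguments, uses locally generated random strings in place of both the salts fetched from api.wordpress.org and the pwgen password, and ships a constructed stand-in tree (make_demo_tree) so it can be tried offline before being pointed at a real installation.

```shell
# Added hardening pass (not from the post) for steps 1-6 on a WordPress tree.
set -eu

# Local stand-in for the api.wordpress.org salts and for pwgen: N random
# alphanumerics, safe inside a PHP single-quoted string and a sed replacement.
rand_key() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"; }
# sed edit of file $2 without relying on GNU/BSD-specific sed -i behaviour.
edit() { sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"; }

harden_wp() {
  docroot="$1"; prefix="$2"; cfg="$docroot/wp-config.php"
  case "$prefix" in ""|*[!a-z0-9_]*) echo "bad prefix: $prefix" >&2; return 1;; esac
  rm -f "$docroot/readme.html"                # 1. stop disclosing the version
  [ -f "$cfg" ] || cp "$docroot/wp-config-sample.php" "$cfg"
  # 2. Define DISALLOW_FILE_EDIT above the "stop editing" marker, i.e. before
  #    wp-settings.php is loaded.
  awk -v l="define( 'DISALLOW_FILE_EDIT', true );" \
    '/That.s all, stop editing/ { print l } { print }' "$cfg" > "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
  # 3. Replace the default wp_ table prefix.
  edit "s|^\\\$table_prefix *= *'wp_';|\$table_prefix = '$prefix';|" "$cfg"
  # 4. Fresh 64-character salts for all eight keys.
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    edit "s|^define( *'$k'.*|define( '$k', '$(rand_key 64)' );|" "$cfg"
  done
  # 5. Strong DB password (the post uses pwgen -y -s -v 10; its symbols would
  #    need escaping for PHP and sed, so rand_key stands in here).
  edit "s|^define( *'DB_PASSWORD'.*|define( 'DB_PASSWORD', '$(rand_key 16)' );|" "$cfg"
  # 6. An empty index.php stops the uploads directory being listed.
  mkdir -p "$docroot/wp-content/uploads"
  : > "$docroot/wp-content/uploads/index.php"
}

# Constructed stand-in for a fresh tree: a version-bearing readme.html and the
# relevant lines of wp-config-sample.php. Prints the directory path.
make_demo_tree() {
  d=$(mktemp -d); mkdir -p "$d/wp-content"
  echo '<p>Version 3.5</p>' > "$d/readme.html"
  cat > "$d/wp-config-sample.php" <<'EOF'
<?php
define( 'DB_PASSWORD', 'password_here' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
  echo "$d"
}
```

The database user still has to be created with the password the script wrote into DB_PASSWORD; the script only prepares the files.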

Web based installation process

As you start the initial configuration and install process for your new website, there are some additional items which you can take note of as “best practice” to secure your WordPress instance.

1. Don’t stick with the default “admin” username for the administrator account.  Choose something else.  This will mitigate the risk of someone trying a brute-force attack to guess your password for the default admin username.

2. Ensure you use a strong password for your administrator account (use pwgen again for this if you have it).

3. As WordPress itself says, “That’s it!”.  Well, yes, your WordPress instance is now installed, configured and you can log in.  But it doesn’t stop there.  Let’s get straight to the plugins so that you can further secure your website.

Installing plugins

As mentioned earlier, we have a base set of plugins which we include in our WordPress distribution and then install any others as required.  Some deal with security, some with maintenance, and some are just plain useful.  We also make a point of trashing the demo comment, page, post and all the default WordPress links, so we have a clean base to start with.

Here’s the list with an explanation of each one.

1. Akismet – Comment spam protection plugin.  It comes by default with WordPress and is free for non-commercial sites.  You can even name your own price according to how useful you think automatically dealing with comment spam is to your website.  It’s easy to sign up for, only requires a key to become active and sits there in the background doing its thing.

2. BackupBuddy – An all-in-one solution for backing up your WordPress instance.  It’s a paid-for plugin, but we offer it to all our customers as standard.  We have backed-up, moved and restored many websites with this excellent, well and regularly maintained plugin.  It also supports backups to Dropbox, Amazon S3, Rackspace cloud, FTP server, email or direct download as soon as they have finished.

3. Block Bad Queries – This is a basic plugin which involves creating wp-content/plugins/blockbadqueries.php yourself with the following code:

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
// Fragments that have no business in a legitimate request URI.
$bbq_patterns = array("eval(", "CONCAT", "UNION+SELECT", "base64");
$bbq_uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
foreach ($bbq_patterns as $bbq_pattern) {
    // Compare against false: strpos() returns 0 for a match at offset 0,
    // which a bare truthiness test would treat as "not found".
    if (strpos($bbq_uri, $bbq_pattern) !== false) {
        @header("HTTP/1.1 400 Bad Request");
        @header("Status: 400 Bad Request");
        @header("Connection: Close");
        exit;
    }
}
// No closing ?> tag: trailing whitespace after it would be sent as output
// before the headers above.

This will then appear in your plugins panel and can be activated.

4. Broken Link Checker – A great little plugin which emails you when it detects broken links in your pages or WordPress configuration allowing you to fix, remove, or update them quickly and easily.

5. Easy Theme and Plugin Upgrades – This handy plugin adds the capability to upgrade existing themes and plugins, which is very useful if you use “premium” themes which might only be available as a download rather than through the WordPress plugins interface.  It lets you directly upgrade the existing copy, whilst also creating a backup of the old one, for easy rollback or restore in the event of a problem.

6. JetPack by WordPress.com – A suite of free plugins, including site statistics, layout enhancements, social media integration, gallery functionality improvements and many more.

7. Quick Cache – If you are running a WordPress instance you definitely need to have some sort of caching.  There are a number of plugins out there to perform this function, all the way up to integrating with content delivery networks (CDN) for large scale sites.  The Quick Cache plugin, once installed, only needs a single option – to turn it on and save, and it will do the rest of the work for you.  Great for small to medium sized WordPress websites.

8. Secure WordPress – A plugin from the same people who brought us WebsiteDefender which we have blogged about extensively in the past.  This enables a number of security options, removes version information and changes failed login functionality.

9. TimThumb Vulnerability Scanner – This little plugin focuses on a single PHP image thumbnail generator which historically had a number of vulnerabilities.  This plugin scans for instances of the TimThumb script and, if it finds one, offers the ability to replace it with the latest version.  Quite a few custom templates use TimThumb so it’s always a good plugin to have just in case.

10. Ultimate Security Checker – We particularly like this plugin as it gives you a “score” on the top admin menu bar when you are logged into WordPress – you can immediately see how your website is performing security-wise, and it lets you take a number of actions from the interface.

11. WordPress Firewall 2 – A firewall plugin which detects and prevents malicious attacks, with an optional notification email if you so desire.  Please note that if you use the WP Remote plugin for remote management and maintenance of your website, you will need to add the following IP addresses to the plugin’s whitelisted IPs configuration; these are the Amazon AWS cloud servers that WP Remote uses:

107.22.153.142
107.22.229.204

12. WordPress Sentinel – This is a superb plugin which takes a snapshot of your WordPress instance, files, configuration, and immediately alerts you if anything has changed.  It can get a little annoying if you make a lot of changes or plugin installs, so for this reason we recommend that you leave this one for last and snapshot everything new.  Then you will be warned if anything changes in the future, and are given the opportunity to see the differences between old and new.

13. WP-Notify – Get early notification of any software that is out of date with this handy plugin which simply sends you an email advising when a new version is available – which may potentially be a security update!  Either way it’s great to get the latest and greatest.

14. WP Remote – We mentioned this earlier – it’s a free service that allows you to monitor, upgrade and update your website from their application dashboard.  Read our earlier blogs on Manage WP and the extortionate charges they apply for almost the same service to see why we opted for, and support, this excellent free service from Human Made.

15. WP Security Scan – Another plugin from the WebsiteDefender folks – it helps you rename your database if you forgot to do so in the earlier step, provides a strong password generator and gives additional security recommendations.

Update your operating system

Whether you run your own virtual private server, or are hosted by a company, there are a couple of things you can do to ensure that your WordPress instance, web server and website software interpreter (PHP, Perl etc.) are not giving out more information than necessary.  You can ask your hosting provider to do many things and most of us are very open to suggestions – improving security for one person means potentially improved security for everyone.  So it’s always worth asking the question.  And of course a fundamental item is to ensure that your web server host itself is up to date and that all versions of the software running on the system are up to date, too.

In the case of WordPress, there are two things we always do on new servers we deploy, or when we are making security changes for customers who want to proactively be more secure:

1. Disable PHP version report.  This is an easy fix – in php.ini simply disable the expose_php option:

expose_php = Off

2. Disable HTTP version report.  This is also an easy fix – in Apache httpd.conf, change the ServerTokens value:

ServerTokens Prod

These both reduce the information given out in response headers to the minimum: expose_php = Off stops PHP adding its X-Powered-By header, and ServerTokens Prod trims the Server header to the product name alone.
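A quick way to confirm that both settings took effect, added here as an example and not part of the original post: a shell function that reads raw response headers on stdin (for instance from curl -sI against your own site; example.test below is a hypothetical host) and flags a Server or X-Powered-By header that still carries a version. The sample headers at the bottom are constructed.

```shell
# Added check (not from the post): reads raw HTTP response headers on stdin,
# e.g. from `curl -sI https://example.test/` (hypothetical host), and flags a
# Server or X-Powered-By header that still discloses a software version.
# Returns 0 when nothing leaks, 1 otherwise.
check_headers() {
  leaks=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')            # strip CRLF endings
    name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')  # names are case-insensitive
    value=${line#*:}; value=${value# }
    case "$name" in
      x-powered-by)   # PHP only sends this while expose_php = On
        echo "LEAK: X-Powered-By: $value"; leaks=$((leaks + 1)) ;;
      server)         # ServerTokens Prod leaves just the product name, e.g. "Apache";
                      # a "/<digit>" suffix or a parenthesised OS token means more
        case "$value" in
          */[0-9]*|*\(*) echo "LEAK: Server: $value"; leaks=$((leaks + 1)) ;;
        esac ;;
    esac
  done
  [ "$leaks" -eq 0 ]
}

# Constructed sample: what a default LAMP install typically returns.
sample='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8'
printf '%s\n' "$sample" | check_headers || echo "set expose_php = Off and ServerTokens Prod"
```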

Additional services

Remember there are other services out there to protect you from the nasties on the net and give you the option to scan your site remotely – we still recommend the WebsiteDefender services and the monitoring they make possible.  Take a look through our previous blogs for more information or pay a visit to their site to check it out yourself.

We also recently implemented Monitis for all our website, system and server monitoring, which we highly recommend as a scalable solution.  This monitors services for us remotely, notifies in the event of a problem, and also tracks and trends uptime, with configurable options for any customers who really need SLA monitoring and other reporting capabilities.

Why not contact us to see if we can help secure your systems?  We don’t only deal with WordPress, and have a great deal of experience and knowledge in many other areas as outlined in our services.  We also offer monthly plans for maintenance and management, giving you our commitment and peace of mind that we will be active in our response to you, whatever the situation.
