Setting up WordPress security after installation. We break and protect WordPress with our own hands. Determining installed components

Today on Nulled I read a pretty good article about improving website security on WordPress. Since the text on nulled is visible only to registered users with a certain number of posts, I will post the article on my blog for public use 😉 In general, I also invite everyone to read it and make their own suggestions and corrections (if, of course, there are any).

1. Before installation;
2. After installation;
3. Periodic checks and updates.

1. Before installation

1.1. We delete all unnecessary files:
readme.html, license.txt, hello.php, unnecessary themes and plugins.

1.2. Let's edit the wp-config.php file correctly:

define("DB_NAME", "wpdb"); // Instead of "wpdb" you need to come up with a strong name, for example, wp433Fd6HW
define("DB_USER", "wpuser"); // For example, UserFB56SKl
define("DB_PASSWORD", "strongpassword"); // There should be a strong password, for example, 'FE876!8e#fh#9fDfds9f'
define("DB_HOST", "localhost"); // In 99% of cases this value does not need to be changed
define("DB_CHARSET", "utf8");
define("DB_COLLATE", "");

Change the secret key from the default:

define("AUTH_KEY", "izmenite eto na unikalnuyu frazu");
define("SECURE_AUTH_KEY", "izmenite eto na unikalnuyu frazu");
define("LOGGED_IN_KEY", "izmenite eto na unikalnuyu frazu");
define("NONCE_KEY", "izmenite eto na unikalnuyu frazu");

to the generated one using the service

define("AUTH_KEY", "M.uFL(R Bw5UkRw%P&+>E*jJZBikz3-OV7sO*-_g*(9z,PnM,T&LPAE");
define("NONCE_KEY", "d2A~8NBb%2?+6`z)?nWoD0`f]-.gUOC");

Making tables more secure:

$table_prefix = "wp_4i32aK_"; // Use only letters, numbers and underscores to make your table_prefix unique. At least this will protect you from some public exploits.

1.3. Create a user and database for the blog in the MySQL console:
First, log in as root and create a database for the blog:

$ mysql -u root
mysql> CREATE database wpdb;

$ mysql -u root
mysql> CREATE database wp433Fd6HW;
Query OK, 1 row affected (0.00 sec)

Then we create a user. This account will only have access to the WordPress database, and because it is defined for "localhost" it can only connect from the local server, not remotely.

mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
    -> ON wpdb.*
    -> TO "wpuser"@"localhost"
    -> IDENTIFIED BY "strongpassword";
Query OK, 0 rows affected (0.01 sec)

In our example it will look like this:

mysql> GRANT SELECT,INSERT,UPDATE,DELETE,CREATE,DROP
-> ON wp433Fd6HW.*
-> TO "UserFB56SKl"@"localhost"
-> IDENTIFIED BY "FE876!8e#fh#9fDfds9f";
Query OK, 0 rows affected (0.01 sec)

1.4. Remove the meta block from your theme code
In the standard theme, the sidebar code responsible for displaying the meta block is the list headed "Meta" with the items "Valid XHTML", "XFN" and "WordPress"; remove that list from the theme.
    2. After installation

    2.1. Changing the default Administrator password
    Change the Administrator password generated during installation

    2.2. Removing the WordPress version
    Add the following line (for example, to the functions.php file in the folder with your theme):

    remove_action("wp_head", "wp_generator");

    In the header.php file in the folder with your theme, delete the line:

    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

    For WordPress version 2.8.4, find the implementation of the get_the_generator($type) function and change it:

    function get_the_generator($type) {
        $gen = "";
        return apply_filters("get_the_generator_{$type}", $gen, $type);
    }

    2.3. Empty index.php
    Place an empty index.php file in the wp-includes/, wp-content/, /plugins/ folders

    2.4. Changing the Admin username to something less obvious
    Change the name via the MySQL console:

    $ mysql -u wpuser -p
    mysql> USE wpdb;
    mysql> UPDATE wp_users SET user_login="adm" WHERE user_login="admin";

    In our example it will look like this:

    $ mysql -u UserFB56SKl -p
    mysql> USE wp433Fd6HW;
    mysql> UPDATE wp_4i32aK_users SET user_login="adm234Df" WHERE user_login="admin";
    Query OK, 1 row affected (0.01 sec)
    Rows matched: 1  Changed: 1  Warnings: 0

    Or, if you don't want to mess around with queries, you can do the following:

    1. Create a new account. The username must be unique;
    2. Assign the new user the Administrator role;
    3. Re-login as a new Administrator;
    4. Delete the old Administrator account.

    2.5. Creating new user roles
    To do this, you must first install a plugin on your blog that lets you set user rights carefully and precisely. After activating the plugin, first create a user for yourself. Remove all of that user's rights and then carefully select only those you need for daily activity (writing posts, moderating comments, etc.). Make sure that only the admin account has the privileges to activate/deactivate plugins, upload files, manage options, switch themes, import, etc.
    If your blog will be multi-user, think about what rights the users really need and create your own roles based on that.
    When creating roles, be careful about granting rights such as file upload, editing plugin source code, activating plugins, editing files/posts/pages, import and unfiltered HTML, as these give users great power.

    2.6. Restricting access to the wp-content and wp-includes folders
    Using .htaccess files with special rules, we deny everything except requests for images, CSS and JavaScript. An .htaccess file with these rules must be placed in each of the two directories.

    Order Allow,Deny
    Deny from all
    <FilesMatch "\.(jpe?g|png|gif|css|js)$">
    Allow from all
    </FilesMatch>

    You can also allow specific PHP files that certain themes and plugins need.

    2.7. Hiding the wp-content directory
    Starting with WordPress 2.6, it became possible to move the wp-content directory.
    Change the lines in wp-settings.php:

    define("WP_CONTENT_DIR",$_SERVER["DOCUMENT_ROOT"]."/blog/wp-content");
    define("WP_CONTENT_URL","http://domain.ru/blog/wp-content");

    And to avoid problems with plugins:

    define("WP_PLUGIN_DIR",$_SERVER["DOCUMENT_ROOT"]."/blog/wp-content/plugins");
    define("WP_PLUGIN_URL","http://domain.ru/blog/wp-content/plugins");

    2.8. Restricting access to the wp-admin folder
    If you have a static IP
    This step is easy for a single-user blog, but can be a real headache for a multi-user blog. This trick only works if you have a static IP. The .htaccess file for the wp-admin directory must contain the following rules:

    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic

    order deny,allow
    deny from all
    # a.b.c.d is your static IP
    allow from a.b.c.d

    Place the file in the wp-admin directory and try to access this folder through a proxy. If everything works correctly, access will be denied. After that, try logging in from your IP.

    Restricting access by password
    It may be preferable to protect the wp-admin folder with a password instead. This way you can reach the admin panel from anywhere, and it is also the option to use if you have a dynamic IP.
    The .htaccess file for the wp-admin directory must contain the following rules:

    # The .htpasswd file is located outside the root directory of your blog
    ErrorDocument 401 default
    AuthUserFile /srv/www/user1/.htpasswd
    AuthType Basic
    AuthName "WordPress Dashboard"
    # Create a non-obvious username and allow only that account...
    require user adminuser
    # ...or, to accept any account listed in .htpasswd, use this line instead:
    # require valid-user

    Generate a password with the command:

    $ htpasswd -cm .htpasswd adminuser

    Or use the service to generate a password. Here is an example for user: admin , password: test

    admin:$apr1$t3qLL...$uUmj9Wm/WbJk7YNza6ncM/

    It is better to place the .htpasswd file in a directory above the blog root.

    2.9. The wp-config.php file
    Option one: to protect your data, move the file one folder up; WordPress automatically checks the directory above if it does not find wp-config.php in its root.
    If for some reason you cannot do this, there is another option: protect wp-config.php using .htaccess (the .htaccess file must be in the same directory as wp-config.php):

    # protect wp-config.php
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>

    2.10. Setting the correct permissions for files and folders
    Basic rule:

    1. For files - 644
    2. For folders - 755

    From the shell, these operations can be done using:

    $ cd /path/to/your/blog
    $ find . -type d -exec chmod 755 {} \;
    $ find . -type f -exec chmod 644 {} \;

    2.11. SSL for admins
    If your server supports SSL, it is better to make access to the admin panel secure. To do this, uncomment the following line in wp-config.php:

    define('FORCE_SSL_ADMIN', true);

    2.12. Hiding login error messages
    In the functions.php file in the folder with your theme, add the line:

    add_filter("login_errors", function ($a) { return null; }); // create_function() was removed in PHP 8; a closure does the same job

    2.13. We prohibit indexing using Robots.txt
    You can check the correctness at

    2.14. Plugins for your safety
    Login LockDown – limits the number of failed logins
    There are two plugins that do this. Once activated, the plugin records all login attempts and lets you bar a visitor from logging in for a certain time after they have entered the password incorrectly several times.

    Belavir – monitors changes in key PHP files

    WPIDS – detects intrusion (injection) attempts

    WordPress Online Security Scanner – scans the blog for vulnerabilities

    Akismet – combats spam

    SpamBam – checks whether the client is using a real browser

    3. Periodic checks and updates

    3.1. Keep WordPress updated
    3.2. Keep plugins updated
    3.3. Stay tuned for security updates

    3.4. Check the code of themes and plugins you want to add for security holes
    3.5. Fight spam
    3.6. Regularly make a full backup of your blog database
    3.7. Read development blogs
    Small list:

    Most people think their WordPress website is secure just because it has no content worth hacking. Unfortunately, this is not so. Websites are often hacked, for example to distribute spam, or their core and theme files are stuffed with malicious code to infect the computers of your site's visitors. You may only notice the damage when Google or Yandex has already flagged your site or removed it from the index. Don't let this happen, and consider my tips for the perfect wp-config.php.

    There are many ways to protect your WordPress website from hacking. Optimization can be considered an important part of a good security strategy. Of course, the site won't turn into a Bank, but you've made it a little harder for hackers.

    To optimize wp-config.php, so-called constants are used. WordPress has many constants that can be used. But what is a constant? PHP.net describes constants as follows:

    A constant is an identifier (name) for a simple value. As the name suggests, this value cannot change during script execution (except for magic constants, which are not actually constants). A constant is case-sensitive by default. By convention, constant identifiers are always uppercase. (PHP.net)

    Constants are set with the define() function and look like this: define("NAME_OF_THE_CONSTANT", value);

    wp-config.php is a control file for WordPress. It loads before all other files because WordPress needs to set up a database connection. The necessary information is in the configuration file. When you change the value of a constant, or add a constant, you can also change the behavior of WordPress.

    Before work: please create a backup copy of wp-config.php

    Before you start editing the wp-config.php file, create backup copy this file. Your site will not work with incorrect or missing entries.

    Important: Always update WordPress and plugins

    You've probably heard this several times already. But this aspect is so important that I cannot repeat it often enough. Tons of sites have been hacked because WordPress or plugins were not updated. Updates are the best insurance against hacking!

    Security situation:

    Security experts at Sucuri are currently warning about a security flaw in the popular Jetpack plugin for WordPress. Malicious code can be injected through the shortcode-embedding function. Automattic will surely respond soon and release a new version.

    How to close the security gap for now:

    If you use the 6G firewall, you are not in danger: it can fend off this type of attack.

    Preparation:

    For all subsequent work you will need an FTP program as well as an HTML editor. wp-config.php is downloaded to the desktop, edited in the HTML editor, and uploaded back to the server.

    1 – Use security keys

    Security keys in WordPress are critical; they are used, for example, to encrypt login information in cookies. Even if keys already exist in your wp-config.php, replacing them after a while cannot hurt. When the keys change, all users are logged out of the site; you can then log in again with your username and password.

    However, if the site has already been hacked, you must first remove the malicious code from it. Guidance on this can be found in the additional information on this topic. After that, visit the WordPress security key generator and copy the new set. Replace the old keys with the new ones (see screenshot):

    If you haven't implemented security keys yet, now is a good time to do so.

    Additional Information:

    2 – forced use of HTTPS

    An SSL certificate encrypts the connection between your site and your visitors' browsers. HTTPS makes it impossible for hackers to intercept and steal personal data. If you already have an SSL certificate for your site, you can force it to use HTTPS instead of HTTP, which significantly increases the security of your site. If you don't have an SSL certificate, you should nevertheless seriously consider getting one.

    You don't have to be afraid of large expenses, because...

    The following entries should be used when your site already uses SSL. The first is for a secure login, while the second forces the browser to use SSL for the whole admin area.

    In every WordPress installation, you can edit theme and plugin files directly in the admin area: under the "Appearance" and "Plugins" menu items you will find an editor for each file. This editor is very dangerous if it falls into the hands of hackers: data may be destroyed and viruses, trojans, spam and other malware may be added. But the editor is also a danger for the website administrator himself. A single mistake, one missing semicolon, is all it takes for the proverbial white screen to appear and nothing else to work.

    3 – Changing the database prefix

    The database prefix is also known as the table prefix. It is prepended to the name of every database table WordPress creates. The default is wp_, and this default should be changed to something else; the more obscure, the better. Don't worry, you don't need to remember what you entered here: the value is set once.

    Admittedly, this does not reduce the possibility of SQL injection to zero, but it does help. So change the value before installing WordPress. Use something like fdf2a7r_, for example.

    Attention: If you change the value of an existing WordPress installation, the website will not be accessible!

    If you want to change the table prefix of an existing WordPress site, the Acunetix WP Security plugin can help you. It allows you to change the value easily and all you have to do is log in again. However, you should still create a backup beforehand.

    4 – Turn off plugin editors and themes

    Changes to the theme or plugin files are usually made using (S)FTP as it is much more secure. So editors should be turned off. One line in wp-config.php is enough to safely disable both editors:

    5 – Move wp-config.php

    wp-config.php is the heart of your website. All the relevant data, including the database password, is entered there, which is why it is extremely important to keep this file as secure as possible. There are two approaches: the first blocks access using the .htaccess file, the second moves the file to another location where a hacker will not expect it.

    • Moving it can be problematic if the site is on a sub-domain and you are using cheap shared hosting.
    • It can also get tough if you have a lot of websites in user directories.
    If neither point applies to you, you can move the file. If you have configured the path to wp-config.php correctly, your site should work.

    6 – forced use of FTPS

    If your web host has enabled File Transfer Protocol Secure (FTPS), you can force its use for file transfers. It encrypts the communication between the visitor and the server, so the data on the server can no longer be accessed over an insecure protocol. FTP is insecure because the access credentials are transmitted to the server unencrypted. Therefore, if possible, only use a secure connection via FTPS. Your web host can tell you whether an FTPS connection is possible.

    Forcing the use of FTPS is simple:

    7 – forced use of SFTP

    Instead of FTPS, some hosters have enabled the SFTP protocol for data transfer. Here, too, the communication between the FTP client program and the server is encrypted. The following line of code forces the use of SFTP:

    8 – Disable debug mode

    If you have enabled WordPress debug mode for development purposes, it is vital to turn it off. In some cases, active debug mode can reveal sensitive data that helps hackers do their job, which is why debug mode is extremely dangerous on a live system. I have made this small, stupid mistake myself; people forget things quickly. That's why you should check it right away. Disable debug mode:

    9 – Turn off PHP error indication

    If for some reason you need debug mode to stay enabled, I recommend turning off the public display of error messages. The error messages can instead be written to a log that is not accessible to the general public, which is a much safer and more elegant option. This constant is required to leave WordPress's error mode and also prevents errors from being displayed to third parties:

    10 – Enable automatic update feature

    As I mentioned earlier, immediately updating your WordPress core and all plugins is critical to keeping your system secure. With every new version of WordPress released, the security holes of its predecessors are exposed on the Internet. This gives a hacker a strong foundation to be able to hack your site. Therefore, these deficiencies must be addressed as quickly as possible.

    Since WordPress version 3.7, minor security updates are carried out automatically. This is not the case for major releases, however, which still need to be installed manually. Enabling automatic updates for all versions of WP is very easy:

    By the way, plugins can also be updated automatically. It involves a bit of work, however, as it requires creating a plugin:

    This plugin should be moved to the folder /wp-content/mu-plugins/. If the folder doesn't exist, just create it. The /mu-plugins/ folder holds "must-use" plugins: everything in it is loaded automatically, together with the other plugins.

    Automatic theme updating can be done in the same way. To do this, the plugin must be extended with the following line:

    Please get information about these automated plugins in advance, and only use the code if you know exactly what it does. Of course, the two filters are only able to support plugins and themes up to now that come from the official WordPress release. Themes and plugins from another source will of course not be updated.
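As an added example, not code from the original article, here is what the constants discussed in steps 1 to 10 look like together in wp-config.php, followed in the same listing (after a comment banner) by the must-use plugin from step 10. The key placeholders, the example prefix and the file names are assumptions of the example; the constant and filter names are WordPress's own.

```php
<?php
// ---- wp-config.php (hardening fragment; keep the DB_* lines your install already has,
//      and keep everything above the require of wp-settings.php) ----

// 1 - Security keys: replace every placeholder with output of the WordPress key generator.
//     Changing them logs every user out, which is exactly what you want after a compromise.
define( 'AUTH_KEY',         'REPLACE-WITH-GENERATED-VALUE' );
define( 'SECURE_AUTH_KEY',  'REPLACE-WITH-GENERATED-VALUE' );
define( 'LOGGED_IN_KEY',    'REPLACE-WITH-GENERATED-VALUE' );
define( 'NONCE_KEY',        'REPLACE-WITH-GENERATED-VALUE' );
define( 'AUTH_SALT',        'REPLACE-WITH-GENERATED-VALUE' );
define( 'SECURE_AUTH_SALT', 'REPLACE-WITH-GENERATED-VALUE' );
define( 'LOGGED_IN_SALT',   'REPLACE-WITH-GENERATED-VALUE' );
define( 'NONCE_SALT',       'REPLACE-WITH-GENERATED-VALUE' );

// 2 - Force TLS for the whole admin area (wp-login.php included). Needs a working certificate.
define( 'FORCE_SSL_ADMIN', true );

// 3 - Table prefix: set once, before installation (changing it on an existing site breaks it).
$table_prefix = 'fdf2a7r_';   // example value from the article; the default is 'wp_'

// 4 - Disable the theme and plugin editors in the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// 6/7 - Make WordPress use an encrypted channel for its own file operations (updates, installs).
define( 'FTP_SSL', true );     // FTPS, when the host offers it ...
// define( 'FTP_SSH', true );  // ... or SFTP instead; enable the one your host supports.

// 8/9 - Debug mode off on a live site; if it must stay on, log to a file and never render errors.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );   // only has an effect while WP_DEBUG is true; writes wp-content/debug.log
@ini_set( 'display_errors', 0 );

// 10 - Automatic updates for all core releases, not only the minor ones.
define( 'WP_AUTO_UPDATE_CORE', true );

// ---- wp-content/mu-plugins/auto-updates.php (separate file; create the folder if needed) ----
// Plugin Name: Auto-update plugins and themes (added example)
// Only items from the official WordPress repository are updated by these filters.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme',  '__return_true' );
```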

    Additional Information:

    Conclusion

    All of these aspects together will greatly increase the security of your WordPress site and should be part of a good security strategy. The fact that WordPress is the world's most popular content management system attracts many hackers. The situation is comparable to a Windows computer: on Windows you install antivirus software, and WordPress takes a little manual work. But the gain in safety is definitely worth it.

    Translation

    The administrative area of any web application has long been a favourite target for hackers, and its security is of great concern to developers. This also applies to WordPress: when a new blog is installed, the system creates an administrator account with a unique, randomly generated password, which keeps everyone else out of the system settings; access is controlled through the login page.

    This article focuses on strengthening the security of WordPress, both the admin panel and the blog settings, meaning the entire contents of the "wp-admin" folder, which is only shown after authorization. We deliberately emphasize the phrase "after authorization": you must clearly understand that only one simple request separates the "evil hacker" from the admin of your entire blog or website, and that the latter is protected only as strongly as the password you have chosen.

    To make the task of hackers much more difficult, we offer a set of operations that you can perform manually. These solutions do not guarantee 100% protection, but with their help you will significantly improve the security of your blog.

    1. Rename the wordpress folder.

    Since version 2.6, it has been possible to change the path of the wp-content folder. Unfortunately this still does not apply to the wp-admin folder. Security-conscious bloggers have accepted this and hope it will become possible in future versions. Until then, we suggest the following alternative. After unpacking the archive with the WordPress files, you will see the "wordpress" folder: rename it (ideally to something unclear like "wordpress_live_Ts6K") and then configure the wp-config.php file in the root directory accordingly.
    What does this change give us?
    • Firstly, the WordPress files are no longer mixed with other files in the root of the site, which makes the root level clearer.
    • Secondly, several copies of WordPress can be installed in parallel in folders with different names without interfering with each other, which is ideal for testing.
    • The third advantage concerns security directly: the administrative area (and the whole blog) is no longer in the root folder, so before any hacking attempt it first has to be found. That is a problem for people; for bots it is only a matter of time.

    Several installed versions in the root directory - it's possible!

    Note: If the WordPress system files are no longer in the root directory, and the installation folder name is changed according to the recommendations described above, the blog will still be available at wp-config.ru. Why? Go to the “General settings” section of your blog and enter the real blog address on the server in the “WordPress address (URL)” field, as shown in the example:

    The blog address should be beautiful and unobtrusive

    This will allow the blog to be displayed at a nice virtual address.

    2. Improve the wp-config.php file

    The WordPress configuration file wp-config.php contains some site settings and the information for accessing the database. There are also other security-related settings (listed below). If these values are missing from the file, or are set to the defaults, add or change them accordingly:
    • Security keys: as of version 2.7, WordPress has four security keys that must be set correctly. WordPress saves you from having to invent these strings yourself by generating keys that are correct from a security point of view; you just need to paste them into the appropriate lines of wp-config.php. These keys are mandatory for the security of your blog.
    • The table prefix of a newly installed WordPress blog should not be the standard "wp_". The more complex the prefix, the less likely unauthorized access to the tables in your MySQL database becomes. Bad: $table_prefix = "wp_"; . Much better: $table_prefix = "wp4FZ52Y_"; Don't be afraid of forgetting this value: you only enter it once and will not need it again.
    • If SSL encryption is available on your server, it is recommended to enable it to protect the administrative area. This is done by adding the following line to wp-config.php: define("FORCE_SSL_ADMIN", true);
    You can also adjust other system settings in the configuration file. A clear and comprehensive list of available settings can be found on the Codex page.

    Don't neglect to install the correct security keys!

    3. Move the wp-config.php file

    Also since version 2.6, WordPress allows you to move the wp-config.php file one level up. Because this file contains far more important information than any other, and because the server's root folder is always much harder to reach, it makes sense to store it in a different directory from the rest of the files. WordPress automatically looks in the parent folder when searching for wp-config.php, so attempts to configure the path yourself are unnecessary.

    4. Protect the wp-config.php file

    Not all hosting providers allow you to place files above the root directory; in other words, not everyone has sufficient rights to complete the previous step. There can be other reasons, too: for example, if you have several blogs with a certain folder structure, you cannot put all the files in the root, since the file names would be the same for each blog. In this case we can deny external access to wp-config.php using an .htaccess file. Here is the code for this:

    # protect wp-config.php
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>

    It is very important to make sure that the .htaccess file is in the same directory as wp-config.php.

    5. Remove the administrator account.

    During installation, WordPress creates an administrator account with the username "admin" by default. On the one hand this is logical; on the other, a user with a well-known name (and ID 1) who has administrative rights is a completely predictable target for hackers and their password-guessing programs. Our advice:
    • Create another user with administrative rights and your own nickname.
    • End your session.
    • Log in with the new account.
    • Delete the "admin" account.
    If your blog is not new and you have already published posts or comments under the "admin" account, then when deleting it choose "Link all posts and links to:" and select the new user's name:

    Note: Ideally, it is desirable that the new user's login is different from the username displayed in posts, so that no one recognizes your login.

    6. Choose a strong password.

    The likelihood and frequency of potential attacks directly depends on the popularity of the blog. And it is advisable to be sure until this moment that there are no weak links in the security chain left on your site.

    Most often, passwords are the weakest link in this chain. Why? The way most users choose a password is often thoughtless and careless. Many studies have shown that most passwords are single-syllable existing words, typed in lowercase letters, which are not difficult to guess. Password guessing programs even have lists of the most commonly used passwords.

    WordPress has implemented an intuitive indicator of the strength of the password you are typing, which shows its level of complexity in color:

    7. Protect the “wp-admin” folder.

    Following the adage "two heads are better than one", there is a way to double the security of the administrative area. Access is controlled by an .htaccess file placed in the "wp-admin" folder together with an .htpasswd file that stores the login and password. When you open the folder you will be asked for a username and password; the difference is that this check is done by the server rather than by WordPress itself.

    To generate the .htaccess and .htpasswd files quickly and easily, use this service.

    8. Disable displaying errors on the login page.

    The WordPress login page is the door to the administrative area of your blog, which opens after error-free verification. Every user has an unlimited number of login attempts, and each time, by default, helpful WordPress indicates exactly what was wrong: if the entered login is incorrect, WordPress says so. This is convenient for the user, but also for the hacker.

    It is easy to guess how much faster a login/password combination can be found when the system reveals which part was entered incorrectly. A simple line of code solves this problem; just add it to your theme's functions.php:

    add_filter("login_errors", function ($a) { return null; }); // create_function() was removed in PHP 8; a closure does the same job

    Original/changed appearance of the login page.

    9. Limit the number of failed login attempts.

    WordPress does not keep statistics on authorizations, both successful and unsuccessful. This is very inconvenient for the administrator, since he has no way to see whether there have been attempts at unauthorized access in order to take any measures if they become more frequent. We offer two solutions: plugins
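The attempt limiting that the plugins in this section (and Login LockDown in section 2.14 above) provide, as an added example written for this page rather than code from any of those plugins: a small WordPress plugin that counts failed logins per client IP in transients and refuses further logins for a while. The thresholds, function names and the `slt_` prefix are assumptions of the example; the hooks are WordPress's own.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example)
 * Description: Records failed logins per IP and refuses further attempts for a while after too many failures.
 */

// Tunables chosen for this example: 5 failures within 15 minutes lock the IP out for 30 minutes.
define( 'SLT_MAX_FAILURES', 5 );
define( 'SLT_WINDOW',  15 * MINUTE_IN_SECONDS );
define( 'SLT_LOCKOUT', 30 * MINUTE_IN_SECONDS );

// Use REMOTE_ADDR only: trusting X-Forwarded-For would let a client choose which address gets counted.
function slt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names; transients live in the options table and expire on their own.
function slt_fail_key() { return 'slt_fail_' . md5( slt_client_ip() ); }
function slt_lock_key() { return 'slt_lock_' . md5( slt_client_ip() ); }

function slt_is_locked() {
    return false !== get_transient( slt_lock_key() );
}

// wp_login_failed fires for every wrong username or password (empty fields are ignored by WordPress itself).
function slt_record_failure( $username ) {
    if ( slt_is_locked() ) {
        return; // already locked out; do not extend the lock on every further attempt
    }
    $failures = (int) get_transient( slt_fail_key() ) + 1;
    set_transient( slt_fail_key(), $failures, SLT_WINDOW );

    if ( $failures >= SLT_MAX_FAILURES ) {
        set_transient( slt_lock_key(), time(), SLT_LOCKOUT );
        delete_transient( slt_fail_key() );
        // WordPress keeps no record of login attempts; leave one in the PHP error log for the administrator.
        error_log( sprintf( 'login throttle: %s locked out after %d failures (last username tried: %s)',
            slt_client_ip(), $failures, sanitize_user( $username, true ) ) );
    }
}
add_action( 'wp_login_failed', 'slt_record_failure' );

// Runs after WordPress's own credential checks (priority 20), so a locked IP is refused
// even when the password is correct. The message is generic on purpose.
function slt_enforce_lockout( $user ) {
    if ( slt_is_locked() ) {
        return new WP_Error( 'slt_locked_out', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_enforce_lockout', 100 );

// A successful login resets the failure counter for that address.
function slt_clear_failures() {
    delete_transient( slt_fail_key() );
}
add_action( 'wp_login', 'slt_clear_failures' );
```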

    I would like to note that recently, I have received fewer requests regarding security settings, eliminating threats and viruses. And fewer similar topics were created on the forums.

    Either the quality of the code has stabilized, or site owners have increased their responsibility. I hope both factors were at play.

    However, the threat of infection is always present, so the protection of your site should be given due attention.

    In practice, the reasons for hacking come down to two things:

    • abandoned and unsupported plugins: you always need to install updates;
    • passwords and rights: set them up correctly once and stick to it.

    Every website is susceptible to hacking, so the only way to truly protect yourself is to create a backup.

    Seriously.

    Set up backups! Either using a plugin, or directly on your hosting.

    Literally, just recently I broke my media files as a result of stupid experiments, but with a copy available, I was able to restore the database in a couple of minutes.

    How to set up a schedule depends on what and how often changes specifically on your site.

    Don't include unnecessary code

    WordPress is highly flexible and expandable. This is a wonderful opportunity. But on the other hand, enterprising and not very tech-savvy website owners can very quickly overload their website with unnecessary code.

    Firstly, it hurts site performance.
    Secondly, it puts your site's security at risk: it increases the likelihood of virus infection and hacking.
    Thirdly, you simply need more time for administration and support. When you install a new plugin or a piece of theme functionality, evaluate whether you really need it.

    Good questions might be:

    • How could I do without this new plugin? Perhaps you will see alternatives, or find that there is no need for it at all.
    • What do I actually need this plugin for? What benefits will I get from using it?

    For a fully functional website, it is enough to have about ten of the most necessary plugins (which includes an SEO plugin, a site protection plugin, a caching plugin, antispam, a contact form, and there may be several specific plugins for the structure of your site or its content).
    If there are 30-50 plugins installed on your site, then you are clearly doing something wrong.

    Also, it is not enough to simply deactivate unused plugins; it is best to remove them completely. Along with unused themes.

    Follow a simple but effective principle:

    Less code, fewer problems.

    Do not give other participants rights that exceed their responsibilities

    Let's get this straight. No one is as responsible for the security of your site as you are.
    If you give your accounts or administrative roles to someone you trust, you are significantly compromising the security of your site. I'm not saying that a person to whom you have granted elevated rights will happily hack your site, but he may facilitate this without any intent. Think about the fact that his computer may not be as protected as yours (for example, a working antivirus is not installed), and all your efforts to protect the site will go to waste.

    Limit the roles you give people. If you just want a person to publish an article, you don't need an administrator account at all.
    But there are times when you really need to grant full rights. For example, you asked a freelancer to change the code on the site.
    In this case, immediately after finishing the work, generate a new strong password and also create a new secret key for WordPress to completely clear the working cookies.

    Update your site and plugins

    At the beginning of this article I already noted this problem as the main source of threat to the operation of the site.

    Every day, millions of websites are attacked. This allows developers to quickly find dangerous vulnerabilities and fix them in future updates. But if you ignore this rule, any day you can become a victim of hacking.
    In most cases, updates happen smoothly, you just need to look at the change page, where the author can indicate some important notes regarding improvements, bug fixes and vulnerabilities.

    If you have more than 30-50 plugins installed, then the update process does not take much time, and usually happens 2-3 times a month. Fair price for a good night's sleep.

    It happens that lazy beginner developers edit plugin files directly and updating them becomes difficult. But this cannot be avoided one way or another.

    The same problem occurs with premium themes, which include additional premium plugins like Visual composer, Revolution slider, Layer slider, and so on.

    Owners customize the site, get it to work the way they want, and are understandably afraid to update it.
    In practice, after six months or a year, such sites begin to fall apart: something has been updated, something has not, conflicts arise, the site slows down, and so on.

    This is a common situation, so pay attention to two things:

    • make a child theme: a matter of minutes, but it makes updating easy in the future;
    • try not to edit a lot of code in the theme: if changes are necessary, it may be better to implement them as additional functionality outside the theme.

    It’s easier, of course, to fix the code directly in the theme, but you lose in updates. Protecting yourself in this regard is a higher priority.

    Set strong passwords

    Strong passwords help you withstand a brute-force attack, that is, someone guessing your password. If your password contains only 3-4 characters and you are using the login admin, then your site can be hacked in less than 1 minute! Think about it.

    5-6 characters in a password is also not enough; a good password starts with 8 characters. Also, it is very important not to use simple words from the dictionary, but to use a combination of letters in different cases, numbers, punctuation marks and special characters.

    Of course, such a password is not easy to come up with, much less remember and use. Here password managers will come to your aid: 1Password, KeePass, LastPass. Pick one and let it take care of storing your passwords.

    Use trusted sources

    If you download add-ons from third-party sites, especially from all kinds of warez sites and free torrents, then you greatly jeopardize the operation of your site.

    Even if you visit the page of the plugin or theme you need, and it seems to you that its author can be trusted, in fact this is not the case. Why?

    Because the code of this plugin has not been tested in any way for functionality and vulnerabilities, as is done by the development team and community at https://wordpress.org/plugins/, and most likely it contains risky code even without any intent on the part of its author.

    As a measure to improve WordPress security, install plugins and themes from the official repository, or from the repositories of very large companies in whose integrity and reputation you are confident.

    Enable antivirus on your computer

    Without a good antivirus, safe work on a computer is probably unthinkable. I won't recommend one of these, but a good rule of thumb is to use a reputable brand, and preferably a full-service one.
    A good antivirus independently updates its code and anti-virus databases, so you will practically not need to monitor its operation.

    Do not enter passwords in public Wi-Fi areas

    In public places where there is Wi-Fi, anyone can intercept traffic, and if it is not encrypted, an attacker can easily obtain your information.

    Use an encrypted transmission method. Create and configure SSL certificates for your website, and you will have peace of mind knowing that you have protected your website and the data of your users.

    Protected files and system directories

    • Correct permissions on files and directories

    Set permissions to 644 for files and 755 for directories, so that write access is available only to the owner, that is, you. This reduces the risk of potential threats, especially on shared hosting.
    You can manually change rights through the hosting control panel, or through an ftp client.

    If you have shell access, you can assign permissions using two commands.

    For directories:

    find /path_to_your_wordpress_folder/ -type d -exec chmod 755 {} \;

    For files:

    find /path_to_your_wordpress_folder/ -type f -exec chmod 644 {} \;
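    The two find commands above apply the baseline, but they do not tell you where it has drifted. The following script is an added example (not from the original article): it lists directories that are not 755, files that are not 644, and a wp-config.php that is not 400/440 (the article's recommendation for that file), then applies the fix. The demo tree it builds under mktemp is constructed for illustration; the function names wp_perm_audit, wp_perm_violations and wp_perm_fix are this example's own.

```shell
#!/bin/sh
# Audit a WordPress tree for permission drift from the 644/755 baseline.
# Prints one offending path per line. wp-config.php is excluded from the
# generic file check because it should be stricter (400 or 440).
wp_perm_audit() {
    root="$1"
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 400 ! -perm 440 -print
}

# Number of paths that deviate from the baseline (0 means the tree is clean).
wp_perm_violations() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the baseline: 755 for directories, 644 for files, 440 for wp-config.php.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Build a small constructed WordPress-like tree with deliberate drift,
# audit it, fix it, and audit again. Echoes "<violations before> <after>".
wp_perm_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads" "$tmp/wp-includes"
    : > "$tmp/index.php"
    : > "$tmp/wp-config.php"
    : > "$tmp/wp-content/uploads/a.jpg"
    chmod 755 "$tmp" "$tmp/wp-content" "$tmp/wp-includes"
    chmod 644 "$tmp/wp-content/uploads/a.jpg"
    chmod 777 "$tmp/wp-content/uploads"   # drift: world-writable upload directory
    chmod 666 "$tmp/index.php"            # drift: world-writable PHP file
    chmod 644 "$tmp/wp-config.php"        # drift: database credentials readable by all
    before=$(wp_perm_violations "$tmp")
    wp_perm_fix "$tmp"
    after=$(wp_perm_violations "$tmp")
    rm -rf "$tmp"
    echo "$before $after"
}
```

Run wp_perm_audit against your real installation before wp_perm_fix so that you see what changes; on shared hosting the web server may need group access to wp-config.php, in which case 440 rather than 400 is the right choice.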

    • Protecting important files and directories - (wp-admin/, wp-config.php, wp-login.php, wp-includes)

    Protect /wp-admin/.
    The management console of your site opens at this address.

    On some hosting services, you can create a password for this folder directly in the control panel.

    Or you can do it manually.
    To do this, you need to use an htpasswd file generator, then copy the resulting file to your server, for example to the directory above your WordPress installation.

    The final step is to create or open a .htaccess file in the root folder of your site, and enter the following code into it:

    AuthName "Wordpress Console"
    AuthUserFile /path_to_your_file/htpasswd
    AuthGroupFile /dev/null
    AuthType Basic
    Require user username

    Replace the required values.

    Protecting the wp-login.php file.

    If you need to restrict login to specific IP addresses, enter the following directives in the .htaccess file:

    <Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from xxx.xxx.xxx.xxx
    </Files>

    Thus, you first deny access from all sources, then open access only for specific IPs. The order is important.

    Protecting the wp-config.php file.

    Move this file from your WordPress root folder to a folder one level higher. Set the file permissions to 400 or 440, so that only read access is available to you and your server.

    If you cannot transfer the file, include the following code at the very top of .htaccess, which will completely disable access to wp-config.php:

    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>

    Protecting wp-includes/.

    To further enhance WordPress security, you can restrict execution of scripts in the wp-includes/ folder. Add the following code to .htaccess:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    If you run a multisite installation, comment out the line

    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

    Do not allow search robots to process service pages

    Check your robots.txt file.

    User-agent: *
    Disallow: /feed/
    Disallow: /trackback/
    Disallow: /wp-admin/
    Disallow: /wp-content/
    Disallow: /wp-includes/
    Disallow: /xmlrpc.php
    Disallow: /wp-

    These are all WordPress service folders that the search engine should not index.

    Hide your WordPress version from potential hackers

    Version information is present in the page header and in the RSS feeds.

    To remove it from there, you need to include the following code in the functions.php file of the active theme:

    function wp_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wp_remove_version');

    Change the administrator account name

    By default, WordPress creates an account under the name admin, which makes it easier to hack using a brute-force attack. You definitely need to change it.

    To do this, open your database in phpMyAdmin and find the wp_users table (the prefix may vary); it contains the rows with account credentials. Open the admin user's row for editing.

    In field user_login change the value admin to your new preferred login and click Go.

    Change the database prefix

    If you installed the CMS from your hosting control panel, there is a high chance that the site already has a changed prefix. There are also ready-made plugins for this, but you can also do it manually.

    1. Make a backup of your database using phpMyAdmin;
    2. Open the exported dump file in a plain text editor and replace the "wp_" prefix with your new prefix;
    3. Deactivate all your plugins;
    4. Delete the old database and import the dump with the new prefix;
    5. Change the table prefix setting in the wp-config.php file to the new prefix;
    6. Activate the necessary plugins;
    7. Re-save the permalink (friendly URL) settings.

    Enable SSL on your website

    If you have obtained an SSL certificate, enable SSL support in the wp-config.php file:

    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);

    This site has a certificate from Cloudflare, which is issued free of charge, but you need to connect and configure this service.

    Limit the number of login attempts

    If you notice an active brute-force attack in your server logs, you can prevent it by limiting the number of login attempts using the Limit Login Attempts plugin.

    The plugin has not been updated for 2 years, but has gone through a million installations and received good reviews of its performance, including with current versions of WordPress.

    Prevent editing plugin and theme files in the management console

    If you do not use file editing from the admin panel, you can disable this functionality in order to increase site security. Write the following line to the wp-config.php file:

    define('DISALLOW_FILE_EDIT', true);

    If your site is hacked

    1. Take the site offline.
    2. Notify your hosting provider; other sites on the server may be infected.
    3. Make a backup of the site.
    4. Change all passwords in the wp-config.php file.
    5. Reinstall WordPress; this replaces the engine files with fresh copies.
    6. Reinstall themes and plugins to ensure no malicious code is left behind.
    7. You can also use available plugins to search for potential malicious code.

    Remember, if hackers stole your password and entered the site, then even after you change the password, they can still remain in the system because working cookies are in effect. To disable them, you need to create a new secret key. Open

    WordPress security issues have always provided a lot of food for thought. Although most of the recent updates to this CMS have been related to security, there are many ways to enhance security that are available to even the least technically savvy users, even without plugins.

    Here are some suggestions on how to improve information security for a WordPress site.

    The platform developers offer their own list of measures to ensure the protection of WordPress sites, which we recommend that you familiarize yourself with. Of course, some of these recommendations will be repeated below, but a few extra practical tips and instructions can't hurt when it comes to data security.

    Create a separate account with editor rights

    When you write or edit blog posts, the "author name" appears in the lower left corner of the browser when you hover over the author name in the post. If your author name is the same as the administrator name, you have done half the work for hackers to successfully hack your site.

    The fix is simple: create a new user who has only editor rights, and log in under this name when you are going to publish or edit something on the blog. This name will appear on all your posts, and hackers will waste a lot of time trying to break into your blog under a username with supposed administrator rights, which in fact only allows writing and editing posts.

    In addition, special security plugins for WordPress limit attempts to access the site under a specific login and report attempts of unauthorized entry to a specified email. This way you will find out whether hacking attempts were made using the real administrator login, and you will be able to pay attention to the security of the WordPress site before attackers guess the password.

    Don't use simple passwords

    Remember a simple rule: a password should be Complex, Unique and Long. This is where tools like 1Password or LastPass come into play, generating passwords of a length you set. Depending on the level of protection you want, select the password length in characters (20 characters is usually enough) and include rarely used characters such as # or *.

    "123456" is not a password. "qwerty" is equivalent to writing your PIN code on your bank card. Even "starwars" made the list of the 25 most common passwords of 2015. Remember, you are not as unique as you think.

    Add two-factor authentication

    Even if you don't use the username admin and set a strong, randomly generated password, brute force attacks remain a problem. To reduce the risk of such intrusion, methods like two-factor authentication are key.

    Yes, two-factor authentication is a hassle. But now this is your Fort Knox. Its essence for protecting a WordPress site lies, as the name suggests, in two forms of authorization. Today it is a standard that improves the security of your access points. You already use two-factor authentication for Gmail and Paypal (at least you should). So why not add WordPress to the list?

    There is a special Google Authenticator plugin to implement the tool. An alternative option with a slightly different approach and the same result is Rublon Plugin.

    Use the principle of least privilege

    The WordPress.org team has put together an excellent article in the WordPress Codex on user roles and permissions. Be sure to read this document, which directly addresses this step.

    The principle of least privilege is very simple - give access only to:

    - those who need it;

    - when they need it;

    - for the period of time that is needed.

    If someone needs administrative rights to change a configuration, grant them, but deny access immediately after completing the task.

    The good news is that these steps won't take much of your time.

    Contrary to popular belief, not every user accessing your WordPress site needs to be given administrator rights. Give people sufficient access rights to perform their tasks and you will greatly reduce the security risk of your WordPress site.


    Hide wp-config.php and .htaccess files

    This is relatively easy to do, but errors in the procedure can render your site inaccessible. Create a backup copy, and only then proceed with changes.

    Go to Tools => File Editor to edit the .htaccess file. To increase the level of security and protection of the wp-config.php file, you need to add the following code to the .htaccess file:

    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>

    It will block unauthorized access to the wp-config.php file. Similar code can be used to protect the .htaccess file itself:

    <Files .htaccess>
    Order allow,deny
    Deny from all
    </Files>

    You can make these changes yourself, there is nothing complicated here.

    Use WordPress security keys for authentication

    Authentication keys and salt keys work in conjunction with each other to protect your cookies and passwords while transmitting data between your browser and the web server. These authentication keys are built on a set of random variables. They increase the security (encryption) of information in cookies.

    To change them in the wp-config.php file, simply get a new set of keys here - https://api.wordpress.org/secret-key/1.1/salt/ - and add it to the file. When you refresh the specified page, the keys change, so you will receive a new set each time.

    Disable file editing

    The easiest way to change your files is through the WordPress menu item "Appearance => Editor". To increase your level of protection, you need to disable the ability to edit files via the console. Open the wp-config.php file and add the line

    define('DISALLOW_FILE_EDIT', true);

    You will still be able to make changes to templates via FTP access, but now no one will be able to change them using tools in the WordPress console.

    Limit the number of login attempts

    The target of password-guessing attacks is the login form of the site. The All in One WP Security & Firewall plugin allows you to change the default path (/wp-admin/) to this login form. In addition, using special plugins you can limit the number of login attempts from a specific IP address.
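    Both this section and the earlier "Limit the number of login attempts" section assume you can tell from your server logs that a brute-force run is under way. The following script is an added example (not from either article) of that check: it reads a combined-format access log and flags any client IP with more than a threshold of POST requests to wp-login.php that were answered with 200 (WordPress re-renders the login form on failure and redirects with 302 on success). The log lines in wp_login_demo are constructed, using documentation IP ranges; the function names are this example's own.

```shell
#!/bin/sh
# Usage: wp_login_bruteforce /var/log/apache2/access.log [threshold]
# Prints flagged IPs, one per line, busiest first. Default threshold is 10.
wp_login_bruteforce() {
    logfile="$1"
    threshold="${2:-10}"
    # Combined log format: $1 = client IP, $6 = "METHOD (with leading quote),
    # $7 = request path, $9 = HTTP status. Count failed login POSTs per IP.
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }
    ' "$logfile" | sort -rn | awk '{ print $2 }'
}

# Constructed sample: 12 failed logins from one host, one successful login
# and a plain page load from others. Echoes the flagged IP list.
wp_login_demo() {
    tmp=$(mktemp)
    i=0
    while [ "$i" -lt 12 ]; do
        echo '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"' >> "$tmp"
        i=$((i + 1))
    done
    cat >> "$tmp" <<'EOF'
198.51.100.5 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2023:13:56:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
EOF
    wp_login_bruteforce "$tmp" 10
    rm -f "$tmp"
}
```

Feed the flagged IPs to whatever blocking you use (the IP allow-list for wp-login.php described in the first article, or the login-limiting plugin), and tune the threshold to your site's normal login volume.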

    Selective use of the XML-RPC interface

    XML-RPC is an application programming interface (API) that is used everywhere. It is accessed by a huge number of plugins and themes, so less technical users need to be especially careful when experimenting with this tool.

    Although a practical step, disabling XML-RPC can be costly. That is why it is not recommended to disable it completely, but to pay closer attention to which programs are trying to access this interface and how. There are many plugins that help with selective implementation and disabling of XML-RPC.

    WordPress Hosting and Security

    Website owners often complain that their hosting companies do not help protect their website from hacking or do not understand anything at all about securing websites on the WordPress platform.

    Hosting companies simply see your site differently. There are no clear rules for choosing a WordPress hosting, but it is really important when it comes to measures to improve protection against unauthorized access.

    Literally every article about choosing a hosting begins with the words that cheap does not mean the best. The cheapest tariff plans will not help protect you from hacker attacks. Such packages include minimal resource protection, such as a pre-installed website firewall.

    Shared hosting means that the server on which your resource is located is also home to other sites. They may have their own security issues that affect the security of your site.

    At the same time, WordPress security is probably one of the main advantages that hosting companies offer in specialized WordPress plans.

    This typically includes backups, a backup firewall, file scanning for malware, protection against, and automatic WordPress updates. Moreover, all this is offered, as a rule, at a very reasonable cost.

    Don't forget about your hosting account

    One of the biggest hosting problems is related to the account configuration for the site owner. The user can install and configure as many sites as he wants, which turns the system environment into a feeding ground for malware.

    The problem is relevant because in many cases a web resource can be hacked using a method known as cross-site infection, where the attack vector is a neighboring site. The attacker overcomes the protection of the server and then begins to penetrate the neighboring sites located on it.

    The best way to protect against this type of hacking is to create two accounts. You use one of them as a working environment and host only active sites on it, and the second one as an intermediate environment on which you store everything else.

    Stay up to date with the latest updates

    Keeping things fresh is easy to talk about. But for website owners this means daily painstaking work. Our websites are complex creatures. There are dozens of events happening on them at any given time, so sometimes it can be difficult to make instant changes.

    Recent research has shown that 56% of WordPress installations are using outdated versions of the platform.

    Updates should concern not only the core of the platform. The mentioned study also states that a large number of hacker attacks use outdated, vulnerable versions of plugins.

    How to Choose Secure Plugins and Themes for WordPress

    Most users prefer to install plugins and themes indiscriminately on their websites. This is stupid unless you are installing on a test server for the sole purpose of testing the functionality of a particular theme or plugin.

    Most plugins and a lot of themes are free. And if the authors support their products for fun, and not as part of some serious business model, it is unlikely that they spent much time checking the vulnerabilities and security of these products.

    How to choose the right plugin for WordPress

    As mentioned above, free themes and plugins are a potential threat to website security. When adding these elements to your site, be sure to check their rating, for example on WordPress.org.

    But just five stars will not say anything about the reliability of the plugin; depending on the niche, it should have a certain number of reviews. If enough people think it's a great product and take the time to evaluate it, you can try it out on your own site.

    Another thing you should check is the relevance of the plugin or theme. If there have been no updates in the last two years, WordPress will report this. Lack of updates doesn't necessarily mean the plugin is bad.

    Perhaps the author simply did not need to make corrections to the working program. However, it is not recommended to install plugins that have not been updated for a long time. The rating will tell you about the performance of the selected element and its compatibility with the current version of WordPress. All this information can be seen on the plugin page on WordPress.org.

    Conclusion

    If you have read this article to the end, then you simply must take additional measures to protect your WordPress site. Add checking the security of your resource to your list of daily actions. It should become the same daily routine of any website owner as the regular addition of new publications and pages.

    Don’t forget about regularly creating backups, for which the platform has many reliable plugins. True, they are not part of the information security policy; these are rather administrative and service tasks.

    We have provided a far from complete list of what can be done to protect your site from hacking. But we hope that our practical advice will help ensure at least the first level of information security for your resource.

    Remember WordPress security is never absolute.

    So, making life difficult for hackers is our job as website owners.