Harden your wordpress website

Web Security Site Audit WordPress

How to harden your WordPress website to protect it against attacks and malware.

This article shows how to protect your website from third-party attacks.
Some of this can be done manually, and some of it can also be done with software and plugins.

Where a step can be done manually, I will provide instructions. Where it must be done with software, I will provide at least one source for that software.

Updating your WordPress site

It is advisable to always keep your WordPress core and plugins updated. Updates bring essential fixes to your installation and close the vulnerabilities that attackers use to compromise websites.

The manual way to do this is documented here:

Configuring Automatic Background Updates « WordPress Codex

There are also a variety of plugins that will update your WordPress installation automatically.

Reference more on plugins and recommended practices here for updating WordPress.

Harden WordPress

Remove WordPress version

Check whether your WordPress version is hidden from the generator tag.

By default WordPress leaves its footprint on your site for tracking purposes; that is how we know WordPress is the world's largest blogging platform. However, this tells attackers which version of the WordPress core you are running. If it is not the current release, they can quickly narrow down the known vulnerabilities of that version. If you are running the most up-to-date version of the WordPress core, you can skip this tutorial completely, which is why we recommend having your WordPress site update automatically.

There are many ways to remove the WordPress version number from your header. Note, however, that only one of them is complete.

Some sites will recommend that you open your header.php file and get rid of this code:

[php]<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />[/php]

Or others will recommend that you open your functions.php and add the following function:

[php]remove_action('wp_head', 'wp_generator');[/php]

Either of these is only one part of the solution. An attacker who is well acquainted with WordPress will simply open your RSS feeds, where the version is still shown, because neither fix above removes it from the feeds.

To completely remove your WordPress version number from both the page head and the RSS feeds, add the following function to your functions.php file:

[php]function wpbeginner_remove_version() {
    // Return an empty generator string for the head and all feeds.
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');[/php]

By adding this function, you remove the WordPress version number from all the different areas of your site. This is the right way to remove the WordPress version number.

Note: We still recommend that you update to the latest version of WordPress because that is the only guaranteed way to keep your blog protected.

As said at the beginning, we recommend keeping your WordPress version up to date as the safer solution. You may also find a method to remove your WordPress version in the SUCURI firewall plugin, available from the plugins section of your WordPress dashboard or on wordpress.org; learn more at sucuri.net.

Protect uploads directory

There is a great tutorial on how to protect your uploads directory at:

https://tomolivercv.wordpress.com/2011/07/24/protect-your-uploads-folder-with-htaccess/

From wordpress.org, you can accomplish this by doing the following:

wp-content/uploads

Leaving the uploads directory executable by the public can be a tragic mistake. However, the uploads directory is the one directory that will almost always need to be writable by the web server. To prevent PHP execution in this directory, place an .htaccess file in the root of wp-content/uploads containing:

[php]
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
[/php]
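
As an added example (not from the original post or from wordpress.org), here is a stricter wp-content/uploads/.htaccess that also covers the other PHP-family extensions and double-extension names, using Apache 2.4 authorization syntax with a fallback for 2.2 hosts; it assumes the vhost lets .htaccess override Limit, AuthConfig and FileInfo:

```apache
# wp-content/uploads/.htaccess  (added example, not the original post's code)
# Files uploaded here must only ever be served, never executed.

# Match .php and its siblings (.php5, .phtml, .phar) anywhere in the file name,
# so a double-extension upload such as shell.php.jpg is refused as well.
<FilesMatch "\.(?:php[0-9]?|phtml|phar)(?:\.|$)">
    # Apache 2.4
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (no mod_authz_core)
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# Defence in depth: even if a request slips through, do not hand these
# extensions to the PHP handler in this directory tree.
RemoveHandler .php .phtml .php5 .phar
RemoveType .php .phtml .php5 .phar
```

nginx ignores .htaccess entirely; there the equivalent is a location block for /wp-content/uploads/ that never passes requests to the PHP backend.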

Restrict wp-admin access

More on this can be found at wordpress.org

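
One concrete way to restrict wp-admin, as an added example (not from the original post or from wordpress.org): a wp-admin/.htaccess that allows the dashboard only from an administrator's network while keeping admin-ajax.php reachable for ordinary visitors. It assumes Apache with .htaccess enabled, and 203.0.113.0/24 is a placeholder range to replace with your own:

```apache
# wp-admin/.htaccess  (added example; 203.0.113.0/24 is a placeholder range)

<IfModule mod_authz_core.c>
    # Apache 2.4: everything under /wp-admin/ is denied unless the client
    # address is inside the administrator's network.
    Require ip 203.0.113.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 fallback
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
</IfModule>

# Themes and plugins call admin-ajax.php for anonymous visitors, so it must stay
# reachable; this more specific <Files> section overrides the directory rule.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

wp-login.php lives in the site root, not under wp-admin, so it needs its own `<Files wp-login.php>` rule in the root .htaccess; if administrators have dynamic addresses, the same structure works with HTTP Basic authentication (AuthType Basic) in place of the IP list.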

Restrict wp-includes access

More on this can be found at wordpress.org

[php]
# Block the include-only files.
# Place these rules in the site's root .htaccess, above the "# BEGIN WordPress" block.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
[/php]

You may find that attackers, unauthorized programs or third parties are hijacking your sessions.
If you have any doubt, change your security keys (the keys and salts defined in wp-config.php); see wordpress.org for details.
You may also use SUCURI; learn more at sucuri.net.

Firewalls and audits

For a brief list of WordPress firewalls:

For any other site vulnerabilities, Sucuri has an online scanner you can use to check your website: https://sitecheck.sucuri.net/

WPScans also offers a free security scan: https://wpscans.com/

Other precautions

For other precautions, you may want to consider the following options.

2FA (two-factor authentication): a security measure that requires a random code generated on your phone, in addition to your username and password, before access to your site is allowed. Without the random code, a user cannot log in with the password alone. There are many options for this; check wordpress.org for the best solution for you:
https://wordpress.org/search/2FA

You may also want to install an SSL certificate so that data transmitted to and from your website is encrypted:
https://wordpress.org/search/SSL+certificate

If you would like our team to manage your WordPress website, or to perform a one-time website audit, we can give you a custom solution that works for you.

Call us at:  808-206-7399

Request a website security audit