How to secure your wordpress blogs

[wlanboy]

Time to start the discussion about how to secure wordpress blogs.

There are some actions everyone should take to secure his wordpress blog:

1. Strong passwords
   I use openssl to generate passwords:
   
   openssl rand -base64 60
   
   Change the number of digits too.
    
   
2. Limit login attempts
   There is a plugin doing the job.
   It blocks the lightweight attacks. Because a botnet or someone using Tor does have a lot of IPs.
   Best feature: This plugin is sending you  email warnings if such attacks happen.
   
   Another plugin (thanks Abdussamad) to limit the number of login attemts: Fail2ban plugin.
   This plugin is creating log entries that can be catched by fail2ban.
    
3. Password protect wp-admin directory
   htaccess/htpasswd are your friends.
    
4. Never ever use common usernames
   No "admin", no "Admin", no "root", no "Administrator", not your nickname, not the domain name, well I guess you got it.
    
5. Add some filters
   Ensure that wordpress is not telling everyone that the user exists but the password was wrong:
   
   nano /wp-content/your-theme/functions.php
   add_filter('login_errors',create_function('$a', "return null;"));
   
   
6. Disable xml-rpc, if you do not need it
   Another filter:
   

   add_filter( 'xmlrpc_enabled', '__return_false' );

   Yup, xmlL-rpc is enabled by default since wordpress 3.5.
   And of course there is a plugin for that.
    
   
7. Rename wp-login.php
   Nice catch from eva.
   There is a plugin that is able to rename the permalinks of the wp-login.php.
   Nice way to let the attacker run/hit into empty space.
    
8. Update your wordpress instance and backup your database

On request the lighttpd and apache config for the password protection:

• lighttpd
  
  $HTTP["url"] == "/wp-login.php" {
  auth.backend = "htpasswd"
  auth.backend.htpasswd.userfile = "/etc/lighttpd/wordpress"
  auth.require = ("/wp-login.php" => (
  "method" => "basic",
  "realm" => "wordpress",
  "require" => "valid-user"
  ))
  }
  
  $HTTP["url"] =~ "^/wp-admin/" {
  auth.backend = "htpasswd"
  auth.backend.htpasswd.userfile = "/etc/lighttpd/wordpress"
  auth.require = ("/wp-admin" => (
  "method" => "basic",
  "realm" => "wordpress",
  "require" => "valid-user"
  ))
  }
  
  
  
• apache
  

  <Files wp-login.php>
    AuthName "Restricted Wordpress-Area"
    AuthType Basic
    AuthUserFile ~/wordpress
    Require valid-user
  </Files>
  
  # Deny access to important files
  <FilesMatch "(\.htaccess|\.htpasswd)">
    Order deny,allow
    Deny from all
  </FilesMatch>

• ngix
   
  
  

  location = /wp-login.php {
     auth_basic "Restricted Wordpress-Area";
     auth_basic_user_file /etc/nginx/wordpress;
  
     include /etc/nginx/conf.d/fastcgi.conf;
  }

 

[eva2000]

Some plugins that are handy

• Acunetix Wordpress Security Plugin. Check support forum for any issues.
• Sucuri Security Malware Scanner. Check support forum for any issues.
• Wordpress Firewall
  
• Disable XML-RPC - for Wordpress 3.5+ and higher security. XML-RPC Validation Tool <-- wlanboy thanks for heads up on that one

Acunetix is very handy to have

 

[wlanboy]

Added the config snipplets to secure wp-login.php too.

 

[eva2000]

Added the config snipplets to secure wp-login.php too.

Another plugin

• Rename wp-login.php
  

 

[drmike]

BTW: Hoping to see this as a living document with more grafted onto the original tutorial piece.   This is gold for those using/contemplating Wordpress.

 

[DalComp]

Softaculous nicely integrate Limit Login Attempts plugin with wordpress installations. Might save some seconds of your life.

 

[Abdussamad]

If you have root access to your server use fail2ban:

http://abdussamad.com/archives/616-Stop-Brute-Force-WordPress-Login-Attempts-with-Fail2Ban.html

This is a more efficient solution that installing a large security plugin.

As far as hiding usernames goes that is a bad idea. Usernames are not secret information. So stop trying to hide them. If you use a strong password you will not have any problems.

 

[mikho]

Another thing to do to increase the security is to change the ID (in the database) of the admin user, the first user you create will be the administrator of your Wordpress blog and if a hacker are able to inject sql commands it will be easy to change the password to something the intruder knows and then login as an admin.

 

[JackDoan]

Another thing to do to increase the security is to change the ID (in the database) of the admin user, the first user you create will be the administrator of your Wordpress blog and if a hacker are able to inject sql commands it will be easy to change the password to something the intruder knows and then login as an admin.

But if they can inject SQL, why not just add their own user?

 

[wlanboy]

Updated my initial post.

BTW: Hoping to see this as a living document with more grafted onto the original tutorial piece.   This is gold for those using/contemplating Wordpress.

Of course.

Another plugin

• Rename wp-login.php
  

Added the plugin to the list. Good catch eva.

If you have root access to your server use fail2ban:

http://abdussamad.com/archives/616-Stop-Brute-Force-WordPress-Login-Attempts-with-Fail2Ban.html

This is a more efficient solution that installing a large security plugin.

As far as hiding usernames goes that is a bad idea. Usernames are not secret information. So stop trying to hide them. If you use a strong password you will not have any problems.

I like fail2ban. It is a nice approache to ban ips without any database involved.
I have added it to the list as an option, because not everyone is able to install fail2ban (shared hosting).

Another thing to do to increase the security is to change the ID (in the database) of the admin user, the first user you create will be the administrator of your Wordpress blog and if a hacker are able to inject sql commands it will be easy to change the password to something the intruder knows and then login as an admin.

@see JackDoan.

But if they can inject SQL, why not just add their own user?

Yup if someone hase access to your database you will not worry about any login attempts.

But sometimes the SQL injection is limited.

 

[mikho]

Some plugins change the structure of some tables, not 100% sure that the user table ever changes but I get the feeling its "easier" to change the password then adding another user.


I mentioned it since I noticed it on this Wordpress plugin. http://wordpress.org/plugins/better-wp-security/

 

[peterw]

Some plugins change the structure of some tables


I mentioned it since I noticed it on this Wordpress plugin. http://wordpress.org/plugins/better-wp-security/

The plugin better-wp-security harms more than it servers. It killed my blog during the update of to version 3.0. Don't use it.

 

[mikho]

The plugin better-wp-security harms more than it servers. It killed my blog during the update of to version 3.0. Don't use it.

You need to check the compatibility before upgrading

 

[switsys]

The plugin better-wp-security harms more than it servers. /.../ Don't use it.

I strongly agree. I think this plug-in is a piece of sh**.

 

[VPSCorey]

I've asked Wordpress several times to randomize plugin directories on install and store them in the db that way drive by attacks through google can never work because each plugin across each install would have a randomized name.

They continue to blow off the suggestion which could have the greatest impact on how wordpress gets constantly owned.

 

[peterw]

I've asked Wordpress several times to randomize plugin directories on install and store them in the db that way drive by attacks through google can never work because each plugin across each install would have a randomized name.

Or the ability to change the folder name.

 

[eva2000]

What about email notification when plugin updates are available ? Found these 2 plugins

• http://wordpress.org/support/plugin/wp-updates-notifier
  
• http://wordpress.org/support/plugin/mail-on-update

 

[peterw]

Still thinking about using the auto updater: http://wordpress.org/plugins/automatic-updater/

 

[Abdussamad]

PSA: WordPress 3.7 is going to have automatic core updates:

http://make.wordpress.org/core/2013/08/28/core-updates-in-3-7/

 

[wlanboy]

PSA: WordPress 3.7 is going to have automatic core updates:

http://make.wordpress.org/core/2013/08/28/core-updates-in-3-7/

Thank you for pointing to this nice feature.