amuck-landowner

How to secure your wordpress blogs

wlanboy

Content Contributer
Time to start the discussion about how to secure wordpress blogs.

There are some actions everyone should take to secure his wordpress blog:

  1. Strong passwords
    I use openssl to generate passwords:

    openssl rand -base64 60

    Change the number of digits too.
     
  2. Limit login attempts
    There is a plugin doing the job.
    It blocks the lightweight attacks. Because a botnet or someone using Tor does have a lot of IPs.
    Best feature: This plugin is sending you  email warnings if such attacks happen.
    wordpress1.png
    Another plugin (thanks Abdussamad) to limit the number of login attemts: Fail2ban plugin.
    This plugin is creating log entries that can be catched by fail2ban.
     
  3. Password protect wp-admin directory
    htaccess/htpasswd are your friends.
     
  4. Never ever use common usernames
    No "admin", no "Admin", no "root", no "Administrator", not your nickname, not the domain name, well I guess you got it.
     
  5. Add some filters
    Ensure that wordpress is not telling everyone that the user exists but the password was wrong:

    nano /wp-content/your-theme/functions.php
    add_filter('login_errors',create_function('$a', "return null;"));

  6. Disable xml-rpc, if you do not need it
    Another filter:
    Code:
    add_filter( 'xmlrpc_enabled', '__return_false' );
    Yup, xmlL-rpc is enabled by default since wordpress 3.5.
    And of course there is a plugin for that.
     
  7. Rename wp-login.php
    Nice catch from eva.
    There is a plugin that is able to rename the permalinks of the wp-login.php.
    Nice way to let the attacker run/hit into empty space.
     
  8. Update your wordpress instance and backup your database

On request the lighttpd and apache config for the password protection:

  • lighttpd

    $HTTP["url"] == "/wp-login.php" {
    auth.backend = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/wordpress"
    auth.require = ("/wp-login.php" => (
    "method" => "basic",
    "realm" => "wordpress",
    "require" => "valid-user"
    ))
    }

    $HTTP["url"] =~ "^/wp-admin/" {
    auth.backend = "htpasswd"
    auth.backend.htpasswd.userfile = "/etc/lighttpd/wordpress"
    auth.require = ("/wp-admin" => (
    "method" => "basic",
    "realm" => "wordpress",
    "require" => "valid-user"
    ))
    }


  • apache
    Code:
    <Files wp-login.php>
      AuthName "Restricted Wordpress-Area"
      AuthType Basic
      AuthUserFile ~/wordpress
      Require valid-user
    </Files>
    
    # Deny access to important files
    <FilesMatch "(\.htaccess|\.htpasswd)">
      Order deny,allow
      Deny from all
    </FilesMatch>
  • ngix
     

    Code:
    location = /wp-login.php {
       auth_basic "Restricted Wordpress-Area";
       auth_basic_user_file /etc/nginx/wordpress;
    
       include /etc/nginx/conf.d/fastcgi.conf;
    }
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
BTW: Hoping to see this as a living document with more grafted onto the original tutorial piece.   This is gold for those using/contemplating Wordpress.
 

DalComp

New Member
Softaculous nicely integrate Limit Login Attempts plugin with wordpress installations. Might save some seconds of your life. :D
 

mikho

Not to be taken seriously, ever!
Another thing to do to increase the security is to change the ID (in the database) of the admin user, the first user you create will be the administrator of your Wordpress blog and if a hacker are able to inject sql commands it will be easy to change the password to something the intruder knows and then login as an admin.
 

JackDoan

New Member
Another thing to do to increase the security is to change the ID (in the database) of the admin user, the first user you create will be the administrator of your Wordpress blog and if a hacker are able to inject sql commands it will be easy to change the password to something the intruder knows and then login as an admin.
But if they can inject SQL, why not just add their own user?
 

wlanboy

Content Contributer
Updated my initial post.

BTW: Hoping to see this as a living document with more grafted onto the original tutorial piece.   This is gold for those using/contemplating Wordpress.
Of course.

Added the plugin to the list. Good catch eva.

If you have root access to your server use fail2ban:

http://abdussamad.com/archives/616-Stop-Brute-Force-WordPress-Login-Attempts-with-Fail2Ban.html

This is a more efficient solution that installing a large security plugin.

As far as hiding usernames goes that is a bad idea. Usernames are not secret information. So stop trying to hide them. If you use a strong password you will not have any problems.
I like fail2ban. It is a nice approache to ban ips without any database involved.
I have added it to the list as an option, because not everyone is able to install fail2ban (shared hosting).

Another thing to do to increase the security is to change the ID (in the database) of the admin user, the first user you create will be the administrator of your Wordpress blog and if a hacker are able to inject sql commands it will be easy to change the password to something the intruder knows and then login as an admin.
@see JackDoan.

But if they can inject SQL, why not just add their own user?
Yup if someone hase access to your database you will not worry about any login attempts.

But sometimes the SQL injection is limited.
 

VPSCorey

New Member
Verified Provider
I've asked Wordpress several times to randomize plugin directories on install and store them in the db that way drive by attacks through google can never work because each plugin across each install would have a randomized name.

They continue to blow off the suggestion which could have the greatest impact on how wordpress gets constantly owned.
 

peterw

New Member
I've asked Wordpress several times to randomize plugin directories on install and store them in the db that way drive by attacks through google can never work because each plugin across each install would have a randomized name.
Or the ability to change the folder name.
 
Top
amuck-landowner