How to harden WordPress
Almost 75% of websites and blogs are built on WordPress, which is the most widely used CMS (Content Management System). Unfortunately, sites that run WordPress are also the ones most frequently hit by attacks and vulnerabilities, so let us see how we can harden WordPress to resist them.
As we know, WordPress is a free tool, so anyone can install it. That is also the root of most WordPress attacks: because anyone can install it, everyone, hackers included, knows the default settings we are going to use. Knowing those defaults is one of the main ways attackers get in. So one of the most important things we can do is move as far away from the default settings as possible. Here I will point out some of the main things you can do to protect your WordPress sites.
Changing the default user
Never use “admin” as the username of your WordPress account. Whenever a hacker tries to find your login, the first username he will try is “admin”. Why make it simple for him?
Using complex passwords
Never use dictionary words as your password. If you do, trust me, you will be hacked. Always use complex patterns that combine numbers, uppercase letters and special characters.
Updating WordPress and plugins
Always update WordPress to the latest version. When you update WordPress you may not notice much difference in appearance or options, so what are these updates giving you? Have you ever thought about that? They provide patches for the latest vulnerabilities plus some new functions. So make sure you keep WordPress at the latest version.
The same goes for plugins. Update them as soon as an update is released. Also, avoid installing a plugin whose last update was a year ago; if the plugin's developers don't push out regular updates, consider the plugin not worth using.
The above three points are a must. To enhance security further, see the remaining points:
Two step verification
You can add two-step verification to your admin login: after you enter your login details, a code is sent to your phone or to your registered email address, and only after entering that code can you log in to the WordPress dashboard. Many plugins provide this.
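To make the mechanism concrete, here is an added example (not code from this post or from any plugin) of how a server can issue and check such a one-time code: the code is random, only an HMAC of it is stored, it expires after five minutes, it is single-use, and a handful of wrong guesses invalidates it. The `SecondStep` class, the server secret and the injectable clock are the example's own assumptions; delivering the code by SMS or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code sent by SMS/email should not live long
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


class SecondStep:
    """Issues and verifies the one-time code used as the second login step.

    Hypothetical class for this example. `server_secret` keys the HMAC so that
    a leaked table of pending codes is useless on its own; `now` is injectable
    so the expiry logic can be tested with a fake clock.
    """

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now
        # username -> (hmac of code, expiry timestamp, attempts left)
        self._pending = {}

    def _digest(self, username: str, code: str) -> str:
        msg = f"{username}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, username: str) -> str:
        """Create a six-digit code for `username`; the caller sends it to the user."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[username] = (
            self._digest(username, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        )
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """True only for the current, unexpired, not-yet-used code of this user."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hmac, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[username]
            return False
        # constant-time comparison so timing does not leak how much matched
        ok = hmac.compare_digest(code_hmac, self._digest(username, submitted))
        if ok:
            del self._pending[username]          # a code is good exactly once
        else:
            self._pending[username] = (code_hmac, expires_at, attempts_left - 1)
        return ok


if __name__ == "__main__":
    step = SecondStep(b"constructed-example-secret")
    code = step.issue("editor")
    print("deliver to user:", code, "| verified:", step.verify("editor", code))
```

The server never stores the code itself, so a database read does not hand an attacker a usable second factor, and the attempt counter keeps a six-digit code from being guessed by brute force within its lifetime.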
Removing unused plugins and themes
Currently your WordPress site might have 5 or 6 themes or more installed, but you use only one. The same goes for plugins: there will be many plugins you don't use but still have installed. Who knows, there might be a vulnerability in a plugin you don't use but have installed. Just deactivating them is not enough; remove them.
Installing a firewall plugin
Install plugins that act as a firewall against attacks on your WordPress site. Wordfence is one such plugin that is widely used and freely available. These plugins let us create custom rules that block attacks and the IP addresses the attacks are coming from.
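As an added example of the kind of rule such a firewall applies (this is not code from the post or from Wordfence), here is a small Python script that reads Apache access-log lines, counts failed logins per source address and emits deny rules for addresses that cross a threshold inside a short window. The log lines are constructed for the example; the threshold, the window and the `Deny from` output format are the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines for the example (not real traffic):
# 203.0.113.7 hammers wp-login.php; 192.0.2.5 mistypes twice, then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] "GET /2023/10/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields we need from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    # WordPress answers a wrong password by re-rendering the form (HTTP 200);
    # a successful login redirects to wp-admin (HTTP 302).
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_bruteforce_sources(log_text, threshold=5, window_seconds=60):
    """Map IP -> total failed logins for IPs with `threshold` failures in one window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            span = (stamps[i + threshold - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                flagged[ip] = len(stamps)
                break
    return flagged


def deny_rules(ips):
    """Render block rules in the .htaccess syntax used elsewhere on this page."""
    return ["Deny from " + ip for ip in sorted(ips)]


if __name__ == "__main__":
    print("\n".join(deny_rules(find_bruteforce_sources(SAMPLE_LOG))))
```

With the default threshold only the scripted client is flagged; the legitimate user who mistyped twice is not, which is the balance a custom firewall rule has to strike.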
Changing the “wp_” database table prefix
By default a WordPress installation gives every table the prefix “wp_”, so keeping it unchanged is a kind of vulnerability. For example, if attackers can alter the data in the wp_options table they can make your WordPress site redirect to another one, and the same applies to the other tables.
First open your wp-config.php file and change the table prefix line from “wp_” to “wp453_” or something similar. You can then rename all the database tables using phpMyAdmin: in phpMyAdmin, go to the SQL tab and run the following commands:
RENAME table `wp_commentmeta` TO `wp453_commentmeta`;
RENAME table `wp_comments` TO `wp453_comments`;
RENAME table `wp_links` TO `wp453_links`;
RENAME table `wp_options` TO `wp453_options`;
RENAME table `wp_postmeta` TO `wp453_postmeta`;
RENAME table `wp_posts` TO `wp453_posts`;
RENAME table `wp_terms` TO `wp453_terms`;
RENAME table `wp_termmeta` TO `wp453_termmeta`;
RENAME table `wp_term_relationships` TO `wp453_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp453_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp453_usermeta`;
RENAME table `wp_users` TO `wp453_users`;
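A list like this is easy to get wrong by hand, and renaming the tables alone is not enough: WordPress also stores the prefix inside row values, namely the `wp_user_roles` option and the usermeta keys such as `wp_capabilities`, so every user loses their role unless those are updated too. As an added example (not from the post), this Python function generates the full statement set for any old and new prefix, validates the prefix the way WordPress does (letters, digits and underscores only) and escapes the `_` wildcard in the LIKE pattern. `prefix_migration` and `CORE_TABLES` are the example's own names; take a database backup before running its output.

```python
import re

# The twelve tables a stock single-site WordPress install creates.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "termmeta", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]

# WordPress only accepts prefixes made of letters, digits and underscores.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def prefix_migration(old, new, tables=CORE_TABLES):
    """Return the SQL statements that move a WordPress database from prefix
    `old` to prefix `new`, including the row values that embed the prefix."""
    if not (PREFIX_RE.match(old) and PREFIX_RE.match(new)):
        raise ValueError("prefixes may contain only letters, digits and underscores")
    if old == new:
        raise ValueError("new prefix must differ from the old one")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # The serialized role definitions live under an option named <prefix>user_roles.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # Per-user keys (<prefix>capabilities, <prefix>user_level, ...) carry the
    # prefix too. '_' is a single-character wildcard in LIKE, so escape it.
    like_old = old.replace("_", "\\_")
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = "
        f"CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_old}%';"
    )
    return stmts


if __name__ == "__main__":
    print("\n".join(prefix_migration("wp_", "wp453_")))
```

Paste the output into the phpMyAdmin SQL tab after the `$table_prefix` line in wp-config.php has been changed, and check that an administrator can still reach the dashboard; if the usermeta update was skipped, the symptom is "Sorry, you are not allowed to access this page" for every account.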
Changing the default login URL
Changing the default login URL is an important hack that improves security. Currently, for example, anyone who goes to www.yourwebsite.com/wp-admin sees the login page, so a hacker can do the same and try different combinations. He may or may not succeed, but why take the chance? Many free and paid plugins can help you with this, so do give it a shot.
Disabling directory listings
Disabling directory listings helps you prevent FPD (Full Path Disclosure) vulnerabilities. You can do this by adding a single line to your .htaccess file.
Disabling PHP execution
Most infections injected into WordPress are PHP files, so blocking unwanted execution of PHP files is a really good safety measure. Put the following in the .htaccess of a directory that should never run PHP, typically wp-content/uploads; placing it in the site root would block WordPress itself:
<Files *.php>
deny from all
</Files>
As you know, wp-config.php is the main configuration file of a WordPress site. We specify the database and many other details in it, so it is important to protect it from any unauthorized access. You can do this by adding the following to your .htaccess:
<files wp-config.php>
order allow,deny
deny from all
</files>
Have I missed something? Then do let us know in the comments. Also let us know if these hardening steps helped you 🙂
We will help you secure WordPress under our Server Management plans. You can contact us for any assistance.