Securing WordPress Sites

When performing a self-installation of WordPress, there are easy steps that can be taken to help protect it against attack. Many of the cases our Abuse Department deals with on a daily basis are the result of malicious WordPress attacks. Securing WordPress will make it much harder for malware to gain access.

Securing WordPress

If malware cannot read a certain file or directory, it is more likely to move on to the next victim. Each step included below can be performed on any of the pair Networks Shared or Dedicated Hosting servers.

Keep WordPress Up to Date

The first step in securing WordPress sites is always keeping the software up to date. This includes all themes and plugins installed, whether active or inactive. The longer a given version of the software has been available, the more likely it is that a vulnerability in it has been found and is being exploited by malware.

If a plugin has not released a new version within 6 months, it is likely no longer safe to use and should be replaced or uninstalled. If your WordPress was installed using pairSIM, you will be notified when new updates are available upon logging in to the Account Control Center.

Limit Access

The wp-config.php file holds the WordPress database username and password. Read access should be granted only to the account owner.

pair Networks recommends setting this file to 600 permissions once the initial installation has completed. This can be done through the Account Control Center, SSH or FTP. If your account is from before June 2011, you will need to enable suEXEC first. You may also add the following lines to the .htaccess file to prevent the file from being served over the web.


<Files wp-config.php>
order allow,deny
deny from all
</Files>

This block should be added to the top of the file, before the line # BEGIN WordPress. The <Files> wrapper matters: on their own, the two directives would deny access to the whole site rather than to wp-config.php alone. (On Apache 2.4 the equivalent directive inside the wrapper is Require all denied.)
The following directories should have permissions no more permissive than 755 (owner read/write/execute, group and others read/execute only):

wp-admin
wp-includes
wp-content
wp-content/themes
wp-content/plugins
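The following script is an added example, not pair Networks' own tooling: it audits a WordPress installation against the permission guidance above (600 on wp-config.php, nothing looser than 755 on the core directories) and can then apply it. It assumes GNU coreutils and findutils as found on Linux hosts (stat -c, find -perm /mode); the installation path is whatever you pass in.

```shell
# Added example (not pair Networks' tooling): audit and apply the permission
# guidance above on a WordPress install. Assumes GNU coreutils/findutils
# (stat -c, find -perm /mode) as found on Linux hosts. The path argument is
# hypothetical; pass your own installation directory.
#
# Usage:  . ./wp-perms.sh; wp_audit /path/to/wordpress || wp_harden /path/to/wordpress

WP_CORE_DIRS="wp-admin wp-includes wp-content wp-content/themes wp-content/plugins"

# Octal mode of a path, e.g. 644 (GNU stat).
wp_mode() {
    stat -c '%a' "$1"
}

# Report anything looser than the guidance without changing it.
# Returns 0 when everything already complies, 1 otherwise.
wp_audit() {
    root="$1"
    rc=0
    # wp-config.php holds the database credentials: owner read/write only.
    if [ "$(wp_mode "$root/wp-config.php")" != "600" ]; then
        echo "wp-config.php: mode $(wp_mode "$root/wp-config.php"), expected 600"
        rc=1
    fi
    # Core directories: no write bit for group or others (755 or stricter).
    # find -perm /022 matches when either of those write bits is set.
    for d in $WP_CORE_DIRS; do
        [ -d "$root/$d" ] || continue
        if [ -n "$(find "$root/$d" -maxdepth 0 -type d -perm /022)" ]; then
            echo "$d: mode $(wp_mode "$root/$d"), expected 755 or stricter"
            rc=1
        fi
    done
    return $rc
}

# Apply the guidance: 600 on wp-config.php, 755 on the core directories.
wp_harden() {
    root="$1"
    chmod 600 "$root/wp-config.php"
    for d in $WP_CORE_DIRS; do
        if [ -d "$root/$d" ]; then
            chmod 755 "$root/$d"
        fi
    done
}
```

Run wp_audit from cron or after every plugin installation; plugin installers and FTP clients are the usual source of directories that quietly end up 777.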

Assigning server-side password protection through .htaccess to the wp-admin section of the WordPress installation provides a second layer of protection against intrusion, since an attacker must pass the web server's authentication before reaching the WordPress login form at all.

To block direct web requests to the include-only files in important WordPress directories (files WordPress loads internally and that should never be requested by a browser), the following code may be added to the .htaccess file:


# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Deny direct requests to wp-admin/includes/.
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Deny PHP files directly under wp-includes/ ...
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# ... the TinyMCE language files ...
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# ... and the theme-compat directory.
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

This code should be added to the top of the file, before the line # BEGIN WordPress. The "-" after each pattern must be a plain hyphen (not a typographic dash copied from a web page): it tells mod_rewrite to leave the URL unchanged and apply only the flags, where [F] returns 403 Forbidden, [L] stops processing, and [S=3] skips the next three rules.

Passwords

Always follow strong password guidelines when configuring administrative users in WordPress. This means a password that is at least 8 characters long and contains upper and lower case letters, at least one number, and at least one special (non-alphanumeric) character. Never use dictionary words, names, or significant dates in your password.

Monitor files for changes

There are a number of excellent plugins available for securing WordPress installations; the most useful for this purpose monitor the WordPress core files for unexpected changes. We personally recommend Wordfence. While we are not affiliated with Wordfence, our Abuse Team has worked with many Wordfence data reports, and they are extremely reliable.
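To show what such a plugin is doing for the core directories, here is an added example that is neither Wordfence's nor pair Networks' code: a minimal change monitor built on sha256sum. It records a baseline of every file under wp-admin and wp-includes, then reports files that were modified, deleted or newly added since. It assumes GNU coreutils on a Linux host; the paths are hypothetical, and the manifest path must be absolute because the functions change into the WordPress root.

```shell
# Added example (not Wordfence's or pair Networks' code): a minimal change
# monitor for the WordPress core directories, built on sha256sum, to show
# the kind of check a plugin such as Wordfence performs. Assumes GNU coreutils
# on a Linux host. Paths are hypothetical; the manifest path must be absolute
# because the functions cd into the WordPress root.
#
# Usage:  wp_baseline /path/to/wordpress /safe/place/core.sha256   (once, after install or update)
#         wp_verify   /path/to/wordpress /safe/place/core.sha256   (from cron; non-zero = changes)

WP_CORE_DIRS="wp-admin wp-includes"

# Record a SHA-256 for every file under the core directories.
# Keep the manifest outside the web root so an intruder cannot rewrite it.
wp_baseline() {
    root="$1"; manifest="$2"
    ( cd "$root" && find $WP_CORE_DIRS -type f -exec sha256sum {} + ) > "$manifest"
}

# Compare the live tree against the manifest. Prints one line per modified or
# deleted ("FAILED") or new ("NEW") file; returns 0 only when nothing differs.
wp_verify() {
    root="$1"; manifest="$2"
    status=0
    # Modified or deleted files: sha256sum -c reports them as "<path>: FAILED".
    if ! ( cd "$root" && sha256sum -c --quiet "$manifest" 2>/dev/null ); then
        status=1
    fi
    # Files present on disk but absent from the baseline. sha256sum -c cannot
    # see these, and an unexpected new PHP file is exactly what to look for.
    # Manifest lines are "<64 hex chars>  <path>", so the path starts at column 67.
    added=$( cd "$root" && find $WP_CORE_DIRS -type f |
        awk -v m="$manifest" '
            BEGIN { while ((getline line < m) > 0) known[substr(line, 67)] = 1 }
            !($0 in known) { print $0 ": NEW" }' )
    if [ -n "$added" ]; then
        printf '%s\n' "$added"
        status=1
    fi
    return $status
}
```

Re-run wp_baseline after every WordPress update, otherwise legitimate core changes will be reported alongside malicious ones and the report becomes noise.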

Securing WordPress installations by following these few simple steps will help prevent future malware attacks. It is also important to remember that routine security measures, such as regular backups, are vital to ensuring the stability of your site.