Secure WordPress : How to lock down your WordPress site

Most of these techniques are easy to implement for a beginner or recover from if something goes wrong.

1. Delete the Admin login
The default Admin account, with a user name everyone knows and full privileges, is an easy target for any attacker. You should delete this user account right away. The steps:

1. Log in with the default Admin account
2. Create a new user with a unique name and Admin privileges
3. Log in as the new user and delete the Admin user.

Note: On a fresh install this step can be avoided entirely by choosing a user name other than “Admin” during setup.

2. Change your WordPress Nickname
Bots will scrape your site’s posts looking for author tags and then use the names they find as the login username; this is a very effective way to turn a brute-force attack into a guess at a single password. In your WP admin, go to your Profile (or Users), add a Nickname (or First Name), and set “Display name publicly as” to something different from your actual login username!

3. Get some WordPress security keys
WordPress uses a set of secret security keys (salts) to protect the information stored in your cookies.
These keys go into your wp-config.php. The official wordpress.org site provides a random key generator at https://api.wordpress.org/secret-key/1.1/salt/ . Hit refresh in your browser to get a new set of keys, then copy/paste the whole block into your wp-config.php in place of the existing key lines.

4. Move wp-config up one directory and lock it down
The wp-config.php file contains all your WordPress database credentials. You can move this file up one directory on your server, outside the web root, which protects it from any browser-based attack; WordPress automatically looks one directory above its own install folder for it. It is also a good idea to change the permissions on it to 600.

5. Limit login attempts
Using plugins for security is often an afterthought, and relying on a plugin to protect what is already insecure is bad practice. The plugin Limit Login Attempts, on the other hand, is very useful: it blocks further attempts after too many failed logins to your site, which locks out brute-force attacks. It can even log the IPs that are failing to get in.

6. Check your file and directory permissions
File and directory permissions can be tricky depending on the host. In the majority of cases you want files set to 644 or 640 and folders set to 755 or 750. You should never have to set anything to 777 unless your host has been misconfigured, EVER! The golden rule with permissions is to set them as low as you can while keeping the site in working order.
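The following audit script is an added example (not from the original guide) that checks a WordPress install against the 644/640 and 755/750 guidance of step 6 and the 600 on wp-config.php from step 4. It assumes GNU find (for -printf) and takes the web root as its argument; wp-config.php is looked for both in the web root and one directory above it.

```shell
#!/bin/sh
# wp_perm_audit: report files and directories whose permissions deviate from
# the guide's recommendations. Prints one line per finding and a summary line;
# exit status is 0 when nothing was found, 1 otherwise.
# Usage: . ./wp_perm_audit.sh && wp_perm_audit /var/www/html
wp_perm_audit() {
    root=$1
    tmp=$(mktemp)

    # Anything world-writable is flagged first (the "never 777" rule).
    find "$root" ! -type l -perm -o+w -printf 'WORLD-WRITABLE %m %p\n' >> "$tmp"

    # Regular files that are neither 644 nor 640. World-writable files were
    # already reported above, and wp-config.php has its own stricter check.
    find "$root" -type f ! -name wp-config.php ! -perm -o+w \
        ! -perm 644 ! -perm 640 -printf 'FILE %m %p\n' >> "$tmp"

    # Directories that are neither 755 nor 750 (again skipping world-writable ones).
    find "$root" -type d ! -perm -o+w \
        ! -perm 755 ! -perm 750 -printf 'DIR %m %p\n' >> "$tmp"

    # wp-config.php, whether moved above the web root (step 4) or still inside it,
    # should be 600 so only the owner can read the database credentials.
    for cfg in "$root/../wp-config.php" "$root/wp-config.php"; do
        [ -f "$cfg" ] && find "$cfg" ! -perm 600 -printf 'WPCONFIG %m %p\n' >> "$tmp"
    done

    cat "$tmp"
    n=$(wc -l < "$tmp")
    rm -f "$tmp"
    echo "findings: $n"
    [ "$n" -eq 0 ]
}
```

The script only reports; review the list and fix permissions by hand, since some hosts legitimately require a group-writable uploads directory.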

7. Hide version info
Hiding the WP version info is a small step to discourage bots crawling your site; it does not prevent fingerprinting, but every little bit helps. In your theme’s functions.php add the following:

// remove version info from head and feeds:
// the_generator is the filter WordPress runs to build the
// <meta name="generator"> tag and the feed generator element,
// so returning an empty string drops both
function complete_version_removal() {
return '';
}
add_filter('the_generator', 'complete_version_removal');

8. Don’t allow search bots to browse your directories
Google search can crawl URLs you never meant to expose and hand them to attackers. It’s best to prevent Google’s bot, and any other bot that honours robots.txt (not all of them do), from indexing anything but your content. The robots.txt file is just a text file that goes in your site’s root folder. Keep in mind that robots.txt is itself public, so it only keeps paths out of search results; it does not protect them.

User-agent: *

Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-

9. Disable user registration.
Yes, you can disable user registration in the Admin. If you’re running a small blog or CMS and don’t have multiple people sharing it, go ahead and disable user registration completely under your General settings (the “Anyone can register” option).

10. Basic .htaccess Rules
Some basic rules you can add to your root .htaccess file. More advanced rules are covered in the advanced guide, since experimenting here can break your site, but these won’t do much other than protect you.

# limit indexing of directories
Options All -Indexes

#protect the htaccess file
#(order/deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<files .htaccess>
order allow,deny
deny from all
</files>

#disable the server signature
ServerSignature Off

#limit request bodies, and therefore file uploads, to roughly 10mb
LimitRequestBody 10240000

#protect wp-config.php.
#If you followed step 4 this is not necessary.
<files wp-config.php>
order allow,deny
deny from all
</files>

11. Delete the readme and any unnecessary files.
WordPress ships with a default readme.html, and many plugins and themes also come with one. It’s best to just delete them, as they can be used for fingerprinting or general snooping and often contain version info. Note that a WordPress core update puts readme.html back, so check again after updating. Also keep your folders clear of any junk files.

Source : http://wpsecure.net/secure-wordpress/