
WordPress Security Revisited

sandibatik · August 13, 2011 · Leave a Comment

A Redux of WordPress Security Tips First Addressed In May 9, 2011 Meetup

Locking Down Your Site


It is important to note that even if you implement all the tips and tricks in this post, there is no guarantee that your site will remain 100% safe.

Maintaining best security practices for your site decreases the chance of a casual hack tremendously and discourages code-crackers from targeting your blog.

New exploits are discovered every so often, and until a fix has been made available, everyone is at risk.

However, by implementing all or some of the tips here, you should at the very least have peace of mind that you are not leaving your Information-House unlocked.

Hiding WordPress Version in the Header Tag

Even if you have deleted the WordPress version meta tag from your theme, you may still find a WordPress version line in the pages returned by the blog software.

How is this possible? Since version 2.5, WordPress itself has included the feature that generates this tag.

Here is the “Hide WordPress Version Work Around”:

Add the following line to the functions.php file in your theme directory (Create a blank PHP file with this name if your theme doesn’t already have one):

<?php remove_action('wp_head', 'wp_generator'); ?>
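The one-liner above only removes the generator tag from the HTML head. As an added example (not code from the original post), this functions.php snippet also removes the version from feeds and from the ?ver= query string that WordPress appends to its own core script and stylesheet URLs; the hows_ function name is this example's own, the hooks are WordPress core.

```php
<?php
// Added example (not from the original post): strip every place WordPress
// advertises its version, not just the <meta name="generator"> tag in <head>.
// Put this in your theme's functions.php or a file in wp-content/mu-plugins/.

// 1. The <head> generator tag (the line the post above recommends).
remove_action( 'wp_head', 'wp_generator' );

// 2. The generator element in RSS/Atom feeds and other contexts:
//    the_generator() output passes through this filter, so '' removes it.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The "?ver=<wordpress version>" query string on core script and style
//    URLs, which reveals the version just as clearly as the meta tag.
function hows_strip_core_version_query( $src ) {
    // Only strip when the ver argument is the running WordPress version;
    // plugin and theme assets keep their own ver for cache busting.
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hows_strip_core_version_query' );
add_filter( 'script_loader_src', 'hows_strip_core_version_query' );
```

The readme.html file WordPress ships in the web root also states the version and is not touched by any PHP hook; restrict or delete it separately.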

We usually recommend the plugin Better WP Security to our clients because it is easy to use and configure, and it does many of these security tasks for you.

Proper WordPress Installation

Change The Default “Admin” Username

The problem is that a brute force attack is one of the easiest ways to break a password.

The method is simple: try as many different passwords as possible until the right one is found.

Attackers using the brute force method rely on dictionaries, which give them a large number of password combinations to try.

Knowing your username makes it easier for them to guess the right combination.

This is why you should always change the default “admin” username to something harder to guess.

Versions of WordPress starting with 3.0 let you choose your desired username by default, so there is no excuse for not doing it right. If your site was created with an older version, use the Admin renamer extended plugin.
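Renaming the account raises the cost of guessing but does not stop the guessing itself. As an added example (not code from the original post), here is a minimal login throttle as a must-use plugin; the limits and the hows_ names are this example's own choices, while the hooks, transient functions and WP_Error are WordPress core.

```php
<?php
/**
 * Added example (not from the original post): a minimal brute-force throttle as a
 * must-use plugin (save as wp-content/mu-plugins/login-throttle.php). After
 * HOWS_MAX_FAILURES failed logins from one address, further attempts from that
 * address are refused for HOWS_LOCKOUT_SECONDS. The limits and hows_ helper
 * names are this example's own; the hooks and functions are WordPress core.
 */
define( 'HOWS_MAX_FAILURES', 5 );
define( 'HOWS_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Per-address transient key. Assumes PHP sees the real client address; behind a
// reverse proxy, read the address from the header your proxy sets instead.
function hows_failure_key() {
    return 'hows_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Count every failed login; WordPress fires this for a wrong username too.
function hows_record_failure( $username ) {
    $key   = hows_failure_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HOWS_LOCKOUT_SECONDS );
    if ( $count >= HOWS_MAX_FAILURES ) {
        error_log( sprintf( 'Login lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? '?', $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'hows_record_failure' );

// While locked out, replace whatever the password check returned with an error.
function hows_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( hows_failure_key() ) >= HOWS_MAX_FAILURES ) {
        return new WP_Error( 'hows_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
// Priority 30: must run after wp_authenticate_username_password (priority 20),
// which would otherwise overwrite an earlier error with the authenticated user.
add_filter( 'authenticate', 'hows_block_if_locked', 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( hows_failure_key() );
} );
```

Each refused attempt still fires wp_login_failed, so the lockout window is extended while the attempts continue, and the error_log lines give you something to watch for in the server logs.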

Pick a Secure Password for Admin

Changing your admin username to something else is no guarantee that people will not be able to guess it.

For instance, if your username is shown as the author meta data on every post, or you enable author-specific pages on a multi-author blog, you reveal your user name to the world.
Assume it will be found, and pick a secure password for your WordPress login. Be sure to combine upper and lowercase characters and numbers.

You can change your password after your site is installed. You may even want to change it on a regular basis.

We usually recommend the plugin WP Security Scan to our clients because it has a password generator.

Another good password generator is WP Password Generator, which gives all users an easy way to create strong passwords.

Only Use Your Admin Account for Admin Purposes

It is easy to create new users in WordPress, so there is no excuse for not creating an author or editor account for yourself. Get into the habit of logging in with that account. That way, if you are in an Internet cafe or on a public wireless network and someone siphoning network traffic gets your password, there is only limited damage they can do.

Save your administrative functions, such as updating plugins or adding users, for when you know you are on a secure network.

Populate wp-config.php Properly

Go through each line in wp-config.php, not only the first block for database configuration.

Use the WordPress secret key generation tool to generate random salts for WordPress cookies.

These keys are used to ensure better encryption of the information stored in WordPress users’ cookies.

There is an automatic generator for these at: https://api.wordpress.org/secret-key/1.1/salt/

You also want to modify the WordPress table prefix to something other than wp_.

Adding random characters and numbers to the end of wp, such as wpRbX3i_, obfuscates it enough while still letting you recognize the tables as belonging to WordPress.
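To confirm that both of these settings were actually changed on a site you inherit, here is an added checker script (not from the original post) that reads a wp-config.php and reports keys still at the placeholder from wp-config-sample.php and the default wp_ prefix; the hows_ function name and the embedded sample config are constructed for this example.

```php
<?php
// Added example (not from the original post): a checker that reads a wp-config.php
// and flags the two weaknesses discussed above: keys/salts still at the shipped
// placeholder, and the default wp_ table prefix. Usage: php check.php wp-config.php

function hows_check_wp_config( string $config ): array {
    $findings = [];
    $names = [ 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
               'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' ];
    foreach ( $names as $name ) {
        // Match define( 'NAME', '...' ); with either quote style around the value.
        $re = "/define\\(\\s*['\"]" . $name . "['\"]\\s*,\\s*(['\"])(.*?)\\1\\s*\\)/s";
        if ( ! preg_match( $re, $config, $m ) ) {
            $findings[] = "$name is not defined";
            continue;
        }
        // wp-config-sample.php ships every key as 'put your unique phrase here';
        // values from the api.wordpress.org generator are 64 characters long.
        if ( $m[2] === 'put your unique phrase here' || strlen( $m[2] ) < 32 ) {
            $findings[] = "$name is the placeholder or too short";
        }
    }
    if ( ! preg_match( "/\\\$table_prefix\\s*=\\s*['\"](.*?)['\"]/", $config, $m ) ) {
        $findings[] = '$table_prefix is not set';
    } elseif ( $m[1] === 'wp_' ) {
        $findings[] = 'table prefix is the default wp_';
    }
    return $findings;
}

// Constructed sample (not a real config) used when no file path is given.
$sample = "<?php\ndefine('AUTH_KEY', 'put your unique phrase here');\n"
        . "define('SECURE_AUTH_KEY', 'x');\n\$table_prefix = 'wp_';\n";
$config = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample;
foreach ( hows_check_wp_config( $config ) as $finding ) {
    echo "WARNING: $finding\n";
}
```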

Prevent Directory Browsing

By default, most hosts allow directory listing.

Because a WordPress installation has a standard set of directories, a hacker can go directly to a directory inside your site and see all of the files in it.

This is definitely a security risk, because a hacker could see the last time that files were modified and access them.

This is a simple but important problem to fix. You have three options:

  1. Place an empty file in each directory with the name INDEX.HTML or INDEX.PHP
  2. If you are using an Apache webserver, modify your .htaccess file
  3. Use a Security plugin (see the end of the series for suggestions)
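For option 2, this is the .htaccess fragment that turns listings off, added here as an example rather than taken from the original post; it assumes your host's AllowOverride setting permits the Options directive.

```apache
# Added example (not from the original post): option 2 from the list above.
# Place these lines in the .htaccess file in your WordPress root. They need
# AllowOverride to permit Options directives, which most shared hosts allow;
# if the site answers with a 500 error afterwards, that permission is missing.

# Turn off automatic directory listings for this directory and everything below it.
Options -Indexes

# The files Apache serves for a bare directory request. Note the names are
# case-sensitive on Linux, so the placeholder file from option 1 must be
# named index.html (or index.php), not INDEX.HTML.
DirectoryIndex index.php index.html
```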

…and why do we have to think about security as a process rather than a check-list task?

The Mind of a Hacker


Most often hacking is a crime of opportunity – like an open gate or an unlocked car door. In general the hacking process involves three steps:

  1. Find a point of entry
  2. Compare the website / server information to known vulnerabilities
  3. Have fun

The hacker doesn’t even have to know what he or she is doing.

There are many programs available on hacker sites that go through this process automatically.

These are popular with novice, juvenile, or dilettante hackers. Because they often don’t require any sophisticated understanding to operate, the people who use them are held in very low regard by the “real” hacker community, and are referred to by the derogatory term “script kiddies.”

That does not mean they can’t do some very real damage to your website.

The important point to understand is that these individuals are not targeting your website – you are just one of thousands.

It is strictly a numbers game, and some day yours may come up.

Filed Under: WordPress · Tagged With: WordPress Security, Brute Force Attack, wp-config.php