Nowadays we can easily set up a blog and start our journey as a blogger, all thanks to WordPress for providing such a wonderful platform for blogging. More than 54% of websites use WordPress, and the majority of installations are quite vulnerable due to improper configuration. So do we need to become security experts to secure our WordPress installation? The answer is “NO”: we simply need to follow some steps which provide sufficient security. That doesn’t mean the security can’t be breached; a vulnerability may be present in any component of the website or web server, which in turn can lead to an attack.
So following are the steps to be followed:
The most important file of the WordPress installation is the wp-config.php which needs to be protected at any cost.
- File Permission: Permission may be changed to 400 or 440.
- .htaccess Protection: This provides a protection from SymLink attacks.
```apache
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
```
Protect wp-admin folder
- Password Protection for Directories: These days every hosting company provides an option to protect any directory with a password. This results in a login prompt asking for a username and password.
- IP Specific Access: Blog administrators and authors actually need access to wp-admin for adding content and changing settings. If we allow access only from selected IPs, there is a good chance of reducing various threats. The following piece of code needs to be entered in the .htaccess file in the wp-admin directory (note that a "Limit GET" block restricts only GET and HEAD requests, so apply the same deny/allow rules outside the Limit block if POST requests to wp-admin should be covered as well):
```apache
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
    order deny,allow
    deny from all
    # whitelist Shubhamoy's IP address
    allow from xx.xx.xx.xxx
    # whitelist Siddhant's IP address
    allow from xx.xx.xx.xxx
    # whitelist Sachin's IP address
    allow from xx.xx.xx.xxx
    # whitelist Mahima's IP address
    allow from xx.xx.xx.xxx
    # whitelist Work IP address
    allow from xx.xx.xx.xxx
</LIMIT>
```
Disable Directory Listing
We simply need to add “Options -Indexes” (without the quotes) to the .htaccess file, which stops the web server from listing the contents of directories that have no index file. Directory listing can also be disabled easily from cPanel or other hosting control panels.
Disable File (Theme or Plugin) Editing
We don’t normally need to edit our themes or plugins from the dashboard. If we disable this feature, then even someone who breaches the admin area can’t use the built-in editor to inject malicious scripts such as web shells. Insert the following code into wp-config.php.
The above methods should be sufficient for a secured environment, though the following additional steps help plug the remaining loopholes:
- Update WordPress regularly
- Delete unused themes and plugins
- Always back up the database at regular intervals
- Rename the table prefix from wp_ to something different
- Remove the user admin and create a new user in its place
- Plugins play a key role, so decide carefully before installing one.
- Set the following permissions:
  - Directories: 755
  - Files: 644
  - Theme Files: 666
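As an added example (not code from the original post), the following POSIX shell script audits a WordPress root against the steps above: wp-config.php mode 400/440, the DISALLOW_FILE_EDIT constant that WordPress reads for the file-editing step, a table prefix other than wp_, “Options -Indexes” in .htaccess, and 755/644 on directories and files (theme files are left out of the count). It assumes GNU stat and find and takes the WordPress root as its single argument; the function names are my own.

```shell
#!/bin/sh
# Added audit script, not from the original post. Read-only checks of the
# hardening steps above against a WordPress root (assumes GNU stat and find).
perm_of() { stat -c '%a' "$1"; }   # octal mode bits of a path, e.g. 400

# wp-config.php should be readable by the owner (and at most the group): 400 or 440.
check_wp_config_perm() {
  case "$(perm_of "$1/wp-config.php")" in 400|440) return 0 ;; *) return 1 ;; esac
}

# The theme/plugin editor is off only when DISALLOW_FILE_EDIT is defined as true.
check_file_edit_disabled() {
  grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" \
    "$1/wp-config.php"
}

# A $table_prefix still set to the default 'wp_' is a failure.
check_table_prefix() {
  ! grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$1/wp-config.php"
}

# Directory listing is off when the root .htaccess carries "Options -Indexes".
check_dir_listing() {
  [ -f "$1/.htaccess" ] && grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Count directories that are not 755 and files that are not 644
# (wp-config.php is held to the stricter rule above, so it is skipped here).
count_loose_perms() {
  { find "$1" -mindepth 1 -type d ! -perm 755
    find "$1" -mindepth 1 -type f ! -name wp-config.php ! -perm 644; } | wc -l | tr -d ' '
}

# Print PASS/FAIL per check; $fails accumulates for wp_audit's return value.
report() { if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi; }

# Run every check on the given root and return the number of failures.
wp_audit() {
  fails=0
  report check_wp_config_perm "$1"
  report check_file_edit_disabled "$1"
  report check_table_prefix "$1"
  report check_dir_listing "$1"
  loose=$(count_loose_perms "$1")
  if [ "$loose" -eq 0 ]; then echo "PASS perms 755/644"
  else echo "FAIL perms 755/644 ($loose paths deviate)"; fails=$((fails + 1)); fi
  return "$fails"
}
if [ $# -eq 1 ]; then wp_audit "$1"; fi   # usage: sh wp_audit.sh /var/www/html
```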