Securing WordPress Installation

Nowadays we can easily setup a blog and start our journey as a blogger and all thanks to wordpress for providing such a wonderful platform for blogging. More than 54% websites are using WordPress and majority installations are quite vulnerable due to improper configuration. Now do we need to become a security expert to secure our wordpress installation? The answer is “NO”, we simply need to follow some steps which would provide sufficient security though it doesn’t mean that the security can’t be breached; reason behind vulnerability may be present in any component of the website or webserver which in turn can cause an attack.

So following are the steps to be followed:

Protecting wp-config.php

The most important file of the WordPress installation is the wp-config.php which needs to be protected at any cost.

File Permission: Permission may be changed to 400 or 440.
.htaccess Protection: This provides a protection from SymLink attacks.

</pre>
<pre>&lt;files wp-config.php&gt;
order allow,deny
deny from all
&lt;/files&gt;</pre>
<pre>

Protect wp-admin folder

The first and foremost thing someone does after obtaining the username and password is logging in into the admin panel. So adding a layer of security to this folder is quite beneficial.

Password Protection to Directories: These days every hosting company provides an option to protect any directory through a password. This will result in a alert window to enter a username and password.
IP Specific Access: Blog administrators and authors actually require to wp-admin for adding content and changing settings. If we could allow access to only selected IP’s then there is a great chance of reducing various threats. The following piece of code needs to be entered in the .htaccess file in the wp-admin directory:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Shubhamoy's IP address
allow from xx.xx.xx.xxx
# whitelist Siddhant's IP address
allow from xx.xx.xx.xxx
# whitelist Sachin's IP address
allow from xx.xx.xx.xxx
# whitelist Mahima's IP address
allow from xx.xx.xx.xxx
# whitelist Work IP address
allow from xx.xx.xx.xxx
</LIMIT>

Disable Directory Listing

We simply need to add “Options -Indexes” without the quotes in the .htaccess file which would restrict from accessing the directories. Even directory listing can be easily disabled from CPanel or other hosting control panels.

Disable File (Theme or Plugin) Editing

We always don’t require to edit our themes or plugins. So if we disable this feature then even if someone breaches into the admin area can’t do anything malicious like injecting some scripts like shells. Insert the following code into wp-config.php.

define('DISALLOW_FILE_EDIT', TRUE);

The above methods should be sufficient to have a secured environment though try the following methods for plugging the loopholes:

Update WordPress Regularly
Delete unused themes and plugins
Always backup the database at regular interval
Rename the table prefix from wp_ to something different
Remove the user admin and create a new user
Plugins play a key role. So decide carefully before installing one.
Set the following permissions

Directories: 755
Files: 644
Theme Files: 666

Finally I would like to say that if the above methods are carefully implemented to secure the installation. Please read this article Hardening WordPress for a much better understanding of securing WordPress.

Leave a Reply Cancel reply