Why should you care about WordPress security?

Each month you can hear about vulnerabilities in some WordPress plugin or other WordPress-related component.

Have you heard the latest news?

Here is a list of 5 vulnerabilities discovered in recent months:


No one wants a hacked WordPress site. You need to keep WordPress updated to the latest version.

But even a basic WordPress installation still has lots of weak spots which attackers could exploit.

I will tell you what these weak spots are and what to do about them.

Basic WordPress hardening

1. Make sure you use HTTPS for admin and login

Is your webhosting provider HTTPS capable? Do you have an HTTPS version of your website? If so, add these lines to your wp-config.php:

// FORCE_SSL_LOGIN is kept here for older installs; since WordPress 4.0 it is
// deprecated and FORCE_SSL_ADMIN alone covers both the login page and the admin area.
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);


2. Change the admin user name

If you did not change it during installation, do it now. Directly in the database, in the table “wp_users”, rename the user “admin” to some other hard-to-guess name. Also change the column “user_nicename” to something else, because it is shown in the URL of the blog post author archive.

3. Change the admin nickname

In the admin profile, change the “nickname” to something other than the login name (you can also do this directly in the database).

4. Edit your .htaccess file

Change or insert the HTTP- and HTTPS-related rules. If you use “nice URLs” (pretty permalinks), your .htaccess file probably already contains something like this:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>


Add these lines before the WordPress rules (right after the RewriteBase / line). The WordPress rules end with [L], so for most requests any rule placed after them would never run:

# redirection for http
# assumes HTTPS is served on a port other than 80; "RewriteCond %{HTTPS} on" is the more direct test
RewriteCond %{SERVER_PORT}  !^80$
RewriteRule !^wp-(admin|login|register|includes)(.*) - [C]
# [R=301] is required: without it mod_rewrite treats a URL on the same host as an internal rewrite, not a redirect
RewriteRule ^(.*)$ http://%{SERVER_NAME}/$1 [R=301,L]

This means that unless you are in admin, login or register, you always get HTTP. It is important for Google ranking – you don't want duplicate content. If you have the same web content on both HTTP and HTTPS, Google treats it like two different sites and you will be penalized.

5. Do you want automatic updates or not?

If you don’t want automatic updates, for example because you want to read more about an update before applying it, you can disable automatic installation. Then you only get a notice in your Dashboard that a new update has been released.

Put this line into your wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', false );

6. Remove the WordPress version number from HTML and feeds

You need to edit the functions.php file of your installed theme directly.

Remove the generator meta tag with the WordPress version from the HTML head:

remove_action('wp_head', 'wp_generator'); 

Remove the WordPress version from RSS feeds and RSS comment feeds:

function rm_generator_filter() { return ''; }
add_filter('the_generator', 'rm_generator_filter');

7. You can disable password reset

Put these lines into the functions.php file:

function disable_password_reset() { return false; }
add_filter ( 'allow_password_reset', 'disable_password_reset' );

8. Limit login attempts

You can use a plugin which counts login attempts and disables the login form after three unsuccessful attempts. The plugin has a few configuration options.
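Point 8 recommends a plugin; as an added example (not code from this post and not any particular plugin), here is a minimal must-use plugin that does the same job with WordPress's own hooks. The lal_ names, the three-attempt threshold and the 15-minute lockout are my own choices.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example)
Description: Locks out a client after three failed logins. Drop into wp-content/mu-plugins/.
*/

// Assumed settings, not from the post: three failures lock the client out for 15 minutes.
define('LAL_MAX_ATTEMPTS', 3);
define('LAL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// Transient key per client IP. Behind a reverse proxy REMOTE_ADDR is the proxy,
// so the address would then have to come from a header the proxy is trusted to set.
function lal_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_' . md5($ip);
}

// Count every failed login; the transient expiry doubles as the lockout window.
function lal_record_failure($username) {
    $count = (int) get_transient(lal_key());
    set_transient(lal_key(), $count + 1, LAL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'lal_record_failure');

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out client is refused even when the password is correct.
function lal_check_lockout($user, $username, $password) {
    if ($username === '') {
        return $user; // wp-login.php also runs this filter on a plain GET
    }
    if ((int) get_transient(lal_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'lal_locked_out',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}
add_filter('authenticate', 'lal_check_lockout', 30, 3);

// A successful login clears the counter for that client.
function lal_clear_counter($user_login, $user) {
    delete_transient(lal_key());
}
add_action('wp_login', 'lal_clear_counter', 10, 2);
```

Counting per IP address locks out everyone behind a shared NAT and does not stop attempts spread across many addresses, so treat it as one layer alongside strong passwords and HTTPS on the login page (point 1).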

Other recommendations:

  • Back up your WordPress site – content and database. And store these backups on another computer.
  • Install only plugins which you really need, which are well maintained and which have at least 5 stars (in the plugin rating).
  • Do not install WordPress themes from untrusted sources. It is better to pay a few bucks for a theme from a well-known company (e.g. themify.me) than to be hacked through an exploited theme from an unknown developer.



Not sure what all this means? You can ask in the comments.