WordPress, the widely recognized self-hosted content management system (CMS), has gained immense popularity on the Internet. As with any widely used platform, it attracts attention from hackers seeking to exploit vulnerabilities. Being an open-source software hosted on GitHub, WordPress is constantly monitored for bugs and security flaws that could potentially compromise websites.
To ensure the security of your WordPress installation, it is crucial to keep it up to date by using the latest version of WordPress.org software, along with updated themes and plugins. Here are some essential steps you can take to enhance the security of your WordPress blogs:
1. Optimize your WordPress account login:
When you initially set up a WordPress blog, the default user is named “admin.” It is advisable to create a new user account for managing your WordPress blog and either remove the “admin” user or downgrade its role from “administrator” to “subscriber.” Generating a unique and hard-to-guess username is recommended. Alternatively, you can enable single sign-on with Jetpack and use your WordPress.com account to access your self-hosted WordPress blog.
2. Conceal your WordPress version:
By default, WordPress websites display the version number, making it easier for potential attackers to identify outdated and unpatched versions. Removing the WordPress version from the page is a straightforward process. Additionally, it is crucial to delete the “readme.html” file from your WordPress installation directory, as it also reveals your WordPress version to the public.
3. Secure your WordPress directory:
Take control of your WordPress Linux shell and execute the following command to identify “open” directories where unauthorized users can write files:
`find . -type d -perm -o=w`
You should also run the following two commands in your shell to set appropriate permissions for all WordPress files and folders:
`find /your/wordpress/folder/ -type d -exec chmod 755 {} \;`
`find /your/wordpress/folder/ -type f -exec chmod 644 {} \;`
For directories, the permission value “755” (rwxr-xr-x) ensures that only the owner has write permissions, while others have read and execute permissions. Regarding files, the permission value “644” (rw-r—r—) grants file owners read and write permissions, while others can only read the files.
4. Modify your WordPress table prefix:
By default, WordPress tables are named with prefixes like “wp_posts” or “wp_users.” To enhance security, consider changing the table prefix (wp*) to a random value. The “Change DB Prefix” plugin simplifies the process, allowing you to rename the table prefix effortlessly.
5. Prevent directory browsing on your WordPress site:
It is crucial to add the following line at the top of your WordPress root directory’s “.htaccess” file:
`Options -Indexes`
This configuration prevents outsiders from viewing file listings in directories when the default “index.html” or “index.php” files are absent.
6. Update your WordPress Security Keys:
Generate six security keys for your WordPress blog by visiting the appropriate website. Then, open the “wp-config.php” file within your WordPress directory and replace the default keys with the newly generated ones. These random salts enhance the security of stored WordPress passwords. Furthermore, if someone is logged into WordPress without your knowledge, their session will terminate immediately due to the invalidation of their cookies.
7. Keep a log of WordPress PHP and database errors:
Error logs can provide valuable insights into invalid database queries and file requests affecting your WordPress installation. The “Error Log Monitor” plugin is highly recommended as it periodically sends error logs via email and presents them as a widget in your WordPress dashboard. To enable error logging in WordPress, add the following code to your “wp-config.php” file, ensuring to replace “/path/to/error.log” with the actual path of your log file. Remember to place the “error.log” file in a folder inaccessible to web browsers.
“`
define('WP_DEBUG', true);
if (WP_DEBUG) {
define('WP_DEBUG_DISPLAY', false);
@ini_set('log_errors', 'On');
@ini_set('display_errors', 'Off');
@ini_set('error_log', '/path/to/error.log');
}
“`
8. Password protect the WordPress Admin Dashboard:
It is advisable to password protect the “wp-admin” folder of your WordPress installation. This additional layer of protection ensures that unauthorized users cannot access sensitive files on your public WordPress website. With this measure in place, even authorized users will need to enter two passwords to access the WordPress Admin Dashboard.
9. Monitor login activity on your WordPress server:
Utilize the “last -i” command in Linux to obtain a list of all users who have logged into your WordPress server, along with their corresponding IP addresses. If you notice an unfamiliar IP address in the list, it is essential to change your password immediately. Furthermore, the following command provides a longer-term user login activity grouped by IP addresses (replace “USERNAME” with your shell username):
`last -if /var/log/wtmp.1 | grep USERNAME | awk ‘{print $3}’ | sort | uniq -c`
10. Monitor your WordPress site with plugins:
The WordPress.org repository offers various security-related plugins that continuously monitor your WordPress site for intrusions and suspicious activities. Here are some recommended plugins:
– Exploit Scanner: Quickly scans WordPress files and blog posts for potential malicious code, including hidden spam links.
– WordFence Security: A powerful security plugin that compares your WordPress core files with the original repository versions, instantly detecting any modifications. It also enforces lockouts after multiple unsuccessful login attempts.
– WP Notifier: Sends email alerts whenever updates are available for installed themes, plugins, and the WordPress core. Useful if you don’t frequently log in to the WordPress Admin dashboard.
– VIP Scanner: An official security plugin that scans your WordPress themes for issues and detects injected advertising code in your WordPress templates.
– Sucuri Security: Monitors WordPress core file changes, provides email notifications for file or post updates, and maintains a log of user login activity, including failed login attempts.
Additionally, you can use the following Linux command to obtain a list of files modified within the last three days. Adjust “mtime” to “mmin” if you want to see files modified within a specific number of minutes:
`find . -type f -mtime -3 | grep -v “/Maildir/” | grep -v “/logs/”`
Secure Your WordPress Login Page:
While the WordPress login page is accessible to the public, you can take steps to prevent unauthorized access:
– Password Protect with .htaccess: Protect the “wp-admin” folder of your WordPress installation by adding a username and password requirement in addition to your regular WordPress credentials.
– Google Authenticator: Implement two-step verification on your WordPress blog, similar to Google Accounts. This plugin adds an extra layer of security by requiring both a password and a time-dependent code generated on your mobile device.
– Password-less Login: Use the Clef plugin to log into your WordPress website by scanning a QR code. You can also remotely end the session using your mobile phone.
By following these steps and utilizing the recommended plugins, you can significantly enhance the security of your WordPress website and protect it from potential threats.
Discover more from AI Avenue
Subscribe to get the latest posts to your email.
