FRIENDS OF SEARCH HARDENING WORDPRESS VARIOUS TWEAKS FOR BETTER WP SECURITY
WHO HAD (TO FIX) A HACKED WORDPRESS?
bg.vu/fos14
WHAT REALLY MATTERS: TOP 3! IF YOU HAVE 5 MINS TO SPARE, JUST DO THESE
92% (of ~500 sites)
#1 Update your blogs regularly! http://wordpress.org/extend/plugins/wp-updates-notifier/
Change update behavior
# Disables ALL core updates:
define('WP_AUTO_UPDATE_CORE', false);
Be sure to REALLY know what you're doing there!
# Enables all core updates, including minor and majors:
define('WP_AUTO_UPDATE_CORE', true);
# Default: Enables core updates for minor releases:
define('WP_AUTO_UPDATE_CORE', 'minor');
Want something more fine-grained? Check the auto_update_{$type} filter (e.g. auto_update_plugin, auto_update_theme, etc.), which is used for specific update types. http://github.com/georgestephanis/update-control/
WWW.INFINITEWP.COM
WWW.MANAGEWP.COM
#2 Get rid of stuff you don't use! Remove all inactive plug-ins as well as themes!
#3 Backup Database & Files, often! http://wordpress.org/extend/plugins/backwpup/
SECURITY STARTS AT SETUP MAKE THINGS RIGHT FROM THE BEGINNING!
#4 Setup WordPress properly
Use unique keys and salts to add random elements for encryption!
Use a cryptic prefix to prevent automated scripts and SQL injections.
$table_prefix = 'wp_vzqcxsjv7ul_';
https://api.wordpress.org/secret-key/1.1/salt/
#5 Protect your wp-config.php
<Files wp-config.php>
order deny,allow
deny from all
</Files>
This needs to go into the .htaccess file in your WP root to prevent external access. Even better: move wp-config.php outside of www. Also do chmod 400/440.
#6 Remove the default admin Set up a new user as admin; log out. Log in with the new admin; delete the old one. Make sure to use a STRONG password, pleeaaasssseeee! http://www.random.org/passwords/
FileZilla stores passwords unencrypted in a well-known file. There is malware out there that looks for these straight away! Don't use the "Normal" logon type. There are the "Ask for password" and the "Interactive" types that won't save your passwords on disk. Even better: Don't use FileZilla and regular FTP logins at all! NEVER EVER STORE PASSWORDS! AT LEAST: SWITCH TO SFTP & USE A PROPER CLIENT!
WWW.LASTPASS.COM
#7 Protect your Login (and wp-admin) Recommended: Try the Lockdown WP Admin plug-in to protect the PHP files in wp-admin as well as the login itself. Don't just put an .htaccess with basic password protection in front of it. It's a lot of pain. http://wordpress.org/extend/plugins/lockdown-wp-admin/
#8 Lock-out multiple failed logins Limit Login Attempts http://wordpress.org/extend/plugins/limit-login-attempts/
#9 Even better: Two-factor Verification Info: http://gdig.de/1t - Download: http://gdig.de/1u
#9 Even better: Two-factor Verification Google Authenticator http://wordpress.org/plugins/google-authenticator/
#9 Even better: Two-factor Verification Provide your login credentials and get the auth code from the Google Authenticator app on your mobile phone.
WWW.DUOSECURITY.COM
WWW.GETCLEF.COM
#10 Block malicious URL requests domain.com/?q=%2e%2e or domain.com/path/base64_ will return HTTP 403 (Forbidden). http://wordpress.org/plugins/block-bad-queries/
ADDITIONAL TWEAKS THINGS YOU COULD DO IN YOUR CONFIG AS WELL
#11 SSL Logins & Administration
define('FORCE_SSL_LOGIN', true);
Set FORCE_SSL_LOGIN to true to force all logins to happen over SSL (still allows non-SSL admin sessions).
define('FORCE_SSL_ADMIN', true);
Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow).
#12 Move the wp-content folder
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content');
WP_CONTENT_DIR points to the new full local path (no trailing slash).
define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content');
WP_CONTENT_URL points to the new full URI (no trailing slash either).
#13 Disable File Editing
define('DISALLOW_FILE_EDIT', true);
Set DISALLOW_FILE_EDIT to true to disable editing files from the dashboard. By default, admins are allowed to edit PHP files. Setting the above is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users.
#14 Fix File & Folder Permissions WP-Security Scan Very important: chmod your wp-config.php to be read-only! http://wordpress.org/extend/plugins/wp-security-scan/
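An added shell check (not part of the deck) that audits a WordPress root for the wp-config.php items from slides #4, #5/#14 and #13: it reports a default wp_ table prefix, a wp-config.php mode other than 400/440, a missing <Files wp-config.php> deny block in .htaccess, and DISALLOW_FILE_EDIT not set to true. The two sample installs it builds under mktemp are constructed for the demo, not real sites.

```sh
#!/bin/sh
# Added example: audit a WordPress root for the wp-config.php items this deck
# recommends (#4 prefix, #5 .htaccess deny + chmod 400/440, #13 DISALLOW_FILE_EDIT).
# Prints one FINDING per line; returns the number of findings (0 = all passed).
_note() { echo "FINDING: $1"; findings=$((findings + 1)); }

wp_hardening_check() {
    root=$1; cfg="$root/wp-config.php"; findings=0
    [ -f "$cfg" ] || { echo "no wp-config.php under $root"; return 1; }
    # #5 / #14: wp-config.php should be read-only (400 or 440)
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        400|440) ;;
        *) _note "wp-config.php mode is $mode, expected 400 or 440" ;;
    esac

    # #5: the .htaccess in the WP root must deny access to wp-config.php
    grep -qi '<Files wp-config.php>' "$root/.htaccess" 2>/dev/null \
        || _note ".htaccess has no <Files wp-config.php> deny block"
    # #4: the default prefix makes table names guessable for automated scripts
    grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg" \
        && _note "table prefix is the default wp_"
    # #13: editing PHP files from the dashboard should be disabled
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
        || _note "DISALLOW_FILE_EDIT is not set to true"

    return "$findings"
}

# Constructed sample installs (weak vs. hardened) so the check runs offline.
make_sample_site() {   # usage: make_sample_site DIR weak|hardened
    mkdir -p "$1"
    if [ "$2" = weak ]; then
        printf '<?php\n$table_prefix = '\''wp_'\'';\n' > "$1/wp-config.php"
        chmod 644 "$1/wp-config.php"
    else
        printf '<?php\n$table_prefix = '\''wp_vzqcxsjv7ul_'\'';\n' > "$1/wp-config.php"
        printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$1/wp-config.php"
        printf '<Files wp-config.php>\norder deny,allow\ndeny from all\n</Files>\n' > "$1/.htaccess"
        chmod 400 "$1/wp-config.php"
    fi
}

demo_dir=$(mktemp -d)
for site in weak hardened; do
    make_sample_site "$demo_dir/$site" "$site"
    n=0; wp_hardening_check "$demo_dir/$site" || n=$?; echo "$site: $n finding(s)"
done
rm -rf "$demo_dir"
```

Run it against a real install with `wp_hardening_check /path/to/wordpress`; the weak sample yields 4 findings, the hardened one 0.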
WORDPRESS.ORG/PLUGINS/WORDFENCE/
WORDPRESS.ORG/PLUGINS/BETTER-WP-SECURITY/
@basgr SEO Trainings, Seminars & Strategy Consulting Berlin-based Full-Service Performance Marketing Agency WordPress Security, Consulting & Development bg.vu/fos14