WordPress Security-II

From Wiki 24x7servermanagement

Preventive Measures for WordPress Security:

The previous article discussed common WordPress security issues and the damage they cause. This article walks through preventive measures you can take to reduce the chance of a breach.

Unlimited Login Attempts

A default WordPress installation does not limit how many times a client may try to log in, so a simple brute-force attack against wp-login.php will eventually find the password. The first thing to do after installation is to put a limit on failed attempts (for example, lock the source IP address and the targeted username for a period after a handful of failures). Your host may already do this with ModSecurity, but do not rely on it: enforce the limit yourself.
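Before trusting a host-side limit, check whether brute forcing is actually reaching wp-login.php and whether it ever got through. The script below is an added example, not part of the original article or of any plugin listed here: it scans Apache/nginx combined-format access log lines (the sample lines are constructed, using documentation IP ranges) for clients that POST to wp-login.php repeatedly inside a short window, relying on the fact that WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect. The log format, window and threshold are assumptions to adjust for your server.

```python
"""Spot brute-force logins against wp-login.php in a combined-format access log.

Added example: WordPress re-renders the login form with HTTP 200 when a login
fails and answers with a 302 redirect to wp-admin when it succeeds, so a burst
of POST 200s followed by a POST 302 from one client is the signature of a
brute force that eventually worked.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format (assumed):
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop the query string
        "status": int(m["status"]),
    }

def find_login_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """Return {ip: {"attempts": n, "succeeded": bool}} for every client that
    POSTed to wp-login.php at least `threshold` times inside any `window`."""
    posts = defaultdict(list)          # ip -> [(time, status), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            posts[rec["ip"]].append((rec["time"], rec["status"]))

    hits = {}
    for ip, events in posts.items():
        events.sort()
        start = 0
        for end, (t, _status) in enumerate(events):
            # Slide the window start forward until the span fits inside `window`.
            while t - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "attempts": len(events),
                    # A 302 on POST /wp-login.php means WordPress accepted the login.
                    "succeeded": any(status == 302 for _, status in events),
                }
                break
    return hits

# Constructed sample log: one scripted attacker making 11 failed attempts five
# seconds apart and then succeeding, plus a legitimate user who mistypes once.
ATTACKER = "203.0.113.7"
SAMPLE_LOG = [
    f'{ATTACKER} - - [10/Oct/2023:13:55:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3842 "-" "python-requests/2.31"'
    for s in range(0, 55, 5)
] + [
    f'{ATTACKER} - - [10/Oct/2023:13:55:58 +0000] '
    f'"POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Oct/2023:13:56:10 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:20 +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3842 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:35 +0000] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, info in find_login_bruteforce(SAMPLE_LOG).items():
        state = "SUCCEEDED" if info["succeeded"] else "blocked/failed"
        print(f"{ip}: {info['attempts']} POSTs to wp-login.php, {state}")
```

Feed it your real log (`find_login_bruteforce(open("access.log"))`) and any IP it reports with `succeeded: True` needs an immediate password reset and session review; a long list of flagged IPs that never succeed tells you the limit you or your host configured is doing its job, or that the attacker has moved on to XML-RPC (see below). The 302-means-success rule only holds for wp-login.php itself, not for other redirecting endpoints.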

Suggested plugins in this section are as follows:

		Name			::		Links
1)  WP Limit Login Attempts		::	wordpress.org/plugins/wp-limit-login-attempts
2)  Login LockDown			::	wordpress.org/plugins/login-lockdown
3)  Limit Login Attempts		::	wordpress.org/plugins/limit-login-attempts
4)  Login Security Solution		::	wordpress.org/plugins/login-security-solution
5)  Stealth Login Page			::	wordpress.org/plugins/stealth-login-page
6)  WordFence				::	wordpress.org/plugins/wordfence

Logging out idle sessions

If you log in to WordPress from a shared or public computer, anyone who uses that machine after you can pick up a session you left open, and a browser that saved your password will let them log in outright. Never save passwords on such machines, log out when you are done, and configure WordPress to end sessions automatically after a period of inactivity so that a forgotten session cannot be reused.

Suggested plugins in this section are as follows:

		Name			::		Links
1)  Idle User Logout			::	wordpress.org/plugins/idle-user-logout/screenshots
2)  Automatic Sign Out For Inactivity	::	wordpress.org/plugins/automatic-sign-out-for-inactivity
3)  Inactivity Auto Sign Out Plugin	::	wordpress.org/plugins/inactivity-auto-sign-out-plugin

Adding Security Questions to WordPress Logins

A security question adds a second piece of knowledge that an attacker who has only the password still has to supply. Keep in mind that answers to the usual questions are often guessable or discoverable from public information, so treat this as a weaker supplement to real two-factor authentication (see the Two Factor Authentication plugin under the Admin section below), not a replacement for it.

Suggested plugins in this section are as follows:

		Name			::		Links
1)  WP Security Question		::	wordpress.org/plugins/wp-security-questions
2)  Secure User Account WordPress Login	::	wordpress.org/plugins/sua-secure-user-account-wp-login
3)  WangGuard				::	wordpress.org/plugins/wangguard

Securing the WordPress "Admin" user

All accounts need protection, but the administrator account comes first: it has the most privileges and full control over the website. Putting an additional password prompt (HTTP authentication at the web server) in front of wp-login.php and the wp-admin directory means a brute-force attack has to get past the web server before it can even reach the WordPress login form. If you protect wp-admin this way, leave wp-admin/admin-ajax.php reachable, because themes and plugins call it from the public site. You can

Suggested plugins in this section are as follows:

		Name			::		Links
1)  Protect Your Admin			::	wordpress.org/plugins/protect-wp-admin
2)  Page Security & Membership		::	wordpress.org/plugins/contexture-page-security
3)  Two Factor Authentication		::	wordpress.org/plugins/google-authenticator

Changing the "admin" username

WordPress is open source, its layout is known to everyone in web hosting, and for years every installation created a user named admin, so an attacker already knows half of the credential pair and only has to guess the password. Renaming that account takes away the free guess. It can be done directly in the database (the user_login column of the wp_users table, via phpMyAdmin), or with the plugin below if you would rather not touch the database. Be aware that the new name is still easy to discover: author archives (/?author=1) and the REST API users endpoint reveal the author slug, which by default is derived from the login name. Treat the rename as a small gain and combine it with login limiting and two-factor authentication rather than relying on it.

Suggested plugin in this section is as follows:

		Name			::		Links
1)  Username Changer			::	wordpress.org/plugins/username-changer

Changing the WordPress database table prefix

Everything in WordPress lives in its database, and a default installation uses the table prefix wp_, so an attacker already knows that credentials are in wp_users and settings in wp_options. Choosing a different prefix at installation time (the $table_prefix setting in wp-config.php) makes a blind SQL injection slightly more work. Be realistic about the gain: an injection that can read information_schema discovers the real table names immediately. Changing the prefix after installation is possible but means renaming every table and updating the prefixed keys in wp_options (the user_roles option) and wp_usermeta (the capabilities and user_level keys), so decide on it while installing WordPress.

File Editing

WordPress has a built-in editor that lets an administrator edit plugin and theme PHP files from the dashboard. That is convenient in the right hands, but it also means that anyone who compromises an administrator session can write arbitrary PHP to the server without ever touching FTP or SSH. The best defence is to disable the feature. Open wp-config.php and add the line below:

define( 'DISALLOW_FILE_EDIT', true );

This removes the editor only. To also stop plugin and theme installation and updates from the dashboard, so that no PHP can be written through WordPress at all, set the DISALLOW_FILE_MODS constant to true as well; note that this also disables the automatic background updates, so you must then apply updates from the command line or your deployment process.

Disabling PHP execution where it is not needed

The uploads directory (wp-content/uploads) only ever needs to hold images and documents; there is no legitimate reason for a PHP file to exist there, let alone run. It is also exactly where a vulnerable upload form or a compromised account will try to drop a web shell or spam script. Refusing to serve PHP from that location turns such an upload into a dead file and gives you the upper hand.

Create a .htaccess file in wp-content/uploads with the following:

<Files *.php>
deny from all
</Files>

This works only on Apache with AllowOverride enabled for the directory. On Apache 2.4 the directive is Require all denied unless mod_access_compat is loaded. Extend the pattern to any other extension your PHP handler serves (such as .phtml and .phar), and on nginx achieve the same with a location block that returns 403 for PHP files under uploads. Verify it by placing a harmless test.php in the directory and confirming the server answers 403.

Disabling Directory listing and Indexing

The web server looks for an index page (index.html, index.php) in any directory that is requested. If none exists and directory indexing is enabled, the server lists every file and subdirectory, exposing plugin names and versions, uploads and stray backup files to anyone. With indexing disabled it returns a 403 error page instead. Disable it in the server configuration if you can; if your host does not let you change that, add the line below to your .htaccess file:

Options -Indexes

WordPress ships an empty index.php in wp-content and its subdirectories for the same reason, so keep those files in place; on nginx the equivalent setting is autoindex off.

Disabling XML-RPC in WordPress

The login limits above count requests: after, say, 200 failed attempts the plugin locks the attacker out. Attackers know this. WordPress also accepts logins through xmlrpc.php, and its system.multicall method lets one HTTP request carry many method calls, each with its own username and password. Hundreds of password guesses therefore fit in a single request, so a few dozen requests exhaust a wordlist that would have taken thousands of hits against wp-login.php, and the request counter never trips. Recent WordPress releases refuse to authenticate the remaining calls of a multicall once one has failed, which blunts this, but xmlrpc.php still accepts unlimited individual requests and its pingback.ping method can be abused to make your site send requests to third parties. If nothing you use depends on XML-RPC (Jetpack, the WordPress mobile apps and some publishing tools do), disable it entirely; otherwise remove only system.multicall and pingback.ping.
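As an added example (not from the original article and not WordPress code), the following Python uses the standard xmlrpc.client module to show what the amplified request looks like, how the multicall response tells the attacker which guess was accepted, and a request-body check that a reverse proxy or WAF could apply to block such multicalls before they reach xmlrpc.php. The AUTH_METHODS set is an assumed representative subset of the WordPress methods that authenticate on every call, the target username and candidate passwords are assumptions, and the sample response is constructed in the shape WordPress returns (fault code 403, "Incorrect username or password.").

```python
"""XML-RPC system.multicall: many credential checks in one HTTP request.

Added example built on Python's standard xmlrpc.client. It shows the shape of
the amplified request, how the multicall response reveals which guess was
accepted, and a body check a reverse proxy or WAF can apply to such requests
before they reach xmlrpc.php.
"""
import xmlrpc.client
from xml.parsers.expat import ExpatError

# WordPress XML-RPC methods that take username and password and therefore run
# an authentication attempt on every call (assumed representative subset).
AUTH_METHODS = frozenset({
    "wp.getUsersBlogs", "wp.getProfile", "wp.getUsers", "wp.getPosts",
    "wp.getOptions", "wp.getMediaLibrary", "wp.newPost", "wp.editPost",
    "blogger.getUsersBlogs", "metaWeblog.getUsersBlogs",
})

def build_multicall_probe(username, candidates):
    """XML body of one system.multicall that bundles a wp.getUsersBlogs call
    (the cheapest authenticated method) per candidate password."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": [username, pw]}
             for pw in candidates]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")

def build_single_call(method, *params):
    """XML body of an ordinary one-method call, for comparison."""
    return xmlrpc.client.dumps(tuple(params), methodname=method)

def credential_checks_in_request(body):
    """Return (method, n): n is how many authenticating WordPress calls the
    request body carries; (None, 0) if it is not a parsable XML-RPC call."""
    try:
        params, method = xmlrpc.client.loads(body)
    except (ExpatError, xmlrpc.client.Error, ValueError, TypeError):
        return None, 0
    if method != "system.multicall":
        return method, int(method in AUTH_METHODS)
    calls = params[0] if params and isinstance(params[0], list) else []
    n = sum(1 for c in calls
            if isinstance(c, dict) and c.get("methodName") in AUTH_METHODS)
    return method, n

def should_block(body, max_auth_calls=1):
    """Block a multicall that bundles more authenticating calls than a
    legitimate client would ever need (assumed policy: at most one)."""
    method, n = credential_checks_in_request(body)
    return method == "system.multicall" and n > max_auth_calls

def accepted_guesses(response_body, candidates):
    """Read a multicall response: each element is [value] on success or a
    {faultCode, faultString} struct on failure. Return the accepted guesses."""
    (results,), _ = xmlrpc.client.loads(response_body)
    return [pw for pw, r in zip(candidates, results) if isinstance(r, list)]

def build_multicall_response(outcomes):
    """Constructed response in the shape WordPress produces: a 403 fault
    ('Incorrect username or password.') for each failed login and a wrapped
    wp.getUsersBlogs result for a success."""
    blog = {"blogid": "1", "blogName": "Example", "isAdmin": True,
            "url": "https://example.test/",
            "xmlrpc": "https://example.test/xmlrpc.php"}
    results = [[[blog]] if ok else
               {"faultCode": 403, "faultString": "Incorrect username or password."}
               for ok in outcomes]
    return xmlrpc.client.dumps((results,), methodresponse=True)

if __name__ == "__main__":
    wordlist = ["123456", "password", "admin123"]          # assumed guesses
    body = build_multicall_probe("admin", wordlist)
    print("one request carries", credential_checks_in_request(body)[1], "login attempts")
    print("block it:", should_block(body))
    # Pretend the server answered that the second guess was right.
    print("accepted:", accepted_guesses(build_multicall_response([False, True, False]), wordlist))
```

The point of should_block is that a normal XML-RPC client (a mobile app, Jetpack) sends one authenticated call per request or a multicall whose entries share one credential; a multicall carrying dozens of distinct username/password pairs has no legitimate use and can be dropped at the proxy without disabling XML-RPC for the clients that need it. Pair it with the per-IP counting from the login section, since each multicall that does get through is still one request from the counter's point of view.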

Suggested plugin in this section is as follows:

		Name			::		Links
1)  Disable XML-RPC			::	wordpress.org/plugins/disable-xml-rpc
2)  Manage XML-RPC			::	wordpress.org/plugins/manage-xml-rpc
3)  Disable XML-RPC Pingback		::	wordpress.org/plugins/disable-xml-rpc-pingback


Keeping Backups

Keep regular backups of the site files and the database so that, if the current setup is breached, you can roll back to a copy taken before the compromise. Store them off the web server (an attacker who controls the server controls any backups kept on it), keep several generations, and test that a restore actually works. Restoring a backup does not fix the hole the attacker came through: find and patch the vulnerability before bringing the restored site back online, and change all passwords and keys at the same time.

Suggested plugins in this section are as follows:

		Name			::		Links
1)  vaultpress				::	vaultpress.com
2)  backupbuddy				::	ithemes.com/purchase/backupbuddy
3)  BackUpWordPress			::	wordpress.org/plugins/backupwordpress
4)  Backup				::	wordpress.org/plugins/backup

Additional Helpful WordPress Plugins

		Name			::		Links
1)  Sucuri Plugin			::	sucuri.net/wordpress-security/wordpress-security-plugin-installation
2)  All In One WP Security & Firewall	::	wordpress.org/plugins/all-in-one-wp-security-and-firewall
3)  BulletProof Security		::	wordpress.org/plugins/bulletproof-security


The plugins mentioned here are provided for reference only, not as endorsements. Before using one, check with its developer or the plugin listing for known vulnerabilities, confirm it is still maintained, and keep it updated after installation.

I hope this has been informative to you, and I would like to thank you for reading this article.