WordPress Security

April 21, 2013, by Sagar

Introduction

You must have heard the name WordPress, as it has become a popular term across the social media world. I am not going deep into explaining what WordPress is, but here is a short introduction: it is a free and open source blogging platform and content management system (CMS), developed using the widely used server-side scripting language PHP and the MySQL database. In the past it was just a blogging platform available on WordPress.com; it then became available as open source software at wordpress.org for creating websites and blogs. As the developers of this blogging tool progressed, many features were added to make WordPress more of a content management system. Currently WordPress is the most popular blogging and website CMS platform, serving more than 60% of websites present on the web. Many popular sites and magazines use WordPress, including Mashable, TechCrunch, etc. In this series, we will be talking about the WordPress software platform which we install on our own hosting to create websites.

At the start of my initial WordPress projects, I was not much aware of the security issues residing in the core system files. One of my friends' websites was compromised and I helplessly tried fixing it using a few tricks. That was back in 2008. I could not even figure out the reason. It might have happened due to vulnerabilities in the WordPress setup or some loopholes already present at the shared hosting provider. Many of us host WordPress sites on shared hosting, and we have to rely on the provider's service for security. My first suggestion is to double-check the reputation of the hosting provider where you are going to host your WordPress site. Google them, read their reviews and whatever updates they have made in the past to ensure security for their customers. This is highly recommended.
After the hosting provider, everything depends on you and how you make the site secure yourself. Hosting providers can only ensure security for their own services, but the installation should also be tightened so that no one can creep into the setup files.

Prevention while setting up

Change database table prefix

The typical database table prefix when setting up WordPress is 'wp_'. As it is the default, it is known to everyone and guessing it is quite easy. You can change it to anything you like; you will find the option in the wp-config.php file:

$table_prefix = 'jkthks_';

Add security keys

It is highly recommended to add security keys to wp-config.php. These keys make the WordPress installation more secure: they are used to ensure better encryption of the information stored in user cookies, and you can change them at any time to invalidate all existing cookies set in browsers.

You can generate random keys here: https://api.wordpress.org/secret-key/1.1/salt/

Example:
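As an added example (not code from the article): instead of pasting the output of the URL above by hand, the script below generates the same eight constants locally with PHP's CSPRNG and splices them into wp-config.php, replacing any values already there. The constant names are the real ones WordPress reads; the file path given on the command line and the "stop editing" marker it looks for are assumptions about a standard wp-config.php.

```php
<?php
// Added example, not the article's code: rotate the WordPress security keys locally.
// Usage: php rotate-salts.php /path/to/wp-config.php   (path is an assumption)

const WP_SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Printable ASCII 33..126 minus the three characters that would break a
// single-quoted PHP string inside define(): ' " \
function wp_salt_alphabet(): string {
    $chars = '';
    for ($c = 33; $c <= 126; $c++) {
        $ch = chr($c);
        if ($ch === "'" || $ch === '"' || $ch === '\\') {
            continue;
        }
        $chars .= $ch;
    }
    return $chars;
}

// One 64-character key drawn with random_int(), which is a CSPRNG in PHP >= 7.0.
function wp_random_salt(int $length = 64): string {
    $alphabet = wp_salt_alphabet();
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// The block of eight define() lines in the same shape the api.wordpress.org endpoint returns.
function wp_salt_block(): string {
    $lines = [];
    foreach (WP_SALT_NAMES as $name) {
        $lines[] = sprintf("define('%s', '%s');", $name, wp_random_salt());
    }
    return implode("\n", $lines) . "\n";
}

// Strip every existing define('AUTH_KEY', ...) etc. from a wp-config.php body and insert
// fresh ones. Rotating the keys invalidates all existing login cookies, as noted above.
function wp_rotate_salts(string $config): string {
    $pattern = '/^\s*define\s*\(\s*[\'"](' . implode('|', WP_SALT_NAMES) . ')[\'"]\s*,.*?\);\s*$/m';
    $stripped = preg_replace($pattern, '', $config);

    // Place the new block just before the standard "stop editing" marker when present.
    $marker = "/* That's all, stop editing!";
    $pos = strpos($stripped, $marker);
    if ($pos === false) {
        return rtrim($stripped) . "\n\n" . wp_salt_block();
    }
    return substr($stripped, 0, $pos) . wp_salt_block() . "\n" . substr($stripped, $pos);
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $path = $argv[1];
    file_put_contents($path, wp_rotate_salts(file_get_contents($path)));
    echo "Rotated security keys in $path\n";
}
```

Back up wp-config.php before running it, and keep the file unreadable to other users on a shared host, since these keys are exactly what an attacker who can read the file would want.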

Disable editing of theme files from wordpress dashboard

Many times, when an attacker gets into the site, the theme editor (under the Appearance menu) is used to execute malicious code. We can simply disable the file editing option by adding the line below to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Turn off Error Messages on login page

An error message gives the attacker an idea about the username and password: a different message for an unknown username than for a wrong password confirms which usernames exist. Credentials can be exposed more easily with the help of such messages. We can hide them just by adding the line below to the theme's functions.php:

// create_function() was removed in PHP 8; a closure does the same job.
add_filter('login_errors', function () { return ''; });

Hide WordPress version number

It is good to hide your WordPress version number, which is typically printed in the head section of the website. An attacker can easily work out what to do next if he learns the version information. Many WordPress themes publish it in the <head> tag like below:

<meta name="generator" content="WordPress 3.1" />

You can remove the WordPress version from the theme by adding the code below to functions.php.
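As an added example, not code from the article: the lines below, for the active theme's functions.php, remove the generator tag from the head, blank it in the feeds, and strip the ?ver= query string that also reveals the version on enqueued scripts and stylesheets. wp_generator, the_generator, style_loader_src, script_loader_src and remove_query_arg() are WordPress's own hooks and functions; the ch_ prefix on the helper is an assumed theme namespace.

```php
<?php
// Added example (not the article's code); goes in the active theme's functions.php.

// Drop <meta name="generator" content="WordPress x.y" /> from the page <head>.
remove_action('wp_head', 'wp_generator');

// The same string is printed in the RSS/Atom feeds via get_the_generator(); blank it there too.
add_filter('the_generator', '__return_empty_string');

// Enqueued assets carry ?ver=<WordPress version> unless the plugin sets its own; remove it.
// The "ch_" prefix is an assumed namespace for this theme's helpers.
function ch_strip_ver_query(string $src): string {
    return remove_query_arg('ver', $src);
}
add_filter('style_loader_src', 'ch_strip_ver_query');
add_filter('script_loader_src', 'ch_strip_ver_query');
```

Stripping ver also removes the cache-busting WordPress gets from that query string, so clear caches after updates. The version is still readable from readme.html in the site root, which should be deleted or blocked separately.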

Secure wp-admin directory

Securing the wp-admin directory is the best possible practice to protect the most important core files of the WordPress installation. If attackers try to enter the directory, a login prompt will be displayed asking for a password. It can be done using the options below:

  1. If your hosting service has provided you with cPanel, just follow this tutorial
  2. Password protection using .htaccess and .htpasswd. Follow this tutorial
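As an added example of option 2, not from the article: a wp-admin/.htaccess that puts HTTP Basic authentication in front of the directory. The password file path is an assumption; keep it outside the web root.

```apache
# Added example (not the article's): save as wp-admin/.htaccess.
# The password file path is an assumption. Create it outside the web root with:
#   htpasswd -c /etc/apache2/wp-admin.htpasswd <username>
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# admin-ajax.php is called by plugins and themes on behalf of ordinary visitors, so it
# must stay reachable without the prompt or those requests fail with 401.
# This is the Apache 2.4 form; on 2.2 use "Order allow,deny", "Allow from all" and
# "Satisfy any" inside this block instead.
<Files admin-ajax.php>
    Require all granted
</Files>
```

The directory's AllowOverride setting must include AuthConfig for the .htaccess file to be honoured; the password file must be readable by the web server user and nobody else.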

File Permissions to WordPress installation Directories & File

This is the most crucial step while hardening a WordPress installation. WordPress itself recommends the permissions below.
For files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

For directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
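As an added example, not the article's code: a small PHP CLI script that audits an installation against the 644/755 baseline above and reports deviations instead of changing anything, which is the check you want in a cron job or before a release. The install path on the command line is an assumption.

```php
<?php
// Added example (not the article's code): report files and directories that deviate
// from the 644 / 755 baseline, world-writable entries, and a world-readable wp-config.php.
// Usage: php audit-perms.php /path/to/your/wordpress/install   (path is an assumption)

function wp_perm_issues(string $root): array {
    $issues = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode = fileperms($path) & 0777;
        $expected = $info->isDir() ? 0755 : 0644;

        if ($mode & 0002) {
            // Anything writable by "other" lets any local user on a shared host plant code.
            $issues[] = sprintf('%s is world-writable (%04o)', $path, $mode);
        } elseif ($info->getFilename() === 'wp-config.php') {
            // Holds the database credentials and the security keys: 640 or 600, not 644.
            if ($mode & 0004) {
                $issues[] = sprintf('%s is world-readable (%04o); use 640 or 600', $path, $mode);
            }
        } elseif ($mode !== $expected) {
            $issues[] = sprintf('%s has %04o, expected %04o', $path, $mode, $expected);
        }
    }
    return $issues;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $issues = wp_perm_issues($argv[1]);
    echo $issues ? implode("\n", $issues) . "\n" : "No deviations from the baseline.\n";
    exit($issues ? 1 : 0);
}
```

On hosts where PHP runs as a different user from the file owner, wp-content/uploads legitimately needs to be writable by the PHP user; treat those reports as expected and tighten ownership rather than loosening modes.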

We will discuss more hardening tips in next issue of CHMag.

Sagar is an IT Engineering student, currently working as a web developer.
