WP beginner security question (21 posts)

  1. ChangeAgent
    Member
    Posted 9 months ago #

    I have just started to build a WP site for my lady so she can share her knowledge with the world. FYI, I do not understand much about writing code, or some of the stuff I read. Still, I like doing it, and am learning.

    I began here, http://masterblogster.com/useful-plugins-to-secure-wordpress-website/ (came across it looking for a particular different plug-in solution), next I read http://codex.wordpress.org/Hardening_WordPress (where I admit I only understood part of it). I also visited some of the links I found in the article, as well as doing a search on the WP site, keyword 'security'. Net result: I am as confused as a bee in a virtual flower shop. I have, for example, not a clue if some of the plug-ins I found should all be used together, or if they might interfere with one another, or what some of the functions they offer are.

    One particular question that comes up is, should I log in to my site (when doing maintenance) over an SSL connection? In that case I need to order a certificate from my ISP.

    What I did do is not use the admin login account (I deleted it) and created my own with a long password.

    At this point I will not have a blog where people can post.

    I also installed a plug-in that restricts the number of log-in attempts and then blocks the log-in for 20 minutes.

    I also know about keeping plug-ins and WP up to date.

    So is there anybody out there who could advise me what is best for a non-code-writer-and-novice like me to do in order to protect my site as best as I can from the big bad wolves out there? Or an article for folk like me?

    We are saying thank you and hope to gain some insight in this complex matter.

  2. bemdesign
    Member
    Posted 9 months ago #

    Well, it sounds like you're Doing It Right. One thing I would strongly recommend is regular backups of your WordPress database and the wp-content folder (at least the uploads and any custom themes - no need to back up plugins as you can just download and re-install).

    That, and make sure your local machine connecting to the site is safe (no viruses/malware).

    And don't use untrusted networks (like an open internet point at a coffee shop) to connect to the site and log in.

    Oh and make sure your files and folders are using appropriate permissions - see http://codex.wordpress.org/Changing_File_Permissions
    You can use your server's control panel or SFTP client to set these with a nice user interface or you can do it manually using the appropriate commands on a command line.

    But yeah, you're doing good. You can do some more security stuff at the server level to help block malicious requests to the server but that's more advanced and, to be honest, not really needed unless evidence suggests otherwise.

  3. ChangeAgent
    Member
    Posted 9 months ago #

    bemdesign thank you.

    I am going to read the link you suggested.

  4. ChangeAgent
    Member
    Posted 9 months ago #

    Interesting reading, although I do not claim to fully comprehend it all.

    In it, it said that if you installed WP yourself (as I did) you probably do not need to worry about anything. Would you agree with that?

    And yes, at the moment while building I do backups (by hand), but I need to look at an automated system as I go live.

  5. bemdesign
    Member
    Posted 9 months ago #

    Yeah - in most cases you don't have to do a thing with file/folder permissions. But just be aware of it and using your SFTP client or server's control panel, make sure they are set appropriately (755 is probably the most "permissive" you'll ever want to set things).

  6. amsgator
    Member
    Posted 9 months ago #

    I have a few suggestions.

    Adding this code to your .htaccess file will GREATLY decrease the number of brute force attacks you experience. The reason for this is that nearly all brute force attacks are performed by attacking the wp-login.php file directly, NOT by loading the page and actually filling in the login fields. When the attack is performed this way it does not send your website referrer. I was getting about 30-50 login attempts from across the world before I added the referrer code below, and since I added it I have had ZERO.

    The same is true for spam comments when they attack the wp-comments-post.php file the same way. By blocking login and comment attempts with any referrer other than your website (or no referrer at all), this code will send the bot back to whatever IP address it came from. Replace yourdomain with whatever your domain is.

    # BEGIN Limit Login Access by Referrer
    <IfModule mod_rewrite.c>
    RewriteEngine On
    # Only POST requests are affected...
    RewriteCond %{REQUEST_METHOD} POST
    # ...whose Referer is not a page on this site (a missing Referer also matches);
    # replace yourdomain\.com with your own domain
    RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yourdomain\.com(/|$) [NC]
    # ...and which target the login form, the comment handler or wp-admin
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    # Send the request back to the address it came from and stop processing rules
    RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
    </IfModule>
    # END Limit Login Access by Referrer

    Also, several files in the WordPress installation list the version of WP you are running. Once a hacker knows what version you are running, it makes it easier for them to exploit any security issues that may exist. Adding this code to the .htaccess will deny access to those files.

    # BEGIN Deny Access to Certain Files
    <FilesMatch "^(readme\.html|license\.txt|wp-config-sample\.php)$">
        # Apache 2.4 syntax
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        # Apache 2.2 syntax
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </FilesMatch>
    # END Deny Access to Certain Files

    Lastly, adding this code to the functions.php file of whatever theme you are using will strip the WordPress version from your source code.

    // Remove the WordPress version from the generator meta tag and feeds
    function remove_wp_version() { return ''; }
    add_filter( 'the_generator', 'remove_wp_version' );

    // Remove version query strings (?ver=x.y.z) from enqueued JavaScript and CSS URLs
    function _remove_script_version( $src ) {
        $parts = explode( '?', $src );
        return $parts[0];
    }
    add_filter( 'script_loader_src', '_remove_script_version', 15, 1 );
    add_filter( 'style_loader_src', '_remove_script_version', 15, 1 );

  7. ChangeAgent
    Member
    Posted 9 months ago #

    Thanks bemdesign.

    Do you suggest I set all files and folders to this? I mean all that are of lower permission than 755?

  8. ChangeAgent
    Member
    Posted 9 months ago #

    amsgator I say thank you.

    Adding this code to your .htaccess file

    Is that the invisible one at top level? I did once do something to it (beginner's mistake, using a plug-in) and it locked me out. Not a big deal, but I learned.

    Otherwise good info.

    I will look at this later as today I need to upgrade my home computers, so I will be busy all day. I might post more questions.

    The additions you suggest, I just paste at the end of the file?

  9. ChangeAgent
    Member
    Posted 9 months ago #

    Again thanks for posting.

    Another question, if I may.

    Are you saying that using any security plug-ins, as mentioned for example in the above link I posted (http://masterblogster.com/useful-plugins-to-secure-wordpress-website/), is of no use? Or do they add extra security on top of what you guys suggest?

    For example, I found one that claims to hide your WP version. I also read an article that says you cannot hide it as it always shows up somewhere (again, I do not always understand the technical bits).

    You see all novice questions, but grateful for your help.

  10. bemdesign
    Member
    Posted 9 months ago #

    A lot of the security plugins are basically doing what you've already done and what we've suggested - so basically you can do it without a security plugin if you want.

    I've used the All-in-one WP Security and Firewall plugin and it provides a bit of everything - limiting login attempts, immediately refusing logins with usernames that don't exist, .htaccess settings to refuse malicious queries, change the database prefix, database and wp-config.php backups, file permission settings, block IPs, etc. It actually does a decent job of explaining what it's doing and why.

    Do you need to use a security plugin? No. Does it help? It certainly can - but a lot depends on you and your WordPress setup. At any rate, download and test the plugin on a test environment and find out if it's useful for you and your server environments.

  11. amsgator
    Member
    Posted 9 months ago #

    If it can be done without a plugin it's better to not use a plugin. Plugins slow your site down, so the less the better. The only security plugin I use is Wordfence.

    As far as the .htaccess stuff, put it in your site's .htaccess file; it doesn't matter where it goes in the file itself. Same for the functions.php file, as long as it's between the opening and closing tags.

  12. leejosepho
    Member
    Posted 9 months ago #

    I use BulletProof Security to write my htaccess for protection of my entire site (including wp-admin and a folder for database backups) and to add Custom Code wherever I wish, and it is mostly idle the remainder of the time unless being used to limit failed login attempts. Also, here is a bit of code I use to stop enumeration from being used to discover user names for invasive login attempts:

    #### ba00 send username enumeration to Home Page
    ## see http://llocally.com/blog/2013/08/19/what-is-your-login-username-to-your-wordpress-website/
    # BEGIN author & enumeration redirects
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # ?author=N anywhere in the query string (not only at its start) is sent to the Home Page
    RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+
    # the trailing "?" drops the original query string from the redirect target
    RewriteRule ^(.*)$ /? [L,R=301]
    </IfModule>
    ## ba02 send /author/ scans to Home Page
    <IfModule mod_alias.c>
    RedirectMatch (?i)^/author.*$ /
    </IfModule>
    # END author & enumeration redirects

    Note: The "ba02" part of that stops author scans from returning all posts made by a known author.
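
    As an added example (not code from any post in this thread), the script below applies the same two tests that amsgator's referrer rule and leejosepho's enumeration rules encode to Apache access-log lines, so you can measure how much of your traffic those rules would catch before and after adding them. The yourdomain.com host and the log lines are constructed placeholders.

```python
# Added example (not from the thread); SITE_HOST and the log lines are constructed placeholders.
import re
from urllib.parse import urlsplit, parse_qs
SITE_HOST = "yourdomain.com"  # assumption: replace with the real host
LOGIN_PATHS = ("/wp-login.php", "/wp-comments-post.php")
# combined format: ip ident user [time] "METHOD target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def same_site_referer(referer, site_host=SITE_HOST):
    """True only for an http(s) Referer on site_host or one of its subdomains."""
    u = urlsplit(referer)
    host = (u.hostname or "").lower()
    return u.scheme in ("http", "https") and (host == site_host or host.endswith("." + site_host))

def classify(line):
    """Label a request the thread's rules would redirect, or None for ordinary traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    # amsgator's rule: a login or comment POST should carry this site as its Referer
    if m["method"] == "POST" and target.path in LOGIN_PATHS and not same_site_referer(m["referer"]):
        return "login_post_without_site_referer"
    # leejosepho's rules: ?author=N anywhere in the query string, or an /author/ path
    if any(v.isdigit() for v in parse_qs(target.query).get("author", [])):
        return "author_enum_query"
    if target.path.lower().startswith("/author/"):
        return "author_enum_path"
    return None

def summarize(lines):
    """Count flagged requests per (label, source IP) so the noisy sources stand out."""
    counts = {}
    for line in lines:
        label = classify(line)
        if label:
            key = (label, LOG_RE.match(line)["ip"])
            counts[key] = counts.get(key, 0) + 1
    return counts

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [10/Mar/2014:03:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2014:03:14:11 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512 "http://evil.example/" "curl/7.35"',
    '198.51.100.7 - - [10/Mar/2014:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://yourdomain.com/wp-login.php" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2014:03:15:00 +0000] "GET /?p=5&author=2 HTTP/1.1" 200 8811 "-" "python-requests/2.2"',
    '192.0.2.9 - - [10/Mar/2014:03:15:02 +0000] "GET /author/admin/ HTTP/1.1" 200 7300 "-" "python-requests/2.2"',
]
```

    The thread's RewriteCond anchors only the start of the Referer, so a value such as http://yourdomain.com.evil.example/ would pass it, whereas the Python check compares the host exactly. A Referer is set by the client, so either rule reduces noise rather than proving where a request came from.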

  13. ChangeAgent
    Member
    Posted 9 months ago #

    Great, leejosepho.

    For clarity, you add the code to your .htaccess file?

  14. ChangeAgent
    Member
    Posted 9 months ago #

    Thanks bemdesign. I'll try the plugin.

  15. ChangeAgent
    Member
    Posted 9 months ago #

    Thanks for clarifying, amsgator.

  16. leejosepho
    Member
    Posted 9 months ago #

    Great, leejosepho.

    For clarity, you add the code to your .htaccess file?

    Yes, and if you want a version of the first part that returns "Forbidden" rather than your Home Page, AITpro has posted two replacement lines here:
    http://wordpress.org/support/topic/what-file-permissions-are-needed-while-editing?replies=29#post-4863434

    And for anyone who might prefer a plugin, that all began here:
    http://wordpress.org/plugins/stop-user-enumeration/

  17. ChangeAgent
    Member
    Posted 9 months ago #

    Thanks leejosepho, I'll have a read later today.

  18. ChangeAgent
    Member
    Posted 9 months ago #

    bemdesign wrote

    Yeah - in most cases you don't have to do a thing with file/folder permissions. But just be aware of it and using your SFTP client or server's control panel, make sure they are set appropriately (755 is probably the most "permissive" you'll ever want to set things).

    I checked them and this is all in order, nothing over 755.

  19. ChangeAgent
    Member
    Posted 9 months ago #

    removed by me

  20. ChangeAgent
    Member
    Posted 8 months ago #

    Amsgator, I am about to go live and implement your suggestions. I have a question:

    Lastly, adding this code to the functions.php file of whatever theme you are using will strip the wordpress version from your source code

    I read once somewhere, I think, that once you have your site configured you cannot change this. Is this correct?

  21. ChangeAgent
    Member
    Posted 7 months ago #

    Lastly, adding this code to the functions.php file of whatever theme you are using will strip the wordpress version from your source code

    Amsgator (or anybody), could you tell me if this is so? I read once somewhere, I think, that once you have your site configured you cannot change this. Is this correct?
