Earlier I discussed the various vulnerabilities that can harm a WordPress installation, whether they sit in your computer, in WordPress itself, in the web server or in the network. The point is simple: there are many ways an installation can be harmed, and in the worst case all of your work can be brought to a dead stop. So what can you do to make the system secure? Again there are many measures you can take, but no single one is the perfect fit; together they make your WordPress security strong and hard for anyone to crack.
Note: If you missed the first part of this three-part series, you can read it at – Hardening WordPress Security: Understanding Vulnerabilities
#1 By Strong Passwords
If you keep a strong password, you have already taken the first step toward avoiding the vulnerabilities that can harm your installation. Choosing a strong password is the first thing to get right: it is not just a password but the lifeline that protects your site from vulnerabilities and hackers.
The stronger the password, the harder it is for people to guess and the harder it is for a brute-force attack to succeed. It is always a good idea to use an automatic password generator service such as MSD Services. The better the password you create, the less chance anyone has of even coming close to it.
WordPress also has a password strength meter: when you enter a password, it shows you how strong it is. A strong password not only protects your blog content but also keeps hackers from installing malicious scripts, which can end in your whole server being compromised.
#2 Via FTP
Always use SFTP whenever you connect to your server. Many of you may never have heard of SFTP. It works just like FTP, except that the password and other data you send are encrypted while being transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by a hacker. If you are unsure how to get it, ask your web hosting provider about SFTP and they will guide you further.
#3 By File Permissions
If you are an intermediate WordPress user, you should be aware that WordPress lets you restrict who can read, write, modify or access your WordPress file system, while various files need to be writable by the web server itself. Any write access you allow on those files is potentially dangerous, mainly in a shared hosting environment.
It is always best to lock down your file permissions as far as you can, and loosen them only where you know you need write access or need to create specific folders with fewer restrictions, for purposes such as uploading files. The better your file system permissions, the better the protection you set for your blog or site.
Suggested Reading: How To Change The File Permissions In WordPress?
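The lockdown described above, as an added example that is not part of the original post: a small POSIX shell script that applies the usual 755/644 scheme to a WordPress tree and then audits it. It assumes the PHP process runs as the owner of the files (so wp-config.php can be owner-read-only and uploads need no group/other write bit); the sample tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): lock down a WordPress tree as section #3
# describes, then audit it. Assumes the PHP process runs as the file owner, so
# wp-config.php can be owner-read-only and uploads need no group/other write.

harden_wp_tree() {
  root="$1"
  # Directories 755, regular files 644: readable by the web server, written
  # only by the owner. Uploads stays 755 because the owner is the web server.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds the DB credentials: owner read-only.
  if [ -f "$root/wp-config.php" ]; then chmod 400 "$root/wp-config.php"; fi
}

# Prints the number of paths still writable by group or others (should be 0).
count_loose_perms() {
  find "$1" \( -perm -g+w -o -perm -o+w \) | wc -l | tr -d ' '
}

# Prints a path's octal mode (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a constructed, deliberately sloppy tree (not a real site).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/wp-content/uploads" "$demo_dir/wp-includes"
printf '<?php\n' > "$demo_dir/wp-config.php"
printf '<?php\n' > "$demo_dir/wp-includes/load.php"
chmod 777 "$demo_dir/wp-content/uploads" "$demo_dir/wp-includes/load.php"
chmod 666 "$demo_dir/wp-config.php"
echo "loose before: $(count_loose_perms "$demo_dir")"
harden_wp_tree "$demo_dir"
echo "loose after:  $(count_loose_perms "$demo_dir")"
echo "wp-config.php mode: $(mode_of "$demo_dir/wp-config.php")"
rm -rf "$demo_dir"
```

On a shared host where PHP runs as a different user than the file owner, wp-config.php needs 440 with the web server's group instead of 400, and the uploads directory needs group write.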
#4 Securing Database
If you are running more than one blog on the same server, consider keeping each of them in a different database, each managed by a different set of users. The best practice is to do this at the time of your initial WordPress installation. If all the databases are under one umbrella, then once an intruder succeeds in cracking one WordPress installation it will not be much harder to alter all of your other blogs. If you administer MySQL yourself, make sure you understand your MySQL configuration well, and check that all the features you do not need are disabled.
#5 Securing wp-admin
It is always good to add server-side password protection to your /wp-admin/, which puts a second protective layer around your blog’s admin area, the login screen and your files. An attacker or bot now has to crack not one but two security layers before it reaches your actual admin files. The two common attacks this guards against are:
- Sending HTTP requests to your server with exploit payloads aimed at specific vulnerabilities, typically in old or outdated plugins and software.
- Gaining access by “brute-force” password guessing.
#6 Securing wp-includes
wp-includes contains scripts that are generally not intended to be accessed directly by any user, so you can secure it by blocking those scripts with mod_rewrite in the .htaccess file. Make sure you add the code below outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file, remembering that WordPress can overwrite anything between those tags.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Forbid direct requests to PHP files at the top of wp-includes/ (note: this one breaks ms-files.php on Multisite).
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
#7 Securing wp-config.php
To secure your wp-config.php file, move it to the directory above your WordPress install, so that it is stored outside the web-root folder. Note that only you and, of course, your web server need to read this file; the .htaccess rule below denies access to anyone who tries to browse to it.
<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead.
order allow,deny
deny from all
</Files>
#8 Disabling File Editing
By default WordPress allows your blog admin to edit PHP files, both theme files and plugin files, from the Dashboard, which is the first thing that interests attackers once they gain access to your site. Using the code below you can disable editing from the Dashboard itself: placed in wp-config.php, it removes users’ capability to edit any theme or plugin files.
Always make sure that all the plugins you use are updated; those that are not in use and are inactive are better deleted permanently from the system.
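The wp-config.php change described above, as an added example that is not part of the original post: a POSIX shell helper that sets the documented WordPress constant DISALLOW_FILE_EDIT in wp-config.php, placing it before WordPress bootstraps and refusing to touch a file it does not recognise. It assumes a stock wp-config.php whose last statement loads wp-settings.php; the sample config is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post): disable the Dashboard theme/plugin editor
# by setting the documented DISALLOW_FILE_EDIT constant in wp-config.php.
# Assumes a stock wp-config.php whose last statement loads wp-settings.php.

# Returns 0 if wp-config.php already disables the editor, 1 otherwise.
file_edit_disabled() {
  grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\)" "$1"
}

# Inserts the define immediately before the line that loads wp-settings.php:
# anything after that require runs too late, because WordPress (and every
# plugin's init hook) has already executed inside it. Safe to run twice.
disable_file_edit() {
  cfg="$1"
  file_edit_disabled "$cfg" && return 0
  tmp="$cfg.tmp.$$"
  awk '
    /require_once.*wp-settings\.php/ && !done {
      print "define( '\''DISALLOW_FILE_EDIT'\'', true );"
      done = 1
    }
    { print }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
  # Fail loudly instead of silently leaving the editor enabled.
  file_edit_disabled "$cfg" || {
    echo "no wp-settings.php include found in $cfg" >&2
    return 1
  }
}

# Demo on a constructed minimal wp-config.php (not a real site's file).
demo_cfg=$(mktemp)
printf "<?php\ndefine( 'DB_NAME', 'blog' );\n/* That's all, stop editing! */\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$demo_cfg"
disable_file_edit "$demo_cfg"
disable_file_edit "$demo_cfg"   # second run is a no-op
cat "$demo_cfg"
rm -f "$demo_cfg"
```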
Photo Credit: Flickr/Michael Coghlan