
Tag: WordPress Security

Hardening WordPress Security: Monitoring


Having covered two of the three areas of WordPress security – Understanding Vulnerabilities and Securing – this final part looks at how to monitor the system you have set up. Precautions alone are not always enough: prevention can fail and you may still be hacked, and that is when intrusion detection and monitoring play their part. Monitoring lets you react faster, understand what is actually going on behind the scenes, and work out how to recover your site.

Note: If you missed the first and second parts of this three-part series, you can read them at – Hardening WordPress Security: Understanding Vulnerabilities and Hardening WordPress Security: Securing.

#1 Monitoring Your FTP Log Files

On shared or reseller hosting you probably do not have access to the FTP log files for your account, so you need to ask your hosting provider to supply them. On a VPS or dedicated server you have higher privileges and can read the FTP log files yourself; they are written to /var/log/messages.

#2 Monitoring Your Apache Log Files

On shared or reseller hosting you can view your Apache log files by logging in to cPanel and clicking the Error Log icon. The file shows the last 300 Apache errors triggered by your website.

On a VPS or dedicated server without cPanel, the log files live under /var/log/, and the Apache logs are in /var/log/httpd/. On a server with cPanel installed, the Apache error log is /usr/local/apache/logs/error_log, where “error_log” is simply a plain text file.

#3 Monitoring Your Web Server Externally

If an attacker adds malware to your site or defaces it, a web-based integrity monitoring service can detect the change. To find one, search Google for Web Malware Detection and Remediation and a list of such services will be in front of you.

Photo Credit: Flickr/Keith Cooper

Hardening WordPress Security: Securing


Earlier I discussed the various vulnerabilities that can harm a WordPress installation, whether in the computer, in WordPress itself, in the web server or in the network. The point is simple: there are many possible ways for harm to occur, and in the worst case your whole site can be brought to a dead stop. So what can we do to make the system secure? Again, there are many things you can do to safeguard it, but no single measure is a perfect fit on its own; what makes your WordPress security strong, and hard for anyone to crack, is combining them.

Note: If you missed the first part of this three-part series, you can read it at – Hardening WordPress Security: Understanding Vulnerabilities.

#1 By Strong Passwords

If you keep a strong password, you have already taken the first step towards avoiding the vulnerabilities that can harm your installation. Choosing a strong password is important enough to do first: it is not just a password but the lifeline that protects your site from vulnerabilities and hackers.

The stronger the password, the harder it is for people to guess and the harder it is for a brute-force attack to succeed. It is always a good idea to use an automatic password generator service such as MSD Services. The better the password you create, the less chance anyone has of even thinking of it.

WordPress also has a password strength meter: when you enter your password in WordPress, it shows you how strong it is. A strong password not only protects your blog content but also keeps hackers from installing malicious scripts, which could end up compromising your whole server.

#2 Via FTP

Always use SFTP encryption whenever you connect to your server. Many of you may never have heard of SFTP. It works just like FTP, except that the password and other data you send are encrypted as they travel between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by a hacker. If you are unsure how to get SFTP access, ask your web hosting provider about SFTP and they will guide you further.

#3 By File Permissions

As an intermediate WordPress user you should be aware that WordPress lets you restrict who can read, write, modify or access the files of your WordPress installation, since various files need to be writable by the web server itself. Any write access granted to such files is potentially dangerous, mainly in a shared hosting environment.

It is always best to lock down your file permissions as far as you can, and then loosen the restrictions only where you know you need write access or specific folders with fewer restrictions, for purposes such as uploading files. The better your file system is set up, the better the protection for your blog or site.

Suggested Reading: How To Change The File Permissions In WordPress?

#4 Securing Database

If you run more than one blog on the same server, consider keeping each of them in a separate database, each managed by a different set of users. The best time to set this up is when you perform the initial WordPress installation. If all the databases are under one umbrella and an intruder succeeds in cracking one WordPress installation, it will not be hard for them to alter all your other blogs as well. If you administer MySQL yourself, make sure you understand your MySQL configuration well and that all features you do not need are disabled.

#5 Securing wp-admin

It is always good to add server-side password protection to your /wp-admin/ directory, putting a second protective layer around your blog’s admin area, the login screen and your files. An attacker or bot then has to crack not one but two security layers instead of just your actual admin files.

Possible Attacks:

  • Sending HTTP requests to your server that target old or outdated plugins and software, carrying exploit payloads for specific vulnerabilities.
  • Gaining access by “brute-force” password guessing.
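One way to add that second layer is HTTP Basic authentication on the wp-admin directory. The following wp-admin/.htaccess is an added example, not code from the original post; the password file path and the username are assumptions (create the file with htpasswd and keep it outside the web root).

```apache
# wp-admin/.htaccess (added example, not from the original post)
# Password file created with, for example:
#   htpasswd -c /home/example/.htpasswd adminuser
# /home/example/.htpasswd is an assumed path; keep it outside the document root.
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php is called by front-end features of themes and plugins,
# including for logged-out visitors. Leave it reachable, otherwise those
# features prompt for a password or silently break.
# Apache 2.2 syntax (also works on 2.4 with mod_access_compat); on plain
# Apache 2.4 replace the three lines with: Require all granted
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Note that wp-login.php sits in the site root, not in wp-admin, so the login screen needs its own `<Files wp-login.php>` block with the same Auth directives in the root .htaccess.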

#6 Securing wp-includes

The scripts in wp-includes are generally not intended to be accessed directly by any user, so you can secure the directory by blocking them with mod_rewrite in the .htaccess file. To do so, add the code below outside the #BEGIN WordPress and #END WordPress tags in .htaccess, remembering that WordPress can overwrite anything between those tags.

#7 Securing wp-config.php

To secure your wp-config.php file, move it to the directory above your WordPress install, i.e. store wp-config.php outside the web-root folder. Also make sure that only you and, of course, your web server can read this file; the code below denies access to anyone trying to browse to it.
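Added example covering #6 and #7, not the original post’s own code: the block for the root .htaccess that forbids direct requests to wp-includes scripts and denies HTTP access to wp-config.php. It assumes WordPress is installed at the document root (RewriteBase /) and that mod_rewrite is enabled.

```apache
# Root .htaccess of the WordPress install (added example, not from the original post).
# Place this OUTSIDE the "# BEGIN WordPress" / "# END WordPress" markers;
# WordPress rewrites whatever sits between them when permalinks are saved.

# #6: block direct requests to include-only PHP files.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules for anything outside wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Caveat: the [^/]+\.php$ rule also blocks wp-includes/ms-files.php,
# which a Multisite install uses to serve uploaded files.

# #7: deny all HTTP access to wp-config.php if it is still inside the web root.
# (If you moved it one directory up as described above, it is unreachable anyway.)
# Apache 2.2 syntax; on plain Apache 2.4 use: Require all denied
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
```

After saving, request /wp-includes/version.php and /wp-config.php in a browser: both should return 403 Forbidden, while the rest of the site keeps working.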

#8 Disabling File Editing

By default WordPress allows your blog admin to edit PHP files, both theme and plugin files, which is the first thing that interests attackers who gain access to your site. Using the code below you can disable this editing from the Dashboard itself. Placing the code in wp-config.php removes the capability of users to edit any theme or plugin files.

#9 Plugins

Always make sure that all the plugins you use are up to date, and permanently delete those that are not in use and inactive.

Photo Credit: Flickr/Michael Coghlan

If you like the post, make sure you do share your views via the comments below and also like and follow JustWP.org on Facebook and Twitter.

Hardening WordPress Security: Understanding Vulnerabilities

Security Cameras

We talked earlier about how to secure WordPress in different ways; now we take things a step further. It is best to understand the different vulnerabilities that can affect your WordPress installation. There is no hard and fast rule that says “I am secure”; only understanding, taking precautions and taking serious steps leads towards a secure system. The idea of this article is not to detail everything in one go but to divide the subject into three parts: Understanding Vulnerabilities, Securing and Monitoring. In this article we discuss the various potential vulnerabilities that can harm, or even make a huge mess of, your WordPress installation.

Security – What Is It?

One might think straight away that security is just about having secure systems, but it is more than that. Security means protecting the privacy, integrity and availability of the resources under the server administrator’s control. Whoever takes direct care of the server has to be ready to discuss security concerns, provide the most recent stable versions of the server software, and offer reliable backup and recovery methods.

The Basics

  • Security themes: keep some general security ideas in mind for every aspect of your system.
  • Limiting access: reduce the entry points available to a malicious person.
  • Containment: set up your system so that the damage is minimized if it is compromised.
  • Preparation and knowledge: keep backups of your WordPress installation at regular intervals.


#1 In The Computer

The computer you use might be home to hundreds or even thousands of spyware, malware and virus infections. Make sure the computers you use are free of all of them. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your system. Double check (or, if you still have doubts, triple check) that your web browser, operating system and software are all up to date.

#2 In The WordPress

WordPress is good enough that if you run an older version, it shows a message saying the latest version is available and that it is a good idea to install it. Always make sure your WordPress is on the latest version, as that saves you on D-day. The folks behind WordPress, an open source platform, keep their focus on regular updates to address new security issues wherever they arise. Remember too that if you are still on an older version, you had better update to the latest version today, as older WordPress versions are not maintained with new security updates.

Suggested Reading: Updating WordPress – Will It Make My Site A Mess?

#3 In The Web Server

Unless you are at least an intermediate WordPress user, you may not have heard of this, but the web server running WordPress, and the software running on it, can also be the victim of vulnerabilities.

This means it is of the utmost importance that you run secure, stable versions of your web server and the software on it, and that you use a trusted hosting provider that takes extra care of this on the back end.

Note that if your site runs on a shared server (with, say, 30 other websites on the same server) and one of those websites gets compromised, your website can potentially be compromised as a result. Make sure you ask your web host which security precautions they are taking and discuss them.

#4 In The Network

Make sure that the network on both the WordPress server side and the client side is a trusted one. You can do this by updating the firewall rules on your home router and on the networks you work from. Remember that an Internet cafe sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network. Your web host should make doubly sure that their network is not compromised by any type of attack, and you should do the same.

Note: In the second part of this three-part series, we will discuss how you can secure your WordPress installation.

Photo Credit: Flickr/Jaymis Loveday
