
A to Z WordPress Security Guide 2015

I decided to write this guide because several WordPress-hosted sites were recently hit by brute-force login attacks. Attack attempts grow as your blog grows, so keeping a WordPress blog secure means following a set of guidelines and applying a few tweaks.



Below I list some recent attacks against WordPress, how to prevent them on your own blog, and the security plugins, tips and settings worth implementing.



Several of the methods below involve editing .htaccess, wp-config.php and other files. A typo in .htaccess can take the whole site offline, so back up every file before you change it and keep FTP or SSH access handy to roll back.



[Image: A to Z WordPress Security Guide]





Brute Force Attack



The most common way WordPress blogs get broken into is the brute-force attack: the attacker, almost always an automated tool or a botnet, posts username and password guesses to wp-login.php (or to xmlrpc.php, which accepts the same credentials) until one works. Dictionary words and passwords leaked from other sites go first, then systematic combinations of characters.



Plugin: Login Security Solution records the IP address behind every login attempt and lets you block the addresses that keep failing.



Here are some more WordPress security practices that blunt brute-force attacks.



Treat username as your password



The default administrator username in WordPress is admin, and attackers try it first. Pick something unique that is not your display name, and set a different nickname for bylines, so the attacker has to guess both halves of the credential. Keep in mind that WordPress leaks login names through author archives (/?author=1 redirects to /author/<login>/), so an unusual username is a speed bump rather than a secret.



Treating the username as a second password makes a brute-force attack slower, not impossible; the password itself still has to be strong.





Keep your passwords safe, secure and strong



Strong passwords are what actually defeat brute forcing. Guessing a long, random password is infeasible within any useful time, whereas a dictionary word with a digit appended falls in minutes.



Make passwords as long as you can, mix letters, numbers and special characters (or use a passphrase of several random words), never reuse a password from another site, and watch the WordPress strength meter when you set one. A password manager makes long random passwords painless.



With a long random password, a brute-force attack on the account is practically hopeless, which is why attackers concentrate on weak passwords and on passwords reused from other breaches.



Enable Captcha for Login and Registration Pages



A CAPTCHA on the login page makes automated brute forcing much harder: every attempt has to solve a fresh challenge, so a script cannot simply replay thousands of passwords. It is not a silver bullet, since CAPTCHAs are solved cheaply by solving services and the same credential check is reachable through xmlrpc.php unless the plugin covers that endpoint too.



Adding a CAPTCHA and extra required fields to the registration form also keeps out spam registrations.



Plugins: SI CAPTCHA Anti-Spam, or alternatively Cimy User Extra Fields.



Limit login attempts



Limit how many failed logins an IP address may make in a period. The Limit Login Attempts plugin locks the client out after a preset number of failures for a preset time, which turns a million guesses per hour into a handful. Two caveats: the lockout must also cover xmlrpc.php, or attackers simply switch endpoints; and if the site sits behind a CDN or reverse proxy, the plugin must read the real client address from the forwarded header, otherwise every visitor shares the proxy's IP and one attacker locks everyone out.
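To show what a lockout rule actually does with raw web-server logs, here is an added example that is not part of the original post or of any plugin. It is a Python script that reads Apache combined-format access log lines, counts failed logins per IP inside a sliding window and lists the addresses that crossed the threshold as .htaccess deny lines. The sample lines are constructed and use RFC 5737 documentation addresses; the "failed login" heuristic (a POST to wp-login.php answered with 200, whereas a successful login is a 302 redirect into wp-admin) is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample traffic in Apache "combined" log format (not real traffic;
# RFC 5737 documentation addresses). 203.0.113.7 hammers the form, 198.51.100.4
# mistypes twice and then logs in (302), 192.0.2.9 fails a few times over hours.
SAMPLE_LOG = """\
192.0.2.9 - - [08/Jan/2015:01:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2015:01:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2015:02:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2015:02:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2015:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.5"
203.0.113.7 - - [08/Jan/2015:03:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.5"
203.0.113.7 - - [08/Jan/2015:03:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.5"
203.0.113.7 - - [08/Jan/2015:03:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.5"
203.0.113.7 - - [08/Jan/2015:03:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.5"
203.0.113.7 - - [08/Jan/2015:03:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.5"
198.51.100.4 - - [08/Jan/2015:03:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Jan/2015:03:10:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
198.51.100.4 - - [08/Jan/2015:03:10:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2015:03:15:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2015:03:15:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }

def is_failed_login(rec):
    """Assumption: WordPress answers a wrong password by re-rendering the form
    (200), while a successful login is a 302 redirect into wp-admin."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)

def find_brute_forcers(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time the threshold was crossed} for every address with at
    least `threshold` failed logins inside a sliding `window`.
    Lines are assumed to be in chronological order, as a log file is."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        attempts = recent[rec["ip"]]
        attempts.append(rec["ts"])
        while attempts and rec["ts"] - attempts[0] > window:
            attempts.popleft()          # forget failures older than the window
        if len(attempts) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged

def deny_rules(flagged):
    """Render the flagged addresses as Apache 2.2 'deny from' lines for .htaccess."""
    return ["deny from %s" % ip for ip in sorted(flagged)]

if __name__ == "__main__":
    hits = find_brute_forcers(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print("%s crossed the threshold at %s" % (ip, when.isoformat()))
    print("\n".join(deny_rules(hits)))
```

Note that the user who mistyped twice and then logged in is never flagged, and the slow attacker spreading guesses over hours stays under the 10-minute window; a real lockout plugin has to choose the same trade-off between window length and false positives.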



Enable IP based login



Some plugins let you whitelist the IP addresses from which a login is accepted. Add your home and office addresses and any place you regularly work from; everyone else is refused before the password is even checked, which ends brute forcing from the rest of the internet. This only works if your addresses are stable: on a dynamic or mobile connection you will lock yourself out, so keep FTP or SSH access available to undo it.



Plugin – WP Login Security 2



Alternatively, create a separate .htaccess file inside the wp-admin folder listing the allowed addresses. Two things to watch: wp-admin/admin-ajax.php is called by themes and plugins for ordinary visitors, so it needs an exception; and the login form itself, wp-login.php, lives in the site root rather than in wp-admin, so restrict it with a <Files> block in the root .htaccess as well. The snippet below uses Apache 2.2 syntax; on Apache 2.4 replace the order/deny/allow lines with Require ip lines.



# wp-admin/.htaccess
order deny,allow
deny from all
# IP addresses of my computers (RFC 5737 documentation addresses; put your own here)
allow from 203.0.113.10
allow from 198.51.100.0/24
# themes and plugins call this for logged-out visitors too
<Files admin-ajax.php>
    order allow,deny
    allow from all
</Files>

# root .htaccess: wp-login.php is not inside wp-admin
<Files wp-login.php>
    order deny,allow
    deny from all
    allow from 203.0.113.10
    allow from 198.51.100.0/24
</Files>



Malicious Script Injection



Malicious code is sometimes injected into WordPress files or into the database itself (posts, widgets, the options table), where it is hard to spot. The injected code behaves like a trojan: the site looks normal while in the background it steals credentials, plants hidden spam links to hijack your search ranking, or redirects visitors. Here are some ways to keep malicious scripts out of your WordPress install.



Scan your site and block IP addresses known for hackers



Sounds tough? It was for me too, until this plugin. Wordfence Security is one of the best security plugins for WordPress and can handle most of this on its own. On installation it scans your site: core, plugin and theme files are compared against the originals in the WordPress repository, and files are checked for known malware patterns. The free version has plenty of options and the premium version many more.



It also has a built-in WHOIS lookup, so you can see the network, postal address and contact details registered for an attacking IP address.



It can block individual IP addresses or whole networks that keep attempting to log in. Addresses caught attacking one Wordfence-protected site are added to a shared list and blocked on the other sites running Wordfence, so each user's telemetry protects the rest.



Avoid plugins from untrusted sources



"Nulled" (pirated) plugins downloaded from random sites are a classic carrier: the pirate adds a backdoor or a spam injector, and you install it on your own site.



Plugins and themes are the main target for injecting malicious code and stealing WordPress credentials. Install plugins only from the WordPress.org directory or a vendor you trust. The directory reviews plugins at submission but does not audit every release, so even an official plugin can ship a vulnerability: check the last-updated date, the changelog and the reviews, and keep the number of installed plugins small.



Use anti-malware plugins



Removing malicious scripts by hand is beyond most site owners, so use one of the anti-malware plugins that regularly scan your files and database for malicious code and remove it with your permission.



Plugins
Sucuri WordPress Security Plugin
Anti-Malware (Get Off Malicious Scripts)



You can also add a crude request filter to .htaccess. It rejects any request whose query string carries a <script> tag or tries to overwrite PHP's GLOBALS or _REQUEST arrays, which blocks some drive-by injection attempts before they reach PHP. It does nothing about code already in the database, and it will also reject a legitimate request that happens to contain those strings (a search for "<script>", for example), so treat it as a supplement to a scanner. Back up .htaccess before editing.



Options +FollowSymLinks
RewriteEngine On
# a <script> tag in the query string, URL-encoded or not
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# attempts to overwrite PHP's GLOBALS / _REQUEST arrays (register_globals era)
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# answer 403 Forbidden; with [F] the substitution is ignored, so "-" is the idiom
RewriteRule .* - [F,L]



Scan for malicious scripts in multiple .htaccess files



Attackers also drop or alter .htaccess files, and not only in the web root: any directory will do, and wp-content/uploads and wp-includes are favourite spots. Typical payloads redirect visitors who arrive from a search engine to another site (you never see it, because you type the URL directly), or make .jpg uploads execute as PHP. Google then marks the site as hacked or spammy. Keep regular full backups of files and database so you can diff a suspect install against a known-good copy and restore quickly; a backup does not prevent the infection, it shortens the recovery.



Plugins such as BulletProof Security can scan .htaccess files for known malicious patterns.
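The scan such a plugin performs can be done with a short script, shown here as an added example that is not part of the original post and is not BulletProof Security's code. It walks a WordPress install, reads every .htaccess at any depth and flags the patterns described above: redirects to a host that is not yours, rules that only fire for search-engine referrers or crawlers, extensions mapped to the PHP handler, auto_prepend_file loaders and long runs of blank lines used to hide a payload. The two sample files are constructed (the clean one is the stock WordPress rewrite block plus a same-host redirect), example.com is assumed to be the site's own host, and the heuristics are the editor's assumptions, so treat hits as leads to inspect rather than proof.

```python
import os
import re
import tempfile

# Directives that send the visitor somewhere; a target on a host that is not
# ours is the classic "send search traffic to the spammer" injection.
REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b", re.I)
URL_HOST = re.compile(r"https?://([^/\s\"']+)", re.I)
# Rules that fire only for search-engine referrers or crawler user agents:
# the owner, typing the URL directly, never sees the redirect.
REFERER_CLOAK = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|bing|yahoo|yandex)", re.I)
UA_CLOAK = re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(googlebot|bingbot|msnbot|yandex)", re.I)
# Telling Apache to run image or text extensions as PHP turns an uploaded
# "picture" into a web shell.
PHP_FOR_MEDIA = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler)\s+\S*php\S*\s+.*\.(jpe?g|png|gif|ico|txt)\b", re.I)
# Silently including a file into every PHP request: a backdoor loader.
PHP_INCLUDE = re.compile(r"auto_(prepend|append)_file", re.I)
BLANK_PADDING = 20   # injected blocks are often pushed below dozens of blank lines

def scan_htaccess_text(text, own_hosts):
    """Return [(line_no, kind, detail)] for every suspicious line in one file."""
    own = {h.lower() for h in own_hosts}
    findings, blank_run = [], 0
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            blank_run += 1
            if blank_run == BLANK_PADDING:
                findings.append((no, "blank-padding", "%d consecutive blank lines" % BLANK_PADDING))
            continue
        blank_run = 0
        if REDIRECT_DIRECTIVE.match(line):
            for host in URL_HOST.findall(line):
                if host.lower().split(":")[0] not in own:
                    findings.append((no, "external-redirect", line.strip()))
        if REFERER_CLOAK.search(line) or UA_CLOAK.search(line):
            findings.append((no, "search-cloaking", line.strip()))
        if PHP_FOR_MEDIA.match(line):
            findings.append((no, "php-handler-for-media", line.strip()))
        if PHP_INCLUDE.search(line):
            findings.append((no, "php-auto-include", line.strip()))
    return findings

def scan_tree(root, own_hosts):
    """Scan every .htaccess below root, at any depth, and return
    {relative_path: findings} for the files that have any."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_htaccess_text(fh.read(), own_hosts)
        if findings:
            report[os.path.relpath(path, root)] = findings
    return report

# Constructed samples: the stock WordPress rewrite block plus a harmless
# same-host redirect, and a typical injected file.
CLEAN_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Redirect 301 /old-post http://example.com/new-post
"""

INFECTED_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://example.net/go.php?r=$1 [R=301,L]
ErrorDocument 404 http://example.net/404.php
AddHandler application/x-httpd-php .jpg .png
"""

def demo():
    """Write both samples into a throwaway fake install and scan it."""
    root = tempfile.mkdtemp(prefix="wp-htaccess-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write(CLEAN_HTACCESS)
    with open(os.path.join(uploads, ".htaccess"), "w") as fh:
        fh.write(INFECTED_HTACCESS)
    return scan_tree(root, {"example.com"})

if __name__ == "__main__":
    for path, findings in demo().items():
        print(path)
        for no, kind, detail in findings:
            print("  line %d  %-22s %s" % (no, kind, detail))
```

Run it against a copy of the site with your real hostname(s) in own_hosts; a legitimate redirect to another domain you own will show up as a finding, which is exactly the kind of hit you review and dismiss.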



Choose a good hosting service



Some free hosting services pay for themselves by injecting tracking or promotional scripts into the sites they host, which is indistinguishable from an infection as far as your visitors are concerned. Avoid providers you cannot trust.



Go with a trusted provider, whether free or paid.



HostGator is the host this blog runs on, and its uptime and security record have been good. Whatever host you choose, check for automatic backups, isolation between accounts on shared servers and current PHP versions.



Avoid Pirated Themes



Themes obtained from anywhere other than the WordPress.org directory or the theme's own vendor are untrusted and frequently carry malicious code that runs as soon as the theme is activated.



So install themes that come from WordPress.org or a vendor you trust and that have good reviews. If you want a premium theme, buy it from its vendor so you also get updates and support.



Numerous sites claim to offer premium themes for free; those are the pirated copies just described. Simply avoid them.



 



Other important tips



Attackers have other ways into a WordPress account, and new ones appear all the time, so some extra steps are needed. The most important are listed below.



Enable two factor Authentication



Two-factor authentication adds a second check after the password, typically a one-time code generated on your phone, so a stolen or guessed password alone is not enough to log in. Several plugins offer it.



You can enable it with the Google Authenticator plugin (time-based one-time codes from the app on your phone) or with a secret-question plugin. A secret question is a second thing you know rather than something you have, so it is a much weaker factor than an app-generated code.



Alternatively, Login Dongle gives you a bookmarklet that you must click after logging in with your credentials. Anything stored in the same browser as the password is weaker than a code from a separate device, so prefer the app-based option where you can.
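To make clear what the Google Authenticator plugin is checking, here is the time-based one-time password algorithm itself (RFC 4226 HOTP and RFC 6238 TOTP) as an added example; it is not the plugin's code and not part of the original post. It decodes the base32 secret the app is provisioned with, derives the six-digit code from the current 30-second counter, and verifies a submitted code with clock-drift tolerance, constant-time comparison and replay protection. The key in the demo is the well-known base32 sample value, not a real secret; the 30-second step, six digits and one step of allowed skew are the usual defaults and an assumption here.

```python
import base64
import hashlib
import hmac
import struct
import time

def secret_from_base32(key):
    """Decode the base32 secret an authenticator app was provisioned with (the
    text under the QR code). Tolerates lowercase and spaces, restores padding."""
    key = key.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)

def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 4 bytes at an offset taken from the last nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Phone and
    server derive the same counter from the clock, so no state is exchanged."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits)

def verify_totp(secret, code, timestamp=None, step=30, digits=6, skew=1, last_counter=None):
    """Check a submitted code. Returns the counter that matched, or None.
    - accepts `skew` steps either side of now, for clock drift;
    - rejects any counter <= last_counter, so a code that has already been used
      cannot be replayed inside its validity window (the caller stores the
      returned counter against the user);
    - compares in constant time."""
    if len(code) != digits or not code.isdigit():
        return None
    if timestamp is None:
        timestamp = time.time()
    base = int(timestamp) // step
    for counter in range(base - skew, base + skew + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None

if __name__ == "__main__":
    # Constructed example key (the well-known base32 sample value, not a real secret).
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now)
    print("code now:", code, "accepted:", verify_totp(secret, code, now) is not None)
    print("replayed:", verify_totp(secret, code, now, last_counter=now // 30) is not None)
```

The replay check is the part most home-grown implementations forget: without it, a code phished or shoulder-surfed seconds ago is still valid for up to 90 seconds with one step of skew.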



Lock down file permissions on your WordPress files



WordPress files should be owned by your hosting account and readable by the web server, but not writable by anyone else on the machine. A normal install sets this correctly, but migrations, FTP clients and some plugins loosen it, so check manually in cPanel's file manager or with chmod over SSH. If the files are writable by everyone, another account or a compromised script on the same server can edit them, and a readable wp-config.php or directory listing hands an attacker your database layout and credentials.



robots.txt does not restrict access: it is a request to well-behaved crawlers, which attackers ignore and even read to learn your layout. It is still useful for keeping admin and plugin paths out of search results. Note that disallowing wp-includes and the theme and plugin directories also stops search engines from fetching your CSS and JavaScript, which hurts how they render the page, so consider dropping those lines. Add the following to robots.txt (the User-agent line must not be commented out, or the rules apply to nobody):
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*



The worst setting is chmod 777: the file or directory becomes writable by every user and process on the server, not just you and the web server, so any other tenant on a shared host, or any compromised script, can rewrite it. Use 755 for directories, 644 for files and 600 (or 640, if the web server runs under your group) for wp-config.php. Malware often loosens permissions on its own files to survive, so re-check them regularly.
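A permission audit is easy to script, so here is one as an added example that is not part of the original post. It walks an install, reports anything world-writable (the 777 and 666 cases), reports a wp-config.php readable by other users, and can apply the recommended 755/644/600 modes. The fake install it audits is constructed in a temporary directory; the target modes are the conventional WordPress recommendation and an assumption here (use 640 for wp-config.php if your web server runs under your group).

```python
import os
import stat
import tempfile

# The usual WordPress recommendation: directories 755, files 644, and
# wp-config.php (database password, auth salts) readable by the owner only;
# use 0o640 instead if the web server runs under your group.
DIR_MODE, FILE_MODE, SECRET_MODE = 0o755, 0o644, 0o600
SENSITIVE = {"wp-config.php"}

def audit_permissions(root):
    """Walk an install and return [(relative_path, problem, current_mode, wanted_mode)]."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue        # the bits that matter are on the link target
            mode = stat.S_IMODE(st.st_mode)
            is_dir = stat.S_ISDIR(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                # 777 / 666: every account and process on the machine (other
                # shared-hosting tenants, a compromised neighbouring script)
                # can rewrite the file.
                findings.append((rel, "world-writable", oct(mode), oct(DIR_MODE if is_dir else FILE_MODE)))
            elif name in SENSITIVE and mode & stat.S_IROTH:
                findings.append((rel, "other-readable", oct(mode), oct(SECRET_MODE)))
    return findings

def fix_permissions(root, apply=False):
    """Return the chmod calls the audit asks for; perform them only when apply=True."""
    planned = []
    for rel, _problem, _current, wanted in audit_permissions(root):
        planned.append((rel, wanted))
        if apply:
            os.chmod(os.path.join(root, rel), int(wanted, 8))
    return planned

def build_demo_tree():
    """Constructed fake install: one correct file, a world-writable uploads
    directory with a world-writable file in it, and an exposed wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel, mode in (("index.php", 0o644),
                      ("wp-config.php", 0o644),
                      ("wp-content/uploads/cat.jpg", 0o666)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    for rel, problem, current, wanted in audit_permissions(root):
        print("%-30s %-15s is %s, should be %s" % (rel, problem, current, wanted))
    fix_permissions(root, apply=True)
    print("after fix:", audit_permissions(root))
```

Run the audit first without apply=True and read the plan: on hosts where PHP runs as a different user than your FTP account, wp-content/uploads may genuinely need group write, and that is a decision to make deliberately rather than by chmod 777.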



Require Login for Comments or disable links in the comments



In the author's experience nearly 80% of incoming comments are spam, so it is better to allow only registered users to comment on your posts.



Alternatively, disable links or HTML in comments with a plugin such as Disable Author URL and Comment Links.



Update all the things



Older WordPress versions have known vulnerabilities, and new releases exist largely to fix them. Running an outdated version means every attacker with a scanner knows exactly which hole to use.



Likewise, update plugins and themes promptly; an old plugin is the most common entry point. Avoid plugins that have not been updated in about two years or that have too few ratings to judge.



This is one of the cheapest practices to follow, far cheaper than realising after the fact that "I should have updated that plugin".



Remove anything that exposes your WordPress version



Attackers check the WordPress version before choosing an exploit, so make it harder to read. The version appears in the generator meta tag in the page head, in the RSS feed, in readme.html at the site root and as the ?ver= parameter on script and style URLs. Remove what you can, including "Powered by WordPress" footers, and delete readme.html. Hiding the version is no substitute for updating: scanners can fingerprint a version from file hashes anyway.






To remove the generator tag manually, add the following to your theme's functions.php (it covers the page head only; the feed generator is a separate hook):
// stop WordPress printing <meta name="generator" content="WordPress x.y"> in <head>
remove_action('wp_head', 'wp_generator');



Change Default WordPress database prefix






During installation WordPress asks for a database table prefix, which is stored in wp-config.php as the $table_prefix setting (or can be set in wp-config-sample.php before you run the installer). Use something other than the default wp_. On an existing site, changing it means renaming every table and updating the rows in the options and usermeta tables whose keys start with the old prefix (user_roles and the capability keys), so do it from a backup. It is a speed bump against blind SQL injection, not a strong control.



Keep WordPress audit security logs



WP Security Audit Log records what happens on your WordPress blog and generates a warning for every major change, which makes suspicious activity easy to spot.



It logs WordPress updates, password changes, user and role changes, post publishing, plugin installation, logins, file uploads and any kind of deletion, together with the IP address each login came from.



Having every action on record makes analysing an incident, and spotting an exploit attempt before it succeeds, much easier. Remember that an attacker who gains admin can also delete the log, so export or forward it regularly.



 



Final words
These are some of the steps that make a WordPress site much harder to attack.



Limiting login attempts, IP-based login and two-factor authentication are the surest steps for protecting the login. Regularly check the whole site for malware with scanners such as Sucuri, Exploit Scanner or Theme Authenticity Checker.
I hope you enjoyed this pillar post on securing your WordPress site. If you follow all of the guidelines above, breaking into your WordPress account becomes very difficult, though no site is ever unhackable.



If you follow any other methods to secure your WordPress blog, please do share them. I personally took 7 hours to churn out this guide on WordPress security and best practices, so why not take a minute to share or at least like this post?




3 comments

abhilasha
AUTHOR
January 8, 2015 at 3:04 AM

Best ever guide

Best Phone Arena
AUTHOR
January 8, 2015 at 5:49 PM

thanks for sharing and thanks for visiting my blog... keep posting and success to you, boss

January 18, 2015 at 12:49 PM

[…] out my pillar post on WordPress Security, to get a clear idea. On how to […]
