Maximum PC

Harden Your WordPress Security

–NICK PEERS

YOU’LL NEED THIS

WORDPRESS INSTALLATION In addition to the obvious.

FREE PLUGINS All referenced in the tutorial.

SSL CERTIFICATE Required to switch to HTTPS-only connections.

A SELF-HOSTED WORDPRESS SITE—one not hosted on http://wordpress.com—is one of the easiest ways to build and maintain an independent web presence, whether it’s a blog, online magazine, or even an ecommerce store. But one thing that’s often overlooked with WordPress is security.

In this tutorial, we’re going to perform a security audit, and enact several additional layers of protection to “harden” your WordPress installation. Not only will you be surprised to learn how exposed your WordPress-powered site has been up until now, but you’ll also be relieved to learn that, armed with the right settings and plugins, you can close most of its loopholes.

There are plenty of other ways in which you can toughen your WordPress installation, too. First, make sure everything—WordPress itself, and any plugins and themes you’ve installed—is fully up to date. Second, audit the plugins you have installed: search for reviews to check they’re legitimate, install only from the official WordPress.org plugin directory (which is what “Plugins > Add New” searches), and remove any you don’t need or use. Delete rather than merely deactivate: a deactivated plugin’s files stay on the server and can still be requested directly, so an unpatched one remains a risk while also wasting resources. Once that’s done, you’re ready to make your WordPress site more resilient to hijackers and other malicious attacks.

1 HARDEN LOGIN

Log in to WordPress, navigate to “Users > Your Profile,” scroll down, and click “Generate Password” to create a strong random password. Copy this somewhere safe (such as to your password manager), and click “Update Profile.”

Next, let’s set up two-factor authentication, which means that even if someone obtains your password, they can’t log in to your account without your mobile device and a suitable app, such as Google Authenticator or LastPass Authenticator. Go to “Plugins > Add New,” and install Two-Factor Authentication from David Nutbourne. Click “Activate,” click the plugin’s icon to enable it, then scan the QR code into your mobile app [Image A]. Two-factor codes are set up per user, so repeat this for every account that can publish or administer the site, not just your own.

2 INSTALL ALL-IN-ONE PLUGIN

Go back to “Plugins > Add New” to install All In One WP Security & Firewall, a 100 percent free plugin from Tips and Tricks HQ, which contains all the tools required to add multiple layers of security to your site. Once activated, look for the green shield icon in the left-hand pane, and click it. You’re whisked to a dashboard with a handy Security Strength Meter. Chances are its score is incredibly low [Image B].

Start by scrolling down to the Critical Feature Status. These four switches need to be on, so click the first one, which allows you to change your username from the unsafe default (“admin”) to something more personal; “admin” is the first username every brute-force script tries, so keeping it hands attackers half of the credential for free. Click the switch, then click “Edit User” to change your username. Also, switch to the “Display Name” tab to make sure that your display name isn’t the same as your username: WordPress prints the display name publicly on everything you publish, so if the two match, your login name is on show.

3 REDUCE BRUTE-FORCE ATTACKS

Return to the main dashboard and click “Login Lockdown.” Start by checking “Enable Login Lockdown Feature.” This blocks an IP address after it repeatedly attempts—and fails—to log in. You have control over the number of failed attempts, the time in which those attempts must occur, and how long the IP address is locked out. You can also instantly lock out attempts that use invalid usernames, although a safer bet may be to add “admin” to the specific username list [Image C], now that you’re no longer using it: locking on any invalid username means a single typo in your own name locks you out, whereas nobody legitimate should ever be typing “admin.” Click “Save Settings.” You can be notified by email whenever an IP address is locked out, or just check the “Failed Login Records” tab.

4 ELIMINATE BRUTE-FORCE ATTACKS

Go further by restricting the opportunities for brute-force attacks. Select “Brute Force” under the WP Security icon, where you’ll find several options for keeping hackers away from your site. Some are potentially dangerous—“Rename Login Page” is one such option, but so long as you remember the name you give your wp-login.php page, you won’t have any problems [Image D]. Bear in mind that this is obscurity rather than access control: it shrugs off bots that blindly hammer /wp-login.php, but not an attacker who finds the new address, so it complements rather than replaces the lockdown from step 3. Other options include using cookies to block brute-force attempts, and a “Login Whitelist” tab, where you can restrict access to specific IP addresses or ranges. If you’re tempted by this option, be sure to check with your Internet provider that your public IP address is static, or you’ll end up locking yourself out when it next changes. Remember, too, that wp-login.php isn’t the only place WordPress accepts a password: xmlrpc.php does as well, and brute-force tools target it precisely because login-page protections don’t cover it. If you don’t publish from mobile apps or other remote clients, block it using the option in the plugin’s firewall settings.

5 MORE ESSENTIAL TWEAKS

Click “File Permission” to review the current permission settings of your WordPress installation’s files and folders. Hopefully, they’re correctly set to prevent outside interference, but if not, you can click “Set Recommended Permissions” next to any that require it. Also consider disabling PHP File Editing, if you don’t normally edit these files: with the built-in theme and plugin editor switched off (the same effect as the DISALLOW_FILE_EDIT constant in wp-config.php), anyone who does get into an Administrator account can’t use the dashboard to plant PHP on your server.
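The lockdown policy from steps 3 and 4, written as a small must-use plugin. This is an added example, not code from the article or from the All In One WP Security & Firewall plugin; it uses WordPress’s standard authentication hooks and transients, and the thresholds, the denied-username list, and the file name are assumed values chosen for illustration.

```php
<?php
/**
 * Plugin Name: Login Lockdown (added example)
 * Description: Locks an IP out after repeated failed logins, and immediately
 *              after any attempt with a username that should never exist here.
 *
 * Install by copying this file to wp-content/mu-plugins/login-lockdown.php
 * (hypothetical file name; create the folder if it does not exist).
 */

// Assumed policy values, chosen for illustration: lock after 5 failures that
// arrive less than 5 minutes apart, and keep the lock for 60 minutes.
const LL_MAX_FAILURES = 5;
const LL_WINDOW_SECS  = 300;
const LL_LOCKOUT_SECS = 3600;

// Usernames nobody legitimate uses on this site (step 3's "specific username
// list"). One attempt with any of them locks the source IP at once.
const LL_DENIED_USERNAMES = ['admin', 'administrator', 'root', 'test'];

function ll_client_ip(): string {
    // REMOTE_ADDR is the address the web server itself saw. Behind a reverse
    // proxy or CDN it is the proxy's address, and locking it would lock
    // everyone; in that case use the header your proxy sets, and only that.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function ll_key(string $prefix, string $ip): string {
    // Transient names have a length limit, so hash the address.
    return $prefix . md5($ip);
}

function ll_is_locked(string $ip): bool {
    return get_transient(ll_key('ll_locked_', $ip)) !== false;
}

function ll_lock_ip(string $ip, string $reason): void {
    set_transient(ll_key('ll_locked_', $ip), $reason, LL_LOCKOUT_SECS);
    delete_transient(ll_key('ll_fails_', $ip));
    error_log(sprintf('[login-lockdown] locked %s for %ds: %s', $ip, LL_LOCKOUT_SECS, $reason));
}

// Fires whenever wp_authenticate() rejects a username/password pair. Count
// failures per IP; the counter expires LL_WINDOW_SECS after the latest failure.
add_action('wp_login_failed', function ($username) {
    $ip = ll_client_ip();
    if (ll_is_locked($ip)) {
        return; // already locked; do not keep extending the lock
    }
    if (in_array(strtolower((string) $username), LL_DENIED_USERNAMES, true)) {
        ll_lock_ip($ip, "attempt with denied username '$username'");
        return;
    }
    $fails = (int) get_transient(ll_key('ll_fails_', $ip)) + 1;
    if ($fails >= LL_MAX_FAILURES) {
        ll_lock_ip($ip, "$fails failed logins");
    } else {
        set_transient(ll_key('ll_fails_', $ip), $fails, LL_WINDOW_SECS);
    }
});

// Refuse to authenticate a locked IP even if the password is right. Priority
// 30 runs after WordPress's own username/password checks (priority 20), so
// their result is overridden while the lock is in force.
add_filter('authenticate', function ($user, $username, $password) {
    if (ll_is_locked(ll_client_ip())) {
        return new WP_Error(
            'll_locked_out',
            __('Too many failed login attempts from your address. Try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ll_key('ll_fails_', ll_client_ip()));
}, 10, 2);
```

Because it hooks the authentication path rather than the login page, the same lock applies to credentials presented through xmlrpc.php, which a renamed login page alone does not cover. Must-use plugins load on every request and can’t be deactivated from the dashboard, which is what you want for a security control; the counters live in transients, so on a single-server site they sit in the options table, and with a persistent object cache they’re shared across web servers.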

Next, select “Scanner” to perform a check for file changes. The first run is a benchmark scan, so no problems will be detected—going forward, enable the automated file change detection scan to be alerted to any changes that could indicate malicious activity. Expect an alert after every legitimate update, too; that’s the price of noticing the unexpected ones. The “Malware Scan” tab merely redirects you to a paid-for solution that provides a more robust scan for $6.95 a month.

6 SWITCH ON FIREWALL

Finally, click “Basic Firewall” to switch on the firewall, but click the link allowing you to back up your .htaccess file first—just to be on the safe side. The backup is written to your web space, so download it using FTP or via your site host’s control panel, and keep it somewhere you can reach if the site stops responding: a broken .htaccess can take the whole site down, including the dashboard you’d use to fix it. Review the other options, too—for example, blocking remote access to the debug log file still allows you to read it when logged on through FTP. Also consider enabling the 6G Blacklist Firewall Rules [Image E]. The basic firewall and 6G rules are written to .htaccess and enforced by Apache; on an nginx host the file is ignored and those rules do nothing. Note, if any plugins stop working, either disable features or consider replacing them with similar plugins that do play nicely with your hardened blog.

7 LIMIT USER ACCESS

If your blog is used by more than one person, make sure you’re the only Administrator, and grant the minimum level of access required for other users to do their jobs. WordPress supports a wide range of user roles [Image F]—for those contributing to your blog, consider Author or Contributor to limit them to posting and managing their own posts. An Author can publish their own posts and upload media; a Contributor can only write drafts for someone else to review and publish. For trusted users, Editor allows them to manage other people’s posts as well. Some plugins add additional levels—WooCommerce adds Shop Manager and Customer roles, for example.
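The dashboard switch in step 5 for disabling PHP file editing maps onto a WordPress constant, and the SSL certificate from the materials list is put to work with another. These wp-config.php lines are an added example, not from the article or the plugin; the stricter DISALLOW_FILE_MODS line is left commented out because of the trade-off described beside it.

```php
// Lines to add to wp-config.php, above the "/* That's all, stop editing! */"
// marker. The file already opens with <?php, so paste only the lines below.

// Step 5, "Disable PHP File Editing": removes the Theme and Plugin editors
// from the dashboard. Without this, anyone who gets into an Administrator
// account is one click away from writing arbitrary PHP to the server.
define('DISALLOW_FILE_EDIT', true);

// Stricter alternative: also blocks plugin and theme installs and updates,
// including automatic updates, from the dashboard. Only use it if you deploy
// and update over SFTP or a deploy pipeline, or you will quietly stop getting
// the security updates the tutorial told you to keep current.
// define('DISALLOW_FILE_MODS', true);

// Puts the SSL certificate from the materials list to use: the login form and
// the whole dashboard are served over HTTPS only, so the password and the
// logged-in cookies never cross the wire in clear text. Do not enable this
// until HTTPS already works for the site, or the dashboard becomes unreachable.
define('FORCE_SSL_ADMIN', true);
```

After saving, reload the dashboard: the “Appearance > Theme Editor” and “Plugins > Plugin Editor” entries should be gone, which is the quickest check that the constant took effect.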
