Last active March 30, 2023 07:37
Wordpress Security
1.) Changing File & Directory Permissions
Note: Run the commands below from the shell, replacing the path with the directory where your WordPress installation lives.
For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
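An added example (not part of the gist) that wraps the two find commands above in a function, also applies the 440 mode that step 4 recommends for wp-config.php, and then audits the tree so you can confirm nothing was missed; the function names and the sample tree are my own constructions.

```shell
#!/bin/sh
# Added example: apply the 755/644 scheme from step 1 and then audit for
# anything that still deviates. The sample tree is constructed, not a site.

harden_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    # wp-config.php holds the DB credentials; step 4 recommends 400/440.
    [ -f "$root/wp-config.php" ] && chmod 440 "$root/wp-config.php"
    return 0
}

# Print every path whose mode is not the expected one; empty output = clean.
audit_wp_perms() {
    root=$1
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -perm 644 ! -name wp-config.php
    find "$root" -name wp-config.php ! -perm 440
}

# Number of deviations, usable as a pass/fail signal (0 = hardened).
count_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Build a throwaway tree with deliberately wrong modes (constructed sample)
# so the functions above can be exercised offline. Prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/wp-config.php"
    chmod 777 "$d/wp-content/uploads" "$d/index.php" "$d/wp-config.php"
    printf '%s\n' "$d"
}
```

Run `audit_wp_perms /path/to/your/wordpress/install` after hardening; anything it prints was either skipped or re-opened by a plugin or deploy step.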
2.) Securing wp-admin
Note: To add a second layer of protection to wp-admin, create a .htaccess file inside the wp-admin directory and add the code below.
Make sure to replace the path with the actual path where the .htpasswd file resides.
# Password Protected wp-admin
AuthType Basic
AuthName "Only Admins Are Allowed"
AuthUserFile /path/to/.htpasswd
require valid-user
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
3.) Securing wp-includes
Note: A second layer of protection can be added for wp-includes, whose scripts are generally not intended to be accessed directly by any user.
To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
4.) Securing wp-config.php
Note: Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission). Place the code below outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. It will deny access to wp-config if anyone is surfing for it.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
5.) Disable File Editing
Note: By default the WordPress Dashboard allows administrators to edit PHP files, such as plugin and theme files.
This is often the first tool an attacker will use if able to log in, since it allows code execution.
WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent
to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users. Whenever you need
to make changes from the dashboard, comment the line out, and after the changes are done make sure to uncomment it.
define('DISALLOW_FILE_EDIT', true);
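Because the comment/uncomment workflow above makes it easy to forget to re-enable the constant, here is an added example (my own, not from the gist) that checks wp-config.php for an active define and inserts one above the "stop editing" marker when it is missing; the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example: verify or enforce DISALLOW_FILE_EDIT in a wp-config.php.

# True only when an uncommented define(...true) is present.
file_edit_disabled() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Idempotent: returns 0 if the constant is (now) active, 1 if it is present
# but disabled (e.g. commented out while someone edits from the dashboard).
ensure_file_edit_disabled() {
    cfg=$1
    line="define('DISALLOW_FILE_EDIT', true);"
    if file_edit_disabled "$cfg"; then
        return 0
    fi
    if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
        # Do not silently override: a human left it off, so report it.
        echo "DISALLOW_FILE_EDIT present but not enabled in $cfg" >&2
        return 1
    fi
    # The define belongs above the "stop editing" comment (or, failing that,
    # above the wp-settings.php require); append if neither marker exists.
    if grep -Eq "stop editing|wp-settings\.php" "$cfg"; then
        awk -v line="$line" \
            '/stop editing|wp-settings\.php/ && !done { print line; done = 1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf '%s\n' "$line" >> "$cfg"
    fi
    file_edit_disabled "$cfg"
}
```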
6.) Plugins
Note: Always keep plugins up to date so that security patches are applied, and delete any plugin that is not required.
7.) Avoid the common defaults that WordPress offers.
a.) Don't use an account named admin or webmaster; it is easy to guess.
Note: When creating an administrative account, avoid easily guessed terms such as admin or webmaster as usernames.
On an existing WordPress install you may rename the existing account in the MySQL command-line client with the command below.
command: UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';
b.) Change the table_prefix.
Note: By default a WordPress installation comes with the wp_ prefix. Changing this can block at least some SQL injection attacks.
8.) Backing up the database.
Note: You can use wp-db-backup to create a backup manually or to schedule one, with an option to download it or email it to a DB admin.
9.) Use secure passwords.
Note: Don't use easily guessable passwords, for example the company name, the username or your real name.
10.) Hide the WordPress version.
Note: Hide the WordPress version from both your head section and your RSS feeds.
Add the code below at the bottom of wp-includes/functions.php.
Snippet:
function hide_remove_version() {
return '';
}
add_filter('the_generator', 'hide_remove_version');
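To confirm the filter above actually took effect, here is an added example (my own, not from the gist) that scans a fetched page or feed for the two places the_generator writes the version: the generator meta tag in the head and the generator element in RSS. Input comes from stdin; the sample documents are constructed, and check_site_version is an assumed helper name.

```shell
#!/bin/sh
# Added example: detect WordPress version strings that the_generator emits.

# Print each version number that leaks (one per line); empty output = clean.
leaked_versions() {
    sed -n \
        -e 's/.*<meta[^>]*name="generator"[^>]*content="WordPress \([0-9.]*\)".*/\1/p' \
        -e 's#.*<generator>https*://wordpress\.org/?v=\([0-9.]*\)<.*#\1#p'
}

# Exit 0 when nothing leaks, 1 when at least one version string is found.
find_version_leaks() {
    if [ -n "$(leaked_versions)" ]; then
        return 1
    fi
    return 0
}

# Fetch the front page and the feed of a live site and check both.
# Requires network access; the argument is the site base URL.
check_site_version() {
    base=${1%/}
    curl -s --max-time 10 "$base/" | find_version_leaks || return 1
    curl -s --max-time 10 "$base/feed/" | find_version_leaks || return 1
    return 0
}

# Constructed samples: what a default head and feed look like, plus a clean head.
SAMPLE_HEAD='<head><meta name="generator" content="WordPress 6.1.1" /></head>'
SAMPLE_FEED='<rss><channel><generator>https://wordpress.org/?v=6.1.1</generator></channel></rss>'
SAMPLE_CLEAN='<head><title>Blog</title></head>'
```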
11.) Block access to the xmlrpc file.
Note: An attacker will try to access your site through xmlrpc.php using various username and password combinations. XML-RPC supports POST calls. Place the code below outside the # BEGIN WordPress and # END WordPress tags.
<Files xmlrpc.php>
Order allow,deny
Deny from all
</Files>
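The .htaccess rules in steps 2, 3, 4 and 11 only help if the server actually applies them, so here is an added example (mine, not from the gist) that probes the blocked paths from outside and expects a 403 from each while confirming admin-ajax.php is still reachable. BASE_URL, the path list and the function names are assumptions; http_status wraps curl so it can be swapped for a stub when there is no network.

```shell
#!/bin/sh
# Added example: verify the deny rules from the client side.

# Print only the numeric HTTP status; 000 when the host cannot be reached.
http_status() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code}' "$1" || echo 000
}

# Paths the gist's rules should make unreachable (real core file names).
BLOCKED_PATHS="wp-config.php xmlrpc.php wp-includes/version.php wp-admin/includes/file.php wp-includes/theme-compat/header.php"

# Returns 0 when every blocked path answers 403; lists offenders otherwise.
# A 500 usually means the Order/Deny directives were rejected by the server
# (Apache 2.4 needs mod_access_compat for them), a 405 on xmlrpc.php means
# the file is still being served by WordPress itself.
verify_blocked() {
    base=${1%/}
    failures=0
    for p in $BLOCKED_PATHS; do
        code=$(http_status "$base/$p")
        case $code in
            403) ;;
            *) echo "NOT BLOCKED: $p (HTTP $code)"; failures=$((failures + 1)) ;;
        esac
    done
    [ "$failures" -eq 0 ]
}

# Step 2 exempts admin-ajax.php from Basic auth; WordPress's own reply to a
# bare request is fine, only 401 or 403 mean the exception is missing.
verify_ajax_open() {
    code=$(http_status "${1%/}/wp-admin/admin-ajax.php")
    case $code in
        401|403) echo "admin-ajax.php blocked (HTTP $code)"; return 1 ;;
    esac
    return 0
}
```

Usage: `verify_blocked https://your-site.example && verify_ajax_open https://your-site.example`.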
13.) Block an account after x failed login attempts.
Note: There are multiple plugins to perform this task, for example Login LockDown, Limit Login Attempts, etc.
14.) Simultaneous login.
Note: By default WordPress doesn't restrict simultaneous logins with the same username and password on multiple devices.
You can use the LoggedIn plugin, Prevent Simultaneous SignIns, etc. and limit the number of sessions allowed for the same user. For security, don't share the same credentials with anyone; otherwise auditing becomes difficult because it is unclear who made the changes. For example, if user1 and user2 use the same credentials as user3 and edit multiple posts, the changes cannot be attributed.
15.) Two Factor Authentication.
Note: Adding a second layer of protection on wp-admin prevents brute-force attacks and secures user accounts that have weak passwords. (WP 2FA plugin, mini orange, etc.)
WP 2FA is free for all users and supports multiple 2FA methods, while mini orange has 3 users free for lifetime.
16.) .git ownership
Note: Don't give ownership of the .git directory to the apache user.