WordPress-powered websites are a frequent target for hackers. Here are some of the best security plugins and tips to better protect your WordPress blog.


About a month ago, this WordPress blog was hacked. And since my other websites like ctrlq.org and hundredzeros.com are hosted on the same web server, the hacker successfully managed to wipe off all these sites from the Internet as well.
The web hosting company says that it could have happened because one of the sites was running an older version of WordPress. The passwords weren’t compromised though as all the login activity happened from known IP addresses. It was a tough period but fortunately, the deleted sites have been restored and the traffic is also back to normal.
Here’s a list of changes I have made to improve the security of my WordPress blogs, though the perpetual worry that such a thing can happen again will remain.

#1. Login with your email address

When you install a WordPress blog, the first user is called “admin” by default. You should create a different user to manage your WordPress blog and either remove the “admin” user or change its role from “administrator” to “subscriber.”
You can also create a completely random (hard to guess) username and then use your email address to log into WordPress. The WP-Email Login plugin adds support for email-based usernames on the WordPress login form.

#2. Do not advertise your WordPress version to the world

WordPress sites publish the version number by default, which makes it easier for people to determine whether you are running an outdated, unpatched version of WordPress.
It is easy to remove the WordPress version from the page, but you need to make one more change: delete the readme.html file from your WordPress installation directory, as it also advertises your WordPress version to the world.

#3. Don’t let others “write” to your WordPress directory

Log in to your WordPress server’s Linux shell and execute the following command to get a list of all “open” directories where any other user can write files.
find . -type d -perm -o=w
You may also want to execute the following two commands in your shell to set the right permissions for all your WordPress files and folders (reference). The semicolon that terminates -exec must be escaped so the shell passes it to find.
find /your/wordpress/folder/ -type d -exec chmod 755 {} \;
find /your/wordpress/folder/ -type f -exec chmod 644 {} \;
For directories, 755 (rwxr-xr-x) means that only the owner has write permission while others have read and execute permissions. For files, 644 (rw-r--r--) means that the file owner has read and write permissions while others can only read the files.
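The permission audit described above as a small, self-contained shell script. This is an added example, not code from the original post: it builds a constructed sample tree with deliberately wrong modes, reports the world-writable directories and every path that deviates from the 755/644 baseline, then applies the two chmod commands and re-checks.

```shell
#!/bin/sh
# Audit a WordPress tree against the 755 (dirs) / 644 (files) baseline.
# Added example for this article; make_sample_tree builds a constructed
# directory layout, not a real WordPress installation.

# Print every directory that is world-writable (the "open" directories).
# -perm -002 is the portable spelling of the article's -perm -o=w.
world_writable_dirs() {
    find "$1" -type d -perm -002
}

# Print paths whose mode is not exactly 755 (dirs) or 644 (files).
perm_deviations() {
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# Number of deviations, as a value a caller can check.
count_deviations() {
    perm_deviations "$1" | wc -l | tr -d ' '
}

# Apply the baseline: the article's two chmod commands, with \; escaped.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# Build a constructed sample tree with three deliberately bad modes.
make_sample_tree() {
    sample=$(mktemp -d)
    mkdir -p "$sample/wp-content/uploads" "$sample/wp-admin"
    chmod 755 "$sample" "$sample/wp-content" "$sample/wp-admin"
    printf '<?php\n' > "$sample/wp-config.php"
    printf '<?php\n' > "$sample/wp-content/index.php"
    chmod 777 "$sample/wp-content/uploads"   # world-writable directory
    chmod 666 "$sample/wp-config.php"        # world-writable file
    chmod 755 "$sample/wp-content/index.php" # executable file, should be 644
    echo "$sample"
}

# Demo on the constructed tree; on a real server point these functions at
# your WordPress root instead of $sample_dir.
sample_dir=$(make_sample_tree)
echo "world-writable dirs:"; world_writable_dirs "$sample_dir"
echo "deviations before: $(count_deviations "$sample_dir")"
fix_perms "$sample_dir"
echo "deviations after:  $(count_deviations "$sample_dir")"
rm -rf "$sample_dir"
```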

#4. Rename your WordPress table prefix

If you have installed WordPress using the default options, your WordPress tables have names like wp_posts or wp_users. It is thus a good idea to change the table prefix (wp_) to some random value. The Change DB Prefix plugin lets you rename your table prefix to any other string with a click.

#5. Prevent users from browsing your WordPress directories

This is important. Open the .htaccess file in your WordPress root directory and add the following line at the top.
Options -Indexes
It will prevent the outside world from seeing a listing of the files in your directories when the default index.html or index.php files are absent from those directories.

#6. Update the WordPress Security Keys

Go here to generate six security keys for your WordPress blog. Open the wp-config.php file inside the WordPress directory and overwrite the default keys with the new ones.
These random salts make your stored WordPress passwords more secure. The other advantage is that if someone is logged into WordPress without your knowledge, they will be logged out immediately, as their cookies will become invalid.

#7. Keep a log of WordPress PHP and Database errors

The error logs can sometimes offer strong hints about what kind of invalid database queries and file requests are hitting your WordPress installation. I prefer the Error Log Monitor plugin as it periodically sends the error logs by email and also displays them as a widget inside your WordPress dashboard.
To enable error logging in WordPress, add the following code to your wp-config.php file and remember to replace /path/to/error.log with the actual path of your log file. The error.log file should be placed in a folder not accessible from the browser (reference). Note that the constant and option names must be quoted strings.
// Turn on debug mode, but log errors to a file instead of showing them to visitors.
define('WP_DEBUG', true);
if (WP_DEBUG) {
    define('WP_DEBUG_DISPLAY', false);
    @ini_set('log_errors', 'On');
    @ini_set('display_errors', 'Off');
    @ini_set('error_log', '/path/to/error.log');
}

#9. Password Protect the Admin Dashboard

It is always a good idea to password-protect the wp-admin folder of your WordPress installation, since none of the files in this area are intended for visitors to your public WordPress website. Once protected, even authorized users will have to enter two passwords to log in to their WordPress admin dashboard.

#10. Track login activity on your WordPress server

You can use the “last -i” command in Linux to get a listing of all users who have logged into your WordPress server along with their IP addresses. If you find an unknown IP address in this list, it is definitely time to change your password.
Also, the following command will show the login activity for a longer period of time grouped by IP address (replace USERNAME with your shell user name). The awk program must be quoted so the shell does not interpret the braces.
last -if /var/log/wtmp.1 | grep USERNAME | awk '{print $3}' | sort | uniq -c
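The same grouping as a reusable script, extended with a known-IP allowlist so that unfamiliar source addresses stand out. This is an added example, not the original post’s command: the login records are constructed sample output in the format of “last -i” (documentation IP ranges), and the user names and allowlist are assumptions.

```shell
#!/bin/sh
# Group shell logins by source IP and flag addresses outside a known list.
# Added example for this article; SAMPLE_LAST_OUTPUT is constructed "last -i"
# output, not taken from a real server.

SAMPLE_LAST_OUTPUT='alice    pts/0        203.0.113.5      Mon Jan  6 10:12   still logged in
alice    pts/1        203.0.113.5      Sun Jan  5 22:40 - 23:10  (00:30)
alice    pts/0        198.51.100.77    Sat Jan  4 03:15 - 03:20  (00:05)
bob      pts/2        203.0.113.9      Fri Jan  3 09:00 - 17:00  (08:00)
reboot   system boot  0.0.0.0          Thu Jan  2 08:00

wtmp.1 begins Wed Jan  1 00:00:00 2014'

# Usage: logins_by_ip USERNAME < last-output
# Prints "count ip" per source address for that user, most frequent first.
# With -i, the third column of last(1) is the source IP address; matching on
# $1 == user avoids grep picking up the "reboot" and "wtmp begins" lines.
logins_by_ip() {
    awk -v user="$1" '$1 == user { print $3 }' | sort | uniq -c | sort -rn |
        awk '{ print $1, $2 }'
}

# Usage: unknown_ips USERNAME "ip1 ip2 ..." < last-output
# Prints each source IP for USERNAME that is not in the space-separated
# known list, once per address.
unknown_ips() {
    awk -v user="$1" -v known="$2" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 == user && !($3 in ok) && !seen[$3]++ { print $3 }'
}

# Run against the sample. On a real host, feed the real log instead:
#   last -if /var/log/wtmp.1 | unknown_ips "$USER" "203.0.113.5"
printf '%s\n' "$SAMPLE_LAST_OUTPUT" | logins_by_ip alice
printf '%s\n' "$SAMPLE_LAST_OUTPUT" | unknown_ips alice "203.0.113.5"
```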

Monitor your WordPress site with Plugins

The WordPress.org repository contains quite a few good security-related plugins that will continuously monitor your WordPress site for intrusions and other suspicious activity. Here are the essential ones that I would recommend.
  1. Exploit Scanner – It will quickly scan all your WordPress files and blog posts and list the ones that may contain malicious code. Spam links may be hidden in your WordPress blog posts using CSS or IFRAMEs, and the plugin will detect them as well.
  2. WordFence Security – This is an extremely powerful security plugin that you should have. It compares your WordPress core files with the original files in the repository so that any modifications are instantly detected. The plugin will also lock out users after ‘n’ unsuccessful login attempts.
  3. WordPress Sentinel – Another useful plugin that monitors your WordPress files and alerts you whenever files are added, deleted or edited in any of the watched folders.
  4. WP Notifier – If you don’t log in to your WordPress admin dashboard very often, this plugin is for you. It will send you email alerts whenever new updates are available for the installed themes, plugins and WordPress core.
  5. VIP Scanner – The “official” security plugin will scan your WordPress themes for any problems. It will also detect any advertising code that may have been injected into your WordPress templates.
Tip: You can also use the following Linux command to get a list of all files that have been modified in the last 3 days. Change mtime to mmin to see files modified in the last “n” minutes.
find . -type f -mtime -3 | grep -v "/Maildir/" | grep -v "/logs/"

Secure your WordPress Login Page

Your WordPress login page is accessible to the world, but if you wish to prevent unauthorized users from logging into WordPress, you have three choices.
  1. Password Protect with .htaccess – This involves protecting the wp-admin folder of your WordPress installation with a username and password in addition to your regular WordPress credentials.
  2. Google Authenticator – This excellent plugin adds two-step verification to your WordPress blog, similar to your Google Account. You’ll have to enter the password and also the time-dependent code generated on your mobile phone.
  3. Login Dongle – This plugin takes a very unique approach to protecting your WordPress. It generates a bookmarklet with a secret question that you can add to your bookmarks. While on the WordPress login page, enter your credentials and then press this bookmarklet to get into your WordPress – the button on the login screen won’t work.
