Hardening WordPress - HA247

 Interested in Secure Managed Hosting? Call: 01904 500 272

ha247ha247

Hardening WordPress! ( In Apache )

Published by Nick Fox

Hardening WordPress! ( In Apache )

Before talking about Hardening WordPress and how to keep a WordPress website secure we must first ask “What is security?” As defined by codex.wordpress.org, and because we think this is an excellent description, “Security is not an absolute, it’s a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It’s about employing the appropriate security controls that best help address the risks and threats as they pertain to your website.”

Taking control of your security;

  1. Limit access
    Limit the number of people who have access to your website and server
  2. Isolate functions
    Have your hosting provider help you restrict access to the admin area
  3. Source control
    Ensure your code is in git or svn, this will really help identify changes made to your code
  4. Backup
    Maintain regular backups or choose a hosting company that include this service
  5. Only use trusted sources
    Do not get plugins/themes from sources that are not trusted
  6. Apply Updates!
    Do your best to keep up to date, including plugins and themes. WordPress is a popular system, this makes it attractive to attackers. When a security bug has been patched you can be sure an attacker will try to compromise any system they can.
  7. Security updates and news
    Security vulnerabilities are something that affects all software, WordPress is no different. Ensure you are notified of security issues as soon as they have been made public.

Hardening your website and its environment;

  1. Backup your website’s files and databases. Don’t wait to find out why this is number one on my list.
  2. Before you, or an attacker, makes any changes to your website, back it up. (If you don’t have a backup of your website make one now, before doing anything else!)
  3. Ensure your code is in git. This makes it simple to see what files have been modified. Simply run `git status` & to see the changes run `git diff`
  4. Avoid having any file or directory set to 777, this is bad! Check with your host before making permissions changes as they can have adverse effects on the performance and availability of your site.
    Change directory permissions
    find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
    Change file permissions
    find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
  5. Allow the webserver access to wp-uploads
    chgrp nobody -R /path/to/your/wordpress/install/wp-content/uploads/;
    chmod -R g+w /path/to/your/wordpress/install/wp-content/uploads/;
  6. Restrict access to wp-admin
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "WordPress Admin Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist the office IP
    allow from xx.xx.xx.xxx
    # whitelist the VPN IP
    allow from xx.xx.xx.xxx
  7. Block access to scripts are generally not intended to be accessed by any user.
    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    # BEGIN WordPress
  8. Don’t execute php in wp-content/uploads/ by adding the .htaccess file
    # Kill PHP Execution
    <Files *.php>
    deny from all
    </Files>
  9. Don’t allow access to your config file by adding this to your .htaccess file
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
  10. Disable file editing
    cat << EOF >> /path/to/your/wordpress/install/wp-config.php
    ## Disable Editing in Dashboard
    define('DISALLOW_FILE_EDIT', true);
    EOF

Useful plugins;

Install a security plugin, there are many listed – https://wordpress.org/plugins/tags/security

Back

Find out why our customers believe we’re the best choice for web hosting. CALL 01904 500272.

Or fill out the fields below and we will call you back.

  • Ben Morrison

    “We’ve worked with HA247 now for around 18 months on many client projects. Their ability to talk like human beings and cut through the jargon especially appeals to etailPR’s own objectives. Their focus on our requirements was instrumental in building the strong relationship we have today. We love that we can ring up, talk to a real person and know that they will give a considered view from their technical standpoint.”

    Ben Morrison, Etail PR

    www.etailpr.com

  • Tom Calpin

    “Switching to HA247 has been one of the best choices we’ve made as a development agency. The team are great at responding to our answers in just the right level of detail, and it’s refreshing to not have to deal with patronising comments, lies with fake jargon thrown in, and ‘have you tried reloading your browser?’. The server ‘just works’, and any issues are resolved urgently, sometimes even before we spot them. Our third-party monitoring service reports 100% uptime since we got our HA247 server. Not 99%. Not 99.999%. 100%.”

    Tom Calpin, Easy-Web-Sites

    www.easy-web-sites.co.uk

  • David Bates

    Working in association with the HA247 team has been a pleasure. They embrace every challenge that faces them and their service is second to none. The team
    display an enthusiasm that is refreshing in today’s business climate and nothing is too much trouble. Technically they are at the top of their game for sure!

    David Bates, Creative World Ltd

    www.creativeworld.co.uk

  • Jason Wheeler

    HA247 have been instrumental in getting our ecommerce clients safely and securely hosted at excellent monthly rates. The support given by Nick and his team whether during initial setup, adding SSL, or getting to the bottom of any hiccups our sites might encounter, has been second to none

    Jason Wheeler, Fashion Nexus Ltd

    www.fashionnexus.co.uk

  • Graham Cox

    “HA247 offer a reliable and professional service. We have been very pleased with their hosting services for the past two years and will continue to use them for the foreseeable future. We are very satisfied customers.”

    Graham Cox, Osiris Educational Limited

    www.osiriseducational.co.uk

  • Geoff Willings

    “I’ve used many hosting companies. You get what you pay for! HA247 is, by far and away, the best hosting partner we’ve ever had. Firstly, HA247 actually listened to our initial requirements. They asked all the right questions to further understand our needs and have been instrumental to the evolution of our online infrastructure. Their experience and expertise is delivered with friendly enthusiasm. It makes working with them an absolute pleasure. We’re really looking forward to what the future holds with these top notch chaps contributing as an extension to our own team.”

     Geoff Willings, Azexis

    www.azexis.com & www.evance.it

  • Chris Skitch

    “My old unmanaged dedicated server hosted by a “cheap-as-chips” French company was down when the team at HA247 came to the rescue. Nick is a genius. I had hit a brick wall trying to fix the issues when Nick was able to diagnose and restore my server within minutes. Since migrating to HA247 my uptime has increased from 98% to an astounding 100%. Myself and my clients could not be happier. I have no hesitation in recommending HA247.”

    Chris Skitch, Didgeroo

    www.didgeroo.com

  • Steven Wright

    “Your servers are faster than my servers. I happen to know that my servers cost more money. You clearly have some kind of secret sauce in there because we moved our main website this evening, and geez is it fast.”

    Steven Wright, Wright CCS

    www.wrightccs.com

  • Gio Najar

    “Here at Chi Chi London our Internet presence is critical to our ecommerce business. Our High Availability hosting through HA247 combines high-end technology with very experienced Internet technicians.
    The HA247 team understands how my marketing impacts on the servers, and they are always available to talk. Their scalable hosting system just works.”

    Gio Najar, Director, Chi Chi London

    www.chichiclothing.com

  • Dan Grant

    “HA247 have turned hosting on its head, for them it’s not about ramping up the numbers it’s about customer service and attention to detail. It’s about being approachable and never too busy to help. In short they are doing business as it should be done.”

    Dan Grant, Not Only But Also

    www.notonlybutalso.net

  • Nigel Wilkinson

    Having dealt with various Hosting companies over the past 15 years I can only say I wish I’d met HA247 years ago. They understand our business, understand hosting and are quick to respond to tech support and with suggestions that make our life easier. I have no hesitation in recommending them.

    Nigel Wilkinson, WNW Digital Ltd

    www.wnwdigital.co.uk