
Hardening WordPress! ( In Apache )

Published by Nick Fox

Before talking about Hardening WordPress and how to keep a WordPress website secure we must first ask “What is security?” As defined by codex.wordpress.org, and because we think this is an excellent description, “Security is not an absolute, it’s a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It’s about employing the appropriate security controls that best help address the risks and threats as they pertain to your website.”

Taking control of your security:

  1. Limit access
    Limit the number of people who have access to your website and server
  2. Isolate functions
    Have your hosting provider help you restrict access to the admin area
  3. Source control
    Ensure your code is in git or svn; this makes it much easier to identify changes made to your code
  4. Backup
    Maintain regular backups, or choose a hosting company that includes this service
  5. Only use trusted sources
    Do not get plugins/themes from sources that are not trusted
  6. Apply Updates!
    Do your best to keep up to date, including plugins and themes. WordPress is a popular system, which makes it attractive to attackers. Once a security bug has been patched, you can be sure an attacker will try to compromise any system that has not applied the fix.
  7. Security updates and news
    Security vulnerabilities affect all software, and WordPress is no different. Ensure you are notified of security issues as soon as they have been made public.

Hardening your website and its environment:

  1. Backup your website’s files and databases. Don’t wait to find out why this is number one on my list.
  2. Before you, or an attacker, makes any changes to your website, back it up. (If you don’t have a backup of your website make one now, before doing anything else!)
  3. Ensure your code is in git. This makes it simple to see which files have been modified: run `git status` to list them and `git diff` to see the changes.
  4. Avoid having any file or directory set to 777 (world-writable); this is bad! Check with your host before making permission changes, as they can have adverse effects on the performance and availability of your site.
    Change directory permissions
    find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
    Change file permissions
    find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
  5. Allow the web server write access to wp-content/uploads
    chgrp nobody -R /path/to/your/wordpress/install/wp-content/uploads/;
    chmod -R g+w /path/to/your/wordpress/install/wp-content/uploads/;
  6. Restrict access to wp-admin (in a .htaccess file for the wp-admin directory)
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "WordPress Admin Access Control"
    AuthType Basic
    order deny,allow
    deny from all
    # whitelist the office IP
    allow from xx.xx.xx.xxx
    # whitelist the VPN IP
    allow from xx.xx.xx.xxx
  7. Block access to scripts that are generally not intended to be accessed by any user.
    # Block the include-only files.
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    # BEGIN WordPress
  8. Don’t allow PHP to execute in wp-content/uploads/ by adding a .htaccess file there containing
    # Kill PHP Execution
    <Files *.php>
    deny from all
    </Files>
  9. Don’t allow access to your config file by adding this to your .htaccess file
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
  10. Disable file editing
    cat << EOF >> /path/to/your/wordpress/install/wp-config.php
    ## Disable Editing in Dashboard
    define('DISALLOW_FILE_EDIT', true);
    EOF
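To check that the steps above have actually taken effect on a host, here is an added example (not part of the original post): a POSIX shell script that audits an install against steps 4, 6, 8 and 10 and sets DISALLOW_FILE_EDIT in the place WordPress documents for constants, above the "That's all, stop editing!" marker of a stock wp-config.php, rather than appending it after the line that loads wp-settings.php. The marker text, the check patterns and the 755/644 scheme are assumptions taken from a default install; the step 5 `chgrp nobody` above likewise assumes your web server runs as group `nobody`, so confirm the group with your host before relying on the permission checks.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a WordPress install
# against steps 4, 6, 8 and 10 and set DISALLOW_FILE_EDIT in the documented
# place. Assumptions: a stock wp-config.php that carries the "stop editing"
# marker, and the 755/644 scheme from step 4.
set -u

# Step 4: list files and directories that any user on the host can write to.
# -perm -002 matches 777 as well as 666, 776 and similar.
list_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# Step 4: apply 755 to directories and 644 to files; prints how many
# world-writable entries existed before the change.
fix_permissions() {
    local root="$1" before
    before=$(list_world_writable "$root" | wc -l | tr -d ' ')
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    echo "$before"
}

# Step 6: wp-admin/.htaccess exists and denies by default.
admin_restricted() {
    local ht="$1/wp-admin/.htaccess"
    [ -f "$ht" ] && grep -qi 'deny from all' "$ht"
}

# Step 8: wp-content/uploads/.htaccess exists and denies *.php.
uploads_blocks_php() {
    local ht="$1/wp-content/uploads/.htaccess"
    [ -f "$ht" ] && grep -qi '<Files \*\.php>' "$ht" && grep -qi 'deny from all' "$ht"
}

# Step 10: DISALLOW_FILE_EDIT is defined as true in wp-config.php.
file_edit_disabled() {
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# Insert the define above the "stop editing" marker (assumed to be present in a
# stock wp-config.php); append it when the marker is absent. Safe to run twice.
disable_file_edit() {
    local cfg="$1/wp-config.php"
    file_edit_disabled "$1" && return 0
    if grep -q 'stop editing' "$cfg"; then
        awk -v line="define('DISALLOW_FILE_EDIT', true);" \
            '/stop editing/ && !done { print line; done = 1 } { print }' \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    else
        printf "\ndefine('DISALLOW_FILE_EDIT', true);\n" >> "$cfg"
    fi
}

# Run every check, print one line per finding and return the number of
# findings, so a non-zero exit from a cron job or deploy hook means "look".
audit_wordpress() {
    local root="$1" findings=0 ww
    ww=$(list_world_writable "$root")
    if [ -n "$ww" ]; then
        printf '%s\n' "$ww" | sed 's/^/world-writable: /'
        findings=$((findings + $(printf '%s\n' "$ww" | wc -l)))
    fi
    admin_restricted "$root"   || { echo "wp-admin is not restricted by .htaccess"; findings=$((findings + 1)); }
    uploads_blocks_php "$root" || { echo "PHP is executable under wp-content/uploads"; findings=$((findings + 1)); }
    file_edit_disabled "$root" || { echo "DISALLOW_FILE_EDIT is not set in wp-config.php"; findings=$((findings + 1)); }
    return $findings
}

# Usage: sh wp-audit.sh /path/to/your/wordpress/install
if [ -n "${1:-}" ]; then
    audit_wordpress "$1"
fi
```

Run it after taking the backup from step 1; the exit status is the number of findings, so `0` means every check passed. The audit only reads the tree; `fix_permissions` and `disable_file_edit` are the two functions that change anything, and both are kept separate so you can review the findings before applying them.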

Useful plugins:

Install a security plugin; many are listed at https://wordpress.org/plugins/tags/security
