The administrative zone of any web application has long been a favorite target for hackers, and its security is a major concern for developers. This also applies to WordPress: when a new blog is installed, the system creates an administrator account with a unique, randomly generated password, which blocks unrestricted access to the system settings and guards them behind the login page.
This article focuses on how to enhance the security of WordPress, both the administrative panel and the blog settings, meaning the entire contents of the wp-admin folder, which is shown only after login. We deliberately highlight the phrase "after login": you should be clearly aware that only one simple request separates the "evil hacker" from the admin panel of your entire blog or site, and the latter is protected only as well as the password you chose is strong.

To make an attacker's job many times harder, we offer a set of operations that you can perform manually. These solutions do not guarantee 100% protection, but with their help you will significantly improve the security of your blog.
1. Rename the WordPress folder.
Starting from version 2.6, it became possible to change the path to the wp-content folder. Unfortunately, this still does not apply to the wp-admin folder. Security-conscious bloggers have come to terms with this and hope it will become possible in future versions. Until then, we suggest the following alternative. After unpacking the archive with the WordPress files, you will see the “wordpress” folder: rename it (ideally to something unusual like “wordpress_live_Ts6K”) and then configure the wp-config.php file in the root directory accordingly.
What will this change give us?
- Firstly, the WordPress files are no longer mixed with other files in the root of the site, which makes the root level clearer.
- Secondly, multiple copies of WordPress can be installed side by side in folders with different names without interfering with each other, which is ideal for testing.
- The third advantage relates directly to security: the administrative zone (and the blog as a whole) is no longer in the root folder, so before any hacking attempt it first has to be found. This is a real obstacle for a human attacker; for bots it is only a matter of time.
Multiple installed versions in the root directory - this is possible!
Note: If the WordPress system files are no longer in the root directory and the installation folder has been renamed as recommended above, the blog will still be available at wp-config.ru. Why? Go to the “General settings” section of your blog and enter in the “WordPress address (URL)” field the real address of the blog on the server, as shown in the example:
The blog address must be beautiful and unobtrusive.
This will allow the blog to appear at a beautiful virtual address.
2. Update wp-config.php file
The WordPress configuration file wp-config.php contains some site settings and the information for accessing the database. It also holds other security-related settings (listed below). If these values are absent from the file, or are still at their defaults, you need to add or change them accordingly:
- Security keys: starting from version 2.7, WordPress has four security keys that must be set properly. WordPress saves you from having to invent these strings yourself by generating suitable keys automatically; you only need to paste them into the corresponding lines of the wp-config.php file. These keys are required for the security of your blog.
- The table prefix of a newly installed WordPress blog should not be the standard “wp_”. The more complex the prefix, the less likely unauthorized access to the tables of your MySQL database becomes. Bad: $table_prefix = 'wp_'; Much better: $table_prefix = 'wp4FZ52Y_'; Do not be afraid of forgetting this value: you enter it only once and will not need it again.
- If SSL encryption is available on your server, it is recommended to enable it to protect the administrative zone. This is done by adding the following line to the wp-config.php file: define('FORCE_SSL_ADMIN', true);
You can also adjust other system settings in the configuration file. A clear and comprehensive list of the available settings is on the WordPress Codex page.
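The three settings above can be checked mechanically rather than by eye. The script below is an added example written for this article, not WordPress code: it reads the text of a wp-config.php and reports a default wp_ table prefix, any of the four security keys that is missing or still set to the stock placeholder phrase, and a missing FORCE_SSL_ADMIN. The function names and the sample configuration embedded at the bottom are constructed for the example.

```php
<?php
// Added example (not from the article or WordPress): audit the security-related
// settings of a wp-config.php from its text. Function names are ours.

const WP_SECURITY_KEYS = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY'];

/** Value of define('NAME', ...) as a plain string, or null when not defined.
 *  Assumes the value itself does not contain the sequence ");". */
function wp_config_define(string $config, string $name): ?string
{
    $pattern = '/define\s*\(\s*[\'"]' . preg_quote($name, '/') . '[\'"]\s*,\s*(.+?)\s*\)\s*;/s';
    if (!preg_match($pattern, $config, $m)) {
        return null;
    }
    return trim($m[1], '\'" ');
}

/** Returns a list of findings; an empty list means the checked settings look fine. */
function audit_wp_config(string $config): array
{
    $findings = [];

    // Table prefix: anything but the default 'wp_'.
    if (preg_match('/\$table_prefix\s*=\s*[\'"]([^\'"]*)[\'"]\s*;/', $config, $m)) {
        if ($m[1] === 'wp_') {
            $findings[] = "table_prefix is the default 'wp_'";
        }
    } else {
        $findings[] = 'table_prefix is not set';
    }

    // Security keys: each must be present, reasonably long and not the placeholder.
    foreach (WP_SECURITY_KEYS as $key) {
        $value = wp_config_define($config, $key);
        if ($value === null) {
            $findings[] = "$key is missing";
        } elseif (stripos($value, 'put your unique phrase here') !== false || strlen($value) < 32) {
            $findings[] = "$key is a placeholder or too short";
        }
    }

    // FORCE_SSL_ADMIN: the admin area should be served over HTTPS.
    if (wp_config_define($config, 'FORCE_SSL_ADMIN') !== 'true') {
        $findings[] = 'FORCE_SSL_ADMIN is not enabled';
    }

    return $findings;
}

// Constructed sample: a fresh wp-config.php with every setting left at its default.
$sample_config = <<<'CONFIG'
<?php
define('DB_NAME', 'blog');
$table_prefix = 'wp_';
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
CONFIG;

foreach (audit_wp_config($sample_config) as $finding) {
    echo "- $finding\n";
}
```

Run it against your real file with something like `audit_wp_config(file_get_contents('/path/to/wp-config.php'))`; the sample above yields one finding per weak setting (prefix, three placeholder keys, one missing key, no SSL), and a properly configured file yields none.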
Do not neglect the installation of the correct security keys!
3. Move the wp-config.php file
Also starting from version 2.6, WordPress allows you to move the wp-config.php file one level up. Because this file contains far more important information than any other, and because access to a folder above the server's root folder is always harder to obtain, it makes sense to store it apart from the other files. WordPress automatically checks the parent folder when searching for wp-config.php; any attempt by users to customize the path is useless.
4. Protect the wp-config.php file
Not all hosting providers allow you to store files above the root directory; in other words, not everyone has the rights to carry out the previous step. There may be other reasons too: for example, if you host several blogs with a certain folder structure, you cannot put all their configuration files in the parent folder, since the file name would be the same for each blog. In this case, we can deny outside access to the wp-config.php file using the .htaccess file. Here is the code:
[code]
# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
[/code]
It is very important to make sure that the .htaccess file is in the same directory as the wp-config.php file.
5. Delete the administrator account.
During installation, WordPress creates an administrator account with the default username “admin”. On the one hand this is logical; on the other, a user with a known login (and a known ID of 1) and administrative rights is a completely predictable target for attackers and their password-guessing tools. Hence our advice:
- Create another user with administrative rights and your own nickname.
- Log out.
- Log in with the new account.
- Delete the “admin” account.
If your blog is not new and you have already published posts or comments under the admin account, then among the options offered at deletion time choose “Link all posts and links to:” and select the name of the new user:
Note: Ideally, it is desirable that the new user login is different from the username displayed in the posts so that no one will know your username.
6. Choose a strong password.
The likelihood and frequency of potential attacks depend directly on the popularity of the blog, so it is worth making sure before that point that there are no weak links in your site's security chain.
Most often, passwords are the weakest link in that chain. Why? Most users choose their passwords thoughtlessly and carelessly. Many studies have shown that most passwords are simple dictionary words typed in lowercase, which are not hard to guess. Password-cracking tools even ship with lists of the most frequently used passwords.
WordPress implements an intuitive indicator of the strength of a typed password, which shows in color its difficulty level:

We recommend using at least seven characters, combining lowercase and uppercase letters, and including special characters such as ! " ? $ % ^ & ( ).
7. Protect the wp-admin folder.
Following the adage “two heads are better than one”, there is a way to double the protection of the administrative zone. The protection is governed by an .htaccess file, which must be placed in the “wp-admin” folder together with an .htpasswd file that stores the username and password. When accessing the folder you will again have to enter a login and password, but the difference is that this time the authorization is handled by the web server, not by WordPress itself.
To generate the .htaccess and .htpasswd files easily and quickly, use this service.
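Both files can also be produced locally, so the admin password never has to be typed into a third-party web form. The script below is an added example, not the article's code and not the code of the linked service: it writes one .htpasswd line with a bcrypt hash (which PHP's password_hash() produces and Apache 2.4's mod_authn_file accepts) and the matching .htaccess for the wp-admin folder. The realm name and the file path are placeholders to adapt to your server.

```php
<?php
// Added example (not from the article): generate the .htpasswd line and the
// wp-admin/.htaccess described in section 7 locally. Assumes Apache 2.4 or
// newer (bcrypt hashes in .htpasswd); paths and realm are placeholders.

/** One .htpasswd line: "user:$2y$10$..." */
function htpasswd_line(string $user, string $password): string
{
    if (strpos($user, ':') !== false) {
        throw new InvalidArgumentException('username must not contain ":"');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

/** Contents of the .htaccess that goes into wp-admin. $htpasswd must be an
 *  absolute path, ideally outside the web root so it can never be served. */
function htaccess_basic_auth(string $htpasswd, string $realm = 'Restricted area'): string
{
    return implode("\n", [
        'AuthType Basic',
        'AuthName "' . $realm . '"',
        'AuthUserFile ' . $htpasswd,
        'Require valid-user',
        '',
    ]);
}

/** Check a username/password against one .htpasswd line (to test the file). */
function htpasswd_verify(string $line, string $user, string $password): bool
{
    $parts = explode(':', rtrim($line, "\r\n"), 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$storedUser, $hash] = $parts;
    return hash_equals($storedUser, $user) && password_verify($password, $hash);
}

// Usage: print both files; the password here is a constructed sample.
$line = htpasswd_line('blogadmin', 'correct horse battery staple');
echo "--- .htpasswd ---\n", $line, "\n";
echo "--- wp-admin/.htaccess ---\n", htaccess_basic_auth('/srv/private/.htpasswd');
var_dump(htpasswd_verify($line, 'blogadmin', 'correct horse battery staple')); // true
var_dump(htpasswd_verify($line, 'blogadmin', 'wrong'));                        // false
```

One caveat worth knowing before enabling this: wp-admin/admin-ajax.php sits inside the protected folder, so themes and plugins that call it from the public side of the site will start receiving the server's 401 response; if that happens, exempt that single file from the Basic authentication.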
8. Disable the display of errors on the login page.
The WordPress login page is the door to the administrative zone of your blog, which opens after a successful check of the credentials. Every user has an unlimited number of login attempts, and by default WordPress helpfully reports exactly what the error was: if the login is wrong, WordPress says so. This is convenient for the user, but also for the attacker.
It is easy to see how much faster a login/password combination can be guessed when the system reveals which part was entered incorrectly. A few lines of code solve this problem; just add them to the functions.php file of your theme:
[php]
// Suppress the detailed login error message (create_function() is gone in PHP 8, so use a closure)
add_filter('login_errors', function ($error) {
    return null;
});
[/php]
The initial / modified view of the login page.
9. Limit the number of failed login attempts.
WordPress keeps no statistics on logins, successful or otherwise. This is very inconvenient for the administrator, who has no way to see whether there were unauthorized access attempts and to take measures if they become frequent. We offer two solutions: the Login LockDown and Limit Login Attempts plugins. Once installed, they not only log logins but also limit the number of failed attempts, temporarily blocking the IP address from which they came.
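Sections 8 and 9 can be combined without a plugin when a minimal version is enough. The code below is an added example for this article; it is not the article's code and not the code of the Login LockDown or Limit Login Attempts plugins. It goes into the theme's functions.php, uses only WordPress core hooks and the transient API, and the limits and the transient key prefix are assumptions chosen here.

```php
<?php
// Added example (not from the article or the plugins named above): one generic
// login error plus a small per-address lockout with a log trace, using core
// WordPress hooks only. Limits and the key prefix are our assumptions.

const LOGIN_MAX_FAILURES = 5;       // failed attempts tolerated per window
const LOGIN_LOCKOUT_SECS = 15 * 60; // lockout / counting window in seconds

/** Transient key for the client address. REMOTE_ADDR is the real client only
 *  when the server is not behind a reverse proxy or CDN; adapt it if it is. */
function login_lockout_key(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'login_fail_' . md5($ip);
}

function login_lockout_active(): bool
{
    return (int) get_transient(login_lockout_key()) >= LOGIN_MAX_FAILURES;
}

// Section 8: one generic message, whichever part of the login was wrong.
add_filter('login_errors', function ($error) {
    return 'Invalid login credentials.';
});

// Section 9a: count each failure per address and leave a trace in the PHP
// error log, since WordPress itself keeps no record of attempts.
add_action('wp_login_failed', function ($username) {
    $key   = login_lockout_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LOGIN_LOCKOUT_SECS);
    error_log(sprintf('wp login failed %d/%d user=%s ip=%s',
        $count, LOGIN_MAX_FAILURES, (string) $username, $_SERVER['REMOTE_ADDR'] ?? '?'));
});

// Section 9b: while the address is locked out, turn any result into an error.
// Priority 30 runs after the core username/password checks (priority 20), so
// the error replaces a successful WP_User; the refused attempt also fires
// wp_login_failed, which extends the window for a persistent attacker.
add_filter('authenticate', function ($user, $username, $password) {
    if (login_lockout_active()) {
        return new WP_Error('too_many_attempts',
            'Too many failed logins from this address; try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(login_lockout_key());
});
```

Counting per IP address is blind to attempts spread across many addresses and can lock out a whole office behind one NAT, which is why the plugins above add whitelists and per-username counters; the log lines written here are what let you notice either situation.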

10. Maintain current versions.
One last thing: as a rule, the WordPress developers react very quickly when vulnerabilities are found in the engine, so keep your installation up to date whenever possible. Fortunately, WordPress itself announces when a new version is released. The same applies to plugins: keep their versions current.
Remember: less is better when it comes to plugins and other add-ons. As an administrator, make sure that only the plugins you really need are installed and active. Each plugin is a potential risk and security threat, since they are all written by third-party developers.
And you?
How do you protect your blog from hacking? What do you use for this?
Translation from WordPress for everyone!