Friday, November 12, 2010

Securing Wordpress without plugins

Listed below are methods to improve the security of your blog without using any plugin:
  1. Separate Blog and WordPress Directory – You can separate the WordPress directory from the blog directory in two ways: either enter the two URLs under Admin>>Settings>>General, or define the two URLs in wp-config.php. The second approach is also useful for troubleshooting when you cannot access the Admin Dashboard. In that case, give the WordPress directory a name that is hard to guess. Such a setup is also useful when you upload the default zip file from wordpress.org, where WordPress sits in a subdirectory. Note that this works only if index.php from the WordPress root install is copied to the blog URL directory, with the path inside it edited accordingly. E.g. if your WordPress is in /home/public_html/domain/wordpress7472/ (http://domain.com/wordpress7472) and the blog is at /home/public_html/domain/ (http://domain.com), then the index.php at /home/public_html/domain/ should look like the following:
    <?php
    define('WP_USE_THEMES', true);
    // path is relative to the directory this index.php lives in
    require('wordpress7472/wp-blog-header.php');
    ?>
    The comments from the original index.php have been removed as they are not required. The path in index.php must be relative to the directory in which it now resides.
  2. Change Default Username – This is the most basic of methods, and it protects you from the attacks that target the default username WordPress creates at first install. To change the username, run an SQL query, or edit the entry directly if you are using phpMyAdmin. Here is the SQL command to change the username:
    UPDATE `wp_users` SET `user_login` = 'NEWUSERNAME' WHERE `wp_users`.`ID` = 1 LIMIT 1;
    If you are not comfortable running an SQL query or editing the database, create a new admin user and delete the old one.
  3. Changing Database Prefix – WordPress uses the default prefix wp_ for its tables, which is easy to target because anybody knows the table names without guessing. Changing this prefix helps a lot against automated SQL attacks. If you are yet to install WordPress, the prefix can be changed during installation, where the installer asks for it. Changing the prefix on a working blog takes a bit more work. Listed below are the steps required to change the WordPress table prefix:
    1. Open the file wp-config.php in your WordPress root directory and find the following line:
      $table_prefix = 'wp_';
      and change it to
      $table_prefix = 'newprefix_';
      The new prefix can contain letters, numbers and underscores, but it must not start with a number. You can use wp_webhost125_ or wpwebhost125_ as your new prefix too.
    2. Rename all tables in your SQL database to the new name. You can use the following SQL query to achieve this:
      ALTER TABLE wp_users RENAME TO newprefix_users;
      You will have to repeat the same query for every table.
    3. Changing the table names does not complete the job. Some option names still use the default table prefix and need to be updated manually. In the table newprefix_options, find the option named ‘wp_user_roles’ and rename it to ‘newprefix_user_roles’. There is no general SQL query for doing this because the option id of this option can differ from blog to blog. In the table newprefix_usermeta, the meta keys to be renamed are ‘wp_capabilities’, ‘wp_user_level’ and ‘wp_autosave_draft_ids’. The last one exists only if you have saved draft posts earlier.
    Now the new table prefix should work as required.
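As an added example (not code from the original post), the following Python script writes out the whole prefix migration described in the steps above, going a little beyond them: the usermeta renames are done with one statement that matches every key starting with the old prefix (which covers wp_capabilities, wp_user_level and wp_autosave_draft_ids), the wp_user_roles rename matches on option_name rather than on the blog-specific option id, and the table list is a constructed sample.

```python
import re

# Constructed sample: the core tables of a default-prefix install plus one
# unrelated table that must be left alone.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_terms", "wp_term_relationships", "wp_term_taxonomy",
    "wp_usermeta", "wp_users", "backup_wp_posts",
]

# Letters, digits and underscores only, and not starting with a digit.
PREFIX_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def like_escape(text):
    """Escape MySQL LIKE wildcards: in LIKE, '_' matches any single character,
    so an unescaped 'wp_%' would also match a key such as 'wpXfoo'."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def prefix_migration_sql(tables, old="wp_", new="newprefix_"):
    """Return the SQL statements that rename every `old`-prefixed table to `new`
    and then fix the rows where the prefix is stored as data."""
    for prefix in (old, new):
        if not PREFIX_RE.match(prefix):
            raise ValueError("prefix must be letters, digits or '_' and must not start with a digit")
    stmts = []
    for table in tables:
        if table.startswith(old):
            stmts.append(f"ALTER TABLE `{table}` RENAME TO `{new}{table[len(old):]}`;")
    # The wp_user_roles option: match on its name, which is the same on every blog.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # wp_capabilities, wp_user_level, wp_autosave_draft_ids and any other prefixed
    # meta key: swap the leading prefix and keep the rest of the key.
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_escape(old)}%';"
    )
    return stmts


if __name__ == "__main__":
    print("\n".join(prefix_migration_sql(SAMPLE_TABLES)))
```

Review the generated statements against a fresh database backup before running them, since a typo in the prefix will take the blog down.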
  4. Remove WP Version Information – WordPress generally gives away the version number of your installation in two places: in the site’s header, and in the footer (if the theme displays it). If you are using an older version of WordPress, you should remove it, lest it tells hackers that you are running an outdated version which may have security loopholes for them to exploit. Removing the information from the footer is easy: just find the PHP code
    <?php bloginfo('version'); ?>
    in your footer.php and delete it. Removing it from the header requires editing the theme’s functions.php file, since it is printed automatically in the header by the wp_head() call in header.php. Add this line to your theme’s functions.php just before the closing ?>:
    remove_action( 'wp_head', 'wp_generator' );
    The above functions.php edit works only in WordPress 2.5 and above. For older versions, remove this code from the theme’s header.php file:
    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->
    This code may still appear in your theme on WordPress 2.5 or above, as some theme authors have not removed it.
  5. Disable Remote Publishing if you do not use it – If you are not using any external tool such as Windows Live Writer to publish to your blog, you should disable remote publishing. Go to Admin>>Settings>>Writing and uncheck both options under Remote Publishing: Atom Publishing Protocol and XML-RPC. To disable remote publishing completely, add the following lines to your theme’s functions.php just before the closing ?>:
    remove_action('wp_head', 'wlwmanifest_link');
    remove_action('wp_head', 'rsd_link');
    The first line removes the Windows Live Writer manifest link, which disables posting from Windows Live Writer. Note that the rsd_link line also stops pingbacks and trackbacks from working on your blog, besides disabling remote publishing. If you need them, don’t add the second line.
  6. Hide your plugins and themes – You don’t want people to know which themes and plugins you use. To prevent that, upload an empty index.html file into the wp-content/plugins/ and wp-content/themes/ directories under your blog’s URL.
  7. wp-config.php hacks: Following is the list of hacks related to the file wp-config.php.
    Note: All code that needs to be inserted into wp-config.php should go before the line which says stop editing. This is very important for any hack to work properly.
    1. Protect wp-config.php file – This file is very important as it contains the username and password of the database on which your blog is hosted. Add the following code to the .htaccess file in your blog’s root directory:
      <Files wp-config.php>
      Order deny,allow
      Deny from all
      </Files>
    2. Update/Add Security Keys in wp-config.php – Since WordPress 2.6, wp-config.php contains security keys which enhance the security of your installation, as they help to encrypt the cookie information stored by your blog. If you don’t have them or want to change them, visit the WordPress.org Secret Key Service to generate random keys, and paste the generated code into wp-config.php as it is, just before the line which says stop editing, or replace the existing keys.
    3. Move wp-config.php file – WordPress 2.6+ allows you to move this file out of your WordPress install directory. If your blog is in the root directory, the best way is to move wp-config.php one level up. For example, if your blog is at http://www.domain.com (/home/public_html/domain/), then wp-config.php can be kept at /home/public_html/ without any further configuration. If you are using WordPress 2.5 or lower, or WordPress is installed in a subdirectory, the process of moving the file is different and is described below:
      1. Open the current wp-config.php and copy the portion which contains the database information and the authentication keys. Now go to the directory where you want to keep the configuration, create a new file there named something like config.php and paste the copied information into it. The new config.php should look something like this:
        <?php
        // database connection settings
        define('DB_NAME', 'blogname');
        define('DB_USER', 'username');
        define('DB_PASSWORD', 'password');
        define('DB_HOST', 'localhost');
        define('DB_CHARSET', 'utf8');
        define('DB_COLLATE', '');
        // authentication keys (placeholders; use the generated random values)
        define('AUTH_KEY', 'abcdefghijklmnopqrstuvwxyz');
        define('SECURE_AUTH_KEY', 'abcdefghijklmnopqrstuvwxyz');
        define('LOGGED_IN_KEY', 'abcdefghijklmnopqrstuvwxyz');
        define('NONCE_KEY', 'abcdefghijklmnopqrstuvwxyz');
        $table_prefix  = 'newprefix_';
        ?>
        I have removed the comments from the PHP file as they are not needed and would inflate this tutorial unnecessarily.
      2. Now, instead of the above code, paste the following line into your wp-config.php and save the file.
        include('/home/public_html/config.php');
      3. In effect, instead of moving the complete file, you have moved the sensitive portion of wp-config.php to an inaccessible location. (/home/public_html/ is always inaccessible from the web; if that is not the case with your web host, copy the file to any such location.)
    4. Use SSL for Login/Admin – If you have purchased an SSL certificate for your domain, you can enable SSL for your WordPress login and admin pages by adding the following code to your wp-config.php:
      define('FORCE_SSL_ADMIN', true);
      For more information about SSL on WordPress, read the WordPress Codex article.
  8. Htaccess file hacks: Following is the list of .htaccess hacks for securing WordPress:
    1. Protect wp-admin directory – You can block all IPs except your own from accessing the wp-admin directory. Add the following code to the .htaccess file inside the wp-admin directory:
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Example Access Control"
      AuthType Basic
      <Limit GET>
      Order deny,allow
      Deny from all
      Allow from xx.xx.xx.xx
      Allow from xx.xx.xx.xx
      </Limit>
      where xx.xx.xx.xx is your IP address. Note that <Limit GET> applies the restriction only to GET (and HEAD) requests; to cover every request method, drop the <Limit GET> and </Limit> lines so that the Order/Deny/Allow directives apply unconditionally.
    2. Protect Public Browsing of All Directories – Dropping an index.html file protects only the plugins and themes directories, and it is not practical to drop index.html into every other directory. A better way is to insert the following line into the .htaccess file:
      Options All -Indexes
    3. Deny comment posting to requests without a referrer – Most spammers are bots which post comments to your blog without even opening it: they request wp-comments-post.php directly without sending any referrer information. The following code, inserted into the .htaccess file, blocks such bot spammers:
      RewriteEngine On
      RewriteCond %{REQUEST_METHOD} POST
      RewriteCond %{REQUEST_URI} wp-comments-post\.php
      RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
      RewriteCond %{HTTP_USER_AGENT} ^$
      RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
      Replace yourblog.com with your blog’s domain.
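To see exactly which requests the rule above catches, here is an added Python model of the RewriteCond chain (not code from the original post), run over a constructed set of sample requests; the domain yourblog.com and the requests are assumptions.

```python
import re

# Constructed sample requests: (method, request URI, Referer header, User-Agent header).
SAMPLE_REQUESTS = [
    ("POST", "/wp-comments-post.php", "http://yourblog.com/2010/11/hello/", "Mozilla/5.0"),  # normal visitor
    ("POST", "/wp-comments-post.php", "", "Mozilla/5.0"),                      # no Referer at all
    ("POST", "/wp-comments-post.php", "http://yourblog.com/", ""),              # empty User-Agent
    ("GET", "/wp-comments-post.php", "", ""),                                   # not a POST
    ("POST", "/wp-login.php", "", ""),                                          # some other URI
    ("POST", "/wp-comments-post.php", "http://notyourblog.com/", "curl/7.0"),   # substring match
]


def is_blocked(method, uri, referer, user_agent, domain="yourblog.com"):
    """Evaluate the RewriteCond chain: conditions are ANDed, except the two
    joined by [OR], where either one suffices."""
    if method != "POST":
        return False
    if not re.search(r"wp-comments-post\.php", uri):
        return False
    # '!.*yourblog.com.*' is an unanchored substring test with unescaped dots,
    # so any Referer that merely contains the domain text satisfies it.
    bad_referer = re.search(r".*" + domain + r".*", referer) is None
    empty_ua = re.search(r"^$", user_agent) is not None
    return bad_referer or empty_ua


def blocked_requests(requests=SAMPLE_REQUESTS):
    """Return the sample requests the rule would redirect away."""
    return [req for req in requests if is_blocked(*req)]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print("BLOCK" if is_blocked(*req) else "allow", req)
```

Both headers are supplied by the client, so this is spam hygiene rather than access control: it stops careless bots, but it also blocks visitors whose browsers or privacy extensions strip the Referer header, and the last sample shows that the unanchored pattern accepts any Referer that contains the domain text.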
    4. .htaccess authentication for WordPress Admin – This method adds another username/password authentication in front of your WordPress Admin Dashboard. The steps are listed below:
      1. Visit Dynamic Drive’s .htaccess Password Generator and fill in the username, the password and a path that is inaccessible to anybody (e.g. /home/public_html/).
      2. Copy the code provided for .htaccess into your blog’s wp-admin/.htaccess file (create it if it does not exist).
      3. Copy the code for .htpasswd into a .htpasswd file at the path provided above (/home/public_html/.htpasswd).
      Now your WordPress Admin should be password protected twice!
      Password Protecting wp-admin using .htaccess
  9. Use Shell/SSH instead of FTP – SSH/shell access is much more secure for transferring files than FTP. Use it if your web host allows it.
  10. Block WordPress folders from Search Engines – Block your WordPress folders from being crawled by search engines by inserting the following line (under a User-agent: line such as User-agent: *) into the robots.txt file in your blog’s root directory:
    Disallow: /wp-*
    Note that robots.txt is only advisory: well-behaved crawlers honour it, but it does not restrict access.
  11. Suppress Error Message on Log-In Page – When a login at wp-login.php fails, WordPress tells you whether the username or the password was wrong. This may be useful for you, but it is just as useful to a person trying to brute-force their way into your blog. You can suppress this message by inserting the following code just before the closing ?> in your theme’s functions.php file:
    // a closure replaces create_function(), which PHP 8 removed; returning '' hides the reason for the failure
    add_filter('login_errors', function ($errors) { return ''; });
  12. Change File Permissions – Check your file and folder permissions. For wp-config.php, set the file permission to 644. Set directories to 755 and files to 644.
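As an added example (not from the original post), the following Python script audits a WordPress tree against the 755/644 policy above and lists every entry that deviates; it builds a constructed sample install in a temporary directory, with a world-writable wp-config.php and a world-writable uploads directory as the deliberate mistakes.

```python
import os
import stat
import tempfile

EXPECTED_DIR = 0o755
EXPECTED_FILE = 0o644


def audit_permissions(root):
    """Walk `root` and return (relative path, actual mode, expected mode) for every
    directory that is not 755 and every regular file that is not 644.
    Symlinks are skipped because their own mode bits are meaningless."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, EXPECTED_DIR) for d in dirnames] + [(f, EXPECTED_FILE) for f in filenames]
        for name, expected in entries:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected:
                findings.append((os.path.relpath(path, root), mode, expected))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a miniature install in a temp dir, set to the correct
    modes first and then given two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-perm-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), EXPECTED_DIR)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), EXPECTED_FILE)
    os.chmod(os.path.join(root, "wp-config.php"), 0o666)             # world-writable file
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)     # world-writable directory
    return root


if __name__ == "__main__":
    for rel, mode, expected in audit_permissions(build_sample_tree()):
        print(f"{rel}: is {mode:o}, expected {expected:o}")
```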
  13. Choose a strong Password for Admin – Choose a password containing random letters, numbers and special characters, which makes it tough to crack. You can use a password generator tool for it too.
  14. Make Daily Backups of your Database – Keep a daily backup of your blog’s database. Use the WP-DBManager plugin to have the database emailed to you daily.
  15. Keep Your Blog, Plugins and Themes Updated – Always run the latest versions of WordPress, your plugins and even your theme.
