OK, this is by far the hardest article in the series to understand, and in all honesty you're going to get the least bang for the buck in terms of actually learning anything that will secure your WordPress installation. What it will provide is a little background on where WordPress loads its files and some techniques you can apply manually to secure them. Don't panic if this stuff goes over your head: the next article contains a series of plugin recommendations, some of which will let you handle these issues very well without having to get your hands dirty.
WordPress is a dynamic content management system, which is known in the biz as a CMS. This means that when a person visits your site there is no single home or about-us page sitting on your server. All the pages of your site are derived directly from the data you load into the system and are created on the fly from that information. The web pages that do exist are mostly application code designed to interpret the information you provide and format it into the presentation you interact with. This little magic trick is done through various PHP, MySQL and CSS files located in the following directories of your site:
In order for these files to “work” they have to be writable by the web server, and that is potentially dangerous, especially in a shared hosting environment. I recommend that you limit your file permissions to 644 for the files in the root directory and 755 for the folders (see below). There may be some files or folders, e.g. cache, that require different permissions, but for most situations this should be safe.
Now, if you don't know what these numbers mean, don't panic: when WordPress performs an automatic update the operations are performed as the file owner, not as the web server user, and it basically takes care of this automatically. If you want to make sure, you can right-click on your file or folder on your server in FileZilla and click File Permissions; you should see something that looks like the images above.
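The following is an added example, not from the original article, showing how to audit a WordPress tree against the 644-for-files / 755-for-folders baseline described above and apply it when the report looks right. It assumes GNU find and GNU stat (a Linux host); on macOS the `stat -c %a` call would need to become `stat -f %Lp`. The directory path in the usage comment is a placeholder.

```shell
# Added example (not the article's own code). Audits a WordPress tree
# against the baseline above (644 for files, 755 for folders) and, on
# request, applies it. Assumes GNU find and GNU stat (Linux).

# wp_perm_audit DIR: print "mode path (wants 644|755)" for every file or
# folder that is group- or world-writable. Always exits 0.
wp_perm_audit() {
    # -perm /022 matches entries with the group-write or other-write bit set
    find "$1" \( -type f -o -type d \) -perm /022 | while IFS= read -r p; do
        if [ -d "$p" ]; then want=755; else want=644; fi
        printf '%s %s (wants %s)\n' "$(stat -c %a "$p")" "$p" "$want"
    done
}

# wp_perm_violations DIR: number of entries reported by wp_perm_audit.
wp_perm_violations() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# wp_perm_fix DIR: apply the baseline. Folders first so the traversal
# can always descend into them; files second.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Usage (placeholder path): wp_perm_audit /var/www/html, review the list,
# then wp_perm_fix /var/www/html. Any cache or upload folder that a plugin
# must write to (the "cache" caveat above) gets its own settings restored
# by hand afterwards.
```

Run the audit before the fix: the report tells you which entries are about to change, which is exactly where the cache-style exceptions show up.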
If you are hosting your sites independently, as I recommended in the first lesson, then you already have a fairly good containment strategy. Just make sure that your databases are also managed independently by a different user, and if you are reasonably well versed in phpMyAdmin and don't mind getting your hands dirty, consider changing your database prefix from wp_ to something more obscure like wp_b01nG. You will have to match it to the $table_prefix = 'wp_'; line in the wp-config.php file and manually rename each database table to match, but it will help in preventing SQL injection.
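As an added example (not from the original article), here is a small shell function that generates the MySQL statements for the prefix change just described. It reads the current table names, one per line, on stdin (the list phpMyAdmin or SHOW TABLES gives you) and assumes MySQL syntax. Two things the article's "rename each table" step does not mention are included because they are easy to forget: WordPress only accepts letters, digits and underscores in $table_prefix (anything else is rejected here, since an invalid prefix in wp-config.php stops the site), and the prefix is also stored inside two rows, the user_roles option and the per-user capability keys in usermeta, which RENAME TABLE does not touch. The table names in the test are constructed.

```shell
# Added example (not the article's own code). Emits the MySQL needed to
# move a site from prefix OLD to prefix NEW. Table names come in on stdin.

# wp_prefix_rename_sql OLD NEW < tables.txt
wp_prefix_rename_sql() {
    old=$1
    new=$2
    # WordPress's own rule for $table_prefix: letters, digits, underscore.
    case $new in
        '' | *[!A-Za-z0-9_]*)
            echo "invalid prefix '$new': use letters, digits and underscores only" >&2
            return 1 ;;
    esac
    while IFS= read -r t; do
        case $t in
            "$old"*) ;;            # carries the old prefix: rename it
            *) continue ;;         # some other table: leave it alone
        esac
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}"
    done
    # The prefix also lives inside row data. Without these two updates every
    # account loses its role after the rename.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
        "$new" "$new" "$((${#old} + 1))" "${#old}" "$old"
}
```

Review the generated statements before running them, and take a database backup first; the RENAME lines come out before the two UPDATEs so the script can be run top to bottom.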
The most common WordPress hacker attacks consist of specially crafted HTTP requests that exploit specific vulnerabilities in outdated plugins, software bugs and malicious code. This means: don't ever download WordPress from anywhere but a trusted source, and carefully review your plugins before you install them. Don't just download them from anywhere on the web.
Of course the other most common form of attack is good ol' brute-force password guessing; however, if you paid attention to my first article this will prove to be a difficult way for hackers to gain entry, since your username is probably anything but admin and your password is a confusing mess of numbers, letters and various symbols at least 12 characters long.
Some people like to move the wp-config.php file up a directory. The jury is still out on this, because if it's not done precisely it can backfire and introduce serious vulnerabilities. I like to keep things a bit simpler. If you have a server with .htaccess in the root directory you can add the following to your root .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
Now, if you want to be really, really secure, you can whitelist access to the /wp-admin/ directory. To do so you will need a static, or at least stable, IP address on the computers you manage your WordPress site from. The downside is that you won't be able to edit the site from a cafe unless you manually add the IP address you are currently using to the .htaccess file in /wp-admin/, in the format below:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 66.249.64.0
# whitelist work IP address
allow from 66.249.95.255
Note: the above IP addresses belong to Google; look up your own public IP address and use that instead.
Just be sure you don't have a dynamic IP: this trick only works if your IP address is stable. Many schools, cable companies and even some businesses have dynamic IP addresses that change often. Then again, some dynamic IP addresses stay the same for months…
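The following is an added example, not from the original article, that generates the /wp-admin/ allowlist above from a list of IPv4 addresses or CIDR ranges. It adds two things the hand-written file does not have: every address is validated before anything is written (a mistyped address in this file is the easy way to lock yourself out of your own dashboard), and it emits both the Apache 2.4 `Require ip` form and the older `Order`/`Deny`/`Allow` form the article uses, each inside an `IfModule` guard on `mod_authz_core`, so the same file works on either version. The article's Auth* lines are left out because they do nothing for IP-based access control. The addresses in the usage comment and test are constructed documentation ranges.

```shell
# Added example (not the article's own code). Builds a wp-admin allowlist
# .htaccess from IPv4 addresses / CIDR ranges, rejecting malformed input.

# valid_ipv4 ADDR[/BITS]: 0 if ADDR is a dotted quad with each octet 0-255
# and an optional prefix length of 0-32, else 1.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) bits=${1#*/} ;;
        *)   bits=32 ;;
    esac
    case $bits in '' | *[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    # Only digits and dots, no leading/trailing/double dots (also keeps
    # glob characters out of the unquoted split below).
    case $addr in '' | *[!0-9.]* | .* | *. | *..*) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# wp_admin_allowlist ADDR...: print the .htaccess text to stdout; returns 1
# and prints nothing if any address is malformed or the list is empty.
wp_admin_allowlist() {
    [ $# -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "rejecting malformed address: $a" >&2; return 1; }
    done
    echo '# wp-admin allowlist (generated)'
    echo '<IfModule mod_authz_core.c>'          # Apache 2.4
    printf '    Require ip'
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n</IfModule>\n'
    echo '<IfModule !mod_authz_core.c>'         # Apache 2.2
    echo '    Order deny,allow'
    echo '    Deny from all'
    for a in "$@"; do printf '    Allow from %s\n' "$a"; done
    echo '</IfModule>'
}

# Usage (constructed addresses; substitute your own):
#   wp_admin_allowlist 203.0.113.5 198.51.100.0/24 > wp-admin/.htaccess
```

Because the function returns before printing anything when an address is bad, redirecting its output to the real .htaccess cannot leave you with a half-written or unparseable file.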
Another smart move is to disable file editing from the WordPress Dashboard. Editing code in this manner sucks anyway, so it's no loss, and you're much safer keeping a record of your changes as you go; it only adds a couple of steps, but it will save you a lot more when you realize you've made a mistake. Simply place the following line of code in your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
Note: this won't do diddly divided by squat to prevent them from uploading files if they have gained admin access, but it will stop some of the more pernicious tricks they may have and limit the scope of the damage they can do. I still recommend it.
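As an added example (not from the original article), here is a shell function that puts the line above into wp-config.php for you. It places the define before the `require_once` of wp-settings.php, because a constant defined after that line is too late for WordPress to see, it is idempotent so re-running it on many sites is safe, and it refuses to touch a file where the constant is already mentioned but not set to true. The wp-config.php in the test is a constructed fragment.

```shell
# Added example (not the article's own code). Ensures
# define('DISALLOW_FILE_EDIT', true); is present in wp-config.php.

# wp_disable_file_edit FILE: 0 if DISALLOW_FILE_EDIT is set to true
# afterwards, 1 if the file could not be handled automatically.
wp_disable_file_edit() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    if grep -q "define( *'DISALLOW_FILE_EDIT' *, *true *)" "$f"; then
        return 0                        # already in place, nothing to do
    fi
    if grep -q "DISALLOW_FILE_EDIT" "$f"; then
        echo "$f: DISALLOW_FILE_EDIT is mentioned but not set to true; edit by hand" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    # Copy the file, inserting the define just before the first line that
    # pulls in wp-settings.php.
    awk -v line="define('DISALLOW_FILE_EDIT', true);" '
        !ins && /wp-settings\.php/ { print line; ins = 1 }
        { print }
    ' "$f" > "$tmp"
    if ! grep -q "DISALLOW_FILE_EDIT" "$tmp"; then
        rm -f "$tmp"
        echo "$f: no wp-settings.php include found; edit by hand" >&2
        return 1
    fi
    # Write back through the existing file so its owner and mode survive.
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Usage (placeholder path): wp_disable_file_edit /var/www/html/wp-config.php
```

The related DISALLOW_FILE_MODS constant goes one step further and also blocks installing and updating plugins and themes from the dashboard; it is the setting that addresses the upload caveat in the note above, at the cost of doing those updates outside WordPress.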
OK, this was a palpably more advanced lesson in web security. In the next lesson I'm going to conclude this series with one last article on specific plugins for enhancing security, monitoring techniques, and why backups and server logs are your best friends when everything goes sideways.