Securing WordPress Against Hackers and DDoS Attacks

I just translated slides from my WordCamp speech to English (it is the first version of the translation, there may be many grammar mistakes). You can find many security tips there.

@picwellwisher12pk I don’t like to move wp-config up. This action prevents revealing information when the server stops interpreting PHP code and shows the source code. There was a bug in Plesk years ago that allowed showing source code - this is the origin of this technique. If you move wp-config up, you need to allow scripts to access directories outside the web root. It may pose a greater risk.

Changing the wp_ prefix is good advice, but it protects only against simple bots and script kiddies. If SQL injection is possible, you can get the correct prefix easily. Good practice is to block queries including “union” and other suspicious SQL commands.

Awesome advice @smitka. And thanks for translating your presentation and sharing it here. There’s a lot of good WP security advice in it. I really love slides 13 and 15 and how you point out the misordering of priorities in relation to business impacts.

@smitka What WordPress security plugin do you recommend?

Hello! How do you password protect your directory by setting up .htaccess password protection?

Hey @php. I recommend taking a look at this - https://wordpress.org/support/topic/password-protect-a-directory-with-htaccess - and this - http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/.

Hi, the tutorial on wpbeginner looks very good. Pay attention to the “Admin Ajax Issue” section to allow admin-ajax.php. Some plugins also use the admin-post.php file.

There are three very good plugins:
WordFence
iThemes Security
All in one WP security and firewall

My favourite one is WordFence. It has some interesting features:

  • Limiting (not blocking) some traffic
  • Notification when plugins/themes update available
  • File change detection with possibility to roll back changes

On the other hand, iThemes provides pretty good URL filtering and has the ability to change the wp-admin slug.

I really like the combo of WordFence + some rules from the .htaccess generated by iThemes Security + rules to block queries containing “wp-config.php” and to block harvesting of user names.

I usually don’t use security plugins on my own servers - I block login and scanning attempts with fail2ban and use a WAF (naxsi) to enhance overall security (but it is quite hard to maintain the rules).

This is great. Thanks so much!

I have one more question. How do you change the default WP login.php to something else?

If you use the “hide backend” feature in iThemes Security, login.php is also hidden (until you visit new wp-admin URL).

Be careful copying and pasting the code shown in the article above. It contains smart quotes, not regular straight quotes.

Thanks for pointing that out, @mginop!

Great post. But I think you could have added a few more aspects of security :smile:

Hi @AmitMojumder – security is a very broad topic. If there’s ever anything in particular you’d like to see on the WordPress channel, let me know and I’ll feed it back to the authors :smile:

@mginop thanks for the heads up, I’ve fixed the smart quotes!

Hi, I discovered an interesting security plugin - https://wordpress.org/plugins/wp-simple-firewall/, it looks promising.

Features:

  • simple interfaces
  • audit log - almost all actions are logged - login, plugin install, mail sent, new content
  • selectable autoupdater
  • 2-factor authentication with YubiKeys (FIDO is not supported)
  • common exploits filter (rev slider…)

Downsides:

  • no 404 detection
  • no file change detection
  • blocks PHP uploads only in the WP uploader (via hook, not via .htaccess)

The best way to secure your WordPress website is not by using a plugin but by denying access to certain directories through the .htaccess file and your robots.txt file. Also choose a secure hosting provider.

I added the bit about the htpasswd to my .htaccess, but now scheduled posts don’t publish automatically anymore. I really need the password as the site is under constant attack. Any suggestions?

Hey @kbez. Your wp-cron.php file is probably being interfered with.

Following this http://www.summet.com/blog/2012/04/26/missed-schedule-for-wordpress-posts-due-to-htaccess-password-protection-blocking-wp-cron-php/ and/or this https://wordpress.org/support/topic/wp-cron-with-htaccess-cron-jobs-not-running should do the trick.

Please let me know if you still have problems after following these guidelines.

Thank you for the help @gibbiv! My .htaccess already has the following instructions and still missed the schedule:

<Files wp-cron.php>
Allow from all
Satisfy any
</Files>

Scheduled posts stopped working when I added:

AuthUserFile /path/to/.htpasswd
AuthName "Login first"
AuthType Basic
<Files "wp-login.php">
Require valid-user
</Files>

Does the order of the text in the .htaccess matter? I followed a few how-tos like the one you wrote and added instructions to protect wp-config.php, install.php, readme.html, php_error.log, as well as the following:

# Block URL based exploits
RedirectMatch 403 \[

# Ban double slashes in all URLs
RewriteCond %{THE_REQUEST} ^[A-Z]+\ /(([^/\ ]+/)*)/+([^\ ]*)
RewriteRule ^ /%1%3 [L,R=301]

The above was added to the bottom of the .htaccess after the caching settings added by W3TC. In my wp-config.php I activated PHP error logging by adding:

@ini_set( 'log_errors', 'On' );
@ini_set( 'error_log', '/path/to/php_error.log' );
@ini_set( 'display_errors', 'Off' );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );

This error log says nothing about wp-cron though.

I’m also in contact with my host and will give feedback if they have any success. Thanks for a great forum.
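An added .htaccess layout, not taken from any post in this thread, that puts the two exceptions discussed above (admin-ajax.php/admin-post.php from smitka's reply, wp-cron.php from kbez's post) next to the Basic auth rules so the password prompt never reaches requests that carry no browser credentials; the .htpasswd path is a placeholder and the Apache 2.2 syntax matches the thread.

```apache
# ---- /.htaccess (site root) ----
# Basic auth on the login form only. AuthType/AuthName/AuthUserFile are
# inert by themselves; nothing is enforced until a Require is in scope.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Login first"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</Files>

# wp-cron.php is requested by WordPress itself (a loopback HTTP call) with
# no credentials, so it must never sit behind the password prompt.
# "Satisfy any" means host check OR auth; "Allow from all" makes the host
# check always pass, so no password is asked.
<Files "wp-cron.php">
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

# ---- /wp-admin/.htaccess ----
# Password-protect the whole admin directory ...
AuthType Basic
AuthName "Login first"
AuthUserFile /path/to/.htpasswd
Require valid-user

# ... except the endpoints that front-end plugins call on behalf of
# logged-out visitors (the "Admin Ajax Issue" in the wpbeginner tutorial).
# WordPress still runs its own capability checks inside these files.
<FilesMatch "^(admin-ajax|admin-post)\.php$">
    Order allow,deny
    Allow from all
    Satisfy any
</FilesMatch>

# Apache 2.4 without mod_access_compat: replace the three host-check lines
# in each exception block with a single "Require all granted".
```

After changing the files, a request for /wp-cron.php should answer without a 401, while /wp-login.php and /wp-admin/ should still prompt; if the cron request is still rejected, check that no earlier directory-level Require covers the site root.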

Hey @kbez. Definitely let us know if your hosting provider offers you a solution.
