Securing WordPress Against Hackers and DDoS Attacks

Originally published at: http://www.sitepoint.com/securing-wordpress-hackers-ddos-attacks/

There’s no disputing the popularity of WordPress, which powers more than 74.6m sites around the world, with 48% of Technorati’s top 100 blogs being managed by the platform. In the online world though, anything that’s popular is more open to attack and WordPress is no exception. However, the types of attack that tend to hit WordPress sites – unless you’re a big brand – are generally carried out by people without a huge amount of technical know-how. These are often referred to as ‘script kiddies’, as they use common code, techniques and kits in order to hack target sites.

XML-RPC for WordPress

The good news about this is that it means that often an attack can be dealt with quickly and easily. It’s not necessary to get to the stage where an attack does damage though, as most can be prevented in the first place. So today, we’ll be looking at how you can secure your installation and avoid common hacks.

Start with the Server

Before you think about securing your site, you should start from the ground up and that means making sure that your hosting server is secure in the first place. Starting with the basics, you should choose a host based on security and reputation and not on price. Whilst I’m sure there are some decent cheap hosts out there, for the most part hosting that costs you $2 per month is not going to cut the mustard.

Most of the managed WordPress hosting services have a reputation for secure hosting. They don’t all allow some performance-related plugins though, so you should check first to see exactly what access and level of control you have.

Continue reading this article on SitePoint

Hi There:

Applying an automatic update in WordPress is evil. Let’s say that I build a site for a customer with a specific plugin (usually we use more than 5 plugins). The next time that WordPress updates, it could break the functionality of some (or all) plugins. This is without counting the template of the site.

Well, it does have the “Important! Back-up your database and files before proceeding” warning, but we all know how effective that is :wink:

Of course an auto “rollback” (or at least a button) to correspond with the upgrade upon any FAIL would be ideal.

Hey @ProfesorJorge. Thanks for the response! In the nature of this post (high security), I disagree that it’s evil. However, in terms of making sure functionality doesn’t break (especially when using multiple third party plugins that you don’t control), applying an automatic update is evil.

Everything requires balance though, and every person’s case is different. There may be some scenarios where applying an automatic update is an effective - even enforced - security measure.

You can also put your wp-config.php file one step above its root directory. It will be accessible to WordPress itself but not to others unless WordPress is installed in some sub-directory.

Avoid using the wp_ prefix for WordPress tables, and avoid using the Admin username, as told in this article.
There is a plugin “All In One WP Security & Firewall”. It can do many of these things for you. But be cautious about using it. If you know things well, you can tighten your security further with this plugin.

I just translated the slides from my WordCamp talk into English (it is the first version of the translation, there may be many grammar mistakes). You can find many security tips there.

@picwellwisher12pk I don’t like to move wp-config up. This action prevents revealing information when the server stops interpreting PHP code and shows the source code. There was a bug in Plesk years ago that allowed showing source code - this is the origin of this technique. If you move wp-config up, you need to allow scripts to access directories outside the web root. It may pose a greater risk.

Changing the wp_ prefix is good advice, but it protects only against simple bots and script kiddies. If SQL injection is possible, you can get the correct prefix easily. Good practice is to block queries including “union” and other suspicious SQL commands.

Awesome advice @smitka. And thanks for translating your presentation and sharing it here. There’s a lot of good WP security advice in it. I really love slides 13 and 15 and how you point out the misordering of priorities in relation to business impacts.

@smitka What WordPress security plugin do you recommend?

Hello! How do you password protect your directory by setting up .htaccess password protection?

Hey @php. I recommend taking a look at this - https://wordpress.org/support/topic/password-protect-a-directory-with-htaccess - and this - http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/.

Hi, the tutorial on wpbeginner looks very good. Pay attention to the “Admin Ajax Issue” section to allow admin-ajax.php. Some plugins also use the admin-post.php file.

There are three very good plugins:

  • WordFence
  • iThemes Security
  • All in one WP security and firewall

My favourite one is WordFence. It has some interesting features:

  • Limiting (not blocking) some traffic
  • Notification when plugins/themes update available
  • File change detection with possibility to roll back changes

On the other hand, iThemes provides pretty good URL filtering and has the ability to change the wp-admin slug.

I really like the combo of WordFence + some rules from the .htaccess generated by iThemes Security + rules to block queries containing “wp-config.php” and to block harvesting of user names.

I usually don’t use security plugins on my own servers - I block login and scanning attempts with fail2ban and use a WAF (naxsi) to enhance overall security (but it is quite hard to maintain the rules).
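The two server-side measures mentioned in this thread, blocking requests whose query carries “union” or references wp-config.php (a WAF-style rule) and banning clients that hammer wp-login.php (what a fail2ban jail does), can both be expressed as checks over the web server’s access log. The script below is an added example written for this thread; it is not code from WordFence, naxsi or fail2ban. The log lines are constructed, the list of SQL tokens and the maxretry/findtime values are assumptions chosen for the demo, and the regex expects Apache’s “combined” log format.

```python
"""Detection over Apache access-log lines (added example, not from the thread).

Two checks discussed above:
  1. flag requests whose query string carries suspicious SQL tokens such as
     "union", or that reference wp-config.php, as a WAF rule would;
  2. count POSTs to wp-login.php per client IP inside a time window and
     report IPs that reach a threshold, the way a fail2ban jail would.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# SQL tokens a simple WAF rule might block (assumed list, not from the thread).
SQL_TOKENS = re.compile(r"\b(union|select|information_schema|sleep|benchmark)\b", re.I)

# Constructed sample log: one SQL-looking query, one wp-config.php reference,
# one client posting to wp-login.php five times in eight seconds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "GET /?s=wordpress HTTP/1.1" 200 5123
203.0.113.7 - - [10/Mar/2015:10:00:02 +0000] "GET /?p=1%20UNION%20SELECT%201 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Mar/2015:10:00:03 +0000] "GET /?download=wp-config.php HTTP/1.1" 404 210
198.51.100.4 - - [10/Mar/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.4 - - [10/Mar/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.4 - - [10/Mar/2015:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.4 - - [10/Mar/2015:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
198.51.100.4 - - [10/Mar/2015:10:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
192.0.2.10 - - [10/Mar/2015:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], TS_FMT)
    d["status"] = int(d["status"])
    path, _, query = d["path"].partition("?")
    d["path"] = path
    d["query"] = unquote_plus(query)  # decode %xx so encoded tokens are visible
    return d


def suspicious_request(entry):
    """Return a reason string if the request should be blocked, else None."""
    if "wp-config.php" in entry["query"].lower() or "wp-config.php" in entry["path"].lower():
        return "wp-config.php reference"
    if SQL_TOKENS.search(entry["query"]):
        return "sql token in query"
    return None


def login_bruteforce_ips(entries, maxretry=5, findtime=timedelta(minutes=10)):
    """IPs with at least `maxretry` POSTs to wp-login.php inside any `findtime` window."""
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].endswith("/wp-login.php"):
            per_ip[e["ip"]].append(e["ts"])
    banned = set()
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(ip)
                break
    return banned


def analyze(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return (flagged requests as (ip, path, reason), set of IPs to ban)."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    flagged = []
    for e in entries:
        reason = suspicious_request(e)
        if reason:
            flagged.append((e["ip"], e["path"], reason))
    return flagged, login_bruteforce_ips(entries, maxretry, findtime)


if __name__ == "__main__":
    flagged, banned = analyze(SAMPLE_LOG)
    for ip, path, reason in flagged:
        print(f"block {ip} {path}: {reason}")
    for ip in sorted(banned):
        print(f"ban {ip}: wp-login.php brute force")
```

The query is URL-decoded before matching so that `%20UNION%20` is caught as readily as a plain `union`; a rule that only looks at the raw request line misses the encoded form. For the login counter, the window is evaluated per IP over sorted timestamps, so a client that spreads attempts beyond the findtime window is not banned, which matches how fail2ban’s maxretry/findtime pair behaves.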
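WordFence’s “file change detection with possibility to roll back changes” from the feature list above comes down to keeping a hashed baseline of the install plus a copy of each file, then diffing the live tree against it. The script below is an added illustration of that idea and is not WordFence’s code; the directory layout, file names and “tampering” it performs are all constructed inside a temporary directory for the demo.

```python
"""File-change detection with roll-back (added example; not WordFence's code)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, store):
    """Hash every file under `root` and keep a copy in `store` for roll-back.

    `store` should live outside the web root so an attacker who can write to
    the site cannot also rewrite the baseline.
    """
    root, store = Path(root), Path(store)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = sha256_of(p)
            dest = store / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
    (store / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def scan(root, store):
    """Compare the current tree against the stored manifest."""
    root, store = Path(root), Path(store)
    baseline = json.loads((store / "manifest.json").read_text())
    current = {p.relative_to(root).as_posix(): sha256_of(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "deleted": sorted(f for f in baseline if f not in current),
    }


def rollback(root, store, rel):
    """Restore one file from the baseline copy; returns True if it was restored."""
    src = Path(store) / rel
    if not src.is_file():
        return False
    dst = Path(root) / rel
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dst)
    return True


def demo():
    """Build a tiny constructed site, tamper with it, detect, roll back."""
    with tempfile.TemporaryDirectory() as d:
        site, store = Path(d) / "site", Path(d) / "baseline"
        (site / "wp-includes").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "functions.php").write_text("<?php // original\n")
        build_baseline(site, store)
        # simulated tampering: a modified core file plus an unexpected new file
        (site / "wp-includes" / "functions.php").write_text("<?php // injected\n")
        (site / "dropped.php").write_text("<?php // unexpected\n")
        report = scan(site, store)
        restored = rollback(site, store, "wp-includes/functions.php")
        after = scan(site, store)
        return report, restored, after


if __name__ == "__main__":
    report, restored, after = demo()
    print("detected:", report)
    print("rolled back functions.php:", restored)
    print("after roll-back:", after)
```

Roll-back only restores files that exist in the baseline, so a file the scan reports as “added” is left for a human to inspect and remove; silently deleting unknown files is how legitimate uploads get lost.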

This is great. Thanks so much!

I have one more question. How do you change the default WP login.php to something else?

If you use the “hide backend” feature in iThemes Security, login.php is also hidden (until you visit the new wp-admin URL).

Be careful copying and pasting the code shown in the article above. It contains smart quotes, not regular straight quotes.

Thanks for pointing that out, @mginop!

Great post. But I think you could have added a few more aspects of security :smile:

Hi @AmitMojumder – security is a very broad topic. If there’s ever anything in particular you’d like to see on the WordPress channel, let me know and I’ll feed it back to the authors :smile:

@mginop thanks for the heads up, I’ve fixed the smart quotes!

Hi, I discovered an interesting security plugin - https://wordpress.org/plugins/wp-simple-firewall/, it looks promising.

Features:

  • simple interfaces
  • audit log - almost all actions are logged - login, plugin install, mail sent, new content
  • selectable autoupdater
  • 2-factor authentication with YubiKeys (FIDO is not supported)
  • common exploits filter (rev slider…)

Downsides:

  • no 404 detection
  • no file change detection
  • blocks PHP uploads only in the WP uploader (via hook, not via .htaccess)