Since WordPress is now the most popular CMS for building websites of every kind, it has also become a popular target for attackers. To safeguard an installation from malicious activity, a number of steps need to be taken at both the user and the administrator level.
In our previous blog posts (Blog 1, Blog 2) on WordPress security, we discussed web server and database security; vulnerabilities related to the network and to WordPress itself; how you can secure your site by using a strong password and two-factor authentication; why it is important to use protected file transfer and to restrict file permissions; and other steps you should consider for hardening your WordPress installation.
In this blog post, we will discuss some steps for securing the WordPress admin folders, and how disabling file editing and keeping plugins updated can harden your WordPress installation further.
8. Safeguarding wp-admin
You can increase the security of your files, the login screen and the admin area of your blog by adding BasicAuth-style password protection to /wp-admin/ at the server side. Any malicious attack aimed at your admin files then first has to get past this second layer of protection. A large number of attacks on WordPress installations are run automatically by bots.
However, it should be noted that some WordPress functionality may be affected when you protect the wp-admin/ directory in this way, such as the AJAX handler at wp-admin/admin-ajax.php, which unauthenticated front-end requests may need to reach.
There are basically two kinds of attacks that are most commonly executed on a WordPress blog:
- Attempts to gain access to the blog by guessing passwords through ‘brute force’.
- Specially crafted HTTP requests to the blog’s server carrying exploit payloads for particular vulnerabilities, typically in outdated software and plugins.
This second layer of password protection should be combined with requiring an SSL-encrypted (HTTPS) connection for administration, so that the credentials it adds, along with all other sensitive information exchanged with the admin area, are encrypted in transit.
9. Safeguarding wp-includes
It is also recommended that a second protection layer be added in front of scripts that users never need to access directly. A simple way to accomplish this is to block those scripts through mod_rewrite in the .htaccess file.
Important: Place the code given below outside the # BEGIN WordPress and # END WordPress markers in the .htaccess file. WordPress can overwrite anything between these markers, so rules placed there may be lost.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for any request that is not under wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
Note: On Multisite, this will not work as desired, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would stop image generation by the ms-files.php file. When this line is removed, the code will function, but it offers reduced security.
10. Safeguarding wp-config.php
It is also possible to add security by moving your wp-config.php file into the directory one level above your WordPress installation. For a site deployed in the root of your webspace, this means storing wp-config.php outside the web root folder. However, opinions differ on whether moving wp-config.php brings a real security benefit.
It should be noted that WordPress looks for wp-config.php one directory level above the installation, i.e. the directory that contains the WordPress folder in which wp-includes resides. You also need to ensure that only you and the web server have permission (400/404) to read it.
If you are using a server with .htaccess, the code below can be put at the very beginning of that file to prevent anyone who goes looking for wp-config.php from accessing it (the Files wrapper limits the rule to that one file):
<Files wp-config.php>
deny from all
</Files>
11. Disabling File Editing
By default, administrators are allowed to modify PHP files, such as theme and plugin files, from within the WordPress Dashboard itself. An attacker who manages to log in will reach for this tool first, as it permits code execution. WordPress provides a way to disable editing through the Dashboard. This will not stop an attacker from uploading malicious content to your website by other means, but it can prevent some attacks. You just need to place the line given below in the wp-config.php file; it is equivalent to removing the ‘edit_files’, ‘edit_themes’ and ‘edit_plugins’ capabilities from all WordPress users.
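The placement rule from section 9, the permission requirement from section 10 and the DISALLOW_FILE_EDIT constant behind section 11 can all be checked from the shell. This is an added audit script, not code from the original post or from WordPress; it assumes a WordPress root directory as its only argument, treats modes 400 and 440 as the acceptable wp-config.php modes (440 for the case where the web server runs under a dedicated group), and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit (not from the original post): checks three of the hardening steps
# above on the WordPress root given as $1. Sample files below are constructed.

# Section 10: wp-config.php readable by its owner only, or by owner plus a
# web-server group (modes 400 and 440 are assumed as the acceptable targets).
check_config_perms() {
  case "$(ls -ld "$1" | cut -c1-10)" in   # symbolic mode, POSIX-portable
    -r--------|-r--r-----) return 0 ;;
    *) return 1 ;;
  esac
}

# Section 11: an uncommented define('DISALLOW_FILE_EDIT', true) must be present.
check_file_edit_disabled() {
  grep -Ev '^[[:space:]]*(//|#|\*)' "$1" |
    grep -Eq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)"
}

# Section 9: the include-only rules must sit outside the "# BEGIN WordPress"
# ... "# END WordPress" region, because WordPress rewrites that region.
check_includes_rules() {
  awk '/^# BEGIN WordPress/ { inblock = 1 }
       /^# END WordPress/   { inblock = 0 }
       /^RewriteRule[ \t]+\^wp-includes\// && !inblock { found = 1 }
       END { exit (found ? 0 : 1) }' "$1"
}

# Runs all three checks, names each failure, and succeeds only if all pass.
audit_site() {
  rc=0
  check_config_perms "$1/wp-config.php" || { echo "wp-config.php readable beyond owner/group"; rc=1; }
  check_file_edit_disabled "$1/wp-config.php" || { echo "DISALLOW_FILE_EDIT is not set"; rc=1; }
  check_includes_rules "$1/.htaccess" || { echo "wp-includes rules missing or inside the WordPress block"; rc=1; }
  return $rc
}

# Writes a constructed sample site that satisfies all three checks.
make_sample_site() {
  mkdir -p "$1"
  printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$1/wp-config.php"
  chmod 400 "$1/wp-config.php"
  printf '%s\n' '# Block the include-only files.' \
    'RewriteRule ^wp-admin/includes/ - [F,L]' \
    'RewriteRule !^wp-includes/ - [S=3]' \
    'RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]' \
    '# BEGIN WordPress' '# END WordPress' > "$1/.htaccess"
}

if [ "$#" -eq 1 ]; then audit_site "$1"; fi
```

Run it as `sh audit.sh /path/to/wordpress`; a non-zero exit with one line per failed check tells you which of the three steps still needs attention.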
12. Updating Plugins
You need to ensure that your plugins are always up-to-date. In case there is some plugin that you are not using, it would be wise to delete it from the system.
A number of services and plugins can act as your site’s firewall. Many of them modify your .htaccess file and block access at the Apache level, before the request is processed by WordPress; All in One WP Security and iThemes Security are examples. Other firewall plugins, such as Wordfence, operate at the WordPress level and filter attacks while WordPress is loading, before the request is fully processed.
In addition to plugins, a web application firewall (WAF) can be installed on your web server to filter requests before WordPress processes them. ModSecurity, for instance, is a well-known open source WAF.
You can further enhance security by placing a firewall between your web host and the internet and editing your DNS records so that traffic is routed through it. The firewall then filters all traffic before it reaches your site. Companies such as Sucuri and CloudFlare offer these services.
- Plugins requiring write access
If any plugin asks for write access to your WordPress directories and files, you should first verify its legitimacy by reviewing its code.
- Code execution plugins
One of the main aims of WordPress hardening is to limit the damage an attack can do as far as possible. If an attack does succeed, plugins that allow arbitrary PHP or other code to be executed from database entries magnify the potential damage enormously. This can be avoided by using custom page templates that call the required function directly instead. Part of the protection this affords only applies when file editing within WordPress is disabled.
NOTE: This blog is the third part of a four blog series on WordPress hardening. Part 1 and Part 2 are already live. Part 4 will be published soon and will deal with 3 more steps for WordPress hardening – including security through obscurity, data backups and logging and monitoring.
UPDATE: Part 4 is now live.