As you all know Nam Huy Linux Blog uses wordpress, and many popular websites like The New York Times, CNN, Forbes, boingboing, Ebay…. also uses wordpress. WordPress is an open source personal or professional blogging tool, Content Management System (CMS). WordPress requires PHP 5.2.4 or greater and MySQL 5.0 or newer on a hosting server to work. I’m not going to show you how to install or use wordpress in this article, but I’m going to show you how to secure wordpress to help your website as secure as possible.
1. Use secure password
Password is like a key to get into treasure chest, it’s a first line of defense in a digital world. You use password daily to access to your computer, windows/mac/Linux accounts, tablet or phone. Strong and secure password is important to protect yourself from identity theft and hacker, in our case we use secure and strong password to protect WordPress account, ssh account, Cpanel or Plesk account, ftp account.
DO:
- Use password at least eight characters or more
- Combine upper and lower case letters.
- Numbers and punctuations or symbols such as ~ ! @ # $ % ^ & * ( ) _ + [ ] { } ‘ ” < > ? / . ,
- Change your password frequently every 3-4 months
DON’T:
- Use the password included with your username, your name
- Use the same password for every website, account
- Your birthday
- Your family member’s name
- keyboard pattern, sequences or repeated characters, such as qwerty, asdfghjkl, or 12345678.
2. Update WordPress
Since WordPress 2.7, WordPress includes automatic updates within itself. You can easily check and update WordPress core to the latest version with a few mouse click from your WordPress Admin Panel. New and latest WordPress version always included bugs and vulnerabilities fixes which keep your WordPress website out of hacker attack.
By default to update WordPress core, you can go to wp-admin or your WordPress Admin Panel by this URL (replace yourwebsite.com to your website domain.
http://yourwebsite.com/wp-admin/update-core.php
or
http://yourwebsite.com/wp-admin/
After login with you wordpress administrator account, go to “Dashboard”, then “Updates”
3. Update WordPress Plugins
Similar to WordPress core, WordPress plugins need to update as soon as new releases are available for download or update via your wp-admin. Most WordPress plugins are free of charge and developed by volunteers. WordPress Plugins usually adds new functions to your WordPress blog or website, such as captcha, Akismet to prevent spam, create XML sitemaps, improve SEO for search engine optimization. By updating WordPress plugins to the newest version will not only improve the plugins and WordPress website stability, but improve your website security and functionality.
Please note there are many great plugins for wordpress, some of them will actually will do more harm than good for your website. Some WordPress plugins can break your website, some brings more security vulnerabilities, and some will make your WordPress website to use excessive cpu and memory.
Only add WordPress plugins have good reputation and history, add only what you need for your website. Finally only add one at a time to make sure that plugin work well with your website. If you add a lot of plugins at the same time and your website breaks, you won’t know which cause the problem.
4. Disable New User Registration
By default wordpress let anyone can register a membership as a subscriber, you can change new user default role in admin panel by going to Settings/General Settings. Most of the time spammers or bots try to register, them spam your website in comments which will make your posts look like a mess and later on will be out of control.
To disable New WordPress Registrations, go to WP Admin > Settings > General, you will see Membership, and a box to check with “Anyone can register”. Uncheck that box to prevent any new registrations.
5. Use robots.txt
Most popular search engines like Google, bing, or yahoo will follow robots.txt instructions in your website root directory. With robots.txt file, you can allow and/or prevent search engine robots/bots to crawl/index to certain part or single pages of your website.
robots.txt is file text file which includes a list of Allow and Disallow to tell the search engine bots should or should not visit that page on the website.
Some simple robots.txt rules
- User-agent: the name of the search engine bots/robots
- Allow: the URL you let search engine bots crawl and index
- Disallow: the URL you do not want search engine bots crawl and index
- Sitemap: URL of your XML sitemap file to let search engines crawl and index easier and faster.
- * wildcard, you can block and allow the whole directory with * wildcard
In this article we are going to use robots.txt to prevent search engine to crawl some important wordpress directory that you don’t want search engine to index them. You want your robots.txt file prevent search engines bots to crawl most of wordpress core directories except /wp-content/uploads/ which all your upload images will be store here and if you want google images search to crawl and display them in google images search.
- /wp-admin/ wordpress Admin Panel, you don’t want anyone to know or access this area.
- /wp-includes/ most of wordpress core files are here
- /wp-content/ contains themes, plugins, and some user upload files and to be writeable by you or users to the webserver, which break down to
- /wp-content/themes/ themes files
- /wp-content/plugins/ plugins files
- /wp-content/uploads/ users upload files
Here are the typical robots.txt file for a wordpress website, it may be vary depends on your wordpress setup but you get the idea.
User-agent: * Allow: /wp-content/uploads/ Disallow: /cgi-bin/ Disallow: /feed/ Disallow: /trackback/ Disallow: /wp-admin/ Disallow: /wp-content/ Disallow: /wp-includes/ Disallow: /xmlrpc.php Disallow: /wp- Allow: /wp-content/uploads/ Sitemap: http://yourdomain.com/sitemap.xml
6. Protect WordPress Admin Panel
WordPress Admin Panel is located at /wp-admin/ in your domain root directory, which allow you control and mange your wordpress website. Unless you have multiple users or writers, you don’t want anybody without permission access this place. The best way to protect the Admin Panel is by using .htaccess and .htpasswd (password protecting a directory).
.htaccess is a text file that contains the rules and configs for the directory where it’s placed, those rules and configs will be enforced in that directory and it’s sub directories.
.htpasswd is a text file that contains plain-text usernames and encrypted passwords.
First, create .htaccess file in /wp-admin/ directory. Remember to change AuthUserFile /home/username/.htpasswd to where your .htpassed is located.
AuthType Basic AuthName "Protected Area" AuthUserFile /home/username/.htpasswd Require valid-user
Second, create .htpasswd file, I highly recommend you to store .htpasswd file where that is not public accesible. For example /home/username above the www or html_public directory. You can google search with keyword .htpasswd generator or .htpasswd creator. You can also create one yourself with the simple rule
(plain-text username)(:)(md5 encrypted text/password)
Your .htpasswd should look something like this.
username:$apr1$/QCaxMiw$ylE03Jdu6GRrUmALlzjrv0
7. Hide WordPress version
Follow up 2. Update WordPress, older WordPress may contains many bugs take make your WordPress vulnerable to attack. You don’t want anybody or the public know what version you are running, so the best way is to hide it. To do that, go to your WordPress Admin Panel, then Appearance, Editor, select the Theme you are using, find Theme Functions (functions.php). Add this code to functions.php file
function remove_wp_version() { return ''; } add_filter('the_generator', 'remove_wp_version');
8. Protect wp-config.php and .htaccess files
wp-config.php file contains many critical and sensitive information in your WordPress setup, for example mysql database connection username and password in plain-text! base WordPress configs. For that reason nobody should have access to wp-config.php beside you. You can deny and prevent anyone if you use shared hosting environment to sneak on your wp-config.php file by adding this code to .htaccess file in WordPress root directory.
<Files wp-config.php> order allow,deny deny from all </Files>
If you have been reading and following me up until this point, you can see we use .htaccess very often to protect WordPress. Using .htaccess may slow down Apache http server, but if you are using shared hosting, you don’t have the luxury to access httpd.conf file. The only way you have access to httpd.conf file is to use VPS (Virtual private server) or delicated server. Even though by using .htaccess slows Apache http server down, you wont really notice it. Then what is .htaccess files? .htaccess file is a file which contains one or more configuration directives and sub directories where .htaccess file is located.
To protect .htaccess file itself from shared hosting neighborhoods, add this code to all the .htaccess files that you have.
<Files .htaccess> order allow,deny deny from all </Files>