Wordpress Bulletproof Security Secrets

[GoWork]

Step 1: Choose a good hosting provider.

We tend to choose the cheapest hosting provider we can get, and this is a very bad move if you want a secure website. Many of the cheap ( and free) shared web-hosts do not have the folders Chmoded properly. You can actually enter another user's FTP using a shell script hosted on your folder. At-least 30 - 40% websites are hacked because of this vulnerability. Some of the well known Hosts like HostGator and GoDaddy have very strict Folder permissions. So, go with them if you can't afford a dedicated Server.

Step 2: Primary Installation configuration

When you are installing Wordpress on your server, DO NOT CHOOSE the default username (admin) and db prefix (wp). Instead use a Hard to Guess username and Choose an Alpha-Numeric sentence (not word!) with some special characters added to it for password, and a different db prefix. Password Cracking has become increasingly fast and the hackers now use GPU instead of CPU to bruteforce. It is at least 1000 times (or even more!) faster. So choose db prefix, password and username carefully. This will make the n00bs frustrated and give up their hope.

Step 3: Delete everything that you don't use, choose the right theme.

I am not sure how much effective this is, but you should delete all the unused themes (including twenty ten and twenty eleven) and plugins (including hello dolly). This will make your server more manageable and you will be able to detect the shell scripts faster.
Choosing the right theme matters! Make sure your theme doesn't have TimThumb script which hackers exploit to upload a remote malicious php file. The best way is to make the theme yourself! If you can't do that, then out source the job to some freelance site. Make sure your theme's user inputs are properly escaped, so that there isn't any SQL Injection vulnerability.

Step 4: Install "Login LockDown"

This plugin makes brute-forcing much more tougher. If the hackers use WP-Scan type of scanners, it will throw warning to them that this site is using Login LockDown . Some of them might get frustrated and give up trying!

Step 5: Mute all the errors

This is a very important step that you need to take for not only WP installation, but for any system in production environment. Many of the hackers use FPD (Full Path Disclosure) vulnerability in Wordpress to know the full path of your site. There can also be other kinds of error notices which can leak sensitive information to the attacker. The best way to mute all errors is by modifying your php.ini file. If you are using Godaddy as your host, then make a new file called php5.ini ( if there isn't any already. create php.ini if your php version is 4, not 5) and add the following line:


Code:display_errors = Off
expose_php = Off

The code may vary from host to host. You should really ask the support staff how to do this.

Step 6: Password Protect your wp-admin directory (the twist!)

by protecting your wp-admin directory, you kind of add a extra layer of protection to your admin section. This works pretty well and I have even seen some major security blogs ( they are the experts isn't it!) doing this. How to do this?
Firstly you need a htpasswd file. There are tons of online htpasswd generators available such as


Code:www.htaccesstools.com/htpasswd-generator/

Enter your username and password and it will create the htpasswd for you. Not to mention again, choose some unique and hard to guess username and alpha numeric sentence with added special characters as the password. Save it in a file called .htpasswd and place the file outside your public_html folder (uploading the file outside the public_html makes it harder to access the file from web).
Now create a new .htaccess file with the following rule and upload the .htaccess file under your wp-admin folder.


Code:AuthUserFile /full/path/to/your/htpasswd/folder/.htpasswd
AuthGroupFile /dev/null
AuthName "Password Protected Area"
AuthType Basic
<limit GET POST>
require valid-user
</limit>

Step 7: Maintenance and backup:

Keep an eye on your apache log files to see if anything funny is going on! Also, do regular backups. When ever you update your content, take a full db and site backup. This way, you can revert back to the last back up if something happens.

That's basically it! I hope you enjoy reading this and more importantly, it helps someone

[tonny]

+Reps Added

[spixel]

thanks for sharing your experience , some of these i didnt know about , im gonna start updating my website , thank you again reps added

[Sunil aryan]

Thanks, very nice insights.

[Lumos]

Given that the OP is ~5.5 years old now, I wonder what other steps might be needed which have come about due to changes during all that time ??

[FreeBlackHat]

We are applying all of these options inside our hosting company : )

Thanks for sharing your experiences.