Why is this happening so often?
A few years ago, only hackers were able to crack websites and bring them down due to their level of knowledge in systems, networking, and coding. In recent times, however, things have changed and just about anyone can find tutorials on the Internet that show step-by-step procedures to penetrate a website running vulnerable software.
At Kualo, we take security seriously and have implemented several systems to protect your applications from being exploited. We cannot, however, protect every piece of software that clients operate on their sites, as there is no guaranteed way to protect your websites from being exploited due to vulnerabilities resulting from not upgrading to the latest releases, poorly coded plugins, or custom code.
This tutorial aims to focus on a common web application used by our clients – WordPress. We’ll provide some tips and suggestions that will help you add an extra layer of security to your WordPress installations.
Important Points:
- Always keep your WordPress installation up to date, including (crucially!) any plugins that you have installed
- Create a new admin user with a custom username, and then delete the default ‘admin’ user as many attacks will target standard usernames
- Change your admin account password regularly
- Only install plugins that are well-reviewed by the WordPress community, and are actively developed
- Change the default database prefix. All default WordPress installs use the database prefix of “wp_” which makes any exploiter’s job much easier. You can change this prefix to something unique – the following plugin can quickly help you change your WordPress database prefix with a few clicks: http://wordpress.org/extend/plugins/db-prefix-change/
Securing WordPress:
Below is a list of recommended modifications or adjustments to make to your WordPress installations. Read it carefully and if you have any questions feel free to get in touch with our support team before proceeding.
1) Hide your WP version. Hiding the WP version makes it harder for bots collecting information about your site to identify whether or not you run a vulnerable version. You can use the following plugin to do it for you: http://wordpress.org/extend/plugins/hide-wordpress-version/
2) Limit access to the admin area (the wp-admin directory) using the password protection tool in your account’s cPanel interface
For steps 3 and 4, please bear in mind that any changes made to the .htaccess file need to be placed outside the tags # BEGIN WordPress and # END WordPress. Anything written between those tags can be overwritten by the WordPress application.
3) Secure access to key files by adding the following lines to the .htaccess file in your WordPress installation directory:
<files .htaccess wp-config.php>
order deny,allow
deny from all
</files>
4) Secure access to your wp-includes directory. This is often used by hackers to place malicious files when they find a vulnerable installation. Add the following lines to the .htaccess file in your WordPress installation directory:
# Block include-only files.
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# End block include-only files (Apache does not allow a comment on the same line as a directive, so keep it on its own line)
Note that this won’t work well on Multisite WordPress installations, as the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from serving images. Omitting that line will allow the rest of the block to work, but offers less protection.
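To see which requests the rule chain in step 4 actually refuses, and why the Multisite caveat arises, here is an added Python simulation of the five RewriteRule lines; it is not part of this article or of WordPress, and it models only the [F] and [S=n] flags used above (not all of mod_rewrite). It assumes, as mod_rewrite does inside a per-directory .htaccess, that the request path is matched relative to the WordPress root without a leading slash.

```python
import re

# The rule chain from step 4, transcribed as (pattern, negated, flags).
# Assumption: paths are matched relative to the WordPress root without a
# leading slash, as mod_rewrite does inside a per-directory .htaccess.
RULES = [
    (r"^wp-admin/includes/",                   False, {"F": True}),
    (r"^wp-includes/",                         True,  {"S": 3}),   # RewriteRule !^wp-includes/ - [S=3]
    (r"^wp-includes/[^/]+\.php$",              False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/",            False, {"F": True}),
]

# The Multisite variant the text describes: the same chain with the
# ^wp-includes/[^/]+\.php$ rule omitted so that ms-files.php stays reachable.
MULTISITE_RULES = [rule for rule in RULES if rule[0] != r"^wp-includes/[^/]+\.php$"]


def is_forbidden(path: str, rules=RULES) -> bool:
    """Walk the chain the way mod_rewrite does and report whether the request ends in a 403.

    [F] forbids immediately; [S=n] skips the next n rules when its pattern matches.
    The second rule's pattern is negated, so the skip fires for every path that is
    NOT under wp-includes/, and those paths never reach the wp-includes rules at all.
    A skip that runs past the end of the chain simply ends processing.
    """
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        matched = re.search(pattern, path) is not None
        if negated:
            matched = not matched
        if matched:
            if flags.get("F"):
                return True
            i += 1 + flags.get("S", 0)
        else:
            i += 1
    return False


def audit(paths, rules=RULES) -> dict:
    """Map each sample path to True (blocked with 403) or False (served)."""
    return {path: is_forbidden(path, rules) for path in paths}


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real site.
    SAMPLE = [
        "index.php",
        "wp-content/plugins/example/example.php",
        "wp-admin/includes/file.php",
        "wp-includes/ms-files.php",
        "wp-includes/js/jquery/jquery.js",
        "wp-includes/js/tinymce/langs/en.php",
        "wp-includes/theme-compat/comments.php",
    ]
    for path, blocked in audit(SAMPLE).items():
        print(f"{'403' if blocked else '200'}  /{path}")
    print("ms-files.php under the Multisite variant blocked:",
          is_forbidden("wp-includes/ms-files.php", MULTISITE_RULES))
```

Running it shows that static assets such as wp-includes/js/jquery/jquery.js are still served, that any .php file directly inside wp-includes/ (including ms-files.php) gets a 403, and that dropping the single rule restores ms-files.php while the tinymce and theme-compat rules keep working.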
5) Block search engine bots from browsing your directories. Google and other search engines can crawl unwanted URLs and expose them to hackers. It’s best to prevent the Google bot, and any other bots that honour robots.txt (not all of them do), from indexing anything but your content. robots.txt is a plain text file that lives in your site’s root folder. Edit or create the robots.txt file in your public_html folder and ensure it contains the following:
User-agent: *
Crawl-delay: 5
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*
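The following added Python example (not part of this article, and not a Kualo or WordPress tool) parses the robots.txt above and answers, for a given URL path, whether a crawler that honours it may fetch the page. It implements the `*` wildcard and the `$` end anchor, with the longest matching rule taking precedence and Allow winning ties, because the last line, Disallow: /wp-*, relies on wildcard support: crawlers that implement only the original robots.txt standard read that value literally, and Python’s own urllib.robotparser does not expand `*` either. The robots.txt text is embedded as the sample input; the extra user-agent block in the usage section is constructed for illustration.

```python
import re

# The robots.txt from step 5, embedded here as the sample input.
ROBOTS_TXT = """\
User-agent: *
Crawl-delay: 5
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-*
"""


def pattern_to_regex(pattern: str):
    """Translate a robots.txt path pattern into a compiled regex.

    '*' matches any run of characters and a trailing '$' anchors the end of the
    path (the wildcard extensions Google and most large crawlers support);
    everything else is literal and matches as a prefix of the request path.
    """
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in body)
    return re.compile("^" + regex + ("$" if anchored else ""))


def parse_robots(text: str) -> dict:
    """Return {user-agent: [(directive, pattern), ...]} for Allow/Disallow lines."""
    groups: dict = {}
    agents: list = []
    previous_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not previous_was_agent:               # a rule line ended the last group
                agents = []
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
            previous_was_agent = True
            continue
        previous_was_agent = False
        if field in ("allow", "disallow") and value:  # an empty Disallow permits everything
            for agent in agents:
                groups[agent].append((field, value))
        # Crawl-delay, Sitemap and unknown fields do not affect fetch permission here.
    return groups


def is_allowed(groups: dict, path: str, agent: str = "*") -> bool:
    """Longest-match precedence: the most specific matching rule wins, Allow wins ties."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    best = None                                      # (pattern length, allowed?)
    for directive, pattern in rules:
        if pattern_to_regex(pattern).match(path):
            candidate = (len(pattern), directive == "allow")
            if best is None or candidate[0] > best[0] or (candidate[0] == best[0] and candidate[1]):
                best = candidate
    return True if best is None else best[1]


if __name__ == "__main__":
    groups = parse_robots(ROBOTS_TXT)
    # Constructed sample paths, not from any real site.
    for path in ["/about/", "/2013/05/hello-world/", "/feedback/", "/feed/",
                 "/wp-login.php", "/wp-admin/admin-ajax.php", "/xmlrpc.php",
                 "/wp-content/uploads/photo.jpg"]:
        print(f"{'allow   ' if is_allowed(groups, path) else 'disallow'} {path}")
```

Two things the output makes visible: Disallow: /wp-* also covers wp-login.php, wp-cron.php and any other file whose name starts with wp-, not only the three directories; and Disallow: /wp-content/ keeps honouring crawlers away from uploaded images as well. Either may be what you want, but it is worth knowing before you publish the file. The file is advisory only: it steers well-behaved crawlers, it does not restrict access, which is why steps 2 to 4 still matter.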
Extra Precautions:
We recommend that you consider installing the following plugins into your WordPress installation to add an extra layer of security. Please note that you don’t have to install them all, just choose the ones that best suit you:
- http://wordpress.org/extend/plugins/limit-login-attempts/ – Limit Login Attempts: It blocks IPs after several authentication failures.
- http://wordpress.org/extend/plugins/stealth-login-page/ – Changes your login page to an address only you will know
- http://wordpress.org/extend/plugins/bulletproof-security/ – WordPress Website Security Protection: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection, and SQL Injection hacking attempts.
- http://wordpress.org/extend/plugins/wordfence/ – Wordfence Security is a free enterprise-class security plugin with a firewall, anti-malware scanning, malicious URL scanning, and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme, and plugin files, even if you don’t have backups.
- http://wordpress.org/extend/plugins/better-wp-security/ – iThemes Security (formerly Better WP Security) takes the best WordPress security features and techniques. It combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting elements or the possibility of missing anything on your site.