Friday, August 20, 2010

10 Ways To Secure Your Wordpress Install

1. Keep your Wordpress install and plugins up to date. Probably the most important task you can perform is to upgrade your Wordpress installation to the latest version. Wordpress will inform you when a new version is available and these days you can perform one-click automatic upgrades. The same goes for plugins too.


2. Use a different admin username. Wordpress has an “admin” account by default, so what you will need to do is create a new user with administrative privileges, log in as that user and then delete the old “admin” account. You can transfer all posts to the new account.

3. Create a “posting user” that has no administrative privileges. In addition to protecting your blog from unscrupulous hackers, you’ll be protecting it from you!

4. Use captcha where you can. This means for comments and logins.

5. Change your Wordpress table prefix. When installing for the first time, you can specify the prefix as part of the install. If you are changing an existing installation, the Change Wordpress Table Prefix plugin linked here will perform the change for you.

6. Limit access to the wp-admin directory. There are two ways that you can do this: you can limit access to the wp-admin directory by IP (this is no good if you have a dynamic IP or access your installation from different locations like home and work) and you can password protect the wp-admin directory. Both methods require some jiggery-pokery in the .htaccess file.

  1. Protect the wp-admin directory by IP address:

    1. Create a file called “.htaccess” in your wp-admin directory, if there isn’t one already there.

    2. Append the following contents, where XXX.XXX.XXX.XXX = your outside IP address. Add multiple “Allow from” lines for multiple IPs:

Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX

  2. Password protect the wp-admin directory:

    1. Create a file in your wp-admin directory called “.htaccess” if there isn’t already one.

    2. Create a file above your public_html directory named “.htpasswd”. Make sure you put this outside the web-accessible directory or someone could easily read your password! Usually this is the directory you land in when you first log in to your FTP.

    3. Append the following contents to the “.htpasswd” file, where xxxx = your username and yyyy = your password. On Apache under Unix the password must be in the hashed form written by the htpasswd utility (htpasswd -c /home/username/.htpasswd xxxx creates the file and prompts for the password); a plaintext password in this file will not be accepted:

xxxx:yyyy

    4. Append the following to your “.htaccess” file inside your wp-admin directory. Make sure you use the absolute path to the “.htpasswd” file. If you don’t know it, ask your ISP. xxxx = the username that you entered in your “.htpasswd” file:

AuthUserFile /home/username/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user xxxx



7. Restrict access to your wp-config.php.

There have been cases on web servers where the PHP install gets broken and all PHP files become readable. This is a Bad Thing because your wp-config.php file contains your database username and password.



  1. Create a file within your Wordpress root install directory called “.htaccess” if there isn’t already one.

  2. Append the following to that “.htaccess” file in the Wordpress root. The Files wrapper restricts the rule to wp-config.php alone; without it, Deny from All would block every file in the root directory:

<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>

8. Restrict access to the wp-content and wp-includes directories:

  1. Create a file within your wp-content and wp-includes directories named “.htaccess” if there isn’t already one.

  2. Append the following to each “.htaccess” file. Deny from all stops the PHP files in these directories from being requested directly; the Files block then re-allows the static assets (images, stylesheets, scripts) that browsers still have to fetch. The extension list is a typical one; adjust it to whatever static files your theme serves. NOTE: you may have trouble with some plugins with this method:

Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
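The snippets in steps 6 and 8 stand or fall on how Apache 2.2 evaluates Order, Deny and Allow, so here is an added example (not part of the original post) that applies the mod_authz_host decision rules for a single client address and lets you check what a given .htaccess admits before you deploy it; it also handles CIDR blocks and partial dotted addresses, which Apache accepts in Allow/Deny lines. The two configs and the 203.0.113.5 client address are constructed samples, and the syntax shown is Apache 2.2's (Apache 2.4 replaced these directives with Require).

```python
import ipaddress

# Constructed samples. 203.0.113.5 (a documentation address) stands in for
# the XXX.XXX.XXX.XXX placeholder of step 6.
WP_ADMIN_BY_IP = """
Order Deny,Allow
Deny from all
Allow from 203.0.113.5
"""

# Step 8's directives read as a flat list (no <Files> section around the Allow).
WP_CONTENT_FLAT = """
Order Allow,Deny
Deny from all
Allow from all
"""

def _matches(spec, client_ip):
    """One Allow/Deny host spec: 'all', a full IP, a CIDR, or a dotted prefix."""
    spec = spec.strip()
    if spec.lower() == "all":
        return True
    if "/" in spec:
        return client_ip in ipaddress.ip_network(spec, strict=False)
    if spec.count(".") < 3:  # partial address such as 203.0.113: whole octets
        return str(client_ip).startswith(spec.rstrip(".") + ".")
    return client_ip == ipaddress.ip_address(spec)

def evaluate(htaccess, client_ip):
    """Apache 2.2 Order/Deny/Allow decision for one client; True = allowed."""
    order = "deny,allow"  # Apache's default when no Order directive is present
    allow, deny = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.lower().partition(" ")
        if key == "order":
            order = rest.replace(" ", "")
        elif key in ("allow", "deny") and rest.startswith("from "):
            (allow if key == "allow" else deny).extend(rest[5:].split())
    ip = ipaddress.ip_address(client_ip)
    allowed = any(_matches(h, ip) for h in allow)
    denied = any(_matches(h, ip) for h in deny)
    if order == "deny,allow":  # Deny first; a matching Allow overrides it
        return allowed or not denied
    if order == "allow,deny":  # Allow first; any matching Deny wins
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)
```

Running the step 8 directives as a flat list shows that Allow,Deny plus Deny from all refuses every client, which is why the Allow line has to live inside a Files section of its own.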

9. Use the Wordpress online security scanner.

This plugin, in conjunction with a CGI script available at Blog Security, will perform version checks, XSS checks on your Wordpress template and will inspect your plugins for vulnerabilities.

10. Implement Mod Security: append the following to the “.htaccess” file within the root of your Wordpress install. These are general rules to prevent some malicious attacks on your site as a whole and are not specific to Wordpress (you might have to do some reformatting because of word-wrap).

See BlogSecurity Wordpress Modsecurity White Paper (PDF)
