This is far from a complete list of ways to secure WordPress, but the rules below add some decent protection that is missing by default, using nothing more than access rules in Apache .htaccess files. (The order/allow/deny directives are Apache 2.2 syntax; on Apache 2.4 they keep working when mod_access_compat is loaded, otherwise use the equivalent Require directives.) They work well on sites with a single admin/writer or a handful of writers. If your site lets anybody register, or requires registration to leave comments, locking it down this way is much harder.
To increase your WordPress security, consider adding these access rules:
Tip #1 - Prevent all access to wp-config.php (database credentials and salts live there):
Code:
# protect wp-config.php: nothing should ever fetch this file over HTTP
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Tip #2 - Prevent all access to wp-register.php
Code:
# protect wp-register.php (the old registration entry point)
<Files wp-register.php>
order allow,deny
deny from all
</Files>
^ Only use this one on sites where nobody will register through WordPress, and do it in addition to disabling registration in wp-admin (Settings > General, "Anyone can register"). Newer WordPress versions handle sign-ups through wp-login.php?action=register rather than wp-register.php, so the Membership setting is what actually stops registrations; this block just closes off one more URL.
These days, it's almost safer to just use a Facebook comments plugin, and skip WordPress native comments. Less spam, too!
Tip #3 - Prevent all access to .htaccess:
Code:
# protect .htaccess and any other ".hta*" file (.htpasswd included)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
# satisfy all: a valid HTTP-auth login does not override the deny above
satisfy all
</Files>
Tip #4 - Deny access to wp-login.php from any IP address that is not in an allowed range:
Code:
<Files wp-login.php>
# deny,allow: start by denying everyone, then let the listed ranges through
order deny,allow
deny from all
# partial addresses are networks: "1." is 1.0.0.0/8, "2.3." is 2.3.0.0/16,
# "4.5.6." is 4.5.6.0/24, and a full address is a single host
allow from 1.
allow from 2.3.
allow from 4.5.6.
allow from 7.8.9.10
</Files>
^ This rule needs customization; the addresses are placeholders. It blocks every request to wp-login.php from an IP address (full or partial) that is not listed. Use as few ranges as possible, and keep them as narrow as possible: a bare first octet such as 24. is an entire /8, roughly 16.7 million addresses shared by many ISPs' customers, which is far more than any home or office connection needs.
Partial addresses work like this (each octet you leave off widens the match by 8 bits):
1. = /8 (1.0.0.0 through 1.255.255.255, 16,777,216 addresses)
1.2. = /16 (1.2.0.0 through 1.2.255.255, 65,536 addresses)
1.2.3. = /24 (1.2.3.0 through 1.2.3.255, 256 addresses)
1.2.3.4 = /32 (one address)
I'd never allow more than a /16 range. Use WhatIsMyIP.com to find the public addresses you connect from at home, at work, on your phone, at a favorite cafe, and so on, then list the narrowest ranges that cover them. Only those addresses can then reach the login page, and a brute-force attempt that cannot even load wp-login.php goes nowhere. Two caveats: mobile carriers and many ISPs reassign addresses, so keep SFTP or hosting-panel access handy to edit .htaccess if you lock yourself out; and this rule only covers wp-login.php, while xmlrpc.php also accepts a username and password, so restrict it the same way, or deny it outright if nothing you use needs it.
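To check an allow list before it goes live, here is an added example that is not code from the original post or from Apache: it reimplements in Python the documented Apache 2.2 semantics the Tip #4 block relies on (partial addresses as /8, /16 and /24 networks, a full address as a /32, CIDR, and the order deny,allow versus allow,deny evaluation), then runs constructed client addresses against the placeholder ranges from the tip. The allow list, the client addresses and the function names are assumptions for illustration.

```python
"""Offline check of an Allow/Deny IP list before it goes into .htaccess.

Added example, not code from the original post or from Apache.  It
reimplements the documented Apache 2.2 mod_authz_host rules that Tip #4
relies on: partial addresses ("1.", "2.3.", "4.5.6.") stand for /8, /16
and /24 networks, a full address is a /32, CIDR is accepted too, and
"Order deny,allow" means a Deny blocks unless an Allow also matches.
The allow list and the client addresses below are constructed samples.
"""
from __future__ import annotations

import ipaddress


def parse_host(spec: str) -> ipaddress.IPv4Network:
    """Turn one Allow/Deny argument into an IPv4 network.

    Accepts 'all', CIDR ('10.0.0.0/8'), a full address, or Apache's legacy
    partial form 'a.', 'a.b.', 'a.b.c.' (the trailing dot is optional).
    """
    spec = spec.strip()
    if spec.lower() == "all":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError(f"not a partial IP, CIDR or 'all': {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))  # missing octets become zero
    return ipaddress.IPv4Network(".".join(padded) + f"/{8 * len(octets)}")


def range_size(spec: str) -> int:
    """How many addresses a single Allow/Deny argument really admits."""
    return parse_host(spec).num_addresses


def decide(order: str, allow: list[str], deny: list[str], client: str) -> bool:
    """Apply Apache 2.2 'Order' semantics to one client address.

    allow,deny: the client must match an Allow, and any matching Deny
                overrides it (nothing matches: denied).
    deny,allow: a matching Deny blocks unless an Allow also matches
                (nothing matches: allowed).
    """
    ip = ipaddress.IPv4Address(client)
    allowed = any(ip in parse_host(a) for a in allow)
    denied = any(ip in parse_host(d) for d in deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        return allowed and not denied
    if key == "deny,allow":
        return allowed or not denied
    raise ValueError(f"unknown Order: {order!r}")


# The Tip #4 block, transcribed: Order deny,allow / Deny from all / Allow from ...
TIP4_ORDER = "deny,allow"
TIP4_DENY = ["all"]
TIP4_ALLOW = ["1.", "2.3.", "4.5.6.", "7.8.9.10"]  # placeholder ranges from the tip


def can_reach_login(client: str) -> bool:
    """True if this client would get past the wp-login.php rule."""
    return decide(TIP4_ORDER, TIP4_ALLOW, TIP4_DENY, client)


if __name__ == "__main__":
    # Constructed sample clients: one per listed range, plus two outsiders.
    for client in ["1.200.3.4", "2.3.4.5", "4.5.6.7", "7.8.9.10", "7.8.9.11", "8.8.8.8"]:
        state = "reachable" if can_reach_login(client) else "blocked"
        print(f"{client:>12}  login page {state}")
    # The cost of a bare first octet: "24." is an entire /8.
    print("addresses admitted by '24.':", range_size("24."))
    # Footgun: the same lines under "Order allow,deny" lock everyone out,
    # because "Deny from all" then overrides every Allow.
    print("1.2.3.4 with Order allow,deny:", decide("allow,deny", TIP4_ALLOW, ["all"], "1.2.3.4"))
```

Run it with python3 and swap your own ranges into TIP4_ALLOW; besides checking that your current address gets through, it shows how many addresses a bare first octet admits and why the same lines under order allow,deny would lock everyone out.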
Tip #5 - Use the Login-Lockdown plugin, too, and tweak the values (the defaults are too lax). Note that it does work up to at least WordPress 3.3, regardless of the "up to 2.8.4" claimed on the official WordPress.org site, and probably will on future versions for the foreseeable future. (It was simply written when 2.8.4 was the current version, and development then seems to have stopped.)
Tip #6 - Use a strong password. Make sure the WordPress password isn't weak:
USe-A-c0mpl3x-p4$S_!! -- not "atlanta" or "bravesrule" or whatever. A long random password kept in a password manager is better still, and the same goes for the database user in wp-config.php and for the hosting/FTP account.
______________________
Also note that the #1 reason WP sites get hacked is exploited themes and plugins!
It's not necessarily because anything is "outdated", as many people (including quite a few web hosts) claim, but simply that something, new or old, has a hole that got exploited. So watch plugin/theme updates to see whether they contain security fixes. The same goes for WordPress versions: newer isn't automatically "safer", and an upgrade sometimes just breaks plugins or themes, so you don't have to be an upgrade junkie in the name of security. Watch for security patches instead. Sometimes they can be applied manually (no full update required), and sometimes they do require an update; when a release is flagged as a security release, treat it as mandatory.
Be safe.
______________________
Bonus tip: Be very sure to add anti-hotlinking in the root .htaccess, too:
Code:
RewriteEngine on
# let through requests with no Referer (direct links, privacy tools) ...
RewriteCond %{HTTP_REFERER} !^$
# ... and requests from our own site; the dot is escaped and the host name is
# anchored so that mydomain.com.evil.example does not pass as "mydomain.com"
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com(/|$) [NC]
# everything else asking for an image gets 403 Forbidden
RewriteRule \.(jpe?g|png|gif)$ - [NC,F,L]
"RewriteEngine on" is probably already there if you use custom permalinks in WordPress, so don't add it twice. Replace mydomain.com with your own host name. Because an empty Referer is deliberately let through (browsers and privacy tools often send none), this saves bandwidth rather than providing hard protection.
______________________
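The Referer test in the hotlink rule above is a good example of a pattern that looks right and isn't: an unescaped dot matches any character, and with nothing anchoring the end of the host name, a Referer of mydomain.com.evil.example passes. Here is an added example, not code from the original post, that mirrors the two RewriteConds in Python and runs the loose pattern (as the rule was first written) beside the anchored one over constructed Referer values; mydomain.com is a placeholder for your own host name.

```python
"""Why the hotlink Referer pattern needs an escaped dot and an end anchor.

Added example, not code from the original post.  It reproduces the two
RewriteCond tests in Python so the loose pattern can be compared with the
hardened one against constructed Referer values.  'mydomain.com' is a
placeholder for your own host name.
"""
import re

# As the rule was first written: the unescaped '.' matches any character and
# nothing anchors the end of the host name.
LOOSE = re.compile(r"^http(s)?://(www\.)?mydomain.com", re.IGNORECASE)

# Hardened: literal dot, and the host must end right after ".com" (path or end).
STRICT = re.compile(r"^https?://(www\.)?mydomain\.com(/|$)", re.IGNORECASE)


def hotlink_blocked(referer: str, pattern=STRICT) -> bool:
    """Mirror the two RewriteConds that guard the image RewriteRule.

    An empty Referer (direct link, privacy tools) is let through, a Referer
    matching our own host is let through, and anything else would hit [F].
    """
    if referer == "":                          # RewriteCond %{HTTP_REFERER} !^$
        return False
    return pattern.search(referer) is None     # RewriteCond %{HTTP_REFERER} !^https?://...


# Constructed Referer values: two legitimate ones, two look-alikes an attacker
# could host to defeat the loose pattern, and a plain third-party site.
SAMPLES = [
    "",
    "https://www.mydomain.com/2018/some-post/",
    "https://mydomain.com.evil.example/gallery",   # our name as a subdomain
    "http://mydomainXcom/",                        # unescaped '.' matched 'X'
    "https://images.example/hotlink.html",
]


def compare(referer: str) -> tuple:
    """(blocked by loose pattern, blocked by strict pattern) for one Referer."""
    return hotlink_blocked(referer, LOOSE), hotlink_blocked(referer, STRICT)


if __name__ == "__main__":
    for ref in SAMPLES:
        loose, strict = compare(ref)
        print(f"{ref or '<empty>':48} loose={'block' if loose else 'pass '} "
              f"strict={'block' if strict else 'pass '}")
```

The same mistake shows up wherever a host name is checked with a regex, for instance in CORS or Origin checks, so the anchored form is worth keeping as a template.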