Software development is a genuinely complex process, and although the WordPress developers take security very seriously, you should also take extra measures to ensure the safety and security of your blog or web site.
There are a few simple steps that make your WordPress installation a lot harder for an attacker to compromise.
WordPress software
Always keep it up to date. Flaws in the security model are identified and addressed as soon as they are reported, so it is important to always keep your WordPress installation current. This is very easy now that WordPress has an automatic update feature: all you have to do is tell it to install the newer version.
File permissions
You need to make sure that the web server can modify only those files it is allowed to. Do not rely on WordPress to enforce this; use the file system permission model. All files in the WordPress installation need to be owned by, and writeable only to, the user that installed the system, not the user the web server runs as. The only exception is the /wp-content/ directory, which contains uploaded content.
Make sure you perform all of the following actions inside your WordPress installation directory, whatever it is, and not outside of it!
Let's make all files owned by your user and set the group to the web server's group (using . rather than * so that dot-files such as .htaccess are included):
$ sudo chown -R myuser:www-data .
Then change all file permissions so that files can be written to by your user only and are read-only for other users:
$ find . -type d -exec chmod 755 {} \;
$ find . -type f -exec chmod 644 {} \;
Finally, allow group write for the wp-content/ directory only, so that the web server can do automatic updates for plugins and users can upload content (applying this to * would undo the previous step for the whole tree):
$ chmod -R g+w wp-content
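Once the permissions are set, it is worth being able to verify that nothing has drifted (a careless plugin installer or a chmod -R 777 from a forum tip are the usual culprits). The following audit script is an added example, not part of the original post; it assumes a POSIX find, a WordPress root and the deploy user name as arguments, and treats wp-content/ as the only place where group write is acceptable, exactly as described above:

```sh
#!/bin/sh
# wp_perm_audit ROOT OWNER
#   Checks a WordPress tree against the model above:
#   - outside wp-content/: everything owned by OWNER, not group- or world-writable
#   - anywhere (wp-content/ included): nothing world-writable
#   - regular files anywhere: no execute bits (expected mode 644)
#   Prints one line per violation; returns 0 when clean, 1 otherwise.
wp_perm_audit() {
    root=${1%/}            # strip a trailing slash so the -path prune matches
    owner=$2

    violations=$(
        # Outside wp-content/ only the deploy user may own or write anything.
        find "$root" -path "$root/wp-content" -prune -o \
            \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print |
            sed 's/^/OWNER-OR-GROUP-WRITE  /'
        # wp-content/ may be group-writable, but world-writable is never acceptable.
        find "$root" -perm -o+w -print | sed 's/^/WORLD-WRITABLE        /'
        # Web-served files should be plain 644; an execute bit is a sign of tampering
        # or of a careless chmod -R 777.
        find "$root" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) -print |
            sed 's/^/EXECUTABLE            /'
    )

    if [ -n "$violations" ]; then
        printf '%s\n' "$violations"
        return 1
    fi
    return 0
}

# Example invocation (only when run directly with two arguments), e.g. from cron:
#   ./wp_perm_audit.sh /var/www/virtual/www.example.com myuser
if [ "$#" -eq 2 ]; then
    wp_perm_audit "$1" "$2"
fi
```

A non-zero exit status makes it easy to wire into a nightly cron job or a monitoring check.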
Secure wp-admin access
WordPress recommends using additional plugins and HTTP authentication to provide extra protection for the administration pages, but I think this is not necessary if you implement the following two measures: enforce SSL-only traffic to /wp-admin/ and allow access only from certain IP addresses.
Make /wp-admin/ available over SSL connections only, so that all traffic to and from it (including passwords) is encrypted. This prevents attackers from hijacking the traffic and intercepting passwords and other sensitive data.
This may sound a bit complicated, but bear with me; it is not as scary as it may look. You will need two <VirtualHost> directives: one for normal web traffic and one for SSL.
In the default HTTP definition you then make a special case for the /wp-admin/ URL and enforce a redirection to HTTPS, so whenever you try to access wp-admin/ using http:// you are redirected to https:// instead. The HTTPS VirtualHost in its turn has instructions to deny access from everywhere except the IPs listed in the configuration:
<VirtualHost server_ip:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/virtual/www.example.com
    ErrorLog /var/log/apache2/www.example.com-error.log
    CustomLog /var/log/apache2/www.example.com-access.log combined

    # Anything under /wp-admin requested over plain HTTP is redirected to HTTPS
    # (needs mod_rewrite). %{REQUEST_URI} keeps the originally requested path
    # instead of always landing on /wp-admin/. Note that the login form itself,
    # wp-login.php, lives in the site root rather than under /wp-admin; add a
    # matching <Location /wp-login.php> block to both hosts if it should get
    # the same treatment.
    <Location /wp-admin>
        RewriteEngine on
        RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [R=permanent,L]
    </Location>
</VirtualHost>

<VirtualHost server_ip:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    DocumentRoot /var/www/virtual/www.example.com
    ErrorLog /var/log/apache2/www.example.com-error.log
    CustomLog /var/log/apache2/www.example.com-access.log combined

    # Deny everyone except the listed addresses. This is Apache 2.2 syntax
    # (mod_authz_host); on Apache 2.4 the equivalent is a single
    # "Require ip trusted_ip_1 trusted_ip_2" line in place of the three below.
    <Location /wp-admin>
        Order deny,allow
        Deny from all
        Allow from trusted_ip_1
        Allow from trusted_ip_2
    </Location>
</VirtualHost>
Other security measures
Install the WP Security Scan plugin, which gives a good overview of how your installation looks from a security point of view.
Also stop advertising the WordPress version you are using. Add the following line to the functions.php file of the theme you are using:
remove_action('wp_head', 'wp_generator');
And did I mention that you need to make regular backups?…