Hardening WordPress – Application Side

“HELP! I don’t know what happened!”
“Everything on my site has changed!”
“My customers are getting redirected to another website!”

Phrases I’ve heard from many a new customer over the last few years, and they ultimately lead to a few conclusions:

  1. The user logs in to WordPress from anywhere (coffee shop, library, doctor’s office, hotel WiFi) with blatant disregard for securing their communications. If you haven’t noticed, unless the site is served over HTTPS the WordPress login form sends the username and password across the network in clear text, where anyone on the same WiFi can read them.
  2. The user clicks “next, next, next” and has their own WordPress instance built in a matter of minutes with no real understanding of what is actually happening. It is important to RTM (Read The Manual). If you’ve read the manual and then searched for additional information and landed here, congrats, you’ve done much more than most folks.
  3. The user runs everything as full friggin administrator. There is zero, zero reason to post as full administrator. Create a second account with the Author or Editor role and use that for day-to-day work. Even better, use the “User Role Editor” plugin, create a null or dummy account, and attribute all the posts to that null account. It is called the “Principle of Least Privilege”.
  4. The user downloads every plugin and theme under the sun, leaves them ALL enabled, and never removes unused or unnecessary plugins or themes. Every one of them is PHP that runs inside your site, and a deactivated plugin that is still on disk can often be reached directly by URL if it has a hole. This is a great way to contract a DTD (Digitally Transmitted Disease).

Now that you know why I’m posting, let’s get to the real reason you are here: taking basic steps to secure your WordPress site. I’m writing as if you have built your site on a shared platform like GoDaddy or RackSpace (not a VPS or dedicated host, where you can take additional steps server-side to lock down your site). If you are on a VPS or dedicated host, these steps will still work for you.
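The one item on the list above that no plugin toggle fixes is point 1, credentials crossing the wire in the clear. Below is an added example of the fix, in wp-config.php; it is not from the original post or from the AIOWP plugin. It assumes your host already serves the site over HTTPS with a valid certificate and that the site URL under Settings > General is https://; the second part additionally assumes a CDN or reverse proxy in front of you that sets the X-Forwarded-Proto header.

```php
<?php
// Added example, not from the original post or the AIOWP plugin.
// Goes in wp-config.php, above the "That's all, stop editing!" line.

/* Serve wp-login.php and everything under /wp-admin/ over HTTPS only.
 * A visitor who types the http:// login URL is redirected before the
 * form is shown, so the password never leaves the browser in the clear.
 * FORCE_SSL_ADMIN is a WordPress core constant. */
define( 'FORCE_SSL_ADMIN', true );

/* If a CDN or reverse proxy terminates TLS in front of the site, PHP sees
 * a plain-HTTP request and FORCE_SSL_ADMIN would redirect forever. Trust
 * the proxy's forwarded-protocol header in that case only. Assumption:
 * the proxy really sets this header and direct access to the origin is
 * blocked, otherwise any client can spoof it and defeat the redirect. */
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}
```

When the login itself happens over HTTPS, WordPress also sets the Secure flag on the authentication cookies it issues, so a later plain-HTTP link on the site does not replay the session in the clear.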

BACK UP YOUR SITE!

Using a secure wired or wireless connection (not from Starbucks), log in to your WordPress site as administrator. Go to “Plugins”, at the top click “Add New”. Search for “All In One WP Security & Firewall” (AKA: AIOWP) created by “Tips and Tricks HQ, Peter, Ruhul, Ivy”. Install that plugin and activate it.

On the left menu bar, you should now have a “WP Security” tab under “Settings”. Click on that. Let’s harden!

  • Dashboard: This is a high-level overview of your security posture. Even in my most hardened state, I’ve never surpassed 390/470.
    • Take a look at “Critical Security Status”. This is a basic overview of security lockdown status. If any of these are off, consider remediating.
  • Settings – If you find yourself in a bind and think AIOWP is causing the problem, you can disable all security features here but, by the time you find yourself in a bind, you probably won’t be able to access this page. 😉
  • User Accounts
    • List of Administrator Account
      • Ensure no account is named “admin”, “administrator”, “root”, “guest”, or “default”. If one is, change it. WordPress itself will not let you rename a login from the Users screen; use the plugin’s rename option under this tab, or create a fresh administrator, log in as it, and delete the old one while reassigning its content to the new account.
        • By default, the first user you create in WordPress is the administrator account, and the first “example” post on every new WP installation is attributed to that only administrator; its author link (/author/<slug>/) is built from the login name, thus telling the world your administrator login. Derp. After renaming, check that author link: the slug is stored separately from the login and may still show the old name.
  • User Login
    • Login Lockdown tab (failed attempts are counted per client IP; if the site sits behind a CDN or reverse proxy, make sure the plugin sees the real visitor address rather than the proxy’s, otherwise one attacker’s failures lock out everyone)
      • Enable Login Lockdown Feature: Enabled
      • Allow Unlock Requests: Enabled
      • Max Login Attempts: 3 to 5
      • Login Retry Time Period: 5 min
      • Time Length of Lockout: 60 min
      • Display Generic Error Message: Enabled
      • Instantly Lockout Invalid Usernames: Enabled
      • Notify By Email: [optional]
    • Force Logout tab
      • Enable Force WP User Logout: Enabled
      • Logout the WP User after XX Minutes: 120
  • User Registration – You will need to open the WP Security tab and approve all newly created user accounts.
    • Manual Approval tab
      • Enable manual approval of new registration: Enabled
    • Registration captcha tab
      • Enable captcha on registration page: Enabled
  • Database Security
    • DB Prefix tab
      • Generate New DB Table Prefix: Enabled and click “Change DB Prefix”. Take a database backup first: this renames every table and also rewrites the prefix-keyed rows in the options table (user_roles) and in usermeta (capabilities, user_level); if it is interrupted half way, nobody can log in. It defeats canned SQL-injection payloads that assume the default wp_ prefix, nothing more.
    • DB Backup tab – This schedules regular database dumps so you have something to roll back to and something to export to another system.
      • Enable Automated Scheduled Backups: Enabled
      • Backup Time Interval: 1 day
      • Number of Backup Files To Keep: 5
        • With a daily backup and 5 copies kept, the oldest copy is about five days old. If a compromise goes unnoticed longer than that, every retained backup already contains the attacker’s changes and you will have to restore from some other source. If you don’t check your blog often, raise this to 10 or more to give yourself that many days to notice. Copy the dumps off the server too: by default they live under wp-content, so whoever has your site has your backups.
  • Filesystem Security
    • File Permissions tab – Ensure every row is green, otherwise remediate. The baseline is 755 for directories and 644 for files, with wp-config.php tighter still; nothing in a WordPress install ever needs 777. This is where users get jammed up. I’ve seen MANY a bad “How-To” that tells users to set permissions incorrectly, usually chmod -R 777 to make an upload error go away. Follow the recommendations on this page at a minimum!
    • PHP File Editing tab
      • Disable Ability To Edit PHP Files: Enabled. Keep this on; the dashboard theme and plugin editors are how a hijacked admin session turns into a web shell. Turn it off only while you actually need to edit a file, then turn it back on when finished.
    • WP File Access tab
      • Prevent Access to WP Default Install Files: Enabled (readme.html, license.txt and wp-config-sample.php give away your WordPress version and layout to anyone who asks)
  • Blacklist Manager
    • Ban Users tab – If you don’t know what an IP is, exit this tab and move on. If you need to blacklist a specific IP address (or a whole range in “/” CIDR notation), enter it here.
  • Firewall
    • Basic Firewall Rules tab
      • Enable Basic Firewall Protection: Enabled
      • Enable Pingback Protection: Enabled, unless you use the WordPress mobile app or Jetpack. This rule blocks xmlrpc.php, and both of those talk to the site through it, so in that case leave it Disabled and rely on the other rules.
      • Block Access to debug.log File: Enabled
    • Additional Firewall Rules tab
      • Disable Index Views: Enabled
      • Disable Trace and Track: Enabled
      • Forbid Proxy Comment Posting: Enabled
      • Bad Query Strings: Enabled
      • Advanced Character String Filter: Enabled
    • 6G Blacklist Firewall Rules tab
      • Enable 6G Firewall Protection: Enabled
      • Enable legacy 5G Firewall Protection: Enabled
    • Internet Bots tab
      • Block Fake Googlebots: Enabled
    • Prevent Hotlinks
      • Prevent Image Hotlinking: Enabled
  • Brute Force
    • Rename Login Page tab
      • Enable Rename Login Page Feature: Enabled
        • Set this to something you will write down and remember, like “CustomLogin” or “AllowMe”, or better still random characters; dictionary words such as “homepage” are easy to guess. From here on you will use www.YourSite.com/CustomLogin instead of www.YourSite.com/wp-admin. This only hides the door, it does not lock it, so keep the Login Lockdown settings above regardless.
        • If you forget it you will need console (or shell) access to the server to bypass this feature. If you are using GoDaddy, RackSpace, or some third-party WordPress hosting platform, you will need their assistance if you forget or break this.
        • After enabling it, log out, flush the browser cache, and use the new URL to log in. You can also enable it, log out, go to your new login page and shift-refresh to force a reload. Due to server/site caching, the first few attempts at the new URL often return “Page cannot be found”. It resolves itself after about 5 minutes.
      • Login Captcha tab – Jetpack has a login captcha option. You don’t need to enable Jetpack login captcha unless you like doing math twice at login.
        • Enable Captcha On Login Page: Enabled
        • Enable Captcha On Custom Login Form: Enabled
        • Enable Captcha On Lost Password Page: Enabled
      • Login Whitelist tab
        • Login IP Whitelist Settings: Disabled unless you know exactly what you are doing.
      • Honeypot tab
        • Enable Honeypot On Login Page: Enabled
  • Spam Prevention
    • Comment Spam tab
      • Enable Captcha On Comment Forms: Enabled
      • Block Spambot Comments: Enabled
  • Miscellaneous
    • Prevent Your Site From Being Displayed In a Frame tab
      • Enable iFrame Protection: Enabled
    • Users Enumeration tab
      • Disable Users Enumeration: Enabled
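Several of the toggles above (Disable Ability To Edit PHP Files, Pingback Protection, Display Generic Error Message, the forced logout timer, iFrame Protection and Users Enumeration) are thin wrappers around ordinary WordPress hooks. The following is an added example, not from the original post or from the AIOWP plugin, that reproduces them as a must-use plugin so you can see what each switch actually does and keep the protection in place even if the plugin is ever disabled from its Settings page. The file name, the 120-minute figure and the “Login failed.” text are this example’s own choices; the constants, filter names and functions are WordPress core.

```php
<?php
/**
 * Plugin Name: Hardening baseline (added example)
 * Description: Added example, not from the original post or from AIOWP.
 * Save as wp-content/mu-plugins/hardening-baseline.php. Must-use plugins
 * load before ordinary plugins and cannot be deactivated from the dashboard.
 */

defined( 'ABSPATH' ) || exit;

// PHP File Editing > "Disable Ability To Edit PHP Files": removes the theme
// and plugin editors, so a hijacked admin session cannot write a web shell
// through the dashboard.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Firewall > "Enable Pingback Protection", the narrow version: keep XML-RPC
// (Jetpack and the mobile app need it) but drop only the pingback methods
// that let this site be used as an amplifier against other sites.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] ); // stop advertising the endpoint
    return $headers;
} );

// User Login > "Display Generic Error Message": never confirm which half of
// the credentials was correct.
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );

// User Login > "Logout the WP User after XX Minutes": the auth cookie is the
// session, so cap its lifetime (core default is 2 days, 14 with Remember Me).
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return 120 * MINUTE_IN_SECONDS;
}, 10, 3 );

// Miscellaneous > "Disable Users Enumeration": /?author=1 redirects to
// /author/<slug>/ and hands out the admin login name. Refuse the request.
add_action( 'init', function () {
    if ( ! is_admin() && isset( $_REQUEST['author'] ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
} );
// The REST API leaks the same list at /wp-json/wp/v2/users; hide the users
// routes from anonymous callers (logged-in users still get them).
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// Miscellaneous > "Enable iFrame Protection": clickjacking defence. Core
// already sends X-Frame-Options: SAMEORIGIN for wp-admin and wp-login.php
// through send_frame_options_header(); this extends it, plus the CSP
// equivalent, to the public front end.
add_action( 'send_headers', function () {
    send_frame_options_header();
    header( "Content-Security-Policy: frame-ancestors 'self'" );
} );
```

The plugin’s own pingback toggle blocks xmlrpc.php outright, which is why it breaks Jetpack and the mobile app; the filter above keeps XML-RPC and removes only the pingback methods. The enumeration rules reduce the leak rather than eliminate it: author slugs still appear in post bylines and feeds, so the real fix remains not publishing from the administrator account.

The File Permissions tab only reports on a handful of well-known paths. The next block is an added command-line audit, again not from the original post or the plugin, that walks the whole install and reports every path whose mode is wider than the baseline the tab checks for (755 for directories, 644 for files, wp-config.php tighter). The 640 used for wp-config.php, the script name and the output format are this example’s own choices. It needs a shell on the host, so on a plan without one, run it against a downloaded copy or stick to the tab.

```php
<?php
// Added example, not from the original post or the AIOWP plugin.
// Usage: php perm-audit.php /path/to/wordpress
// Exit status 0 when everything is within baseline, 1 when findings exist.

/** Widest acceptable mode for a path; anything tighter is fine. */
function expected_mode( string $path, string $root ): int {
    if ( is_dir( $path ) ) {
        return 0755;
    }
    if ( $path === $root . '/wp-config.php' ) {
        return 0640; // assumption: owner plus the web server's group, never "other"
    }
    return 0644;
}

/** One line per path that grants some permission bit beyond the baseline. */
function audit( string $root ): array {
    $root  = rtrim( realpath( $root ), '/' );
    $paths = array( $root ); // the iterator below does not yield the root itself
    $it    = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        $paths[] = $path;
    }

    $findings = array();
    foreach ( $paths as $path ) {
        $mode = fileperms( $path ) & 0777;
        $want = expected_mode( $path, $root );
        if ( ( $mode & ~$want ) === 0 ) {
            continue; // no bit set that the baseline does not allow
        }
        $findings[] = sprintf(
            '%s %04o -> should be %04o or tighter%s',
            $path, $mode, $want,
            ( $mode & 0002 ) ? ' [WORLD-WRITABLE]' : ''
        );
    }
    return $findings;
}

$root = $argv[1] ?? getcwd();
if ( ! is_dir( $root . '/wp-includes' ) ) {
    fwrite( STDERR, "$root does not look like a WordPress root\n" );
    exit( 2 );
}
$findings = audit( $root );
foreach ( $findings as $line ) {
    echo $line, "\n";
}
echo count( $findings ), " path(s) wider than baseline\n";
exit( $findings ? 1 : 0 );
```

World-writable hits are the ones to fix first: on a shared host they are writable by every other customer’s scripts on the same box. Tighter-than-baseline modes are deliberately not reported, since 600 on wp-config.php or 750 on a private directory is not a problem.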
