WordPress Security

Steps To Secure Your WordPress Website

WORDPRESS SECURITY AS EASY AS POSSIBLE AND FREE by Art Derfall

Secure-Your-Website.com

WordPress websites are hacked and taken down daily. Even if you only make two simple changes (the admin user name and the log-in URL), you've made your site noticeably harder to break into in just a few minutes: most automated attacks simply try the user name "admin" against /wp-login.php. Those two changes do not fix an out-of-date plug-in or theme, so keep updating as well. I've taken suggestions from real experts (I'm a good intermediate) and have listed them here. Skip to the end to see step-by-step how easy it is to get into a website. There are three levels here:

1. Change the user name and the log-in URL. Change the password to something long, and add numbers and symbols (!@#)(+ 586, etc.).

2. Add a few plug-ins and use them.

3. Get into your cPanel File Manager and delete two or three files. Add some short text to two of the files, .htaccess and wp-config.php. I didn't want to move more files around, however.

SKIM THESE 4 SITES AS AN OVERVIEW:

http://www.cenaynailor.com/blogging/wordpress-blogging/22-wordpress-tweaks/

http://heartifb.com/2013/09/16/essential-security-wordpress-blog/

http://codex.wordpress.org/Hardening_WordPress

http://www.bobwp.com/how-to-delete-your-default-admin-user/

Before trying everything below on an existing site, set up a new add-on domain using a basic WordPress theme. Try backing it up so you know how to do it.

WORDPRESS INSTALLATION: I use Hostgator.com. The support 24 hours a day is great.

There are two ways to set up WordPress in Hostgator:

cPanel QuickInstall of WordPress. Defaults to user: admin. Don't use Fantastico to install WordPress. It caused errors in the editor. The default database table prefix, wp_, is a (small) security risk: canned SQL injection payloads assume it. Whether at install time or later through a plug-in, choose a prefix that relates to the site somehow. That also makes it easy to recognize which database goes with which site.

“admin” and the wp_ table prefix can be changed later via one of the suggested plug-ins.
Your installer may allow you to choose your administrator user name and password at the initial install.

An email is sent to me with a random password, which I can change later. Most site owners don't change “admin”. Use www.strongpasswordgenerator.com to get tough passwords. They can also be used as the user name. Or www.random.org/passwords . You can then add some symbols to it (*&^%$+{).

One of the plug-ins, WordPress Security Scan, has a password generator and will change the bad wp_ database table prefix to something tough to guess.

SUGGESTED PLUG-INS CAN BE DOWNLOADED and ACTIVATED FROM THE WP DASHBOARD PANEL

MANUAL WAY TO CHANGE USER NAME:

Log in as “admin” and add a few characters to its email address, so that the original email address is free to use for the new user.

Create a new user with numbers and symbols in the name. Be sure to give it the Administrator role.

Log out. Log in as the new user. Delete “admin” as a user; when asked, attribute all of admin's posts, etc. to the new user. Give the new user the original email address.

CHANGE THE DEFAULT SITE.COM/WP-ADMIN or SITE.COM/WP-LOGIN.PHP:

http://wordpress.org/plugins/hc-custom-wp-admin-url/ FREE

This is a “must-have”. Now your log-in URL can display as site.com/dogbonz778 if you want. Changing the log-in URL and your user name and password (to something complex) stops most of the automated attacks if you want to stop here. Note that this only hides the log-in form from scanners that use the default address; the user name and password still do the real protecting. The slug change is found in the Permalinks settings area. Write it down. I couldn't find it in the file structure on Hostgator, so I guess it's fairly secure for something simple.

NOTE: http://lastpass.com is a great way to deal with all your passwords. FREE. http://preyproject.com : if your laptop or smartphone is stolen, it will tell you where it is and take photos of the thief. FREE.

TIME TO BACK UP EVERYTHING, AND OFTEN:

UpdraftPlus – WordPress Backup and Restoration . http://wordpress.org/plugins/updraftplus . FREE

Info at http://updraftplus.com . I’m using this on my http://secure-your-website.com .

I have been using an older version of WP Backup Plus. Search Google for “get wp backup plus”. Note the first three listings.

Study http://wpbackupplus.com . It backs up and clones sites. The videos are excellent and useful even if you use UpdraftPlus.

You can get the latest version for $97 at http://review-bonuses.net/backup-plus-wordpress-plugin-review-bonuses.html

Note the first result in the search results. You can get an older version for free at post #10 via zippyshare. Try it and then buy the latest one. Just a suggestion. Be careful, though, with any plug-in downloaded from a file-sharing site rather than from wordpress.org or the vendor: “free” copies of paid plug-ins are a common way to get a backdoor installed along with the plug-in, which undoes everything else on this page.

HOW TO TEST YOUR SITE AND OTHERS FOR SECURITY:

sitename.com/wp-admin or sitename.com/wp-login.php gets you to a log-in screen, but not if you changed it via the custom log-in URL suggested earlier.

Try “admin” as the user name and a few characters as a password. If you get a message that the password (and not the user name) is wrong, then the user name is “admin”. I'll get into how passwords can be found later. Then check these addresses:

sitename.com/readme.html brings up the readme file, which states the WordPress version…problem
sitename.com/wp-admin/install.php brings up the install page…problem
sitename.com/wp-admin/install-helper.php brings up the helper file…problem
sitename.com/wp-config.php shows PHP source (database name and password)…serious problem. A blank screen is the normal result, because the server runs the file and it prints nothing; the file still needs tight permissions, because anyone who gets into the hosting account can read or edit it.
sitename.com/wp-content shows a list of your files…problem
sitename.com/wp-includes brings up a list of your files…problem

More about these later.

INSTALL THE FOLLOWING PLUG-INS via your site’s WordPress plug-in search box. It looks for them at wordpress.org:

http://wordpress.org/extend/plugins/ultimate-security-checker/

This shows up under Tools on the left of your dashboard. Run it, and then re-run it after using the next two plug-ins.

http://wordpress.org/extend/plugins/better-wp-security/

Note: The name has been changed to iThemes Security, but the link above works to get you there.

This shows as “SECURITY” on the left.

You'll see 20 or so lines of suggestions. If you can change red to green and have a few yellow ones left over, you're fine. I did get locked out once when I overdid things. I think it was a setting to check IP addresses. Don't use that feature. See this: http://wordpress.org/plugins/better-wp-security/faq/ I had to get Hostgator to reset things.

It's a very popular plug-in, however, and I'm using it without a problem now. I set the 404 intrusion detection to:

Check period: 5 minutes. Error threshold: 20. Lockout period: 15 minutes. I have unchecked “blacklist repeat offenders”.

http://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

This shows as WP SECURITY on the left. You can change the user name and limit log-in attempts (3 to 5 is good). You can change the database table prefix here. Choose something a bit complex, but something you will recognize in the list of databases in your cPanel as belonging to the site.

I used the random generator. After all the settings I checked, All In One WP Security and Firewall showed green for:

Admin username, Login lockdown, File permission, Basic firewall.

My score was now 150 out of 305 at this point. In the green. In my new site all 21 lines in Better WP Security were blue, green, or yellow. No reds. Rerun the Ultimate Security Checker. At this point I had an A with a score of 98 out of 115.

BACKUP NOW.

THINGS TO DO WITH THE FILES IN CPANEL. SCARY IF YOU HAVEN’T BEEN THERE BEFORE:

This will be done in the File Manager. Find your site under public_html. You'll be getting into some files and using the delete and edit modes. My suggestions don't include moving files as Cenay has suggested. I've caused myself problems in the past. Just trying to keep it simple.

DELETE the readme.html file in the site's main folder, and the install.php and install-helper.php files in the wp-admin folder. A WordPress core update puts all three back, so repeat this after each update.

NOTE WHAT NO LONGER WORKED FOR ME IN THE FOLLOWING:

FROM CENAY’S SUGGESTIONS: Prevent Visitors From Browsing Your WordPress Folders:

Okay, there are the curiosity seekers, and there are hackers. I don’t want either one accidentally wandering around my WordPress installation. For ANY reason. There are a couple of ways you can prevent this. One is simple, one is not so simple. Select the method you are most comfortable with.

Method 1

Create an empty text file and name it index.php. Upload this file to wp-content (or wherever you placed it), wp-admin, and wp-includes. The empty file will be read when someone navigates to that location and will display a blank white page rather than a list of your files. ….This was from the suggestion, but read further before doing anything: wp-admin already has an index.php (it is the dashboard itself) and wp-content ships with one, so don't overwrite either of those. Only wp-includes is missing one.

Method 2- THIS SHUT DOWN THE SITE, POSSIBLY WITH THE UPGRADE TO THE LATEST WP:

Add the following line to the .htaccess file in the main WordPress installation directory: Options All -Indexes. (The usual form is just Options -Indexes. Either way, if your host does not let .htaccess set Options, Apache answers every request with a 500 Internal Server Error until the line is removed, which is exactly what a “shut down” site looks like.)

This was supposed to turn off the automatic feature that *lists* the files in a directory without a default page. I DELETED IT AND THE SITE REAPPEARED. I USED METHOD ONE ONLY IN THE WP-INCLUDES FOLDER. The file list is now gone when I enter secure-your-website.com/wp-includes.
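For reference, here is what a working .htaccess for Method 2 looks like, together with the wp-config.php block from the Codex hardening page linked at the top. This is an added example, not the text from the original page or from Cenay's article; the comments about AllowOverride and Apache versions are my own notes.

```apache
# Turn off automatic directory listings (Cenay's Method 2).  This needs
# "AllowOverride Options" (or AllowOverride All) from the host; if that is not
# granted, every request returns a 500 Internal Server Error until the line
# is removed, so test on a spare add-on domain first.
Options -Indexes

# Refuse direct web requests for wp-config.php (from the WordPress Codex
# Hardening_WordPress page; Apache 2.2 syntax, Apache 2.4 uses "Require all denied").
<files wp-config.php>
order allow,deny
deny from all
</files>
```

If the site goes to a 500 error after saving, delete the Options line and fall back to the empty index.php in wp-includes; the wp-config.php block does not depend on Options and can stay.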

Create the empty index.php file within cPanel, with wp-includes open on the right. I tried uploading one I created in WordPad but ended up with a line of text showing after secure-your-website.com/wp-includes.

HIDE THE EDITORS:

In the wp-config.php file, add this line after <?php :

ADD THIS: define( 'DISALLOW_FILE_EDIT', true );

I copied and pasted it in and it didn't work one time because the ‘ and ’ had formatting (curly quotes). PHP needs plain straight quotes, so just retype the two marks in the wp-config.php editor.

This hides the theme and plug-in editors in the dashboard. Delete the line if you need to bring them back.

Ultimate Security Checker suggested permission changes for 7 files. The only one that needed changing on this site was wp-config.php. I changed it to 0400. I may or may not move wp-config.php, or use the suggestion for securing the blog against malicious URL requests (a bit too much work).
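If your host gives you SSH as well as cPanel, the file steps in this section can be done with one script instead of clicking through the File Manager. This is an added example, not code from the original page or from any of the plug-ins it names: it deletes readme.html and the two wp-admin install files, creates an empty index.php in wp-includes only (never in wp-admin or wp-content, which already have one), adds DISALLOW_FILE_EDIT to wp-config.php with plain straight quotes, and sets wp-config.php to 0400. The function names, the report layout and the sample tree built by make_sample_tree() are this example's own, and the sample tree is constructed, not a real install. Back up before running it on a live site.

```python
"""Apply the cPanel file steps from this section to a WordPress tree."""
import os
import shutil
import stat
import tempfile

REMOVE = ["readme.html", "wp-admin/install.php", "wp-admin/install-helper.php"]
# wp-admin/index.php is the dashboard and wp-content ships with its own
# index.php, so only wp-includes gets a blank one.
BLANK_INDEX = ["wp-includes/index.php"]
EDIT_LINE = "define( 'DISALLOW_FILE_EDIT', true );\n"


def harden(root, config_mode=0o400):
    """Apply the steps to the WordPress tree at `root`; return what changed.

    0o400 is what the page uses and works where PHP runs as the account owner
    (suPHP/CGI hosts).  Where PHP runs as a separate web-server user (mod_php),
    0o400 breaks the site; pass 0o440 or 0o640 there instead.
    """
    report = {"removed": [], "created": [], "config": "already set", "mode": None}
    for rel in REMOVE:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            os.remove(path)
            report["removed"].append(rel)
    for rel in BLANK_INDEX:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            open(path, "w").close()  # truly empty; any stray text would show to visitors
            report["created"].append(rel)

    config = os.path.join(root, "wp-config.php")
    with open(config, encoding="utf-8") as f:
        lines = f.readlines()
    found = False
    for i, line in enumerate(lines):
        if "DISALLOW_FILE_EDIT" in line:
            found = True
            # Curly quotes pasted from a web page are a PHP parse error; straighten them.
            fixed = line.replace("\u2018", "'").replace("\u2019", "'")
            if fixed != line:
                lines[i] = fixed
                report["config"] = "fixed quotes"
    if not found:
        for i, line in enumerate(lines):
            if line.lstrip().startswith("<?php"):
                lines.insert(i + 1, EDIT_LINE)
                report["config"] = "added"
                break
    with open(config, "w", encoding="utf-8") as f:
        f.writelines(lines)
    os.chmod(config, config_mode)
    report["mode"] = oct(stat.S_IMODE(os.stat(config).st_mode))
    return report


def make_sample_tree(root):
    """Build a constructed, minimal WordPress-like tree (not a real install)."""
    for d in ("wp-admin", "wp-content", "wp-includes"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    files = {
        "readme.html": "<h1>WordPress</h1><p>Version 3.6.1</p>\n",
        "wp-admin/install.php": "<?php // installer\n",
        "wp-admin/install-helper.php": "<?php // upgrade helper\n",
        "wp-admin/index.php": "<?php // the dashboard itself; must not be touched\n",
        "wp-content/index.php": "<?php // Silence is golden.\n",
        # DISALLOW_FILE_EDIT pasted with curly quotes: the mistake the text describes.
        "wp-config.php": "<?php\ndefine( 'DB_NAME', 'wp' );\n"
                         "define( \u2018DISALLOW_FILE_EDIT\u2019, true );\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)


def demo():
    """Harden a fresh sample tree; return the report plus a few after-the-fact checks."""
    root = tempfile.mkdtemp(prefix="wp-harden-")
    try:
        make_sample_tree(root)
        result = harden(root)
        with open(os.path.join(root, "wp-config.php"), encoding="utf-8") as f:
            config = f.read()
        result["readme_gone"] = not os.path.exists(os.path.join(root, "readme.html"))
        result["dashboard_kept"] = os.path.getsize(os.path.join(root, "wp-admin/index.php")) > 0
        result["includes_index_empty"] = os.path.getsize(os.path.join(root, "wp-includes/index.php")) == 0
        result["config_fixed"] = EDIT_LINE in config and "\u2018" not in config
    finally:
        shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To use it on a real site, call harden("/home/youraccount/public_html") over SSH, and re-run it after every WordPress core update, since the update restores readme.html and the install files.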

USC (see the tabs) and the other plug-ins offer more security strategies, if you want to continue.

Your site will be much harder to break into now. Keep WordPress, the theme and every plug-in updated; an out-of-date plug-in is the one thing none of the steps above protects against.

Cenay Nailor (see link) under her 22 suggestions:

Do 1 to 6 and 9. #7 I skipped because I don't have many revisions or comments; it involves files in cPanel.

#9 Do add the ping list (via her link) to the one WordPress gives you. Under Media settings, uncheck “organize uploads by month and year”. #10 Google XML sitemap.

#11 The site backup plug-in does it and more. #14 was done. #16 was handled by deleting the readme.html file, I think.

The rest…choose them.

Cenay Nailor has many great videos on YouTube. She and I both use WordPress templates from http://elegantthemes.com. Inexpensive, modern design, and timely technical support.

As for analytics, I’ve been using http://statcounter.com FREE

The site should have Akismet to block comment spam. http://akismet.com/ FREE

How Your Site is Being Attacked/Hacked Right Now!

WordPress Security…

80% of websites have serious security vulnerabilities. The vast majority of user names are “admin”. A hacker is halfway there!

I could find most passwords using the hacker tool Burp Suite / Burp Intruder for a dictionary attack.

TESTING TO FIND WORDPRESS SITES AND SECURITY BREACHES:

Search Google for “wp-content” to find WordPress sites. Double-check via “view source” that the page really is WordPress. Let's say the website that shows is site.com.

Enter site.com/wp-admin or site.com/wp-login.php in the address bar. Test for user name: admin. Usually works.

Try a few passwords. The error message will tell you that admin is correct but the password is wrong. Easy to hack unless you hide wp-admin or wp-login.php, or limit log-in attempts (three tries per hour, for example).

Check site.com/wp-config.php. A blank screen is the normal result (the server runs the file without showing it); if instead you see PHP source with the database name and password in it, the site is wide open. Either way the file should be hidden from direct requests and its permissions changed so that only the site owner can read it.

Check site.com/readme.html. It usually shows, and it states the version of WordPress. If the version isn't up to date (most sites), that points straight at known hacking methods for that version.

Check site.com/wp-admin/install.php and site.com/wp-admin/install-helper.php. Both are vulnerable points for hacking and should be deleted (see above).
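The checks in this section, and the same list under HOW TO TEST YOUR SITE earlier, are easy to get wrong by hand (a blank wp-config.php page is good news, a blank readme.html page is not). The following added example, which is not code from the original page, turns the checks into rules you can run over the responses you collect with a browser or curl. It does not send any requests itself: the responses are constructed samples, not captures from a real site, and the function names and finding texts are this example's own. The log-in error wording matches WordPress of the period (“Invalid username.” versus “The password you entered for the username X is incorrect.”). Run it only against sites you own or are authorized to test.

```python
"""Classify WordPress recon responses: version leak, leftover install pages,
exposed wp-config.php source, directory listings, user-name confirmation."""
import re
from typing import List, Optional, Tuple

README_VERSION = re.compile(r"Version\s+(\d+\.\d+(?:\.\d+)?)")
LISTING = re.compile(r"<title>Index of /", re.IGNORECASE)
LOGIN_LEAK = re.compile(r"password you entered for the username <strong>([^<]+)</strong>")
INSTALL_PAGES = ("/wp-admin/install.php", "/wp-admin/install-helper.php")
LISTABLE_DIRS = ("/wp-content/", "/wp-includes/")


def assess(path: str, status: int, body: str) -> Optional[str]:
    """Return a one-line finding for one probed URL, or None if it looks fine."""
    if path == "/readme.html" and status == 200:
        m = README_VERSION.search(body)
        version = m.group(1) if m else "unknown"
        return f"readme.html is public and reports WordPress {version}; delete it"
    if path in INSTALL_PAGES and status == 200:
        return f"{path} is reachable; delete it (and again after each core update)"
    if path == "/wp-config.php" and status == 200:
        # A blank 200 is normal: PHP ran the file and it printed nothing.
        # PHP source in the body means the server handed the file out as text.
        if "DB_PASSWORD" in body or "<?php" in body:
            return "wp-config.php source is exposed (database credentials); fix the server now"
        return None
    if path in LISTABLE_DIRS and status == 200 and LISTING.search(body):
        return f"directory listing enabled for {path}; add an empty index.php or Options -Indexes"
    return None


def username_from_login_error(body: str) -> Optional[str]:
    """Return the user name the log-in page just confirmed exists, or None.

    Older WordPress answers a wrong password with the user name echoed back,
    which is how the "admin" test in the text works; "Invalid username."
    confirms nothing.
    """
    m = LOGIN_LEAK.search(body)
    return m.group(1) if m else None


def run_checks(responses: List[Tuple[str, int, str]]) -> List[str]:
    """Apply assess() to a list of (path, status, body) and collect the findings."""
    findings = []
    for path, status, body in responses:
        finding = assess(path, status, body)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample responses (path, status, body); not from any real site.
SAMPLE_RESPONSES = [
    ("/readme.html", 200, "<h1>WordPress</h1><p>Version 3.6.1</p>"),
    ("/wp-admin/install.php", 200, "<h1>Already Installed</h1>"),
    ("/wp-admin/install-helper.php", 404, "Not Found"),
    ("/wp-config.php", 200, ""),  # blank page: the normal, healthy result
    ("/wp-content/", 200, "<html><body>Silence is golden</body></html>"),
    ("/wp-includes/", 200, "<html><head><title>Index of /wp-includes</title></head></html>"),
]
SAMPLE_LOGIN_ERROR = ("<strong>ERROR</strong>: The password you entered for the "
                      "username <strong>admin</strong> is incorrect.")

if __name__ == "__main__":
    for finding in run_checks(SAMPLE_RESPONSES):
        print("PROBLEM:", finding)
    print("confirmed user name:", username_from_login_error(SAMPLE_LOGIN_ERROR))
```

On the sample data this reports three problems (the version leak, the live install.php and the wp-includes listing) and confirms “admin”; the blank wp-config.php and the “Silence is golden” wp-content page correctly produce nothing.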

Here’s an Adams State College session on how to hack a website:

http://www.youtube.com/watch?v=O90lSMmTjjo&feature=related

They even show you how to use the Burp Suite hacking software to brute-force a password.

ART


Don’t let a hacker destroy your WordPress website
