How to secure WordPress (Part 1 of 3) - Flat101


All WordPress sites get attacked regularly; not seeing an attack doesn't mean it isn't happening. We'll deal with this issue over three posts in which we'll get into how to make a WordPress site secure. Step by step, we'll show you the keys to being able to survive an attack on your website.

We're going to see how WordPress sites are attacked and how to secure them. We'll begin with the most common attacks, which are also the easiest to deal with: dictionary or brute force attacks.

Identify the type of attack

The first thing we're going to do to secure WordPress is to identify the different attacks. We'll start with the most common ones, which are also the easiest to deal with.

Dictionary (or brute force) attack

The attack consists of identifying the WordPress users and then trying to log in with those usernames using password dictionaries. If the attackers can't extract the usernames, by default they'll try the user admin.

To extract the list of users, it's as easy as adding ?author=1 to the URL of our WordPress installation. If that works, the attacker keeps increasing the ID to find more users.


As a result we'll be redirected to the author's page and we'll see the username (the login) in the URL. With that, an attacker can go to the WordPress login page and start trying passwords until they gain access.


Solution

The solution for protecting ourselves from this type of attack involves installing the Better WP Security plugin.


This plugin will mainly do the following among other functions:

  • Blocking robots that probe for security holes and, in doing so, often end up requesting pages that return 404 errors.
  • Blocking all known malicious robots by their User-Agent whenever one is available.
  • Detecting brute force attacks and blocking the attacker if they attempt to enter the password too many times.
  • Changing the URL of the panel, in such a way that wp-admin and wp-login.php show a 404 error.
  • Blocking access to the internal directories of WordPress.

Configuration of Better WP Security

We recommend that each time you put up a WordPress site on the internet, you install this plugin and configure it in general as follows:

First we'll allow the plugin to modify wp-config.php and .htaccess so that it can add the protections.


Detection of 404 errors

A lot of robots are dedicated to continuously trying known security flaws against our WordPress installation in case one of them works. If the flaw can't be exploited, they end up on a 404 page, so we can say that if someone generates more than a hundred 404 errors in less than 5 minutes, we'll block them for a while. After being blocked numerous times, we block them indefinitely.


Blocking known robots

Some robots identify themselves with signatures we can use to directly block them before they’re able to do anything.


Once we activate this option, Better WP Security will add its default blacklist of robot signatures to .htaccess.


Blocking brute force attacks

Better WP Security will identify attackers that unsuccessfully try to gain access too many times and will block them. If we subscribe by email to the iThemes Brute Force Protection network, we can share our list of attackers with the other WordPress sites on the network and vice versa.
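As an added example (not part of the original post or of the Better WP Security plugin), the script below applies the three detection ideas from this post to web-server access-log lines: enumeration of author IDs via ?author=N, repeated failed logins against wp-login.php, and the rule of more than a hundred 404 errors in under 5 minutes. The log lines are constructed, and the thresholds of 5 failed logins and 3 author IDs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Apache/nginx "combined" access-log format: ip - - [time] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_offenders(lines, max_404=100, window=timedelta(minutes=5),
                   max_failed_logins=5, max_author_ids=3):
    not_found = defaultdict(list)      # ip -> timestamps of 404 responses
    failed_logins = defaultdict(int)   # ip -> failed POSTs to wp-login.php
    author_ids = defaultdict(set)      # ip -> distinct ?author=N values requested
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # skip lines that do not parse
        ip, ts, method, path, status = m.groups()
        if status == "404":
            not_found[ip].append(datetime.strptime(ts, TS_FMT))
        # A failed WordPress login re-renders the form with HTTP 200; success redirects (302).
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed_logins[ip] += 1
        if hit := re.search(r"[?&]author=(\d+)", path):
            author_ids[ip].add(hit.group(1))
    flagged = defaultdict(set)
    for ip, times in not_found.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window: more than max_404 within `window`
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_404:
                flagged[ip].add("404-flood")
                break
    for ip in set(failed_logins) | set(author_ids):
        if failed_logins[ip] >= max_failed_logins:
            flagged[ip].add("login-bruteforce")
        if len(author_ids[ip]) >= max_author_ids:
            flagged[ip].add("author-enumeration")
    return {ip: sorted(tags) for ip, tags in flagged.items()}

def sample_log():
    """Constructed log lines (not from any real server) that trigger each rule once."""
    fmt = '{ip} - - [{t}] "{m} {p} HTTP/1.1" {s} 512 "-" "Mozilla/5.0"'
    t0 = datetime(2014, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    stamp = lambda i: (t0 + timedelta(seconds=i)).strftime(TS_FMT)
    lines = [fmt.format(ip="203.0.113.5", t=stamp(i), m="GET", p=f"/old-{i}.php", s=404) for i in range(101)]
    lines += [fmt.format(ip="198.51.100.7", t=stamp(i), m="GET", p=f"/?author={i}", s=301) for i in range(1, 4)]
    lines += [fmt.format(ip="198.51.100.7", t=stamp(i), m="POST", p="/wp-login.php", s=200) for i in range(5)]
    lines.append(fmt.format(ip="192.0.2.9", t=stamp(0), m="POST", p="/wp-login.php", s=302))  # real login
    return lines
```

Running `find_offenders(sample_log())` flags 203.0.113.5 for the 404 flood and 198.51.100.7 for both author enumeration and the login attempts, while the single successful login from 192.0.2.9 is left alone.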


Hide the control panel

Without a doubt, the most important measure for protecting against brute force attacks is to change the login URL of our WordPress site, so that only those who know the address can log in. We recommend entering a unique name that you're comfortable with.

Once this is done, all of our users will be notified of the new URL by email.


Other security measures

To finish up the configuration of the plugin, we'll enable other security measures that are just as important, such as preventing directory listing of our files, blocking suspicious URLs, not executing PHP in the WordPress uploads directory, etc.


In conclusion

It’s important for us to take these security measures whenever we install a WordPress site that is exposed to the internet.

In the following articles we’ll see:

  • How to prevent users from being listed using ?author=1.
  • How to make effective backups and minimize the data loss for shops and blogs.
  • How to completely hide the fact that we're using WordPress, protecting us against 99% of robot attacks.

I'll answer any questions in the comments section.
