How to secure WordPress (Part 1 of 3)
How to secure wordpress
All WordPress sites get regularly attacked, if we don’t see something that doesn’t mean it isn’t happening. This issue will be dealt with over three posts where we’ll get into how to make a WordPress site secure.. Step-by-step we’ll show you the keys to being able to survive after an attack on your website.
We’re going to see how WordPress sites are attacked andhow to secure them. The first thing we’re going to do to secure WordPress is to identify the different attacks. We’re going to start by first seeing the most common and easy to be dealt with attacks. They are dictionary or brute force attacks.
Identify the type of attack
The first thing we’re going to do to secure WordPress is to identify the different attacks. We’re going to start by first seeing the most common and easy to be dealt with attacks.
Dictionary (or brute force) attack
The attack consists of identifying WordPress users and then trying to login with their names attempting using password dictionaries. In case they don’t manage to extract the names of the users, by default they’ll try for the user admin.
To extract the list of users, it’s as easy as adding? author=1 to the URL of our WordPress installation. If that works, we’ll start increasing the ID to find more users.
As a result we’ll be redirected to the author’s page and we’ll see the login in the URL. Now we can go to the login page for WordPress and start to try passwords until we gain access.
The solution for protecting ourselves from this type of attack involves installing the Better WP Security plugin.
This plugin will mainly do the following among other functions:
- Blocking the robots that find security breachesand thus many times end up calling 404 pages.
- Blocking all the known malicious robots through UserAgent whenever it’s available.
- Detecting brute force attacks and blocking the attacker if they attempt to enter the password too many times.
- Changing the URL of the panel, in such a way that wp-admin and wp-login.php show a 404 error.
- Blocking access to the internal directories of WordPress.
Configuration of Better WP Security
We recommend that each time you put up a WordPress site on the internet, you install this plugin and configure it in general as follows:
First we’ll allow the plugin to modify the wp-config.php file and .htaccess to let us add the protection.
Detection of 404 errors
A lot of robots are dedicated to continuously attempting known security flaws in our WordPress installation in case one of them works. If the security flaw can’t be exploited, they end up on a 404 page, and as such we can say that if someone ends up generating more than a hundred 404 errors in less than 5 minutes, we’ll block them for a while. After being blocked numerous times, we block them indefinitely.
Blocking known robots
Some robots identify themselves with signatures we can use to directly block them before they’re able to do anything.
Once we activate this option, Better WP Security will add it to .htaccess.
Blocking brute force attacks
Better WP Security will identify attackers that unsuccessfully try to gain access too many times and will block them. If we subscribeby email to the network iThemes Brute Force Protection, we can share the list of attackers with other WordPress sites on the network and vice-versa.
Hide the control panel
Without a doubt, the most important measure for protecting against brute force attacks is to change the URL of the login for our WordPress site, so that only those who know the URL address can login. We recommend entering a unique name that you’re comfortable with.
Once this is done all the users we have will be notified that there’s new URL via email.
Other security measures
To finish up the configuration of the plugin, we’ll enabled other security measures which are just as important, such as avoiding files being listed in our directories, blocking suspicious URLs, not executing PHP in the uploads directory of WordPress, etc.
It’s important for us to take these security measures whenever we install a WordPress site that is exposed to the internet.
In the following articles we’ll see:
- How to avoid users being listed using?author=1.
- How to make effective backups and minimize the data loss for shops and blogs.
- How to fully hide the fact that we’re using a WordPress installation protecting us against 99% of robot attacks.
I’ll answer any questions in the comments section