How to secure WordPress (Part 1 of 3) - Flat101

All WordPress sites get attacked regularly; just because we don’t see it doesn’t mean it isn’t happening. This issue will be dealt with over three posts in which we’ll get into how to make a WordPress site secure. Step by step we’ll show you the keys to being able to survive an attack on your website.

We’re going to see how WordPress sites are attacked and how to secure them, starting with the most common and easiest to deal with: dictionary (or brute force) attacks.

Identify the type of attack

The first thing we’re going to do to secure WordPress is to identify the different attacks. We’re going to start by first seeing the most common and easy to be dealt with attacks.

Dictionary (or brute force) attack

The attack consists of identifying WordPress users and then trying to log in with their names using password dictionaries. If they don’t manage to extract the user names, by default they’ll try the user admin.

To extract the list of users, it’s as easy as adding ?author=1 to the URL of our WordPress installation. If that works, we’ll keep increasing the ID to find more users.

As a result we’ll be redirected to the author’s page and we’ll see the user’s login name in the URL. Now we can go to the WordPress login page and start trying passwords until we gain access.

Solution

The solution for protecting ourselves from this type of attack involves installing the Better WP Security plugin.

This plugin will mainly do the following, among other functions:

  • Blocking the robots that probe for security breaches and thus often end up calling 404 pages.
  • Blocking all known malicious robots by User-Agent whenever it’s available.
  • Detecting brute force attacks and blocking the attacker if they attempt to enter the password too many times.
  • Changing the URL of the panel so that wp-admin and wp-login.php return a 404 error.
  • Blocking access to the internal directories of WordPress.

Configuration of Better WP Security

We recommend that each time you put a WordPress site on the internet, you install this plugin and configure it in general as follows:

First we’ll allow the plugin to modify the wp-config.php and .htaccess files so it can add the protection.

Detection of 404 errors

A lot of robots are dedicated to continuously trying known security flaws against our WordPress installation in case one of them works. If the flaw can’t be exploited, they end up on a 404 page, so we can say that if someone generates more than a hundred 404 errors in less than 5 minutes, we’ll block them for a while. After they’ve been blocked numerous times, we block them indefinitely.

Blocking known robots

Some robots identify themselves with signatures we can use to directly block them before they’re able to do anything.

Once we activate this option, Better WP Security will add the blacklist to .htaccess.

Blocking brute force attacks

Better WP Security will identify attackers that unsuccessfully try to gain access too many times and will block them. If we subscribe by email to the iThemes Brute Force Protection network, we can share the list of attackers with the other WordPress sites on the network and vice versa.
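Added example, not code from the article or from the Better WP Security plugin: a Python sketch of the two detection rules described above (404 floods in the "Detection of 404 errors" section and repeated login failures here), run over constructed Apache access-log lines. The login limit and the number of strikes before an indefinite block are assumed values; the 404 threshold is the one the article states.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Article rule: >100 404s within 5 min = temporary block, repeated blocks = indefinite; the login limit and strike count are assumptions.
RULES = {"404": (100, 300), "login": (5, 300)}  # rule -> (max events, window in seconds)
PERMANENT_AFTER = 3
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def classify(method, path, status):
    if status == 404:
        return "404"
    if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200:
        return "login"  # a failed login re-renders the form with HTTP 200; success is a 302 redirect
    return None

class Blocker:
    def __init__(self):  # events: (ip, rule) -> timestamps still inside the sliding window
        self.events, self.strikes, self.decisions = defaultdict(deque), defaultdict(int), []

    def feed(self, line):
        m = LOG_RE.match(line)
        rule = m and classify(m["method"], m["path"], int(m["status"]))
        if not rule:
            return None
        limit, window = RULES[rule]
        q = self.events[(m["ip"], rule)]
        q.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
        while q[-1] - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) <= limit:
            return None
        q.clear()  # a block resets the counter; the next burst is a new strike
        self.strikes[m["ip"]] += 1
        kind = "permanent" if self.strikes[m["ip"]] >= PERMANENT_AFTER else "temporary"
        self.decisions.append((m["ip"], rule, kind))
        return kind

def constructed_lines(ip, count, spacing, method, path, status):  # constructed sample traffic, TEST-NET IPs
    stamp = lambda i: datetime.fromtimestamp(i * spacing, timezone.utc).strftime("%d/%b/%Y:%H:%M:%S %z")
    return [f'{ip} - - [{stamp(i)}] "{method} {path.format(i=i)} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'
            for i in range(count)]

def demo():
    b = Blocker()
    for line in (constructed_lines("192.0.2.10", 303, 2, "GET", "/wp-content/plugins/p{i}/readme.txt", 404)  # 3 bursts
                 + constructed_lines("198.51.100.7", 101, 10, "GET", "/missing-{i}", 404)  # spread over 1000 s
                 + constructed_lines("203.0.113.5", 6, 5, "POST", "/wp-login.php", 200)):  # 6 failed logins
        b.feed(line)
    return b.decisions
```

The second address sends the same number of 404s but spread over 1000 seconds, so it never exceeds the threshold inside one window and is never blocked.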

Hide the control panel

Without a doubt, the most important measure for protecting against brute force attacks is to change the login URL of our WordPress site, so that only those who know the address can log in. We recommend choosing a unique name that you’re comfortable with.

Once this is done, all our users will be notified of the new URL by email.

Other security measures

To finish the configuration of the plugin, we’ll enable other security measures that are just as important, such as preventing the files in our directories from being listed, blocking suspicious URLs, not executing PHP in the WordPress uploads directory, etc.

In conclusion

It’s important for us to take these security measures whenever we install a WordPress site that is exposed to the internet.

In the following articles we’ll see:

  • How to avoid users being listed using ?author=1.
  • How to make effective backups and minimize the data loss for shops and blogs.
  • How to fully hide the fact that we’re using a WordPress installation protecting us against 99% of robot attacks.

I’ll answer any questions in the comments section.