WordPress is more popular today than ever, and a lot of different websites are built on this CMS — blogs, corporate websites, online stores and even large portals. No doubt WordPress is convenient and easy to use, but it has several security issues that are worth closing.
1. Protecting WordPress from XSS injections
PROBLEM
Developers usually protect GET and POST requests, but sometimes this is not enough. We also need to protect the website from XSS injections and from attempts to overwrite the GLOBALS and _REQUEST variables through the query string.
SOLUTION
The following rules block XSS injections and attempts to modify the GLOBALS and _REQUEST variables. Paste them into the .htaccess file in the site's root folder. They check the query string of every request; if it contains a script tag or tries to set GLOBALS or _REQUEST, the request is blocked and a 403 error page is shown.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
2. Stop displaying additional login information
PROBLEM
If you enter wrong details while trying to log in to the admin panel, our polite CMS will tell you about it. Do you want an attacker to know that the login details he entered are incorrect, or is it better not to display this information?
SOLUTION
Open the functions.php file of your theme (wp-content/themes/your_theme_name/) and add one line of code:
// create_function() was removed in PHP 8, so a closure is used instead.
// Returning an empty string hides the "incorrect username/password" message.
add_filter('login_errors', function ($error) { return ''; });
3. Forcing SSL
PROBLEM
If you want to protect the information you transfer, the best way is to use SSL. It provides integrity and confidentiality of the data, and it is very easy to enable in WordPress.
SOLUTION
First, find out whether your hosting provider supports SSL. If so, open the wp-config.php file and add this line:
define('FORCE_SSL_ADMIN', true);
4. Use .htaccess to protect the wp-config file
PROBLEM
wp-config.php contains all the information needed to connect to the MySQL server and database. It is very important to protect this file.
SOLUTION
Add the following code to your .htaccess file:
# Apache 2.2-style access directives (still accepted by 2.4 via mod_access_compat)
<files wp-config.php>
order allow,deny
deny from all
</files>
5. Hide the WordPress version
PROBLEM
WordPress automatically adds its version number to the page source, and it is very easy for somebody to use this information when attacking your site. Each WP version has its well-known bugs and loopholes, so let's hide this information.
SOLUTION
Open the functions.php file (wp-content/themes/theme_name/) and simply add this line:
remove_action('wp_head', 'wp_generator');
6. Ban all spammers and bots
PROBLEM
Annoying spammers and bots can give you a headache. The solution is to ban them by IP address. Of course, this will not protect you from spamming scripts that work through proxies.
SOLUTION
Add the following code to your .htaccess file and replace the IP address (123.456.789 is only a placeholder). That's it... that spammer will not disturb you any more.
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 123.456.789
</Limit>
7. Write a plugin to protect from harmful URL-queries
PROBLEM
Hackers very often try to find weaknesses with the help of all kinds of malicious queries. WordPress is well protected from this, but we will add extra protection.
SOLUTION
Create a new file blockbadqueries.php, put it into the wp-content/plugins folder, and then activate it in the admin panel just like any other plugin.
<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: vellumweb.com
Description: Protect WordPress Against Malicious URL Requests
Author URI: vellumweb.com/
Author: VellumWeb
Version: 1.0
*/

// Run on 'init' so the current user is known; current_user_can() cannot be
// used at plugin load time. Administrators ('manage_options' replaces the
// deprecated 'level_10') are exempt, every other request is checked.
function bbq_block_bad_queries() {
    if (current_user_can('manage_options')) {
        return;
    }
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    $bad_tokens = array('eval(', 'CONCAT', 'UNION+SELECT', 'base64');
    $is_bad = strlen($uri) > 255;
    foreach ($bad_tokens as $token) {
        // strpos() returns 0 for a match at offset 0, so compare with === false
        if (strpos($uri, $token) !== false) {
            $is_bad = true;
        }
    }
    if ($is_bad) {
        header('HTTP/1.1 414 Request-URI Too Long');
        header('Status: 414 Request-URI Too Long');
        header('Connection: Close');
        exit;
    }
}
add_action('init', 'bbq_block_bad_queries');
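To see which requests the section 1 rewrite rules and the section 7 plugin would actually block, here is an added Python port of both checks run over a few constructed access-log lines (example code, not from the original post; the patterns are transcribed from the snippets above, and the log lines, addresses and timestamps are made up):

```python
import re
from urllib.parse import urlsplit

# Section 1's three RewriteCond patterns, applied to the raw query string.
# The first carries [NC] in .htaccess, so it is case-insensitive here too.
XSS_RULES = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]
# Section 7's plugin checks on the full REQUEST_URI (case-sensitive, like strpos).
BAD_URI_TOKENS = ("eval(", "CONCAT", "UNION+SELECT", "base64")
MAX_URI_LEN = 255

def htaccess_blocks(query_string):
    """True if the section 1 rules would answer 403 for this query string."""
    return any(rule.search(query_string) for rule in XSS_RULES)

def plugin_blocks(request_uri):
    """True if the section 7 plugin would answer 414 for this request URI."""
    return len(request_uri) > MAX_URI_LEN or any(t in request_uri for t in BAD_URI_TOKENS)

def classify(request_uri):
    # Apache evaluates .htaccess before PHP runs, so the 403 rule is checked first.
    if htaccess_blocks(urlsplit(request_uri).query):
        return "403 .htaccess"
    if plugin_blocks(request_uri):
        return "414 plugin"
    return "allowed"

# The request target is the second token of the quoted request field of a combined log.
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def classify_log(lines):
    """Return (request_uri, verdict) for every parsable access-log line."""
    return [(m.group(1), classify(m.group(1))) for m in map(LOG_REQUEST.search, lines) if m]

# Constructed sample log lines; addresses and timestamps are made up.
# The fourth is a harmless search for "<b>my script</b>" and shows a false positive.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "curl"',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?GLOBALS[x]=1 HTTP/1.1" 200 512 "-" "curl"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?p=1+UNION+SELECT+1,2 HTTP/1.1" 200 512 "-" "curl"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?s=%3Cb%3Emy+script%3C/b%3E HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /wp-content/themes/x/script.js?ver=1 HTTP/1.1" 200 512 "-" "Mozilla"',
]

if __name__ == "__main__":
    for uri, verdict in classify_log(SAMPLE_LOG):
        print(f"{verdict:14} {uri}")
```

The false positive on the fourth line is the price of signature rules like these: any search or comment text that contains an encoded tag around the word "script" is rejected with a 403.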
8. Hotlinking
PROBLEM
Just imagine that some images from your website appear on a popular Chinese news site (I mean links to your images)... it's horrible :)
SOLUTION
I hope you didn't close the .htaccess file. Now we need to put some more code into it:
RewriteEngine On
# Allow requests whose Referer is your own site (http or https) or is empty
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the placeholder image itself, or the rule would match it again
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
You will have to change mysite\.com/ to your own domain and /images/nohotlink.jpg to the path of your placeholder image.
9. Kill the admin
PROBLEM
It is very easy to get the admin login details if you know the username, and you know that the WP default username is admin.
SOLUTION
Run this database query:
-- wp_ is the default table prefix; adjust it if yours differs
UPDATE wp_users SET user_login = 'type_your_new_login' WHERE user_login = 'admin';
10. Protect directories on your server
PROBLEM
Many hosting providers allow directory listing on their servers. For example, if you open www.yoursite.com/wp-includes you may see its contents. Undoubtedly this is not safe.
SOLUTION
We need to edit the .htaccess again:
Options All -Indexes
So now your WordPress website is protected, but do not forget about the «sign out» button.