Additional WordPress Base Configuration – Security Enhancements/Plugins

In a previous post we worked through setting up your WordPress site on NearlyFreeSpeech. Now I thought I’d write about the additional configuration steps I take with my WordPress sites once I have the base install up and running. These are generic and can be used across any installation which is why I’ve separated them out from the specific steps in the NearlyFreeSpeech set up guide.

In this post I’m focusing on the security improvements you can make to your configuration. These are either via a plugin or through some configuration file changes. I’ll also pick up on the functionality / appearance improvements which you can make in a subsequent post.

A note on editing the functions.php file

This post recommends editing the functions.php file to improve aspects of your WordPress site. Note that the functions.php file is actually tied to your theme so you will lose any customisations you make to it if you change themes. Where I recommend you edit the functions.php file it is probably better to use a plugin (I do!) such as ‘Code Snippets’ (https://wordpress.org/plugins/code-snippets/screenshots/) to manage any code that you would otherwise add to functions.php. This plugin then lets you managed each piece of code like its own plugin and you can turn it on and off and it will survive across theme changes. It adds its own section to the sidebar which acts like the ‘Plugins’ section.

Use the correct file permissions
You’ll note that we already set the correct file permissions in the previous post which stops visitors being able to write to our WordPress directory. Just to double check you can run these commands again from the root directory of your installation.

 

Don’t let everyone know your WordPress version
Remove the readme.html file from your WordPress root directory. Then people won’t be able to easily find out your version. This will stop them targeting attacks at your site when vulnerabilities in your particular version are discovered. Of course you should also keep your installed version up to date to ensure you have discovered vulnerabilities patched.

Don’t use the default admin username
The default username for a WordPress site is ‘admin’. This makes an unnecessarily easy starting place for an attacker looking to get access to your site. You should change the administrator account by logging in as ‘admin’ then creating a new account with administrator privileges. Log in with this new account then disable or take away the administrative privileges from ‘admin’. Easy.

Limiting PHP Script Access
This is optional as it could stop/hinder some themes or plugins. If you want to stop any .php files from running in your wp-content folder (or any other folder) then add this to a .htaccess file in the respective folder. You should be included in any directory that contains uploaded or cached content. You can paste this (including the last line break) at the command line:

To reverse this restriction for a subdirectory if needed, switch to that subdirectory and enter:

 

wp-config.php security keys
If you followed my setup guide in a previous post, you’ll already have updated your security keys in the wp-config.php file. If you didn’t follow my guide, you can change these keys by opening the wp-config.php file in an SSH session and replacing the security key section with keys sourced here: https://api.wordpress.org/secret-key/1.1/salt/

Note that these keys are regenerated every time you visit that page. The keys (actually salts) in the config file are used to add more security to your passwords.

Also note that if you suspect someone is logged into WordPress as you without your knowledge then by changing these values you will immediately lock them out of any logged in session since their cookies become invalid.

Database prefixes
If someone wants to attack your database set up they know the default DB table prefixes, this makes the attack a little bit easier (although still pretty hard). You can minimise this risk by changing the DB table prefixes using the ‘Change BD Prefix’ plugin.

.htaccess file – stop users viewing WordPress directory contents
If you followed my set up guide you’ll have created a .htaccess file in the WordPress installation root directory. Make sure this file has the line ‘Options -Indexes’ in it. This stops visitors from browsing your WordPress directories.

2 factor Authentication
Enable two factor authentication on your WordPress site’s admin pages, by installing this plugin: https://wordpress.org/plugins/google-authenticator/
This will allow you to use the popular Google Authenticator (or Authy) as the second factor. There are various other 2 factor plugins available also which make use of other second factors, e.g. usb keys, SQRL, …

Disable WordPress Login Hints
When you type a non-existent username or an incorrect password while logging into WordPress, it will provide a very detailed error message telling you exactly whether your username is wrong or the password doesn’t match. That could offer an hint to people who are trying to break into your WordPress blog but, fortunately, we can disable the login warnings by adding this to the functions.php file.

 

Limit Login Attempts
Install the plugin called (Limit Login Attempts). It logs the IP address and the exact date & time when a user is trying to log into your WordPress and also keeps track of unsuccessful login attempts. You can automatically lock out users after they have made ‘n’ unsuccessful login attempts.

Watch for unexpected file changes
Install plugin “WordPress File Monitor Plus”. This plugin will monitor your WordPress installation folder and will send email alerts when any file is added, deleted or modified on your server.

Scan if you notice anything unusual
Install plugin “Sucuri”. If you ever notice any suspicious activity on your WordPress site, use the Threat Scan plugin to automatically scan your PHP files and your WordPress database for any malicious code that may have been injected through the backdoor.

Leave a Reply

(email optional)