7 Things You Must Do For A Better WordPress Security

In this post, we will explain a few WordPress security issues and how you can address them to secure your website using plugins, .htaccess rules and a website vulnerability scanner.

1. Improve WordPress Security On Login Page

A brute-force attack aims to guess WordPress login passwords through repeated login attempts, using tools or scripts that generate many username/password combinations. A default installation of a WordPress website is vulnerable to this attack.

Recommended WordPress plugins

Better WP Security

A very good WordPress security plugin that can tweak several aspects of WP security. To block brute-force attacks, check the “login limits” tab.

[Screenshot: Better WP Security plugin used to protect the WordPress sign-in page]



2. Restrict access to WP login page

You can block access to wp-login.php by adding rules to your .htaccess file. For example, you can choose to grant access to a limited number of IPs, or even restrict the admin login to a single country by using IP subnet masks.

You can get the IP blocks for your country from here, or you can Google for an IP range generator if you would like to allow or block specific subnets.

Restrict access to wp-login.php to a single country

These are the root .htaccess rules that block wp-login.php for everyone except IP addresses from Tunisia.

<FilesMatch "^(wp-login\.php)">
order deny,allow
deny from all
#Allow from 127.0.0.1
Allow from 41.224.0.0/13
Allow from 46.36.198.88/29
Allow from 80.85.27.200/29
Allow from 193.95.0.0/17
Allow from 195.230.200.52/30
Allow from 196.203.0.0/16
Allow from 196.216.156.0/22
Allow from 197.0.0.0/11
Allow from 199.59.60.216/29
Allow from 208.114.116.184/29
Allow from 213.150.160.0/19
Allow from 216.153.65.0/26
</FilesMatch>

Block /wp-admin directory

Put these lines in /wp-admin/.htaccess and change the IP/subnet to yours.

order deny,allow
deny from all
Allow from 41.224.0.0/13

Warning: Some plugins may stop working correctly if you block the wp-admin folder or wp-login.php. WooCommerce, for example, uses /wp-admin/admin-ajax.php and relies on the normal WordPress authentication for customer sign-in.


3. Use htaccess to filter requests

It’s possible to filter requests according to their method, query string (%{QUERY_STRING}), user agent (%{HTTP_USER_AGENT}) or referrer (%{HTTP_REFERER}).
This is an easy way to get rid of bad bots, content scrapers and robots that don’t respect your robots.txt file or crawl excessively.

BulletProof Security

Use this plugin to tweak .htaccess settings, but be careful when modifying them: a bad configuration can make your site inaccessible or even less secure (vulnerable)!
Note: This can cause the “Request exceeded the limit of 10 internal redirects” error on Apache servers, so don’t forget to check your web server logs.


4. Hide site authors’ usernames

A default WordPress website shows author archive pages when asked for the URL yourwebsite.com/?author=X, where X is the author ID (the first author gets ID 1, and so on).
By blocking author archive pages you hide usernames from prying eyes. A default WP install assigns ID 1 to the admin user.

WordPress SEO by Yoast.com

This WP plugin can disable author archive pages.
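The request filters from section 3 and the author-archive blocking from section 4 can also be done directly in the root .htaccess with mod_rewrite. The rules below are an added example, not from the original post or any of the plugins named here; the bot names and the referrer domain are made-up placeholders that you would replace with values taken from your own access logs.

```apache
# Added example (not from the original post): mod_rewrite filters for the
# root .htaccess. Bot names and the referrer domain are constructed
# placeholders; take real values from your access logs.
<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Method filter: a WordPress site only needs GET, POST and HEAD.
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)$
RewriteRule .* - [F,L]

# 2. Query-string filter: refuse ?author=N on the public site so that
#    WordPress never redirects it to /author/<username>/. The wp-admin
#    exclusion keeps the "filter posts by author" admin screen working.
RewriteCond %{REQUEST_URI} !^/wp-admin/
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule .* - [F,L]

# 3. User-agent filter: block empty agents and a constructed scraper list.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} (ExampleScraper|PlaceholderCrawler) [NC]
RewriteRule .* - [F,L]

# 4. Referrer filter: drop hits referred from a constructed spam domain.
RewriteCond %{HTTP_REFERER} ^https?://([^/]+\.)?spam-referrer\.invalid [NC]
RewriteRule .* - [F,L]
</IfModule>
```

Each block answers with a 403, so check your web server error log after adding them: a pattern that is too broad will lock out legitimate visitors too.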


5. Block bad IPs with Fail2ban (VPS/dedicated server only)

Install Fail2ban and the “WP fail2ban” plugin to enable it. With some tweaking you can use it as a scan blocker too.


6. Use a WP website vulnerability scanner

Using a scanner is the easiest way to find vulnerabilities and security issues.

Anti-Malware by ELI

This plugin scans for malicious scripts and backdoors, and is extremely useful if you installed a WP theme from a suspicious source or your website got hacked.

Ultimate Security Checker

A good website vulnerability scanner that checks various aspects of security, helping you find possible breaches. Make sure that your WordPress website is scanned frequently to correct any vulnerabilities.


7. Update TimThumb

TimThumb Vulnerability Scanner

Add this plugin to your site to check your version of TimThumb and update it to the latest one.


Don’t forget to back up your website before making any changes, and always remember that even a “secure web hosting” company cannot protect you if you leave your WordPress site insecure.

