Safety First: A guide to securing your WordPress site. Part 2.

WordPress security via cPanel or Plesk (or other site admin tool)

cPanel and Plesk are two common control panels or admin tools for your web hosting environment. (There are others, too.) You’ll have been given a login name and password to access your site’s control panel by your web host. More than likely you’ll find your control panel at http://yoursitename.com.au/cpanel or http://yoursitename.com.au/plesk.

Log in to your control panel and navigate to your WordPress files using the built-in file manager. They will most likely reside in a folder called ‘public_html’. Note that there’s no folder called ‘WordPress’ as such; if you’ve installed WordPress in its default location, there will be a bunch of files within ‘public_html’, some of which relate to your WordPress installation and some of which don’t, and three folders called ‘wp-admin’, ‘wp-includes’ and ‘wp-content’. In a typical install, the ‘public_html’ folder is your WordPress ‘root’ folder.

Install security and salt keys

If you’re running a reasonably recent version of WordPress, chances are that these have been installed by default, but it’s a good idea to check, and if necessary, change them. The keys improve encryption of the information that is stored in a visitor’s cookies. They also make it harder to crack your password, as they add random elements to it (don’t worry, you don’t have to remember any of this). So…
Locate the file called wp-config.php. Open it using the control panel’s text or code editor. Check for the following sequence:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

If these entries still contain the phrase ‘put your unique phrase here’, or if they simply don’t exist, you need to edit or add them. Take a trip over to the WordPress Salt Keys Generator; you’ll end up with something like this:

define('AUTH_KEY', 'i@nzZ(>%c&I[jovLzC> *|w!I|[DJ}?Vk-*%` ~0%n@-/#KOQYnEIht- K]q+g96');
define('SECURE_AUTH_KEY', 'o&vU%1u`$jv~Na*#_ qy}7y (%:9,iR$pc,W$~)Bg.(Mlb@|#p7ry:U>Ie,@78bd');
define('LOGGED_IN_KEY', 'x&Z{_>H?mrf6*a$+eJEq4W.^*?z4)|pO_TRmt)U=u_(Ns)v;yZh3^IcZ)J#PQ~)r');
define('NONCE_KEY', '5K]eufZX+L:X$>ctq01]CJ#FV7(i4o;cC/J-K&x_sB6fc6c-Ql/)RFj1jk)KMJ^T');
define('AUTH_SALT', 'A}$^):A6 sBWC/Ir!T0j19N&D<@Z<ffWwf$)|Ii&ZCgJ4&:4On9~j6GM|`MG4;vc');
define('SECURE_AUTH_SALT', 'V{(nQf<-rXg5a*!m=Mg!;I /xs3HX7l.3h!dnrAr-d&)/B;1R:vvb(v5(~d*N:9r');
define('LOGGED_IN_SALT', 'jak-iN{m(mJTi7[$~W]T2.XJ2R@3`%#Er]QNmbS!um#Y#iRfssFp+=vm`iN]c$D@');
define('NONCE_SALT', '(c@fS5=S6!p{1mW1]jHa5{(<l)jgO-2# &|a5R2,T{.bGfe$r;:v-|?%9cyBzWq-');

Replace the un-keyed block with the new block of keyed code, such as the one above, in your wp-config.php file.

Don’t copy-and-paste the codes above: they’re just an example. Get your own unique keys from the WordPress Salt Keys Generator.

Change the table prefix of your WordPress database tables

By default, each of the tables in your WordPress database (where all your content and information is stored) is preceded by the prefix ‘wp_’, so your tables are named ‘wp_posts’, ‘wp_users’, ‘wp_terms’ and so on.

As with the default ‘admin’ username, hackers know these defaults and target them because it takes one more variable out of the hacking equation. If you change the prefix, hackers have to guess it, which can go a long way to their giving up.

Don’t pass this one by: your WordPress database is a prime target for SQL injection attacks (I won’t go into the details here; suffice it to say it’s scary stuff), which can give hackers access to your database. Once they’ve got access to your WordPress database, they can do pretty much whatever they want.

Changing the prefix of your database tables requires changing your wp-config.php file, and changing all your tables through a database utility such as phpMyAdmin. If you don’t feel confident with either of these steps, ask someone for help.
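The step above has a trap the article does not spell out: WordPress also stores the prefix as data, in the ‘wp_user_roles’ option and in the usermeta keys ‘wp_capabilities’ and ‘wp_user_level’. Rename only the tables and every user is left without a role, so nobody can get into the admin. The script below is an added example written for this page (not saso.creative’s or WordPress’s own code); it assumes MySQL/MariaDB syntax, a constructed list of the stock core tables (a real site will have plugin tables too, so take the list from SHOW TABLES), and a hypothetical new prefix ‘k7q_’. It prints the statements to paste into phpMyAdmin’s SQL tab and the matching wp-config.php line; run them inside one transaction after taking a backup.

```python
import re

# Tables a stock WordPress install creates. Constructed list for this example; a
# real site usually has extra plugin tables, so take the list from SHOW TABLES.
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
)


def like_escape(text):
    """Escape a literal for use inside a MySQL LIKE pattern ('_' and '%' are wildcards)."""
    return text.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")


def plan_prefix_change(old, new, tables=CORE_TABLES):
    """Return the MySQL statements that move every table from prefix `old` to `new`,
    in the order they should be run (inside one transaction, after a backup)."""
    if not old or not new:
        raise ValueError("both prefixes must be non-empty")
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        # WordPress itself refuses a $table_prefix containing anything else.
        raise ValueError("prefix may only contain letters, digits and underscores")
    statements = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # The prefix is also stored as data in two places. If these are not renamed,
    # every user is left without a role, because WordPress looks up
    # '<prefix>capabilities' and '<prefix>user_roles' under the new prefix.
    statements.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    statements.append(
        f"UPDATE `{new}usermeta` "
        f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like_escape(old)}%';"
    )
    return statements


def wp_config_line(new):
    """The wp-config.php line that must change at the same time."""
    return f"$table_prefix = '{new}';"


if __name__ == "__main__":
    print(wp_config_line("k7q_"))                       # hypothetical new prefix
    print("\n".join(plan_prefix_change("wp_", "k7q_")))
```

The LIKE pattern escapes the underscore because ‘_’ is a single-character wildcard in MySQL; without the escape the final UPDATE would also rewrite any meta key that merely starts with ‘wp’ followed by any character.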

Keep WordPress updated — automatically

Every new release of WordPress addresses security issues that may have become apparent in the previous version. If you don’t keep WordPress up-to-date, you are more susceptible to attack because older versions don’t have all the latest security updates.

Since version 3.7, WordPress has had a feature that automatically updates WordPress in the background; however, this only applies to minor updates, not major ones. (Major updates are released roughly twice a year and are signified by incrementing the version number by 0.1; minor updates increment by 0.01. So a major update would be 3.9, 4.0 and 4.1, whereas a minor update would be 4.11, 4.12 and so on.)

To enable major updates as well as minor updates automatically, add the following to your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

Be aware that there is a risk that your website will ‘break’ or become in some way non-functional following a major update. This is more likely if your plugins are not actively updated along with the WordPress core. For this reason, you may not want to enable this function. If you choose not to update automatically, you should keep a regular eye on what updates are available and install them manually.

Disable the theme and plugin editor

WordPress has a built-in facility to edit your theme and plugin files. This is great if you’re a developer; pretty pointless if you’re not.

Further, if a hacker manages to get into your site, they can do a lot of damage, very quickly, if they have access to this editor. It makes sense, then, to simply disable it.

Add the following code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

Use correct file permissions

It is important that file permissions are configured correctly. Having a directory erroneously set to 777 (a permissions designation) could allow a malicious party to upload a file or modify an existing file.

According to WordPress, you should use the following permissions on your website:

All directories should be set to 755 or 750;
All files should be set to 644 or 640;
wp-config.php should be set to 600.

There is a file permissions editor within cPanel and Plesk. Use the File Manager to view your files, select a file or directory and click the Permissions button. Change as necessary. Be careful!
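Clicking through every file in the File Manager does not scale, and it is easy to miss the one 777 folder that matters. The script below is an added example written for this page (not saso.creative’s or WordPress’s own code): it walks a WordPress root, reports every entry whose mode is outside the sets listed above (755/750 for directories, 644/640 for files, 600 for wp-config.php), and optionally corrects them. It skips symbolic links so that a link pointing outside the web root is never followed or changed, and it assumes a POSIX filesystem (run it over SSH, or on a downloaded copy of the site). The `demo()` function builds a constructed throwaway tree with deliberately wrong modes so the script can be tried without touching a live site.

```python
import os
import stat
import tempfile

# Modes the page (quoting wordpress.org) allows. Anything else is reported, and
# chmod'ed to the first choice when fix=True.
DIR_MODES, DIR_DEFAULT = {0o755, 0o750}, 0o755
FILE_MODES, FILE_DEFAULT = {0o644, 0o640}, 0o644
CONFIG_MODES, CONFIG_DEFAULT = {0o600}, 0o600


def audit_permissions(root, fix=False):
    """Walk `root` and return [(relative_path, actual_mode, expected_mode)] for every
    entry whose mode is outside the allowed set. Symlinks are skipped so that a link
    pointing outside the web root is never followed or changed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if is_dir:
                allowed, expected = DIR_MODES, DIR_DEFAULT
            elif name == "wp-config.php":
                allowed, expected = CONFIG_MODES, CONFIG_DEFAULT
            else:
                allowed, expected = FILE_MODES, FILE_DEFAULT
            if mode not in allowed:
                findings.append((os.path.relpath(path, root), mode, expected))
                if fix:
                    os.chmod(path, expected)
    return findings


def demo():
    """Build a throwaway tree with deliberately wrong modes (constructed, not a real
    site), fix it, and return (findings_before_fix, findings_after_fix)."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        for rel in ("index.php", "wp-config.php", "wp-content/uploads/a.jpg"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("// constructed placeholder\n")
        os.chmod(os.path.join(root, "wp-content"), 0o755)
        os.chmod(uploads, 0o777)                              # world-writable: the 777 the page warns about
        os.chmod(os.path.join(root, "index.php"), 0o644)
        os.chmod(os.path.join(root, "wp-config.php"), 0o644)  # readable by group and others
        os.chmod(os.path.join(root, "wp-content/uploads/a.jpg"), 0o666)
        before = audit_permissions(root, fix=True)
        after = audit_permissions(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, actual, expected in before:
        print(f"{path}: {actual:o} -> {expected:o}")
    print("remaining findings after fix:", after)
```

On a real site, call `audit_permissions("/home/you/public_html")` without `fix=True` first and read the report; some hosts run PHP as a different user from the file owner and need the 750/640 variants, which the script already accepts.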

Edit .htaccess

Your .htaccess file is an important file that controls redirects and permalinks, among much else. It can be used to beef up the security of your WordPress site.

If you cannot see your .htaccess file within cPanel’s or Plesk’s File Manager, make sure you have the View Invisible Files option turned on.

In all instances of the following edits to your .htaccess file, place any code outside of the #BEGIN WordPress and #END WordPress tags. And don’t forget to download a copy of your current .htaccess file before you start.

Protect wp-config.php

As we’ve seen above, there’s a lot you can do with your wp-config.php file to protect your site; likewise, there’s a lot that hackers can do if they get access to it. To protect it, add the following snippet to your .htaccess file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Protect the wp-includes directory

The wp-includes directory contains a lot of important files required to run WordPress. There really is no need for a visitor to be able to view this directory. To protect it, add the following snippet to .htaccess:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Protect the .htaccess file itself

Add the following snippet to .htaccess:

<Files .htaccess>
order allow,deny
deny from all
</Files>
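The instruction to keep these snippets outside the # BEGIN WordPress / # END WordPress markers matters because WordPress rewrites everything between those markers whenever permalinks are saved, silently discarding anything you put there. The script below is an added example written for this page (not saso.creative’s or WordPress’s own code): it carries the three snippets above, inserts each one before the BEGIN marker (or appends it when the markers are absent), never adds a snippet twice, and can verify that an existing .htaccess has all three in the right place. The SAMPLE_HTACCESS it ships with is a constructed copy of the stock WordPress block, not a real site’s file.

```python
WP_BEGIN = "# BEGIN WordPress"
WP_END = "# END WordPress"

# The three snippets from the article, keyed by a short name for reporting.
SNIPPETS = {
    "wp-config": """<Files wp-config.php>
order allow,deny
deny from all
</Files>""",
    "wp-includes": """<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>""",
    "htaccess": """<Files .htaccess>
order allow,deny
deny from all
</Files>""",
}

# Constructed stand-in for a stock .htaccess as WordPress writes it.
SAMPLE_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def add_outside_wp_block(htaccess, snippet):
    """Insert `snippet` just before the WordPress block (or append it if there is no
    block). Idempotent: a snippet that is already present is left alone."""
    snippet = snippet.strip()
    if snippet in htaccess:
        return htaccess
    idx = htaccess.find(WP_BEGIN)
    if idx == -1:
        head = htaccess.rstrip("\n")
        return (head + "\n\n" if head else "") + snippet + "\n"
    return htaccess[:idx] + snippet + "\n\n" + htaccess[idx:]


def harden_htaccess(htaccess):
    """Apply all three snippets, each outside the WordPress block."""
    for snippet in SNIPPETS.values():
        htaccess = add_outside_wp_block(htaccess, snippet)
    return htaccess


def snippets_outside_wp_block(htaccess):
    """Names of snippets that are present AND not sitting between the markers, where
    WordPress would overwrite them on the next permalink save."""
    begin, end = htaccess.find(WP_BEGIN), htaccess.find(WP_END)
    present = []
    for name, snippet in SNIPPETS.items():
        pos = htaccess.find(snippet.strip())
        if pos == -1:
            continue
        inside = begin != -1 and end != -1 and begin < pos < end
        if not inside:
            present.append(name)
    return present


if __name__ == "__main__":
    hardened = harden_htaccess(SAMPLE_HTACCESS)
    print(hardened)
    print("protected:", snippets_outside_wp_block(hardened))
```

One caveat on the snippets themselves: `order allow,deny` / `deny from all` is Apache 2.2 syntax. It still works on Apache 2.4 as long as the host loads mod_access_compat (most shared hosts do); the native 2.4 equivalent is `Require all denied`. Whichever you use, keep the backup copy of .htaccess the article tells you to download, because a syntax error in this file takes the whole site down with a 500 error.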

Okay, that’s enough of the propeller-head stuff. There’s a lot more you can do with .htaccess, but it’s getting beyond the scope of what was supposed to be a quick intro to security for WordPress. If you want to know more, there’s plenty more on the wordpress.org website.

Caution

We’re going to be editing some files that are critical to the correct functioning of WordPress.

It’s a good idea before editing these files to save a copy to your desktop or work folder so that if something goes wrong you can restore the system by re-uploading these files.

If that makes you nervous, it may be a good idea to get someone experienced to do this on your behalf.

If you proceed, do not use Microsoft Word as a text editor; use cPanel’s (or Plesk’s) built-in code editor, or a pure text editor such as Sublime (Google it).

‘Nuff said.

Special Offer.

If you’re already a customer of saso.creative (and even if you’re not), we’ve got a Special Offer for security audits and security planning. We review many of the potential security breaches detailed in these three articles on WordPress security, provide you a report of suggested improvements, and implement any or all of those suggestions as appropriate.
