9 Tips For Advanced WordPress Security - Robot Box
Editor’s note: WordPress security is serious business, and it is not a topic to be taken lightly. We certainly don’t here at Synthesis.
In 10 Steps to a Secure WordPress Website I went over some of the basics of WordPress security. Now, in this post, contributed by our friends at InfoSec Institute, we provide you with even more in-depth knowledge about how to add extra layers of security to your WordPress site.
1: Audit Overall Work Station Security
Any security hole outside of WordPress, in the software and hardware you use alongside it, can affect the CMS itself. It’d be sad to create a really secure password for your WordPress admin account, only to find out a keylogger defeated all of your effort. Thus, it is imperative that any and all PCs and web servers you use are kept properly secure.
To do so:
- Make sure you’re running the most recent release of your favorite web browser, and set it to automatically patch. Do the same with your antivirus software and operating systems.
- Make sure that all authentication vectors you use have secure passwords which are changed every so often.
- Scan your PCs and servers for malware, and do so frequently.
- Use proper firewalls at the OS level, at the router level, and at the ISP level, if at all possible.
2: Keep WordPress Updated
Once your work station is secure, the next step is to make sure you always have the most recent version of WordPress installed. Updating WordPress is relatively quick and easy, and it can be done through the WordPress panel in your web browser. If the most recent version of WordPress is incompatible with the versions of PHP and MySQL installed on your web server or web host, I strongly recommend you go to the effort of upgrading those so that your version of WordPress stays up to date. [Editor's note: you'll never have to worry about this with Synthesis.]
Obsolete versions of WordPress will no longer get security patches, much the same way that older OS’s see support expiration.
3: Report Bugs and Vulnerabilities
If you ever discover security vulnerabilities on your own, do the community a favor by sending a detailed e-mail to security@wordpress.org. If the vulnerability is in a plugin, e-mail plugins@wordpress.org. You would want other web developers to report loopholes that may affect your website, so treat others as you would like to be treated!
Just avoid writing about those newly discovered vulnerabilities on the web or on social networking sites, so that information doesn’t fall into the wrong hands.
4: Check For Exploits
Every so often, run the Exploit Scanner plugin to check for indications of malicious activity. Exploit Scanner doesn’t directly repair any issues, but it will leave you a detailed log to troubleshoot with. If you ever suspect cracking, that’s also a good time to run that particular plugin.
5: Disable Custom HTML When Possible
WordPress can use custom HTML for various functions. But if it isn’t absolutely necessary for the form and function of your website, you may want to disable unfiltered HTML by adding the following line to your wp-config.php file:
define( 'DISALLOW_UNFILTERED_HTML', true );
6: Don’t Look Brand New
Remove all default posts and comments. If malicious hackers find those on your site, it may indicate to them you have a new WordPress site, and brand new sites are often easier to crack into. It’s easier to crack into a WordPress site when you know which version is installed, so be sure to hide it. This is done in two places:
The first is the meta generator tag in your template. That’s found in “wp-content/{name of your WordPress theme}/header.php”. Look for a line like the following and remove it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
The other element is in your RSS feed. Open up “wp-includes/general-template.php” and look around line 1858. Find:
function the_generator( $type ) {
    echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
Make sure a hash is applied next to the “echo” command so that it looks like this:
function the_generator( $type ) {
    #echo apply_filters( 'the_generator', get_the_generator( $type ), $type ) . "\n";
}
Also, remove all instances of “Powered by WordPress” footers, as crackers use the phrase to find sites to crack into via search engines. That line in the footer also indicates new WordPress sites, or sites developed by newbies, whether or not that actually applies to you.
Also, be sure to delete /wp-admin/install.php and /wp-admin/upgrade.php after every WordPress installation or upgrade. Those scripts are only ever used during the installation and upgrade processes, and aren’t used in the everyday development of your site. You can still upgrade without those files, as all upgrades contain those scripts.
And change a couple of the file and directory name defaults. Go to Settings > Miscellaneous in your admin console and change the names of the “wp-content/” directory and “wp-comments-post.php”. Make sure to change the template URL within the template and “wp-comments-post.php” accordingly, to maintain the function of your site.
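Because the version string surfaces in several places, it is worth having a small self-check to run against your own site’s front page and feed after you make these edits. The following Python script is an added example, not code from the original post or from WordPress; the HTML and RSS samples are constructed, and in practice you would feed it the responses fetched from your own site.

```python
import re

# Constructed samples standing in for a site's front page and its RSS feed
# before the generator tag, feed generator and footer have been removed.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
</head><body><p>Hello world</p>
<footer>Proudly powered by WordPress</footer></body></html>"""
LEAKY_RSS = """<?xml version="1.0"?><rss version="2.0"><channel>
<generator>http://wordpress.org/?v=3.5.1</generator>
</channel></rss>"""
# The same documents after the edits described above.
CLEAN_HTML = "<html><head></head><body><p>Hello world</p><footer></footer></body></html>"
CLEAN_RSS = '<?xml version="1.0"?><rss version="2.0"><channel></channel></rss>'

# (document, description, pattern) for each disclosure the article tells you to remove.
CHECKS = [
    ("html", "meta generator tag",
     re.compile(r'<meta\s+name=["\']generator["\'][^>]*content=["\']WordPress[^"\']*["\']', re.I)),
    ("html", "Powered by WordPress footer", re.compile(r'powered by wordpress', re.I)),
    ("rss", "feed <generator> element",
     re.compile(r'<generator>[^<]*wordpress\.org/\?v=[\d.]+', re.I)),
]

def find_version_leaks(html, rss):
    """Return (document, description, matched text) for every disclosure present."""
    findings = []
    for doc, desc, pattern in CHECKS:
        body = html if doc == "html" else rss
        findings.extend((doc, desc, m.group(0)) for m in pattern.finditer(body))
    return findings

def leaked_versions(html, rss):
    """Distinct WordPress version numbers that the disclosures reveal, sorted."""
    versions = set()
    for _doc, _desc, text in find_version_leaks(html, rss):
        versions.update(re.findall(r'\d+\.\d+(?:\.\d+)?', text))
    return sorted(versions)

if __name__ == "__main__":
    for doc, desc, text in find_version_leaks(LEAKY_HTML, LEAKY_RSS):
        print(f"[{doc}] {desc}: {text}")
    print("versions disclosed:", leaked_versions(LEAKY_HTML, LEAKY_RSS))
    print("after cleanup:", find_version_leaks(CLEAN_HTML, CLEAN_RSS))
```

An empty result on your real front page and feed confirms the three edits above took effect; any finding shows exactly which string is still being served.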
7: Hide Indexes
Be sure to disable public access to directory indexes whenever possible. If people can list the files in your site’s “wp-content/plugins/” directory without being authenticated, it’s a lot easier to crack into your site through plugin vulnerabilities. If your web server runs Apache or another server that honors .htaccess files, it’s simple to do. Find the .htaccess configuration file in your site’s main directory, the one that contains “index.php”, and insert the line Options -Indexes anywhere in the file.
Alternatively, if you can’t alter a .htaccess file, upload an “index.html” file into your main directory. You could make that web page have a similar look to your site’s PHP web pages and insert a hyperlink to your “index.php” file if you’d like. But obviously, in a site that uses WordPress as a CMS, visitors won’t see your “index.html” file unless they type a specific path to it in their web browser address bar. Alternatively, you could make your “index.html” file a 0 byte placeholder.
In case your web server ever has problems executing PHP files, it’s crucial to block direct access to directories that are only ever accessed by your server. If PHP source code is ever displayed in a visitor’s web browser rather than the web page it’s supposed to render, they may find database credentials or in-depth information about the PHP/MySQL programming of your site. Your site’s “wp-includes/” directory is the most important one to block. Find the .htaccess file there and insert:
RewriteEngine On
RewriteRule ^(wp-includes)\/.*$ ./ [NC,R=301,L]
If there are or will be subdirectories of “wp-includes/”, insert the following code for each one in the same .htaccess configuration file:
RewriteRule ^(wp-includes|subdirectory-name-here)\/.*$ ./ [NC,R=301,L]
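The index.html fallback above is tedious to apply by hand across every plugin, theme and include subdirectory, so the following Python script (an added example, not code from the original post or from WordPress) walks the directories the article singles out and drops a 0-byte index.html placeholder wherever no index file exists. The directory list and the sample tree it builds for the demo are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# Trees under the WordPress root whose listings reveal installed components.
# The list is an assumption for this example; extend it to fit your layout.
PROTECTED_DIRS = ["wp-content/plugins", "wp-content/themes",
                  "wp-content/uploads", "wp-includes"]

def unprotected_dirs(wp_root):
    """Yield each directory in the protected trees that has neither index.php nor index.html."""
    root = Path(wp_root)
    for rel in PROTECTED_DIRS:
        top = root / rel
        if not top.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(top):
            if not {"index.php", "index.html"} & set(filenames):
                yield Path(dirpath)

def add_placeholders(wp_root, dry_run=False):
    """Drop a 0-byte index.html into every unprotected directory; return the paths created."""
    created = []
    for d in list(unprotected_dirs(wp_root)):
        target = d / "index.html"
        if not dry_run:
            target.touch(exist_ok=False)   # fail loudly rather than overwrite anything
        created.append(target)
    return created

def demo():
    """Build a constructed WordPress-like tree in a temp dir and protect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ["wp-content/plugins/example-plugin", "wp-includes/js", "wp-admin"]:
            (root / rel).mkdir(parents=True)
        (root / "wp-includes" / "index.php").touch()   # already protected by core
        before = sorted(p.relative_to(root).as_posix() for p in unprotected_dirs(root))
        created = add_placeholders(root)
        after = list(unprotected_dirs(root))
        return before, len(created), after

if __name__ == "__main__":
    before, count, after = demo()
    print("listable before:", before)
    print("placeholders created:", count, "still listable:", after)
```

Run it with dry_run=True first to see what it would touch; on Apache, Options -Indexes in .htaccess remains the primary control and the placeholders are the fallback the article describes.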
8: Back It Up!
WP-DB Manager is excellent for backing up your entire WordPress site, but it’ll also alert you to MySQL vulnerabilities and let you know when parts of your database are publicly accessible. Always be sure to properly back up the content of your site. In a worst-case scenario, at least keeping backups will allow you to easily restore your site.
With WP-DB Manager, you could also use Online Backup for WordPress. The backup this plugin creates can be stored in your e-mail inbox, on your PC, or you can use the 100MB of free storage space on developer Backup Technology’s own secure servers.
9: Vet Plugins Properly
When you choose and install plugins on your site, be sure to only install plugins offered through your admin panel or under the plugin directory at wordpress.org. Outside plugins may be secure, but it’s best to mitigate the risk. Officially released plugins are audited for security and scanned for malware.
WordPress Security Is an Ongoing Responsibility
Keeping your WordPress site hardened for security is an ongoing responsibility, just like all other areas of IT and development security. You can’t just configure a number of settings or programs and then forget about it. Your WordPress site should be on a schedule for malware and vulnerability scanning, and logs should be kept and analyzed. [Editor's note: Synthesis performs nightly server-side malware scans of every WordPress install we host.]
By keeping your WordPress site secure, you’re doing your part to prevent malicious activity that could not only harm websites, but also web servers and users’ PCs, tablets, and smartphone devices.
As WordPress is such a common CMS on the web, knowledge about the design and configuration of the console is readily available, and certain hacks could work on perhaps millions of websites. Fortunately, knowledge about WordPress security is abundant, for much the same reasons.
In the ongoing maintenance of your website and web server, always be security minded. You can then have proper control over your web content, and do your part to make the Internet a better place.
Kim Crawley is a security researcher for InfoSec Institute. InfoSec Institute is a security certification company that has trained over 15,000 people, including through its popular CEH and CCNA certification courses.
This post first appeared on websynthesis