A few years ago, only hackers where able to crack websites and bring them down due to their level of knowledge in systems, networking and coding. In recent times, however, things have changed and just about anyone can find tutorials on the Internet that show step by step procedures to penetrate a websites running vulnerable software.
At Kualo, we take security seriously, and have implemented several systems to protect your applications from being exploited. We cannot, however, protect every piece of software that clients operate on their sites, as there is no guaranteed way to protect your websites from being exploited due to vulnerabilities resulting from not upgrading to the latest releases, poorly coded plugins or custom code.
This tutorial aims to focus on a common web application used by our clients - WordPress. We'll provide some tips and suggestions that will help you add an extra layer of security to your WordPress installations.
Below is a list of recommended modifications or adjustments to make to your WordPress installations. Read it carefully and if you have any questions feel free to get in touch with our support team before proceeding.
1) Hide your WP version. Hiding the WP version makes it harder for bots collecting information about your site from identifying whether or not you run a vulnerable version. You can use the following plugin to do it for you: http://wordpress.org/extend/plugins/hide-wordpress-version/
2) Limit the access to the admin area (the wp-admin directory) using the password protection tool in your account's cPanel interface
For steps 3 and 4, please bear in mind that any changes made to the .htaccess file needs to be placed outside the tags # BEGIN WordPress and # END WordPress. Anything written between those tags, can be overwritten by the WordPress application.
3) Secure access to key files by adding add the following lines to the .htaccess file in your WordPress installation directory:
<files .htaccess wp-config.php>
deny from all
4) Secure access to your wp-includes directory. This is often used by hackers to place malicious files when they find a vulnerable installation. Add the following lines to the .htaccess file in your WordPress installation directory:
# Block include-only files.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L] # End block include-only files
Note that this won't work well on Multisite WordPress installations, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
5) Block search engine bots from browsing your directories. Google and other search engines can crawl unwanted urls and expose them to hackers. It's best to prevent Google bot and any other bots that follow robots.txt ( not all of them do) from indexing anything but your content. The robot.txt goes in your site's root folder and is just a text file. Edit/Create your robots.txt files at your public_html folder and ensure it has the following parameters
We recommend that you consider installing the following plugins into your WordPress installation to add an extra layer of security. Please note that you don't have to install them all, just choose the ones that best suit you:
We hope you enjoyed this tutorial. Remember, that our technical team are on hand 24/7 for any questions that you may have.