Blog security 101: how to lock down your WordPress site. Most of
these techniques are easy for a beginner to implement, and easy to recover from if
something goes wrong. If you're new to WordPress, please read our basic guide before proceeding with this one.
1. Delete the Admin login
The default Admin account, with its well-known username and full privileges, is an easy target for any
exploit. You should delete this user account right away. The steps:
1. Log in with the default Admin account
2. Create a new user with a unique name and Administrator privileges (very important)
3. Log in as the new user and delete the Admin user.
Note: This step can also be quickly done on a fresh install by changing the default user name to something other than “Admin”.
1. Change your WordPress Nickname
Bots will scrape your site's posts looking for author tags and then
use the names they find as your login username; this is a very effective
attack vector for brute-force password guessing. In your WP admin, open
your Profile (or Users), add a Nickname (or First Name), and then
set "Display name publicly as" to something different from your actual
login username!
2. Schedule regular backups
Regular backups are a must and having tiered backups is even better.
That means backing up the WordPress database and also your server disk.
Several backup plugins and services will back your data
up. It is also advisable to ask your host about disk-based backups,
and remember to read the fine print.
3. Get some WordPress security keys
WordPress uses a set of secret keys and salts to protect the login information stored in your cookies.
These keys go into your wp-config.php, and the official wordpress.org site provides a random key generator here:
https://api.wordpress.org/secret-key/1.1/salt/ . Hit refresh in your browser to get new keys and copy/paste the whole block into your wp-config.php.
4. Rename the database prefix pre-installation only!
This is for PRE-INSTALL ONLY. We cover doing this on a live site in
the advanced guide, as doing it wrong will kill your site. If you're
starting with a fresh install, the install screen gives you an option
to change the database prefix. All default WordPress installs
use the database prefix
"wp_", which makes any attacker's job much easier, so change this prefix to something unique.
5. Limit your plugin and theme use and delete unused ones.
Not only are many plugins and themes insecure, but they can slow your
site down to a crawl. Limit your plugin use as much as you can, delete
unused plugins and themes, and keep the rest updated. Keeping your install
clean reduces fingerprinting and leaves less rogue code around to be
exploited, and if something does infect your site, it is much
easier to clean up.
6. Move wp-config up one directory and lock it down
The wp-config.php file contains all your WordPress database
credentials. You can move this file up one directory on your server,
outside the web root, which protects it from browser-based
attacks. It is also a good idea to change its permissions to 600.
7. Limit login attempts
Security plugins can be an afterthought, and relying on
a plugin to protect what is already insecure is bad practice. The
Limit Login Attempts plugin, on the other hand, is very useful: it caps
the number of failed logins to your site and locks out brute-force
attacks. It can even log the IPs that are failing to get in.
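The signal the plugin acts on can also be pulled straight out of the web server log, which is useful when you want to confirm a lockout is working or to feed a firewall rule. The script below is an added example, not code from the original post or from the Limit Login Attempts plugin. It assumes the Apache/nginx "combined" access log format, and the log lines in the test are constructed. It relies on a WordPress behaviour: a failed login re-renders wp-login.php with status 200, while a successful one answers with a 302 redirect into wp-admin, so POSTs with a 200 are the failures.

```shell
#!/bin/sh
# Added example (not from the original post or the plugin): report clients
# hammering wp-login.php from a "combined" format access log.
# Field layout: $1 ip, $6 "METHOD, $7 path, $9 status.

# login_bruteforce_report LOGFILE [THRESHOLD]
# Prints "count ip" for every client with more than THRESHOLD (default 10)
# failed POSTs to wp-login.php, busiest first.
login_bruteforce_report() {
  log=$1
  threshold=${2:-10}
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print n[ip], ip }
  ' "$log" | sort -rn
}

# failed_logins_for LOGFILE IP
# Counts failed wp-login.php POSTs from a single client (0 if none).
failed_logins_for() {
  awk -v ip="$2" '
    $1 == ip && $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { c++ }
    END { print c + 0 }
  ' "$1"
}
```

Run it as `login_bruteforce_report /var/log/apache2/access.log 20` (path is a placeholder for your host's log location); the threshold should match whatever lockout limit you configured in the plugin.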
8. Check your file and directory permissions
File and directory permissions can be tricky depending on the host.
In the majority of cases you want files set to 644 or 640 and
folders set to 755 or 750. You should never have to set anything to 777
unless your host has been misconfigured, EVER! The golden rule with
permissions is to set them as low as you can while keeping the site in
working order.
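Steps 6 and 8 are both file-system changes, so here they are as one script. This is an added example and not code from the original post; it assumes a Linux or BSD host with POSIX `find` and `chmod`, and the directory tree in the test is constructed. One caveat worth knowing before moving wp-config.php: WordPress only looks one directory up for it when that parent directory does not itself contain a wp-settings.php (that is, is not another WordPress install), so the relocate function checks for that first.

```shell
#!/bin/sh
# Added example (not from the original post): relocate wp-config.php above
# the web root with mode 600, and audit/normalise the remaining permissions.

# relocate_wp_config DOCROOT
# Moves DOCROOT/wp-config.php to the parent directory and restricts it to
# the owner. Refuses if the parent looks like another WordPress install,
# because WordPress would not read the file from there.
relocate_wp_config() {
  docroot=$1
  parent=$(dirname "$docroot")
  [ -f "$docroot/wp-config.php" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
  if [ -f "$parent/wp-settings.php" ]; then
    echo "$parent contains wp-settings.php; not moving" >&2
    return 1
  fi
  mv "$docroot/wp-config.php" "$parent/wp-config.php" && chmod 600 "$parent/wp-config.php"
}

# audit_perms DOCROOT
# Lists every file not 644/640 and every directory not 755/750.
audit_perms() {
  docroot=$1
  find "$docroot" -type f ! -perm 644 ! -perm 640
  find "$docroot" -type d ! -perm 755 ! -perm 750
}

# count_world_writable DOCROOT
# Number of paths anyone can write to (the "never 777" rule).
count_world_writable() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# apply_perms DOCROOT
# Applies the baseline: 755 for directories, 644 for files.
apply_perms() {
  docroot=$1
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
}
```

Run `audit_perms` first and read the list before calling `apply_perms`; some hosts need uploads writable by the web server user, which the golden rule above handles case by case rather than with a blanket 777.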
9. Hide version info
Hiding the WP version info is a small step to deter bots crawling
your site; it does not prevent fingerprinting, but every
little bit helps. In your theme's functions.php, add the following:
10. Enable SSL login
Enable SSL login if your site has an SSL certificate. To enable SSL,
your site must be reachable over https. You can enable this just for
the login or for the whole Admin area in your wp-config.php. SSL login
encrypts the data you send to WordPress and is especially helpful in
thwarting man-in-the-middle attacks.
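Steps 3, 4 and 10 all end up as lines in wp-config.php, so a single audit script can confirm they were done. The script below is an added example, not code from the original post; the constant names (the eight key/salt constants, `$table_prefix`, `FORCE_SSL_ADMIN`) are WordPress's real ones, and the two wp-config.php samples in the test are constructed. It checks that every key is present, is not the generator's placeholder text and is a reasonable length, that the table prefix is not the default, and that admin traffic is forced onto SSL.

```shell
#!/bin/sh
# Added example (not from the original post): audit a wp-config.php for the
# security keys, table prefix and SSL settings described in steps 3, 4, 10.

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER='put your unique phrase here'

# config_value FILE NAME
# Prints the quoted value of define('NAME', '...'), or nothing if absent.
config_value() {
  grep -E "define\([[:space:]]*'$2'[[:space:]]*," "$1" | head -n 1 |
    sed -E "s/.*define\([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'([^']*)'.*/\1/"
}

# weak_salt_count FILE
# Number of keys that are missing, still the placeholder, or under 32 chars.
weak_salt_count() {
  n=0
  for k in $KEYS; do
    v=$(config_value "$1" "$k")
    case "$v" in
      ''|"$PLACEHOLDER") n=$((n + 1)) ;;
      *) [ ${#v} -ge 32 ] || n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# table_prefix FILE
# Prints the configured $table_prefix (the install default is wp_).
table_prefix() {
  sed -n -E "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'([^']*)'.*/\1/p" "$1" | head -n 1
}

# ssl_admin_forced FILE
# Succeeds only when FORCE_SSL_ADMIN is defined true.
ssl_admin_forced() {
  grep -Eq "define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# audit_wp_config FILE
# Prints one line per problem; exit status 0 means all three checks pass.
audit_wp_config() {
  rc=0
  w=$(weak_salt_count "$1")
  [ "$w" -eq 0 ] || { echo "$w weak or missing security keys"; rc=1; }
  p=$(table_prefix "$1")
  [ -n "$p" ] && [ "$p" != "wp_" ] || { echo "table prefix is default (${p:-unset})"; rc=1; }
  ssl_admin_forced "$1" || { echo "FORCE_SSL_ADMIN not enabled"; rc=1; }
  return $rc
}
```

Note the prefix check only tells you what the config says; as step 4 warns, changing the prefix on a live site also means renaming the tables, which this script deliberately does not touch.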
11. Don’t allow search bots to browse your directories
Google search can crawl unwanted URLs and expose them to hackers.
It's best to prevent Googlebot and any other bots that honour
robots.txt (not all of them do) from indexing anything but your
content. The robots.txt goes in your site's root folder and is just a
text file.
12. Disable user registration.
Yes, you can disable user registration in the Admin, so if you're
running a small blog or CMS and don't have multiple people sharing it, go
ahead and disable user registration completely under your General
settings.
13. Basic .htaccess Rules
Here are some basic rules you can add to your root .htaccess file. More
advanced rules are covered in the advanced guide, as messing around here
can break your site, but these basic ones won't do much other than protect you.
14. Delete the readme and any unnecessary files.
WordPress has a default readme.html, and many plugins and themes also
come with one. It's best to just delete them, as they can be used for
fingerprinting or general snooping and often contain version info. Also
keep your folders clean of any junk files.
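Steps 1, 9 and 14 are all about what your site gives away, and you can check all three locally. The script below is an added example and not code from the original post; it assumes a docroot path and a copy of the rendered front page saved to a file (for instance with curl), and the directory tree and HTML used in the test are constructed. The file names are the real WordPress defaults. One caveat the author-slug check exists for: the author archive URL uses user_nicename, which WordPress derives from the login name when the account is created, so changing the display name in step 1 does not change the slug, and a slug that equals a real login name is still a leak.

```shell
#!/bin/sh
# Added example (not from the original post): local self-check for readme
# files, the generator meta tag, and author slugs exposed in a saved page.

# list_readme_files DOCROOT
# Finds core, plugin and theme readme files under the docroot.
list_readme_files() {
  find "$1" -type f \( -iname 'readme.html' -o -iname 'readme.txt' \)
}

# count_readme_files DOCROOT
count_readme_files() {
  list_readme_files "$1" | wc -l | tr -d ' '
}

# purge_readme_files DOCROOT
# Deletes them. Core updates put readme.html back, so rerun after upgrading.
purge_readme_files() {
  list_readme_files "$1" | while IFS= read -r f; do rm -f "$f"; done
}

# has_generator_tag PAGE_HTML
# Succeeds when the page still prints the generator meta tag from wp_head
# (the tag step 9 removes in functions.php).
has_generator_tag() {
  grep -Eiq '<meta[^>]*name="generator"[^>]*content="WordPress' "$1"
}

# author_slugs PAGE_HTML
# Prints the author-archive slugs the page links to, one per line,
# de-duplicated. Compare these against your real login names.
author_slugs() {
  grep -oE '/author/[A-Za-z0-9_.-]+/?' "$1" | sed -E 's#^/author/##; s#/$##' | sort -u
}
```

Save a page with `curl -s https://example.test/ -o page.html` (placeholder host), then run `has_generator_tag page.html` and `author_slugs page.html`; a clean site gives a non-zero exit from the first and no slug that matches a login username from the second.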