A few weeks ago, a website I had worked on became unavailable, and I investigated to find that it had been compromised, or hacked. A file, ‘indix.php’, was added to the root directory on the fileserver. The file contained some referral to a Ukrainian website, but it was enough to take the site down.
The site was a WordPress website. WP is quite renown for poor security, but that’s not to say you can’t make it secure. I’d like to now write about how I have increased the security of this website to prevent future problems.
The first thing I can recommend is to install the WP Security Scan plugin to see how secure your site is currently from here.
The general rule for WordPress file permissions is to keep file directories as 755, which means that a user can read, write and execute, and to keep individual files as 644. This means that the owner can read/write the file and other users (the world) can only read it. One exception to this rule is the ’.htaccess’ file, which you should keep on 400 permission, meaning that only you and the server can read the file.
A very important file to web development. You can use ’.htaccess’ to control security throughout your site.
Prevent directory browsing:
Options All -Indexes
Protecting wp-config.php file:
Order Allow,Deny Deny from all
Restrict access to any .php file:
AuthUserFile /etc/httpd/htpasswd AuthType Basic AuthName "restricted" Order Deny,Allow Deny from all Require valid-user Satisfy any
AskApache Password Protection Plugin
Another great plugin that will add a brick wall to your PHP files. Download from here.
Moving the wp-config.php file from the root
You should move the ‘wp-config.php’ file one directory up from the root WordPress folder.
This tip is quite controversial, but after reading through the answers posted here I’m convinced this is a good decision.
Keeping passwords secure
I’m sure this was the reason the site I worked on was hacked; poor passwords. I guess that a hacker ran a pass on millions of WordPress sites using a large word list, effectively guessing the user/password combination. The solution to this is simple: use a better password. One with numbers, capital letters, symbols. I feel this comic illustrates the idea well.
Keeping WordPress up-to-date
This is self-explanatory. Always check for updates.