WordPress Security Part II

February 6th, 2009 by Carl | Filed under Blogging, security, wordpress.


In Part II we further examine how you can make your WordPress installation more secure, including passwords, a login plugin to prevent brute force attacks, .htaccess to restrict access to wp-admin and more. Part I can be found here.

Even if you have done everything so far, it might be easy for someone to get into your site if you have not secured it with a good password.

Password Security

The simplest way for an attacker to break in would be to attempt a brute force attack and guess your password. To be safe, you need to follow the standard advice: your password needs to be more than 8 characters in length, a random mixture of upper and lowercase letters, preferably with symbols. Don’t choose any word that is in the dictionary, and don’t try to be clever and choose an easily guessed pattern of keys on the keyboard. If you can’t think of a password, try this password generating extension for Firefox.

A post on the 10 most common passwords shows people’s inability to choose secure passwords. Among the most common passwords are: password, 123456, qwerty, abc123, letmein, monkey, myspace1, password1, blink182.
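As an added example (not from the original post), here is a checker that applies the rules above to a candidate password: length, mixed case, symbols, keyboard runs, and the common-password list quoted in the post, which stands in for a real dictionary.

```python
import re
import string

# The common passwords quoted in the post; a constructed stand-in for a real dictionary
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein",
                    "monkey", "myspace1", "password1", "blink182"}
# Rows of a QWERTY keyboard; four or more adjacent keys in either direction count as a pattern
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_keyboard_run(pw, min_len=4):
    """True if pw contains min_len adjacent keyboard-row keys, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS):
        for i in range(len(row) - min_len + 1):
            if row[i:i + min_len] in low:
                return True
    return False


def password_problems(pw, common=COMMON_PASSWORDS):
    """Return the list of rules from the post that pw breaks (empty list = acceptable)."""
    problems = []
    if len(pw) <= 8:
        problems.append("8 characters or fewer")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("not a mixture of upper and lower case")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    # 'password1' is just 'password' with a digit appended, so also compare with trailing digits stripped
    stripped = re.sub(r"\d+$", "", pw.lower())
    if pw.lower() in common or stripped in common:
        problems.append("on the common-password list")
    if has_keyboard_run(pw):
        problems.append("easily guessed keyboard pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty", "password1", "Tr0ub4dor&3xq"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```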

We laugh and think, ‘stupid people. How can they choose such easy to guess passwords?’ It is not surprising that people will try to use easy to remember passwords. What is more surprising is the fact that logins will allow anyone unlimited attempts to enter your password, making brute force attacks a realistic possibility.

LimitLogins is a WordPress plugin that helps prevent this by imposing a delay after an administrator-definable number of wrong passwords. It will also lock you out for a longer period of time if you persist in trying to guess the password.
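The lockout behaviour described above, as an added example that is not the plugin's own code: a per-IP limiter that locks an address out after a number of wrong passwords and escalates to a long lockout when the lockouts keep coming. The thresholds (4 failures, 20 minutes, 4 lockouts, 24 hours) are assumed values standing in for the administrator-definable settings.

```python
import time
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    """Per-IP brute-force limiter in the style of a WordPress login-limiting plugin.

    Thresholds are assumed values (the plugin makes them administrator-definable).
    """
    max_failures: int = 4                 # wrong passwords allowed before a lockout
    lockout_seconds: int = 20 * 60        # length of an ordinary lockout
    lockouts_before_long: int = 4         # this many lockouts makes the next one long
    long_lockout_seconds: int = 24 * 3600
    _state: dict = field(default_factory=dict)

    def _entry(self, ip):
        return self._state.setdefault(ip, {"failures": 0, "lockouts": 0, "locked_until": 0.0})

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        return self._entry(ip)["locked_until"] > now

    def record_attempt(self, ip, password_ok, now=None):
        """Feed one login attempt; returns 'locked', 'ok', 'failed' or 'lockout'.

        While an IP is locked every attempt is refused without consulting the password,
        so a correct guess made during the lockout tells the attacker nothing.
        """
        now = time.time() if now is None else now
        e = self._entry(ip)
        if e["locked_until"] > now:
            return "locked"
        if password_ok:
            e["failures"] = 0             # the failure run resets, the lockout history is kept
            return "ok"
        e["failures"] += 1
        if e["failures"] < self.max_failures:
            return "failed"
        e["failures"] = 0
        e["lockouts"] += 1
        is_long = e["lockouts"] >= self.lockouts_before_long
        e["locked_until"] = now + (self.long_lockout_seconds if is_long else self.lockout_seconds)
        # The event worth logging and alerting on. A per-IP limiter is still blind to guesses
        # spread over many source addresses, so keep the password strong as well.
        print(f"lockout #{e['lockouts']} for {ip} ({'long' if is_long else 'short'})")
        return "lockout"
```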

Secure your wp-admin Area with .htaccess

Assuming your host is secure and your network trusted, the admin area of the blog should be given an extra layer of protection by making it available to you alone.

  • Extra security is given by restricting the admin page to certain IP addresses.
  • Keep your WordPress updated. If you don’t enjoy the prospect of frequent updates, try the Automatic update plugin.

Restrict Access to wp-admin by IP Address

# Deny everyone except the listed address (replace xxx.xxx.xxx.xxx with your own IP)
<Limit GET POST PUT>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Limit>
# Note: <Limit> only covers the request methods named in it; Apache's documentation
# recommends placing access controls outside <Limit> so that every method is restricted.

Limiting access to the wp-admin directory using an .htaccess file is fine if you have a static IP address, but it will not let you work on your blog from multiple locations unless you add each IP address.

Password Protect wp-admin

A better solution in this case would be to password protect your wp-admin directory. Store the password (in hashed form) in a file called .htpasswd, out of the reach of browsers (in a directory above www or public_html).

To make an .htpasswd file:

The htpasswd command on Unix does this. You should put the password file outside of your web directory. Note that the -b option passes the password on the command line, so it may be recorded in your shell history; run the command without -b to be prompted for it instead.

htpasswd -bc /home/ned/.htpasswd user password

(replace user and password with your chosen username and password).
So a command like:

htpasswd -bc /home/ned/.htpasswd ned 123456

will create a new file containing the username ned and the password 123456 (one of the common passwords listed above, so pick something stronger for real use) at

/home/ned/.htpasswd

Create and upload an .htaccess file to the wp-admin folder with the following code:

# The path must match the file written by htpasswd above
AuthUserFile /home/ned/.htpasswd
AuthName EnterPassword
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
# Basic authentication sends the password with every request, so serve wp-admin over HTTPS.

Hide Directories

Another .htaccess trick is to hide your directories from view. In the .htaccess file at the site root add:

Options -indexes

This will prevent listing of the files in a directory if there is no default page to go to.

Restrict Access to Anything other than wp-content

Place the following in an .htaccess file in the wp-content folder:

# Deny everything under wp-content by default...
Order Allow,Deny
Deny from all
# ...but still serve the static theme and plugin assets (Files takes a quoted regex after ~)
<Files ~ "\.(jpg|gif|png|js|css)$">
Allow from all
</Files>
# This also blocks direct requests to PHP files under wp-content; any plugin that relies
# on being called directly will need its own exception.

Don’t Show your WordPress Version

Add the following lines to the functions.php file in your theme directory (create a blank PHP file with this name if your theme doesn’t already have one). The wp-security-scan plugin also does this.

<?php
// Stop WordPress printing its version in the <head> generator tag.
// The version is still disclosed in the feeds and in readme.html at the site root.
remove_action('wp_head', 'wp_generator');
?>

Salt with your Cookies?

As of v2.6 WordPress introduced three secret keys. You should create a long random string of characters which cannot easily be guessed (or use this secret key generator); these are used to generate more secure passwords and cookies. The keys are used to ‘salt’ the password hashes and make them more difficult to crack. As of version 2.7 there are four keys in the wp-config.php file.

define('AUTH_KEY', ':dr+%/5V4sAUG-gg%aS*v;&xGhd%{YKC^Z7KKGh j>k[.Nf$y7iGKdJ3c*[Kr5Bg');
define('SECURE_AUTH_KEY', 'TufWOuA _.t>#+hA?^|3RfGTm>@*+S=8\"\'+\"}]<m#+}V)p:Qi?jXLq,<h\\`39m_(');
define('LOGGED_IN_KEY', 'S~AACm4h1;T^\"qW3_8Zv!Ji=y|)~5i63JI |Al[(<YS<2V^$T])=8Xh2a:b:}U_E');
define('NONCE_KEY', 'k1+EOc-&w?hG8j84>6L9v\"6C89NH?ui{*3\\(t09mumL/fFP_!K$JCEkLuy ={x{0');

The random strings of characters are added by the user. You never need to remember them, so make them as complicated and difficult to guess as possible to get the maximum benefit. It is best to use the key generator.

Extra Information if you get Hacked

If all of the above fails and you still get hacked, then you can get some extra information on what happened before your blog went down, which might be useful as an additional source of information to take to the WordPress developers. A sort of black box for login attempts.

PostLogger logs the $_POST variables that users are submitting when they submit comments.

Other Good WordPress Security Plugins

http://wordpress.org/extend/plugins/wp-security-scan/ – will let you generate strong passwords, check your site for the correct file permissions and change the default table prefix.

AskApache provides an extra layer of security based on .htaccess. Note: some people have experienced problems which have locked them out of their admin area.


One Response to “WordPress Security Part II”

  1. Security for Wordpress Part I | 6/02/09

    [...] In part II of this post, I will explain how to lock down the wp-admin area and other measures to make those pesky hackers lives more difficult. [...]
