Secure WordPress Websites
Hackers want control of your WordPress site to, for instance, launch Denial of Service attacks against lucrative targets, such as banks. This article explains how and why the Better WP Security plugin works. Mainly, hackers use two automated methods to access your WordPress site. They try to:
- Guess your username and password;
- Access WordPress files directly, or send queries that make your database misbehave and reveal your passwords.
Username and Password Guessing
WordPress’s defaults simplify a hacker’s challenge of accessing your site. The default:
- Filename for logging-in: http://www.yourURL/wp-admin;
- Username is: admin;
- Admin user ID: 1.
So complicate the hacker’s life by changing the http://www.yourURL/wp-admin URL to, for instance, http://www.yourURL/tricky-admin. It’s also worthwhile setting up a new user with admin rights, and deleting the default “admin” username. Next use a hard-to-guess password. Security guru and friend Dan Cvrek recently analyzed hackers’ actual password guesses. Hackers’ password guesses contain:
- Only numbers, with no letters e.g. 23946587;
- Names, e.g. of your child or girlfriend;
- Variations on “password”, e.g. p@55w0rd;
- Letters close together on the keyboard, like: qazwsxedcrfv;
- Names related to your website, e.g. your URL or an author’s name;
- Names related to entertainment, e.g. from StarTrek or football.
Note, the above passwords probably pass WordPress’s “password strength” tests. Dan’s s-Crib password management USB stick enables you to quickly use incredibly secure passwords.
Since our hacker is just guessing the right username and password, it’s worthwhile preventing too many guesses. WordPress, by default, allows unlimited guesses. So slow the rate of log-in attempts by:
- Limiting the number of failed log-in attempts from every IP address;
- Limiting the number of times a hacker can fail using the same username with different passwords.
When our hacker reaches these limits:
- Ban, i.e. lock out, any log-in attempt using the IP address and/or the username, for a time period;
- Permanently bar repeat offenders.
It’s also worthwhile preventing access to your website from known IP addresses and tools commonly used by hackers. However, the list includes occasionally useful tools like WinHTTrack.
Protect Access to WordPress’s Files
WordPress’s core code is well written. Plug-ins, themes and media files, which may be poorly written and vulnerable, live in the /wp-content directory. Hackers may try exploiting vulnerabilities in well-known plug-ins by accessing the files directly. So foil the hackers by changing the /wp-content directory’s name.
Core WordPress database tables always start with “wp_”. This means hackers can write scripts to automatically target these tables. Their life becomes harder if you change “wp_” to something else.
I change the /wp-content directory name and the default database table prefix immediately after installing WordPress. Changing either any later may break the site, as themes and plugins may continue to target the default WordPress /wp-content directory and database tables.
Hackers scan your website searching for vulnerable back-end files. Mostly they get “404”, i.e. not found, responses from your server. Normal users should only get an occasional “404” response, perhaps because they clicked on a dead link. Someone, from the same IP address, who receives multiple “404” responses within a short period, is more likely to be a hacker.
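To illustrate the 404 heuristic above, here is an added example (not code from the article or from the Better WP Security plugin) that reads Apache-style access log lines and flags any IP address that collects more than a set number of 404 responses inside a sliding time window. The log lines, the IP addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_404_scanners(lines, max_404=5, window_seconds=60):
    """Return {ip: peak_count} for IPs that exceed max_404 not-found
    responses within any sliding window of window_seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue  # ignore unparsable lines and non-404 responses
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        ip = m.group("ip")
        q = recent[ip]
        q.append(ts)
        # discard 404s that have fallen out of the window (log is time-ordered)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_404:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Constructed sample (thresholds and addresses are hypothetical): one client
# probes several back-end paths in quick succession; another visitor hits a
# single dead link.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2014:10:00:00 +0000] "GET /backup.zip HTTP/1.1" 404 209',
    '203.0.113.9 - - [10/Mar/2014:10:00:01 +0000] "GET /wp-content/plugins/old/x.php HTTP/1.1" 404 209',
    '203.0.113.9 - - [10/Mar/2014:10:00:02 +0000] "GET /admin.php HTTP/1.1" 404 209',
    '203.0.113.9 - - [10/Mar/2014:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209',
    '203.0.113.9 - - [10/Mar/2014:10:00:04 +0000] "GET /wp-config.bak HTTP/1.1" 404 209',
    '203.0.113.9 - - [10/Mar/2014:10:00:05 +0000] "GET /config.old HTTP/1.1" 404 209',
    '198.51.100.4 - - [10/Mar/2014:10:00:30 +0000] "GET /old-post HTTP/1.1" 404 209',
]


def scan_sample():
    """Run the detector over the constructed sample; only the prober is flagged."""
    return find_404_scanners(SAMPLE_LOG)  # returns {"203.0.113.9": 6}
```

A lockout rule would act on the returned IPs for a limited period, as the article suggests for failed log-ins, rather than banning them permanently on a first hit.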
Other Tweaks
Most of the “system tweaks” provided by Better WP Security are compatible with the plug-ins I use. The exception is the write permissions for .htaccess and wp-config. This needs to be turned off whilst setting up W3 Total Cache.