Securing your WordPress website

Categories: Data Protection, Security, Tips

Additional Free Files:

WordPress Database Switcher

Please note: I have replaced Database Switcher v1.0 with v1.05. If you previously downloaded v1.0 you may want to use v1.05 instead.

Make sure your servers are updated regularly

Normally your hosting company would take care of this for you on a regular basis. However, if you run your own server from your office or home, it is important to back it up and apply the latest patches regularly.

In Windows this is done from the Windows Update window, and updates are automatic unless configured otherwise.

On Linux however, you have different ways of staying up to date:

For Debian-based systems:
apt-get update && apt-get upgrade

For Red Hat-based systems:
yum update

For openSUSE and SUSE-based systems:
zypper update

This is a useful one-liner for Ubuntu 16.04 that updates everything and then cleans out the old packages afterwards:

sudo -- sh -c 'apt-get update; apt-get upgrade -y; apt-get dist-upgrade -y; apt-get autoremove -y; apt-get autoclean -y'

Make sure you are running the latest PHP version that works with the website

If you are on a hosting platform, it's good to check your website regularly, go into your control panel, and update to the latest, most secure PHP version.

Unless you really need to stay on an old version of PHP, you should regularly select the latest version.

If your website goes down you can always switch back to the version you were on and check the error logs to see why the upgrade failed. Unless there is a real reason (deprecated functionality), you should not be on a version lower than 5.6; anything below that is not very secure.

Obfuscate Database Tables with prefix

If you didn't change your WordPress table prefix in wp-config.php from $table_prefix = 'wp_'; to something more obscure like $table_prefix = 'xjps__'; before you installed WordPress, then you should look at how to update your table prefix now.

http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/

This is more complex than this tutorial can cover for now, but you can follow the examples in that one to see how to update it.

Just be careful and take a backup first!
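As an added example (it is not from the original post or from the linked tutorial), the SQL below shows the three places the prefix lives in a default WordPress database: the table names, the option_name of the roles option, and the meta_key of each user's capability rows. It assumes the old prefix is wp_, the new prefix is the post's xjps__, that only the core tables exist (plugin tables need the same rename), and that $table_prefix in wp-config.php is changed to match immediately afterwards.

```sql
-- Added example: move a default WordPress install from the wp_ prefix to xjps__.
-- Assumes only the core tables exist; list plugin tables too (SHOW TABLES LIKE 'wp\_%').
-- Take a full backup first, as the post says, and keep the site in maintenance mode.

RENAME TABLE
  wp_commentmeta        TO xjps__commentmeta,
  wp_comments           TO xjps__comments,
  wp_links              TO xjps__links,
  wp_options            TO xjps__options,
  wp_postmeta           TO xjps__postmeta,
  wp_posts              TO xjps__posts,
  wp_termmeta           TO xjps__termmeta,
  wp_terms              TO xjps__terms,
  wp_term_relationships TO xjps__term_relationships,
  wp_term_taxonomy      TO xjps__term_taxonomy,
  wp_usermeta           TO xjps__usermeta,
  wp_users              TO xjps__users;

-- The roles option is named after the prefix; without this step every user loses their role.
UPDATE xjps__options
   SET option_name = 'xjps__user_roles'
 WHERE option_name = 'wp_user_roles';

-- Per-user capability and level rows are keyed by prefix too (wp_capabilities, wp_user_level, ...).
-- SUBSTRING from position 4 drops the three characters of 'wp_' and keeps the rest.
-- Caveat: a plugin meta_key that merely starts with "wp_" would be renamed as well; check first.
UPDATE xjps__usermeta
   SET meta_key = CONCAT('xjps__', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- Sanity checks: the roles option must carry the new name, and no meta_key may keep the old prefix.
SELECT option_name FROM xjps__options  WHERE option_name LIKE '%user\_roles';
SELECT COUNT(*) AS leftover_meta FROM xjps__usermeta WHERE meta_key LIKE 'wp\_%';
```

After running this, set $table_prefix = 'xjps__'; in wp-config.php; until both sides agree, WordPress will report that the installation needs to be set up because it cannot find its options table.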

Create two database users and use a switcher to switch between them

OK, to make the website a little more secure you can create a MySQL admin user and a restricted user that has only the basic SELECT, INSERT, UPDATE and DELETE privileges.

Then in wp-config.php you can check whether the visitor is logged in or not and select the corresponding MySQL user.

When you installed WordPress you may have created a blank MySQL database (schema or instance), and with it a MySQL admin user with full access rights.

You should now create a new WordPress database user with just SELECT, INSERT, UPDATE and DELETE privileges.
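The MySQL statements that create the two accounts the post describes, as an added example (not the post's own code or part of the Database Switcher download). The database name wordpress_db, the user names wp_admin and wp_app, and the localhost connection source are assumptions; substitute your own, and replace the placeholder passwords with long random ones.

```sql
-- Added example: the two MySQL accounts the wp-config switcher expects.
-- Assumed names: database wordpress_db, users wp_admin and wp_app, both connecting
-- from localhost (change to the web server's address if MySQL is on another host).

-- 1. Admin account: full rights, but scoped to the WordPress schema rather than *.*,
--    so even this account cannot touch other databases on the same server.
CREATE USER 'wp_admin'@'localhost' IDENTIFIED BY 'REPLACE_WITH_ADMIN_PASSWORD';
GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wp_admin'@'localhost';

-- 2. Day-to-day account: row-level DML only. No CREATE, ALTER, DROP, FILE or GRANT,
--    which limits what an injected query through a plugin can do to the schema or host.
CREATE USER 'wp_app'@'localhost' IDENTIFIED BY 'REPLACE_WITH_APP_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress_db.* TO 'wp_app'@'localhost';

FLUSH PRIVILEGES;

-- 3. Verify: the restricted account must show exactly the four DML privileges.
SHOW GRANTS FOR 'wp_app'@'localhost';

-- 4. Optional proof, run while connected as wp_app: this must be rejected with
--    "command denied", showing the restriction is enforced.
-- CREATE TABLE wordpress_db.should_fail (id INT);
```

Two things to keep in mind when running this way: WordPress core, theme and plugin upgrades create and alter tables, so they fail under wp_app, which is exactly why the switcher hands logged-in sessions the admin account (and why WP-CLI or cron jobs, which send no cookie, will run as wp_app); and the switch in wp-config.php happens before WordPress has validated the login cookie, so it keys off the cookie's presence rather than a verified session, which is why the admin password must be strong and MySQL should only accept connections from the web host.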

Then in your wp-config.php file you can use this snippet to switch between the users. Note that the first time you install WordPress you want to set START_SECURE to true.

define('START_SECURE', true); // 1st time set up requires full MySQL admin rights to create the database etc... Turn to false or delete if already set up

// Build the site URL the same way WordPress does for its cookie hash
function siteURL() {
    $protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
    $domainName = $_SERVER['HTTP_HOST'].'/';
    return $protocol.$domainName;
}
define( 'SITE_URL', siteURL() );
$siteurl = SITE_URL;

// Defining COOKIEHASH here means WordPress names its login cookie from this same value
define( 'COOKIEHASH', md5( $siteurl ) );
$cookiename = "wordpress_logged_in_" . COOKIEHASH;

// Use the admin credentials when a login cookie is present or during first-time setup.
// defined() keeps this working if the START_SECURE line is deleted later.
if (isset($_COOKIE[$cookiename]) || (defined('START_SECURE') && START_SECURE === true)) {
    /** The name of the database for WordPress */
    define('DB_NAME', 'database_name_here');
    /** MySQL database username (full rights) */
    define('DB_USER', 'admin_username_here');
    /** MySQL database password */
    define('DB_PASSWORD', 'admin_password_here');
    /** MySQL hostname */
    define('DB_HOST', 'IPADDRESS');
} else {
    /** The name of the database for WordPress */
    define('DB_NAME', 'database_name_here');
    /** MySQL database username (SELECT, INSERT, UPDATE, DELETE only) */
    define('DB_USER', 'username_here');
    /** MySQL database password */
    define('DB_PASSWORD', 'password_here');
    /** MySQL hostname */
    define('DB_HOST', 'IPADDRESS');
}
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

If you want something a little more structured you can try our WordPress Database Switcher, which keeps everything in a config folder.

This also contains a development version, so you can have the same set-up on your local machine for testing purposes.

In the config folder you have three files:
db.php – You do not need to touch this; it switches between the two files below.
db.staging.php – This is the database switcher set up for your local copy of the website.
db.live.php – This is the database switcher set up for your live copy of the website.

Again, in your config file you now have this. Overall it's just a bit neater, and it caters for live or development depending on whether you set DEV_ENVIRONMENT to true.

define('DEV_ENVIRONMENT', false);
define('START_SECURE', false); // 1st time set up requires full MySQL admin rights to create the database etc... Turn to false or delete if already set up
// ** MySQL settings - You can get this info from your web host ** //
/** DB_NAME, DB_USER, DB_PASSWORD and DB_HOST are now defined in config/db.php */
require_once('config/db.php');

Use WordFence to limit login attempts

Install this plugin https://en-gb.wordpress.org/plugins/wordfence/ to limit the number of times a user can attempt to log in. It is a three-strike system: after three failed attempts it locks the admin login for a period of time before you can try again.

Add this to your .htaccess file to stop bots

Here is a little snippet to block requests from the libwww-perl user agent, and a few other bits, thanks to this tutorial at https://community.spiceworks.com/how_to/1443-how-to-block-libwww-perl

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]
</IfModule>

If you own the server or have full access rights you can instead add this to your httpd.conf or a file in the conf.d directory (this uses the Apache 2.2 Order/Allow/Deny syntax; on Apache 2.4 it needs mod_access_compat or the equivalent Require directives):

SetEnvIfNoCase User-Agent "^Wget" bad_bot
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
<Location />
Order allow,deny
Allow from all
Deny from env=bad_bot
</Location>

Don’t save your WP-Admin passwords in your browser

I know it's easy to click "remember me" in your browser, but it is far more secure not to save your password in your browser.
Other people can jump on your machine and log in if you are in a public environment and start deleting stuff!

If you need a method you can check out our other guide to creating unique passwords that you can remember.
