Guide to WordPress Security Audit

The Definitive Guide to WordPress Security Audit

Working with WordPress is the most common exercise of an online marketer. This has bolstered the WordPress development services significantly.

For a WordPress website, security is a major concern. People often put their website’s security in jeopardy by these activities like weak passwords, use a public wifi without a VPN, low-security hosting, and so on.

Hackers take advantage of this weakness. They rely on common tools and scripts to penetrate the security level of a WordPress website. Because these scripts help them to find a loophole in your website.

Here I present you some golden rules, which will act as a guide to WordPress security audit. So, let’s have a look.

WordPress Security Guide for DIY Users

WordPress Security Guide for DIY Users

Before going any further, allow me to present a DIY list or rather I should say checklist to make sure that we all are on the same page.

  • Change the default username.
  • Disable the File Editing.
  • Limit the Login Attempts.
  • Change the WordPress Database Prefix.
  • Strong Password for WP-Admin and Login.
  • Disable the Directory Indexing and Browsing.
  • Add a couple of Security Questions to WordPress Login.

Now, I guess you understand that’s why I include a DIY in this Security Audit. These all are necessary and you are the only person who can do it. So, let’s get started,

Hire WordPress developers to get a robust, scalable & interactive WordPress website!

Change the Default Username

Change default username in WordPress

During the initial phase, WordPress initial username credential was ‘admin’ by default and at that time there was nothing you could do about that. A lot of things has changed since then. During those time, it was very easy to brute force on any WordPress website as the login credential was known which makes it easy for a hacker to anticipate the password.

However, now WordPress always asks to change the username if you’re a first-time installer. If not, you can change it. Although there is no direct option to change WordPress default username.

  • Create a new username and delete the old one.
  • Use phpMyAdmin to update the username.
  • Use the Username changer plugin.

In conclusion, do not take username ‘admin’ as in for the role, its just the name we are changing, not the administrator role.

Disable the File Editing

Disable the File Editing in WordPress

Now, WordPress is featured with an inbuilt code editor. With this code editor, you can edit your themes and plugins files accordingly from the WordPress Admin area. Imagine if it falls in the wrong hand, I’ve got just one word for that, “CHAOS”. So, I recommend to disable it.

Just add this code in your wp-config.php file and you’re good to move forward.

// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );

Limit the Login Attempts

WordPress Limited Login Attempts

A WordPress user can attempt infinite times by default. Consequently, it is a facility and a vulnerability. Hence a hacker can endlessly attempt to try to guess your password. Brute force is imminent in this case. In order to change the login attempt, you must install a plugin.

I personally recommend some,

We have been catering exceptional website development for years! Contact us now!

Change the WordPress Database Prefix

Change the WordPress Database Prefix

Now, many of you know that the WordPress uses “wp_” as a prefix for all tables in your WordPress Database. So, this makes easy for a hacker to anticipate your table name and inject SQL queries which will ultimately lead to hacking your website.

However, I will tell you how to block those SQL injections as well later. Still, I recommend you to change the prefix for your WordPress database prefix. You can go through this LINK to check a step by step guide for changing your WP Database Prefix.

Strong Password for WP-Admin and Login

Strong Password for WP-Admin and Login

Do you know that any hacker can easily request your Login page and wp-admin page without any restriction at all? Now imagine, a hacker inside your WordPress folder applying all his hacking tricks or running DDoS attacks.

So, secure these pages and folders with a strong password in order to keep your server side protected. You can go through this LINK to learn step by step guide to add a password for WP-Admin and Login page.

Stellen Infotech creates WordPress websites that reflects both the essence of your brand!

Disable the Directory Indexing and Browsing

Disable the Directory Indexing and Browsing

Directory browsing and Indexing can be very resourceful, not for you but for the hackers (CONFUSED?) Let me elaborate.

With Directory browsing and indexing, a hacker can look into your database for any possible vulnerabilities in any WordPress file. Furthermore, this helps them to take advantage of these files to gain access.

Directory browsing can help other in other types of website espionages like your competitor can look into your database to see your files, directory structures, copy images and other important information. So, I recommend turning off directory browsing and indexing is a must to be on the safer ground.

Add Security Questions to WordPress Login

Add Security Questions to WordPress Login

Now, how about adding some security questions to make your website more secure? This is very efficient when we talk about securing a WordPress website from an unauthorized access.

For adding security questions, you can install WordPress plugin, such as WP Security Questions. As a result, this will add an extra ingredient to your WordPress security.

Also read – Top QA Practices For Web Applications To Deliver Software Fast!!

Hosting Level and Server Level Security of WordPress Website

Hosting Level and Server Level Security of WordPress

When I say securing WordPress website, that means to start from ground zero. So, the first thing that you will put into consideration is your website hosting services. If your hosting company is not serious enough then trust me you’re doomed.

But don’t worry, I will give you some pointers which will help you to narrow down your problem. Look for these features when selecting your hosting services. If you have a web hosting company, don’t worry it is never too late for good things.

  • Your hosting service must have a server-level firewall.
  • Must run the stable and secure version of your web server.
  • Always keep it in mind, never access your server from an unsecured network.
  • Use an SFTP via a prestigious program.
  • Always make sure that the MySQL installation was secure.
  • Make Backup a part of your habit.
  • Make sure that your database table prefix is not wp_.
  • Always use complex and unpredictable passwords (Obviously!!!)

Finally, after cross checking these points you’ll have to configure some server rules. So, let’s see what modification can be done, in order to make these security changes worth.

Before going any further I want to clear, this step requires heavy coding. So, if you’re not comfortable with the coding, you’re not obliged to do this step. Hence, you can let your developer do that for you.

Some of you have access to the main server configuration file, while some of you don’t. So, let’s start doing it by editing .htaccess file.

This code will block the SQL injection hacking, Use it in your .htaccess file,

## SQL Injection Block ##

RewriteBase /
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ – [F,L]
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)||ê|”|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(“|’|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ – [F,L]

In addition, I would like to tell you that there are some plugins which can limit the login attempts of any user from a particular IP address. This will neutralize any kind of brute force attack on your website.

You can also block manually a particular IP address if someone is bothering you, just edit the IP address after “deny from” as one IP per line,

## Malicious IP Blocking ##
order allow,deny
deny from 1.1.1.1
deny from 2.2.2.2
allow from all

So, these are the server level enhancement which you can do, in order to secure your WordPress website.

Now, it’s time for WordPress itself!!!

Hire WordPress plugin developers to add essential features & functionality to your website!

Your WordPress Security Ammunition

WordPress Security Ammunition

In your WordPress installation, I recommend some of the security plugins which will make sure that your WordPress website is not vulnerable. Moreover, some of them are free some are paid. So, let’s have a look,

Better WP Security: It is a free WordPress security plugin. Although it can overlap with other plugins, So I reckon little caution while using this plugin.

Akismet: It is a paid plugin. Akismet is an advanced hosted anti-spam service which can be used to filter spammy crap.

Sucuri Security: I will not say that it is not a good service. However, if you’re using Akismet and Better WP Security, I wouldn’t recommend you to use Sucuri. But you should useSucuri if you’re not using the other plugins. It can be the ultimate salvation for your WordPress security.

Your Personal WordPress Security

Your Personal WordPress Security

Hacker always thrives on one mistake of a website, i.e., human error. The psyche of a human always betrays him. A hacker can easily anticipate many things such as passwords, small human mistakes that can make you pay too much.

So, just keep these points in mind and nothing will go wrong.

  • Never access a Wifi hotspot without a secure VPN.
  • Get a good firewall.
  • Get a good and paid antivirus.
  • Always keep your hard disks physically secure.
  • Use good and unpredictable passwords. (I suggest you use password generator plugins for more secure passwords.)
  • Always use two-factor authentication in order to avoid any type of blunder.
  • Keep your WordPress updates.
  • Your plugins should be always up to date. If any plugin is two years old and still got no updates, then uninstall it.
  • Always monitor your server login files.
  • Change your passwords periodically.

Make them your habit and always follows these steps once in a month to continuously keep a check on your WordPress website.

Tell me what do you think about these points. If you have any new point of view I would love to here about it.

Leave a Reply

Your email address will not be published. Required fields are marked *