How to harden your WordPress the right way
A short guide to prevent you from being hacked
Below you find a list of some very good tricks to harden your server and WordPress installation, which will help prevent your system from being hacked by script kiddies and other lame bad people who mess up people's hard work, including yours.
Remember that there isn't a foolproof way to secure your system. Internet security is an ongoing process and never stops.
- Place .htaccess files in all folders that should not be accessed.
- In your control panel, shut down all directory listing and browsing access. Log in to your control panel at your web host, search for “Indexes” and then choose the directory folders that need to be protected.
- Prevent editing core files from WordPress itself. Add the code to your wp-config.php file in WordPress; this disables the ability to edit WordPress server files from the WP dashboard.
- Move the wp-config file above the WP root directory e.g. public_html
- Move the content of the wp-config file to another secret location above public_html, so that the wp-config file in the web root is just a fake file.
Once you have done that, create a new directory in cPanel (home/your-account-name/) in which you place your real wp-config file. The real wp-config should be locked with 400 file permissions and the .htaccess file should use 404 file permissions.
- Delete the first user (the first administrator user) and create a new one that does not have ID number 1. The WordPress admin user that is automatically created for you when you first install WordPress is known as the WordPress user with ID 1. This is because in the _users database table, the record ID for the admin user is 1. As you can see here:
The user can easily be replaced: create a new user in the WordPress control panel and set that new user to be an administrator. Once you have done that, log out of the first admin with ID 1, log in to your new administrator account and then delete the first account. When WordPress asks what to do with the old account's content, attribute it to the new administrator rather than deleting it. This can of course be done from the database too, by deleting the user with ID 1, but it is easier to do it directly from the WP backend.
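Putting the wp-config items above together, here is a shell procedure added as an example (it is not code from the original post) that moves the real wp-config.php into a private directory above the web root, leaves a stub behind that hands control to it, adds the DISALLOW_FILE_EDIT constant that disables the dashboard file editor, and locks the real file to mode 400 as recommended. The directory names public_html and private, and the constructed sample wp-config.php written by make_demo_site, are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Moves the real wp-config.php out of the web root into a private directory,
# leaves a stub behind that hands control to it, disables the dashboard file
# editor with DISALLOW_FILE_EDIT, and locks the real file to mode 400.
# Assumed layout: <account>/public_html (web root) and <account>/private.

# Portable "octal mode" helper (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample site for the demo; the values are not real credentials.
make_demo_site() {
    mkdir -p "$1"
    cat > "$1/wp-config.php" <<'EOF'
<?php
/* Constructed sample wp-config.php (demo only). */
define( 'DB_NAME', 'wp_db' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'example-only' );
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# harden_wp_config <webroot> <private_dir>
harden_wp_config() {
    webroot=$1
    private_dir=$2
    real_cfg="$private_dir/wp-config.php"
    stub_cfg="$webroot/wp-config.php"

    case $private_dir in
        /*) real_abs=$real_cfg ;;
        *)  real_abs="$PWD/$real_cfg" ;;
    esac

    mkdir -p "$private_dir"
    chmod 700 "$private_dir"    # only the owner (the PHP user) may enter it

    # First run: the file in the web root is still the real configuration.
    if [ ! -f "$real_cfg" ]; then
        [ -f "$stub_cfg" ] || { echo "no wp-config.php in $webroot" >&2; return 1; }
        mv "$stub_cfg" "$real_cfg"
    fi

    # Disable the theme/plugin editor in the dashboard. The define goes right
    # after the opening <?php tag (line 1 of a standard wp-config.php), so it
    # is set before wp-settings.php is loaded.
    if ! grep -q 'DISALLOW_FILE_EDIT' "$real_cfg"; then
        awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
            'NR == 1 { print; print line; next } { print }' "$real_cfg" > "$real_cfg.tmp"
        mv -f "$real_cfg.tmp" "$real_cfg"
    fi

    # Stub in the web root. It must define ABSPATH itself: the relocated file's
    # own __DIR__ would otherwise anchor WordPress to the private directory.
    rm -f "$stub_cfg"
    cat > "$stub_cfg" <<EOF
<?php
/* Stub left in the web root; the real configuration lives outside it. */
define( 'ABSPATH', __DIR__ . '/' );
require_once '$real_abs';
EOF

    chmod 400 "$real_cfg" "$stub_cfg"   # owner read only, as the post recommends
}

# Demo run in a scratch directory.
demo=$(mktemp -d)
make_demo_site "$demo/public_html"
harden_wp_config "$demo/public_html" "$demo/private"
echo "--- stub now in the web root:"
cat "$demo/public_html/wp-config.php"
echo "--- real config mode: $(file_mode "$demo/private/wp-config.php")"
rm -rf "$demo"
```

Mode 400 only works when PHP runs as the file's owner (suPHP, or a PHP-FPM pool per account, which is what cPanel-style hosts normally do); under a shared mod_php setup the web server user cannot read a 400 file and WordPress will not load, so check which user owns the PHP processes before applying it. The stub defines ABSPATH on purpose: the relocated wp-config.php sets ABSPATH from its own directory when nothing has defined it yet, which would point WordPress at the private directory.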
- Install and configure a security plugin/firewall, such as for example:
WPMU Dev’s Defender https://wpmudev.com/project/wp-defender/ or
iThemes Security https://wordpress.org/plugins/better-wp-security/. You can of course find other firewalls too if you search at WordPress.org: https://wordpress.org/plugins/search/firewall/
- Harden the server itself. Use Patchman:
If it is your own hardware/VPS server (which you should run anyway in the first place, rather than a shared hosting environment), then installing an additional security layer in Linux itself such as Patchman makes perfect sense: https://www.patchman.co (Patchman is a premium service).
Patchman will scan and monitor 24/7/365 not just your WPMU (WPMU = WordPress Multisite) or single/stand-alone WordPress installation, but the whole Linux server itself and all other web applications you might run on it, and it does this from deep within the OS core. If any mischief is found, Patchman will automatically correct and patch it to close the security hole. Pretty neat, right?
- Also, always remember to delete the files upgrade.php and install.php from wp-admin, and license.txt and readme.txt from the WordPress root directory, each time you upgrade.
- Make sure to have access to real host backups:
No backup plugin can ever substitute for or beat host backups, which are based on real server backup infrastructure taking full backups of your whole server on a daily basis (and it makes your site faster too, because that is one less plugin to bog down your server, which is an additional bonus). Having access to a reliable, solid backup system with retention points that go months back will save your sorry skinny butt when the sky falls down on you, and it will.
It is not a question of “if” it will happen, but when. You need to be ready for the situation when things fail with your website.
- How to configure secure WordPress database permissions (after WordPress installation):
Never run your WordPress installation with full database user permissions.
The WordPress database is the most important component of your WordPress website. It contains all the content of your website, such as information about your users, all your posts, etc.
In order to access the database, a database user needs specific privileges that allow him or her to manipulate it. The WordPress database is built on MySQL/MariaDB, whose privilege system controls which changes a user is allowed to make. Granting all privileges gives a user full control, which is a very convenient option if the user wants to have full control over the WordPress database.
However, from a security point of view this is extremely dangerous: if a hacker gains access to the database through that user, he or she has full control over the WordPress database and the stored data, which can have catastrophic consequences for your website's security. Therefore it is not recommended to grant a user full access, unless the user needs to be able to use the DROP or DELETE SQL commands.
Below is an example of the minimum privileges a database user needs to have. Other database permissions are regarded as “extra” privileges that in most cases are not needed. A typical WordPress user should be granted the following database privileges only:
• SELECT
• INSERT
• UPDATE
If you are upgrading WordPress, the above database permissions might not suffice between versions, since WordPress might need to make further changes to the database. In this case, if you are only upgrading to the latest version of WordPress, add the privileges below to the WordPress database user:
• CREATE
• ALTER
NOTE: Some plugins might require additional database privileges such as CREATE, DROP or DELETE, and in those cases these privileges should be granted.
In addition to securing your WordPress database permissions, you should make sure that each database of your website is accessed through a separate account and not through the root account.
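As an added example (not code from the post), the following shell functions produce the GRANT statements for a dedicated WordPress database user holding only the privileges listed above, and audit a line of SHOW GRANTS output for anything beyond that set, which is the check to run after installing a plugin that asked for more. The database name wp_db, the user wp_user, the host localhost, the password placeholder and the sample SHOW GRANTS lines are all constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Produces the GRANT statements for a dedicated, least-privilege WordPress
# database user and audits a SHOW GRANTS line for privileges beyond the
# allowed set. Database wp_db, user wp_user, host localhost and the sample
# SHOW GRANTS output are constructed placeholders.

MIN_PRIVS="SELECT, INSERT, UPDATE"                      # day-to-day operation
UPGRADE_PRIVS="SELECT, INSERT, UPDATE, CREATE, ALTER"   # only while upgrading core

# grant_sql <db> <user> <host> <privs>
# Prints SQL that (re)creates the user with exactly <privs> on one database;
# the REVOKE clears anything granted earlier, so re-running it is safe.
grant_sql() {
    db=$1; user=$2; host=$3; privs=$4
    cat <<EOF
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '<set-a-strong-password>';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '$user'@'$host';
GRANT $privs ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# excess_privs "<one line of SHOW GRANTS output>" "<allowed privs>"
# Prints the granted privileges that are not in the allowed list (USAGE means
# "no privileges" in MySQL and is always accepted). Empty output means clean.
excess_privs() {
    line=$1; allowed=$2
    granted=$(printf '%s\n' "$line" | sed -n 's/^GRANT \(.*\) ON .*/\1/p')
    extras=""
    old_ifs=$IFS
    IFS=','                               # split on commas only, so multi-word
    for p in $granted; do                 # privileges stay intact
        IFS=$old_ifs
        p=${p# }                          # drop the space after each comma
        case ", $allowed, USAGE, " in
            *", $p, "*) ;;                # permitted
            *) extras="$extras${extras:+ }$p" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$extras"
}

# grant_scope "<one line of SHOW GRANTS output>"
# Prints the object the grant applies to; "*.*" means server-wide, which a
# per-site account should never have.
grant_scope() {
    printf '%s\n' "$1" | sed -n 's/^GRANT .* ON \(.*\) TO .*/\1/p'
}

# Demo: emit the minimal grant, then audit a constructed over-privileged account.
grant_sql wp_db wp_user localhost "$MIN_PRIVS"
sample="GRANT SELECT, INSERT, UPDATE, DELETE, DROP ON \`wp_db\`.* TO 'wp_user'@'localhost'"
echo "extra privileges on wp_user: $(excess_privs "$sample" "$MIN_PRIVS")"
echo "scope: $(grant_scope "$sample")"
```

Replace the password placeholder, then run the generated statements as the database administrator (for example `grant_sql wp_db wp_user localhost "$MIN_PRIVS" | mysql -u root -p`). Before a core upgrade, run it again with "$UPGRADE_PRIVS" and afterwards with "$MIN_PRIVS" once more; the REVOKE line is what makes the second run take the extra privileges away again. To audit an existing account, paste the output of `SHOW GRANTS FOR 'wp_user'@'localhost'` into excess_privs.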
You should lock mission-critical files with 400 or 404 file permissions.
You can read more about why that is so important in this article: https://support.shorturl.gg/business-marketing-and-seo-forums/topic/why-you-should-lock-your-wordpress-mission-critial-files/
- Last but not least:
Remember to set and apply the .htaccess files to your WordPress installation to further secure and harden it:
.htaccess | wp-admin folder
.htaccess | wp-includes folder
.htaccess | wp-content folder
.htaccess | wp-content plugin folder
.htaccess | wp-content MU-plugin folder
.htaccess | wp-content theme folder
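The following script is an added example (not code from the original post) covering the two items above: it writes an .htaccess into each of the six folders listed, with directory listings switched off (the “Indexes” item earlier in the list) and direct HTTP requests for PHP files denied where nothing in the folder is ever meant to be requested directly, and it locks every .htaccess to the 404 file permission recommended above. The rules assume Apache 2.4 `Require` syntax and a virtual host whose AllowOverride permits Options and AuthConfig (AllowOverride All does); the 203.0.113.0/24 network in the commented-out wp-admin rule is an RFC 5737 documentation range used as a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Writes an .htaccess into each folder the post lists and locks each one to
# mode 404 (owner read, world read, nobody writes) as recommended above.
# Assumes Apache 2.4 ("Require" syntax) and AllowOverride permitting Options
# and AuthConfig; 203.0.113.0/24 is an RFC 5737 documentation placeholder.

# Rules every protected folder gets: no directory listings (the "Indexes"
# item) and no direct download of backups, logs, dumps or editor leftovers.
COMMON_RULES='Options -Indexes
<FilesMatch "\.(bak|log|sql|ini|sh|old|orig|swp)$">
    Require all denied
</FilesMatch>'

# For folders whose PHP files are only ever include()d by WordPress and should
# never be requested over HTTP. Access control applies to requests, not to
# PHP include(), so WordPress itself keeps working. If a release you run
# serves a PHP file from such a folder directly, add a <Files> exception.
NO_DIRECT_PHP='<FilesMatch "\.php$">
    Require all denied
</FilesMatch>'

# Portable "octal mode" helper (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# htaccess_body <folder relative to the WordPress root>  -> prints the file content
htaccess_body() {
    case $1 in
        wp-admin)
            printf '%s\n' "$COMMON_RULES" \
                '# Optional: limit the dashboard to trusted networks. Note that' \
                '# admin-ajax.php is used by visitors too, so test before enabling.' \
                '# Require ip 203.0.113.0/24'
            ;;
        wp-includes|wp-content/mu-plugins|wp-content/themes)
            printf '%s\n' "$COMMON_RULES" "$NO_DIRECT_PHP"
            ;;
        wp-content|wp-content/plugins)
            printf '%s\n' "$COMMON_RULES" \
                '# Some plugins expose PHP endpoints that are requested directly, and' \
                '# rules here are inherited by every subfolder; test before adding the' \
                '# <FilesMatch "\.php$"> deny rule used in wp-includes.'
            ;;
        *)
            echo "no rule set for $1" >&2
            return 1
            ;;
    esac
}

# write_htaccess <wordpress_root>
write_htaccess() {
    root=$1
    for dir in wp-admin wp-includes wp-content wp-content/plugins wp-content/mu-plugins wp-content/themes; do
        target="$root/$dir/.htaccess"
        mkdir -p "$root/$dir"
        rm -f "$target"                  # an earlier 404 copy is not writable, so replace it
        htaccess_body "$dir" > "$target"
        chmod 404 "$target"
    done
}

# Demo in a scratch directory.
demo=$(mktemp -d)
write_htaccess "$demo"
echo "--- wp-includes/.htaccess (mode $(file_mode "$demo/wp-includes/.htaccess")):"
cat "$demo/wp-includes/.htaccess"
rm -rf "$demo"
```

Run it as `write_htaccess /home/your-account-name/public_html` (path assumed) and then request the site once: if the virtual host does not allow Options or Require overrides, Apache answers every request with a 500 error and the error log names the offending directive, in which case the host has to enable the override or the rule has to move into the virtual host configuration.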