WordPress is undoubtedly an amazing Platform to run business, create beautiful blogs and websites. But the main issue we face with using WordPress is ‘it frequent becomes hacked.’ Also, MySQL server frequently goes down due to DDoS and Brute Force Attack if proper precautionary steps aren’t taken. Though WordPress core is very secure, we need to use many third party plugins or themes to achieve our needs which make it vulnerable.
How to Secure WordPress Site From Hacking, DDoS and Brute Force Attack:
Step by Step Process of Securing Your WordPress Site:
Hardening WordPress:
The first step comes with ‘Harding Your WordPress Site.’ Make sure to give your WordPress files correct permissions. Here are WordPress.org recommended file permissions for directories and files. Login to your server with SSH and run the following commands.
For Directories:
|
1 |
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \; |
For Files:
|
1 |
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \; |
Securing wp-includes:
Adding this piece of codes in your .htaccess file will prevent hackers from accessing files within your wp-includes directory. (Paste it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file as WordPress can overwrite codes within these two tags.
|
1 2 3 4 5 6 7 8 9 10 11 |
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule> # BEGIN WordPress |
Securing wp-config.php file:
You can secure your wp-config.php file by denying everyone surfing for it.
|
1 2 3 4 |
<files wp-config.php> order allow,deny deny from all </files> |
Disable File Editing:
Disabling file editing via wp-admin dashboard ‘Editor’ (‘Appearance’ >> ‘Editor’) is an effective way to protect your WordPress file from being modified by hackers even if they manage to get an administrator password. Add this piece of code in your wp-config.php
|
1 |
define('DISALLOW_FILE_EDIT', true); |
Disable Remote Access for the ‘root’ User:
It’s important to disable remote access for the root user to secure your database. Login to your server with SSH and run the following commands:
|
1 |
mysql -u root -p |
Then enter your MySQL root password and run the following commands:
|
1 |
DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); and then FLUSH PRIVILEGES; |
Disable All Remote Connections:
Open your MySQL config file (usually it’s my.cnf) and add the following codes:
|
1 2 3 4 |
[mysqld] port=3306 sql-mode="STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION" skip-networking |
Changing Important File Permissions in WordPress:
According to WordPress.org file permission suggestions these important files should have such permissions for enhancing security (I have shown with commands you should run for it).
.htaccess file: chmod -v 604 .htaccess
wp-config.php: chmod -v 644 .wp-config.php
Disable XML-RPC if not required:
XML-RPC is used to interact with your WordPress site remotely. Such as if you use a Mobile App for your WordPress site or use remote service like IFTTT or create or delete a post remotely, then you will need XML-RPC enabled. If you are not using such things, then I highly recommend to disable it. It is important to prevent MySQL server from being shut down due to too many requests by hackers.
Method 1 of disabling XML-RPC: There is a plugin available for it or you can put this piece of code in your functions.php:
|
1 |
add_filter('xmlrpc_enabled', '__return_false'); |
Method 2 with of disabling XML-RPC with .htaccess: Simple paste the following piece of codes at the top of your .htaccess file.
|
1 2 3 4 5 6 |
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 123.123.123.123 </Files> |
CloudFlare to Prevent DDoS and Brute force attack:
You can protect your website from numerous DDoS and Brute force for free using CloudFlare. You can go ahead with creating a free account and add your site there in CloudFlare. Here is an easy and illustrative tutorial on how to enable CloudFlare DDoS and Brute force protection for your website.
If you need any help with securing your WordPress site feel free to contact me directly at zubaerahammed223 [at] gmail.com or via this contact form.
