Basic WordPress Security

The most important file in every WordPress install is wp-config.php. This file contains all of your database settings as well as other configuration settings. It is important to understand how to secure this file and how to use it to secure your site further.

Of course, none of this matters if you don't follow the basic security rules: use secure passwords, update and back up often, etc.

Securing wp-config.php

Let's first take a look at securing the wp-config.php file itself.

File permissions

Permissions for this file should be as restrictive as possible: read-only to the web server process if possible. Use either 400 or 440, depending on what your host supports.

Deny access

In addition to changing the permissions, you should also deny remote clients the ability to access wp-config.php. To do this, edit the .htaccess file and add the following lines.

<files wp-config.php>
order allow,deny
deny from all
</files>

Move wp-config out of the WordPress root folder

WordPress supports the configuration file being moved to the parent directory of your WordPress installation.

For example if your WordPress is installed in /var/www/wordpress then you can move the configuration file to /var/www.

There are a lot of arguments for and against this one; the fact remains, however, that more layers of security are always better. This is really about protecting against mistakes and bugs, such as altering the permissions by accident or resetting configuration during updates.

Security features of wp-config.php

The wp-config.php file itself supports a number of security enhancing commands you should use.

Table prefix

By default, WordPress table prefixes are wp_, which means tables will have predictable names such as wp_users.

$table_prefix  = 'dfgjf_';

This adds an extra layer of obscurity for any hackers trying to gain access.

Disable file editing

WordPress allows administrators to directly edit plugin and theme files. While this can be convenient at times, you should disable it for several reasons. Firstly, third-party themes/plugins are maintained by their owners, and updating them will overwrite any changes you make. Secondly, if hackers are able to gain access to your server through an exploit, it provides an easy way for them to add additional code to these files.

define('DISALLOW_FILE_EDIT',true);

Disable theme/plugin installation

This setting goes hand in hand with disabling file editing, as it prevents the installation of new themes/plugins through the admin panel. This is important because disabling file editing only stops hackers from editing existing files, not from installing new plugins/themes altogether.

define('DISALLOW_FILE_MODS',true);

This can feel a little restrictive, but it is worth noting that this setting doesn't stop the activation and deactivation of existing plugins. If you have SSH access to the host, you can still SCP the files into the correct directory and then activate them. Alternatively, you can use application deployment software such as AWS CodeDeploy to push new plugins/themes.

Security keys

Ok, this one is simple, and WordPress themselves tell you to change these values in the wp-config.php file itself. WordPress uses cookies to track users logged into the website; to ensure these are secure, it uses a salt to generate the cookie name.

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

It requires almost no effort to do this, as WordPress even provides a webpage that can generate the secure values for you:

https://api.wordpress.org/secret-key/1.1/salt/

Require SSL for admin and logins

There is a setting to force HTTPS for all admin pages and login pages.

define('FORCE_SSL_ADMIN', true);

I have included this setting as this article is focusing on the wp-config.php file. However, my advice is simply to force HTTPS at the CDN, load balancer or web server level and protect the whole site.

Disable debug

Debug output can reveal information about your setup that you might not want available to hackers. On production sites I would recommend disabling all debug logging unless you actually need it. Even then, only enable it for the duration of the work requiring it.

@ini_set( 'log_errors', 'On' );
@ini_set( 'display_errors', 'Off' );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_LOG', false );
define( 'WP_DEBUG_DISPLAY', false );

The above will configure both PHP and WordPress not to display or log debug information.
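The settings above (file permissions, table prefix, DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS, the placeholder security keys and the debug flags) are easy to check mechanically. The following audit script is an added example, not part of the original post or of WordPress itself; the wp-config.php contents and paths are constructed here so it runs offline.

```sh
#!/bin/sh
# Audit a wp-config.php against the hardening steps discussed above.
# The sample configs below are constructed for this example (assumption).

# Write a constructed wp-config.php to "$1"; "$2" is "weak" or "hardened".
make_sample_config() {
  if [ "$2" = "hardened" ]; then
    cat > "$1" <<'EOF'
$table_prefix  = 'dfgjf_';
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
define('AUTH_KEY', 'constructed-random-value-not-a-real-key');
define( 'WP_DEBUG', false );
EOF
    chmod 400 "$1"
  else
    cat > "$1" <<'EOF'
$table_prefix  = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define( 'WP_DEBUG', true );
EOF
    chmod 644 "$1"
  fi
}

# Print one FAIL line per missing hardening step, then "findings: N".
audit_wp_config() {
  cfg="$1"; n=0
  # Octal mode: GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
  case "$mode" in
    400|440) ;;
    *) echo "FAIL: mode is $mode, expected 400 or 440"; n=$((n+1)) ;;
  esac
  if grep -Eq "^\\\$table_prefix *= *'wp_'" "$cfg"; then
    echo "FAIL: table prefix is the default wp_"; n=$((n+1)); fi
  for c in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
    grep -Eq "define\( *'$c', *true *\)" "$cfg" ||
      { echo "FAIL: $c is not set to true"; n=$((n+1)); }
  done
  if grep -q "put your unique phrase here" "$cfg"; then
    echo "FAIL: placeholder security keys/salts still present"; n=$((n+1)); fi
  if grep -Eq "define\( *'WP_DEBUG', *true *\)" "$cfg"; then
    echo "FAIL: WP_DEBUG is enabled"; n=$((n+1)); fi
  echo "findings: $n"
}

dir=$(mktemp -d)
make_sample_config "$dir/wp-config.php" weak
audit_wp_config "$dir/wp-config.php"
```

Point audit_wp_config at a real wp-config.php to get the same report for a live install; an empty FAIL list means every setting covered above is in place.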

Other things to consider

FTP

I haven't mentioned FTP so far in this article. Generally speaking, I recommend not installing an FTP server. It just provides an extra attack vector and another piece of software you need to maintain and patch. Once it is compromised, hackers can do anything they want to your web server root directory.

Use a more secure method such as SSH/SCP, implemented using private keys.
