WordPress is a very popular website creation tool. It can be used to build anything from a simple blog to a full-blown e-commerce site.
It is also the dominant CMS (Content Management System) on the market: according to a survey, 35% of all websites (62% of websites built on a CMS), or around 455,000,000 sites, run WordPress.
This is good news for you: it means there is a lot of support and plenty of plugins (add-ons) available, often for free.
At the same time, that popularity is a problem. WordPress sites are the most attacked type of site on the web, because one working exploit reaches millions of targets, so anybody running WordPress should use a security plugin.
The one that I use, and have been using for a number of years on sites that I have built, is iThemes Security, previously known as Better WordPress Security. According to the Bloggers Roadmap, “iThemes Security is the best overall security plugin you can find”. Although there is a paid version, the free version does an excellent job. In this post I will take you through the options and configuration of the free version.
The first thing you should do after installing and activating the plugin is to run the security check.
This will enable and initially configure:
- Banned Users
- Database Backups
- Local Brute Force Protection
- Network Brute Force Protection
- Strong Passwords
- WordPress Tweaks
You then have basic protection – from a single click of a button.
Now it’s time to visit the various modules to really tighten things up by checking (and possibly changing) the following configurations.
Global Settings
The configuration that I use is as follows:
- Allow iThemes Security to write to wp-config.php and .htaccess. The plugin needs this to apply several of the settings below, and it ensures that your security settings are always properly updated. Take a copy of both files first so that you can restore them if a rule ever breaks the site.
- The three lockout messages can be left as standard, or you can enter your own.
- Enable Blacklist Repeat Offender: hosts that are locked out repeatedly are added automatically to the banned list. I use these thresholds: Permanently Ban after 3 lockouts within 21 days, Lockout Period 15 minutes (before they can retry).
- Lockout Whitelist: enter your own IP address (done automatically if you click the button). This is very important: it means that you cannot accidentally lock yourself out of your own site.
You may need to update this periodically if your internet provider changes your address; I am on a cable service and have had the same IP address for a few years. If you administer the site from a mobile connection or through a VPN, expect the address to change much more often.
Notification Center
Here you can configure how notifications of security warnings and lockouts are sent to you. This can be left at the defaults.
404 Detection
This catches people scanning for files to exploit. A 404 (not found) error is returned when a requested file does not exist on your site, and a visitor probing for vulnerable plugins, backup copies or configuration files will generate many of them in a short time, which a real reader never does.
I set ‘Remember 404 Error’ to 15 minutes and ‘Error Threshold’ to 5. I leave the ‘Whitelist’ and ‘Ignored File Types’ as is.
Away Mode
I don’t enable this, but it can be used to disable access to the WordPress dashboard at certain times (for example overnight, when nobody should be logging in).
Banned Users
Here you can give a list of IP addresses or address blocks to ban completely.
- Enable HackRepair.com’s blacklist feature.
- Enable Ban Lists
- Ban Hosts. I tend to use the lockout notifications (especially for people trying to log in as Admin) to block the whole ISP for hackers from places like Russia, China etc.
If you need help with this, ask via comments and I will add a short explanatory post
Database Backups
Configure your backups. I use the following:
- Backup Full Database Off
- Backup Method Email Only – backups will be emailed to me. Remember that a database dump contains your users’ password hashes and any unpublished content, so the mailbox that receives it needs protecting too.
- Backups to Retain doesn’t matter as I am not storing them on the machine
- Zip Database Backups
- Exclude Tables I leave as is
- Enable Scheduled Database Backups
- Backup Interval 3 days (if your site is very busy, with many posts, you may wish to shorten this interval).
File Change Detection
I leave this as is, but you can choose not to flag changes to some files, or to include some of the excluded file types.
File Permissions
This module lists the current and recommended permissions for the important WordPress files and folders. If the site still works with a level lower (more restrictive) than recommended, that does no harm. The numbers do need some explanation.
Assuming a Linux host (the most common case), each file or folder has three sets of permissions:
- what the owner of the file can do
- what users in the same group as the owner can do
- what anyone else can do.
These permissions are written as three digits in the order owner, group, everyone else, so 644 means the owner can read and write while the group and everyone else can only read. Each digit is the sum of read (4), write (2) and execute (1):
- 0 can do nothing
- 1 can enter the folder, or run the file as a program
- 2 can write to the file (or create and delete entries in the folder)
- 3 can write, and can enter the folder or run the file
- 4 can read the file (or list the folder)
- 5 can read, and can enter the folder or run the file
- 6 can read and write
- 7 can read, write, and enter the folder or run the file
PHP files served through mod_php or PHP-FPM (the usual setups) are read by the PHP interpreter rather than executed directly, so they do not need the execute bit; it matters for folders, which the web server must be able to enter to reach the files inside. The setting to avoid is write permission for everyone else (a 2, 3, 6 or 7 in the last position), since that lets any process on the host change your files.
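The following is an added example, not code from the post or from the plugin: it walks a WordPress tree and reports every file or folder that grants a permission bit its recommended mode does not, accepting tighter modes exactly as the text says. The recommended modes (755 for folders, 644 for files, 444 for wp-config.php and .htaccess) follow the usual WordPress hardening advice and are an assumption here, not the plugin’s own table; the sample tree is constructed in a temporary directory.

```python
import os
import stat
import tempfile
from pathlib import Path

# Target modes for a typical Linux host. These follow the usual WordPress
# hardening advice and are an assumption for this example, not the plugin's table.
RECOMMENDED_BY_NAME = {"wp-config.php": 0o444, ".htaccess": 0o444}
RECOMMENDED_DIR = 0o755
RECOMMENDED_FILE = 0o644


def describe(mode: int) -> str:
    """Render the nine permission bits as owner/group/other triplets: 0o644 -> 'rw-r--r--'."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 0o7
        out.append(("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-"))
    return "".join(out)


def recommended_for(path: Path) -> int:
    if path.name in RECOMMENDED_BY_NAME:
        return RECOMMENDED_BY_NAME[path.name]
    return RECOMMENDED_DIR if path.is_dir() else RECOMMENDED_FILE


def audit(root) -> dict:
    """Walk root and return {relative path: (actual, recommended, extra bits)} for
    every entry that grants a permission the recommended mode does not.
    Tighter-than-recommended modes are accepted, matching the note above that
    a lower level does no harm as long as the site still works."""
    rootp = Path(root)
    findings = {}
    for path in rootp.rglob("*"):
        actual = stat.S_IMODE(path.lstat().st_mode) & 0o777  # ignore setuid/setgid/sticky here
        want = recommended_for(path)
        extra = actual & ~want
        if extra:
            findings[str(path.relative_to(rootp))] = (oct(actual), oct(want), describe(extra))
    return findings


def build_sample_tree() -> str:
    """Create a small, constructed WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    layout = {                            # relative path -> mode to set
        "wp-config.php": 0o644,           # owner-writable: looser than the 444 target
        ".htaccess": 0o444,
        "index.php": 0o664,               # group-writable file
        "wp-content": 0o755,
        "wp-content/uploads": 0o777,      # world-writable upload folder, a classic finding
        "wp-content/uploads/photo.jpg": 0o644,
        "wp-includes": 0o755,
        "wp-includes/version.php": 0o600,  # tighter than 644: accepted
    }
    for rel, mode in layout.items():
        p = Path(root, rel)
        if Path(rel).suffix or rel == ".htaccess":   # files in the sample all carry a suffix, plus .htaccess
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("")
        else:
            p.mkdir(parents=True, exist_ok=True)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for rel, (actual, want, extra) in sorted(audit(build_sample_tree()).items()):
        print(f"{rel}: {actual} (recommended {want}), extra bits {extra}")
```

Point it at a real site with `audit("/var/www/html")` and compare the output with the module’s own table; anything it lists with a `w` in the last triplet is the first thing to fix.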
Local Brute Force Protection
This is to protect against those who attempt to break in by guessing passwords.
Note: set yourself up as an administrator, set up another user as an editor, remove the user ‘admin’ (if present; WordPress will offer to reassign its posts to another user) and never post using your admin login. Published posts reveal the author’s login name (through the author archive URL, for example), which hands an attacker half of the credentials. If you have already posted under the account you administer with, you can choose Quick Edit for the post and change the author.
I set Max Login Attempts Per Host and Max Login Attempts Per User to 5
I set Minutes to Remember Bad Login (check period) to 15 minutes (some hackers anticipate the normal 10 minute period)
Always set Automatically Ban “admin” user: any host that tries to log in as “admin” is locked out immediately, which is safe once that account no longer exists.
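To make the 404 Detection and Local Brute Force settings above concrete, here is an added example (not code from the post or the plugin) of the sliding-window logic they describe: failed logins are counted per host and per user, 404s per host, the “admin” name locks a host out at once, a whitelisted address is never locked, and a host locked out three times within 21 days is banned. The event stream is constructed and uses RFC 5737 documentation addresses; the owner’s whitelisted address is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are the ones the post configures; the event stream below is
# constructed for this example and is not a real log.
WINDOW = timedelta(minutes=15)      # "Minutes to Remember Bad Login" and "Remember 404 Error"
MAX_ATTEMPTS = 5                    # per host, per user, and the 404 "Error Threshold"
LOCKOUT = timedelta(minutes=15)     # "Lockout Period" before a host may retry
BAN_AFTER = 3                       # "Permanently Ban after 3 lockouts ..."
BAN_WINDOW = timedelta(days=21)     # "... within 21 days"
WHITELIST = {"203.0.113.10"}        # the owner's own address (assumed; documentation range)
BANNED_USERNAMES = {"admin"}        # "Automatically Ban 'admin' user"


class LockoutTracker:
    def __init__(self):
        self.attempts = defaultdict(deque)     # (kind, key) -> timestamps inside WINDOW
        self.host_locked_until = {}
        self.user_locked_until = {}
        self.lockouts = defaultdict(deque)     # host -> lockout times inside BAN_WINDOW
        self.banned = set()

    def _count(self, key, ts):
        """Append ts to the sliding window for key and return the window size."""
        q = self.attempts[key]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        return len(q)

    def _lock_host(self, host, ts, reason):
        hist = self.lockouts[host]
        hist.append(ts)
        while ts - hist[0] > BAN_WINDOW:
            hist.popleft()
        if len(hist) >= BAN_AFTER:             # repeat offender: ban outright
            self.banned.add(host)
            return ("ban", host, reason)
        self.host_locked_until[host] = ts + LOCKOUT
        return ("lockout", host, reason)

    def is_blocked(self, host, ts):
        if host in WHITELIST:
            return False
        if host in self.banned:
            return True
        return ts < self.host_locked_until.get(host, ts)

    def failed_login(self, host, user, ts):
        if host in WHITELIST:
            return None
        user = user.lower()
        n_host = self._count(("login-host", host), ts)
        n_user = self._count(("login-user", user), ts)
        if user in BANNED_USERNAMES:           # no counting: the name itself is the tell
            return self._lock_host(host, ts, f"login attempt as reserved user {user!r}")
        if n_host >= MAX_ATTEMPTS:
            return self._lock_host(host, ts, f"{n_host} failed logins from host")
        if n_user >= MAX_ATTEMPTS:             # one account guessed from many hosts
            self.user_locked_until[user] = ts + LOCKOUT
            return ("lockout-user", user, f"{n_user} failed logins for user")
        return None

    def not_found(self, host, path, ts):
        if host in WHITELIST:
            return None
        n = self._count(("404", host), ts)
        if n >= MAX_ATTEMPTS:
            return self._lock_host(host, ts, f"{n} 404s in window, last {path}")
        return None


def replay(events):
    """Feed (ts, kind, host, detail) events in time order; return (actions, tracker)."""
    tracker = LockoutTracker()
    actions = []
    for ts, kind, host, detail in sorted(events, key=lambda e: e[0]):
        if tracker.is_blocked(host, ts):
            actions.append(("blocked", host, detail))
            continue
        result = tracker.failed_login(host, detail, ts) if kind == "login" else tracker.not_found(host, detail, ts)
        if result:
            actions.append(result)
    return actions, tracker


T0 = datetime(2024, 1, 1, 10, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = (
    [(at(0), "login", "198.51.100.7", "admin")]                                  # instant lockout: reserved name
    + [(at(m), "login", "192.0.2.44", "jane") for m in (0, 1, 2, 3)]             # 4 < 5, then the window expires
    + [(at(m), "login", "203.0.113.10", "owner") for m in range(5, 11)]          # whitelisted owner, never locked
    + [(at(m), "login", "198.51.100.7", "editor") for m in range(16, 21)]        # 5 in 5 minutes: lockout #2
    + [(at(21), "login", "198.51.100.7", "editor")]                               # still locked: request dropped
    + [(at(m), "login", "192.0.2.44", "jane") for m in (25, 26)]                 # window reset, no action
    + [(at(m), "404", "198.51.100.7", f"/wp-content/plugins/x{m}/readme.txt") for m in range(40, 45)]  # lockout #3: ban
    + [(at(50 + i), "login", f"192.0.2.{i + 1}", "editor") for i in range(5)]   # one account, five hosts
    + [(at(60), "login", "198.51.100.7", "editor")]                               # banned: dropped
)

if __name__ == "__main__":
    for action in replay(SAMPLE_EVENTS)[0]:
        print(*action)
```

The per-user counter is what catches a password-spray that stays under the per-host limit by spreading attempts across addresses; the 15-minute window is why an attacker who simply waits out a 10-minute memory (as the post warns) still gets counted here.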
Network Brute Force Protection
Make sure that you have generated an API key and selected ‘Automatically ban IPs reported as a problem by the network’. This shares lockout reports with the iThemes network, so a host that has been attacking other sites is blocked before it reaches yours; in return, your own lockout data is sent to the vendor.
Strong Passwords
Enable strong passwords for the Administrator and Editor roles. You can also enable it for lower roles if you wish.
SSL
Leave this alone unless you have a certificate and can serve the site over HTTPS; forcing SSL without a working certificate makes the site unreachable in browsers until you revert the setting.
System Tweaks
More advanced settings. I recommend:
- Protect System Files
- Disable Directory Browsing
- Disable PHP in Uploads: this stops a file that an attacker manages to place in wp-content/uploads from being run as PHP, which is how many compromised sites are first backdoored.
I leave this alone
WordPress Tweaks
I enable the following:
- Reduce Comment Spam
- Disable File Editor. The plugin warns that you will then need to edit theme and plugin files with a tool other than WordPress (over SFTP, for example), but you can turn the editor back on temporarily when you need it. With the editor enabled, anyone who gets into an administrator account can write arbitrary PHP to your site from the dashboard.
- XML-RPC: you can set this to Disabled. If you use Jetpack you will need it enabled; follow the Jetpack security settings in that case.
- Block Multiple Authentication Attempts per XML-RPC Request
- REST API: this is the newer replacement for XML-RPC. Use the recommended Restricted Access setting, which stops unauthenticated visitors using the API to list your user names, among other things.
- Disable login error messages, so that a failed login no longer reveals whether the username exists.
- Force users to choose a unique nickname: this makes the displayed author name different from the login name. It would allow you to post as the administrator user, but I still recommend that you don’t.
- Prevent attachment thumbnails from traversing to other files.
Once this is done your WordPress site will be well protected against the common automated attacks. Keep WordPress, your theme and your plugins updated as well; a security plugin limits the damage, but it does not patch vulnerable code.
Let me know if this post was helpful. Your comments or corrections are always welcome.