Security Hardening-WordPress
Vulnerabilities
1.SQL injection :
Most WordPress installations are hosted on the popular Apache web server. Apache uses a file named .htaccess to define the access rules for your web site. A thorough set of rules can prevent many types of SQL Injection and URL hacks from being interpreted.
The code below represents a strong set of rules that you can insert into your web site’s .htaccess file that will strip URL requests of many dangerous attack injections:
<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ - [F,L] RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR] RewriteCond %{QUERY_STRING} boot\.ini [NC,OR] RewriteCond %{QUERY_STRING} tag\= [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ - [F,L] </IfModule> |
2.Access Permissions
A typical WordPress install contains a number of files which you don’t want outsiders to access. These files, such as the WordPress configuration file, install script, and even the “readme” file should be kept private.
Add the following lines to the .htaccess files
Options All -Indexes <files .htaccess> Order allow,deny Deny from all </files> <files readme.html> Order allow,deny Deny from all </files> <files license.txt> Order allow,deny Deny from all </files> <files install.php> Order allow,deny Deny from all </files> <files wp-config.php> Order allow,deny Deny from all </files> <files error_log> Order allow,deny Deny from all </files> <files fantastico_fileslist.txt> Order allow,deny Deny from all </files> <files fantversion.php> Order allow,deny Deny from all </files>
3.Default Admin User Account.
Log into WordPress and create a new user with an unpredictable name. Assign administrator privileges to this user. Now delete the account named “admin”. A hacker would now need to guess both the username and password to gain administrator access, a significantly more challenging feat.
4: Default Prefix for Database Tables
When setting up a new WordPress install, you can specify the database table prefix yourself. This gives you the opportunity to choose something unique and unpredictable. If WordPress is already installed, you can retroactively change the table names. Although this can be done manually, the process requires directly manipulating the database in several places.
An easier way to change table prefixes for an existing WordPress installation is by using the plugin named Better WP Security. This plugin contains several defenses including some discussed elsewhere in this article, with a simple point-and-click interface to change your table names to include a randomly-generated prefix.
5: Brute-Force Login Attempts
should start with always using strong passwords. A longer, mixed-type password will take longer for a brute-force attack to decode. These attacks typically use combinations of dictionary words and numbers. An even more effective defense is to install a login limiter for WordPress. A login limiter can essentially block or quarantine an IP address or username which tries and fails to send login requests above a threshold rate. For example, a login limit of 10 attempts per 5 minutes can be backed up with a penalty timeout of 1 hour.
Two WordPress plugins which let you enforce a login limiter are Limit Login Attempts and the aforementioned Better WP Security.