How To Harden your WordPress security

Listed below are many changes that can be implemented on any host and will greatly increase the security of your WordPress installations. If your WordPress site is already hacked, please send an e-mail to support@ndchost.com and we can assist you.

Enable WordPress auto updating

To stay secure, you should always run the latest version of WordPress. You can enable automatic core updates by adding or changing a line in your wp-config.php file.

Add the following line, or change the existing one to match it:

define( 'WP_AUTO_UPDATE_CORE', true );

Limit Read Access with SuPHP

You must have the SuPHP module for Apache installed to use this, and SuPHP must also be selected as your PHP handler.

SuPHP runs your PHP processes under your own user ID, so they can only read files that your user is normally allowed to access. On a shared server this means each site can be protected from the others by locking down the permissions of each user's directory. Run the following commands from your WordPress directory; they make PHP files readable only by their owner (600) and make directories traversable but not listable by other users (711):

find ./ -iname "*.php" -exec chmod 600 {} \;
find ./ -type d -exec chmod 711 {} \;

.htaccess Rules

xmlrpc.php and wp-config.php are two frequently targeted files that can be safely locked down.

Add the following to the .htaccess file in your web root. Note that this file may be hidden because its name begins with a dot, so you may need to ask your administrator for help with modifying it.

# Apache 2.2 access-control syntax (provided by mod_access_compat on Apache 2.4).
# "order deny,allow" applies the deny rule first and treats allow as the
# exception, so only requests from the server itself (127.0.0.1) reach the file.
<files wp-config.php>
order deny,allow
deny from all
allow from 127.0.0.1
errordocument 403 "This file is forbidden"
</files>

<files xmlrpc.php>
order deny,allow
deny from all
allow from 127.0.0.1
errordocument 403 "This file is forbidden"
</files>

Another exposure is the WordPress Heartbeat API. This is the script that automatically refreshes your dashboard while you are logged in. Unfortunately it consumes extra server resources and exposes an additional endpoint to some attack types. You can restrict access to it by adding a rule to your .htaccess file as follows. Note that admin-ajax.php also serves AJAX requests from many plugins and themes, so test your site, including the dashboard, after adding this rule:

# Same deny-first pattern as above: only the server itself may request the file.
<files admin-ajax.php>
order deny,allow
deny from all
allow from 127.0.0.1
</files>

Additionally, you can prevent people from browsing directory listings of your files by adding another rule to the .htaccess file:

Options -Indexes

Finally, you can prevent attackers from using the ?author=N query string to discover author login names (which reveals your identity and half of a set of credentials) by adding the following rewrite rules:

# Skip the dashboard, where ?author=N is used legitimately to filter posts by author.
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
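
As an added example (not from the original article), the following POSIX shell script checks a WordPress directory against the steps covered so far: the 600/711 permissions, WP_AUTO_UPDATE_CORE in wp-config.php, and the <files> and Options -Indexes rules in .htaccess. The function names and the report wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a WordPress tree for the
# hardening steps above. Function names and report format are this example's own.

# Number of PHP files whose mode is not exactly 600 (the SuPHP permission step).
count_loose_php() {
    find "$1" -type f -iname '*.php' ! -perm 600 | wc -l | tr -d ' '
}

# Number of directories whose mode is not exactly 711.
count_loose_dirs() {
    find "$1" -type d ! -perm 711 | wc -l | tr -d ' '
}

# True when wp-config.php defines WP_AUTO_UPDATE_CORE as true.
auto_update_enabled() {
    grep -Eq "define\([[:space:]]*'WP_AUTO_UPDATE_CORE'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# True when .htaccess has a <files NAME> block for the file named in $2.
htaccess_protects() {
    grep -iq "<files $2>" "$1/.htaccess" 2>/dev/null
}

# True when .htaccess disables directory listings.
indexes_disabled() {
    grep -Eiq '^[[:space:]]*Options[[:space:]]+-Indexes' "$1/.htaccess" 2>/dev/null
}

# Print one line per finding and return the number of findings (0 = fully hardened).
audit() {
    dir=$1; findings=0
    n=$(count_loose_php "$dir")
    [ "$n" = 0 ] || { echo "$n PHP file(s) not mode 600"; findings=$((findings + 1)); }
    n=$(count_loose_dirs "$dir")
    [ "$n" = 0 ] || { echo "$n directory(ies) not mode 711"; findings=$((findings + 1)); }
    auto_update_enabled "$dir" || { echo "WP_AUTO_UPDATE_CORE is not set to true"; findings=$((findings + 1)); }
    for f in wp-config.php xmlrpc.php; do
        htaccess_protects "$dir" "$f" || { echo "no <files $f> block in .htaccess"; findings=$((findings + 1)); }
    done
    indexes_disabled "$dir" || { echo "Options -Indexes missing from .htaccess"; findings=$((findings + 1)); }
    return "$findings"
}

# Usage: sh wp-harden-check.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

The exit status equals the number of findings, so the script can be run from cron and alert on any non-zero result.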

Plugins for WordPress

The Wordfence plugin can be installed from inside WordPress and has a very small memory footprint. It will scan your installation (and, if you enable it, any other files in your web root) for the malware kits that are used to infect files.

Additionally, it checks your core WordPress files against the public WordPress repository to make sure they have not been modified.

How to Install Wordfence