Security Tips for Securing WordPress
With more and more websites being built on WordPress, it is no wonder that WordPress has become a target for attackers. We have therefore pulled together a list of steps you can take to better secure your WordPress websites.
1) Protecting against script injection
One of the more common ways of compromising a WordPress site is to inject code that references external scripts on other websites, or that redirects your web page to a different website.
Solution: Modify your .htaccess file to block these patterns by checking for specific query strings. Always back up your .htaccess file before making changes.
# Block query strings that carry a <script> tag (plain or URL-encoded, any case)
# or that try to set PHP's GLOBALS / _REQUEST variables.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Any match is answered with 403 Forbidden ([F]); [L] stops further rewriting.
RewriteRule ^(.*)$ index.php [F,L]
Source: Protect your WordPress blog using .htaccess
2) Protect your Plugins Directory
Since WordPress has over 10,000 plugins to extend its functionality, and there have already been 100 million downloads of these plugins, these popular plugins sometimes have security weaknesses of their own. Most website owners running WordPress will remember to protect WordPress itself as much as possible, but the plugins directory is often overlooked.
Solution: By protecting the plugin directory itself and only allowing certain file types to be requested, you can prevent others from accessing plugin files directly, using another .htaccess rule.
NOTE: Make sure you add the following to an .htaccess file inside the plugins directory and not in the root directory. Example: /wp-content/plugins
# Deny direct requests for everything in this directory, then re-allow only the
# stylesheets and scripts that plugins must serve to the browser. Extend the list
# if your plugins also serve images or fonts. (Apache 2.2 syntax; on 2.4 it needs mod_access_compat.)
Order Deny,Allow
Deny from all
<Files ~ "\.(js|css)$">
Allow from all
</Files>
Source: WordPress tip: Quickly secure plugin files
3) Create a Plugin to Protect Against Long Query Strings and Script Injection
One of the most common ways of inserting content into a page is to submit it through the query string at the end of the website address in the browser's URL field. By checking for this with a plugin you can help prevent these types of attacks.
Solution: Create a file called “blockbadqueries.php” containing the following code, upload it to the /wp-content/plugins folder, and then activate the new plugin.
<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// The check originally ran at plugin-include time and only when a user was logged in,
// so anonymous requests were never examined. Hooking 'init' runs it after WordPress
// has set up the current user, and for every request.
add_action('init', 'bbq_block_bad_queries');

function bbq_block_bad_queries() {
    // Exempt administrators (legacy user level 10) so their own admin work is not blocked.
    if (current_user_can('level_10')) {
        return;
    }
    $uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    // Overly long URIs and the substrings below are treated as malicious requests.
    $needles = array('eval(', 'CONCAT', 'UNION+SELECT', 'base64');
    $block = strlen($uri) > 255;
    foreach ($needles as $needle) {
        // strpos() returns 0 for a match at offset 0, so compare against false explicitly.
        if (strpos($uri, $needle) !== false) {
            $block = true;
            break;
        }
    }
    if ($block) {
        @header('HTTP/1.1 414 Request-URI Too Long');
        @header('Status: 414 Request-URI Too Long');
        @header('Connection: Close');
        exit;
    }
}
Source: Protect WordPress Against Malicious URL Requests
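To see what the substring checks in this plugin and the query-string rule in section 1 do and do not catch, here is an added Python example (not part of the original post or of the Block Bad Queries plugin) that runs the plugin's test as written beside a hardened version that URL-decodes and lowercases the request URI before matching, over a few constructed request URIs.

```python
import re
from urllib.parse import unquote_plus
# Substrings the plugin above searches for in REQUEST_URI, and its length cap.
NAIVE_NEEDLES = ("eval(", "CONCAT", "UNION+SELECT", "base64")
MAX_URI_LEN = 255

def naive_check(uri):
    """The plugin's test as written: raw, case-sensitive substring search plus length cap."""
    if len(uri) > MAX_URI_LEN:
        return "uri too long"
    for needle in NAIVE_NEEDLES:
        if needle in uri:
            return needle
    return None

# Hardened variant: URL-decode and lowercase first, then match the same indicators (plus
# the <script> pattern from section 1) with regexes that tolerate '+', %20 or other whitespace.
HARDENED_PATTERNS = {
    "eval(": re.compile(r"eval\s*\("),
    "CONCAT": re.compile(r"\bconcat\b"),
    "UNION SELECT": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "base64": re.compile(r"base64"),
    "script tag": re.compile(r"<\s*script"),
}

def normalise(uri):
    # Decode repeatedly (bounded) because query strings are often double-encoded.
    decoded = uri
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()

def hardened_check(uri):
    if len(uri) > MAX_URI_LEN:
        return "uri too long"
    text = normalise(uri)
    for name, pattern in HARDENED_PATTERNS.items():
        if pattern.search(text):
            return name
    return None

# Constructed sample URIs (not real traffic) to compare the two checks side by side.
SAMPLES = ["/?p=123", "/?s=UNION+SELECT+1", "/?s=union%20select%201",
           "/?cmd=EVAL%28x%29", "/?x=%3Cscript%3E", "/?long=" + "a" * 300]

def compare(uris=SAMPLES):
    """Return {uri: (naive_result, hardened_result)}; None means the check lets it through."""
    return {u: (naive_check(u), hardened_check(u)) for u in uris}
```

Running compare() shows the plugin's raw substring test passing the lowercase and percent-encoded variants that the normalised check flags; the length cap behaves the same in both.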
4) Install a WordPress Security Plugin
Probably the easiest recommendation is to install a WordPress-specific security plugin that both scans your current installation and makes recommendations.
Plugin Name: WP Security Scan
Visit the WP Security plugin website for more information.
Image Credit: CarbonNYC (via Flickr)