Hardening your WordPress site (Part 1)

There are several action we should take before publishing our wordpress site.

In this post we will explain how to configure the Apache server in order to block access to restricted resources on our wordpress and hide and integrate ‘wp-login/wp-admin’ panels with Google Authenticator:

+Hardening Apache config:

To block malicious HTTP requests we need to change the config of our Apache server modifying the file “/etc/httpd/conf/httpd.conf”.

NOTE: If we are not the owners of the server, we must create “.htaccess” files on our wordpress directories and write there the directives.

If possible, it is strongly recommended to add the directives in “/etc/httpd/conf/httpd.conf” file instead of creating .htaccess files due to performance issues as Apache developers state on the following link: Apache documentation

So, below are shown several directives to include in the file “/etc/httpd/conf/httpd.conf”:

1- The following lines prevent .htaccess and .htpasswd files from being viewed by Web clients:

<Files ".ht*">
    Require all denied
</Files>

Require all denied

</Files>

2- Inside the directive <Directory “/var/www/html/<WP_INSTALLATION_PATH>”> write the following line in order to avoid directory listing, avoid CGI scripts execution and avoid Server Side Includes (SSI) execution:

Options +FollowSymLinks -Includes -Indexes -ExecCGI

1	Options +FollowSymLinks -Includes -Indexes -ExecCGI

3- Restrict files that can be uploaded into “wp-content” directory in order to avoid .php backdoors and malicious binaries:

<Directory "/var/www/html/wp-content">
	Require all denied
	<FilesMatch "\.(xml|png|gif|jpe?g|htm|html|css|js)$">
		Require all granted
	</Files>
</Directory>

Require all denied

Require all granted

</Files>

</Directory>

4- Block the access to “wp-includes” directories in order to avoid alteration of wordpress core files. These lines must be added into the directive <Directory “/var/www/html/<WP_INSTALLATION_PATH>”>:

RewriteEngine on
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

RewriteEngine on

RewriteBase /

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]

5- Block author scans in order to avoid that automatic scans can guess our wordpress usernames. These lines must be added to the directive <Directory “/var/www/html/<WP_INSTALLATION_PATH>”>:

RewriteBase /
RewriteCond %{QUERY_STRING} ^?author=\d+$ [NC]
RewriteRule .* - [F]

RewriteBase /

RewriteCond %{QUERY_STRING} ^?author=\d+$ [NC]

RewriteRule .* - [F]

+Hide wp-admin/wp-login panel:

In order to avoid brute force attacks, it is highly recommended to hide the wp-admin/wp-login panel from the default URL and create our custom URL to access this panel.

1- Save a copy of “wp-login.php” and “/wp-includes/general-template.php” files of your wordpress installation.

2- Rename your file “wp-login.php” with a name of your choice, for example “custom-login.php”.

3- Open the renamed file and replace all strings “wp-login.php” with the new name “custom-login.php”

4- Open “/wp-includes/general-template.php” and replace the line

$logout_url = add_query_arg($args, site_url('wp-login.php', 'login'));

1	$logout_url = add_query_arg($args, site_url('wp-login.php', 'login'));

with this one:

$logout_url = add_query_arg($args, site_url('custom-login.php', 'login'));

1	$logout_url = add_query_arg($args, site_url('custom-login.php', 'login'));

After that, if you try to access /wp-admin/ or /wp-login.php files you will get a 404 Not Found. Now the URL to access your wp-admin panel will be “https://<your_domain>/custom-login.php”

+Install Google Authenticator plugin:

To avoid brute force attacks on your wp-admin panel, you can install this plugin

This way, you will have to enter an additional one time password each time you want enter to the admin console.

After installing and activating the plugin you must to activate this function for each user under the “Users tabs”:

Finally install the app “Google Authenticator” on your phone and enter yout secret key or scan the QR code. Now your wp-login panel should look like this:

+ Avoid SPAM on comments:

In order to avoid SPAM comments in your posts you can follow the next steps:

1- Activate the default Akismet WordPress plugin with the free version

2- Install the Google Captcha plugin

3- Delete the website field on comments. This is because when you click on comment author name, that will redirect you to his website which was placed in the website field of comments. Because of this, many bloggers use comments area for getting back links.

Add the followin code to the end of your theme “functions.php”:

//* Remove URL field from comments
function remove_url_comments($fields) {
unset($fields['url']);
return $fields;
}
add_filter('comment_form_default_fields','remove_url_comments');

//* Remove URL field from comments

function remove_url_comments($fields) {

unset($fields['url']);

return $fields;

}

add_filter('comment_form_default_fields','remove_url_comments');

+ Install Wordfence plugin:

This is one of the most useful WordPress plugins. You can find it here

With this plugin you will have the following features:

WAF (Web application firewall)
Live traffic logs
Automatic malware scans looking for infected files on your wordpress like backdoors, bitcoin miners, etc

With all measures from above you should be protected against most of wordpress attacks. We will continue with more security measures in another post.

And finally, you must always have your WordPress, theme and plugins updated!