
Imposing SSL and Other Tips for Impenetrable WP Security


Internet security matters as much as your personal security. If you make money through your blog or website, securing it becomes as critical as securing your bank account. Luckily, WordPress improves its security with every new version, and there are plenty of plug-ins you can use to fortify your site further.

However, not all users, including developers, are as security savvy as they can and should be.

The good part is that hardening a WordPress blog or website mostly requires small tweaks, many of which we have covered in an earlier post. Today we share a few more effective tips to help you secure your site against information theft, breaches, intrusions and interception.


Enforce SSL Usage

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are the protocols that encrypt and authenticate communication over the internet; what is still sold as an "SSL certificate" today is used with TLS. They are used everywhere, and especially on ecommerce sites. The good news is that enabling it on a blog needs only a little technical knowledge. With SSL in place, an attacker on the network path cannot read, tamper with or forge the traffic even though they can watch it pass. It is not a cure-all, but it is the baseline every site should have. Not to mention that a certificate makes your site look more credible and trustworthy, even to users who aren't tech savvy.

Not every host supports SSL on every plan (hosts such as WP WebHost or HostGator do), so check with yours first. Once your host confirms support, obtain a certificate for your domain through them. Then follow these steps to force SSL on your site.

Open wp-config.php from the root directory of your WordPress installation. This is the most important configuration file of the whole install. Add the following lines above the "That's all, stop editing!" comment near the end of the file.

/* Enable SSL Encryption for the login page and the dashboard */
define('FORCE_SSL_ADMIN', true);

Save and close the file. The login page and the whole administration area now load over https instead of http, and WordPress marks the admin cookies as secure. (Older guides also define FORCE_SSL_LOGIN; it has been deprecated since WordPress 4.0 and is implied by FORCE_SSL_ADMIN.) Note what this does not cover: a logged-in user who then browses the front end over plain http still sends the wordpress_logged_in cookie in the clear, where it can be captured and replayed. If your certificate covers the site, the better setup is to serve everything over https, set both the WordPress Address and the Site Address to https:// URLs, and redirect http to https.


Protection Against Script Injections

Injection attacks are among the biggest threats to websites today. In a script injection, the attacker places malicious markup or code in user input, such as a query string parameter, that the application later echoes to other visitors or hands on to the database; in a SQL injection the input ends up inside a database query. A single vulnerable page can put the whole site at risk and corrupt all of its data.

The rules below give you a crude first line of defence at the web server: they reject requests whose query string carries a <script> tag or tries to set the PHP GLOBALS or _REQUEST variables (a trick that worked against old PHP setups with register_globals enabled). They do not replace proper input validation and prepared queries ($wpdb->prepare()) in your code, because they only look at the query string and only for those patterns.

Open the .htaccess file in the root directory of your WordPress installation and paste the following code.

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]

These conditions test the incoming query string for a <script> tag (case-insensitively, including the %3C/%3E encoded brackets) and for attempts to set GLOBALS or _REQUEST. If any of them matches, the RewriteRule refuses the request with a 403 Forbidden. Keep the limits in mind: POST bodies are never inspected, a payload that avoids the word "script" (for example an event handler on another tag) passes, and nothing here looks for SQL injection at all.

An important point: do not edit .htaccess unless you are sure of what you are doing. A single syntax error in this file makes Apache answer every request with a 500 Internal Server Error, and a wrong rewrite rule can send URLs elsewhere or lock you out of the admin area. It cannot touch your database, but you will not be able to reach your site until it is fixed, so keep a backup of the file that you can restore quickly.

If you are on an nginx server, .htaccess files are not read at all; the equivalent rules have to go into the server configuration (nginx.conf or the site's server block).
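To see exactly what these rules do and do not stop, here is an added example that emulates the three conditions in Python and runs them over constructed query strings. It is not code from the original article or from WordPress, and the sample URLs are made up for illustration.

```python
"""Emulate the three RewriteCond patterns from the .htaccess snippet above and
run them over constructed query strings to see what the filter catches and what
walks straight past it.  This is an added example for this page, not code from
WordPress or the original article; the sample URLs are constructed."""
import re
from urllib.parse import urlsplit

# Translated from the mod_rewrite conditions.  In PCRE "\<" and "\%" are just
# literal "<" and "%".  mod_rewrite tests the raw, still percent-encoded query
# string, so these patterns are applied without decoding first.
_SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)  # [NC]
_GLOBALS = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")                 # case-sensitive
_REQUEST = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")                # case-sensitive


def blocked_by_htaccess(url: str) -> bool:
    """True if the rule set would answer 403 Forbidden for this request URL
    (the three conditions are joined with [OR], so any single hit blocks)."""
    qs = urlsplit(url).query
    return any(p.search(qs) for p in (_SCRIPT_TAG, _GLOBALS, _REQUEST))


# Constructed requests, with the verdict a reader should expect
SAMPLE_URLS = {
    "/?s=wordpress": False,                          # ordinary search
    "/?s=<script>alert(1)</script>": True,           # plain script tag
    "/?s=%3cScRiPt%3ealert(1)%3c/script%3e": True,   # encoded, mixed case
    "/?GLOBALS[admin]=1": True,                      # register_globals trick
    "/?_REQUEST%5Bx%5D=1": True,                     # same with encoded bracket
    "/?s=<svg onload=alert(1)>": False,              # XSS without the word "script": passes
    "/?id=1%27%20OR%201%3D1--": False,               # classic SQL injection: passes
}


def audit() -> dict:
    """Run every sample through the filter; return {url: blocked} so the
    bypasses are visible side by side with the hits."""
    return {url: blocked_by_htaccess(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, blocked in audit().items():
        print(f"{'403' if blocked else '200'}  {url}")
```

Run it and the last two samples are the ones to notice: an XSS payload that avoids the word "script" and a SQL injection payload both get a 200, which is why this filter is a supplement to input validation and prepared queries, never a substitute.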


Protection Against Content Scrapers & Hotlinking

Content has always been king, and with Google's Panda and Penguin updates it matters even more. Your content is always at risk of being copied by others, text and images alike. Scraping also goes hand in hand with image hotlinking, where other sites embed your images directly and consume your bandwidth.

The truth is that only a few people put in the effort to produce high quality original content. If you have done the hard work, protect your content against scrapers with the following procedure.

Open the single.php file and get to the line where the title is displayed. All you need to do is to replace that line with the following code.

<h1>

<a href="<?php the_permalink(); ?>"><?php the_title(); ?></a>

</h1>

This code wraps your post title in a link to the post itself. Many scrapers copy the title markup along with the content, so the stolen copy links back to your original post. A scraper that strips links defeats this, so treat it as a nudge rather than a guarantee.

For hotlinkers, create an image named nohotlink.jpg (the picture you want hotlinking sites to show instead of yours) and upload it to the images directory of your site, so that it is reachable at /images/nohotlink.jpg. Then open the .htaccess file and paste the following code.

RewriteEngine On
# Replace mysite\.com with your blog's host; https? so your own https pages are not blocked
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
# Requests with no Referer at all (direct visits, feed readers, privacy settings) are allowed
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the placeholder itself, or the rule would loop on it
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with your "don't hotlink" image URL
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [NC,L]

A page that hotlinks your images now shows nohotlink.jpg in place of every image it embeds. Two caveats: the Referer header is sent by the client, so a determined scraper can simply fake it, which makes this a bandwidth measure rather than a security control; and the empty-Referer exception is deliberate, since browsers with strict privacy settings, e-mail clients and feed readers often send none. Once again, take care and keep backups, because editing .htaccess can break the site.
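The following added example emulates the hotlink rule (the Referer conditions plus the image extension match) in Python and exercises it against constructed referers, including the cases a practitioner wants to check before deploying it: subdomains, look-alike hosts, the missing Referer, the placeholder itself and a spoofed Referer. It is not Apache or WordPress code; SITE_HOST and the placeholder path are assumptions standing in for your own values.

```python
"""Emulate the hotlink rule above (the Referer conditions plus the image
extension match) and exercise it against constructed referers.  This is an
added example for this page, not Apache or WordPress code; SITE_HOST and the
placeholder image path are assumptions standing in for your own values."""
import re

SITE_HOST = "mysite.com"                 # assumption: your blog's host
PLACEHOLDER = "/images/nohotlink.jpg"    # assumption: the "don't hotlink" image

# RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
_OWN_SITE = re.compile(r"^https?://(.+\.)?" + re.escape(SITE_HOST) + r"/", re.IGNORECASE)
# RewriteRule .*\.(jpe?g|gif|bmp|png)$ ... [NC,L]
_IMAGE = re.compile(r"\.(jpe?g|gif|bmp|png)$", re.IGNORECASE)


def resolve(path: str, referer: str) -> str:
    """Return the path Apache would actually serve for this request."""
    if not _IMAGE.search(path):
        return path                  # the rule only covers image extensions
    if path.endswith(PLACEHOLDER):
        return path                  # never rewrite the placeholder itself
    if referer == "":
        return path                  # no Referer: direct visit, feed reader, privacy mode
    if _OWN_SITE.match(referer):
        return path                  # referred from our own site, any subdomain, http or https
    return PLACEHOLDER               # hotlinked from elsewhere


# Constructed requests: (path, Referer header as received)
SAMPLE_REQUESTS = [
    ("/wp-content/uploads/2024/photo.jpg", "https://mysite.com/2024/my-post/"),
    ("/wp-content/uploads/2024/photo.jpg", "http://blog.mysite.com/"),
    ("/wp-content/uploads/2024/photo.jpg", ""),
    ("/wp-content/uploads/2024/photo.JPG", "https://scraper.example/copy/"),
    ("/wp-content/uploads/2024/photo.jpg", "https://mysite.com.evil.example/"),
    ("/wp-content/themes/x/style.css", "https://scraper.example/copy/"),
    ("/images/nohotlink.jpg", "https://scraper.example/copy/"),
    # a scraper script that simply fakes the Referer gets the real image
    ("/wp-content/uploads/2024/photo.jpg", "https://mysite.com/"),
]


def decisions():
    """Map each sample request to the path served, for inspection."""
    return [(path, ref, resolve(path, ref)) for path, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, ref, served in decisions():
        print(f"{path} (Referer: {ref or '<none>'}) -> {served}")
```

The trailing slash in the Referer pattern is what keeps mysite.com.evil.example out; drop it and the look-alike host would be treated as your own. The last sample shows the limit of the whole approach: a client that sends your own host as Referer is indistinguishable from a real visitor.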


WordPress Updates

One of the best and simplest ways to secure a WordPress site is to keep it updated: core, themes and plug-ins alike. Like any software, WordPress regularly fixes security bugs and ships the fixes in new releases, so an outdated install is an install with publicly known holes. Since version 3.7, minor and security releases install automatically by default; leave that on, and apply major and plug-in updates promptly after taking a backup.


Protection against Brute-Force Attacks

WordPress does not limit login attempts by default, so a wrong password can be tried again and again. Unlimited tries make it easy to guess a password by brute force, so you should cap the number of attempts. Install a login-limiting plug-in from the WordPress plug-in directory, either from the dashboard or by extracting it into the wp-content/plugins directory, and activate it from the admin interface. Check that the plug-in also throttles XML-RPC (xmlrpc.php), which accepts usernames and passwords as well and is a favourite target for automated guessing.
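What such a plug-in enforces is a counting policy, and the details of that policy matter more than the plug-in's name. The following added example implements a sliding-window throttle keyed on both client IP and target username and replays it over constructed authentication log lines. It is not the plug-in's own code and not WordPress core; the thresholds are assumptions to tune for your site.

```python
"""Sliding-window login throttle, replayed over constructed authentication
log lines.  This is an added example of the policy such a plug-in enforces,
not the plug-in's own code and not WordPress core; the limits below are
assumptions to tune for your site."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumption: failures tolerated per window
WINDOW = timedelta(minutes=10)    # assumption: sliding window for counting them
LOCKOUT = timedelta(minutes=20)   # assumption: how long a key stays locked


class LoginThrottle:
    """Count failures per client IP *and* per target username, so neither one
    IP walking a username list nor a botnet hammering one account gets
    unlimited guesses."""

    def __init__(self):
        self._failures = defaultdict(deque)   # key -> times of recent failures
        self._locked_until = {}               # key -> datetime the lock expires

    @staticmethod
    def _keys(ip, user):
        return (f"ip:{ip}", f"user:{user.lower()}")

    def is_locked(self, ip, user, now):
        """Refuse before even checking the password if either key is locked."""
        return any(self._locked_until.get(k, now) > now for k in self._keys(ip, user))

    def record(self, ip, user, success, now):
        """Update the counters after a real password check."""
        for key in self._keys(ip, user):
            recent = self._failures[key]
            if success:
                recent.clear()                # a genuine login resets the count
                continue
            recent.append(now)
            while recent and now - recent[0] > WINDOW:
                recent.popleft()              # forget failures outside the window
            if len(recent) >= MAX_FAILURES:
                self._locked_until[key] = now + LOCKOUT
                recent.clear()


# Constructed log: "<ISO timestamp> <client IP> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2024-03-01T09:00:00 203.0.113.7 admin FAIL
2024-03-01T09:00:01 203.0.113.7 admin FAIL
2024-03-01T09:00:02 203.0.113.7 admin FAIL
2024-03-01T09:00:03 203.0.113.7 admin FAIL
2024-03-01T09:00:04 203.0.113.7 admin FAIL
2024-03-01T09:00:05 203.0.113.7 admin FAIL
2024-03-01T09:00:06 198.51.100.9 admin OK
2024-03-01T09:00:07 198.51.100.9 editor OK
2024-03-01T09:25:00 203.0.113.7 admin OK
""".splitlines()


def replay(lines):
    """Feed log lines through the throttle; return one verdict per line:
    'fail' / 'ok' when the password was checked, 'locked' when it was not."""
    throttle = LoginThrottle()
    verdicts = []
    for line in lines:
        ts, ip, user, result = line.split()
        now = datetime.fromisoformat(ts)
        if throttle.is_locked(ip, user, now):
            verdicts.append("locked")
            continue
        success = result == "OK"
        throttle.record(ip, user, success, now)
        verdicts.append("ok" if success else "fail")
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{verdict:6}  {line}")
```

In the replay, the fifth failure locks both the attacking IP and the admin account, so the correct password sent from a second IP a few seconds later is still refused, while a different user from that IP logs in normally and admin gets back in once the lockout has expired. The per-user lock is what stops a distributed attack, but it also lets an attacker lock the real administrator out on purpose, so keep lockouts short, pair them with the per-IP limit, and remember that many legitimate users can share one NAT address.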


Strong Passwords

The simplest rules of security are the ones most often forgotten among all the advanced measures. Many people implement the toughest procedures first instead of the simplest, and the password of your admin account is a case in point. Choose a long password that mixes letters, numbers and punctuation, and never reuse it elsewhere. Also, do not keep an account literally named 'admin', since it is the first username every brute-force script tries. WordPress does not let you rename a user from the dashboard, so create a new administrator with a different name, log in as that user, and delete the old admin account, attributing its posts to the new user when prompted.


Login Errors

When a login fails, WordPress tells you whether it was the username or the password that was wrong. That lets an attacker confirm which usernames exist and track progress, so the message should be blanked. Add the following filter to your theme's functions.php (older versions of this snippet used create_function, which was removed in PHP 8; a closure does the same job):

add_filter('login_errors', function ($error) {
    return ''; // give no hint about which part of the login was wrong
});

This only hides the message on the login form; usernames can still leak through other paths, such as author archive URLs, so treat it as one small layer.

Database Prefix

Every WordPress installation uses the same table prefix, wp_, by default, so an attacker knows your table names in advance. Changing the prefix removes that small convenience. It is obscurity rather than real protection, because anyone who can already run SQL against the database can read the real names from information_schema, but it does break lazy automated attacks. Set the prefix in wp-config.php before you run the installer; changing it afterwards also means renaming every table and updating the prefixed keys in the options and usermeta tables.

$table_prefix = 'wp_a123456_';

File Permissions

File permissions are another thing most people leave at whatever the installer or FTP client chose. The web server only needs to read most files, so the usual rule is 755 for directories and 644 for files, with wp-config.php tightened further because it holds the database credentials. On a typical Linux host (replace /path/to/wordpress with your document root):

find /path/to/wordpress -type d -exec chmod 755 {} \; -o -type f -exec chmod 644 {} \;
chmod 440 /path/to/wordpress/wp-config.php

The files should be owned by your own account rather than by the web server's user, so that a compromised PHP process cannot rewrite them; wp-content/uploads is the usual exception, because WordPress needs to write there. With 440 on wp-config.php, make sure the web server's user owns the file or is in its group, or PHP will not be able to read it.

Theme and Plug-in Editor

The theme and plug-in editor in the dashboard lets any administrator write PHP straight into your theme and plug-in files. That is exactly what an attacker who has stolen an admin session or password wants, so disable the editor by pasting the following line into wp-config.php.

define('DISALLOW_FILE_EDIT', true);

Conclusion

Internet security, as is proved time and time again, is of the utmost importance, and too many people don't take it seriously enough. The steps above are simple, yet together they make for a much more secure environment. Let us know in the comments below of any further simple and effective security tips you use.
