https://idea-hack.com/en/blog/19542/
【Complete Guide】 WordPress 22 Security Measures and Instant Code Collection / Plugin List

Are you running WordPress, whose sites are attacked at a rate of 90,978 per minute, without taking any security measures? If so, bad people like me will use it for mischief, so I have put together security measures and ready-to-use code that you can apply to WordPress immediately.

Today I will introduce the techniques, from basic security measures to advanced ones, that you should apply to run a WordPress site safely.

Security measures are not optional. In fact, a friend's WordPress site was attacked and taken over. Let's do this right now.

Types of security attacks

Before getting to the measures, here is a quick rundown of the main attack types, so you know what each measure defends against.

  • SQL Injection (SQLi): An attack that abuses a flaw in how the site builds database queries from values in the URL. The content of the site may be rewritten.
  • Cross-site Scripting (XSS): Exploited by hackers when an input field, such as a contact form, allows malicious code to be executed.
  • File Upload: Happens when a malicious file is uploaded, for example when anyone can upload a file to the file server of a WordPress site.
  • Cross-Site Request Forgery (CSRF): Happens when a specific action on the site can be triggered simply by requesting one of its URLs.
  • Brute Force: An attack that uses a machine to repeat login attempts with random values in order to break the user name and password of the admin screen.
  • Denial of Service (DoS): An attack that takes a site down by flooding it with requests.
  • Distributed Denial of Service (DDoS): The same as DoS, but carried out from many attacking devices, most of them computers and smartphones that were compromised in advance. Because the real criminal cannot be identified, hackers prefer it.
  • User Enumeration: The user name of the administrator account can be obtained through the URL structure of the "Author archive" page.
  • Remote Code Execution (RCE): An attack that distributes malicious themes and plugins in advance and takes over the site where they are installed.
  • Remote File Inclusion (RFI) & Server Side Request Forgery (SSRF): Also a technique where a plugin or theme distributed in advance lets hackers run malicious code and execute whatever scripts they like at any time.

This is not a complete list, but it covers most of the main ones.

According to WP White Security, the main attacks are XSS, SQLi and file upload.

Security measures

The common measures that hardly need explaining:

  1. Install security software on your computer.
  2. Use SSL (HTTPS) on the site.
  3. Use strong passwords.
  4. Do not access the admin screen from a network you cannot trust (such as café Wi-Fi).

Next, the measures that require inserting code or other additional steps are as follows.

  • Use wp-config.php to keep WordPress, plugins and themes up to date
  • Move the wp-config.php file
  • Disable the plugin and theme file editor using wp-config.php
  • Change the database prefix
  • Use .htaccess to prohibit access to important files
  • Use .htaccess to prohibit access to unnecessary PHP files
  • Use .htaccess to restrict the execution of PHP
  • Use .htaccess to prohibit access to /wp-includes/
  • Use .htaccess to prohibit access to WordPress related files from browsers
  • Use .htaccess to prevent username enumeration
  • Delete files containing security information
  • Change the default user name to something other than "admin"
  • Hide the WordPress login page
  • Set up 2-step verification on the WordPress login page
  • Hide the WordPress version number
  • Disable XML-RPC using .htaccess
  • Use .htaccess so that JS scripts cannot be injected even if a vulnerability exists

Well, there are many, but let’s do it one by one.

【Supplement】
The .htaccess to edit is the one in the root directory of the WordPress install.

Keep WordPress, plugins and themes up to date

Let's turn on automatic updates so that WordPress core, plugins and themes stay current.

php
// In wp-config.php: let WordPress core update itself (minor and major releases)
define( 'WP_AUTO_UPDATE_CORE', true );

// In functions.php (or a must-use plugin): auto-update all plugins and themes.
// add_filter() is not defined yet when wp-config.php is read, so these two
// lines do not belong there.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

Move the wp-config.php file

The wp-config.php file can be moved to the directory one level above its default location. WordPress looks for wp-config.php in the default folder first; if it cannot find it there, it looks in the parent directory (it only does so when that parent is not itself a WordPress install, i.e. it does not contain a wp-settings.php).

So moving it up one directory makes it harder for hackers to get at.

Disable plug-in and theme file editing function using wp-config.php

Add the following code to wp-config.php.

php
// Remove the Plugins > Editor and Appearance > Editor screens, so a compromised
// admin account cannot write PHP into the site from the dashboard
define( 'DISALLOW_FILE_EDIT', true );

Change Database Prefix

This is very important as an SQL injection countermeasure, but since it requires manipulating the database directly it is hard for many users, so we recommend using a plugin.

Use .htaccess to prohibit access to important files

By writing this code in .htaccess, we prohibit access to the following files.

  • wp-config.php
  • error_log
  • php.ini
  • .htaccess

htaccess
# Deny web access to configuration and log files.
# Apache 2.2 syntax; on Apache 2.4 replace the two Order/Deny lines with "Require all denied".
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

If you are using php5.ini or php7.ini, change the php.ini part accordingly.

Use .htaccess to prohibit access to unnecessary PHP files

Write the following code.

htaccess
RewriteEngine On
# Return 404 for direct requests to PHP files under plugins and themes.
# The RewriteCond lines exclude files that must stay reachable; replace the
# placeholder paths with the actual file or directory a plugin needs.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Use .htaccess to restrict the execution of PHP.

Let's prohibit not only access but also execution, as a second line of defence. The uploads directory should never contain executable code, so PHP files there are denied outright.

htaccess
# <Directory> is not permitted inside .htaccess, so put this block in
# wp-content/uploads/.htaccess (or wrap it in <Directory "/var/www/wp-content/uploads/">
# in httpd.conf). Apache 2.4: use "Require all denied" instead of the Order/Deny lines.
<Files "*.php">
Order Deny,Allow
Deny from All
</Files>

Use .htaccess to prohibit access to /wp-includes/

The wp-includes folder is a directory that visitors do not normally need to access directly.

Write the following code.

htaccess
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for any request outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Use .htaccess to prohibit access to WordPress related files from browsers.

Use the following code. It turns off directory listings, so a browser that requests a folder without an index file gets an error instead of a list of the files inside.

htaccess
Options All -Indexes

Use .htaccess to prevent username enumeration

Use the following code.

htaccess
RewriteEngine On
# Redirect ?author=N requests (used to enumerate user names) to the home page.
# The admin area is excluded because it uses the author parameter legitimately.
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

Delete unnecessary files that contain security-relevant information

Delete the following three files.

  • readme.html
  • /wp-admin/install.php
  • wp-config-sample.php
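To check whether the wp-config.php settings, the uploads PHP block and the file deletions above were actually applied, here is an added read-only audit script. It is not part of the original post; it builds a throwaway WordPress-like directory tree as constructed sample data, and the check names (auto_update_core, removed:readme.html and so on) are my own labels.

```python
"""Audit a WordPress install directory for the hardening steps in this guide.

Added example, not from the original post. It reports whether wp-config.php
sets WP_AUTO_UPDATE_CORE and DISALLOW_FILE_EDIT, whether the database prefix
is still the default "wp_", whether the three files the guide says to delete
still exist, and whether wp-content/uploads has an .htaccess blocking PHP.
"""
import os
import re
import tempfile

# Files the guide says to delete, relative to the WordPress root.
LEFTOVER_FILES = ("readme.html", "wp-admin/install.php", "wp-config-sample.php")

# Regex template for define('NAME', true); the {} is filled with the constant name.
DEFINE_TRUE = r"define\(\s*['\"]{}['\"]\s*,\s*true\s*\)"


def read_text(path):
    """Return a file's contents, or '' if it does not exist."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


def audit(root):
    """Return a dict of check name -> True (hardened) / False (finding)."""
    config = read_text(os.path.join(root, "wp-config.php"))
    # The guide allows wp-config.php to live one directory above the root.
    if not config:
        config = read_text(os.path.join(os.path.dirname(root), "wp-config.php"))
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", config)
    uploads_htaccess = read_text(os.path.join(root, "wp-content", "uploads", ".htaccess"))
    results = {
        "auto_update_core": bool(re.search(DEFINE_TRUE.format("WP_AUTO_UPDATE_CORE"), config)),
        "disallow_file_edit": bool(re.search(DEFINE_TRUE.format("DISALLOW_FILE_EDIT"), config)),
        "non_default_prefix": prefix is not None and prefix.group(1) != "wp_",
        # Any <Files>/<FilesMatch> block mentioning php counts as the uploads block.
        "uploads_php_blocked": bool(re.search(r"<Files(?:Match)?\b.*php", uploads_htaccess, re.I)),
    }
    for rel in LEFTOVER_FILES:
        results["removed:" + rel] = not os.path.exists(os.path.join(root, rel))
    return results


def build_sample_install(hardened):
    """Construct a throwaway WordPress-like tree (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-admin"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    config = "<?php\n$table_prefix = '{}';\n".format("x7q_" if hardened else "wp_")
    if hardened:
        config += "define('WP_AUTO_UPDATE_CORE', true);\ndefine('DISALLOW_FILE_EDIT', true);\n"
        with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w") as fh:
            fh.write('<Files "*.php">\nDeny from all\n</Files>\n')
    else:
        # A stock install still ships the files the guide tells you to remove.
        for rel in LEFTOVER_FILES:
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(config)
    return root


if __name__ == "__main__":
    for label, hardened in (("default", False), ("hardened", True)):
        for name, ok in sorted(audit(build_sample_install(hardened)).items()):
            print(f"[{label}] {'OK  ' if ok else 'FAIL'} {name}")
```

Point `audit()` at a real document root instead of the constructed tree to get the same report for your own site; every line marked FAIL corresponds to one of the steps above that is still open.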

Change the default user name to something other than “admin”

This is another cumbersome step that requires database operations. Please refer to WPMUDEV, which describes how to do it.

Hide the WordPress login page

Please refer to this article:

https://ug.idea-hack.com/blog/wordpress/cutom-login-page/

Set 2-step verification on WordPress login page

It can be done with the following plugin.

Hide the WordPress version number

Let's write the following code in functions.php.

php
/**
 * Hide WP version strings from scripts and styles
 * @return string $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when there is no query string; cast so parse_str() gets a string
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/* Hide WP version strings from generator meta tag */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );

Disable XML-RPC using .htaccess

Let's write the following code.

htaccess
# Jetpack, the WordPress mobile apps and pingbacks all talk to xmlrpc.php,
# so only block it if you do not use them.
# Apache 2.4: use "Require all denied" instead of the Order/Deny lines.
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

Use .htaccess so that JS scripts cannot be injected even if a vulnerability exists

Now let's also block malicious code related to JS at the query-string level.

htaccess
Options +FollowSymLinks
RewriteEngine On
# Reject (403) any request whose query string carries a <script> tag
# or tries to inject the GLOBALS / _REQUEST superglobals
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
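The FilesMatch rule for important files, the author=\d enumeration rule and the three JS-injection conditions above are all regular expressions, and a lost backslash or an unescaped dot silently changes what they match. The following added script (not part of the original post) exercises those patterns against constructed sample file names and query strings using Python's re module; it assumes that for these simple patterns Python's regex engine agrees with Apache's PCRE, which it does for the constructs used here ([NC] becomes re.IGNORECASE). It also includes the pattern without the backslash (author=d), which copy-and-paste often produces, to show that it never fires for numeric author IDs.

```python
"""Exercise the guide's .htaccess regex patterns offline against sample input.

Added example, not from the original post. The sample file names and query
strings below are constructed for the test.
"""
import re

# FilesMatch pattern from the "prohibit access to important files" block.
IMPORTANT_FILES = re.compile(r"^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$")

# RewriteCond pattern from the username-enumeration block, and the
# backslash-less version that a careless copy produces.
AUTHOR_ENUM = re.compile(r"author=\d")
AUTHOR_ENUM_BROKEN = re.compile(r"author=d")

# RewriteCond patterns from the JS-injection block; [NC] maps to re.IGNORECASE.
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)
GLOBALS_OR_REQUEST = re.compile(r"(GLOBALS|_REQUEST)(=|\[|\%[0-9A-Z]{0,2})")


def file_blocked(filename):
    """True if the FilesMatch rule would deny a request for this file name."""
    return IMPORTANT_FILES.search(filename) is not None


def author_query_redirected(query_string, pattern=AUTHOR_ENUM):
    """True if the enumeration rule would redirect a request with this query string."""
    return pattern.search(query_string) is not None


def query_blocked(query_string):
    """True if any JS-injection condition fires (they are OR-ed in .htaccess)."""
    return bool(SCRIPT_TAG.search(query_string) or GLOBALS_OR_REQUEST.search(query_string))


if __name__ == "__main__":
    for name in ("wp-config.php", ".htaccess", ".htpasswd", "php.ini",
                 "error_log", "index.php", "wp-config.php.bak"):
        print(f"{name:20} blocked={file_blocked(name)}")
    for qs in ("author=1", "author=12&foo=bar", "author=dave", "p=42"):
        fixed = author_query_redirected(qs)
        broken = author_query_redirected(qs, AUTHOR_ENUM_BROKEN)
        print(f"{qs:20} with-backslash={fixed} without-backslash={broken}")
    for qs in ("s=%3Cscript%3Ealert(1)%3C/script%3E", "s=<SCRIPT>x</SCRIPT>",
               "GLOBALS[x]=1", "_REQUEST=1", "s=hello"):
        print(f"{qs:40} blocked={query_blocked(qs)}")
```

Two things the run makes visible: the FilesMatch rule does not cover a backup such as wp-config.php.bak, so copies of the config file must be kept outside the web root rather than relying on the rule; and the backslash-less author=d pattern matches author=dave but not author=1, which is exactly the request it was meant to stop.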

Popular Security Plugins

Well, how far have you gotten?

You can see that security measures for a WordPress site matter.

However, it is hard to do all of this without causing an error somewhere. For readers in that situation, I will introduce some useful plugins.

There is no single plugin that does all of these things, so you need to combine several, or pick one and take care of the rest yourself.

Summary

WordPress's code is open for anyone to read. On top of that, about 30% of all sites in the world run on WordPress, so let's take the countermeasures we can.