This is the third lesson of the Deploy WordPress on a Domain course. In this lesson we will fortify our WordPress installation. In lesson 2 we covered wp-config.php security; that single change protects against many common attacks. Now we move on to the more advanced part.
Note that WordPress itself is very secure, but an additional plugin helps you discover common mistakes. For example, you might have used admin as the Administrator user name, which is not recommended. A plugin helps you discover and fix these kinds of issues.
Since the site is in Coming Soon mode we can work on securing it. In case you missed the second part of the tutorial, please follow the link below.
To further secure WordPress we will use a dedicated security plugin. There are many security plugins out there, but we have chosen the one below for its features and ease of use. It works well and gives you a wide range of options.
Securing your WordPress Site
In this article I will discuss all the configuration options provided by the plugin and the recommended settings. Once you have made those changes your site is secured, so it is best to read this article and make the changes to your site in parallel.
Installing Security Plugin
The first step is to install the plugin. It is freely available on WordPress.org. After installing and activating it you will see a new WP Security menu in your WordPress Dashboard (below the Settings option).
Configuring Security plugin
Now that the plugin is active, let's start with its configuration. I will discuss every option menu step by step, in the order they appear, and skip the options that are not that important or are self explanatory.
WP Security User Accounts
This option helps you secure your Admin user account, the most powerful account on the site, so you should protect it. By default people use Admin (admin) as their admin user name. This is a security flaw, and you can change the Admin user name here.
Note that the User Accounts option has three sub options:
- WP Username – Change your Admin user name
- Display Name – Change your user name and display name
- Password – Check the strength of your password and change it if it is weak
Note that all these options lead you to the Edit Profile page of the WordPress dashboard. I have covered the Edit Profile page in great detail in WordPress Tutorial for Beginners lesson 6. Once you have read it and set your User Name and Display Name, you can revisit this page. It will give you the message that no action is required (as shown in the image).
WP Security User Login
This option has multiple sub options; I will discuss the ones you need to change. On the Login Lockdown tab enable the options below:
- Enable login lock down feature
- Display generic error message
- Instantly lockout invalid usernames
After making the above changes save the settings. The User Login page provides one more interesting option under Force Logout. It logs out any user after a specified amount of time. I do not prefer this option.
If you want you can turn it on and set a time as per your requirement, but this option hinders work. I myself log in to the site and remain idle for a couple of hours.
WP Security User Registration
This option is only applicable if you want to allow user registration. Blogs generally do not require it, so you can keep user registration disabled. If you are not aware how to disable user registration, please read this article on User Management in WordPress.
If you have enabled user registration then this option is very important.
- Enable manual approval of new registrations – Do not check the box; keep it disabled
- Enable Captcha on Registration page – Enable it by checking the box
- Enable Honeypot on Registration page – Enable it by checking the box
After making the above changes save the settings on each page. This will protect your site from spam user registrations, which is why I kept manual approval disabled: the chance of trash registrations is low, so you can auto approve registered users.
But if you want closer control you can enable the option to manually approve user registrations.
WP Security Database security
This option helps you secure the WordPress database. On the DB Backup tab first create a backup of the current database. Click the button (shown in the image below) to create the backup. On the same page you will see the location of your database backup.
On the same page enable Automated Scheduled Backup. You can also select the option to send backup files via email. After making these changes save the settings.
If during installation you used a table prefix other than wp_ then you are fine. If not, you can change the default table prefix here. It makes it harder for an attacker to guess your database table names. You can change it by selecting the option Generate New DB Table Prefix.
Note that you will not be using the table prefix in maintenance or other tasks, so you can give any complex name here. After making the change click on Change DB Prefix to apply it.
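To see what the prefix change actually does to the database, here is an added example (not the plugin's own code) that generates the MySQL statements for moving from one prefix to another. The table list, the example prefixes and the wp-config.php helper are assumptions; the point it shows is that renaming the tables alone is not enough, because the role keys stored inside the options and usermeta tables also carry the prefix.

```python
import re

# The core WordPress tables; plugin tables carrying the old prefix are renamed the same way.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy",
               "usermeta", "users"]

PREFIX_RE = re.compile(r"[A-Za-z0-9_]+_")

def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the MySQL statements that move a site from prefix `old` to `new`.

    The options table stores the role definitions under '<prefix>user_roles'
    and usermeta stores each user's role under '<prefix>capabilities'. If those
    keys keep the old prefix, every account loses its role and you are locked
    out of wp-admin, so they are rewritten after the tables are renamed.
    """
    if not PREFIX_RE.fullmatch(old) or not PREFIX_RE.fullmatch(new):
        raise ValueError("prefix must be letters, digits or '_' and end with '_'")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # '_' is a single-character wildcard in LIKE, so escape it in the pattern.
    like = old.replace("_", "\\_") + "%"
    cut = len(old) + 1  # SUBSTRING is 1-based: keep everything after the old prefix
    stmts.append(
        f"UPDATE `{new}options` SET option_name = CONCAT('{new}', SUBSTRING(option_name, {cut}))"
        f" WHERE option_name LIKE '{like}';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {cut}))"
        f" WHERE meta_key LIKE '{like}';"
    )
    return stmts

def wp_config_line(new):
    """The matching wp-config.php line; it must change together with the SQL."""
    return f"$table_prefix = '{new}';"

if __name__ == "__main__":
    for statement in prefix_change_sql("wp_", "k9x_"):
        print(statement)
    print(wp_config_line("k9x_"))
```

Take the backup described above before running anything like this by hand; the plugin performs the same steps for you, which is why the backup tab comes first.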
WP Security Filesystem security
This option is divided into multiple tabs. The first one is File Permissions, and it is important. The File Permissions scan lists your files and folders with their current permission and the recommended permission. Permission means who can view and edit the files and folders.
For all files and folders displayed in the scan except wp-config.php, click on the option Set Recommended Permissions. For wp-config.php, remember that we set the permissions in the previous part of this tutorial.
On the next tab, PHP File Editing, do not make any changes. If you enable the Disable Ability to Edit PHP Files option then you will not be able to edit theme or plugin files. Personally I do not recommend using this option, but you can enable it if you rarely edit theme files.
On the next tab, WP File Access, enable the option Prevent Access to WP Default Install Files. This hides some non-PHP files of WordPress. All these changes secure your file system.
WP Security Blacklist Manager
This option protects your site from bad user agents and bots. You should enable IP or User Agent blacklisting. Enabling the option has no effect unless you enter the IP addresses and user agents to block.
You can leave the IP addresses for now, but you should blacklist user agents. Below is a list of user agents you can download. After downloading this list, unzip the file and open it in Notepad. Then copy the content of the file and paste it into the Enter the User Agents box. After entering the values, Save Settings.
This simple action protects your site from the potentially harmful impact of bad bots. My list currently has 60 bad bots, so your site is protected from the most common and well known ones.
WP Security Firewall
This section is divided into multiple sub sections.
Basic Firewall Rules
On this tab select the options below and click Save Settings.
- Enable basic firewall protection
- Completely block access to XMLRPC
- Disable pingback functionality from XMLRPC
- Block access to debug.log file
Additional Firewall Protection
On this tab select the options below and click Save Additional Firewall Settings.
- Disable Index Views
- Disable trace and track
- Forbid proxy comment posting
Note that the two options below should not be activated, as they may be incompatible with some plugins. If you enable them and face any issue on your site, the first thing to do is disable them.
- Deny bad query strings
- Enable advanced character string filter
6G blacklist firewall rules
This tab has only two options. Select the option below and click the Save button.
- Enable 6G Firewall protection
Block Fake Googlebots
This tab has only a single option. Many bots pretend to be Googlebot, the bot from Google that crawls websites. The real Googlebot should be allowed but fake ones should not, so enable the option Block Fake Googlebots and save.
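The two checks just described, blacklisting known bad user agents and telling a real Googlebot from a fake one, can be reproduced on your own access log. The following added example (my code, not the plugin's) runs both over a few constructed Apache log lines: user agents are matched against a short constructed blacklist, and anything claiming to be Googlebot is verified the way Google documents it, by a reverse DNS lookup that must land in googlebot.com or google.com and a forward lookup that must return the same IP. The sample lines, IPs and blacklist entries are invented for the example.

```python
import re
import socket

# Constructed sample of Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
66.249.66.1 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /feed/ HTTP/1.1" 200 9123 "-" "EmailSiphon/1.0"
192.0.2.44 - - [10/Oct/2023:13:55:42 +0000] "GET /about/ HTTP/1.1" 200 7310 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
"""

# A short constructed blacklist in the one-name-per-line style of the plugin's
# "Enter the User Agents" box; matched as a case-insensitive substring.
BAD_AGENTS = ["EmailSiphon", "EmailCollector", "WebStripper"]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

def dns_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def dns_forward(host):
    return socket.gethostbyname_ex(host)[2]

def is_real_googlebot(ip, reverse=dns_reverse, forward=dns_forward):
    """Google's published verification: the PTR name must end in googlebot.com
    or google.com AND resolving that name must give back the same IP.
    A spoofed User-Agent string alone passes neither check."""
    try:
        host = reverse(ip)
        return host.endswith((".googlebot.com", ".google.com")) and ip in forward(host)
    except OSError:
        return False  # no PTR record or unresolvable name: not verified

def triage(lines, bad_agents=BAD_AGENTS, reverse=dns_reverse, forward=dns_forward):
    """Label each request as bad-agent, googlebot, fake-googlebot or ok."""
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ua = m.group("ip"), m.group("ua")
        if any(bad.lower() in ua.lower() for bad in bad_agents):
            verdicts.append((ip, "bad-agent"))
        elif "googlebot" in ua.lower():
            ok = is_real_googlebot(ip, reverse, forward)
            verdicts.append((ip, "googlebot" if ok else "fake-googlebot"))
        else:
            verdicts.append((ip, "ok"))
    return verdicts
```

The resolver functions are parameters so the logic can be exercised offline; on a live server the defaults use the system resolver.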
Prevent Hotlinking
Image hotlinking is other sites linking directly to your images. It is a kind of bandwidth misuse: the image is on your site, but another site links to it without downloading it to their own server, so when their web page is requested the image is served from your server.
This increases your server load and steals your bandwidth. Most hosting providers now provide unlimited bandwidth, so that part is less of an issue, but the other site will not link back to the page containing the image, so you get no traffic from it.
This is why people prevent hotlinking: some sites use your images for their benefit and you get nothing in return. So check the option Prevent Image Hotlinking and save.
404 Detection and Custom rules
I recommend you leave these settings as they are. I do not prefer enabling them.
WP Security Brute Force
There are a few sub options on this page. You can ignore the ones below.
- Rename login page
- Cookie based brute force prevention
- Login Whitelist
The options below should be enabled. We will discuss Google Authenticator later in this post; it is recommended for single user blogs. If yours is a multi user blog or has registration enabled then you can use the two settings below.
- Login Captcha
Enable all the options present under these two sub options. It will help you eliminate random attacks on your login pages.
WP Security SPAM Prevention
Spam prevention is very important for every site. Comment spam is a major issue for all websites, mainly blogs. On the Comment SPAM page enable both settings and click the Save button.
- Enable Captcha on comment form
- Block Spam bot comments
The other two sub options on this page can be left as they are. Comment SPAM IP Monitoring is helpful, but it increases the load on your database, so I prefer disabling it.
WP Security Scanner
The File Change Detection setting helps you detect whether any file was changed. You can schedule a scan that tells you which files changed between the last scan and the current one. Under File Change Detection Settings make the changes below:
- Enable Automated File Change Detection Scan
- Scan time interval can be kept at one month or 4 weeks
- You can ignore the file types below, one entry per line: jpg, png, bmp, gif, txt
- Also select the option to send mail when a change is detected, so that you are aware of any changes made.
Note that hackers mostly make changes to PHP or JS files, so you can skip other file types from the scan. The scan is a time consuming, server heavy task, so do not schedule it too often.
WP Security Maintenance
Remember that in the previous post we discussed Coming Soon mode and Maintenance mode. This plugin provides Maintenance mode, so you do not have to install one more plugin for the maintenance message.
Enable front end lock, enter the message and save the settings. You can enter a message like "This website is under maintenance and will be back after (give a time here)". This gives visitors an idea when the site will be live again.
WP Security Miscellaneous
This menu offers three sub options. The first is Copy Protection, which helps you protect the content of your website: visitors will not be able to select your page content or use CTRL + C to copy text from your pages.
I do not prefer enabling this option, as it is not user friendly. But many people want these features, for example someone running a Questions and Answers site who does not want anyone to steal the questions. They can use this option.
The other two options are Frames and User Enumeration. I recommend you turn on both protections. There is no need for your site to be displayed in iframes, so you can safely block that.
WP Security Dashboard
With this setting we come to the end of the plugin configuration. Your website is now secured. You can view your security score on the WP Security Dashboard option. This page has a Security Strength meter, whose score is generated from the options you selected above.
Two Factor Authentication
Two factor authentication solves all login related issues. It is recommended for all single user websites, and you can use it for multi user websites as well if the other users are comfortable with it or willing to use it. In this method you enter a random code generated on your mobile phone while logging in.
So to log in you enter your user name, your password and a random code generated on your mobile. You have probably used this feature on other websites. In this lesson we will see how to enable it for your WordPress blog.
The first step is installing and activating this plugin. It is a free plugin available in the WordPress repository. After installing it, go to the Your Profile option of the Users menu in the WordPress dashboard. You will see the Google Authenticator options there, as shown in the image below.
Make the same settings as shown in the image below. You need to check Active and Relaxed mode. Relaxed mode gives you more time to enter the Google Authenticator code. In place of the description you can enter your site name.
Entering a meaningful name here is recommended. This name is shown in the Google Authenticator mobile app, so you can tell which code to enter if multiple codes are displayed in the app.
After that you need to scan the QR code with the Authenticator mobile app. In step 2 we will discuss where you can get the Google Authenticator mobile app.
Above we configured Google Authenticator on your website. Now it is time to install the app on your mobile. It is a free app created by Google for both iPhone and Android, so you can be sure of its reliability. This official link from Google explains everything about the app and directions for its use.
Since that article is detailed and the app installation is similar to any other app, I am not covering it here. You can read the article for details on installation and configuration for your operating system, Android or iOS.
After installing the app, scan the QR code. You will now see a random code generated under the description name you gave on the Google Authenticator settings page of your website. Now log out of your site. You will have to enter your Google Authenticator code along with your user name and password when logging in.
So anyone who does not have access to your phone cannot log in to your site.
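To show what the app and the plugin are actually agreeing on, here is an added example (my code, not the Google Authenticator plugin's) of the time-based one-time password scheme the app implements, RFC 6238 TOTP with HMAC-SHA1: the secret behind the QR code, the 30-second step, and a server-side check with a tolerance window. The strict and relaxed window sizes are assumptions standing in for the plugin's own values; the secret used in the demo is the RFC's published test key, not one to reuse.

```python
import base64
import hashlib
import hmac
import struct
import time

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme the Google Authenticator app
    implements. The shared secret is the base32 string encoded in the QR code."""
    raw = secret_b32.strip().upper()
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))  # restore any stripped padding
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, relaxed=False, step=30):
    """Server-side check. Strict mode accepts the current code and one step either
    side; relaxed mode widens that to 4 minutes (8 steps) each way, which is what
    'more time to enter the code' means. Both window sizes are assumptions."""
    window = 8 if relaxed else 1
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        # constant-time compare so timing does not reveal how many digits matched
        if hmac.compare_digest(totp(secret_b32, t, step), submitted.strip()):
            return True
    return False

if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"); a real site gets a fresh random one.
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print("code right now:", totp(secret, time.time()))
```

A phone whose clock drifts beyond the window produces codes the server rejects, which is the usual cause of "wrong code" complaints and the reason the relaxed option exists.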
If you have configured your site in parallel with this article then your site is secured. We can now focus on the next things your site needs. This initial configuration is the launch pad of your website; a successful site has a lot more things to be taken care of.
You can now read the next set of tutorials, which focus on the different things needed by your website. We will focus on making your site social and on its SEO aspects. After that we will discuss creating different kinds of websites. So stay tuned. You can get the list of all WordPress courses on the page below.