Improving WordPress Security

Improving WordPress Security

Blogs, commonly WordPress sites, are targets for online hackers. Hackers target blogs for many reasons such as infecting visitors, collecting information (physical location, passwords, favorite places) for identity theft, or to purposely take up server resources to take the blog down.

In order to gain access, and achieve their goal, hackers need to log into WordPress. Once hackers attain access, securing the site can become incredibly difficult and can sometimes require completely erasing everything. In order to mitigate the chance of intrusion, an extra layer of security can be applied to the WordPress login page.

Hackers automate their attacks. They want to gain access as quickly as possible before they are noticed, and slowing down their attempts makes you an unfavorable target. To slow down hackers accessing the login page, example.com/wp-admin, we can enable a Two Step Authentication through Apache’s Web Authentication. This requires the user to enter a seperate password before being able to access the WordPress Admin page. Below is an example rule configuration saved in the ‘.htaccess’ file located outside of the WordPress installed directory.

ErrorDocument 401 "Authorization Required"
<FilesMatch "wp-login.php">
  AuthName "Restricted"
  AuthType Basic
  AuthUserFile /home/user/.wp-admin
  require valid-user
</FilesMatch>

The passwords are stored in /home/user/.wp-admin and stored outside of WordPress as well. The password can be generated using either the Apache tool, htpasswd, or online using a generator such as http://www.htaccesstools.com/htpasswd-generator/ . It is recommended to use the Apache tool since the password is generated locally rather than online where it is possible that the data is stored. Below is an example entry for the user ‘nohackers’ with the password ‘hj8ULmn+90!et’.

nohackers:$apr1$htAxQuUE$4lg0bdEB0Z0rYb3/Ne8Ej.

To generate a password using htpasswd, the following command can be used:

/usr/local/apache/bin/htpasswd -b -c /home/user/.wp-admin nohackers "hj8ULmn+90!et"

Using the two step authentication requires the attacker to become a valid user before accessing wp-login.php (This is the administrative login page for WordPress). Using a strong password such as the one above, will slow down the attacker to be caught by the firewall, or System Administrator preventing further attempts to gain access.

We can go another step further on restricting the visitor to their online IP address. WARNING: Using the following method can lock you out as well as hackers, and relies on you having a static IP address.

Using the above configuration, we will include the following rules:

allow from 192.168.0.12
Satisfy all

This is the complete configuration:

ErrorDocument 401 "Authorization Required"
<FilesMatch "wp-login.php">
  AuthName "Restricted"
  AuthType Basic
  AuthUserFile /home/user/.wp-admin
  require valid-user
  allow from 192.168.0.12
  Satisfy all
</FilesMatch>

This restricts access to the IP address 192.168.0.12, and having successfully logged in via the Apache Web Authentication. Using this method requires a valid user to have a static IP address, or risk losing access. ‘Satisfy all’ can be changed to ‘Satisfy any’, allowing the user to access the login page either after successully validating through Apache’s Web Authentication or valid IP address bypassing the Web Authentication.

Using these techniques will provide extra security keeping you safe and your visitors safe. WordPress has many plugins available that achieve similar results, however, they rely and burden WordPress. The method explained in this article, is fast and light, keeping WordPress speedy and error free.