Ultimate Security Checker

A few weeks ago I helped Frances Clements Fawcett Art get her blog back online after it was infected with malware. After we got the site back up I wrote the article “What to do if Your WordPress site Gets Hacked”.

In this article I list some measures you can take to prevent your site being hacked in the first place, thanks to Ultimate Security Checker. This list is quite detailed and may not make sense to some of you who are not used to working behind the WordPress code. I would be more than happy to implement the following for you.

WordPress/Themes/Plugins Upgrades

You should upgrade your software often to keep it secure.
However, you shouldn’t upgrade WordPress yourself if you don’t know how to fix it if the upgrade process goes wrong.

Here’s why you should be afraid to upgrade your WordPress:

  • WordPress might run out of memory or have a network problem during the update
  • There could be a permissions issue which causes problems with folder rights
  • You could cause database problems which could cause you to lose data or take your entire site down

Step-by-step explanations are available at the WordPress Codex.

You can let the professionals do the work for you and upgrade your blog with plugins. See details.

Config file is located in an unsecured place.

The most important information in your blog files is located in wp-config.php. It’s good practice to keep it in the folder above your WordPress root.

Sometimes this is impossible to do because:

  • you don’t have access to the folder above your WordPress root
  • some plugins were developed incorrectly and look for the config file in your WordPress root
  • there is another WordPress installation in the folder above

Editing global variables or keys in the config file.

If any of the keys AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY or NONCE_KEY are not set, generate secret keys from https://api.wordpress.org/secret-key/1.1/ and paste them into wp-config.php.

It’s better to turn off the file editor for plugins and themes in the WordPress admin.
You don’t often edit your theme or plugin source code in the WordPress admin, so don’t let a potential hacker do it for you. Add the DISALLOW_FILE_EDIT option to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

The WP_DEBUG option should be turned off on a LIVE website.
Sometimes developers use this option while debugging your blog and leave it on after the website is done. This is unsafe: it allows hackers to see debug information and infect your site more easily. It should be turned off:

define('WP_DEBUG', false);

Removing the WordPress version from your website.

When the WordPress version used by your blog is known, a hacker can find the proper exploit for that exact version of WordPress.

To remove the WordPress version you should do two things:

  • check that it’s not hardcoded in header.php or index.php of your current theme (search for )
  • add a few lines of code to functions.php in your current theme:
    function no_generator() { return ''; }
    add_filter( 'the_generator', 'no_generator' );

Removing unneeded files.

Users can see the version of WordPress you are running from the readme.html file.

When the WordPress version used by your blog is known, a hacker can find the proper exploit for that exact version of WordPress.

Remove the readme.html file, which is located in the root folder of your blog.
NOTE: It will reappear with the next upgrade of WordPress.

The installation script is still available in your WordPress files.
Remove /wp-admin/install.php from your WordPress installation.

Removing unnecessary error messages on failed log-ins.

By default WordPress will tell you what was wrong with your login credentials – the login or the password. This allows hackers to start a brute-force attack on your password once they know the login.

Add a few lines of code to functions.php in your current theme:

function explain_less_login_issues(){ return '<strong>ERROR</strong>: Entered credentials are incorrect.';}
add_filter( 'login_errors', 'explain_less_login_issues' );

Securing blog against malicious URL requests.

Malicious URL requests are requests that may carry an SQL injection and allow a hacker to break your blog.

Paste the following code into a text file and save it as blockbadqueries.php. Once done, upload it to your wp-content/plugins directory and activate it like any other plugin.

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
// Reject the request outright if the requested URI contains any of these
// strings, which are common in injection attempts and almost never appear in
// legitimate WordPress URLs. strpos() is compared against false explicitly so
// that a match at offset 0 is not mistaken for "not found".
if (strpos($_SERVER['REQUEST_URI'], "eval(") !== false ||
  strpos($_SERVER['REQUEST_URI'], "CONCAT") !== false ||
  strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") !== false ||
  strpos($_SERVER['REQUEST_URI'], "base64") !== false)
  {
    // Answer with 400 and stop before WordPress processes the request.
    @header("HTTP/1.1 400 Bad Request");
    @header("Status: 400 Bad Request");
    @header("Connection: Close");
    @exit;
  }
?>

Changing config file rights.

According to the WordPress Codex you should change the rights on wp-config.php to 400 or 440 to lock it from other users.

In real life a lot of hosts won’t allow you to set the last digit to 0, because they configured their web servers the wrong way. Be careful with hosts like this.

Changing .htaccess file rights.

.htaccess rights should be set to 644 or 664 (depending on whether you want WordPress to be able to edit .htaccess for you).

Changing rights on WordPress folders.

According to the WordPress Codex the rights for the following folders should be set like this.

Insufficient rights on wp-content folder!
/wp-content/ should be writeable for all (777) according to the WordPress Codex. But it is better to set it to 755 and change it to 777 (temporarily) if some plugin asks you to do that.

Insufficient rights on wp-content/themes folder!
/wp-content/themes/ should have rights 755.

Insufficient rights on wp-content/plugins folder!
/wp-content/plugins/ should have rights 755.

Insufficient rights on core WordPress folders!
/wp-admin/ should have rights 755.
/wp-includes/ should have rights 755.

Changes in database.

The default admin login is not safe.
Using a MySQL frontend program (like phpMyAdmin), change the administrator username with a command like this:

update tableprefix_users set user_login='newuser' where user_login='admin';

The default database prefix is not safe.
Using a MySQL frontend program (like phpMyAdmin), change all table prefixes from wp_ to something different, and put the same prefix into wp-config.php:

$table_prefix  = 'tableprefix_';

Your uploads directory is browsable from the web.

Put an empty index.php into your uploads folder.

Your server shows too much information about installed software.

If you’re using the Apache web server and have root access (or can edit httpd.conf), you can set the ServerTokens directive to your preferred option (less info is better). See details.

Keep your blog secure with automated checks.

A lot of these security vulnerabilities are reintroduced when themes or the WordPress core are updated. You need to run regular checks using “Ultimate Security Checker”, or register for their service and they will check your blog for you weekly and email you the results.

Ultimate Security Checker also has a paid service which automatically fixes these vulnerabilities. Another exceptionally good malware removal service and scanner is Sucuri Scanner. Sucuri also has a paid service that removes malware in an extraordinarily short turnaround time; they understand the urgency.

Sucuri Scanner will automatically harden 3 of the most vulnerable penetration points of a WordPress site with the click of a button. With the built-in malware scanner you can scan your site on demand, which provides a tremendous amount of peace of mind.

The content for this post is information provided by Ultimate Security Checker. I install, run and fix with both Ultimate Security Checker and Sucuri Scanner on all client sites.

RELATED POST: How to delete the “admin” user in WordPress

2 thoughts on “Ultimate Security Checker”

  1. Hi Kim,

    Great article – you touch on a lot of very important points.

    I recently did a lot of research into WordPress Security, and ended up writing up a comprehensive Checklist. It can be downloaded for free from http://www.wpsecuritychecklist.com and would be a great complement to your list here…

    Perhaps your readers would benefit from that list too…

  2. Great post, Kim.

    I have bookmarked this post, and will be going through your list of security tips a little later today…

    Even though I have security plugins installed, and a premium paid (site) security service from my web host, I have noticed way too many attempts to add malicious codes, among other things…

    That on top of the endless thousands of spammers who try to add bad code (hacks) or bad links through comments (none have got through so far)…

    Then there are the attempts by similar spammers and hackers who “go the extra mile” and actually subscribe to my Newsletter (I do a background check and they are deleted or unsubscribed)…

    It is a real pain, as we can often spend so much time with our hands tied up doing security checks and repairs, when we should be getting other onsite and offsite tasks done…
