Archive for the ‘Wordpress Wizardry’ Category

Other WordPress Tricks

Monday, October 5th, 2009

Perhaps in the future I’ll expand on the topics below, but for the sake of brevity and simplicity here are some easy-to-implement WordPress security tricks.

  • Delete the xmlrpc.php file from your server, or at the very least make sure it’s disabled (do that by going to Writing under Settings in the administration area). If you need the file (it’s required for desktop blogging tools) then at least rename it to something unique.
  • Disable user registration if you don’t require the functionality. Go to the General page under Settings and verify that “Anyone can register” is not checked.
  • Rename your /wp-admin folder to something unique, and make sure there are no references to the renamed version in your robots.txt or .htaccess file.
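The first two items can also be enforced from code, which is handy on newer WordPress releases where the Settings > Writing checkbox for XML-RPC no longer exists (from 3.5 on, XML-RPC is always on unless a filter turns it off). The snippet below is an added example, not code from the original post; it assumes a WordPress version that provides the xmlrpc_enabled and wp_headers filters, and that it is placed in the active theme’s functions.php or a small must-use plugin.

```php
<?php
// Added example (not from the original post). Assumes WordPress 3.5 or later,
// loaded from the active theme's functions.php or a must-use plugin.

// Refuse every XML-RPC call. xmlrpc.php can stay on disk (so nothing that
// expects the path breaks), but it answers "XML-RPC services are disabled".
add_filter('xmlrpc_enabled', '__return_false');

// Stop advertising the endpoint: WordPress adds an X-Pingback header on
// single posts that points straight at xmlrpc.php.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// Open registration is a setting, not code, so rather than silently flipping
// it, surface a warning in the dashboard whenever it is switched on.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    if (get_option('users_can_register')) {
        echo '<div class="notice notice-warning"><p>'
           . esc_html('"Anyone can register" is enabled under Settings > General. '
                    . 'Disable it unless you need public sign-ups.')
           . '</p></div>';
    }
});
```

Disabling XML-RPC through the filter rather than deleting the file also disables pingbacks and the mobile/desktop publishing apps, which is the trade-off the list item describes.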

Move wp-config.php

Monday, October 5th, 2009

By default wp-config.php, which contains all your most sensitive data, is stored in the top-level directory of your blog. What few people know, however, is that you can actually move this file to the directory above its default location; WordPress checks for it there automatically.

If WordPress is installed in the /public_html directory, this allows you to move the file completely out of public access.

Cookie Encryption

Sunday, October 4th, 2009

Cookie hijacking is a security threat for your blog, but because of my inability to explain such complex topics simply, here’s an explanation from Wikipedia:

“During normal operation cookies are sent back and forth between a server (or a group of servers in the same domain) and the computer of the browsing user. Since cookies may contain sensitive information (user name, a token used for authentication, etc.), their values should not be accessible to other computers. Cookie theft is the act of intercepting cookies by an unauthorized party.

Cookies can be stolen via packet sniffing in an attack called session hijacking. Traffic on a network can be intercepted and read by computers on the network other than its sender and its receiver (particularly on unencrypted public Wi-Fi networks). This traffic includes cookies sent on ordinary unencrypted http sessions. Where network traffic is not encrypted, malicious users can therefore read the communications of other users on the network, including their cookies, using programs called packet sniffers.”

Oddly enough, this complex topic has a simple solution.

Open up your wp-config.php file, and scroll down to this code:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Now, go over to http://api.wordpress.org/secret-key/1.1/ and copy the randomly generated output. Replace the original 4 lines of code with this newly copied set.

And that’s it! Now your cookies are encrypted, and thus protected against cookie hijacking. Nice and simple.
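To see what those keys actually buy you: WordPress uses them as the secret for a keyed hash (HMAC) over the cookie contents, so a cookie that was captured and edited, or minted without the key, fails verification, and changing the key logs every existing session out. The script below is an added, simplified stand-alone illustration of that mechanism, not WordPress’s own cookie code (the real cookie also folds in a fragment of the user’s password hash and a session token); the key value is a constructed placeholder.

```php
<?php
// Added example: a simplified model of a signed login cookie
// (username|expiry|hmac). Not WordPress's own implementation.

// Constructed stand-in for the value pasted in from the secret-key service.
const AUTH_KEY_DEMO = 'v#3(W*9q!zR2^ constructed unique phrase, not a real key';

// Build a cookie whose authenticity depends on knowing $key.
function issue_cookie(string $username, int $expires, string $key): string
{
    $payload = $username . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '|' . $mac;
}

// Return the username if the cookie is intact, unexpired and signed with
// $key; null otherwise. hash_equals() avoids a timing side channel.
function verify_cookie(string $cookie, string $key, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null; // expired or malformed expiry
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) {
        return null; // edited payload, forged MAC, or a different key
    }
    return $username;
}

$now = time();

// A cookie issued with the current key verifies.
$good = issue_cookie('editor', $now + 3600, AUTH_KEY_DEMO);
var_dump(verify_cookie($good, AUTH_KEY_DEMO, $now));

// The same payload with the username changed to 'admin' no longer matches its MAC.
$edited = str_replace('editor|', 'admin|', $good);
var_dump(verify_cookie($edited, AUTH_KEY_DEMO, $now));

// A cookie issued under the old placeholder phrase is rejected once the key
// has been replaced: this is why everyone has to log in again after the change.
$old = issue_cookie('editor', $now + 3600, 'put your unique phrase here');
var_dump(verify_cookie($old, AUTH_KEY_DEMO, $now));
```

Run it with php from the command line: the first check yields the username, the edited and old-key cookies yield null. The keys do not stop a cookie being read off the wire, so they complement, rather than replace, serving the login and admin pages over HTTPS.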

Hide Login Errors

Sunday, October 4th, 2009

By default, if you type your username or password incorrectly when trying to log in, WordPress lets you know which mistake you’ve made. This can provide a hacker with confirmation that they know one half of the login equation.

Edit the functions.php file in your active theme’s folder under /wp-content/themes/ and add this code to prevent these errors from showing up:

<?php add_filter('login_errors', function ($errors) { return null; }); ?>

Note: This can be done automatically with the Login Lockdown plugin.
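Blanking the message entirely leaves legitimate users staring at an empty red box. The variant below, an added example rather than the post’s own snippet, returns one generic line instead, and keeps the detail for the site owner by logging failed attempts server-side where repeated failures against one account or from one address can be noticed. It assumes the same placement (active theme’s functions.php) and the login_errors filter plus the wp_login_failed action, both long-standing WordPress hooks.

```php
<?php
// Added example (not from the original post); goes in the active theme's
// functions.php or a must-use plugin.

// One generic message for every login failure: the form still says something
// went wrong, but no longer confirms which half of the credentials was right.
add_filter('login_errors', function ($errors) {
    return 'Invalid username or password.';
});

// Record the failure on the server instead. The username is attacker-controlled
// input, so squash anything outside printable ASCII before it reaches the log
// (prevents log-line injection via newlines or control characters).
add_action('wp_login_failed', function ($username) {
    $clean_user = preg_replace('/[^\x20-\x7E]/', '?', (string) $username);
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log(sprintf('wp login failed: user="%s" ip=%s', $clean_user, $addr));
});
```

Note that login_errors also wraps the messages on the lost-password form, so the generic text will show there too; if that matters, inspect the incoming string and only replace the username/password cases.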

Updating WordPress

Sunday, October 4th, 2009

WordPress has a very fast development cycle, and often there are 2 or more major updates each year, along with minor updates spread in between these. Something you need to remember is:

Major updates can be huge security risks.

When upgrading WordPress from, say, 2.7 to 2.8, a large number of changes have been made to the software. These changes generally bring with them new parts of the code that can be exploited.

Luckily, there is a simple solution. If there is a major update:

Wait.

Wait for 1-2 minor updates to be released, and then upgrade to that version. Security becomes the foremost concern for developers after a major update, so the first couple of minor updates following will eliminate most of the exploits that are found.

Granted, I’m quite the hypocrite as I write this, because I’m often too impatient and will upgrade my WordPress straight away just to play around with the new features. But it’s important to understand the risk you’re introducing.

Something I should do is set up a separate installation of WordPress, used only for playing around with new features, and then upgrade the original copy of WordPress at a safe time. That’d be the smart way to approach it.

Hide the Version Number

Sunday, October 4th, 2009

The version number of your WordPress installation can tell a hacker a lot. Different versions have different known exploits, so making the number public effectively speeds up the process of someone getting into your system.

Don’t do part of their work for them.

Place the following code in your functions.php, which should be in your current theme’s folder. If the file isn’t there, create it.

<?php remove_action('wp_head', 'wp_generator'); ?>

This code was found at: http://gist.github.com/167926
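The head tag is only one place the version shows up: the same generator string is written into the RSS/Atom feeds, and every core script and stylesheet is linked with a ?ver= query argument equal to the WordPress version. The snippet below is an added example, not the gist’s code, that covers those outputs as well; it assumes a WordPress release with the the_generator, script_loader_src and style_loader_src filters and the __return_empty_string helper (3.7 or later), placed in the active theme’s functions.php.

```php
<?php
// Added example (not from the original post or the linked gist). Assumes
// WordPress 3.7 or later, loaded from the active theme's functions.php.

// 1. The <meta name="generator"> tag in the page head (what the original
//    one-liner removes).
remove_action('wp_head', 'wp_generator');

// 2. The generator string is also emitted into RSS/Atom feeds and elsewhere;
//    the_generator filters every one of those outputs.
add_filter('the_generator', '__return_empty_string');

// 3. Core assets are enqueued as /wp-includes/js/jquery/jquery.js?ver=<version>.
//    Strip "ver" only when it equals the core version, so plugins and themes
//    keep their own cache-busting arguments.
function hide_core_version_query_arg($src)
{
    global $wp_version;
    $query = [];
    parse_str((string) parse_url($src, PHP_URL_QUERY), $query);
    if (isset($query['ver']) && $query['ver'] === $wp_version) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hide_core_version_query_arg');
add_filter('style_loader_src', 'hide_core_version_query_arg');
```

Two caveats: removing the ver argument from core assets means browsers may cache an old copy across an upgrade until it expires, and none of this hides the version written in readme.html in the web root, which should be deleted or blocked separately.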