Carlosmdh

Making your WordPress secure (part 2)

In that previous article I showed you the first steps to achieve a secure WordPress, creating secure passwords and making it difficult for a "friend of the stranger" to easily find out which is the administrator user of your website.

Today I am going to focus on two important points: Protecting the wp-admin folder and the wp-config file, two of the keys inside every WordPress installation. And, as an extra, a very interesting plugin to add more security to our website: Limit Login Attemps

Protect the wp-admin folder

We will start by securing access to our WordPress administration panel.

We are facing one of the main targets of any hacker who wants to attack a website, if he gets access, and even more in the case of doing so with administrator privileges, he will be able to do whatever he wants, so its protection must be a priority task for us.

As we talked about in the previous article we can protect access to the administration area of our WordPress with plugins or code. Here I am going to be a bit more careful, since what we are going to touch with code is more delicate and directly affects our server.

To not allow unwanted access to the administrator of our WordPress we must touch a file that is not part of it, but it is "the mother of the lamb" of any Web server mounted on Apache, this is important, you will only find it if your Web server is Apache, but relax, most of the hosting are mounted on Apache, and we have already spoken on previous occasions. We are talking about the .htaccessfile.

To access and modify this file, the steps to follow are as follows:

1.- Access your server via FTP with a client such as Filezilla or Coda (the former is free and the latter costs $99).

2. - Once you access via FTP, in the wp-admin folder of our WordPress installation we must create, if it did not exist before, a file with the name .htaccess (the starting point before the h is not a mistake, it is named this way so that it remains hidden). If this file already exists, we make a backup copy of it, so that if something goes wrong, we can go back to the previous version.

Something important, we are creating this file in the wp-admin folder , yes I know that possibly there is another .htaccess in the root, but that is not touched, for now. The .htaccess files work in a hierarchical way, having preference the one closest to the folder we are in, that is, the one in the wp-admin folder will rule over the one in the root.

3.- To return to the focus, we are trying to protect the wp-admin directoryto avoid unwanted access. To do this, in the .htaccess of the wp-admin folder we will write the following lines.

4.- You will see that I have left highlighted line 5, there is a reason. The path that we must put in that line and that defines where the .htpasswd file is must be an absolute path inside your server. Normally that path is home/login_user_in_your_panel/public_html/your_WordPress_folder/wp-admin/.htpasswd. If you do not have it clear, you can create a file with the lines that I leave below this paragraph to your wp-admin/.htpasswd folder via FTP and run in the browser the following url http://Tu_Web/wp-admin/.htpasswd/ruta_absoluta.php obviously modifying "Tu_Web" by your domain, that will return the absolute path of your wp-admin folder, or any other where you upload this file. IMPORTANT, once you get the path, delete the file.

<?php
/* Devuelve la ruta absoluta en el servidor del archivo*/
Echo dirname(__FILE__);

We are not finished yet, we have one final step to go.

With what we have done, we have completely blocked access to the wp-admin folder, now it turns out that if we have a Theme, Plugin or Widget in our WordPress that has to make calls to the WordPress Ajax API will not be able to do so, since this API is in this folder, so it will stop working, we have made a bread with some wafers. Calm down, it can be fixed and it involves adding some additional lines to our .htaccess to allow these elements to have access to this file.

# Establece una restricción a la carpeta wp-admin mediante un archivo .htpasswd
AuthName "Sin acceso"
AuthType Basic
AuthUserFile /home/jfougtnp/public_html/carpeta_wordpress/wp-admin/.htpasswd
AuthGroupFile /dev/null
require valid-user
# Permite a los archivos css, js, jpg, jpeg, gif y png de Themes, Widgets o plugins en acceso al archivo admin-ajax.php para poder ejecutar llamadas a la API Ajax de WordPress
<FilesMatch “\.(css|js|jpg|jpeg|gif|png)$”>
Order Allow,Deny
Allow from All
Satisfy Any
</FilesMatch>
<Files admin-ajax.php>
Order Allow,Deny
Allow from All
Satisfy Any
</Files>

Finally, you can also restrict access to the folder by IP, that is, only allow access to the IP or IPs (fixed) that you want, and restrict access to that folder to the rest of IPs. However, if we are in the previous case, we must enable the access of Themes, plugins and Widgets to the AJAX API.

In the lines below, which you should add to your .htaccess file, the IP access restriction lines are commented out, so you can decide which method to use (password protection or IP address restriction).

Via an .httpasswd file

# Establece una restricción a la carpeta wp-admin mediante un archivo .htpasswd o mediante restricción de IP.
#Opción 1. MEDIANTE UN ARCHIVO .HTTPASSWD
AuthName "Sin acceso"
AuthType Basic
AuthUserFile /home/jfougtnp/public_html/capeta_wrodpress/wp-admin/.htpasswd
AuthGroupFile /dev/null
require valid-user
# Permite a los archivos css, js, jpg, jpeg, gif y png de Themes, Widgets o plugins en acceso al archivo admin-ajax.php para poder ejecutar llamadas a la API Ajax de WordPress
<FilesMatch “\.(css|js|jpg|jpeg|gif|png)$”>
  Order Allow,Deny
  Allow from All
  Satisfy Any
</FilesMatch>
<Files admin-ajax.php>
  Order Allow,Deny
  Allow from All
  Satisfy Any
</Files>

Through IP access control

# Establece una restricción a la carpeta wp-admin mediante un archivo .htpasswd o mediante restricción de IP.
#Opción 2. MEDIANTE CONTROL DE ACCESO POR IPS
#Habilita el acceso a wp-admin desde una dirección IP concreta y deniega el acceso desde cualquier otra IP que no este en el listado
#Dejo estas líneas comentadas para que, en caso de no querer habilitarlas, no afecten al acceso
#order deny,allow
#allow from XXX.XXX.XXX.XXX (tu ip)
#allow from XXX.XXX.XXX.XXX (tu otra ip)
#deny from all
# <Files admin-ajax.php>
#  Order Allow,Deny
#  Allow from all
#  Satisfy Any
# </Files>

As I said at the beginning, this can also be done through plugins.

Two of them allow you to configure your WordPress .httacces file and limit certain aspects: WP .htaccess Editor is basically just that, an editor of the .htaccess file, with the only addition of allowing you to make a backup of the file.

Protect the wp-config file

Located in the root of our hosting, or in the folder where we install our WordPress, wp-config is one of the first files to be modified during installation and one of the most sensitive in terms of security.

This file contains the basic configuration of WordPress, namely four fundamental settings:

  • Those referring to the MySQL database, the real heart of our site.
  • The prefixes of the tables that make up our database (11 in a clean installation without plugins, 12 from WordPress 4.4 onwards).
  • The secret keys of our server, the famous Keys and Salts.
  • The absolute path to our installation, which is called ABSPATH.

Of these, the first three are critical and, taking into account that this file is stored and saves data in plain text without any kind of encryption, it is one of the priority targets for anyone who wants to gain malicious access, since, as you can see in the image below, the information it provides is quite exhaustive and profitable for someone with knowledge... and bad intentions.

Example of the wp-config file

About how to generate a new keys and salt and the table prefix, and how to change it if you already have your WordPress installed and we didn't do it at the beginning, I'll talk later. Now I'm going to focus on how to prevent this info from being available to the "friends of others".

As always, there are several ways to protect this file:

  • Protect it from the .httaccess file.
  • Assign read-only permissions to the wp-config file.
  • Change the location of the file.

Protect it from the .htaccess file.

The first and simplest option. By means of this rule inserted in the .htaccess file of the root or the folder where the WordPress installation is located, we disable access to all users. If at any time we need to modify something, it will be enough to enter and comment the lines, modify what we need and, once saved, remove the "#" from the comment in the rule.

# Deshabilita el acceso al archivo wp-config
<files wp-config.php>
    order allow,deny
    deny from all
</files>

Assign read-only permissions to the wp-config file.

By default, this file has a configuration of 644 permissions (read and write for the admin and read-only for the rest of the users, both logged in users who are not admin, as well as the rest of the world). It is advisable to change these permissions to 444 (read for everyone). If we need to modify it, we will do as before, change again these permissions to 644.

To modify the permissions, we must access the website via FTP and, once the file has been selected, go to the context menu and select the option "permissions" in Filezilla or "get info" in Coda (in other FTP clients the option will be quite similar). Once the window appears, we can modify the permissions, either from the available checks or by modifying the numbers.

wp-config permissions

Change the file location.

The last option to protect the wp-config file is to "remove" it from the WordPress installation path.

As I said at the beginning, this file is located in the root of our WordPress installation (html_public/web_name for example). We can move it to the root html_public. WordPress will detect it and it will work perfectly.

Limit Login Attemps

And finally, a highly recommended plugin, regardless of whether we restrict access to the wp-admin folder, Limit Login Attemps, which will allow us to configure the number of failed login attempts in our WordPress, blocking access with that user and also define the time in which that user will be disabled to retry the login.

Limit Login Attemps

Don't go yet

With this I leave you to think until the next article. We still have a few more steps to go, to wit:

  • Change the database prefix.
  • Schedule a backup system.
  • Disable the WordPress file editor.
  • Assign the appropriate permissions to the folders and files on our Web server.
  • Add HTTP security headers to our server.
  • Set keys and security jumps to strengthen cookies.
  • Make your WordPress not look like a WordPress, and not give clues.

I invite you to leave your impressions and/or doubts in the contact form and to suggest new topics that you would like me to cover in these tutorials. I will be happy to answer you by email and write in this blog.