WordPress Security: Complete 17 Step Guide
WordPress is the most popular CMS on the web and now powers over 26.5% of all websites
(http://w3techs.com/technologies/details/cm-wordpress/all/all). Holding such a large share of the market makes it a more attractive target: when a vulnerability is discovered, attackers can scan for it and exploit it across millions of sites at once, so your risk goes up with every disclosure. Follow our complete guide below on what you can do to harden your WordPress security and help prevent yourself from getting hacked or becoming a victim of the next brute-force attack.
WordPress Vulnerabilities
Where are you at risk the most when it comes to WordPress? According to WPScan (http://wpscan.org/), a black box WordPress vulnerability scanner, there have been 4,618 vulnerabilities (2,355 unique) reported to date. 52% of the vulnerabilities reported were in WordPress plugins, WordPress core accounts for 37% and WordPress themes for 11%. This is also confirmed by Wordfence findings, where they discovered that 55.9% of vulnerabilities came from plugins
(https://www.wordfence.com/blog/2016/03/attackers-gain-access-wordpress-sites/).
Source: https://www.keycdn.com/blog/wordpresssecurity/ (retrieved 22/11/2016)
What types of vulnerabilities are they? According to WPScan, 39% of WordPress vulnerabilities are cross-site scripting (XSS
(https://en.wikipedia.org/wiki/Cross-site_scripting)). Here is the breakdown of the rest in order:
SQLi: 15%
Upload: 11%
CSRF: 7%
Multi: 6%
Unknown: 6%
LFI: 3%
RCE: 3%
FPD: 2%
Auth bypass: 2%
RFI: 2%
Bypass: 2%
Redirect: < 1%
XXE: < 1%
DoS: < 1%
SSRF: < 1%
Of the WordPress core versions with the most reported vulnerabilities, 3.8.1 and 3.7.1 top the list. Old releases accumulate disclosures without receiving fixes, which is the strongest argument for staying on a current version.
Here are some recommended sites to stay on top of all of the WordPress security vulnerabilities.
WP Security Bloggers (http://www.wpsecuritybloggers.com/blog): an aggregate feed of over 15 security sources
WP Scan Vulnerability Database (https://wpvulndb.com/)
Sucuri WordPress Security Blog (https://blog.sucuri.net/category/wordpress-security)
CVE Details (http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/)
WordPress Security 2016
As you can see there are probably a lot more security vulnerabilities than you thought, and new ones are disclosed constantly, which means you are always at risk of being attacked. You can never prevent this 100% of the time; the best you can do is implement sound security practices that reduce both the chance of a compromise and its impact. Follow the recommendations below to harden your WordPress security.
(https://wordpress.org/). Since WordPress 3.7, minor and security releases are applied automatically in the background, while major releases show up in your dashboard where you can update with a single click. Apply the same discipline to plugins and themes, since they account for most of the vulnerabilities listed above.
It is also recommended to only use trusted WordPress plugins and themes. Get your plugins and themes from the WordPress repository or from well-known companies, and remove any you no longer use: an inactive plugin is still code sitting on your server that can be reached over the web. This will cause fewer problems for you in the future.
Always back up your website! If you maintain regular backups (http://codex.wordpress.org/WordPress_Backups), you can easily roll back and restore your website if you are attacked. Keep at least one copy off the server, since a backup that sits next to the site is lost or tampered with along with it. We also recommend running backups before you update your WordPress version and plugins. If you happen to be on a managed WordPress host, many of them now offer one-click staging areas which are perfect for testing updates before you touch your production site.
There are also many backup plugins available which you can use to back up your WordPress site and database. Here are some popular ones:
VaultPress (https://wordpress.org/plugins/vaultpress/)
UpdraftPlus Backup and Restoration (https://wordpress.org/plugins/updraftplus/)
blogVault (https://wordpress.org/plugins/blogvault-real-time-backup/)
BackWPup Free (https://wordpress.org/plugins/backwpup/)
"Around 8% of hacked WordPress websites are down to weak passwords." WP Template
(http://www.wptemplate.com/features/safetyandsecurityofwordpressbloginfographic.html)
We recommend using a free program like KeePass (http://keepass.info/) or KeePassX (https://www.keepassx.org/) which allow you to
generate secure passwords and store them in a database locally on your computer.
[Image: enabling Google Authenticator two-factor authentication in the WordPress user profile]
Your login page will then have an additional field for your Google Authenticator code.
[Image: the WordPress login form with the two-factor code field]
Here are some additional plugins that feature two-factor auth.
Clef Two-Factor Authentication (https://wordpress.org/plugins/wpclef/)
Wordfence Security (https://wordpress.org/plugins/wordfence/)
Two-Factor Authentication (Google Authenticator) (https://wordpress.org/plugins/miniorange-2-factor-authentication/)
Simple Security Firewall (https://wordpress.org/plugins/wp-simple-firewall/)
There are a lot of good WordPress security plugins which will lock down your site and help protect you from brute-force attacks. These plugins allow you to block malicious networks, view WHOIS reports on visitors, rate limit or block security threats, enforce strong passwords, scan for vulnerabilities, see which files have changed, implement a firewall to block common security threats, monitor DNS changes, view real-time traffic and much more. Bear in mind that a plugin-level firewall only runs once PHP has started handling the request, so rules enforced by the web server or a CDN (such as the user agent blocks below) stop unwanted traffic earlier and at lower cost.
To block known bad bots by user agent at the web server, add the following to your .htaccess file (Apache, mod_rewrite):
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} "^.*(agent1|Wget|Catall Spider).*$" [NC]
RewriteRule .* - [F,L]
Or, using mod_setenvif together with mod_authz_host (Apache 2.2 syntax; on Apache 2.4 use Require instead of Order/Allow/Deny):
BrowserMatchNoCase "agent1" bots
BrowserMatchNoCase "Wget" bots
BrowserMatchNoCase "Catall Spider" bots
Order Allow,Deny
Allow from ALL
Deny from env=bots
On nginx, the equivalent goes in the server block (~* makes the match case-insensitive, like [NC] above):
if ($http_user_agent ~* "(agent1|Wget|Catall Spider)") {
    return 403;
}
Replace agent1 with the user agents you actually see in your logs. A user agent string is attacker-controlled and trivially changed, so treat this as a cheap filter for unsophisticated scrapers rather than as a security boundary.
KeyCDN also now has a feature which you can enable to block bad bots (https://www.keycdn.com/blog/block-bad-bots/) on the CDN side
to save money on bandwidth.
Note: Some FTP clients store passwords encoded or in plain text on your computer, and even encoded passwords can often be converted back to the original. Prefer SFTP (or FTPS) over plain FTP, which sends your username and password across the network in cleartext. We recommend not saving passwords in the client, or setting up what some call a master password
(https://winscp.net/eng/docs/master_password).
It is also important to make sure your firewall rules (http://www.techworld.com/tutorial/security/home-router-security-2015-9-settingsthat-will-keep-bad-guys-out-3609122/) are set up properly on your home router. And remember, whenever you work from a public place like an internet cafe or Starbucks, these are not trusted networks, so only connect to your site over encrypted channels (HTTPS, SFTP/SSH).
Your web host where your website resides should also be running secured hosting. This means they should be running up to date and supported versions of PHP and MySQL, account isolation (so that a compromise of another customer's site on the same server cannot reach your files), web application firewalls, etc. Be careful with cheap shared hosts, as you can run into issues if they are overcrowding servers and sharing IPs.
To set the recommended permissions recursively over your install (664 for files, 775 for directories) and hand the tree to the web server's group, run the following over SSH, adjusting the path and the group name (www-data on Debian/Ubuntu) for your host:
find /path/to/site/ -type f -exec chmod 664 {} \;
find /path/to/site/ -type d -exec chmod 775 {} \;
chgrp -R www-data /path/to/site/
Tighten wp-config.php further (440 or 400), since it holds your database credentials, and never leave anything world-writable (777) on a shared host, where any other account on the server could then modify your files. Note that group-writable files owned by the web server group let WordPress update itself, but also let a compromised plugin rewrite your code; if you deploy over SSH/SFTP as your own user, 644/755 with files owned by that user is the stricter choice.
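The three commands above apply one mode to every file and another to every directory, but they give you no report of what was wrong. As an added example (not code from the KeyCDN post), the Python script below audits a WordPress tree against those modes, reports anything world-writable first, and treats wp-config.php separately with the tighter 440 mode mentioned above; fix_tree then applies the same changes the find and chgrp commands do. The sample tree is constructed in a temporary directory so the script runs offline; the 440 target for wp-config.php and the optional group name are assumptions to adjust for your host.

```python
import os
import shutil
import stat
import tempfile

# Target modes from the find/chmod commands above, plus a tighter mode for
# wp-config.php (assumption: 440, since it holds the database credentials).
FILE_MODE = 0o664
DIR_MODE = 0o775
CONFIG_MODE = 0o440
CONFIG_NAME = "wp-config.php"


def _mode(path):
    """Permission bits of path (symlinks are not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def _entries(root):
    """Yield (path, name, is_dir) for every non-symlink entry below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                yield full, name, True
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                yield full, name, False


def _deviation(name, mode, is_dir):
    """Reason string if (name, mode) violates the policy, else None.
    World-writable entries get their own reason: on a shared host every
    other account can modify them, so they matter more than a 755 vs 775 nit."""
    if is_dir:
        if mode & stat.S_IWOTH:
            return "world-writable directory"
        return None if mode == DIR_MODE else "directory not %o" % DIR_MODE
    if name == CONFIG_NAME:
        return None if mode == CONFIG_MODE else "%s not %o" % (CONFIG_NAME, CONFIG_MODE)
    if mode & stat.S_IWOTH:
        return "world-writable file"
    return None if mode == FILE_MODE else "file not %o" % FILE_MODE


def audit_tree(root):
    """Return sorted (relative_path, octal_mode, reason) tuples for every
    entry below root whose mode deviates from the policy."""
    findings = []
    for full, name, is_dir in _entries(root):
        mode = _mode(full)
        reason = _deviation(name, mode, is_dir)
        if reason:
            findings.append((os.path.relpath(full, root), oct(mode), reason))
    return sorted(findings)


def fix_tree(root, group=None):
    """Apply 664/775, tighten wp-config.php, and optionally hand the tree to
    the web server group (the chgrp -R step). Returns how many modes changed."""
    changed = 0
    for full, name, is_dir in _entries(root):
        target = DIR_MODE if is_dir else (CONFIG_MODE if name == CONFIG_NAME else FILE_MODE)
        if _mode(full) != target:
            os.chmod(full, target)
            changed += 1
        if group is not None:
            shutil.chown(full, group=group)
    return changed


def build_sample_tree():
    """Constructed WordPress-like tree with two deliberate problems:
    a world-writable wp-config.php and a world-writable uploads directory."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel, mode, body in (
        ("index.php", FILE_MODE, "<?php require 'wp-blog-header.php';"),
        ("wp-config.php", 0o666, "<?php define('DB_PASSWORD', 'example-only');"),
        ("wp-content/uploads/photo.jpg", FILE_MODE, "not-really-a-jpeg"),
    ):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for rel, mode, reason in audit_tree(site):
        print("%-30s %s  %s" % (rel, mode, reason))
    print("fixed %d entries" % fix_tree(site))
    print("remaining findings:", audit_tree(site))
    shutil.rmtree(site)
```

Run it against a real install with audit_tree("/path/to/site") first and only call fix_tree once the report matches what you expect; pass group="www-data" (or your host's web server group) to reproduce the chgrp step.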
8. Database Security
Not only do you need to check permissions on your files, but there are also things you can do to harden the security of your WordPress database. The first thing we recommend is using a different table prefix. By default WordPress uses wp_. If you change this to something like x3sdf_, automated attacks and injection payloads that hard-code the wp_users and wp_options names fail, although an attacker who has gained SQL access can still look the real names up in information_schema, so treat it as a minor obstacle rather than a control.
You can change your table prefix on the setup screen when you are installing WordPress.
If you already have WordPress installed, you can use one of the popular WordPress plugins below to change the prefix, or change the database prefix via phpMyAdmin (http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prex-to-improvesecurity/). Take a backup first: the rename touches every table as well as the prefixed option and user meta keys.
Sucuri Security (https://wordpress.org/plugins/sucuri-scanner/)
iThemes Security (https://wordpress.org/plugins/better-wp-security/)
Change DB Prefix (https://wordpress.org/plugins/db-prex-change/)
The second recommendation would be to change your database name (https://premium.wpmudev.org/blog/change-database-name/) to make it harder to guess. More important than either of these is the database account: give WordPress its own MySQL user with a strong password and privileges on its own database only, never a shared or root account.
And if you are using admin as your username, which you shouldn't be, don't be surprised to see a very high number! What can you do? Well, there are a couple of things. One is that many of the security plugins allow you to limit the login attempts allowed in their configuration pages.
The second thing you could do is actually change your login URL. There is a great little free WordPress plugin called WPS Hide Login (https://wordpress.org/plugins/wps-hide-login/) which will do just that. Feel free to get creative and make your login URL something hard to guess. You will instantly see the number of login attempts drop dramatically after doing this. Keep in mind that this is obscurity rather than a hard control, and that it does nothing about login attempts sent through xmlrpc.php, so pair it with rate limiting and with the XML-RPC restrictions covered further down.
Using the security plugins you can also limit access to your login URL by restricting it to an IP address in your .htaccess file, or even password protect your login page (http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admindirectory/).
To block web access to wp-config.php on Apache, add this to the .htaccess file in your site root (Apache 2.2 syntax; on Apache 2.4 the equivalent inside the Files block is the Require all denied directive):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
2. You can also move your wp-config.php file to a directory that is not reachable over the web. Some have argued about the benefits of this, but here is a good explanation (http://wordpress.stackexchange.com/questions/58391/is-moving-wp-cong-outside-the-web-root-reallybenecial/74972#74972). WordPress itself looks one directory above the install for wp-config.php, so if the directory above your document root is outside the web root you can simply move the file there and nothing else needs to change.
If you want it somewhere else, copy everything out of wp-config.php into a different file and replace the contents of wp-config.php with the following snippet, which simply includes the other file. Note: the directory path will differ based on your web host and setup, and the included file must not be readable by other accounts on the server.
<?php
include('/home/yourname/config.php');
3. WordPress security keys and salts are used to sign and hash the information stored in users' cookies. By default these are generated randomly for each WordPress install. But if your WP site has gone through a couple of migrations or changed hands, it is good to regenerate fresh keys: anyone who kept a copy of the old wp-config.php (a previous owner, an old backup) still knows them. WordPress provides a Salt Key Generator (https://api.wordpress.org/secret-key/1.1/salt/) which you can use to obtain a fresh random set of keys. Changing them logs every user out, which is exactly what you want after a compromise.
[Image: the eight AUTH_KEY to NONCE_SALT defines in wp-config.php]
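Fetching keys from api.wordpress.org works, but an editor of wp-config.php also wants to know whether the keys already in the file are any good. As an added example (not code from the KeyCDN post), the Python script below parses the eight defines out of a wp-config.php, flags placeholders from wp-config-sample.php, keys shorter than the 64 characters the wordpress.org generator emits, and values reused between keys, and regenerates all eight locally from the operating system's CSPRNG via the secrets module. The sample wp-config.php text is constructed for the demo; the character set is an assumption chosen to be safe inside a single-quoted PHP string.

```python
import re
import secrets

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LENGTH = 64                              # length the wordpress.org generator emits
# Assumption: alphanumerics plus punctuation that needs no escaping inside a
# single-quoted PHP string (no quote, no backslash, no space).
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_[]{}<>~+=,.;:/?|")
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>%s)'\s*,\s*'(?P<value>[^']*)'\s*\);" % "|".join(KEY_NAMES))


def parse_keys(config_text):
    """Map each security key/salt name found in wp-config.php to its value."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def check_keys(config_text):
    """List problems: a key that is missing, still the sample placeholder,
    shorter than the generator's 64 characters, or reused for another key."""
    keys = parse_keys(config_text)
    problems = []
    for name in KEY_NAMES:
        value = keys.get(name)
        if value is None:
            problems.append("%s: missing" % name)
        elif value == PLACEHOLDER:
            problems.append("%s: default placeholder" % name)
        elif len(value) < MIN_LENGTH:
            problems.append("%s: only %d chars" % (name, len(value)))
    seen = {}
    for name in KEY_NAMES:
        value = keys.get(name)
        if value and value != PLACEHOLDER:
            if value in seen:
                problems.append("%s: same value as %s" % (name, seen[value]))
            else:
                seen[value] = name
    return problems


def generate_key(length=MIN_LENGTH):
    """One key from the OS CSPRNG, the local equivalent of the salt service."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def regenerate_keys(config_text):
    """Return config_text with all eight keys replaced by fresh random values;
    defines that were missing are appended. Every logged-in session becomes
    invalid once the new file is in place."""
    fresh = {name: generate_key() for name in KEY_NAMES}

    def _swap(match):
        return "define('%s', '%s');" % (match.group("name"), fresh[match.group("name")])

    new_text = DEFINE_RE.sub(_swap, config_text)
    present = parse_keys(new_text)
    for name in KEY_NAMES:
        if name not in present:
            new_text += "\ndefine('%s', '%s');" % (name, fresh[name])
    return new_text


# Constructed wp-config.php excerpt: placeholders, one short key, one value
# reused for two keys, and NONCE_SALT missing altogether.
REUSED = "reused-value-" * 5   # 65 chars: long enough, but used twice below
SAMPLE_CONFIG = (
    "<?php\n"
    "define('DB_NAME', 'wordpress');\n"
    "define('AUTH_KEY',         'put your unique phrase here');\n"
    "define('SECURE_AUTH_KEY',  'put your unique phrase here');\n"
    "define('LOGGED_IN_KEY',    'short');\n"
    "define('NONCE_KEY',        '" + REUSED + "');\n"
    "define('AUTH_SALT',        '" + REUSED + "');\n"
    "define('SECURE_AUTH_SALT', 'put your unique phrase here');\n"
    "define('LOGGED_IN_SALT',   'put your unique phrase here');\n"
    "$table_prefix = 'wp_';\n")

if __name__ == "__main__":
    for problem in check_keys(SAMPLE_CONFIG):
        print("problem:", problem)
    fixed = regenerate_keys(SAMPLE_CONFIG)
    print(fixed)
    print("problems after regeneration:", check_keys(fixed))
```

To apply it to a real file, read wp-config.php into a string, write regenerate_keys() output to a new file, diff the two so only the eight defines changed, and then swap the files in place.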
You can also block direct web access to the include-only files under wp-admin/includes and wp-includes, which are meant to be loaded by WordPress and never requested by a browser. For Apache, add this to .htaccess above the WordPress rewrite rules:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
The nginx equivalent:
location ~* wp-admin/includes { deny all; }
location ~* wp-includes/theme-compat/ { deny all; }
location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
location /wp-includes/ { internal; }
Two caveats: on a Multisite install the rule against wp-includes/*.php also blocks ms-files.php, which serves uploaded media, and the nginx internal directive on /wp-includes/ refuses every outside request under that path, including the JavaScript and CSS the front end loads from wp-includes/js and wp-includes/css. After applying either set, load a page with the browser console open and confirm that nothing under wp-includes comes back as 403 or 404.
We wrote a guide on how to migrate from HTTP to HTTPS (https://www.keycdn.com/blog/http-to-https/). Once you are running on HTTPS it is recommended to force it for the dashboard and login page by adding the following to your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
This covers wp-admin and wp-login.php; the front end follows the WordPress Address and Site Address settings, so set those to https:// as well and add a redirect at the web server for any remaining http:// requests.
With the SEO advantages of HTTPS and the performance benefits of HTTP/2 (https://www.keycdn.com/support/http2/), there is no reason not to be using a TLS (SSL) certificate. And with the Let's Encrypt project moving forward, web hosts and CDNs are already starting to offer free certificates.
To block xmlrpc.php on Apache, add this to .htaccess (Apache 2.2 syntax; the allow line whitelists a single address and can be dropped to block everything):
## block any attempted XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
The nginx equivalent:
## block any attempted XML-RPC requests
location = /xmlrpc.php {
    deny all;
}
Note that Jetpack, the WordPress mobile apps and some remote publishing tools talk to your site through xmlrpc.php, so blocking it outright breaks them; if you need it, leave it reachable only from the addresses those services use and rate limit it. You can test whether XML-RPC is successfully blocked by running it through the WordPress XML-RPC validation service
(http://xmlrpc.eritreo.it/), or simply by requesting /xmlrpc.php yourself and checking for a 403.
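Both the login lockdown discussed earlier and the XML-RPC block above shrink the attack surface, but you still want to see the attempts in your web server logs, not least because a brute force that eventually returns a 302 is a login that worked. As an added example (not code from the KeyCDN post), the Python script below reads access log lines in the Apache/nginx combined format and flags IPs that hammer wp-login.php or xmlrpc.php inside a sliding window; a failed WordPress login is a POST to wp-login.php answered with 200 (the form is re-rendered with an error), a successful one redirects with 302. The log lines are constructed for the demo using documentation IP ranges, and the five-minute window and thresholds are assumptions to tune for your traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # ignore the query string
    return rec


def _max_in_window(times, window):
    """Largest number of events inside any span of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_attackers(lines, window=timedelta(minutes=5),
                   login_threshold=10, xmlrpc_threshold=20):
    """Return {ip: [reasons]} for IPs that brute-force wp-login.php or
    flood xmlrpc.php. A 302 from an IP that already crossed the failure
    threshold is the event to page on: the guessing may have succeeded."""
    failed, succeeded, xmlrpc = defaultdict(list), defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].endswith("/wp-login.php"):
            if rec["status"] == 200:
                failed[rec["ip"]].append(rec["ts"])
            elif rec["status"] == 302:
                succeeded[rec["ip"]].append(rec["ts"])
        elif rec["path"].endswith("/xmlrpc.php"):
            xmlrpc[rec["ip"]].append(rec["ts"])
    findings = defaultdict(list)
    minutes = int(window.total_seconds() // 60)
    for ip, times in failed.items():
        n = _max_in_window(times, window)
        if n >= login_threshold:
            findings[ip].append("%d failed logins to wp-login.php within %d min" % (n, minutes))
            if any(s > max(times) for s in succeeded.get(ip, [])):
                findings[ip].append("successful login (302) after the failures")
    for ip, times in xmlrpc.items():
        n = _max_in_window(times, window)
        if n >= xmlrpc_threshold:
            findings[ip].append("%d POSTs to xmlrpc.php within %d min" % (n, minutes))
    return dict(findings)


def _line(ip, ts, method, path, status):
    """One constructed combined-format line (documentation IPs, fake UA)."""
    return '%s - - [%s] "%s %s HTTP/1.1" %d 1024 "-" "Mozilla/5.0 (example)"' % (
        ip, ts.strftime(TS_FORMAT), method, path, status)


T0 = datetime(2016, 11, 22, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # a legitimate editor: views the form, logs in once
    [_line("192.0.2.4", T0, "GET", "/wp-login.php", 200),
     _line("192.0.2.4", T0 + timedelta(seconds=20), "POST", "/wp-login.php", 302)]
    # password guessing: 12 failures five seconds apart, then a success
    + [_line("198.51.100.7", T0 + timedelta(seconds=5 * i), "POST", "/wp-login.php", 200)
       for i in range(12)]
    + [_line("198.51.100.7", T0 + timedelta(seconds=70), "POST", "/wp-login.php", 302)]
    # xmlrpc.php flood (system.multicall login guessing or pingback abuse)
    + [_line("203.0.113.9", T0 + timedelta(seconds=i), "POST", "/xmlrpc.php", 200)
       for i in range(25)]
    + ["this line is not in combined format and is skipped"])

if __name__ == "__main__":
    for ip, reasons in find_attackers(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

On a real server pass the open log file directly, for example find_attackers(open("/var/log/nginx/access.log")), and feed the resulting IPs to your firewall or fail2ban jail; the "successful login after the failures" reason is the one that should trigger a password reset for the account involved.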
add_filter('json_enabled', '__return_false');
add_filter('json_jsonp_enabled', '__return_false');
Alternatively you can also download and install the free Disable JSON API (https://wordpress.org/plugins/disable-json-api/) plugin if you aren't comfortable with editing your code. Note: the plugin only uses the filters built into the official WordPress REST API meant for disabling its functionality. So long as your other REST API does not also use those filters to allow itself to be disabled (and it shouldn't), you should be safe. These two filters come from the first version of the WP REST API plugin; the REST API that ships with WordPress core (4.7 and later) does not honour them, so on a current install restrict access with the rest_authentication_errors filter instead, for example by returning a WP_Error for requests that are not logged in.
To disable the theme and plugin file editor built into the dashboard (which lets anyone holding an administrator session write PHP straight to your server), add the following snippet to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
[Image: HTTP security headers returned by a WordPress site]
Content-Security-Policy (https://www.keycdn.com/support/content-security-policy/)
X-XSS-Protection (https://www.keycdn.com/blog/http-security-headers/)
Strict-Transport-Security (https://www.keycdn.com/support/http-strict-transport-security/)
X-Frame-Options (https://www.keycdn.com/blog/http-security-headers/)
Public-Key-Pins (https://scotthelme.co.uk/hpkp-http-public-key-pinning/)
X-Content-Type-Options (https://www.keycdn.com/blog/http-security-headers/)
Make sure to check out our in-depth post on HTTP security headers (https://www.keycdn.com/blog/http-security-headers/). Two of these have since been retired: Public-Key-Pins (HPKP) has been deprecated and removed from major browsers, and a mistake in it can lock visitors out of your site for the pin lifetime, so do not deploy it; most current browsers have also dropped X-XSS-Protection in favour of Content-Security-Policy.
[Image: the WordPress version number in the generator meta tag]
WPBeginner (http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/) came up with a good solution. Simply add this to your theme's functions.php file:
function wpversion_remove_version() {
    return '';
}
add_filter('the_generator', 'wpversion_remove_version');
This removes the generator tag from the HTML head and the feeds. The version still shows in the ?ver= query string appended to core scripts and stylesheets, and in readme.html, so hiding it is a small speed bump rather than a defence: keeping core updated is what actually matters. Also, you need to delete the readme.html file located in the root of your WordPress install, because it also contains the WordPress version, and repeat that after every core update, which puts the file back.
[Image: readme.html in the root of the WordPress install]
Simply log in via SFTP and delete it:
domain.com/readme.html
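Several of the steps above change what your site returns to an anonymous visitor (readme.html, wp-config.php, xmlrpc.php, the include-only files, the login URL, the generator tag, the security headers), so the natural final check is to request those paths and look at the answers. As an added example (not code from the KeyCDN post), the Python script below does that: evaluate() judges a map of already-fetched responses, so it runs offline against the two constructed sample sites included here, and probe() fetches the same paths from a live site with urllib. The checked paths, the expected status codes and the "before" and "after" responses are assumptions built from the recommendations on this page; run probe() only against sites you are authorised to test.

```python
import re
import urllib.error
import urllib.request

SECURITY_HEADERS = ("strict-transport-security", "x-frame-options", "x-content-type-options")
GENERATOR_RE = re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress', re.I)

# (path, finding reported when the predicate holds). The predicate receives
# (status, lower-cased header dict, body) for that path.
CHECKS = (
    ("/readme.html", "readme.html is reachable and leaks the core version",
     lambda s, h, b: s == 200),
    ("/wp-config.php", "wp-config.php source is served (database credentials exposed)",
     lambda s, h, b: "DB_PASSWORD" in b),
    ("/xmlrpc.php", "xmlrpc.php answers requests",
     lambda s, h, b: s not in (403, 404)),
    ("/wp-includes/theme-compat/comments.php", "include-only file under wp-includes is executable",
     lambda s, h, b: s == 200),
    ("/wp-login.php", "default login URL is reachable (rate limit, IP-restrict or hide it)",
     lambda s, h, b: s == 200),
    ("/", "generator meta tag reveals the WordPress version",
     lambda s, h, b: GENERATOR_RE.search(b) is not None),
)


def evaluate(responses):
    """Return findings for a {path: (status, headers, body)} map.
    Paths that were not fetched are skipped rather than reported."""
    findings = []
    for path, reason, predicate in CHECKS:
        if path in responses:
            status, headers, body = responses[path]
            lowered = {k.lower(): v for k, v in headers.items()}
            if predicate(status, lowered, body):
                findings.append("%s: %s" % (path, reason))
    if "/" in responses:
        present = {k.lower() for k in responses["/"][1]}
        missing = [h for h in SECURITY_HEADERS if h not in present]
        if missing:
            findings.append("/: missing security headers: " + ", ".join(missing))
    return findings


def probe(base_url, timeout=10):
    """Fetch every checked path from a live site and return the map evaluate()
    expects. Error statuses are kept, not raised, since a 403 is the good case."""
    responses = {}
    for path in sorted({c[0] for c in CHECKS}):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "wp-hardening-check/1.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                responses[path] = (resp.status, dict(resp.headers.items()),
                                   resp.read(65536).decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            responses[path] = (err.code, dict(err.headers.items()),
                               err.read(65536).decode("utf-8", "replace"))
    return responses


# Constructed responses from a stock install: PHP runs wp-config.php (empty
# 200, nothing leaked), a GET to xmlrpc.php gets the usual 405, the rest is open.
UNHARDENED = {
    "/": (200, {"Content-Type": "text/html"},
          '<html><head><meta name="generator" content="WordPress 4.6.1" /></head></html>'),
    "/readme.html": (200, {"Content-Type": "text/html"}, "<html>Welcome. Version 4.6.1</html>"),
    "/wp-config.php": (200, {"Content-Type": "text/html"}, ""),
    "/xmlrpc.php": (405, {}, "XML-RPC server accepts POST requests only."),
    "/wp-includes/theme-compat/comments.php": (200, {}, ""),
    "/wp-login.php": (200, {}, '<form name="loginform">'),
}
# Constructed responses after applying the steps on this page.
HARDENED = {
    "/": (200, {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000",
                "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff"},
          "<html><head><title>Blog</title></head></html>"),
    "/readme.html": (403, {}, "Forbidden"),
    "/wp-config.php": (403, {}, "Forbidden"),
    "/xmlrpc.php": (403, {}, "Forbidden"),
    "/wp-includes/theme-compat/comments.php": (403, {}, "Forbidden"),
    "/wp-login.php": (404, {}, "Not Found"),   # login moved to a hidden URL
}

if __name__ == "__main__":
    for finding in evaluate(UNHARDENED):
        print("before:", finding)
    print("after:", evaluate(HARDENED) or "no findings")
```

Against a live site, evaluate(probe("https://example.com")) gives the same list; expect the wp-login.php finding to remain if you chose rate limiting over a hidden login URL, which is a deliberate trade-off rather than a failure.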
Summary
As you can see there are many ways you can harden your WordPress security: keeping WordPress and plugins up to date, being smart with usernames and passwords, using security plugins, secure connections, database security tricks, locking down your WordPress login page, securing your wp-config.php file, using a TLS certificate and more. Many of these recommendations can be implemented within a matter of minutes, and you can rest a little easier knowing your WordPress site is more secure from intruders and hackers.
Have any other good WordPress security tips that you think we missed? If so, let us know below in the comments!
Related Articles
Complete Guide: How to Migrate from HTTP to HTTPS (https://www.keycdn.com/blog/http-to-https/)
Complete Guide: How to Speed Up WordPress (https://www.keycdn.com/blog/speed-up-wordpress/)
10 Comments
LiewCF, 4 months ago:
Thanks for the WP plugin recommendations. WP fail2ban + WPS Hide Login make a good security combo!
Brian Jackson (reply to LiewCF), 4 months ago:
Definitely agree, that is a great combo.
Et Veritas Liberabit Vos, a month ago:
To hide the WP version there is also:
remove_action('wp_head', 'wp_generator');
Et Veritas Liberabit Vos, a month ago:
Thanks for the post. About readme.html: maybe it is better to hide it like xmlrpc.php, because after an upgrade I suppose it is added again.
<Files readme.html>
Order allow,deny
Deny from all
</Files>
Tyrohn White, 3 months ago:
An article with good infographics which explained every detail. Keep posting articles to spread more information about WordPress.
Lucy Barret, 3 months ago:
Security of your WordPress website is the prime concern for every site or blog owner. Such articles help a great deal for those who are new to WordPress.
Vlada Smitka, 4 months ago:
I have just translated my slides about WP security from WordCamp Prague 2016, hope it can be helpful: http://www.slideshare.net/vsmi...
Kaspar Lavik, 5 months ago:
Outstanding post! Thanks for sharing your great experience through these effective and helpful tips.
Tony Perez, 5 months ago:
Nice article @BrianJackson
Thanks for referencing Sucuri. Because you reference stats, I thought you might also want to take a look at our Q1 Trend report: https://sucuri.net/websitesec... It might provide better insights into the impacts vulnerabilities are having in the community.
Also, as I'm sure you know, not all vulnerabilities are equal. So saying there have been a lot of vulnerabilities would be seen differently if differentiating between low and high level issues. XSS is a perfect example of that: half of those disclosures are low severity issues and not exploitable at scale. Food for thought.. :)
Thanks for the share, and nice to see KeyCDN sharing these insights.
Tony
charles, 5 months ago:
Hello, this is a very good post on security.
I especially like the part on moving wp-config files; however, it seems that I have encountered some problem getting it to work as per the above stated settings and methods:
"To move your wp-config.php file simply copy everything out of it into a different file. Then in your wp-config.php file you can place the following snippet to simply include your other file. Note: the directory path will differ based on your web host and setup."