Security Blog
Posted By Gregory

Turn your WordPress into Fort Knox

How to turn WordPress into a protected fortress like Fort Knox


This article assumes that we want to create a bulletproof protected website powered by WordPress. It is not necessary to follow all these steps word for word, point by point, exactly as described, but I do recommend it if you want to build your own Fort Knox.

Some of the following steps might cause incompatibility issues with some odd plugins that try to modify files directly in the WordPress folders. I recommend avoiding plugins of that kind, because using them may lead to a lot of problems and security issues, either immediately or in the future, once hackers have studied the holes in the plugins or theme installed on your site. I’ve written this article in the hope that it will be useful, but without any warranty.

Note: this article is not applicable if you are using shared hosting; you can’t build a highly protected website on shared hosting. You need, at least, a VPS-hosted site.

Requirements: root access to the Linux server. If you don’t have shell access with root privileges you can’t do anything useful to create a truly protected site. There is no way, and no plugin, that can protect the site and the files in the WordPress directories at the PRO level. All security plugins work with the same level of privileges (permissions) as hackers and bots. No exception. If a security plugin makes changes to the files of your website to protect them, any hacker or malicious code can UNDO those changes.

Here are some important points about my approach:

  • All code files (PHP code) and all .htaccess files must be write-protected. No exception.
  • We need to change all defaults (folders, cookies, login path, any other landmarks) to different values.
  • We must not use plugins or themes that operate on, and try to change, PHP or .htaccess files in the WordPress folders.

Step one. Installing WordPress

Never use the default wp_ table prefix. Use two or three letters instead. Some WordPress-specific attacks and attackers assume that the table_prefix is wp_. Changing the prefix helps to block some SQL injection attacks.

Step two. Hardening site at the WordPress core level

  1. Move the uploads folder up one level, from inside the /wp-content/ folder to the root of your WordPress installation folder.
  2. Rename the uploads folder to media (or something similar, whatever you want).
  3. Rename the wp-content folder to content (or something similar, whatever you want).
  4. Rename the plugins folder to mod (or something similar, whatever you want).
  5. Add the following lines to the beginning of the wp-config.php file; don’t forget to change media, content and mod to the actual values you have selected.
    define('AUTOMATIC_UPDATER_DISABLED', true ); // yes, it's safe to do it manually
    define('DISALLOW_FILE_EDIT', true ); // never allow anyone to touch your files from the admin area
    define('DISALLOW_FILE_MODS', true ); // yes, it's safe to do it manually
    define('FS_METHOD', 'direct'); // no FTP of course
    define('WP_HTTP_BLOCK_EXTERNAL', true ); // block outbound HTTP requests made by WordPress
    define('UPLOADS', 'media' ); // we renamed uploads and moved it one level up
    define('WP_CONTENT_DIR', '/path/to/wordpress/dir/content'); // no host name, no trailing slash
    define('WP_CONTENT_URL', 'http://example.com/content');
    define('WP_PLUGIN_DIR', '/path/to/wordpress/dir/content/mod'); // no host name, no trailing slash
    define('WP_PLUGIN_URL', 'http://example.com/content/mod');
    ini_set('display_errors', 0); // turn off display of PHP errors on the front-end

Step three. Change the default cookie names.

Add these lines to the beginning of the wp-config.php file.

define('USER_COOKIE', 'my_user_cookie' ); // change it to something different
define('PASS_COOKIE', 'my_pass_cookie' ); // change it to something different
define('AUTH_COOKIE', 'my_auth_cookie' ); // change it to something different
define('SECURE_AUTH_COOKIE', 'my_sec_cookie' ); // change it to something different
define('LOGGED_IN_COOKIE', 'my_logged_cookie' ); // change it to something different
define('TEST_COOKIE', 'my_test_cookie' ); // change it to something different

Step four. Install a security plugin immediately after WordPress has been installed

Protect your login page with WP Cerber Security. Even with the protection steps above, hackers will keep trying brute force attacks (login attempts) to crack the door of your WordPress website. Hide and close the door with WP Cerber.

Step five. Hardening site at the OS level.

In this step I assume that you are using a server with Apache as the HTTP server. We need to change the owner of all WordPress files, including plugins and themes. By default this user is apache. We need to change it to another user that you have created beforehand for this purpose. Let’s say this user is cerber.

  1. Put an .htaccess file in the media folder (your new uploads folder) with the following directive in it. That prevents the website from executing uploaded malicious PHP code.
    php_flag engine off

    Note: the Apache configuration file has to contain an AllowOverride Options directive for your uploads folder, or any of its parent folders, for this directive to work.

  2. For the entire website directory (/path/to/wordpress/dir) change the owner and permissions of all files. To do that, execute the following commands in the shell.
    find /path/to/wordpress/dir -exec chown cerber:root {} +
    find /path/to/wordpress/dir -type d -exec chmod 755 {} +
    find /path/to/wordpress/dir -type f -exec chmod 644 {} +
  3. For the uploads directory (/path/to/wordpress/dir/media) we need special permissions. Execute the following commands in the shell.
    find /path/to/wordpress/dir/media -exec chown cerber:apache {} +
    find /path/to/wordpress/dir/media -type d -exec chmod 775 {} +
    find /path/to/wordpress/dir/media -type f -exec chmod 664 {} +
  4. Set up the permalink structure in the WordPress Settings and then change the permissions of the .htaccess file to write-protect it.
    chown cerber:root /path/to/wordpress/dir/.htaccess
    chmod 644 /path/to/wordpress/dir/.htaccess
  5. Move the wp-config.php file to the directory above your WordPress installation directory.
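As an added example (not code from the article), the following POSIX shell functions apply the Step five ownership and permission scheme in one go and then audit the tree for PHP or .htaccess files the web server could still write to, which is the rule this whole approach rests on. The names cerber, apache and media are the article's; the function names are my own, and the harden function must run as root.

```shell
# Added example, not part of the article. Assumed arguments: $root = /path/to/wordpress/dir,
# $media = its uploads folder, owner "cerber", web server user "apache".

# Requires root. Code and .htaccess files end up 644 and owned by a non-web user, so the
# web server (and anything it executes) cannot modify them; only the uploads tree is
# group-writable for the web server user.
wp_harden_perms() {
  root="$1"; media="$2"; owner="$3"; webuser="$4"
  find "$root" -exec chown "$owner:root" {} +
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  find "$media" -exec chown "$owner:$webuser" {} +
  find "$media" -type d -exec chmod 775 {} +
  find "$media" -type f -exec chmod 664 {} +
  # Disable PHP execution inside uploads. php_flag is honoured only by mod_php;
  # with PHP-FPM a deny rule for *.php in the server config is needed instead.
  printf 'php_flag engine off\n' > "$media/.htaccess"
  chown "$owner:root" "$media/.htaccess"
  chmod 644 "$media/.htaccess"
}

# Audit: print every PHP or .htaccess file under $1 that is group- or world-writable,
# or owned by the web server user $2 (that check is added only if the account exists
# on this host). Empty output means the "all code files write-protected" rule holds.
wp_audit_writable() {
  root="$1"; webuser="$2"
  userexpr=""
  if id "$webuser" >/dev/null 2>&1; then
    userexpr="-o -user $webuser"
  fi
  # $userexpr is left unquoted on purpose so it splits into find arguments
  find "$root" -type f \( -name '*.php' -o -name '.htaccess' \) \
    \( -perm -020 -o -perm -002 $userexpr \)
}

# Returns 0 when the uploads folder's .htaccess switches the PHP engine off, 1 otherwise.
wp_check_upload_htaccess() {
  grep -qi '^[[:space:]]*php_flag[[:space:]]*engine[[:space:]]*off' "$1/.htaccess" 2>/dev/null
}

# Usage (as root):
#   wp_harden_perms /path/to/wordpress/dir /path/to/wordpress/dir/media cerber apache
#   wp_audit_writable /path/to/wordpress/dir apache
#   wp_check_upload_htaccess /path/to/wordpress/dir/media && echo "uploads: PHP engine off"
```

Run the audit again after every plugin or theme update, since updates applied manually can recreate writable files.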

Step six. Hardening site at the NGINX server level

Read here: Hardening WordPress with WP Cerber and NGINX

Step seven. Hardening site with Fail2Ban

Read here: How to protect WordPress with Fail2Ban


I’m a self-employed developer who builds software products and services using WordPress. I’m available for hire and enjoy partnering with others for interesting and challenging projects. If you’re interested in hiring me, feel free to contact me.
