Security Blog
Posted By Gregory

Turn your WordPress into Fort Knox

How to turn a WordPress site into a protected fortress like Fort Knox


This article assumes that you want to build a bulletproof website powered by WordPress. It is not necessary to follow every one of the following steps word for word, exactly as described, but I do recommend doing so if you want your own Fort Knox.

Some of the following steps may cause incompatibility problems with plugins that try to modify files directly in the WordPress folders. I recommend avoiding plugins of that kind: using them invites problems and security issues, either immediately or later, once attackers have studied the holes in the plugins and theme installed on your site. I wrote this article in the hope that it will be useful, but without any warranty.

Note: this article does not apply to shared hosting. You need at least a VPS-hosted site.

Requirements: root access to the Linux server that hosts your website. Without shell access with root privileges you cannot do anything useful towards a genuinely protected website. No plugin can protect WordPress and the files in its directories at a professional level, because every security plugin runs with exactly the privileges of the web server user, and that is the same set of privileges a hacker or bot gets after exploiting a hole in any plugin or theme. No exception. If a security plugin changes files on your website to protect them, any hacker or malicious code running as the same user can undo those changes or remove the protection.

Here are the important points of my approach:

  • All code files (PHP) and all .htaccess files must be write-protected against the web server user. No exception.
  • All defaults (folder names, cookie names, the login path, any other landmarks) must be changed to non-default values.
  • No plugins or themes that modify PHP or .htaccess files in the WordPress folders.

Step one. Installing WordPress

Don't use the default wp_ prefix for database tables. Use two or three random letters followed by an underscore instead. Some WordPress-specific attack tools and injection payloads assume that the table prefix is wp_ and name wp_users or wp_options directly. Changing the prefix does not fix an injection hole, but it makes those hard-coded payloads fail, which blocks some SQL injection attacks.

Step two. Hardening a website at the WordPress core level

  1. Move the uploads folder up one level, from inside the /wp-content/ folder to the root of your WordPress installation folder.
  2. Rename the uploads folder to media (or anything else you like).
  3. Rename the wp-content folder to content (or anything else you like).
  4. Rename the plugins folder to mod (or anything else you like).
  5. Add the following lines to the beginning of the wp-config.php file, right after the opening <?php tag so that they come before wp-settings.php is loaded. Don't forget to change media, content and mod to the values you chose above.
    define('AUTOMATIC_UPDATER_DISABLED', true ); // yes, it's safe to do updates manually
    define('DISALLOW_FILE_EDIT', true ); // no editing of plugin or theme files from the dashboard
    define('DISALLOW_FILE_MODS', true ); // no installing or updating plugins, themes or core from the dashboard either
    define('FS_METHOD', 'direct'); // no FTP of course
    define('WP_HTTP_BLOCK_EXTERNAL', true ); // WordPress makes no outgoing HTTP requests
    define('UPLOADS', 'media' ); // we renamed uploads and moved it up one level; the path is relative to the WordPress root
    define('WP_CONTENT_DIR', '/path/to/wordpress/dir/content'); // filesystem path: no host name, no trailing slash
    define('WP_CONTENT_URL', 'http://example.com/content'); // URL: use https:// if the site is served over TLS
    define('WP_PLUGIN_DIR', '/path/to/wordpress/dir/content/mod'); // filesystem path: no host name, no trailing slash
    define('WP_PLUGIN_URL', 'http://example.com/content/mod');
    ini_set('display_errors',0); // turn off display of PHP errors on the front-end

    Two caveats. WP_HTTP_BLOCK_EXTERNAL blocks every outgoing request WordPress makes, including the version check against api.wordpress.org, so either allow that host with the WP_ACCESSIBLE_HOSTS constant or follow the WordPress and plugin release announcements yourself: with AUTOMATIC_UPDATER_DISABLED and DISALLOW_FILE_MODS set, every security update has to be applied by hand, and a missed update undoes much of what these constants gain. And WP_CONTENT_DIR and WP_PLUGIN_DIR are absolute filesystem paths, so if you move the installation later these two lines have to be edited as well.

Step three. Change the default cookie names.

Add these lines to the beginning of the wp-config.php file, before wp-settings.php is loaded. Use your own random names. Every logged-in user, including you, will have to log in again after the change, because the cookies issued under the old names are no longer read.

define('USER_COOKIE', 'my_user_cookie' ); // change it to something different
define('PASS_COOKIE', 'my_pass_cookie' ); // change it to something different
define('AUTH_COOKIE', 'my_auth_cookie' ); // change it to something different
define('SECURE_AUTH_COOKIE', 'my_sec_cookie' ); // change it to something different
define('LOGGED_IN_COOKIE', 'my_logged_cookie' ); // change it to something different
define('TEST_COOKIE', 'my_test_cookie' ); // change it to something different
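Steps one to three as a single script, added here as an example; it is not code from the original post or from WP Cerber. It assumes an absolute path to the WordPress root, a wp-config.php whose first line is the opening <?php tag, and a fresh install (the table prefix is only worth changing before the tables exist). The function and variable names are the example's own, and the WP_ACCESSIBLE_HOSTS line is the example's addition; everything else mirrors the defines above with random values filled in.

```shell
#!/bin/sh
# Added example (not code from the original post or from WP Cerber): re-lays out
# a WordPress tree as steps one to three describe and prepends the matching
# defines to wp-config.php. Function and variable names are this example's own;
# the constants are WordPress' real ones.
set -eu

# random_name LEN: LEN random lowercase letters, used for cookie names and the prefix.
random_name() {
    LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c "$1"
}

# harden_layout WPDIR SITEURL [CONTENT] [PLUGINS] [UPLOADS]
#   WPDIR    absolute path of the WordPress root (what WordPress calls ABSPATH)
#   SITEURL  scheme and host the site is served on, e.g. https://example.com
#   the remaining names default to the post's: content, mod, media
# Prints the generated table prefix.
harden_layout() {
    wpdir=$1 siteurl=${2%/} content=${3:-content} plugins=${4:-mod} uploads=${5:-media}
    cfg="$wpdir/wp-config.php"

    # Refuse to run over an unexpected or already converted tree.
    [ -d "$wpdir/wp-content/plugins" ] || { echo "no wp-content/plugins in $wpdir" >&2; return 1; }
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    for path in "$wpdir/$content" "$wpdir/$uploads"; do
        [ ! -e "$path" ] || { echo "$path already exists" >&2; return 1; }
    done
    [ "$(head -n 1 "$cfg")" = "<?php" ] || { echo "$cfg must start with <?php" >&2; return 1; }

    # Step two, points 1-4: uploads one level up under a new name, then
    # wp-content and plugins renamed. A fresh install may have no uploads yet.
    if [ -d "$wpdir/wp-content/uploads" ]; then
        mv "$wpdir/wp-content/uploads" "$wpdir/$uploads"
    else
        mkdir "$wpdir/$uploads"
    fi
    mv "$wpdir/wp-content/plugins" "$wpdir/wp-content/$plugins"
    mv "$wpdir/wp-content" "$wpdir/$content"

    # Step one: a non-default table prefix (meaningful only before the tables exist).
    prefix="$(random_name 3)_"

    # Step two, point 5, and step three: generated from the names above so the
    # paths cannot drift from the directories, with unguessable cookie names.
    # WP_ACCESSIBLE_HOSTS is this example's addition: it lets the version check
    # through the WP_HTTP_BLOCK_EXTERNAL wall so update notices still appear.
    block=$(mktemp)
    cat > "$block" <<EOF
define('AUTOMATIC_UPDATER_DISABLED', true);
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
define('FS_METHOD', 'direct');
define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org');
define('UPLOADS', '$uploads');
define('WP_CONTENT_DIR', '$wpdir/$content');
define('WP_CONTENT_URL', '$siteurl/$content');
define('WP_PLUGIN_DIR', '$wpdir/$content/$plugins');
define('WP_PLUGIN_URL', '$siteurl/$content/$plugins');
define('USER_COOKIE', '$(random_name 12)');
define('PASS_COOKIE', '$(random_name 12)');
define('AUTH_COOKIE', '$(random_name 12)');
define('SECURE_AUTH_COOKIE', '$(random_name 12)');
define('LOGGED_IN_COOKIE', '$(random_name 12)');
define('TEST_COOKIE', '$(random_name 12)');
ini_set('display_errors', 0);
EOF
    # Splice the block in right after the opening tag, ahead of the require_once
    # of wp-settings.php, and rewrite the $table_prefix line on the way through.
    tmp=$(mktemp)
    {
        head -n 1 "$cfg"
        cat "$block"
        tail -n +2 "$cfg" | awk -v p="$prefix" -v q="'" \
            '/^\$table_prefix[ \t]*=/ { print "$table_prefix = " q p q ";"; next } { print }'
    } > "$tmp"
    cat "$tmp" > "$cfg"          # overwrite in place so owner and mode survive
    rm -f "$tmp" "$block"
    echo "$prefix"
}
```

Run it as the deploy user before the first visit to the installer, for example `harden_layout /var/www/html https://example.com`; it prints the generated prefix so you can record it, and it refuses to run a second time because wp-content is gone.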

Step four. Install a security plugin immediately after WordPress has been installed

Protect your login page with WP Cerber Security. Even with the protection steps above, hackers will keep trying brute force attacks (repeated login attempts) to crack the door of your WordPress website. Hide and close this door with WP Cerber.

Step five. Hardening a website at the OS level

In this step I assume that you are using Apache as the HTTP server. We need to change the owner of all WordPress files, including plugins and themes. By default they are owned by the user the web server runs as: apache on RHEL, CentOS and Fedora, www-data on Debian and Ubuntu (this article uses apache; substitute your distribution's name). We change the owner to another user that you created earlier for this purpose. Let's say this user is cerber. Afterwards the web server can read the code but not write it, and the only place it can write is the uploads folder.

  1. Put a .htaccess file into the media folder (your new uploads folder) with the following directive in it. This prevents the website from executing uploaded malicious PHP code.
    php_flag engine off

    Note: the Apache configuration must contain an AllowOverride Options directive for your uploads folder or one of its parent folders for this directive to take effect. php_flag is honoured only when PHP runs as an Apache module (mod_php); if PHP runs under PHP-FPM or FastCGI the flag is silently ignored, and you need a FilesMatch block that denies access to *.php files in the uploads folder instead. Also, because the uploads folder is group-writable by the web server (see point 3), that user can delete and recreate this .htaccess; for a guarantee, put the same directives into a <Directory> block in the Apache server configuration, which no web request can change.

  2. For the whole website directory (/path/to/wordpress/dir) change the owner and permissions of all files by executing the following commands in the shell. Directories get 755 and files 644, so the web server user can read everything but write nothing.
    find /path/to/wordpress/dir -exec chown cerber:root {} +
    find /path/to/wordpress/dir -type d -exec chmod 755 {} +
    find /path/to/wordpress/dir -type f -exec chmod 644 {} +
  3. The uploads directory (/path/to/wordpress/dir/media) needs special permissions, because the web server has to write uploaded media there. Its group becomes apache and the group gets write access. Execute these commands in the shell.
    find /path/to/wordpress/dir/media -exec chown cerber:apache {} +
    find /path/to/wordpress/dir/media -type d -exec chmod 775 {} +
    find /path/to/wordpress/dir/media -type f -exec chmod 664 {} +
  4. Set up the permalink structure in the WordPress Settings (WordPress writes its rewrite rules into .htaccess at that moment) and then write-protect the .htaccess file.
    chown cerber:root /path/to/wordpress/dir/.htaccess
    chmod 644 /path/to/wordpress/dir/.htaccess
  5. Move the wp-config.php file to the directory directly above your WordPress installation directory. WordPress finds it there automatically as long as that directory does not contain a wp-settings.php, and a directory above the document root is not reachable by URL, which is the point of moving it. The web server still has to read it, so give it owner cerber, group apache and mode 640; then no other local user can read your database credentials.
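Points 1 to 5 of this step as one script, with an audit you can rerun after every deployment. This is an added example, not code from the original post or from WP Cerber; the function names lockdown_files and audit_writable are the example's own. It assumes Apache 2.4 (for the Require directive), a find that understands -perm /mode (GNU and busybox do), and that you pass the deploy user, its group and the web server group explicitly, for example lockdown_files /var/www/html cerber root apache, run as root.

```shell
#!/bin/sh
# Added example (not code from the original post or from WP Cerber): applies the
# step-five ownership and permission scheme, writes the no-PHP .htaccess into
# the uploads folder, moves wp-config.php up one level and audits the result.
# Function names are this example's own; user and group names are whatever you
# pass in (the post uses cerber as owner and apache as the web server group).
set -eu

# lockdown_files WPDIR OWNER CODEGROUP WEBGROUP [UPLOADS]
#   OWNER/CODEGROUP  deploy user and group that own all code (post: cerber:root)
#   WEBGROUP         group the web server runs as (apache on RHEL, www-data on Debian)
#   UPLOADS          the renamed uploads folder, relative to WPDIR (default: media)
lockdown_files() {
    wpdir=$1 owner=$2 codegroup=$3 webgroup=$4 uploads="$1/${5:-media}"

    # Points 2 and 4: code, themes and every .htaccess readable by all, writable
    # only by the owner, which is not the user PHP runs as.
    find "$wpdir" -exec chown "$owner:$codegroup" {} +
    find "$wpdir" -type d -exec chmod 755 {} +
    find "$wpdir" -type f -exec chmod 644 {} +

    # Point 3: uploads are the one place the web server must write.
    find "$uploads" -exec chown "$owner:$webgroup" {} +
    find "$uploads" -type d -exec chmod 775 {} +
    find "$uploads" -type f -exec chmod 664 {} +

    # Point 1: no PHP execution under uploads. php_flag only reaches mod_php; the
    # FilesMatch block (Apache 2.4 syntax) also covers PHP-FPM/FastCGI setups.
    cat > "$uploads/.htaccess" <<'EOF'
php_flag engine off
<FilesMatch "\.ph(p[0-9]*|tml|ar)$">
    Require all denied
</FilesMatch>
EOF
    # Keep this file out of the web group. The directory is still group-writable,
    # so the web user could unlink and recreate it; a <Directory> block in the
    # server configuration is the only copy it cannot touch.
    chown "$owner:$codegroup" "$uploads/.htaccess"
    chmod 644 "$uploads/.htaccess"

    # Point 5: wp-config.php one level up, readable by owner and web group only.
    cfg="$(dirname "$wpdir")/wp-config.php"
    [ ! -f "$wpdir/wp-config.php" ] || mv "$wpdir/wp-config.php" "$cfg"
    chown "$owner:$webgroup" "$cfg"
    chmod 640 "$cfg"
}

# audit_writable WPDIR [UPLOADS]: list anything the web server (group or world)
# could write outside the uploads folder, any group- or world-writable .htaccess
# inside it, and a wp-config.php that other users can read. Returns 1 if found.
audit_writable() {
    wpdir=$1 uploads="$1/${2:-media}" cfg="$(dirname "$1")/wp-config.php"
    found=$(find "$wpdir" -path "$uploads" -prune -o -perm /022 -print
            find "$uploads" -name .htaccess -perm /022 -print
            [ ! -f "$cfg" ] || find "$cfg" -perm /027 -print)
    if [ -n "$found" ]; then
        printf 'writable or exposed:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}
```

Run audit_writable from cron or after each deployment: a plugin update done by hand as the deploy user, or a file restored from a backup, is exactly the moment a stray 664 sneaks back in.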

Step six. Hardening a website at the NGINX server level

Read here: Hardening WordPress with WP Cerber and NGINX

Step seven. Hardening a website with Fail2Ban

Read here: How to protect WordPress with Fail2Ban


I'm a team lead at Cerber Tech. I'm a software and database architect and a WordPress, PHP, SQL and JavaScript developer. I started coding in 1993 on the IBM System/370 (yeah, those were amazing days), and today software engineering at Cerber Tech is how I make my living. I've been taught to have high standards for myself, and I apply them when developing software solutions.
