To achieve advanced WordPress security, we will be obscuring the standard installation, securing and optimizing it, and taking measures for easy disaster recovery.
Advanced WordPress Security Background
Some years ago we set up a WordPress site that was fully secure and made regular automatic backups to a folder on the server. Our client was happy with the setup and we merrily went on to build many more websites with WordPress.
During the Christmas season of 2011, the host this client was with had their server hacked. The result: the entire website was gone, including the database as well as the backups that were stored in the folder on the server. To make it worse, the host was unable to restore their own backup. We had to redo the entire site (and a few others on the same server).
What we’ll be aiming for at the end of this tutorial is a WordPress installation that is secure against both automated and human attacks, fast, and easy to recover in the event of disaster. Of course we don’t want to pay money for this if we can help it, so we will be using absolutely free tools, which could be upgraded to paid versions should the need arise.
Please note that this tutorial presumes that WordPress has not already been installed, but that a database has been created.
Advanced WordPress Security Requirements
What we’ll need:
- WordPress (not installed)
- An FTP client such as FileZilla
- Our Demo Setup Package (download)
- CloudFlare Plugin (do not download)
- CodeGuard Plugin (do not download)
- An e-mail address to create a login at the CloudFlare and CodeGuard sites
Advanced WordPress Security Procedure
Advanced WordPress Security Obscuring
Many WordPress attacks are automated. A script is written to exploit a known vulnerability in the default installation and sent out across the web to find sites that use that default layout, attack them and, if successful, use them for whatever purpose the person behind the script wants.
We can thwart most attacks of this type by changing the defaults. Such scripts are very specific: for example, the install.php file in /wp-admin/ could be used to reset the blog administrator password. But if we have moved our entire /wp-admin/ folder to another location, the script concludes that we are either not using WordPress, have deleted install.php, or have secured it somehow, and moves on to the next site, even though we never deleted or secured install.php specifically.
The Demo Setup Package from above contains a bare-bones structure with some files that will be required. The latest WordPress should be copied into the extracted folder. Once done, we rename the folders in the Demo Setup Package to arbitrary names (they can be called whatever you like), as demonstrated in the image below. We have created “demo-config” to contain our actual configuration file, “demo-content” to contain themes and uploads, “demo-plugins” to contain plugins and “demo-site” to contain everything else (the files that make WordPress work).
We will continue by referring to the folders we created; you must map them to the folder names you chose.
The folders “wp-admin” and “wp-includes”, as well as all the files from the WordPress package (excluding the “.htaccess” file included in our download) must be moved to “demo-site”.
In the “wp-content” folder, the “themes” folder and “index.php” file must be moved to “demo-content”.
The contents of the “plugins” folder inside “wp-content” must be moved to “demo-plugins”.
Once all of that has been done, we can delete the “wp-content” folder, as it will be empty.
The “index.php” file in the “demo-site” folder must be copied to the “root” folder, which is the top-level folder on your server that the public can reach (your web root).
Once everything has been moved, we must customize the “wp-config.php” files in “demo-config” and “demo-site”. The files are heavily annotated, so we will not go into detail here. Should you get stuck, please contact us and we’ll be glad to assist.
We also need to edit a line in the “index.php” file we just moved to “root” from:
(customize this to your requirements)
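As an added example (not the contents of the Demo Setup Package), this is what the root “index.php” and the “demo-site/wp-config.php” need to point at once the folders have been moved, assuming the folder names used above, a site served at https://example.com, and that “demo-config/wp-config.php” holds only the database settings; WP_HOME, WP_SITEURL, WP_CONTENT_DIR, WP_CONTENT_URL, WP_PLUGIN_DIR and WP_PLUGIN_URL are standard WordPress constants.

```php
<?php
// ---- root/index.php ----
// The stock file requires './wp-blog-header.php'. Core now lives in demo-site/,
// so the require must point there (assumed layout from this tutorial).
define( 'WP_USE_THEMES', true );
require __DIR__ . '/demo-site/wp-blog-header.php';


<?php
// ---- demo-site/wp-config.php ----
// WordPress loads wp-config.php from its own folder (ABSPATH). We pull the
// database credentials from demo-config/, which holds no other PHP and is
// not a path any automated script expects (assumption: that file defines
// DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and the salts, nothing else).
require_once dirname( __DIR__ ) . '/demo-config/wp-config.php';

// Public address of the site (no trailing slash). Visitors see only this.
define( 'WP_HOME', 'https://example.com' );
// Core (wp-admin, wp-includes, wp-login.php) is served from demo-site/.
define( 'WP_SITEURL', WP_HOME . '/demo-site' );

// Themes and uploads were moved from wp-content/ to demo-content/.
define( 'WP_CONTENT_DIR', dirname( __DIR__ ) . '/demo-content' );
define( 'WP_CONTENT_URL', WP_HOME . '/demo-content' );

// Plugins were moved from wp-content/plugins/ to demo-plugins/.
define( 'WP_PLUGIN_DIR', dirname( __DIR__ ) . '/demo-plugins' );
define( 'WP_PLUGIN_URL', WP_HOME . '/demo-plugins' );

// Standard tail of wp-config.php: ABSPATH is the folder holding core.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

Any plugin that hard-codes “wp-content/plugins” instead of using plugin_dir_path() will break under this layout, so check plugin output after installation.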
Some “.htaccess” files have been included in the Demo Setup Package for your convenience. They do not require editing and should work on most hosting accounts to improve speed and security.
We have now successfully made it slightly more difficult for automated attackers to get into our site and all that remains is to upload everything to our folder, head to the address where our site will be, and begin installation. Please make sure to choose a strong password, or have a random one generated.
Once installation has been completed, we can continue logging in with the login credentials we just created.
Our basic WordPress installation has been completed, and we need to continue with some further steps to secure our site.
Advanced WordPress Security Securing and Optimizing
We have just made sure that any “simple” attack on our website would be thwarted before it even started, but what if it is an advanced attack, or worse, a malevolent hacker? (Yes, there are benevolent hackers.)
Apart from using secure passwords and the security optimizations in our .htaccess file, we are going to rely on our friends at CloudFlare to help us. You may ask: “Why CloudFlare?”. Well, it’s free, it’s fast, it’s easy, and it’s what hackers hide behind when they are under attack.
To get going, we need to follow these steps:
- Create a CloudFlare Account
- Choose CloudFlare settings
- Update our nameserver records at our domain registrar to point to CloudFlare servers
Once we’ve entered our e-mail address to create a CloudFlare account, we need to enter a website to add to the account.
CloudFlare will then scan your DNS records for appropriate records to add. This takes a short while.
At the bottom of the screen, you will be given an indication of how long it will take before you can proceed.
Once complete, we need to select “Continue” to proceed with the setup.
We need to check that the records retrieved by CloudFlare match our existing records. Any that are missing should be added manually. Once complete, we select “I’ve added all missing records, continue”.
We are presented with a settings page. The free plan is already good, and unless we need SSL connections, there is no need to subscribe to the paid option. We also have a choice of Performance and Security settings. We will change these.
We have selected “CDN + full optimizations” and “High” security. Make your choice and select “Continue”.
Once complete, we are presented with the current nameserver settings and the new nameservers that should be added to the domain. Please update the nameservers to the new ones. Transfer should take around 24 hours, whereafter we will be secured and optimized by CloudFlare. Once complete, select “I’ve updated my nameservers, continue” so that CloudFlare can start monitoring for the changes to the nameservers.
The last page presented by CloudFlare contains links to further resources to help us get started. It is recommended reading, but not required. We’re all done with CloudFlare and should just keep the login details somewhere safe in case we want to make any changes in future.
It would be a good idea to install the CloudFlare plugin on our WordPress site at this stage.
Advanced WordPress Security Recovering
When disaster strikes, we need to act swiftly to get ourselves back online, otherwise we will lose our visitors. CodeGuard has come up with an excellent solution, providing 2GB of free online storage for an automated backup of our WordPress files as well as our database on a daily, weekly or monthly frequency. To set it up, we simply have to install the plugin and create a CodeGuard account, then copy the access key over to our WordPress installation.
First off, we will install the CodeGuard plugin. To do so, we will go to “Add New” under the “Plugins” menu option.
In the search box that is displayed, we type “codeguard” and select “Search Plugins”.
The CodeGuard plugin is displayed, and we select “Install Plugin”.
We are presented with an option to continue with the action or cancel. We select “OK” to continue.
Once the plugin has been installed, we select “Activate Plugin”.
On the CodeGuard Plans &amp; Pricing page shown when creating an account, we select the basic option unless SSL is required and click on “Get Started”.
On the next page, we need to enter our details and select “Create Account”.
Once the account is created, CodeGuard requests some more information to add our website to their services. We don’t need to do any of that; we simply select the “CodeGuard WordPress Plugin” link on the left.
We are taken to our account page, where we need to copy the Access Key provided.
Back in our WordPress installation, under the new menu option for CodeGuard, we paste the Access Key we copied from the CodeGuard website and select “Update”.
CodeGuard has now been set up and will start with an automated backup on a daily basis. If we want to change this schedule to weekly or monthly, we simply have to change our options on the CodeGuard website.
Once the initial backup is complete, CodeGuard will alert us to any changes on the set schedule, and we’ll be able to recover our files from any recent backup very easily to restore our site in any emergency.
Advanced WordPress Security Conclusion
We have taken many steps to ensure that our WordPress site will be secure, fast and easy to restore in an emergency. While this is not an extensive list of available security measures, it has improved our security vastly in comparison with the default. You may also be interested in our Simple WordPress Security setup for further available steps with the Better WP Security plugin.