WordPress Security Advanced Setup

Advanced WordPress Security Install

To achieve advanced WordPress security, we will be obscuring the standard installation, securing and optimizing it and taking measures for easy disaster recovery.

Advanced WordPress Security Background

Some years ago we set up a WordPress site that was fully secure and made regular automatic backups to a folder on the server. Our client was happy with the setup and we merrily went on to build many more websites with WordPress.

During the Christmas season of 2011, the host this client was with had their server hacked. The result: the entire website was gone, including the database as well as the backups that were stored in the folder on the server. To make it worse, the host was unable to restore their own backup. We had to redo the entire site (and a few others on the same server).

What we’ll be aiming for at the end of this tutorial is a WordPress installation that is secure against both automated and human attacks, fast, and easy to recover in the event of disaster.  Of course we don’t want to pay money for this if we can help it, so we will be using absolutely free tools, which could be upgraded to paid versions should the need arise.

Please note that this tutorial presumes that WordPress has not already been installed, but that a database has been created.

Advanced WordPress Security Requirements

What we’ll need:

Advanced WordPress Security Procedure

Advanced WordPress Security Obscuring

Many WordPress attacks are automated.  Code is written to exploit a known vulnerability in the default installation and sent out across the web to find websites that use that default layout, attack them, and, if successful, use them for whatever purpose the human behind the code wants.

We can thwart most attacks of this type by changing the defaults.  The automated attacks are very specific; for example, the install.php file in /wp-admin/ could be used to reset the blog administrator password.  If we have moved our entire /wp-admin/ folder to another location, the code concludes that we are either not running WordPress, have deleted install.php, or have somehow secured it, and moves on to the next site, even though we have not deleted or secured install.php specifically.

The Demo Setup Package from above contains a bare-bones structure with some files that will be required. The latest WordPress release should be copied into the extracted folder.  Once done, we can rename the folders in the Demo Setup Package to arbitrary names (they can be called whatever you like), as demonstrated in the image below.  We have created “demo-config” to contain our actual configuration file, “demo-content” to contain themes and uploads, “demo-plugins” to contain plugins and “demo-site” to contain everything else (the files that make WordPress work).

WordPress Security Advanced Setup: Create Installation Folders

From here on we refer to the folder names we chose; substitute the names you chose for your own installation.

The folders “wp-admin” and “wp-includes”, as well as all the files from the WordPress package (excluding the “.htaccess” file included in our download) must be moved to “demo-site”.

WordPress Security Advanced Setup: Move wp-admin, wp-includes and the Base Files to the Site Folder Created

In the “wp-content” folder, the “themes” folder and “index.php” file must be moved to “demo-content”.

WordPress Security Advanced Setup: Move themes and index.php to the Content Created Folder

The contents of the “plugins” folder inside “wp-content” must be moved to “demo-plugins”.

WordPress Security Advanced Setup: Move the Content of the Plugins Folder to the Plugins Created Folder

Once all of that has been done, we can delete the “wp-content” folder, as it will be empty.

The “index.php” file in the “demo-site” folder must be copied to the “root” folder, i.e. the document root: the topmost folder on your server that the public can reach when visiting your website.

WordPress Security Advanced Setup: Copy index.php to the Top Folder

Once everything has been moved, we must customize the “wp-config.php” files in “demo-config” and “demo-site”.  The files are heavily annotated, so we will not go into detail here.  Should you get stuck, please contact us and we’ll be glad to assist.

We also need to edit a line in the “index.php” file we just copied to “root” from:

(customize this to your requirements)
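As an added example (not the Demo Setup Package's own files, which are not reproduced on this page), this is what the two edits described above can look like for the folder names used in this tutorial. The split between a small “wp-config.php” in “demo-site” and the real one holding database credentials and salts in “demo-config”, and the “https://example.com” address, are assumptions for illustration.

```php
<?php
// ---- /index.php (document root) ----
// The stock WordPress index.php loads ./wp-blog-header.php (older releases
// spell it require('./wp-blog-header.php')). With the core files moved into
// "demo-site", the path has to point there instead.
define( 'WP_USE_THEMES', true );
require __DIR__ . '/demo-site/wp-blog-header.php';

// ---- /demo-site/wp-config.php (stub; assumed layout) ----
// Folder layout from the tutorial, all directly under the document root:
//   demo-site    -> wp-admin, wp-includes and the base WordPress files
//   demo-content -> themes and uploads (plus the "silence" index.php)
//   demo-plugins -> plugins
//   demo-config  -> the real wp-config.php with DB_NAME, DB_USER, salts, etc.
//                   (assumed here to contain only those defines, without its
//                   own require of wp-settings.php, so it is loaded exactly once)
$root = dirname( __DIR__ );                       // the document root

// WP_HOME is the public address; WP_SITEURL is where the core files now live.
// This is the standard WordPress "core in its own directory" arrangement.
define( 'WP_HOME',    'https://example.com' );    // placeholder, change to yours
define( 'WP_SITEURL', WP_HOME . '/demo-site' );

// Relocate wp-content (themes, uploads) and the plugins folder. WordPress only
// applies these defaults if the constants are not already defined, so they
// must appear before wp-settings.php is loaded.
define( 'WP_CONTENT_DIR', $root . '/demo-content' );
define( 'WP_CONTENT_URL', WP_HOME . '/demo-content' );
define( 'WP_PLUGIN_DIR',  $root . '/demo-plugins' );
define( 'WP_PLUGIN_URL',  WP_HOME . '/demo-plugins' );

// Pull in the secrets from the separate config folder.
require $root . '/demo-config/wp-config.php';

// Caveat: renaming folders only defeats scanners that probe the default paths.
// The login and admin pages are still reachable under the new path, so strong
// passwords and the .htaccess rules from the package remain essential.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

After uploading, the site should load from the document root while the dashboard lives under /demo-site/wp-admin/; if pages render without styling, the WP_CONTENT_URL and WP_PLUGIN_URL values are the first thing to re-check.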

Some “.htaccess” files have been included in the Demo Setup Package for your convenience.  They do not require editing and should work on most hosting accounts to improve speed and security.

We have now successfully made it slightly more difficult for automated attackers to get into our site and all that remains is to upload everything to our folder, head to the address where our site will be, and begin installation.  Please make sure to choose a strong password, or have a random one generated.

WordPress Security Advanced Setup: Complete the Form and Hit 'Install WordPress'

Once installation has been completed, we can log in with the credentials we just created.

WordPress Security Advanced Setup: We can now Log In with the User Name and Password Previously Selected

Our basic WordPress installation has been completed, and we need to continue with some further steps to secure our site.

Advanced WordPress Security Securing and Optimizing

We have just made sure that any “simple” attack on our website would be thwarted before it even started, but what if it is an advanced attack, or worse, a malevolent hacker? (Yes, there are benevolent hackers.)

Apart from using secure passwords and the security optimizations in our .htaccess file, we are going to rely on our friends at CloudFlare to help us.  You may ask: “Why CloudFlare?”.  Well, it’s free, it’s fast, it’s easy, and it’s what hackers hide behind when they are under attack.

To get going, we need to follow these steps:

  • Create a CloudFlare Account
  • Choose CloudFlare settings
  • Update our nameserver records at our domain registrar to point to CloudFlare servers

Once we’ve entered our e-mail address to create a CloudFlare account, we need to enter a website to add to the account.

WordPress Security Advanced Setup: Register Domain on CloudFlare

CloudFlare will then scan your DNS records for appropriate records to add.  This takes a short while.

WordPress Security Advanced Setup: Wait for CloudFlare to read DNS

At the bottom of the screen, you will be given an indication of how long it will take before you can proceed.

WordPress Security Advanced Setup: Wait for CloudFlare to read DNS

Once complete, we need to select “Continue” to proceed with the setup.

WordPress Security Advanced Setup: Continue to DNS Setup

We need to check that the records retrieved by CloudFlare match our existing records.  Any that are missing should be added manually.  Once complete, we select “I’ve added all missing records, continue”.

WordPress Security Advanced Setup: Ensure all Settings are Correct and Continue

We are presented with a settings page.  The free plan is already good, and unless we need SSL connections, there is no need to subscribe to the paid option.  We also have a choice of Performance and Security settings.  We will change these.

WordPress Security Advanced Setup: Change CloudFlare Settings as Required

We have selected “CDN + full optimizations” and “High” security.  Make your choice and select “Continue”.

WordPress Security Advanced Setup: Change to Full Optimizations and High Security

Once complete, we are presented with the current nameserver settings and the new nameservers that should be added to the domain.  Please update the nameservers to the new ones.  Transfer should take around 24 hours, whereafter we will be secured and optimized by CloudFlare.  Once complete, select “I’ve updated my nameservers, continue” so that CloudFlare can start monitoring for the changes to the nameservers.

WordPress Security Advanced Setup: Update NameServers

The last page presented by CloudFlare contains links to further resources to help us get started.  It is recommended reading, but not required.  We’re all done with CloudFlare and should just keep the login details somewhere safe in case we want to make any changes in future.

WordPress Security Advanced Setup: Once NameServers are Updated, CloudFlare Setup is Complete

It would be a good idea to install the CloudFlare plugin on our WordPress site at this stage.

Advanced WordPress Security Recovering

When disaster strikes, we need to act swiftly to get ourselves back online, otherwise we will lose our visitors.  CodeGuard has come up with an excellent solution, providing 2GB of free online storage for an automated backup of our WordPress files as well as database on a daily, weekly or monthly frequency.  To set it up, we simply have to install the plugin and create a CodeGuard account, then copy over the access key to our WordPress installation.

First off, we will install the CodeGuard plugin.  To do so, we will go to “Add New” under the “Plugins” menu option.

WordPress Security Advanced Setup: Select 'Add New' under Plugins

In the search box that is displayed, we type “codeguard” and select “Search Plugins”.

WordPress Security Advanced Setup: Type 'CodeGuard' in the search box

The CodeGuard plugin is displayed, and we select “Install Plugin”.

WordPress Security Advanced Setup: Select 'Install Now' next to the plugin

We are presented with an option to continue with the action or cancel.  We select “OK” to continue.

WordPress Security Advanced Setup: Select 'OK' to continue

Once the plugin has been installed, we select “Activate Plugin”.

WordPress Security Advanced Setup: Select 'Activate Plugin'

On the CodeGuard “Plans & Pricing” page for creating an account, we select the Basic option (unless SSL is required) and click “Get Started”.

WordPress Security Advanced Setup: Select 'Get Started' at the Basic Plan of CodeGuard

On the next page, we need to enter our details and select “Create Account”.

WordPress Security Advanced Setup: Enter details and select 'Create Account'

Once the account is created, CodeGuard requests some more information to add our website to their services.  We don’t need to do any of that; we simply select the “CodeGuard WordPress Plugin” link on the left.

WordPress Security Advanced Setup: Select 'CodeGuard WordPress plugin' link on the left

We are taken to our account page, where we need to copy the Access Key provided.

WordPress Security Advanced Setup: Copy the access key displayed

Back in our WordPress installation, under the new menu option for CodeGuard, we paste the Access Key we copied from the CodeGuard website and select “Update”.

WordPress Security Advanced Setup: Paste the access key copied in WordPress and select 'Update'

CodeGuard has now been set up and will start with an automated backup on a daily basis.  If we want to change this schedule to weekly or monthly, we simply have to change our options on the CodeGuard website.

WordPress Security Advanced Setup: CodeGuard Setup complete

Once the initial backup is complete, CodeGuard will alert us to any changes on the set schedule, and we’ll be able to recover our files from any recent backup very easily to restore our site in any emergency.

Advanced WordPress Security Conclusion

We have taken many steps to ensure that our WordPress site will be secure, fast and easy to restore in an emergency.  While this is not an extensive list of available security measures, it has improved our security vastly in comparison with the default.  You may also be interested in our Simple WordPress Security setup for further available steps with the Better WP Security plugin.

Creative Commons License Photo Credit: Mitchell Joyce via Compfight