
A few great security plugins+steps for WordPress self-hosters

by Chris on Jan.15, 2009, under Tech

For me, half (or more!) of the fun of any new project is the setup. Even with something as vanilla as this shiny new WordPress blog, I love getting in and putting it together. After the initial joy of making it look and function the way you want, hardening the software is a fundamental that should be addressed but is often overlooked, especially by self-hosters. I host ~20 WP blogs and we've learned, and continue to learn, much of this the hard way.

Let's start with a couple of absolutely necessary plugins:

Login Lockdown
- Surprisingly hard to find on the WordPress Extend site, this one is a gem at stopping brute-force attacks: after a handful of failed logins from one IP address it locks that address out of the login form for a while, which turns an unlimited password-guessing run into a very slow one (works with 2.7!).

WP Security Scan
- WP Security Scan does a few useful things just by being activated, including hiding your WP version string and database error messages, both of which tell an attacker exactly which exploit to try. (Hiding the version only slows fingerprinting; the readme.html in the web root and the scripts WP ships still give it away, so it is no substitute for updating.) It will also help you identify proper permission settings for the most critical files, change your DB table prefix, and more.

Now to the easy steps that should absolutely be done:

- Choose strong passwords. There are plenty of password-strength checkers out there; WP Security Scan even includes one!

- Stay on top of the latest version! As of writing, if you're not on version 2.7, start there. You can't begin to be protected unless you're on the latest version; this is critical. Subscribe to the feeds of the developers of your plugins and themes and keep those updated too, since an out-of-date plugin is exploited just as readily as an out-of-date core.

- Get rid of the "admin" user. It is the first username every brute-force bot tries, and you never use it anyway. Create a new account with the Administrator role under a name nobody would guess, log in as that account, then delete "admin" and, when WordPress asks, attribute its posts to the new account (otherwise the posts go away with it). You can always request a new password through the blog if you lose yours. If you MUST have a last-resort user, change its name. Your dog needs a user on your blog anyway.

- Set up your wp-config.php secret keys using the WordPress generator. These keys go into the hashes that protect your login cookies, so leaving the placeholder values from wp-config-sample.php in place makes those cookies far easier to forge. There is a link on that page to a great write-up with more information, including a lot of good information on setting up and/or forcing SSL.

Now here are a couple of not-so-easy steps, but take them into serious consideration for deployment.

Take regular backups of your files and databases. There are myriad plugins available to assist with this; be sure to choose one that lets you download the database dump, and keep copies somewhere other than the web server. I've seen quite a few that create a copy of your DB inside the production DB; if your DB is corrupted or hacked it doesn't do much good to have the backup inside of it, does it?

Change your database table prefix from the default wp_ to somethingelse_, so that canned SQL injection payloads written against wp_users and wp_options miss. WP Security Scan has a built-in tool for this, but I was not able to get it to work, so I did it manually.
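Doing it manually is where people get bitten, so here is an added example (my own script, not code from the post above or from WP Security Scan) that prints the SQL for the change. Renaming the tables is only part of the job: WordPress also keys the "<prefix>user_roles" row in the options table and the "<prefix>capabilities" / "<prefix>user_level" rows in usermeta on the prefix, and if those are not renamed every account loses its role and you are locked out of the dashboard. The table list is the core set of a 2.7 install and is an assumption; plugin tables must be added. Take a database backup first.

```sh
#!/bin/sh
# Added example, not from the original post: emit the SQL for a manual
# table-prefix change, then the matching wp-config.php edit.

# Core tables of a WordPress 2.7 install (assumed list; add plugin tables).
WP_CORE_TABLES="comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# gen_prefix_sql OLD NEW [TABLE ...]
# Prints the SQL to move from prefix OLD to prefix NEW. With no table names
# it uses WP_CORE_TABLES. Prefixes are assumed to be letters, digits and '_'.
gen_prefix_sql() {
    old="$1"; new="$2"; shift 2
    tables="${*:-$WP_CORE_TABLES}"

    for t in $tables; do
        printf 'RENAME TABLE %s%s TO %s%s;\n' "$old" "$t" "$new" "$t"
    done

    # '_' is a single-character wildcard in LIKE, so escape it in the old
    # prefix; the new prefix is only used as a literal value.
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')
    # SUBSTRING is 1-based: drop the old prefix, keep the rest of the key.
    start=$(( ${#old} + 1 ))

    # The role definitions live in options; per-user capabilities in usermeta.
    cat <<EOF
UPDATE ${new}options SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';
UPDATE ${new}usermeta SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${start})) WHERE meta_key LIKE '${old_like}%';
EOF
}

# update_wp_config OLD NEW FILE
# Prints FILE with the $table_prefix line changed from OLD to NEW. Redirect
# the output to a new file and swap it in; "sed -i" is avoided because its
# syntax differs between GNU and BSD sed.
update_wp_config() {
    old="$1"; new="$2"; cfg="$3"
    sed 's/^\([$]table_prefix[[:space:]]*=[[:space:]]*\)'"'$old'"'/\1'"'$new'"'/' "$cfg"
}

# Typical use (left as comments so this file can be sourced safely):
#   gen_prefix_sql wp_ x7k9_ > prefix.sql          # review it before running it
#   mysql -u wpuser -p wordpress < prefix.sql
#   update_wp_config wp_ x7k9_ wp-config.php > wp-config.new && mv wp-config.new wp-config.php
```

Run the generated SQL and the wp-config.php change together: with the tables renamed but the old $table_prefix still in wp-config.php (or the other way round), WordPress cannot find its tables and offers to install itself afresh, so take the site down for the minute this needs.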

Create a robots.txt file in your root that tells crawlers to stay out of your wp-* directories:
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/
The single-line "Disallow: /wp-*" form is shorter, but wildcards are not part of the original robots.txt standard; Google honours them, other crawlers may not, and the file does nothing at all without a User-agent line. Be clear about what this buys you: it keeps admin, plugin and theme paths out of search results, which removes one cheap way for bots to find targets (searching for a vulnerable plugin's file names). It is only a request to well-behaved crawlers, attackers ignore it, and the file is public, so never use it to "hide" anything you would not want listed.

There is a really cool plugin called AskApache that will add a second level of authentication to your dashboard and admin functions: an Apache-level password prompt in front of wp-admin, so a stolen or guessed WordPress password alone is not enough. Note that it may require a few extra config steps or modules depending on your configuration. Definitely worth playing with!

Edit your virtual host definition or .htaccess file:

- Deny directory index browsing (if you don't already globally)
Options -Indexes
This goes into your <VirtualHost> container or root .htaccess (in .htaccess it needs AllowOverride Options to be permitted). Don't write "Options All -Indexes": mixing a plain option with +/- ones in the same directive is not valid Apache syntax, 2.2 warns that the result is unpredictable and newer versions refuse to start. Without this, anyone can list wp-content/uploads and wp-content/plugins and see exactly which plugins (and versions) you run.

- Lock out your wp-config.php file for good.
<FilesMatch "^wp-config\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
When placed inside a <Directory /> container in your vhost or in the .htaccess file in your website root it denies any web access to your config file (in .htaccess this needs AllowOverride Limit; on Apache 2.4 the equivalent of the two access lines is "Require all denied"). The dot in the pattern is escaped so it matches a literal dot rather than any character. Normally PHP executes wp-config.php and nothing is ever shown, so this rule is insurance for the day PHP handling breaks (a bad upgrade or a misconfiguration), when Apache would otherwise serve the raw file, database password and all. The pattern does not cover editor backup copies such as wp-config.php~ or wp-config.php.bak, which Apache will happily serve as plain text, so delete those rather than leaving them next to the original.

Further:

These plugins+steps are by no means a foolproof way to keep baddies out of your blog. They will go a long way toward stopping bots, the most common attack vector, but if someone wants in they're probably going to find a way. It's important to be vigilant and look over your blog often: view the source and check for anything you didn't put there (hidden links and iframes are the usual signs). Having mysterious load issues? Check your server /tmp and site /uploads directories for mysterious files, especially PHP files, and look at what changed recently against what you changed yourself. Google anything you're worried about. If you want to read more on WordPress security, check out this sweet whitepaper.
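Those checks are easy to script so they actually get done. The following is an added example of my own, not code from the post, for running on the server against the document root; it assumes the standard WordPress layout (wp-content/uploads, wp-config.php in the root), and the /tmp check and the 7-day window are this script's own choices.

```sh
#!/bin/sh
# Added example, not from the original post: a small audit for the signs of
# compromise described above. Run as: audit /path/to/wordpress

# php_files_in DIR ...
# Lists PHP files (any case, including the .phtml/.php5 variants Apache is
# often configured to execute) under the given directories. A media
# directory should never contain any.
php_files_in() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \)
    done | sort
}

# suspect_php ROOT
# PHP anywhere under wp-content/uploads is the classic dropped web shell.
suspect_php() {
    php_files_in "$1/wp-content/uploads"
}

# recently_modified ROOT [DAYS]
# Files changed in the last DAYS days (default 7). Compare the list with what
# you changed yourself; anything else needs an explanation.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" | sort
}

# wp_config_world_readable ROOT
# Succeeds (exit 0) if wp-config.php is readable by "other". The file holds
# the database password and the secret keys, so other accounts on a shared
# host must not be able to read it. Fails if the file is missing.
wp_config_world_readable() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    [ -n "$(find "$cfg" -perm -004)" ]
}

# audit ROOT
# Prints a report; exit status 1 if anything was flagged.
audit() {
    root="$1"; rc=0
    echo "== PHP files under uploads and /tmp =="
    found=$(suspect_php "$root"; php_files_in /tmp)
    if [ -n "$found" ]; then echo "$found"; rc=1; else echo "none"; fi
    echo "== files modified in the last 7 days =="
    recently_modified "$root"
    echo "== wp-config.php permissions =="
    if wp_config_world_readable "$root"; then
        echo "WARNING: $root/wp-config.php is world-readable; chmod 640 it"; rc=1
    else
        echo "ok"
    fi
    return $rc
}
```

Put it in cron and mail yourself the output; the recently-modified list is noisy on a busy blog, but a PHP file under uploads or a world-readable wp-config.php is never noise.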

P.S. If you want to actually display code in your posts when in a <code> tag, get this plugin.

First “real” post FTW!

2 comments for this entry:
  1. Chris

    Check this out, a great WordPress Injection/Firewall plugin I just ran across from this post. I like his take on WordPress, but some of us are just gluttons for punishment!

    I think this belongs in the “absolutely necessary plugins” category. Note: it displays a bit of harmless debug code on its config page. If you want to remove it find and remove these lines in the php file:

    echo '<pre>';
    print_r(unserialize(get_option('default_injection_blocker_whitelisted_page')));
    echo '</pre>';

  2. Blog Security Becomes an Issue : Blog Strategies

    [...] Some of the best tips I have found in one place for increasing security come from the blog, Tech-Food-Horsepower. I recommend checking it [...]
