Thinking about security is not a luxury, it is essential. You ignore it at your peril until that one day disaster strikes and you’re buggered. My theory on it is much like the old adage where two blokes encounter an angry cheetah and one of them begins to put on his running shoes. His friend comments that he’ll never outrun the cheetah, to which the first replies “No, but I can outrun you”.
Thus, to me security is a matter of running faster than my friends or the blog around the corner: make the site next door the easier target. My strategy is to at least eliminate the common ways you can get attacked by bots, which are far more pervasive than the humans who write them. I think it’s important to recognise that whatever you do, there will always be some l33t out there who will find a way around it if they get it into their head that you are today’s teatime snack.
Thus, I don’t go too overboard and focus on bang for buck. If you are running the typical environment of WordPress / PHP / MySQL there are some simple yet effective steps you can take to minimise the size of the bullseye on your forehead. If you haven’t done at least some of these I strongly recommend that you do.
Users: When you create your MySQL database, also create a dedicated database user with a non-standard name and a strong password, and grant it privileges on that one database only. WordPress should never connect as root or as any account with server-wide rights, because a SQL injection in the site then becomes a compromise of every database on the server. Do the same thing in WordPress. By default WordPress creates an ‘admin’ user, and that is the first username every brute-force bot tries. Create yourself a new user with the Administrator role, log in as that user, then nuke the old admin, attributing its posts to the new account when WordPress asks. Sorry, pal.
Database: Change your database table prefix. WordPress creates all tables with the wp_ prefix set by $table_prefix in wp-config.php, and the easiest time to change it is by editing that file before installation. It is also possible to change it after installation, but that means renaming every table and fixing the option and user-meta names that embed the prefix, so back up first. The reason for changing the prefix is that, assuming the h4ckb0t has found a way to run SQL against your database, the bulk of attacks will come from canned SQL injection scripts that query wp_users, wp_options and friends by name; an unguessable prefix makes those scripts fail. Be clear about what this buys you: it is obscurity, not a fix. A person who can run arbitrary SQL can read the real table names out of information_schema in one query, so fix the injection rather than relying on the prefix.
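The two database steps above (a least-privilege MySQL user, and a prefix change before or after installation) as one script. This is an added example, not from the original post or from WordPress itself; the database name “blog”, the user “blog_rw”, the new prefix “k7q_” and the path in the usage line are assumptions for illustration. It separates generating the SQL from applying it, so you can read what will run before piping it into mysql.

```shell
#!/bin/sh
# Hypothetical helper for the two database steps above (added example, not
# from the original post). It emits the SQL for a least-privilege WordPress
# user and for a table-prefix change, and rewrites $table_prefix in
# wp-config.php. Names such as the database "blog", user "blog_rw" and the
# new prefix "k7q_" are assumptions for illustration.
set -eu

# Escape a value for use inside a single-quoted MySQL string literal.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# A user that can only touch the WordPress database. Core upgrades and
# plugins need CREATE/DROP/ALTER/INDEX on top of the DML privileges, but
# nothing here is server-wide, so the site never runs as MySQL root.
gen_db_user_sql() {
    db=$1 user=$2 pass=$(sql_quote "$3") host=${4:-localhost}
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES ON \`%s\`.* TO '%s'@'%s';\n" \
        "$db" "$user" "$host"
    printf 'FLUSH PRIVILEGES;\n'
}

# Rename the tables passed as arguments from OLD to NEW prefix, then fix the
# places WordPress stores the prefix inside rows: the *_user_roles option and
# the per-user *_capabilities / *_user_level meta keys. The table list is a
# parameter so the caller can take it from information_schema (see apply).
gen_prefix_sql() {
    old=$1 new=$2
    shift 2
    for t in "$@"; do
        case $t in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
        esac
    done
    pos=$(( ${#old} + 1 ))                           # SUBSTRING is 1-based
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')%    # '_' is a LIKE wildcard
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';\n" \
        "$new" "$new" "$pos" "$like"
}

# Point wp-config.php at the new prefix; this and the RENAMEs must happen
# together or WordPress will not find its tables. A .bak copy is kept.
set_config_prefix() {
    cfg=$1 new=$2
    sed -i.bak "s/^\([$]table_prefix[[:space:]]*=[[:space:]]*\)['\"][^'\"]*['\"];/\1'$new';/" "$cfg"
    grep -q "^[$]table_prefix[[:space:]]*=[[:space:]]*'$new';" "$cfg"
}

# Apply everything against a live server (needs the mysql client and an
# admin login; -p prompts for the admin password). Take a backup first.
apply() {
    db=$1 user=$2 pass=$3 cfg=$4 old=$5 new=$6
    gen_db_user_sql "$db" "$user" "$pass" | mysql -u root -p
    tables=$(mysql -u root -p -N -e \
        "SELECT table_name FROM information_schema.tables WHERE table_schema = '$db' AND table_name LIKE '$(printf '%s' "$old" | sed 's/_/\\_/g')%'")
    # shellcheck disable=SC2086  # word-splitting the table list is intended
    gen_prefix_sql "$old" "$new" $tables | mysql -u root -p "$db"
    set_config_prefix "$cfg" "$new"
}

# e.g.  ./wp-db-harden.sh blog blog_rw 'S0me-l0ng-passphrase' /var/www/html/wp-config.php wp_ k7q_
if [ $# -eq 6 ]; then
    apply "$@"
fi
```

Two things worth noticing: the GRANT is scoped to one database and never hands out FILE, SUPER or anything on *.*, and the prefix change uses CONCAT/SUBSTRING rather than REPLACE so only the leading prefix of a meta key is rewritten. Plugins that keep their own tables under the old prefix are picked up by the information_schema query; plugins that hard-code wp_ in their SQL will break, which is a good way to find them.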
Access: Lock down your public web directories. Make sure that only the files and users you want to see your content have access to them. There are a number of good guides on how to do this via .htaccess files (the Order / Allow / Deny syntax below is Apache 2.2; Apache 2.4 uses Require unless mod_access_compat is loaded, and mixing the two styles in one config gives confusing denials). You certainly want to restrict wp-admin (I only allow connections from specific IP addresses to this and deny all else), but you should look into restricting the wp-content and wp-includes directories as well. Above all else protect your king, the wp-config.php file in the root, which holds your database credentials in plain text. This seems straightforward, but I’m having a bit of a problem when I do this on wp-content. For some reason when I use the following file it seems to break the CSS formatting on the whole site… Suggestions anyone?
# Deny everything in this directory by default (Apache 2.2 syntax)
Order Allow,Deny
Deny from all
# ...then allow the static asset types a browser has to fetch directly.
# The pattern needs straight quotes and an escaped dot: with smart quotes
# it never matches, so stylesheets are denied along with everything else.
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Hide Plug-ins: Some plug-ins (especially older ones) have known vulnerabilities, and bots scan for them by requesting the plug-in’s path by name. Stay on top of new releases and delete the plug-ins you don’t use (a deactivated plug-in’s files are still reachable from the web), and stop the web server from listing the plug-in directory: either put Options -Indexes in your .htaccess (needs AllowOverride Options) or drop an empty index.html into wp-content/plugins, and into wp-content/themes and wp-content/uploads while you are at it. WordPress ships a placeholder index.php in plugins and themes, but the dated upload folders it creates later have none. Bear in mind this only hides the listing; an attacker can still read plug-in names out of your pages’ HTML source or request a known path directly, so it slows down bots, not people.
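The Access and Hide Plug-ins steps as one installer script. This is an added example, not from the original post or from WordPress; it assumes Apache with .htaccess processing enabled for the document root, that wp-config.php is owned by the deploy user with the web server’s group, and uses the RFC 5737 documentation range 203.0.113.x and /var/www/html as placeholder values. It goes slightly beyond the text: it emits both the 2.2 and 2.4 access syntax, it exempts admin-ajax.php from the wp-admin IP restriction (front-end plug-ins call it for anonymous visitors, so locking it down breaks them), and it allows a few more asset types than the original rule.

```shell
#!/bin/sh
# Hypothetical installer for the access rules discussed above (added example,
# not from the original post). Assumes Apache with .htaccess processing
# enabled for the document root (AllowOverride) and that wp-config.php is
# owned by the deploy user with the web server's group. The document root
# and the admin IP addresses (203.0.113.x is a documentation range) are
# arguments; paths such as /var/www/html in the usage line are assumptions.
set -eu

# Access-control stanza that works on both Apache 2.2 (Order/Allow/Deny) and
# 2.4 (Require) without mixing the two. $1 is "deny", "allow" or an IP list.
access_rule() {
    case $1 in
        deny)
            printf '<IfModule mod_authz_core.c>\n  Require all denied\n</IfModule>\n'
            printf '<IfModule !mod_authz_core.c>\n  Order Allow,Deny\n  Deny from all\n</IfModule>\n' ;;
        allow)
            printf '<IfModule mod_authz_core.c>\n  Require all granted\n</IfModule>\n'
            printf '<IfModule !mod_authz_core.c>\n  Order Allow,Deny\n  Allow from all\n</IfModule>\n' ;;
        *)
            printf '<IfModule mod_authz_core.c>\n  Require ip %s\n</IfModule>\n' "$1"
            printf '<IfModule !mod_authz_core.c>\n  Order Deny,Allow\n  Deny from all\n  Allow from %s\n</IfModule>\n' "$1" ;;
    esac
}

# Append stdin to the .htaccess in $1 once, so re-running does not duplicate
# rules and an existing WordPress rewrite block is left intact.
append_once() {
    if grep -qs '^# wp-hardening' "$1"; then
        cat > /dev/null
        return 0
    fi
    { printf '# wp-hardening\n'; cat; } >> "$1"
}

# Document root: no directory listings, and wp-config.php (database
# credentials in plain text) is never served, even if PHP handling breaks
# and Apache falls back to delivering the file as text.
write_root_htaccess() {
    {
        printf 'Options -Indexes\n<Files wp-config.php>\n'
        access_rule deny
        printf '</Files>\n'
    } | append_once "$1/.htaccess"
}

# wp-admin: only the listed IPs, except admin-ajax.php, which front-end
# plug-ins and themes call on behalf of anonymous visitors.
write_admin_htaccess() {
    {
        access_rule "$2"
        printf '<Files admin-ajax.php>\n'
        access_rule allow
        printf '</Files>\n'
    } | append_once "$1/wp-admin/.htaccess"
}

# wp-content: deny everything (including direct requests to plug-in and theme
# PHP files) except the static asset types a browser fetches. The regex needs
# straight quotes and an escaped dot or it never matches and the CSS breaks.
write_content_htaccess() {
    {
        access_rule deny
        printf '<FilesMatch "\\.(css|js|jpe?g|png|gif|ico|svg|woff2?|ttf|eot)$">\n'
        access_rule allow
        printf '</FilesMatch>\n'
    } | append_once "$1/wp-content/.htaccess"
}

# Empty index files where WordPress does not ship one, so a directory that
# still has listings enabled shows nothing rather than the plug-in names.
drop_index_files() {
    for d in "$1/wp-content" "$1/wp-content/plugins" "$1/wp-content/themes" "$1/wp-content/uploads"; do
        if [ -d "$d" ] && [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            : > "$d/index.html"
        fi
    done
}

harden() {   # usage: harden DOCROOT ADMIN_IP [ADMIN_IP ...]
    root=$1
    shift
    write_root_htaccess "$root"
    write_admin_htaccess "$root" "$*"
    write_content_htaccess "$root"
    drop_index_files "$root"
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"   # readable by the server group only
    fi
}

# e.g.  ./wp-htaccess-harden.sh /var/www/html 203.0.113.7 203.0.113.8
if [ $# -ge 2 ]; then
    harden "$@"
fi
```

After running it, check the result the way a bot would: fetch /wp-config.php, /wp-content/plugins/ and /wp-admin/ from an address that is not on the list and confirm each returns 403, then load the front page and confirm the stylesheet still arrives with 200. If a plug-in stops working, it is almost certainly calling a PHP file under wp-content directly; allow that one file with its own Files block rather than reopening the whole directory.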
So that’s it. As anyone worth their salt can tell you, this is a beginning, not a complete hardening. If you want a truly secure installation, I am not your man. But the above steps should stop you being eaten by the most common cheetah.