CarmaBlog

Agility, Java programming, New technologies and more…
Tips to make your WordPress website secure

Fabian Piau | Wednesday October 10th, 2018 - 06:43 PM

WordPress is one of the most popular CMSs (Content Management Systems). That popularity also makes it a target of choice for attackers: a flaw in WordPress core or in a widely used plugin can be exploited on thousands of sites with the same automated script.
In this article, I will give you some tips to keep your website secure and reduce the risk of being attacked.


1. Use the latest versions

This is true for WordPress itself but also for all your extensions. New versions are released regularly, and many of them fix security issues. If a plugin has not been updated for a while, it is probably not maintained anymore and you should remove or replace it. The same applies to your theme.
The version of PHP is also important. Check with your hosting provider that you are running a current version of PHP (7.x): security support for the 5.x branch ends with PHP 5.6 on 31 December 2018, after which no security fixes are published for it.
Also note that the more extensions you have installed, the more risk you are taking, because your WordPress installation relies on more third-party code. Only keep the plugins you really need. Deactivating a plugin is not enough: its PHP files stay on the server and can still be requested directly over HTTP, so a vulnerability in a deactivated plugin can remain exploitable. Delete the plugin and all its associated files.
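An added example (not code from the article or from WordPress): a Python script that lists the plugins present under wp-content/plugins with the version each declares in its plugin header, and reports the ones that are not in the active set, so that you can delete them instead of leaving their files on the server. The active set, the directory path and the three sample plugins it builds in a temporary folder are assumptions made for the example.

```python
"""Inventory WordPress plugins on disk and flag the ones that are not active.

Added example for this article, not code from WordPress or from the original
post. It reads the standard plugin header comment ("Plugin Name:", "Version:")
the way WordPress's get_file_data() does, then compares the slugs on disk with
the set of active plugins, which you supply (from the dashboard, or from
`wp plugin list --status=active --field=name` if WP-CLI is available).
"""
import os
import re
import tempfile

HEADER_BYTES = 8192            # WordPress only reads the first 8 KiB for the header
HEADER_FIELDS = ("Plugin Name", "Version", "Author")


def parse_plugin_header(php_source):
    """Extract the plugin header fields from the text of a plugin's main PHP file."""
    head = php_source[:HEADER_BYTES]
    info = {}
    for field in HEADER_FIELDS:
        # Field name at the start of a line (after comment decoration), a colon, the value.
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", head, re.M | re.I)
        if m:
            info[field] = m.group(1).strip().rstrip("*/").strip()
    return info


def inventory_plugins(plugins_dir):
    """Map each plugin slug under wp-content/plugins to its header fields.

    A plugin is a directory whose main PHP file carries the header, or a single
    top-level PHP file (like the bundled hello.php, whose slug is "hello")."""
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, entry)
        if os.path.isdir(path):
            slug = entry
            candidates = [os.path.join(path, f) for f in sorted(os.listdir(path)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            slug = os.path.splitext(entry)[0]
            candidates = [path]
        else:
            continue
        for php_file in candidates:
            with open(php_file, encoding="utf-8", errors="replace") as fh:
                info = parse_plugin_header(fh.read(HEADER_BYTES))
            if "Plugin Name" in info:
                info["File"] = os.path.relpath(php_file, plugins_dir)
                found[slug] = info
                break              # the first file carrying a header is the main plugin file
    return found


def stale_plugins(inventory, active):
    """Slugs installed on disk but not active: their files are still reachable, delete them."""
    return sorted(slug for slug in inventory if slug not in active)


def build_sample_plugins_dir():
    """Constructed plugin tree (not a real site) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    os.makedirs(os.path.join(root, "akismet"))
    with open(os.path.join(root, "akismet", "akismet.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Akismet Anti-Spam\n * Version: 4.0.8\n * Author: Automattic\n */\n")
    os.makedirs(os.path.join(root, "old-gallery"))
    with open(os.path.join(root, "old-gallery", "old-gallery.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Old Gallery\nVersion: 1.2\n*/\n")
    with open(os.path.join(root, "hello.php"), "w") as fh:
        fh.write("<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n")
    return root


if __name__ == "__main__":
    plugins_dir = build_sample_plugins_dir()
    active = {"akismet"}       # assumption: what the dashboard (or WP-CLI) reports as active
    inventory = inventory_plugins(plugins_dir)
    for slug, info in inventory.items():
        state = "active" if slug in active else "INACTIVE, delete it"
        print(f"{slug:15} {info.get('Version', '?'):8} {state}")
    print("to delete:", stale_plugins(inventory, active))
```

On a real site, point inventory_plugins at your wp-content/plugins directory and build the active set from the Plugins page of the dashboard; the declared versions are what you then compare against the plugin repository and the scanners of section 3.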


2. Use secure login details

Never use the default admin user: it is the first username that brute-force scripts try. If you still have it, create your own account with a personalised username, give it the administrator role, then delete (or at least disable) the admin account.
Choose a strong, unique password, and enable two-factor authentication if your hosting or a plugin offers it. If several users manage your website, review their roles regularly and apply least privilege: an author or editor account is enough for writing articles, so do not give the administrator role to everyone.


3. Scan your website

This is an easy and quick way to find known vulnerabilities and see whether one of your plugins is affected. You can use these two online tools:

  • WordPress Security Scan (my favourite, with a detailed report)
  • WPScans

Keep in mind what such scanners do: they look at what your site exposes publicly (version numbers, plugin names, readme files) and match it against a database of published vulnerabilities. A clean report means nothing known was spotted from the outside, not that the site is secure.


4. Use .htaccess files to protect your directories

The .htaccess file is a per-directory configuration file for the Apache web server. It lets you define rules for the server to follow for that directory and everything below it, without touching the main server configuration, which is usually all you get on shared hosting.

For example, in /wp-content/uploads, I have created the following .htaccess:

# Deny access to everything by default
Order deny,allow
Deny from all

# Allow access to media files
<FilesMatch "\.(jpg|jpeg|png|gif|bmp|zip|rar|pdf)$">
    Allow from all
</FilesMatch>

This configuration ensures only media files are served from that directory; a request for a JavaScript or PHP file there gets a 403. It is not 100% bulletproof, because only the file extension is checked (a disguised file is still served if its name ends with an allowed extension), but it is better than nothing: a web shell uploaded through a vulnerable plugin into wp-content/uploads can no longer be executed by requesting it. The directives above are the Apache 2.2 syntax; they still work on Apache 2.4 as long as mod_access_compat is loaded, which is the case on most shared hosting. The native 2.4 equivalents are Require all denied and Require all granted.

To prevent PHP files from being executed at all in a folder that never needs to serve them directly (e.g. /wp-includes), create another .htaccess file with the following content. After adding it, check that the dashboard and the editor still work, because a rule like this applies to every subfolder as well.

<Files *.php>
Order allow,deny
Deny from all
</Files>


5. Review file and directory permissions

Make sure the critical files (wp-config.php, php.ini...) are not writable by anyone except their owner, and that wp-config.php is not readable by other local users either, since it contains your database credentials and secret keys. A common baseline on Linux hosting is 644 for files, 755 for directories, and 600 for wp-config.php (or 640 if PHP runs as a different user in the same group as the owner). Nothing should be world-writable (777), not even the uploads directory.
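As an added example, not from the article, here is a small Python audit of that baseline. It walks the installation, reports world-writable or group-writable entries and any wp-config.php or php.ini readable by everyone, and can apply the suggested modes. The target modes and the sample tree with deliberate mistakes are assumptions made for the example.

```python
"""Audit (and optionally fix) file permissions of a WordPress install.

Added example for this article, not code from WordPress or the original post.
It flags anything writable by everyone, group-writable entries unless you
allow them, and wp-config.php/php.ini readable by other local users. The
target modes are assumptions: 644 for files, 755 for directories, 600 for
the sensitive files (use 640 if PHP runs as a different user in your group).
"""
import os
import stat
import tempfile

SENSITIVE = {"wp-config.php", "php.ini", ".user.ini"}   # contain credentials or PHP settings


def audit_permissions(root, allow_group_write=False):
    """Return a sorted list of (relative path, octal mode, problem) for everything under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue                        # judge the target where it actually lives
            mode = os.lstat(path).st_mode
            perm = stat.S_IMODE(mode)
            rel = os.path.relpath(path, root)
            kind = "directory" if stat.S_ISDIR(mode) else "file"
            if perm & stat.S_IWOTH:
                findings.append((rel, oct(perm), f"world-writable {kind}"))
            elif perm & stat.S_IWGRP and not allow_group_write:
                findings.append((rel, oct(perm), f"group-writable {kind}"))
            if name in SENSITIVE and perm & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
                findings.append((rel, oct(perm), "sensitive file readable by everyone"))
    return sorted(findings)


def suggested_mode(name, is_dir):
    if is_dir:
        return 0o755
    return 0o600 if name in SENSITIVE else 0o644


def fix_permissions(root, apply=False):
    """List the (path, old, new) chmod changes needed; only perform them when apply=True."""
    changes = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            st = os.lstat(path)
            old = stat.S_IMODE(st.st_mode)
            new = suggested_mode(name, stat.S_ISDIR(st.st_mode))
            if old != new:
                changes.append((os.path.relpath(path, root), oct(old), oct(new)))
                if apply:
                    os.chmod(path, new)
    return sorted(changes)


def build_sample_site():
    """Constructed tree with two deliberate mistakes, so the script runs offline."""
    root = tempfile.mkdtemp(prefix="wp-site-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)   # "make uploads work" done wrong
    for name in ("wp-config.php", "index.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php\n")
        os.chmod(os.path.join(root, name), 0o644)                  # 644 leaks wp-config.php to local users
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, mode, problem in audit_permissions(site):
        print(f"{mode}  {rel:25} {problem}")
    for rel, old, new in fix_permissions(site, apply=True):        # dry run first on a real site
        print(f"chmod {new[2:]} {rel}  (was {old[2:]})")
    print("remaining findings:", audit_permissions(site))
```

Run it with apply=False first on a real site, and check which user PHP runs as before tightening wp-config.php to 600: if the PHP process is not the file owner, 640 with the web server's group is the mode to use, otherwise the site goes down with a database connection error.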


6. Use security headers

You can check which security headers your site currently sends with an online scanner, or simply by looking at the response headers in your browser's developer tools (Network tab).

At the root folder, update the .htaccess file and add:

# Extra Security Headers
<IfModule mod_headers.c>
	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
	Header set X-XSS-Protection "1; mode=block"
	Header set X-Frame-Options "SAMEORIGIN"
	Header set X-Content-Type-Options "nosniff"
	# Apache adds its Server header after mod_headers runs, so this line has no effect;
	# set ServerTokens Prod and ServerSignature Off in the main server configuration instead.
	Header unset Server
	# "always" also covers error responses (4xx/5xx), which otherwise keep the header.
	Header always unset X-Powered-By
	Header unset X-Powered-By
	Header unset X-CF-Powered-By
	Header unset X-Mod-Pagespeed
	Header unset X-Pingback
</IfModule>

A few caveats on these headers. X-XSS-Protection is a legacy header: Firefox never implemented it and Chromium-based browsers have since removed the filter it controlled, so do not rely on it; a Content-Security-Policy is the modern replacement, but it needs careful testing on a WordPress site because themes and plugins use inline scripts. Only send Strict-Transport-Security once the whole site is served over HTTPS, and keep includeSubDomains only if every subdomain is too: once a browser has cached the header, any HTTP-only subdomain becomes unreachable for max-age seconds.

If you prefer to do it in PHP rather than in the web server configuration (pick one place, not both), add to wp-config.php:

/** Extra Security (headers must be sent before any output; wp-config.php is loaded early, so that is fine) */
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block'); // legacy header, ignored by modern browsers
header('X-Content-Type-Options: nosniff');
// Keep "preload" only if you intend to submit the domain to the HSTS preload list; it is hard to undo.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
header('Referrer-Policy: no-referrer-when-downgrade');
// header_remove() only affects headers set by PHP itself: X-Powered-By goes away, but Apache's own
// Server header does not (use ServerTokens Prod in the server configuration), and X-Pingback is added
// later by WordPress, after this file has run, so the .htaccess rule above is what removes it.
header_remove('X-Powered-By');
header_remove('Server');
header_remove('X-CF-Powered-By');
header_remove('X-Mod-Pagespeed');
header_remove('X-Pingback');
// These only harden PHP native sessions, which WordPress core does not use (some plugins do);
// WordPress's own auth cookies are already HttpOnly, and Secure when the site runs over HTTPS.
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
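Below is an added example, not part of the original article, of how to check the result of this configuration, offline and against a live site: a Python script that parses response headers, then reports missing or weak security headers, version-revealing Server and X-Powered-By headers, and cookies lacking the HttpOnly and Secure flags. The two sample responses (a default WordPress on Apache, and the same site after hardening) are constructed for the example; fetch_head() takes whatever URL you give it.

```python
"""Check a site's response headers for the security headers discussed above.

Added example for this article, not code from the original post. It parses a
raw HTTP response head (a constructed sample is embedded so it runs offline)
and reports missing or weak security headers, headers that leak software
versions, and cookies without the HttpOnly/Secure flags. fetch_head() does the
same against a live site; its URL is whatever you pass in.
"""
import http.client
import re
from urllib.parse import urlsplit

SIX_MONTHS = 15552000


def hsts_ok(value):
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= SIX_MONTHS   # anything shorter gives little protection


# Expected headers and a predicate saying whether the value is acceptable.
REQUIRED = {
    "strict-transport-security": hsts_ok,
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "content-security-policy": lambda v: bool(v.strip()),   # reported as info only
}
# Headers that reveal what software runs the site.
LEAKY = ("x-powered-by", "x-pingback", "x-cf-powered-by", "x-mod-pagespeed")


def parse_headers(raw):
    """Turn a raw response head into a list of (lowercased name, value) pairs."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:    # skip the status line
        if not line.strip():
            break                                             # blank line ends the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_headers(headers):
    """Return (severity, message) findings for a parsed header list."""
    present = {}
    for name, value in headers:
        present.setdefault(name, []).append(value)
    findings = []
    for name, ok in REQUIRED.items():
        if name not in present:
            severity = "info" if name == "content-security-policy" else "missing"
            findings.append((severity, f"{name} not set"))
        elif not all(ok(v) for v in present[name]):
            findings.append(("weak", f"{name} has a weak value: {present[name]}"))
    for name in LEAKY:
        if name in present:
            findings.append(("leak", f"{name} reveals software: {present[name]}"))
    for value in present.get("server", []):
        if re.search(r"\d", value):                # "Apache" is fine, "Apache/2.4.29" is not
            findings.append(("leak", f"server header reveals a version: {value}"))
    for value in present.get("set-cookie", []):
        flags = value.lower()
        if "httponly" not in flags or "secure" not in flags:
            findings.append(("weak", f"cookie without HttpOnly/Secure: {value.split(';')[0]}"))
    return findings


def fetch_head(url, timeout=10):
    """Live check with a HEAD request (needs network; not used by the sample run below)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    conn.request("HEAD", parts.path or "/", headers={"User-Agent": "header-check/1.0"})
    return [(k.lower(), v) for k, v in conn.getresponse().getheaders()]


# Constructed samples: a default WordPress-on-Apache response, and the same after hardening.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.10\r\n"
    "X-Pingback: https://blog.example/xmlrpc.php\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label}")
        for severity, message in check_headers(parse_headers(raw)):
            print(f"[{severity}] {message}")
```

Against a live site, call check_headers(fetch_head("https://your-site")) and look at the admin pages as well as the home page, since a caching plugin or a CDN may serve the two with different headers.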


7. Do not expose too much information

In php.ini, add the line:

expose_php = Off

PHP will then stop announcing its version in the X-Powered-By header. Note that expose_php is a system-level setting (PHP_INI_SYSTEM): it cannot be set from .htaccess or .user.ini, only in php.ini or in the PHP-FPM pool configuration. On shared hosting that runs PHP as CGI/FastCGI, a php.ini placed at the root folder of your website is usually honoured; otherwise ask your hosting provider. If you control the Apache configuration, also set ServerTokens Prod and ServerSignature Off, so that the Server header and the error pages do not reveal the Apache version and loaded modules.


8. Backup your website regularly

Last but not least! You do not need particular software or an extra plugin for this.

  • With your favourite FTP tool (e.g. FileZilla), save all the files on your server. Use SFTP or FTPS rather than plain FTP, which sends your password in clear text.
  • For the database, use the MySQL backup feature that comes with your hosting. Many hosting companies provide phpMyAdmin, an online tool, which can export the whole database as a .sql file; with shell access, mysqldump does the same from the command line.

I recommend doing a backup every month and keeping the last 6 backups somewhere safe, which means off the server: a backup stored next to the site disappears with it when the account is compromised or the disk fails. Of course, the frequency depends on how often you write articles and how critical your data is. Test a restore once on a spare installation, because a backup you have never restored is only a hope.
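An added example (not the article's own procedure, which is manual) of the same backup done as a script, for sites where you have shell access: a Python script that takes the database credentials from wp-config.php, runs mysqldump with the password kept out of the command line, archives the document root and keeps only the last six backup sets. The paths, the file naming scheme and the sample site it builds are assumptions; on a real host, copy the resulting files off the server afterwards.

```python
"""Backup of a WordPress site: files, database, and rotation of old copies.

Added example for this article, not code from WordPress or the original post.
It reads the database credentials from wp-config.php, runs mysqldump with the
password passed through the environment (so it does not appear in the process
list), archives the document root, and keeps only the last KEEP backup sets.
Paths are assumptions; the sample run below uses a constructed site and skips
mysqldump so that it works offline.
"""
import os
import re
import subprocess
import tarfile
import tempfile
import time

KEEP = 6                 # backup sets to keep, as recommended above
PREFIX = "wp-"           # files are named wp-YYYYmmdd-HHMMSS.tar.gz and .sql


def read_db_settings(wp_config_source):
    """Extract DB_NAME/DB_USER/DB_PASSWORD/DB_HOST from the text of wp-config.php."""
    settings = {}
    for key in ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"):
        m = re.search(r"define\(\s*['\"]" + key + r"['\"]\s*,\s*['\"](.*?)['\"]\s*\)", wp_config_source)
        if m:
            settings[key] = m.group(1)
    return settings


def build_dump_command(settings):
    """mysqldump argv and environment; the password travels in MYSQL_PWD, never in argv."""
    host, _, port = settings.get("DB_HOST", "localhost").partition(":")
    cmd = ["mysqldump", "--single-transaction", "--host", host, "--user", settings["DB_USER"]]
    if port:
        cmd += ["--port", port]
    cmd.append(settings["DB_NAME"])
    env = dict(os.environ, MYSQL_PWD=settings.get("DB_PASSWORD", ""))
    return cmd, env


def dump_database(settings, dest_path):
    cmd, env = build_dump_command(settings)
    with open(dest_path, "wb") as out:
        subprocess.run(cmd, env=env, stdout=out, check=True)
    return dest_path


def archive_files(site_root, dest_path):
    """Tar+gzip the whole document root: wp-config.php, uploads, themes, plugins."""
    with tarfile.open(dest_path, "w:gz") as tar:
        tar.add(site_root, arcname=os.path.basename(site_root.rstrip("/")))
    return dest_path


def list_backup_sets(backup_dir):
    """Sorted timestamps present in backup_dir; the name format makes lexical order chronological."""
    return sorted({n[len(PREFIX):].split(".")[0] for n in os.listdir(backup_dir) if n.startswith(PREFIX)})


def rotate(backup_dir, keep=KEEP):
    """Delete the oldest sets beyond `keep` (both .sql and .tar.gz); return the removed names."""
    stamps = list_backup_sets(backup_dir)
    doomed = set(stamps[:-keep]) if len(stamps) > keep else set()
    removed = []
    for name in sorted(os.listdir(backup_dir)):
        if name.startswith(PREFIX) and name[len(PREFIX):].split(".")[0] in doomed:
            os.remove(os.path.join(backup_dir, name))
            removed.append(name)
    return removed


def backup(site_root, backup_dir, with_database=True):
    """One full run: files, then database, then rotation. Returns the new set's timestamp."""
    os.makedirs(backup_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    archive_files(site_root, os.path.join(backup_dir, f"{PREFIX}{stamp}.tar.gz"))
    if with_database:
        with open(os.path.join(site_root, "wp-config.php"), encoding="utf-8") as fh:
            dump_database(read_db_settings(fh.read()), os.path.join(backup_dir, f"{PREFIX}{stamp}.sql"))
    rotate(backup_dir)
    return stamp


def build_sample(old_sets=8):
    """Constructed site plus a backup directory already holding `old_sets` monthly sets."""
    site = tempfile.mkdtemp(prefix="wp-site-")
    with open(os.path.join(site, "wp-config.php"), "w") as fh:
        fh.write("<?php\ndefine('DB_NAME', 'blog');\ndefine('DB_USER', 'blog_rw');\n"
                 "define('DB_PASSWORD', 'not-a-real-password');\ndefine( \"DB_HOST\", \"localhost:3306\" );\n")
    backup_dir = tempfile.mkdtemp(prefix="wp-backups-")
    for month in range(1, old_sets + 1):
        for ext in ("tar.gz", "sql"):
            open(os.path.join(backup_dir, f"{PREFIX}2018{month:02d}01-000000.{ext}"), "w").close()
    return site, backup_dir


if __name__ == "__main__":
    site, backup_dir = build_sample()
    print("removed:", rotate(backup_dir))
    print("new set:", backup(site, backup_dir, with_database=False))   # True on a real host
    print("kept:", list_backup_sets(backup_dir))
```

Schedule backup() from cron with with_database=True and a backup_dir outside the document root (otherwise the archive, wp-config.php included, becomes downloadable), then sync that directory to another machine or storage account.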


That's it! If you have done all the above, your website should be more resilient to attacks, and in the worst case you should be able to recover easily.

Happy safe blogging!

Categories
Technology
Tags
hacking, hacker, security, wordpress

Some basic rules to prevent your accounts from getting hacked

Fabian Piau | Friday November 1st, 2013 - 10:15 AM

Note
April 2014: the internet discovers the widespread "Heartbleed" security bug. The recommendation is to change all your passwords, but only once the affected service has patched OpenSSL and replaced its certificate, otherwise the new password can leak the same way. Take advantage of Heartbleed to choose better passwords :)

When we think of computer security, security software like antivirus programs and firewalls immediately comes to mind. Actually, we forget that one of the root causes of getting hacked is... you!


Prevention is better than cure.

You know that old saying; it applies to your computer habits as well.


Good security starts with a good password

  • Use a different password for each application you use. That way, if someone finds out your Facebook password, they will not be able to log in to your Twitter account with it. A password manager makes this painless, since you no longer have to remember them all.

  • Currently, many websites (even some famous ones) do not hash their users' passwords. Who has never received an email containing a password reminder?
    One might say: hooray, great, I will be able to recover my password easily if I forget it. Actually, it would be better to think: hmm, if my mailbox gets hacked, the attacker gets this password; worse, it means my password is sitting somewhere in plain text in a database. It also means the administrator or other people can read it (and imagine if the website itself gets breached).
    Unfortunately, this problem is not on your side, but again it is a very good reason to have different passwords.

  • Your password must be neither simple nor predictable. A date of birth, the name of your pet or one of your children, a word taken from the dictionary... avoid all of these! Dictionary and brute-force attacks (trying likely words first, then every combination) will find such a password in a short amount of time: hardware is very powerful now, and a leaked password database can be attacked offline at billions of guesses per second when the site used a weak hashing scheme. Therefore, choose a password that is long (length matters more than anything else) and mixes uppercase and lowercase letters, digits and symbols. Of course, a complex password is great, but if you have to write it on a Post-it to remember it, that is not the right solution either; a long passphrase made of several unrelated words is both easy to remember and hard to guess. You have to strike a happy medium.

  • When possible, use stronger authentication, such as two-factor authentication: a confirmation code sent to your phone or generated by an app, requested in addition to your password. This kind of service is usually offered by the largest software companies such as Google or Facebook.


Good security also requires common sense

  • Avoid connecting to public Wi-Fi networks and other free hotspots, especially to use unsecured services. Unsecured means that the data exchanged is not encrypted. You can recognise secure services by the 'https' prefix in the URL (the 's' matters); fortunately, the most popular applications support it.
    Why? Anyone on the same network can listen to the traffic and collect all the exchanged data with a sniffer. The captured data is hard to read at first sight, but an expert can isolate any useful information. If you are searching for kitten videos on YouTube, you will not care much, but if you log in to an application through an unencrypted form, your password goes over the air in clear text, which is more annoying...

  • When downloading software, always take a look at the download URL.
    For instance, if you want to download the latest version of iTunes, go to the Apple website, and avoid generic websites such as downloadfreesoftwares.com (I would not be surprised if this website exists). Use the publisher's website first. Failing that, use well-known and trusted download websites, and when the publisher provides a checksum or signature for the file, check it.

  • The same goes for online services: make sure a service can be trusted before you register and hand over your personal information.

  • Pay attention to your emails, especially strange ones that your email software did not identify as spam.
    Just yesterday, I received an email from the French tax department informing me of a refund of 178.20 euros due to a mistake. The email looked so real (no misspellings) that I thought it was good news. When I clicked on the link, I realised something was wrong. It was not the usual URL of the French government website, and above all I was asked to enter my credit card details. This is clearly a phishing attempt: a fake page with a classic form that reproduced the official website exactly (design, header, footer and so on). It is really easy to fall into the trap.

  • One last tip: update your software and applications when new updates are available. That means your browser and its plugins, any installed software... and even your blog engine (if you have one; I use WordPress, which is updated several times a year).
    Every day, security vulnerabilities are discovered and fixed. A security flaw is usually (at least when it is a big one) published in the press, and from then on it is a door left open to attackers on every machine that has not applied the fix. I do not want to scare you, but remember it!


If you follow this advice every day and stay vigilant, you should avoid most kinds of virtual trouble! At least, you cannot say that nobody warned you!

I realise I have maligned cats a little in this article; I hope they will forgive me...


Categories
Technology
Tags
account, flaw, phishing, hacking, hacker, security, spam
Fabian Piau | Copyright © 2009 - 2019