Is WordPress your MVC of choice? Are you having a LIVE WordPress site? then come the crucial questions
- How much secure is your WordPress MVC?
- How Crucial is your WordPress MVC to your business?
- is your WordPress Mission Critical?
Then You are at serious risks if You do not follow the next steps… There are many ways to protect a site but a rule of thumb states that The First Step Is The Best Step!?! Alternatively You could google “WordPress Security” and yes one can code snippets to counteract this but WordPress is always under development so new updates are to be expected. So Version Control (Git / Google Codes) would be a priority!
I am so sure that my down to earth advise is so prominent to deliver success and stealth on an individual basis.
To secure your WordPress MVC and make it harder for unwanted individuals to attack your website a series of Security Implementations have to be rolled in, tested and stabilised.
- Backups – As a rule of thumb a backup process must be implemented through CRON or other means and make sure these backups are kept off site! This is a Data Protection Act 1998 UK Requirement!!!
- Rename the wp-admin folder (The Most Important of ALL) – Be very careful on this!!! Easier steps coming on how to do this!
- .HTACCESS FILE to be specific and stealth enough not to allow a site critical web directory to be HTTracked.
System Integrity, folder rights and many more security flows as well as setting up the right .HTACCESS can be addressed by making use of the following plugins
Acunetix Secure WordPress – (By far one of the greatest tools in the market!) This basically allows you to literally bespoke your WordPress (Backend / Frontend) to fit your business / organisation requirements! My recommendation is to make a backup first (so easy with this plugin) then turn all RED lights to GREEN (not for the faint hearted)! Document every changes and archive procedures undertaken!
This is a free and comprehensive security tool that helps you secure your WordPress installation and suggests corrective measures for: securing file permissions, security of the database, version hiding, WordPress admin protection and lots more.
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
Akismet – This checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.
Prevent XMLRPC (Something to consider) - There’s a vulnerability in WordPress’s XMLRPC implementation, that permits trackback spam – even when you disable trackbacks. The only way to prevent this spam is to disable XMLRPC entirely. Some people have suggested renaming or deleting the xmlrpc.php file, but this is not a good idea, because it’s altering core code and not trivial for novice users to undo. This plugin completely disables WordPress’s XMLRPC functions, and doesn’t alter or rename any core files. You can enable XMLRPC again by simply disabling this plugin.
See http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/ for detailed information about the vulnerability in WordPress’s XMLRPC handler.
WTC Comment Cleaner - If you receive comments through your WordPress Blog website then there is a high chance that one day, not some day, that you fall pray simply by having allowed malicious codes to be into your comments.
Rename wp-login.php (A Must for All WordPress Sites)- If One knows your backdoor location of your house without consent then there is a serious issue to address. Before I got into WordPress I intensely was and still am Joomla and pound for pound WordPress has impressed me with its versatility and capability towards providing optimum service at a fraction!
But We’re coders and out there… surely there are decoders so the game never ends!
PLEASE RENAME OR STEALTH EVERY MISSION CRITICAL DIRECTORIES OR FILES
DO NOT LET THE OUTSIDE WORLD GUESS WHERE THE BACKDOOR / BACKEND OF YOUR SYSTEM IS LOCATED
This is a very light plugin that lets you easily and safely change wp-login.php to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the url. Deactivating this plugin brings your site back exactly to the state it was before. And I should admit every WordPress site should have this plugin! So easy for someone to maliciously DOS a site!
NB. Remember the name that you have given as parse to wp-admin directory for that would be the link to use in future to login!
Make sure to enforce Company / Organisation Policy once name parse is implemented (Guess this is the secret of the house)
Once name parse is implemented logout then try:
- http://your_website_name/wp-admin (Original Directory, open to the public)
- https://your_website_name/wp-admin (Original Directory, open to the public)