WordPress Best Practices, Part Three: Reduce Visibility To Hackers

by Paul on September 2, 2011

In the previous two sections I’ve opted to focus on security and reducing your risk of being hacked. In this article I’m going to run through a few things you can do to really minimize your public visibility and reduce the chances you’ll even be targeted by hackers.

Some of you may think I’m really dragging this security issue out, but seriously, prevention in this case is far better than the cure. It’s cheaper, quicker, and a lot less stress!

Some or all of these changes may be applicable to you. Review each on its own merit and implement as you see fit.

The Powered by WordPress link – get rid of it.

Security is only 1 reason to get rid of this link sitting at the footer of each of your WordPress sites.

Having this sitting at the bottom of your website is like walking through Barcelona with a sticker on the pocket of your jeans saying: “my wallet is in this one.”

To remove this:

  1. Under ‘Appearance’ menu, click ‘Editor’
  2. Ensure that on the top-right, the theme being edited is your active theme.
  3. On the right-hand side, click on ‘footer.php’ to edit this file.
  4. Within the text, locate the text “Powered by WordPress” and delete the line.
  5. Click ‘Update File’ to save.

If you want to give kudos back to WordPress.org elsewhere, you could mention it in other pages or posts. No harm.

This approach will need to be repeated each time you update the theme. Alternatively you could consider creating a WordPress child theme and making your changes there.

Meta Generator Tag – get rid of it

This meta tag displays to the world that you’re using WordPress and the version number you’re running. It’s not the end of the world, but I don’t think this is necessary, and it is similar to the previous section in its advertisement of your vulnerability.

To resolve this, you can do one of a number of things. My preference is using the WordPress SEO plugin by Yoast.

  1. Install the plugin
  2. From the SEO plugin menu, go to ‘Indexation’
  3. Locate (at the bottom) and check the box ‘Hide WordPress Generator’
  4. Click ‘Save Indexation Settings’

Alternatively you could edit the theme again. This is much the same as the ‘Powered by WordPress’ link, except you would edit the header.php file and locate the generator line and remove that.
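A theme-independent way to do the same thing, added here as an example rather than taken from the post or the Yoast plugin: put the hooks in a child theme’s functions.php (or a small site-specific plugin) so a theme update does not bring the tag back. The hlt_ prefix is just a placeholder namespace assumed for this example.

```php
<?php
// Added example, not from the original post: remove WordPress version
// disclosures without editing header.php. Lives in a child theme's
// functions.php or a site-specific plugin, so theme updates keep it.

// The <meta name="generator"> tag is printed by wp_head() via wp_generator(),
// so in most themes there is no literal line in header.php to delete.
remove_action( 'wp_head', 'wp_generator' );

// RSS/Atom feeds emit their own <generator> element through the same
// the_generator() helper; an empty string silences every variant,
// and covers the head tag too if another plugin re-adds wp_generator().
function hlt_no_generator( $generator_html, $type ) {
    return '';
}
add_filter( 'the_generator', 'hlt_no_generator', 10, 2 );

// Core enqueues assets as e.g. /wp-includes/js/jquery/jquery.js?ver=<WP version>,
// which leaks the version just as clearly. Strip the ver= query argument.
function hlt_strip_version_query( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', 'hlt_strip_version_query', 15 );
add_filter( 'style_loader_src',  'hlt_strip_version_query', 15 );
```

Stripping ver= also removes WordPress’s cache-busting, so after an upgrade visitors may be served cached scripts and styles until their browser cache expires; keep that in mind if a theme or plugin depends on it.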

Disable Directory Listing on your server hosting

It can be disconcerting to know that unless your server is configured properly, anyone can get a list of all files and folders on your server. They just need to find a directory that doesn’t have an index.html/php and, just like that, they can see what you have.

This is a straightforward fix, but it will require you to FTP in and edit/create a file on the server.

  1. FTP to your web server and go to the top level HTML folder. In CPanel hosting, often this is public_html.
  2. Locate and download the file to your local computer (if it exists) called .htaccess
  3. Open this file in your preferred text editor
  4. Search for the text: Options -Indexes. If it exists, you have nothing more to do. Otherwise…
  5. At the top of the file create a new line and enter the text exactly: Options -Indexes
  6. Save the file and upload it to the FTP directory you downloaded it from.

If the file did not exist at step 2, simply create a file called .htaccess on your local computer and resume from step 3 (skipping step 4).

Password protect your Administration area

Implementing this second level of protection on your WordPress site is useful to reduce your exposure to brute-force password attacks. However, it presents a few quirks on your WordPress installation that require a workaround.

I’ve provided the following two links that will help you achieve this:

  1. Password protecting the WordPress admin area
  2. Working around the problems of password protecting the admin area.
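Putting the two server-side sections above into concrete files, as an added example that is not the post’s own configuration: the first fragment goes in the top-level .htaccess (public_html), the second in wp-admin/.htaccess. The .htpasswd path is a placeholder, and the syntax is the Apache 2.2 style that cPanel hosts used at the time.

```apache
# --- public_html/.htaccess (added example) ---

# Turn off directory listings for every folder under the document root.
Options -Indexes

# Hiding the generator tag is undone if /readme.html still states the
# version, so refuse to serve it (and license.txt) directly.
<FilesMatch "^(readme\.html|license\.txt)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# wp-login.php sits outside wp-admin, so protecting only that folder leaves
# the real brute-force target open. Prompt for the same password here.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /home/EXAMPLE_USER/.htpasswd
    Require valid-user
</Files>

# --- public_html/wp-admin/.htaccess (added example) ---

AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/EXAMPLE_USER/.htpasswd
Require valid-user

# Caveat: themes and plugins call wp-admin/admin-ajax.php on behalf of
# anonymous visitors, so a blanket prompt breaks those features for the
# public. Let that one file through without credentials.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Create the password file with `htpasswd -c /home/EXAMPLE_USER/.htpasswd yourname` and keep it outside public_html; on Apache 2.4 replace `Order`/`Deny`/`Allow` with `Require all denied` and `Require all granted`.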

Force secure (SSL) access to your Administration area

Basically this means that you’re not sending your administrator credentials flying over the interweb in plain text.

A good idea to put an end to that.

The WordPress Codex has a very easy-to-follow guide on this, so there’s no need to repeat it.

Check the details on enforcing WordPress Administration over SSL here.

Use Secure FTP to access your web server

For much the same reasons as the previous section it’s a good idea to secure your access over FTP. This again prevents your username and password being sent over the internet in plain text.

You’ll need to check with your web hosting provider, but for Host Like Toast customers, you can achieve this using FileZilla and setting your connection to use SFTP on port 2222.

CloudFlare as a security layer

I wrote an article on the use of CloudFlare, and while it has its quirks here and there, it’s a great free tool for reducing your risk from hackers and brute-force attacks by bots and the like.

Check out the CloudFlare article and see what you think.

Highly recommended!

Your Next Step

As with previous articles, I’ve tried to keep this as simple as possible so anyone can begin to implement the changes necessary to reduce their attack surface. There are many more things that can be done to achieve this, but I’m attempting to strike a balance between ease of implementation and the advantages gained.

In the future I’ll present some of the more complex solutions in a video series.

If you have any questions, please feel free to voice them below, or get in touch with us to find out more about our Managed WordPress Hosting solutions.
