This is an advanced tutorial for WordPress developers looking for ways to secure their WordPress blog or website beyond that of the everyday user. I will demonstrate how to implement some of the more advanced security measures into your WordPress website or blog to enhance the security of your website and server. This is the fourth and final part to my series of WordPress Security tutorials. You can find the provioous articles here: WordPress Security Tips; In-depth Guide to WordPress Security; Advanced WordPress Security Tips. You might want to read those first to get an idea of what should be done before doing these more advanced security measures.
Before you start WordPress security measures
I do not advise anyone who is not accustomed to doing advanced security measures on their website and web server to do any of the exercises in this tutorial. If you are not extremely careful, you could lose data, disable your server or even make security worse on your site or server. In order to follow along in this tutorial, it is expected that you know the basics of PHP, HTML and CSS minimally. It is also good to have a working knowledge of the WordPress infrastructure. It is an advanced tutorial and will involve modifying existing WordPress PHP files. There will also be modifications to HTML, CSS and to the .htaccess file.
Prevent Comments from Proxies
Are you tired of seeing a ton of emails in your inbox from WordPress letting you know someone has commented on your blog post, just to find out it was a spammer? This can be a problem, not only because it is an inconvenience, but comment spam can negatively affect your site’s SEO because it often degrades the quality of your website’s content. Search engines are getting a lot better at determining if a website has quality and relevant content or not and ranking them accordingly, so comments need to be moderated closely. A lot of spammers use proxy servers, so it only makes sense that if you block proxy servers from making comments, you will end up with fewer comments that are spam.
To disable proxy servers from posting comments, add the following entry into your .htaccess file outside of the part that has been commented for use by WordPress. If you place the code inside of the designated WordPress section of the file, it will get overwritten by WordPress when it makes updates to the .htaccess rules. Here is what to add to your .htaccess file:
RewriteCond % =POST
RewriteCond %%%%% !^$ [OR]
RewriteCond %%% !^$
RewriteCond % !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* – [F,NS,L]
The above .htaccess rules shouldn’t require any changes unless you have an uncommon directory structure or have renamed some of the core folders in WordPress. It should be safe to copy and paste the above code into the end of your .htaccess file. Only do so if you are sure you know what you are doing though and backup the file before making changes so you can revert to the backup if something goes wrong. A bad .htaccess file can disable your entire server.
Add HTTPS to Your Server
This may seem extreme for some websites, but many of them need HTTPS. Https is probably the most secure method of protecting your visitors and their personal information being passed from page to page on your site. If you have a WordPress site that sells things and takes credit cards, HTTPS is an absolute must. Here is a quick and dirty method of installing HTTPS on your server if you have a Linux web server. Windows directions are very similar.
- Check for HTTPS – this can be accomplished by typing the following at a command prompt:
openssl genrsa -des3 -out server.key 4096
If you have it, then it will ask you to set up a certificate, don’t do it unless you know what you are doing. You may not be ready for setting up a certificate you because you should buy one from a certificate authority such as Godaddy or Verisign.
- Install the HTTPS software if you don’t have it – Since it is a bit outside of the scope of this tutorial, I am providing a link to instructions for installing and configuring SSL on a Linux server. Go to http://onlamp.com/onlamp/2008/03/04/step-by-step-configuring-ssl-under-apache.html and follow the instructions given for installing HTTPS on an apache server.
- Get a signed Certificate – I cannot stress the importance of getting a signed certificate enough. The main argument for a signed certificate is that users will no longer see the security warnings they are subject to with a self-signed certificate. Other than that, it is a lot less secure in general. But no certificate is secure unless you keep it to yourself and your server. Don’t let anyone get their hands on the files that hold your certificate keys and data. The best places to get a signed certificate from my experience have been Godaddy for low prices and VeriSign for quality and trust.
After you have HTTPS/SSL set up on your WordPress server, you will no longer have to worry about packets of data being intercepted by a hacker. Remember, this doesn’t only make your site visitors vulnerable, it can make you vulnerable too. Think about how much data you upload to your WordPress site. Some of you may not need HTTPS, but if you are taking information from users with on-site forms, then you should consider it. Just having it in place makes perspective customers more likely to buy from your site or fill in required information at least.
Adding a Firewall to WordPress
That’s right, you can add a firewall to WordPress itself! I was reading about security measures on the WordPress codex when I first stumbled upon the WordPress Firewall plugin available for download directly at
WordPress Firewall uses a whitelist and some finely tuned WordPress security rules to block potential threats to your WordPress installation and its users. The plugin is one file that can be uploaded quickly and easily to your wp-content/plugins/ directory.
WordPress Firewall helps protect against directory traversal attacks, sql injection attacks, code injections and .exe file uploads to name some of the more prominent features. It is a must have for popular sites with more traffic.
After following along with this advanced WordPress security tutorial, you should have a good idea of what to do next to secure your blog. All the measures taken in this tutorial could be added to any ones WordPress blog or website. The more secure, the better off you will be. It is true that if you don’t use your WordPress site much and it doesn’t have much or any traffic, then the security measures in this tutorial may be a bit much for you, however, you should read one of my beginner level tutorials available on this site to at least implement some of the more basic security measures for WordPress websites and blogs. Good luck getting your WordPress site secure. Security is a never ending subject. Always update to the latest versions of your WordPress core, themes, plugins and even server software because updates always contain the latest security patches.