The need for WordPress security is growing at an accelerating rate. Reports say that WordPress sites experience 90,978 attacks per minute. Since its release, WordPress has patched more than 2,450 vulnerabilities. In addition to those basic security measures that you are already taking to protect your site, here are some advanced WordPress security measures, including how to prevent WordPress DDoS (Distributed Denial of Service) on your website.
1. Turn off HTTP Trace functionality
Cross Site Tracing (XST) attacks, and the Cross Site Scripting (XSS) bugs they are combined with, target servers that still have the HTTP TRACE method enabled. Most web servers ship with TRACE turned on because it is a debugging aid: the server echoes the request it received back to the client. That echo is the problem. An attacker who can trigger a TRACE request from a victim's browser and read the response gets the request headers back, including cookies, which is how a Cross Site Tracing attack steals session data. The OWASP Top Ten Project maintains comprehensive lists of vulnerabilities and attacks of this kind that apply to WordPress websites.
Of all vulnerability types, Cross Site Scripting ranks number one. In fact, 46.9% of all websites are vulnerable to this type of attack. To deactivate the HTTP Trace functionality, add the following code to your .htaccess file.
# Refuse the TRACE method with 403 Forbidden
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
# If you control the main Apache configuration, "TraceEnable off" disables the
# method for every virtual host; the .htaccess rule above is the fallback for
# shared hosting where you cannot edit the server config.
2. Remove WordPress installation header outputs
WordPress prints a number of links and meta tags into the page header on behalf of various services (feed discovery, remote publishing clients, post navigation) and, through the generator tag, advertises the exact WordPress version you run. You can remove these outputs by adding the code below to the “functions.php” file of your theme.
// Detach each header callback from the wp_head action. Where the callback was
// registered with a non-default priority, remove_action() must be given the same
// priority or the call silently does nothing.
remove_action( 'wp_head', 'index_rel_link' );                        // rel="index" link (deprecated since WordPress 3.3)
remove_action( 'wp_head', 'feed_links', 2 );                         // post and comment RSS feed links
remove_action( 'wp_head', 'feed_links_extra', 3 );                   // category, tag, author and search feed links
remove_action( 'wp_head', 'rsd_link' );                              // Really Simple Discovery link pointing at xmlrpc.php
remove_action( 'wp_head', 'wlwmanifest_link' );                      // Windows Live Writer manifest link
remove_action( 'wp_head', 'parent_post_rel_link', 10, 0 );           // rel="up" link (deprecated since WordPress 3.3)
remove_action( 'wp_head', 'start_post_rel_link', 10, 0 );            // rel="start" link (deprecated since WordPress 3.3)
remove_action( 'wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0 ); // rel="prev" / rel="next" post links
remove_action( 'wp_head', 'wp_generator' );                          // <meta name="generator"> that reveals the WordPress version
remove_action( 'wp_head', 'wp_shortlink_wp_head', 10, 0 );           // rel="shortlink" (exposes ?p=ID)
remove_action( 'wp_head', 'noindex', 1 );                            // robots noindex tag printed when "Discourage search engines" is set;
                                                                     // removing it defeats that setting, so keep this line only on purpose
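After adding the snippet, it is worth confirming that the tags are really gone from the rendered page rather than assuming the theme applied it. The check below is an added example written for this article, not code from WordPress or from the author; the regexes match the markup WordPress emits for each callback, and the two HTML samples are constructed for the demo (the version number in them is made up). `check_url()` fetches a live page with the standard library; the offline demo only uses the embedded samples.

```python
import re
import urllib.request

# Markers for the header outputs the functions.php snippet removes, keyed by the
# WordPress callback that prints each one. These regexes are written for this
# example; they match WordPress's output markup, they are not a WordPress API.
HEAD_MARKERS = {
    "wp_generator": re.compile(r'<meta\s+name="generator"\s+content="WordPress[^"]*"', re.I),
    "rsd_link": re.compile(r'rel="EditURI"', re.I),
    "wlwmanifest_link": re.compile(r'rel="wlwmanifest"', re.I),
    "wp_shortlink_wp_head": re.compile(r'rel="shortlink"', re.I),
    "feed_links": re.compile(r'type="application/rss\+xml"', re.I),
    "adjacent_posts_rel_link_wp_head": re.compile(r'rel="(?:prev|next)"', re.I),
}


def leaked_head_outputs(html):
    """Return the names of the callbacks whose output is still present in <head>."""
    head = html.split("</head>", 1)[0]  # only the head section is relevant
    return [name for name, rx in HEAD_MARKERS.items() if rx.search(head)]


def generator_version(html):
    """Return the version advertised by the generator tag, or None when it is gone."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([^"]+)"', html, re.I)
    return m.group(1) if m else None


def check_url(url):
    """Fetch a live page and report leaked head outputs (not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return leaked_head_outputs(resp.read().decode("utf-8", "replace"))


# Constructed sample of a default WordPress head, before the snippet is applied.
BEFORE = """<html><head>
<link rel="alternate" type="application/rss+xml" title="Feed" href="/feed/" />
<link rel="EditURI" type="application/rsd+xml" href="/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="/wp-includes/wlwmanifest.xml" />
<link rel="prev" title="Older post" href="/older-post/" />
<meta name="generator" content="WordPress 6.4" />
<link rel="shortlink" href="/?p=12" />
</head><body></body></html>"""

# Constructed sample of the same head after the remove_action() calls.
AFTER = """<html><head>
<meta charset="UTF-8" />
<title>Example site</title>
</head><body></body></html>"""

if __name__ == "__main__":
    print("before:", leaked_head_outputs(BEFORE), "version:", generator_version(BEFORE))
    print("after: ", leaked_head_outputs(AFTER), "version:", generator_version(AFTER))
```

The generator tag is the one that matters most for an attacker's reconnaissance, so `generator_version()` is reported separately: an empty list from `leaked_head_outputs()` together with `None` from `generator_version()` is the result you want on the live site.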
3. Alter the default database prefix for WordPress
The default prefix for WordPress database tables is “wp_”. Attackers and malicious bots rely on that default to guess your table names correctly. The prefix is set in wp-config.php (the $table_prefix variable), so the easiest time to pick a different one is when you install WordPress. On an existing site you can use the Change Table Prefix plugin, or, if you prefer to do it manually, follow the steps below:
1. Completely back up your database and make sure to save the backup somewhere safe. Here are some of the backup plugins you can use.
2. Use phpMyAdmin in your web host's control panel to export (dump) your entire WordPress database to a text (.sql) file. Back up this file as well.
3. Next, use a code editor to replace all “wp_” prefix values in that file with your own prefix.
4. Deactivate all plugins in your admin panel.
5. Now, drop the old database via phpMyAdmin and import the file you edited in step 3 in its place.
6. Edit the “wp-config.php” file so that $table_prefix holds the new prefix value.
7. Now, reactivate your WordPress plugins.
8. To save the permalink settings, go to Settings and then to Permalinks; this refreshes your website’s permalink structure. Do note that changing the database prefix shouldn’t change your domain name, URL and permalink settings.
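Step 3 is the risky one: a blanket find-and-replace of “wp_” also rewrites things that are not table prefixes. WordPress stores core post meta keys such as `_wp_attached_file` and `_wp_page_template`, and post bodies may mention “wp_” too, so a literal replace-all corrupts them; at the same time, a handful of option names and user-meta keys (`wp_user_roles`, `wp_capabilities`, `wp_user_level`) do carry the prefix and must be renamed or every user loses their role. The script below is an added example written for this article, not part of WordPress or the plugin the text mentions: it rewrites only backticked table identifiers and the prefix-bound keys, and lists the remaining “wp_” occurrences for manual review. The dump excerpt and the new prefix `myblog_` are constructed for the demo.

```python
import re

OLD_PREFIX = "wp_"
NEW_PREFIX = "myblog_"   # constructed replacement prefix for the demo

# Option names and user-meta keys that WordPress stores with the table prefix
# baked into the key itself, so they must be renamed along with the tables.
PREFIX_BOUND_KEYS = (
    "user_roles",                          # wp_options.option_name
    "capabilities",                        # wp_usermeta.meta_key
    "user_level",                          # wp_usermeta.meta_key
    "user-settings",                       # wp_usermeta.meta_key
    "user-settings-time",                  # wp_usermeta.meta_key
    "dashboard_quick_press_last_post_id",  # wp_usermeta.meta_key
)


def naive_rename(dump, old=OLD_PREFIX, new=NEW_PREFIX):
    """Step 3 taken literally: replace every occurrence of the old prefix."""
    return dump.replace(old, new)


def rename_prefix(dump, old=OLD_PREFIX, new=NEW_PREFIX):
    """Rename only table identifiers and prefix-bound keys; leave all other text alone."""
    # Backticked table names such as `wp_posts` in CREATE TABLE / INSERT INTO / DROP TABLE.
    table_ident = re.compile("`" + re.escape(old) + r"([A-Za-z0-9_]+)`")
    out = table_ident.sub(lambda m: "`" + new + m.group(1) + "`", dump)
    # Prefix-bound keys appear as single-quoted string values inside INSERT rows.
    for key in PREFIX_BOUND_KEYS:
        out = out.replace("'" + old + key + "'", "'" + new + key + "'")
    return out


def leftover_prefix_hits(dump, old=OLD_PREFIX):
    """List (line number, line) pairs that still contain the old prefix as a standalone token.

    Keys such as _wp_attached_file are skipped on purpose: the leading underscore
    means they are core meta keys, not table-prefix references.
    """
    token = re.compile(r"(?<![A-Za-z0-9_])" + re.escape(old))
    return [(n, line) for n, line in enumerate(dump.splitlines(), 1) if token.search(line)]


# Constructed excerpt of a phpMyAdmin dump (not real site data).
SAMPLE_DUMP = """\
CREATE TABLE `wp_posts` (`ID` bigint(20) unsigned NOT NULL AUTO_INCREMENT);
INSERT INTO `wp_posts` VALUES (1,'Uploads live under wp-content; this post mentions wp_content by mistake.');
INSERT INTO `wp_postmeta` VALUES (1,1,'_wp_attached_file','2024/01/logo.png');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
INSERT INTO `wp_options` VALUES (1,'wp_user_roles','a:0:{}','yes');
"""

if __name__ == "__main__":
    renamed = rename_prefix(SAMPLE_DUMP)
    print(renamed)
    print("review these lines by hand:", leftover_prefix_hits(renamed))
    # The literal replace-all corrupts the core meta key _wp_attached_file:
    print("naive rename breaks _wp_attached_file:", "_myblog_attached_file" in naive_rename(SAMPLE_DUMP))
```

Run it against the real export and read the review list before importing: anything it reports is either content you want left alone or a plugin table or key the script did not know about, and in the second case you add the key to `PREFIX_BOUND_KEYS` rather than reaching for replace-all.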
4. Block query strings that are potentially dangerous
To help prevent Cross Site Scripting (XSS) and injection attacks, add the following rules to your .htaccess file. They answer 403 Forbidden to any request whose method or query string matches one of the listed patterns, which stops many common injection attempts before they reach WordPress. Before adding the rules, identify which query strings your site legitimately uses, because the patterns are plain substring matches. There are two important things to note here:
- Certain plugins or themes break if you do not exclude the strings they already use in their own query parameters.
- Although the strings below are the most common, you may choose to add more strings.
# Block by request method. [OR] here so that a bad query string is refused
# regardless of method. Note that HEAD is used by uptime monitors and some
# crawlers; remove it from the list if that matters to you.
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
# Directory traversal and well-known file probes
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
# "tag=" also matches WordPress tag archives on sites without pretty permalinks
RewriteCond %{QUERY_STRING} tag= [NC,OR]
# Remote URLs passed in parameters (remote file inclusion attempts)
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
# Literal and URL-encoded metacharacters used in script and SQL injection
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
# Keywords; these are substring matches, so ordinary search terms such as
# "selection" or "configuration" also trigger them
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
# Answer 403 Forbidden and stop processing further rules
RewriteRule ^(.*)$ - [F,L]
5. Use Deflect to prevent DDoS attack
Fledgling websites, independent media groups, and the sites of most human rights activists and organizations usually lack the technical and financial resources to withstand a distributed denial of service (DDoS) attack. That is where Deflect comes in. Deflect positions itself as a better alternative to commercial DDoS mitigation options.
Commercial DDoS mitigation options cost a lot of money and could change their terms of service if a website under their protection attracts DDoS attacks regularly. Deflect proactively stops DDoS attacks by keeping websites under constant protection.
A side benefit of using Deflect on your website is that it saves money by lowering the load on your server and the demands on your sysadmin's time. Deflect publishes all of its source code and documentation under a Creative Commons licence, which allows anyone to mitigate DDoS attacks by setting up their own Deflect network. You may sign up on their website for free and start using the service right away.
6. Use Secure Sockets Layer (SSL) and Firewall Protection
Security services like Sucuri offer options such as installing a Secure Sockets Layer (SSL) certificate and PCI-compliant firewall protection. This is an easily accessible option for everyone, including non-technical people.
You can set up a security solution like this quickly and let it work in the background; in some cases (Sucuri, for example) it updates itself as necessary. This is a highly effective, low-maintenance security option.
A number of WordPress plugins can be used to add secure sockets layer (SSL) certificates to your site. Some of the most recommended WordPress SSL plugins include CM HTTPS Pro, Really Simple SSL, WP Force SSL, SSL Insecure Content Fixer, and Easy HTTPS Redirection.
To wrap up
You will see marked improvements in site security by applying the points outlined above. Keep in mind that WordPress security is always evolving. The goal is to mitigate risks, not eliminate them, since eliminating them entirely is nearly impossible. WordPress security is dynamic and works in layers, so there is no one-plugin-fits-all or one-tactic-fits-all.
Image credit: DDoS (http://www.epictop10.com/)
Nicholas Godwin is a technology researcher who helps businesses tell profitable brand stories that their audiences love. He’s worked on projects for Fortune 500 companies, global tech corporations and top consulting firms, from Bloomberg Beta, Accenture, PwC, and Deloitte to HP, Shell, and AT&T. You may follow his work on Twitter or simply say hello. His website is Tech Write Researcher.