This post contains a summary TODO list for securing a WordPress site. If you set up a WordPress site, feel free to go through this list and apply as many of its items as you like.
Also, if you think of some advice which isn’t here, or have remarks about what’s present here, just comment them.
Use unique and unguessable passwords
Way too many people use weak passwords: passwords which are too short (like qwerty or, for the Fench, azerty) or too simple (12345 anyone?) or too easy to guess (user: percival, password: perc1val) or already used elsewhere with the same e-mail address. So of course, attackers try these passwords first when thry attempt to log in to your site.
Don’t make it easy for them. Use long, complicated, unpredictable passwords. For instance, have them generated for you — but not by some website! Use a proven password generator which runs on your computer, tablet or mobile.
Use a password manager
Using long, complicated, unpredictable passwords means you have to remember these long, complicated, unpredictable therefore hard-to-memorize passwords — that is, unless you use a password manager. Then you only have to remember one long, complicated, password, and that can be a passphrase, easier to memorize than a password (although I would not recommend selecting “correct horse battery staple” itself as a passphrase).
Use unique identifiers for administrator accounts
Lots of people use admin or administrator or (sigh) administrateur or (eyeroll) root or some other all-too-common name as their administrator account identifiers. Problem is, all people who are bent into attacking a website login will try these, in case, you know, the corresponding passwords are weak.
WordPress gives you the possibility to define your own administrator account identifier. Find one which cannot be guessed.
Hey, why not have your password manager generate one and memorize it for you? You may have to restrict it to letters and numbers, but that’s something password managers can do, although they might complain that this would make a weak(er) password; but as a login, that’s good enough.
Change the default login URL
Lots of bots out there will try yourwebsite/wp-login.php on any website, in hopes that it is a WordPress with the unmodified login URL, in which case they’ll try any old login/password they happen to have a list of.
Changing the default URL from …/login.php to …/somethingunique/ prevents these bots from ever getting to the login page, so at least they won’t hassle your website with unwanted login attempts.
You can change the login URL (and prevent people from accessing any part of the adminstration interface until they have properly logged in) with the WPS Hide Login plugin.
IMPORTANT: if access to your site is restricted to registered users, you must make sure that the site’s behavior when visited anonymously is *not* set to redirect to the login page! If it were, then anonymous visitors would land on the custom URL of the login page, which would then be exposed. I have opened a forum ticket for this. I’ll update this post when / if it is resolved.
Use fail2ban if you can
Once a bot has stumbled upon your website, it will try a whole lot of requests on it, some meant for WordPress, some for Drupal, some for SPIP, etc… Of course, most of these will fail because your site is not a Drupal or SPIP or… site, and the worst of the WordPress-meant ones will also fail because you did change the default login URL, did you not? So any failed attempts are usually signs that some bot is knocking at your site’s door.
That’s where fail2ban comes handy. Roughly speaking, your webserver runs a log of failed attempts, and fail2ban just reads this log and if enough attempts fail from the same visitor, it blocks the visitor from event trying to reach your site. Think of fail2ban as a “three-strikes-and-you’re-out” mechanism.
Installing and configuring fail2ban is not easy! It will require you to know a fair bit of how your web server and its underlying operating system work. I have it set up for Debian and nginx; if that’s your own combination, ping me and I’ll publish notes about these.
Worried that you set up and advertised your website but you won’t get any interaction, and more specifically no comments? Don’t worry. You’ll get plenty of comments. Most of which you’ll wish you’d never seen in the first place.
You’ll need to weed out the spam comments. And you can’t weed them out manually. You’ll have to automate.
You can automate this at two points: before the comment is submitted, and once it is.
Before the comment is submitted, you can add checks to verify that the commenter is a human rather than a spamming bot. Use captchas, for instance.
Once the comment is submitted, you can use antispam plugins such as Akismet which do a pretty good job of blocking spam comments too.