Rather than relying on the security provided by the default WordPress install, we have added some other security measures. We changed the prefix of the WordPress table names so that zero-day SQL exploits which depend on a default installation will not work. Defeating zero-day exploits matters because new WordPress vulnerabilities emerge often, and exploits may be released on a large scale before being reported and patched. We have created the WordPress database user with only the permissions it needs to do its job. We have changed the name of the admin account to something difficult to guess. We have enabled the Akismet plugin to defeat spam in the comments. We have also employed an .htaccess file in the wp-admin directory to add another layer of password protection.
INSTALLATION STEPS
1. Create the MySQL database.
mysql> create database wp;
2. Give appropriate grants to the WordPress user. Only the privileges it needs on the wp database; no global privileges.
mysql> grant select, insert, update, delete, create, drop on wp.* to 'wordp_user'@'localhost' identified by 'PASSWORD';
3. Install the WordPress files. They are available packaged as a zipped archive or tarball.
root@srv-01 [/home/blogger/public_html]# unzip wordpress-2.7.1.zip
root@srv-01 [/home/blogger/public_html]# chown -R monkeygo:monkeygo wordpress
Copy wp-config-sample.php to wp-config.php. This is your configuration file.
4. Edit the configuration file. The database information needs to be defined:
DB_NAME, DB_USER, DB_PASSWORD
Then, follow the instructions in the file to generate authentication unique keys and paste them into the file. WordPress has a service that will generate them for you.
Scroll down to $table_prefix and set the prefix to something more random. Automated exploits that hard-code the default wp_ prefix will then fail, because the table names they expect will not exist. We’re going to set ours to za398_.
5. Point your browser at your WordPress installation. It will redirect to the installation page, e.g. http://myblog/wordpress/wp-admin/install.php. Fill in the information and take note of the admin password that is generated for you. This will install the database and set up the basic blog. It will use the table prefix value you specified in the config when it creates the tables.
6. Change the admin login. In this example we change it to tito. Note the non-standard prefix on the table name, and the WHERE clause, which limits the update to the admin row.
mysql> update za398_users set user_login='tito' where user_login='admin';
7. Put an .htaccess file in the wp-admin directory to protect it. We’ll use the tito user for this, too, to minimize confusion. Note that the password file lives outside public_html, so the web server never serves it.
AuthType Basic
AuthName "Admin Area"
AuthUserFile "/home/blogger/.htpasswds/public_html/wordpress/passwd"
require user tito
And use htpasswd to create a password for the tito user, something like this:
root@srv-01 [~]# /usr/local/apache/bin/htpasswd -cb passwd tito secretword
8. Activate the Akismet plugin to catch spam comments. After you activate it, go to the Akismet configuration link in the plugins area and enter a WordPress API key, which is available if you sign up for a wordpress.com account.
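The config-file and .htaccess parts of the steps above, scripted so they can be repeated on the next install and checked before install.php is opened. This is an added example, not the post's own code: it generates a prefix in the same shape as za398_, fills in the database settings of a constructed stand-in for wp-config-sample.php (the placeholder names putyourdbnamehere, usernamehere and yourpasswordhere are those of the 2.7-era sample file), writes the wp-admin .htaccess, and refuses to call the config ready while the prefix is still wp_ or a placeholder remains. The file paths, the password-file location and the use of /dev/urandom are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: scripts the hardening steps above
# (random table prefix, database settings in wp-config.php, basic-auth .htaccess
# on wp-admin) against a constructed wp-config-sample.php so it runs offline.
# Paths, the password file location and the prefix format are assumptions.
set -eu

# Random prefix in the same shape as the post's za398_: two letters, three digits,
# an underscore. Reads /dev/urandom, which is assumed to exist on the host.
random_prefix() {
    l=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 2)
    d=$(LC_ALL=C tr -dc '0-9' </dev/urandom | head -c 3)
    printf '%s%s_\n' "$l" "$d"
}

# Escape a value for the replacement side of a sed s/// command (/, & and \).
sed_escape() {
    printf '%s' "$1" | sed 's,[/&\\],\\&,g'
}

# write_config SAMPLE DEST DB_NAME DB_USER DB_PASSWORD PREFIX
# Copies the sample config, filling in the database settings (step 4) and the
# non-default table prefix. Placeholder names match wp-config-sample.php.
write_config() {
    sed -e "s/'putyourdbnamehere'/'$(sed_escape "$3")'/" \
        -e "s/'usernamehere'/'$(sed_escape "$4")'/" \
        -e "s/'yourpasswordhere'/'$(sed_escape "$5")'/" \
        -e "/table_prefix/s/'wp_'/'$6'/" "$1" >"$2"
}

# config_prefix FILE: print the table prefix set in a wp-config.php.
config_prefix() {
    sed -n "s/^[\$]table_prefix *= *'\([^']*\)';.*/\1/p" "$1"
}

# config_ok FILE: succeed only if the prefix is non-default and every sample
# placeholder has been replaced; the check to run before opening install.php.
config_ok() {
    p=$(config_prefix "$1")
    [ -n "$p" ] && [ "$p" != "wp_" ] &&
        ! grep -q -e putyourdbnamehere -e usernamehere -e yourpasswordhere "$1"
}

# write_htaccess DEST PASSWD_FILE USER: the basic-auth gate for wp-admin from
# step 7, with the htpasswd file kept outside the web root.
write_htaccess() {
    cat >"$1" <<EOF
AuthType Basic
AuthName "Admin Area"
AuthUserFile "$2"
require user $3
EOF
}

# Stand-alone demonstration against a constructed sample in a scratch directory.
main() {
    work=$(mktemp -d)
    # Constructed stand-in for the relevant lines of wp-config-sample.php.
    cat >"$work/wp-config-sample.php" <<'EOF'
<?php
define('DB_NAME', 'putyourdbnamehere');
define('DB_USER', 'usernamehere');
define('DB_PASSWORD', 'yourpasswordhere');
$table_prefix  = 'wp_';
EOF
    write_config "$work/wp-config-sample.php" "$work/wp-config.php" \
        wp wordp_user 'PASSWORD' "$(random_prefix)"
    write_htaccess "$work/htaccess" \
        /home/blogger/.htpasswds/public_html/wordpress/passwd tito
    if config_ok "$work/wp-config.php"; then
        echo "wp-config.php ready, table prefix $(config_prefix "$work/wp-config.php")"
    fi
    cat "$work/htaccess"
    rm -rf "$work"
}
main
```

Run it as-is to see the generated prefix and .htaccess; on a real install, point write_config at the copied sample and the real wp-config.php, and run config_ok in whatever deploy script opens install.php, so a forgotten placeholder or a leftover wp_ prefix stops the install instead of going live.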
There’s lots more great information about securing blogs at blogsecurit.net, including a great whitepaper that goes into depth about securing WordPress.