WordPress Security Essentials : Building A Layered Defense

Preventing a hack attack is virtually impossible, so the pragmatic goal of any security strategy is to make any attack as difficult as possible.

If the attack can be slowed down sufficiently then the perpetrators will likely give up and move on to a new target.

In this installment of our WordPress Security Essentials video series, we take a look at layered security or layered defence:  the combining of multiple security controls to protect your WordPress site’s critical files and data.

WordPress security essentials - layered security
Layered security: the art of picking the right mix of security controls for your situation

WordPress security is not a perfect science. There is no definitive approach, and so you’ll need to work out which security controls are appropriate for your situation taking into account what needs to be shared, which files or features need to be accessible and what are the requirements of the users involved in maintaining and contributing to your site.

The video will walk you through how to set up the following security measures and controls:

  • restricting uploads
  • protecting critical files (such as wp-config.php, .htaccess)
  • white/blacklisting IP addresses
  • removing edit access to theme and plugin files
  • restricting access to the dashboard and its features

Always keep in the back of your mind, that an obstacle to a hacker is also a potential obstacle for you and your users, so it’s a balancing act.

As the video stresses: it’s ultimately a question of how valuable is the content on your site? The answer will determine which and how many controls you need to deploy.

Code Snippets From The Video

1. Restricting access to wp-config.php (.htaccess in root)

1
2
3
4
<Files wp-config.php>
order allow,deny
deny from all
</Files>

2. Whitelisting an IP address for the dashboard (.htaccess in /wp-admin)

1
2
3
order deny,allow
allow from [enter ip address]
deny from all

Denies access to all requests except for those from entered IP address.

3. Blacklisting an IP address (.htaccess in root)

1
2
3
4
5
<Limit GET POST>
order allow,deny
deny from [enter ip address]
allow from all
</Limit>

Allows access to all requests except those from the entered IP address. You can blacklist multiple IP addresses by simply replicating the deny from statement.

4. Disabling theme and plugin editing in the dashboard (wp-config.php)

1
define( 'DISALLOW_FILE_EDIT' , true );

Remember, all editing access will be disallowed, including for site administrators.

5. Protecting the .htaccess file itself (.htaccess)

1
2
3
4
5
<Files ~"^.*.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Tags

Comments (5)

    • Yes, it’s a potentially drastic measure.

      It’s all part of the balancing act, isn’t it? How much can you tighten up security before it starts having a detrimental impact on you (as the site owner) and your users.

Participate