How to protect and secure WordPress

Securing a WordPress blog is pretty simple. If you google the words “How to protect wordpress”, you will find plenty of sites covering the basic techniques, such as:

  1. Make sure that your WordPress software and other plugins are always up to date
  2. Enable Akismet to protect your site from spam comments
  3. Don’t share your WordPress account with other people

While this advice is absolutely correct, to me (and to most other experienced users) it is common sense only. As an advanced user, I am interested in learning more innovative or advanced techniques, rather than the kind of junk collected from WordPress for Dummies.

In the following paragraphs, I am going to show you some advanced techniques that 90% of WordPress sites have not implemented. They are nothing fancy; they just require you to make some tweaks in the terminal. Note that doing anything through the terminal (a.k.a. the command line) is considered a difficult task by 90% of the people in the world.

Anyway, the techniques I introduce below target the most basic and fundamental security problems that WordPress itself does not address, because they lie beyond its capability.

Securing WordPress: Step 1 – Secure your server, at least secure how you login to WordPress Dashboard

WordPress provides an extremely easy way to access the WordPress Dashboard:

http://yourwordpress.com/wordpress/wp-login.php

It is very handy because you can log in to your website from anywhere, as long as you have access to a browser with an internet connection. However, it also opens a door to anybody who has your login and password. How would they get them? When you log in to WordPress over plain HTTP, your login and password are sent to the WordPress server in clear, unencrypted form, visible to anyone who can observe the traffic. If someone is interested in stealing your credentials, it is possible.

There are two ways to solve this problem –

1.) Building a secure HTTP server, i.e.,

https://yourwordpress.com

Notice that it is https, not just http.

How you do this depends on which web server you use to run WordPress. In my case I use Apache, and running a secure Apache server is very simple: all I need to do is generate a certificate for the website, apply it to my domain, and my secure web server is ready.

There is only one problem: all browsers will complain about the certificate because I generated it myself rather than obtaining it from a certificate authority such as Verisign. However, I can tell my browser to accept it anyway. When you do this, compare the fingerprint the browser shows with the one of the certificate you generated; otherwise the browser has no way to tell your certificate from an impostor’s.

If this sounds difficult, you can skip it. The second suggestion below will help solve this problem.

Securing WordPress: Step 2 – Limit the access to WordPress Dashboard

Okay, now you have secured the communication channel between your computer and the WordPress server, and no one can see the login and password in transit. Is that enough? Nope. An attacker can still brute-force your login page by trying every combination of login and password. So we need to limit access by IP address. Whether this works for you depends on how you access your WordPress blog: if you always access it from certain locations, such as home, the office or a few other places, and if those IP addresses do not change often, this approach may work for you.

Simply go to the wordpress directory, e.g.,

/usr/local/www/wordpress

Make sure that a .htaccess file exists there (create it if it does not).

Add the following to the end of the file:

# Restrict the login page only; without the <Files> scope this block
# would deny every visitor access to the whole blog, not just the dashboard
<Files wp-login.php>
order deny,allow
deny from all
allow from XXX.XXX.XXX.XXX
allow from localhost
</Files>

Replace XXX.XXX.XXX.XXX with your IP address. Here are some examples (Apache does not accept a comment on the same line as a directive, so the comments go on their own lines):

# Allow only this address
allow from 192.168.1.101
# Allow from 192.168.1.*
allow from 192.168.1
# Allow from 192.168.*.*
allow from 192.168

That’s it! If you want to go further, you can check the IP address inside wp-login.php as well, i.e.,

// Near the top of wp-login.php: stop the request unless it comes from
// the one allowed client address
$IP = $_SERVER['REMOTE_ADDR'];

if ($IP != '192.168.1.100') exit();

However, I don’t recommend this approach, because your changes will be overwritten the next time you upgrade WordPress.
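If you want an IP check that survives upgrades, the same logic can live in a must-use plugin instead of being patched into wp-login.php. This is an added example, not the post’s own code; it assumes a standard WordPress install that faces clients directly (no reverse proxy in front of it), and the addresses are constructed sample values:

```php
<?php
/*
Plugin Name: Login IP allow-list (added example)
Description: Drop this file into wp-content/mu-plugins/ so WordPress core
upgrades never overwrite it. Same idea as the wp-login.php check above.
*/

// Allowed client networks in IPv4 CIDR notation (constructed sample values).
const LOGIN_ALLOWED_CIDRS = [
    '127.0.0.1/32',     // localhost
    '192.168.1.101/32', // one workstation
    '192.168.1.0/24',   // same effect as "allow from 192.168.1" in .htaccess
];

// True when dotted-quad $ip lies inside $cidr ("a.b.c.d/bits" or "a.b.c.d").
function login_ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false; // malformed addresses never match
    }
    $bits = max(0, min(32, (int) $bits));
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

function login_ip_allowed(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (login_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// login_init fires at the top of wp-login.php, before any form is processed.
add_action('login_init', function () {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy it would be the
    // proxy's address, so this assumes WordPress faces clients directly.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!login_ip_allowed($ip, LOGIN_ALLOWED_CIDRS)) {
        status_header(403);
        exit('Access denied');
    }
});
```

Because a must-use plugin is loaded on every request, keep the allow-list short and test it from an allowed address before you rely on it.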

That’s it. Enjoy building a secure WordPress site.

–Derrick


[Solved] Hard drive disappears or gets detached in FreeBSD

Have you run into computer problems like mine before? You get error messages saying your system cannot read your hard drives, or your hard drives suddenly get detached by the system. You have no clue why it happens, because the drive is fairly new. Before you decide to discard, return or RMA the drive, let me share my experience, because it may save your hard drive (and your bank account).

Recently I ran into several hard-drive-related problems on my FreeBSD systems. These include:

Symptom: Hard drive seems to be failing

When I booted the computer, it threw the following messages:

ad0: FAILURE - READ_DMA status=51 ready ,DSC,ERROR error=40 uncorrectable LBA=sector
ad0: FAILURE - READ_DMA status=51 ready ,DSC,ERROR error=40 uncorrectable LBA=sector
ad0: FAILURE - READ_DMA status=51 ready ,DSC,ERROR error=40 uncorrectable LBA=sector

If you miss these messages during the boot process, you can review them with the following command:

sudo dmesg | grep ad | less

Symptom: Hard drive disappears or gets detached

When I tried to test the hard drive using dd, e.g.,

dd if=/dev/random of=/dev/ad0

(This command wipes the entire disk with random data until the disk is full. I do it because I want to exercise every single sector of the disk.)

It gave the following message:

dd: /dev/ad0: open: I/O error

and when I checked /dev/ad0, e.g.,

ls -al /dev/ad0

the device file had disappeared.

Apparently, the device had been detached by the system automatically.

So, how do you solve this problem? Here are a few methods I recommend you try:

Solution: Check the SMART status

You can check the SMART status of the hard drive using the following command (here for the drive /dev/ad0 shown above):

smartctl -a /dev/ad0

Make sure that the overall test result is PASSED.

If you don’t have smartctl installed, it is available from the following port:

/usr/ports/sysutils/smartmontools

Solution: How is your hard drive connected?

Sometimes connecting the hard drive through a PCI card can cause issues (at least in my case). After connecting the drive to a different port, such as switching from port 1 of the card to port 3 on the motherboard, the problem was solved and gone. If the problem still exists, the next thing I would try is connecting the drive via USB or FireWire, which you can do with a hard drive enclosure.

Solution: Replace the hard drive cables

Old hard drive cables can be the source of the problem too. The temperature inside the computer chassis is high and the cables are usually bent, which can soften the cable and break the metal wires inside it. Try replacing them with new cables and see whether the problem goes away. Also check the power connectors; sometimes this problem is caused by a loose power connector.

Solution: Have you installed any new hardware recently?

Sometimes the system behaves abnormally because of newly installed hardware, for reasons such as hardware conflicts. Recently I installed a PCI flash card adapter, which made the system very unstable. After I removed the card, the problem was solved and gone.

Solution: Is your motherboard doing okay?

Although it is not likely, this problem can be caused by a damaged motherboard. As a motherboard gets old it can become unstable and unreliable (heavy usage such as gaming generates high temperatures, which shorten the life span of a motherboard). To determine the root of the problem, I would replace the motherboard and test the system again.

How do you know if your system is stable or not?

Here are a few things I usually do to test the stability of a system:

1. Run the machine for at least a week.

2. Wipe all non-system hard drives using dd:

sudo dd if=/dev/random of=/dev/ad0 &
sudo dd if=/dev/random of=/dev/ad2 &
sudo dd if=/dev/random of=/dev/ad4 &

etc.

where the ‘&’ at the end of each command runs it in the background.

3. If possible, keep your system in a cool place such as a basement. It helps keep the hard drives healthy.

–Derrick
