WordPress security hardening for weekend warriors

Many WordPress users think securing their website is too complicated and so ignore it completely. However, it’s not as difficult as the experts would have you believe. Following a few easy principles takes care of much more than you think.

This list isn’t exhaustive, but I see the same mistakes come up over and over. I’m not going to rehash the tried and true maxims like “Keep plugins and WordPress core up to date”, etc., etc. Anyway, let’s get on with it.

Don’t put backups in your public_html folder

It’s called public_html for a reason — because it’s public. Anyone could navigate to your backup file and download it. That would expose sensitive information, such as the database passwords your WordPress installation uses.

Don’t assume that the backup filename is so obscure that nobody would be able to find it. cPanel and backup plugins use common naming conventions.

The backup is usually named something like {account-username}-{date}.zip. Most semi-literate hackers know this. If you must keep backups on the account, move them up one folder. That folder is called the home directory and is not public, which means people (think hackers) can’t navigate to any files in there from the internet.

Don’t modify robots.txt to reveal juicy clues for hackers

Robots.txt is a file used to tell search engines what files should be indexed and what files should be ignored. Even Google itself has a robots.txt file: https://www.google.com/robots.txt

The robots.txt is public and can be seen by anyone.

Webmasters who don’t know any better also add entries for folders and files that they want to hide from the public. This is a bad idea. Hackers usually check robots.txt for clues about where to look for sensitive files, so don’t point them at files that may reveal passwords or other sensitive data. Again, it’s better not to have sensitive files in the public_html folder in the first place.

Delete themes and plugins you don’t use

Do you have deactivated plugins that you don’t remember installing because that’s how old they are? If so, delete them. If you need them, just install them again. But if you haven’t used them in a year or so, you don’t need them.

Hackers can still exploit deactivated plugins. Deactivating a plugin only stops WordPress from loading it; its files stay on disk and can still be requested directly. By enumerating files, an attacker can easily discover that the plugin is installed, even though it doesn’t show up in your site’s HTML, CSS, or JavaScript.

The same goes for themes. I still keep the 2017 stock theme around for debugging site issues. Otherwise, I have my main theme and child theme only. I don’t keep free or old premium themes around. They can have exploitable vulnerabilities just like plugins. Just get rid of the dead weight, really.

NOTE: Keep in mind, though, that if you delete a plugin, this will remove the settings you have put in it. Deactivating the plugin still keeps those settings, but a deletion wipes out those settings from your database. So don’t delete plugins you only deactivated temporarily and will use again.

Look at your site’s search results for sensitive files

Not going to lie, but some people make it way too easy for the bad dudes and gals. Since WordPress is great for SEO, it can let Google crawl things you didn’t mean to expose. Some plugins also store sensitive files in directories that are crawlable.

Do a search on Google.com formatted like this: site:example.com

This will only show the results Google has for that one site. Look through the results for hacker eye-candy, for example files named public_html_backup.zip or billysite_wp.sql.

Backup and SQL files should not be in these results at all. Otherwise, a not-so-friendly hacker can click the link, download the file, and have all they need to do just about anything.

If you do find something, log in to your site’s FTP and delete the file. It may show up in the search results for a little while until Google removes it, but nobody will be able to download it anymore.

If it is a plugin that placed this file, remove the plugin. It is doing a poor job at security.

The technical name for this technique is Google dorking. It applies to all sites, not only WordPress sites. It’s so common because even script kids who don’t have advanced skillz can use it very successfully, which opens the way for a much larger number of people to use it. And yes, I used a “z” in a hacker Chad way and am starting to feel bad about it.
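Rather than waiting for Google to index a stray dump, you can check for the first three problems yourself from a shell on the hosting account. The script below is an added example, not code from the post: it lists files under the webroot whose names look like backups or database dumps, and flags robots.txt Disallow entries that point at paths that really exist. The webroot path in the usage comment and the constructed sample files are assumptions for demonstration.

```shell
#!/usr/bin/env bash
# Audit a WordPress webroot for exposed backups and tell-tale robots.txt entries.
# Usage: audit_webroot /home/youraccount/public_html   (path is an assumption)

# Print every regular file under the webroot whose name looks like a backup or dump.
find_backup_files() {
    local webroot="$1"
    find "$webroot" -type f \( -iname '*.zip' -o -iname '*.sql' -o -iname '*.sql.gz' \
        -o -iname '*.tar.gz' -o -iname '*.tgz' -o -iname '*backup*' \) | sort
}

# Print each robots.txt Disallow path that actually exists under the webroot,
# i.e. an entry that advertises where something worth looking at lives.
find_disallowed_paths_that_exist() {
    local webroot="$1" path
    [ -f "$webroot/robots.txt" ] || return 0
    grep -i '^Disallow:' "$webroot/robots.txt" | sed 's/^[Dd]isallow:[[:space:]]*//' | tr -d '\r' \
    | while IFS= read -r path; do
        # An empty Disallow means "allow everything"; "/" hides the whole site and is no clue.
        if [ -n "$path" ] && [ "$path" != "/" ] && [ -e "$webroot/${path#/}" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Run both checks; exit status 0 = nothing found, 1 = something to clean up.
audit_webroot() {
    local webroot="$1" status=0 backups disallowed
    backups="$(find_backup_files "$webroot")"
    disallowed="$(find_disallowed_paths_that_exist "$webroot")"
    [ -z "$backups" ] || { status=1; printf 'Backup/dump files reachable from the web:\n%s\n' "$backups"; }
    [ -z "$disallowed" ] || { status=1; printf 'robots.txt Disallow entries naming real paths:\n%s\n' "$disallowed"; }
    return "$status"
}

# Constructed sample webroot so the script can be tried offline (not a real site).
make_sample_webroot() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/wp-content/uploads" "$root/private"
    : > "$root/index.php"
    : > "$root/billysite_wp.sql"                                 # constructed: dump left in webroot
    : > "$root/wp-content/uploads/youraccount-2024-01-01.zip"    # constructed: cPanel-style name
    printf 'User-agent: *\nDisallow: /private/\nDisallow: /old-backups/\n' > "$root/robots.txt"
    printf '%s\n' "$root"
}
```

Running `audit_webroot "$(make_sample_webroot)"` reports the two constructed files and the /private/ entry, while /old-backups/ is ignored because nothing by that name exists.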

Closing remarks

These are common sense, easy tips to keep your site safer. You don’t need to know advanced programming or networking to protect yourself.

I also really wanted to use an ironic stock photo with a computer hacker for a post like this. The one above gives me the impression the hacker was being raided while decorating for Christmas, celebrating a birthday party, and stealing physical credit cards out of the computer. Keep these coming, please.