Zach Adams Web Developer and Programmer

Securing a Wordpress site when you don't have access to the Server

December 18, 2014

We’ve all been in a situation where the website we’re working on is stuck on some weird server somewhere and you need to make sure it’s secure. Here’s a list of things I make sure to do to ensure that my sites on other servers don’t get hacked.

1. iThemes Security

This is the most popular security plugin for a reason, it works. It should be a mandatory install on all WordPress sites no matter how they’re setup.

Download it from the official WordPress repository and activate it. If you’re unsure what kind of webserver the site is running on check on the Dashboard of iThemes Security before you start.

Configuration

There’s lots of different options for iThemes Security, here’s the one’s I make sure to enable. Head over to the Settings tab:

  • Temporarily Whitelist your IP – Just in case you get into trouble

Just a note that I’m only listing the changes I make to the default options, feel free to configure to your heart’s delight.

Global Settings

  • Allow iThemes to write to wp-config.php – Lets iThemes do some configuration
  • Enable Email Lockout Notifications – Disable, I don’t need an email everytime a bot get’s locked out of my site

Banned Users

  • Enable HackRepair.com’s blacklist feature – Enable, awesome list of bots that automatically get rejected from your site
  • Enable Ban Users – Enable, allows you to ban users to become unruly

Brute Force Protection

  • Get your iThemes Brute Force Protection API Key – Enter your email but be sure to uncheck the checkbox for promotional material. Their network brute force protection is awesome and all you have to do is enter your email.
  • Enable local brute force protection – Enable, also decrease the number of tries users get and increase the ban time for maximum protection

Database Backups

  • I usually let other plugins handle this but I highly encourage you to enable this

File Change Detection

  • File Change Detection – Enable, let’s you know if somebody’s snooping around in your files

Hide Login Area

  • Hide Backend – Enable, I usually change the slug to ‘super’, however feel free to change it to whatever works best for you

Malware Scanning

  • Enable Malware Scanning – Enable, get a free API key from Virustotal and enter it here, well worth it

Strong Passwords

  • Enable, for obvious reasons

System Tweaks

Note, these can mess with plugins, be careful

  • System Files – Enable, unless you need public access to important system files
  • Request Methods – Enable, unless you’re working on a site that specifically needs Trace, Delete or Track request methods
  • Suspicious Query Strings – Enable, unless people will be searching for ‘unique’ items on your site
  • Non-English Characters – Enable, unless you’re working on a Non-English site (duh)
  • Long URL Strings – Enable, unless there’s long url strings (also duh)
  • File Writing Permissions – Enable, very important for shared servers and any server in general
  • Uploads – Enable, also very important to keep bots from uploading stuff to your server and executing it

WordPress Tweaks

  • Generator Meta Tag – Enable, unless you specifically want people to know what WordPress version you’re using
  • Windows Live Writer Header – Enable, unless you’re using Windows Live Writer (take note all 2 people who use it)
  • Comment Spam – Enable, along with Akismet this will basically eliminate 99% of all blog spam
  • Display Random Version – Enable if you really want to mess with bots
  • Login Error Messages – Enable, slows down bots
  • Disable Extra User Archives – Enable

Advanced Settings

In the Advanced settings tab check “Enable change Admin user” and and follow the commands. Very important as 99.9% of bots will try to brute force with the “admin” username.

2. Keeping WordPress Up-To-Date

The most important thing you can do for security is keeping things up to date, so far I’ve found 2 good ways to do that.

Automatic Updates

I think this is a good way to go for most “small” websites. It does raise concerns with sites that you have to be very careful don’t go down or are very sensitive to plugin updates, however in 80-90% of sites this would be the way to go.

Download Update Control from the WordPress Repository and activate it. Then go to “Settings -> General” and at the bottom you can see the updates options. Select “Major Updates” for the WordPress Core and check the Automatic updates for Plugins and Themes. Also make sure to enable Advanced Settings and uncheck the emails if you don’t want to receive them.

WP Remote

WP Remote is a free site which allows you to control updates across all your WordPress sites. This is what I use since it allows me to pick and choose among the updates in case there’s some that I want to wait a while before updating. I highly recommend this route.

3. Cloudflare

If you have access to the domain of the website I would highly recommend Cloudflare’s free platform for not only speed but some added security.

4. Hardening WordPress

Read this if you are ever serious about your WordPress security. It will give you the run-down on exactly how to secure your site.

That’s about it, let me know if you have any suggestions I can add!