It is easy to set up and run your WordPress site but difficult to protect it from hackers and spam. That’s why I chose to adopt the free WordPress.com, which lets me focus on content.
When I set up WordPress for my customers, I secure wp-config.php and limit the database account to the current WordPress database only. This prevents access to the WordPress configuration file, which contains the database account and password in plain text. Even if someone obtains the file, the database user account can only access the WordPress database.
The WordPress Codex provides a very good explanation of how to protect your wp-config.php.
I set up a demo WordPress site on my Linux desktop to test the process. The wp-config.php is generated during setup. Here is how I secure it:
- List the owner of wp-config.php
- Change groups and owner of wp-config.php
- Change the access rights to 400 to give read-only access to the owner and reject everyone else.
In a Linux terminal, you may use ls -l to list the access rights of files and directories. A mode string such as -rwxrw-r-- means “This is a file. Owner may read, write, and execute. Group may read and write. Others may read.”
- Read is the first of the three, and its value is 2² = 4.
- Write is the second of the three, and its value is 2¹ = 2.
- Execute is the third of the three, and its value is 2⁰ = 1.
For wp-config.php, if you want to enable read, write, and execute for the owner, it is 4*1 + 2*1 + 1*1 = 7. If you want to enable read and write for the group, it is 4*1 + 2*1 + 1*0 = 6. If you want to disable access for others, it is 4*0 + 2*0 + 1*0 = 0.
Then use chmod 760 wp-config.php to change the access rights of the file.
To harden wp-config.php, it is recommended to use chmod 400 wp-config.php for the best protection.
If you have problems using chmod on wp-config.php, check the current owner of the file. If the file was generated during the WordPress setup, the owner might be apache rather than you. You’ll need to switch to root with su before changing the access rights.
If you created wp-config.php yourself, the owner is your own account. In this case, I use chown wwwrun:www wp-config.php to change the owner to the Apache user, either before or after changing the access rights. If you forget to change the owner, a file with mode 400 is readable only by you and Apache is rejected, which causes WordPress to fail.
Create User for WordPress Database
A super user account has full control of the whole database server and may access other databases on it.
Therefore, you may use phpMyAdmin to create a new user and restrict it to the WordPress database only.
- Create the user with CREATE USER 'wpdbadmin'@'localhost' IDENTIFIED BY 'PASSWORD';
- Restrict the user to the database wordpress with GRANT ALL ON wordpress.* TO 'wpdbadmin'@'localhost';
According to Restricting Database User Privileges on the WordPress Codex, normal WordPress operations only need data read and write privileges. Therefore, you may limit the user to these privileges on the MySQL database: SELECT, INSERT, UPDATE and DELETE.
To do so, revoke all privileges with REVOKE ALL PRIVILEGES ON wordpress.* FROM 'wpdbadmin'@'localhost'; before granting the restricted privileges with GRANT SELECT, INSERT, UPDATE, DELETE ON wordpress.* TO 'wpdbadmin'@'localhost';
Plug-ins or themes that need to change the database structure may require more privileges.
There are also many WordPress plugins that may help you secure your site. Here are some of them:
- Limit Login Attempts – Slows down dictionary attacks and may warn you through email.
- Better WP Security – Checks your site and guides you to secure your WordPress.
- Theme Authenticity Checker (TAC) – Checks WordPress theme files.
References
- Codex: Hardening WordPress
- Securing wp-config.php
- Restricting Database User Privileges
- Change file owner, chown
- How to Change Ownership of a file on Linux
- ThemeShock: Powering WordPress and website security, Most complete guide
- MySQL 5.7 Reference Manual: CREATE USER Syntax
- MySQL 5.7 Reference Manual: GRANT Syntax
- MySQL 5.7 Reference Manual: REVOKE Syntax