// for enabling/disabling theme/plugin editor
define( 'DISALLOW_FILE_EDIT', TRUE );

The second constant presented here prohibits editing, modifying or changing the core files, Plugins or Themes. In this context the menu entries in the backend are not visible or usable. Thus the update is not so easy to do and clients and unauthenticated users are blocked quickly.

// Disallow anything that creates, deletes, or edits core, plugin, or theme files.
// Files in uploads are excepted.
define( 'DISALLOW_FILE_MODS', TRUE );

In this context there are two constants that are useful now and then.

In various contexts it is very useful that all users have the option of: to write unfiltered HTML, in all aspects and this can also be easily implemented via constants:

// Disallow unfiltered_html for all users, even admins and super admins
DISALLOW_UNFILTERED_HTML

Similar existing for uploads:

// Allow uploads of filtered file types to users with administrator role
ALLOW_UNFILTERED_UPLOADS

The constants belong in the wp-config.php of the installation.

if ( is_admin() )
  add_action( 'init', 'disable_password_fields', 10 );

function disable_password_fields() {
  if ( ! current_user_can( 'administrator' ) )
    $show_password_fields = add_filter( 'show_password_fields', '__return_false' );
}

Now only a user with the administrator role can change the passwords of the users and make sure that they are using strong passwords.

The hard way

The first code snippet is my own solution. WordPress gives you the possibility to replace some functions directly in the core, without Plugin or via Hooks. You can find all functions for this in wp-includes/pluggable.php. There you can find, since version 2.5 of WordPress, the function wp_validate_auth_cookie(). It takes care to check the login, which I replace in my local development environment, since my site it is not accessible for anybody else. This functions gives back, if you logged in correctly, the ID of the user and that's exactly what I'm doing. ID 1 for Admin, should exist if you didn't change it after the installation of WordPress.
I put the following function in wp-config.php.

/**
 * Set authentication cookie.
 *
 * @param string $cookie Optional. If used, will validate contents instead of cookie's
 * @param string $scheme Optional. The cookie scheme to use: auth, secure_auth, or logged_in
 * @return bool|int False if invalid cookie, User ID if valid.
 */
//*
function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) {
	$user_ID = (int) 1; // admin user id
	return $user_ID;
}
//*/

The block-comment-trick

If you need under certain circumstances the login for some tests then you can comment out this function. I will explain briefly the comment characters in this code, which you probably noticed.

We talk about the following characters:

//*
function ...
//*/

I just have to change the slashes in /* and the content is comment out. I got this tip from Aleem Bawany; he explains it thoroughly in his article.

Alternatively, you can also create a safe option and go many other ways - this is my path and it is simple and controllable.

Expand time of the cookie

I found on StackExchange another solution, which is much more safe and probably usable on live sites. You just change via hook the time of the cookie. At default is the „Remember me“-Checkbox set to 14 days, the following function changes it to a year. So the actual login still exists, only the time frame changes.

function keep_me_logged_in_for_1_year( $expirein ) {
    return 31556926; // 1 year in seconds
}
add_filter( 'auth_cookie_expiration', 'keep_me_logged_in_for_1_year' );

This solution was published by Alex (Viper007Bond) and it's worth reading the comments, especially about create_function within the filter hook.
This function belongs in a Plugin or in the functions.php of the theme if it is necessary.

Two solutions with different approaches and usage. Maybe you know other solutions and let us know in the comment area.

There are many ways to secure a WordPress installation. In this article we will show only those who are easy to implement with little effort in WordPress. Which possibilities you use always depends on the different options available. For example, if you have access to the server's configuration, you can already create a high level of security. Here it is only about security settings within WordPress.

Install WordPress securely

WordPress is known for its simple and uncomplicated installation. This fact has contributed in particular to the popularity of the software, but also ensures that many settings are equally on many installations. This allows hackers to set up at various initial positions and gain unauthorized access.

Already during the installation of WordPress, you should pay attention that your own blog has less in common with a default installation of WordPress. An installation that differs from the standard, makes it more difficult for potential intruders to unauthorized access. In this context, you should consider a few points when setting up a new installation of WordPress.

All tips are limited to the possibilities of the basic installation without extensions. However, there are also some useful Plugins for more security in WordPress, which are particularly for less experienced users an alternative.

Table prefix

Access to the database is configured in wp-config.php. In this file, the table prefix is defined which uses WordPress to create the database at installation. By default, this is the prefix "wp_". You should always configure a random prefix that does not meet the standard. You should also make sure that you are using only numbers, letters and underscore, because other characters are not supported.

Authentication Unique Keys

Also in wp-config.php, you have the ability to define four security keys to increase the safety of WordPress. The keys either created manually or via a generator at wordpress.org. The four keys are assigned to different cookies and are used at different places in order to increase the security of WordPress, so it is also important that every installation has different keys. The relevant keys are:

• AUTH_KEY Is used for unsecure connections via http.
• SECURE_AUTH_KEY This constant can be realized through https secure..
• LOGGED_IN_KEY holds firmly to whether a user has logged in, not an administrative cookie.
• NONCE_KEY appaers at $_POST-queries of WordPress and can be used via extension with function wp_nonce().

If you update an existing installation of WordPress, the key should be supplemented here by the example of AUTH_KEY:

define('AUTH_KEY', 'put your unique phrase here');

File and Folder Permissions

Distinguish the rights of files and directories properly. Restricted Rights make it difficult for an attacker to alter files and directories.

Search engines usually take up to a certain depth, which they can get. Prevent using the robots.txt file to have access. The internal directory of WordPress shouldn't appear in any search results - a simple Disallow is enough.

Depending on server configuration, the possibility exists that you can list the contents of the folder in the browser. This must be prevented, which is quickly done by passing an empty index.html in each directory. Alternatively this can be done with the help of Secure WordPress Plugins.

Rename wp-content

All extensions, files and themes are stored in the default installation folder wp-content. Often, themes or Plugins opens a security hole in the system, so it is possible since version 2.6, to enter an arbitrary name for that folder, and storing the folder elsewhere. With a new installation it can be done easy and fast. It can lead to problems with Plugins or themes, since not all authors check this path by using the available constants and functions. Therefore, this option is only recommended for experienced users.

To redefine the folder, it is sufficient to establish that with the help of the constants in the wp-config.php.

define('WP_CONTENT_DIR', ABSPATH . 'test');    // wp-content Directory
define('WP_CONTENT_URL', 'http://example.com/test');    // wp-content URL

Secure access

With version 2.6, a new option has been added to secure the back end of the installation: access via SSL - Secure Sockets Layer is an encryption protocol for transmitting data. Your internet provider must support the use of SSL. If so, you can enable the protocol in wp-config.php . To use the SSL capabilities in the backend, you must define FORCE_SSL_LOGIN with TRUE, not in quotes, it is a boolean value. From now on, all data is encrypted in the backend.

define ('FORCE_SSL_LOGIN', true);

Safety of existing installations

Also existing blogs can be made safer with a few simple steps. If the blog is already active and the database is already filled with content, changing the table prefix have fatal consequences. Yet there is also the possibility here to change the prefix. These various steps with the help of SQL is required that you perform in the most appropriate interface. Alternatively, you can go down that route with the help of a Plugin. Any changes to the database requires a backup of current database in advance.

To change all ten standard tables, the following SQL statements are necessary. Have you more tables, for example because of Plugins, they must also be changed. Adjust the sample wp_i1d_ to your requirements.

RENAME TABLE wp_comments to wp_i1d_comments;
RENAME TABLE wp_links to wp_i1d_links;
RENAME TABLE wp_options to wp_i1d_options;
RENAME TABLE wp_postmeta to wp_i1d_postmeta;
RENAME TABLE wp_posts to wp_i1d_posts;
RENAME TABLE wp_terms to wp_i1d_terms;
RENAME TABLE wp_term_relationships to wp_i1d_term_relationships;
RENAME TABLE wp_term_taxonomy to i1d_term_taxonomy;
RENAME TABLE wp_usermeta to wp_i1d_usermeta;
RENAME TABLE wp_users to wp_i1d_users;

Unfortunately, WordPress uses the installation prefix, to clearly identify some of the fields in the tables options and usermeta. Therefore, you must rename these fields.

UPDATE wp_i1d_options SET option_name = REPLACE(option_name, 'wp_', 'wp_i1d_');
UPDATE wp_i1d_usermeta SET meta_key = REPLACE(meta_key, 'wp_', 'wp_i1d_');

Since Plugins may be able to create fields with the prefix, it is advisable if you now search the database for the old prefix and change the values.

SELECT * FROM wp_i1d_options WHERE option_name LIKE 'wp_%';
SELECT * FROM wp_i1d_usermeta WHERE meta_key LIKE 'wp_%';

Rename Username

The user name of the default installation is admin and not only known to you. After an installation you should delete this user. Be sure to create a new administrator. This is done in the administration area and should be the first act after the initial login.

This will change not only the user name, but also the ID, which is after the initial installation 1. Two fields that makes it easy for an attacker if you don't change them.

Would you like to set a very large value for the ID, the manual option in the backend is very complicated, because WordPress is adding to each new user only 1. Alternatively, you can change this value via SQL or with the Plugin Search & Replace.

UPDATE `wp_users` SET `ID` = '815' WHERE `wp_users`.`ID` = 1;
UPDATE `wp_usermeta` SET `user_id` = '815' WHERE `wp_usermeta`.`user_id` = 1;
UPDATE `wp_posts` SET `post_author` = '815' WHERE `wp_posts`.`post_author` = 1;
UPDATE `wp_links` SET `link_owner` = '815' WHERE `wp_links`.`link_owner` = 1;

Don't reveal WordPress version

The version of WordPress is displayed in many parts of the blog, in your backend, feeds and in your theme. Each version has its quirks and errors that potential attackers are known.

For this reason, nobody should receive information about your WordPress installation. The simplest way to remove the version information from all areas (except the back end), is the use of Secure WordPress Plugins. Alternatively, it is sufficient to suppress the function of publishing the release.

add_filter( 'the_generator', create_function('$a', "return null;") );

Disable Error and Information messages

The backend of WordPress can be reached via login with username and password. If the user produces an error, WordPress provides related tips to ease the login. As useful as the information for the user is, so it is also useful for unwanted intruders.

Consider whether you need to allow these messages, or want to, otherwise they can be disabled by the already mentioned Plugin Secure WordPress Plugin.

If the constant WP-DEBUG is defined in your wp-config.php, you need to set it on FALSE or delete, otherwise any error in WordPress will be displayed in your browser. This constant should be used only in the development environment of WordPress.

define('WP_DEBUG', false);

Security via .htaccess

The possibilities with .htaccess are various and we can also secure WordPress sufficiently. Specifically, the different requirements should be considered here, because not infrequently the usability suffers from the security settings. Consider the safety of WordPress also from the perspective of users, not only from the administrator. You should also note the configuration of your web space, so that there will be no errors.

In principle, any directory can be protected, especially the folder wp-admin, because there are the files to get access to your backend stored. Access is controlled via wp-login.php and WordPress always forwards to it, no matter which unauthorized call was placed in wp-admin. It must be added a .htpasswd file, that contains user name and password. Various online generators can help you create the file contents.

# protect wp-login.php
<files wp-login.php>
AuthName "Admin-Bereich"
AuthType Basic
AuthUserFile /your_lokal_path/.htpasswd
require valid-user
</files>

As already mentioned, the file wp-config.php contains the accesses to the database, which makes them especially worthy of protection. A few lines in .htaccess of the root are helpful.

# protect wp-config.php
<files wp-config.php>
Order deny,allow
deny from all
</files>

If the server environment allow an open directory environment, it is advisable to either store the main index.html in each directory or block access via "Options Indexes" in the .htaccess.

The folder wp-content and wp-includes are worthy to protect. The following syntax shows a simple method to protect the respective folder.

Order Allow,Deny
Deny from all
<Files ~ "js/tinymce/*.$">
Allow from all
</Files>
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

The file formats should be adapted and possibly be expanded and tested. Alternatively you can also use a Plugin solution that can greatly improve security and will decrease the work: AskApache Password Protect.

Conclusion

PHP and security have been and are frequently discussed and sometimes makes a web programmer pretty nervous. Security with PHP is not a "secret science", already with a few basics you can make a WordPress extension safer. Even WordPress itself provides this functionality. WordPress is much used in different configurations and versions of PHP, so that we can discuss the issue on different levels. The featured selections are simple and almost everywhere doable, which should not be ignored, if you want to keep your blog under your control.

You can find the class in /wp-includes/wp-db.php where the individual methods are documented.
I show the most important ones and give some small examples. It is important to work with these opportunities to ensure the safety of Plugins.

For the following four methods I created some syntax examples.

• insert($table, $data, $format) — insert a row into a table via arrays.
• update($table, $data, $where, $format, $where_format) — update a row in a table via arrays.
• get_var($query, $x, $y) — retrieve a single variable from the database.
• query($query) — perform a MySQL database query with current connection
• get_results($query, $output) — retrieve SQL result set from database… one or more rows.
• escape($data) — Escapes content for insertion into the database using addslashes(), for security

Also interesting are the methods below.

• set_prefix($prefix) — used to set table prefix for WordPress tables, can be used to override prefix at any time
• prepare($query) — safely prepares an SQL query for execution with sprintf()-like syntax.
• get_row($query, $output, $y) — retrieve a single row from the database.
• get_col($query, $x) — retrieve a single column from the database in array format.

/**
 * insert
 */
$wpdb->insert( $wpdb->posts, array( 'post_title' => $mytitle ) );

$wpdb->insert( $wpdb->options, array(
            'option_name',
            'new_option_key',
            'option_value' => 'New Option Value',
            'autoload' => 'yes' )
            );

/**
 * update
 */
$wpdb->update( $wpdb->posts, array( 'post_title' => $mytitle ),
            array( 'ID' => $myid )
            );

$wpdb->update( $wpdb->options,
            array( 'option_value' => 'New Option Value' ),
            array( 'option_name' => 'new_option_value' )
            );

/**
 * get_var
 */
$post_id = $wpdb->get_var(
            $wpdb->prepare( "SELECT post_id FROM
                    $wpdb->postmeta WHERE
                    post_id = %d AND
                    meta_key = 'enclosure' AND
                    meta_value LIKE (%s)", $post_ID, $url . '&' )
            );

$content = $wpdb->get_var(
            $wpdb->prepare("SELECT post_content FROM " .
                    "$wpdb->posts WHERE " .
                    "post_title = %s AND " .
                    "ID = %d", $title, $id )
        );

/**
 * query
 */
$wpdb->query( "DELETE FROM $wpdb->options WHERE option_name = '$name'" );

$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$mytitle' WHERE ID = $myid" );

/**
 * query and escape
 */
$mytitle = $wpdb->escape( $mytitle );
$myid    = absint( $myid );
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$mytitle' WHERE ID = $myid" );

/**
 * get_results
 */
$type = $wpdb->get_results( "SELECT post_type FROM " .
                "$wpdb->posts WHERE ID=$id" );

Who has implemented several projects already with WordPress probably had experienced that a user doesn't have the rights to upload a specific format.

The Plugin Role Manager allows the uploading of all MIME types. But in my opinion this is not the perfect way, and therefore here is a small code snippet that takes adjusting according to the particular requirement.

All allowed types are found in the whitelist-function wp_check_filetype(), in wp-includes/functions.php.
This function has a filter upload_mimes that can be extended. And there we come in and call the MIME types that we need. In the following example, I allow PHP-, XHTML- and htaccess-files. The options are passed in an array and the assignment is important so that WordPress can also assign an icon, like you see on the screenshot.

function my_upload_mimes() {
	$mime_types = array(
		'php|phps'   => 'text/php',
		'xhtm|xhtml' => 'text/html',
		'htaccess'    => 'text/plain'
	);

	return $mime_types;
}

add_filter( 'upload_mimes', 'my_upload_mimes' );

Mime Types

To obtain a list of all MIME types that can be used, you can check out the following list. The list should only contain type files, which are explicitly required, otherwise the above constants can be used.

$mime_types = array(
'323'     => 'text/h323',
'acx'     => 'application/internet-property-stream',
'ai'      => 'application/postscript',
'aif'     => 'audio/x-aiff',
'aifc'    => 'audio/x-aiff',
'aiff'    => 'audio/x-aiff',
'asf'     => 'video/x-ms-asf',
'asr'     => 'video/x-ms-asf',
'asx'     => 'video/x-ms-asf',
'au'      => 'audio/basic',
'avi'     => 'video/x-msvideo',
'axs'     => 'application/olescript',
'bas'     => 'text/plain',
'bcpio'   => 'application/x-bcpio',
'bin'     => 'application/octet-stream',
'bmp'     => 'image/bmp',
'c'       => 'text/plain',
'cat'     => 'application/vnd.ms-pkiseccat',
'cdf'     => 'application/x-cdf',
'cer'     => 'application/x-x509-ca-cert',
'class'   => 'application/octet-stream',
'clp'     => 'application/x-msclip',
'cmx'     => 'image/x-cmx',
'cod'     => 'image/cis-cod',
'cpio'    => 'application/x-cpio',
'crd'     => 'application/x-mscardfile',
'crl'     => 'application/pkix-crl',
'crt'     => 'application/x-x509-ca-cert',
'csh'     => 'application/x-csh',
'css'     => 'text/css',
'dcr'     => 'application/x-director',
'der'     => 'application/x-x509-ca-cert',
'dir'     => 'application/x-director',
'dll'     => 'application/x-msdownload',
'dms'     => 'application/octet-stream',
'doc'     => 'application/msword',
'dot'     => 'application/msword',
'dvi'     => 'application/x-dvi',
'dxr'     => 'application/x-director',
'eps'     => 'application/postscript',
'etx'     => 'text/x-setext',
'evy'     => 'application/envoy',
'exe'     => 'application/octet-stream',
'fif'     => 'application/fractals',
'flr'     => 'x-world/x-vrml',
'gif'     => 'image/gif',
'gtar'    => 'application/x-gtar',
'gz'      => 'application/x-gzip',
'h'       => 'text/plain',
'hdf'     => 'application/x-hdf',
'hlp'     => 'application/winhlp',
'hqx'     => 'application/mac-binhex40',
'hta'     => 'application/hta',
'htc'     => 'text/x-component',
'htm'     => 'text/html',
'html'    => 'text/html',
'htt'     => 'text/webviewhtml',
'ico'     => 'image/x-icon',
'ief'     => 'image/ief',
'iii'     => 'application/x-iphone',
'ins'     => 'application/x-internet-signup',
'isp'     => 'application/x-internet-signup',
'jfif'    => 'image/pipeg',
'jpe'     => 'image/jpeg',
'jpeg'    => 'image/jpeg',
'jpg'     => 'image/jpeg',
'js'      => 'application/x-javascript',
'latex'   => 'application/x-latex',
'lha'     => 'application/octet-stream',
'lsf'     => 'video/x-la-asf',
'lsx'     => 'video/x-la-asf',
'lzh'     => 'application/octet-stream',
'm13'     => 'application/x-msmediaview',
'm14'     => 'application/x-msmediaview',
'm3u'     => 'audio/x-mpegurl',
'man'     => 'application/x-troff-man',
'mdb'     => 'application/x-msaccess',
'me'      => 'application/x-troff-me',
'mht'     => 'message/rfc822',
'mhtml'   => 'message/rfc822',
'mid'     => 'audio/mid',
'mny'     => 'application/x-msmoney',
'mov'     => 'video/quicktime',
'movie'   => 'video/x-sgi-movie',
'mp2'     => 'video/mpeg',
'mp3'     => 'audio/mpeg',
'mpa'     => 'video/mpeg',
'mpe'     => 'video/mpeg',
'mpeg'    => 'video/mpeg',
'mpg'     => 'video/mpeg',
'mpp'     => 'application/vnd.ms-project',
'mpv2'    => 'video/mpeg',
'ms'      => 'application/x-troff-ms',
'mvb'     => 'application/x-msmediaview',
'nws'     => 'message/rfc822',
'oda'     => 'application/oda',
'p10'     => 'application/pkcs10',
'p12'     => 'application/x-pkcs12',
'p7b'     => 'application/x-pkcs7-certificates',
'p7c'     => 'application/x-pkcs7-mime',
'p7m'     => 'application/x-pkcs7-mime',
'p7r'     => 'application/x-pkcs7-certreqresp',
'p7s'     => 'application/x-pkcs7-signature',
'pbm'     => 'image/x-portable-bitmap',
'pdf'     => 'application/pdf',
'pfx'     => 'application/x-pkcs12',
'pgm'     => 'image/x-portable-graymap',
'pko'     => 'application/ynd.ms-pkipko',
'pma'     => 'application/x-perfmon',
'pmc'     => 'application/x-perfmon',
'pml'     => 'application/x-perfmon',
'pmr'     => 'application/x-perfmon',
'pmw'     => 'application/x-perfmon',
'pnm'     => 'image/x-portable-anymap',
'pot'     => 'application/vnd.ms-powerpoint',
'ppm'     => 'image/x-portable-pixmap',
'pps'     => 'application/vnd.ms-powerpoint',
'ppt'     => 'application/vnd.ms-powerpoint',
'prf'     => 'application/pics-rules',
'ps'      => 'application/postscript',
'pub'     => 'application/x-mspublisher',
'qt'      => 'video/quicktime',
'ra'      => 'audio/x-pn-realaudio',
'ram'     => 'audio/x-pn-realaudio',
'ras'     => 'image/x-cmu-raster',
'rgb'     => 'image/x-rgb',
'rmi'     => 'audio/mid',
'roff'    => 'application/x-troff',
'rtf'     => 'application/rtf',
'rtx'     => 'text/richtext',
'scd'     => 'application/x-msschedule',
'sct'     => 'text/scriptlet',
'setpay'  => 'application/set-payment-initiation',
'setreg'  => 'application/set-registration-initiation',
'sh'      => 'application/x-sh',
'shar'    => 'application/x-shar',
'sit'     => 'application/x-stuffit',
'snd'     => 'audio/basic',
'spc'     => 'application/x-pkcs7-certificates',
'spl'     => 'application/futuresplash',
'src'     => 'application/x-wais-source',
'sst'     => 'application/vnd.ms-pkicertstore',
'stl'     => 'application/vnd.ms-pkistl',
'stm'     => 'text/html',
'svg'     => 'image/svg+xml',
'sv4cpio' => 'application/x-sv4cpio',
'sv4crc'  => 'application/x-sv4crc',
't'       => 'application/x-troff',
'tar'     => 'application/x-tar',
'tcl'     => 'application/x-tcl',
'tex'     => 'application/x-tex',
'texi'    => 'application/x-texinfo',
'texinfo' => 'application/x-texinfo',
'tgz'     => 'application/x-compressed',
'tif'     => 'image/tiff',
'tiff'    => 'image/tiff',
'tr'      => 'application/x-troff',
'trm'     => 'application/x-msterminal',
'tsv'     => 'text/tab-separated-values',
'txt'     => 'text/plain',
'uls'     => 'text/iuls',
'ustar'   => 'application/x-ustar',
'vcf'     => 'text/x-vcard',
'vrml'    => 'x-world/x-vrml',
'wav'     => 'audio/x-wav',
'wcm'     => 'application/vnd.ms-works',
'wdb'     => 'application/vnd.ms-works',
'wks'     => 'application/vnd.ms-works',
'wmf'     => 'application/x-msmetafile',
'wps'     => 'application/vnd.ms-works',
'wri'     => 'application/x-mswrite',
'wrl'     => 'x-world/x-vrml',
'wrz'     => 'x-world/x-vrml',
'xaf'     => 'x-world/x-vrml',
'xbm'     => 'image/x-xbitmap',
'xla'     => 'application/vnd.ms-excel',
'xlc'     => 'application/vnd.ms-excel',
'xlm'     => 'application/vnd.ms-excel',
'xls'     => 'application/vnd.ms-excel',
'xlt'     => 'application/vnd.ms-excel',
'xlw'     => 'application/vnd.ms-excel',
'xof'     => 'x-world/x-vrml',
'xpm'     => 'image/x-xpixmap',
'xwd'     => 'image/x-xwindowdump',
'z'       => 'application/x-compress',
'zip'     => 'application/zip'
);

In the development process it can increase fast, simple and straightforwarded the safety. The tool can be easily put as a bookmark in the browser and scans links and paths. Alternatively, you can add new vectors. Definitely worth a bookmark. Download of application can be found on the website for XSS Rays.