Blogs: Setting up WP-Hide

Harnessing the Full Potential of WP Hide: Elevate Your Website’s Privacy, Security, and User Experience.

Unveiling the Power of WP Hide: Unleash Advanced WordPress Site Security Customization

How to Set Up WP Hide

When it comes to website development, WordPress has long been a popular choice due to its user-friendly interface and extensive range of plugins and themes. However, its widespread adoption has also made it a prime target for hackers seeking vulnerabilities. As a website owner, prioritizing security is paramount. Luckily, there’s a powerful tool at your disposal: the “WP Hide and Security Enhancer” plugin.

“WP Hide and Security Enhancer” offers a comprehensive set of features designed to conceal the fact that your website is powered by WordPress, bolstering your security measures. This plugin comes in both a free version and a pro version, providing varying levels of functionality based on your specific needs. In this blog post, we’ll not only explore effective strategies and techniques to hide the telltale signs of WordPress but also dive into how the “WP Hide and Security Enhancer” plugin can fortify your website’s defenses.

By leveraging this plugin, even with the free version, you’ll gain the ability to alter common WordPress identifiers, modify URLs, and customize file structures, making it considerably more challenging for potential attackers to identify and exploit your website. Together, we’ll step into the realm of mystery and learn how to cloak your WordPress website like a seasoned pro, all while enhancing your security with the powerful capabilities of “WP Hide and Security Enhancer.” Prepare to embark on a journey that will provide unparalleled peace of mind in the face of evolving cybersecurity threats.

Install and activate the “WP Hide and Security Enhancer” plugin from the WordPress plugin repository. Once activated, navigate to the plugin settings and proceed to run an initial scan to evaluate the current visibility of your WordPress site.

Let’s simplify the plugin name to “WP-Hide” for convenience. Begin by running a basic setup of WP-Hide.

With the completion of the automatic basic setup, you have taken a step towards enhancing your website’s security. The modifications made by WP-Hide, such as altering WordPress identifiers, modifying URLs, and customizing file structures, contribute to a slightly improved security posture for your WordPress site.

It’s time to perform some manual configurations to further enhance the concealment of your WordPress site. As part of the basic setup, WP-Hide automatically hides the following directories:

– wp-content
– wp-includes
– wp-content/themes/[Theme Name]
– wp-content/plugins
– wp-content/uploads
– wp-comments-post.php

These hidden directories and files help minimize the exposure of sensitive information and discourage potential attackers from easily identifying your WordPress installation.

The underlying method employed in the previous step involves adding a .htaccess rule to rewrite the URL structure. However, it’s important to note that in the basic setup, the original directory/URL names (such as wp-content) are retained. To further block access to these original directories/URLs and reinforce the concealment, you can press “SHOW” and select yes.

and select “yes” and then press “ENTER” to apply it.

Before proceeding to block the original directory/URL names, it is crucial to test the changed URLs, directory names, and file names. This is because certain systems may experience compatibility issues or broken functionality when the changes are implemented. In case any issues arise, you can rectify them by accessing the .htaccess file and making necessary adjustments.

Additionally, we can manually obfuscate the following URLs using the respective tabs in WP-Hide:

1. “Author” URL: Use the appropriate tab in WP-Hide to obfuscate the author URL, making it more challenging for potential attackers to gather information about your site’s authors.
2. “Search” URL: Similarly, utilize the designated tab in WP-Hide to obfuscate the search URL, adding an extra layer of concealment to your site’s search functionality.
3. “xmlrpc.php” File: WP-Hide allows you to obscure the xmlrpc.php file, which can be a target for malicious activities. Obfuscating it enhances your site’s security by reducing its exposure.

When it comes to disabling the REST API, exercise caution as some plugins may rely on its functionality. Before disabling it, it is essential to verify whether any of your installed plugins utilize the REST API. If any plugins depend on it, refrain from disabling the REST API to avoid potential plugin malfunctions. Always prioritize compatibility and functionality when making such decisions.

Under the “Root File” tab in WP-Hide, you have the option to block several WordPress-related files to further obscure the fact that your website is built with WordPress. Here are the files available for blocking:

– license.txt
– readme.txt
– wp-activate.txt
– wp-signup.php (block if user sign-ups are not intended)
– wp-register.php (block if user registrations are not intended)
– other wp-*.php files – wp-cron.php (block if remote calls to this file are not needed)

The wp-cron.php is used to automate tasks in the wordpress site. If you don’t intend to use remote call to this file you can block it.

Additionally, you can utilize the “URL Slash” tab to automatically add a trailing “/” to each URL, helping to disguise the existence of the files.

To enhance security, it is crucial to rename the commonly known WordPress admin access files, namely /wp-login.php and /wp-admin. However, when renaming these files, it is essential to remember the new file names; otherwise, you may inadvertently lock yourself out of the admin panel. Exercise caution while renaming and ensure you keep track of the new file names to maintain access to the admin panel.

Within the “General/HTML” section of WP-Hide, you will find several tabs that enable you to obfuscate various aspects of WordPress. Among these tabs, the “Meta” tab contains two crucial sections:

1. “Remove WordPress Generator Meta”: By selecting “Yes” in this section, you can effectively hide the WordPress version from being displayed in the generated HTML source code. This helps to obscure the specific version of WordPress you are using, making it more challenging for potential attackers to exploit known vulnerabilities.

2. “Remove Other Generator Meta”: Similarly, selecting “Yes” in this section enables the removal of generator meta tags associated with themes and plugins. This ensures that the version information of your theme and other installed plugins remains hidden, further enhancing the concealment of your website’s underlying components.

By utilizing these options, you can effectively conceal crucial information, such as the WordPress version and theme version, from being readily accessible to external parties, thus improving the overall security posture of your WordPress site.

After implementing the various measures to hide WordPress using WP-Hide, performing a wpscan, a popular tool for WordPress vulnerability scanning, will reveal the effectiveness of your concealment efforts. The successful outcome of the scan will indicate that you have done a commendable job in concealing the presence of WordPress on your website, reducing the visibility of potential vulnerabilities and making it more challenging for attackers to exploit known WordPress-related issues.

In addition to a wpscan, you can conduct a wappalyzer scan, a tool that identifies technologies used on websites. Despite performing a wappalyzer scan, the fact that your website is built with WordPress remains completely hidden. The concealment measures implemented through WP-Hide ensure that the underlying CMS platform is not easily identifiable, thus adding an extra layer of security.

Advanced security configurations

With WP-Hide, you have the option to emulate a different CMS, which can further enhance the concealment of your WordPress site. However, it’s important to note that emulating a different CMS may have implications for certain platforms like Google Analytics. As a result, you may need to manually adjust the relevant configurations to ensure accurate tracking and reporting since Google will not recognize the website as a WordPress CMS. It is recommended to carefully evaluate the potential impact and make necessary adjustments to maintain proper functionality across different platforms while still benefiting from the overall concealment provided by WP-Hide

It is indeed wise to disallow access to admin pages in the robots.txt file to prevent search engine crawlers and other bots from visiting those URLs. By disallowing the admin pages in the robots.txt file, you add an extra layer of security by preventing unauthorized access to sensitive areas of your website. Ensure that you carefully configure the robots.txt file to disallow access to relevant admin pages while still allowing access to necessary areas for proper indexing and crawling by search engines.

Removing the style version from style files is a recommended practice to further enhance the security of your WordPress site. While the style version included in these files typically has no functional significance, it can provide valuable information to potential malicious actors. By removing the style version, you minimize the exposure of such information and reduce the risk of targeted attacks or exploits that rely on specific versions.

Removing the JavaScript version that is being used from the files is a prudent measure to bolster the security of your WordPress site. Just like the style version, the JavaScript version number can be leveraged by malicious actors to identify and exploit known vulnerabilities associated with specific versions. By eliminating the JavaScript version information from your files, you reduce the risk of targeted attacks and make it more difficult for potential attackers to exploit any known vulnerabilities.

If desired, you have the option to disable user interactions to provide an additional layer of control over your website’s content. Some of the user interaction options you can consider disabling include:

1. Mouse Right Click: Disabling the right-click functionality prevents users from accessing the context menu, which may help discourage unauthorized copying or inspecting of your website’s content.

2. Text Selection: By disabling text selection, you prevent users from easily highlighting and copying the text on your website, making it more challenging for them to extract or duplicate your content.

3. Copy/Paste: Disabling copy and paste functionality further restricts users from copying content directly from your website, adding an extra layer of protection against content theft.

4. Print Dialogue: Disabling the print dialogue option can prevent users from easily printing your website’s pages, helping to control the distribution of your content.

5. Print Screen: Disabling the print screen functionality attempts to prevent users from taking screenshots of your website’s content, limiting their ability to capture and replicate it.

6. Developer Tools: Disabling developer tools access inhibits users from inspecting or modifying your website’s source code through browser developer tools, providing additional protection against unauthorized modifications.

7. Source View: Disabling the source view functionality prevents users from viewing the HTML source code of your website, making it more challenging for them to analyze its structure or identify vulnerabilities.

8. Drag/Drop: Disabling drag and drop functionality can prevent users from dragging and dropping elements or content from your website, further securing your content against unauthorized usage.

Please note that implementing these measures may impact the user experience on your website. Consider the balance between usability and security before deciding to disable any of these user interactions.

Security headers play a crucial role in enhancing the overall security of your website by providing instructions to web browsers on how to handle and enforce security policies during communication. These headers, sent by the server to the client (web browser), help protect against a range of web vulnerabilities and attacks.

If an initial scan reveals that your security headers are not set correctly, you can start by creating a basic setup.

This can be achieved by clicking on the “Create Sample Setup” button within your security header configuration tool. The sample setup will generate a recommended configuration for security headers, ensuring that your website benefits from essential security policies and protections.

After creating a basic setup we get a 67% score.

Once you have created a basic setup for your security headers, you may notice that your website receives a score of 67% in terms of security headers configuration. It’s important to note that certain security headers may only be available in the PRO version of the tool you are using, which could limit your options for further enhancing the security headers configuration.

Additionally, while activating additional security headers can improve your website’s security, it’s crucial to exercise caution. Some headers may have compatibility issues with certain functionalities or plugins on your website. Before enabling any new security headers, it is recommended to thoroughly test and ensure that there are no adverse effects on the functionality or user experience of your website.

For the security headers that are not activated by default, you can manually enable them by navigating to the respective tab in your security header configuration tool. By accessing the specific tab associated with each header, you can activate them based on your desired security requirements.

In the case of the PRO version headers, their activation typically involves modifying the .htaccess file. It is crucial to exercise caution and gain a comprehensive understanding of what each of these headers does before enabling them. Take the time to research and familiarize yourself with the purpose and potential impact of these headers on your website’s security and functionality. Bypassing and activating the PRO features is out of the scope of this blog post.

Understanding the implications of each header will help you make informed decisions regarding their activation. It is recommended to refer to the documentation or resources provided by the security header tool to gain a deeper understanding of the specific headers and their effects.

After activating the free headers, you can achieve a header security percentage of 83%, which demonstrates a significant improvement in your website’s security posture.

Moving on to the database, you have identified that every table has a wp_ prefix, indicating the usage of WordPress. It’s important to note that this information can be valuable to malicious actors, potentially making your website a target for attacks specifically targeting WordPress vulnerabilities.

To mitigate this risk and further enhance the concealment of WordPress, it is advisable to change the default wp_ table prefix to a custom prefix. By modifying the table prefix, you make it more challenging for attackers to identify the underlying CMS and potentially exploit known vulnerabilities associated with WordPress.

It’s crucial to perform this change carefully, as it involves updating the database tables and corresponding configuration files. Backup your database and consult reliable resources or documentation for the appropriate steps to safely change the table prefix. Ensure that you test your website thoroughly after making this modification to confirm that everything functions correctly.

So it is better to rename them to a different string.

1. First and foremost, we change the name in wp-config.php file:
1. $table_prefix = ‘wp_’; -> $table_prefix = ‘NEWPREFIX_’;
2. iN phpMyAdmin, select all the tables with wp_ prefix, then at the bottom, next to check all, click on “with selected” drop down and select “Replace table prefix”. There on the “From” filed write “wp” and on the “To” field write “NEWPREFIX”

Renaming the database table prefix to a different string is a recommended practice to further obfuscate the fact that your website is built on WordPress. To accomplish this, follow the steps below:

1. Open the wp-config.php file of your WordPress installation.

2. Locate the line that defines the table prefix:

$table_prefix = 'wp_';

Change it to your desired custom prefix:

$table_prefix = 'NEWPREFIX_';

Replace ‘NEWPREFIX’ with the prefix you prefer. Make sure to include the underscore (_) at the end.

3. Access phpMyAdmin

4. In phpMyAdmin, select all the tables that have the wp_ prefix.

5. At the bottom of the table list, next to the “Check All” option, click on the “With selected” drop-down menu and choose “Replace table prefix.”

6. In the “From” field, enter “wp” (without quotes).

7. In the “To” field, enter your new custom prefix (e.g., “NEWPREFIX”).

8. Click the “Go” button to initiate the prefix replacement process.

9. Once the operation is complete, verify that all the tables now have the new custom prefix.

We are almost done, now to alter some setting in your database that uses wp_ prefix, we can execute the following SQL queries.

update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_capabilities' where meta_key = 'wp_capabilities'; 
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_user_level' where meta_key = 'wp_user_level'; 
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_autosave_draft_ids' where meta_key = 'wp_autosave_draft_ids'; 
update NEWPREFIX_options set option_name = 'NEWPREFIX_user_roles' where option_name = 'wp_user_roles';

Press Go button.

Few more minor things. Now run the following SQL query by selecting the database

SELECT * FROM `NEWPREFIX_options` WHERE `option_name` LIKE '%wp_%'
SELECT * FROM `NEWPREFIX_usermeta` WHERE `meta_key` LIKE '%wp_%'

For each query you will find entries with wp_ prefix. Now for each of these row entries, click edit.

Locking the ability to edit themes is an important security measure to prevent unauthorized modification of theme files. By implementing this measure, even if a hacker gains access to your admin panel, they won’t be able to insert malicious code or make unauthorized changes to the themes.

To lock the themes from editing, follow these steps:

1. Open the wp-config.php file of your WordPress installation.
2. Add the following line of code anywhere

define ( 'DISALLOW_FILE_EDIT', TRUE );

This code defines a constant, DISALLOW_FILE_EDIT, with a value of true. It disables the theme and plugin file editors in the WordPress admin panel.
3. Save the wp-config.php file after adding the line.

By adding this line to the wp-config.php file, you effectively disable the file editing functionality within WordPress.

Congratulations on implementing all the available free features to enhance the security of your website! Achieving a security quality score of 67% is a significant improvement and demonstrates your commitment to protecting your WordPress site.

While there is always more that can be done to enhance security, the measures you have taken so far, including concealing WordPress-related information, implementing security headers, altering the database settings, and locking theme editing, have greatly reduced the visibility of WordPress and mitigated common attack vectors.

Remember that maintaining a secure website is an ongoing process. It’s important to stay informed about emerging security threats, keep your WordPress installation and plugins up to date, regularly backup your site, and monitor for any suspicious activity.

Consider periodically reviewing your security measures and exploring additional options, such as implementing a robust firewall, using a reputable security plugin, or considering the benefits of the pro version of WP Hide and Security Enhancer.

By prioritizing website security, you are taking proactive steps to protect your site, data, and visitors from potential threats. Well done on your efforts so far!

Conclusion

However, regardless of whether you have chosen to purchase the pro version or opt for the free version of WP Hide and Security Enhancer, it’s important to acknowledge that configuring the plugin correctly requires a significant amount of technical knowledge. One wrong setting could potentially disrupt the functionality of your website.

At Red Threat Cyber Security, we understand the challenges of securing a mission-critical WordPress site. Our team possesses the expertise and experience to help you navigate the complexities of WordPress security. We offer comprehensive services tailored to your specific needs, ensuring the protection of your valuable online assets.

Whether you need assistance with plugin configuration, advanced security measures, vulnerability assessments, or overall WordPress security consultancy, we are here to help. Our dedicated professionals will work closely with you to identify potential risks, implement robust security measures, and safeguard your website against malicious attacks.

Contact us today for a free consultancy session and explore how our services can provide you with peace of mind and confidence in the security of your WordPress site. Don’t leave your website’s security to chance—partner with Red Threat Cyber Security and let us fortify your digital presence.