Category: The Fancy Robot

Hide Your WordPress Usernames From Hackers

One of the most common attacks on a WordPress install is a brute force attack. This is when a malicious visitor tries to log in with a username over and over again with different passwords until they get it right. The passwords usually come from a long list of commonly used passwords easily found on the internet. In order for this to work for our malicious visitor, they need to also know your WordPress username. Unfortunately, WordPress makes this very easy for them to obtain.

When you create a user, WordPress stores what it calls a nicename in the database. This is what WordPress uses to build the URL for your author pages. WordPress creates the nicename by sanitizing the user login the same way it sanitizes post names for permalinks. With this configuration, any time someone visits your author page, your username is exposed right there in the address bar. This gives malicious visitors a leg up in attempting a brute force attack. In fact, Google will even index these pages, making it super easy for someone to uncover ALL of your usernames with one simple query in Google. Unfortunately, WordPress does not provide a way to easily change this.

First Deter Brute Force Attacks

The first step is to deter brute force attacks. The easiest way to do this is to install a security plugin. Lucky for you, I wrote a tutorial on how to stop WordPress brute force attacks. If you haven’t done this yet, go read that tutorial, follow the instructions, and then come back here. Take your time; I’ll wait.

How Do I Hide My WordPress Username?

That’s a great question. That is why you’re here after all. First, you stop WordPress from showing your usernames, and then, if you need to have dynamic author pages, you redirect your author links to somewhere else. Let’s start with stopping WordPress from showing your usernames.

Fix The WordPress Enumeration Vulnerability

That’s a lot of big words, I know. It’s really not so scary though. This is referring to the ability to reveal WordPress login usernames quite easily by simply incrementing a number in the following URI request: www.yourdomain.com/?author=1. WordPress answers by redirecting to the author page, whose URL contains the nicename. Luckily, this is easy to prevent. Put this code in the functions.php file of your child theme (credit: Perishable Press):

/**
* Block enumeration scan
**/
function tfr_check_enum($redirect, $request) {
	// permalink URL format: stop the canonical redirect from turning ?author=N into /author/nicename/
	if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();
	else return $redirect;
}
if (!is_admin()) {
	// default URL format: ?author=N in the raw query string
	if (isset($_SERVER['QUERY_STRING']) && preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();
	add_filter('redirect_canonical', 'tfr_check_enum', 10, 2);
}

Now any request to such a URI will return nothing. A blank page should show in the browser.

Change your user nicename

If you MUST have the dynamic author pages generated by WordPress, you MUST change your user nicename to something other than your WordPress login username. You can do this in one of two ways. The first way is by going into the database and changing it manually. However you access your database, go to the wp_users table and each user will have a user_nicename column. Just change that entry for each user and you’re on your way.

The other option is to add a field to change the nicename from the user admin panel. First we need the function to add the field to the user admin page:

/**
* Add nicename field to user admin page
**/
function tfr_add_nicename_field( $user ) {
	$userdata = get_userdata( $user->ID );
	?>
	<table class="form-table"><tr>
		<th><label for="user_nicename">Nicename</label></th>
		<td><input type="text" name="user_nicename" id="user_nicename" class="regular-text" value="<?php echo esc_attr( $userdata->user_nicename ); ?>" /></td>
	</tr></table>
	<?php
}
add_action( 'show_user_profile', 'tfr_add_nicename_field' );
add_action( 'edit_user_profile', 'tfr_add_nicename_field' );

Then we need a function to handle what the user puts in that field. If it is left blank, we will use the nickname entry instead of the user login entry.

function tfr_update_nicename( $user_id ) {
	if ( ! current_user_can( 'edit_user', $user_id ) ) {
		return false;
	}

	$nicename = !empty( $_POST['user_nicename'] ) ? sanitize_title_with_dashes( $_POST['user_nicename'] ) : sanitize_title_with_dashes( $_POST['nickname'] );

	$userdata = array(
		'ID'             => $user_id,
		'user_nicename'  => $nicename
	);

	wp_update_user( $userdata );
}
add_action( 'personal_options_update', 'tfr_update_nicename' );
add_action( 'edit_user_profile_update', 'tfr_update_nicename' );
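
As an added example (not code from the original post), here is a functions.php snippet that enforces the rule this section describes automatically: whenever a user is created or a profile is saved, it checks whether the nicename still equals the slug WordPress derives from the login and, if so, replaces it. The tfr_enforce_distinct_nicename name and the "author-xxxxxxxx" fallback scheme are this example's own choices; the hooks and helper functions are WordPress core.

```php
/**
 * Added example (not from the original post): enforce that a user's nicename
 * never equals the slug WordPress derives from the login, so /author/<nicename>/
 * URLs stop leaking login names. The tfr_* name and the "author-xxxxxxxx"
 * fallback are this example's own choices; everything else is WordPress core.
 */
function tfr_enforce_distinct_nicename( $user_id ) {
	$user = get_userdata( $user_id );
	if ( ! $user ) {
		return;
	}

	// This is what WordPress stores as user_nicename when none is supplied.
	$login_slug = sanitize_title( $user->user_login );
	if ( $user->user_nicename !== $login_slug ) {
		return; // Already distinct from the login; nothing to do.
	}

	// Prefer a slug built from the nickname or display name, as long as it
	// does not collapse back to the login slug.
	$nicename = '';
	foreach ( array( $user->nickname, $user->display_name ) as $candidate ) {
		$slug = sanitize_title( (string) $candidate );
		if ( '' !== $slug && $slug !== $login_slug ) {
			$nicename = $slug;
			break;
		}
	}
	if ( '' === $nicename ) {
		// Nothing usable: fall back to an unguessable slug such as author-k3d9x2qa.
		$nicename = 'author-' . strtolower( wp_generate_password( 8, false ) );
	}

	// Nicenames must be unique across users; avoid colliding with someone else.
	while ( get_user_by( 'slug', $nicename ) ) {
		$nicename .= '-' . wp_rand( 10, 99 );
	}

	// wp_update_user() fires profile_update again; detach while saving.
	remove_action( 'profile_update', 'tfr_enforce_distinct_nicename' );
	wp_update_user( array( 'ID' => $user_id, 'user_nicename' => $nicename ) );
	add_action( 'profile_update', 'tfr_enforce_distinct_nicename' );
}
// Run on account creation and on every profile save (covers existing users
// the next time their profile is edited).
add_action( 'user_register', 'tfr_enforce_distinct_nicename' );
add_action( 'profile_update', 'tfr_enforce_distinct_nicename' );
```

Existing users are only fixed when their profile is next saved, so after adding this, open and save each existing profile once (or edit the column in wp_users as described above).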

Redirect WordPress Author Links

If you don’t need the dynamic author links, you should redirect those links somewhere else. Somewhere else? Where? That’s also a good question, but I’m going to leave that up to you. It really depends on your needs. You can redirect to an about page, a static authors page, or even the home page. For the purpose of this tutorial, I’m going to redirect to the home page. To accomplish this, add these two functions to your functions.php:

/**
* Filter author links on page
**/
function tfr_filter_author_link( $link ) {
	return get_home_url();
}
add_filter( 'author_link', 'tfr_filter_author_link' );

/**
* Redirect author pages
**/
function tfr_disable_author_pages() {
	if ( is_author() ) {
		wp_safe_redirect( get_home_url(), 301 );
		exit; // stop WordPress from rendering the author template after sending the redirect
	}
}
add_action( 'template_redirect', 'tfr_disable_author_pages' );

And there you have it. Your usernames should be good and hidden from anyone that’s looking for them. Comments, questions, or concerns? Leave them in the comment section below.

Stop WordPress Brute Force Attacks

Brute force attacks are the most common type of attack on WordPress websites. It’s an old-school technique and, by far, the easiest to implement. A brute force attack is when a malicious visitor tries to repeatedly log in to your WordPress website using different passwords each time. It’s easy to find a WordPress brute force script by simply searching Google or GitHub.

The only way to completely stop brute force attacks is to instantly block the IP address of anyone that enters a wrong password. In doing so you will almost certainly lock yourself out of your own site and no one wants to deal with that mess. While I don’t recommend going through the paces necessary to completely stop brute force attacks, it is worthwhile to make it such a chore that it’s not worth the effort.

The easiest way to do this is to install a security plugin. I’m generally not one to immediately tell you to install a plugin, but security is a complicated and ever-changing landscape. Unless you intend to dedicate most of your time to solving security issues, I would say this is the first thing you should do after installing WordPress. A good security plugin will protect you from more than just brute force attacks as well.

While there are more than a few security plugins, I personally recommend Wordfence. There is a premium version of this plugin, but I’ve never found the need to pay for it. I also use BBQ in conjunction with Wordfence, and they work wonderfully together.

How To Set Up Wordfence

I’m not going to get very deep into the Wordfence settings, as that is outside the scope of this article, but I will show you what settings to change to defend against brute force attacks.

    1. In your admin sidebar go to Wordfence > Firewall.

    2. Select All Firewall Options.

    3. Scroll down to Brute Force Protection and change the settings accordingly.

      I like to set the login failures and forgot password attempts to 3 just in case I have a brain fart when trying to log in to the backend of my sites. This has happened before and I’m sure it will happen again. Just be aware that if you lock yourself out, you will be locked out for whatever setting you choose. If you can deal with that, then go ahead and set those lower.

    4. The most common usernames used for a brute force attack when the username is unknown are:
      • admin
      • test
      • your primary domain (e.g. in my case that would be thefancyrobot)

    5. Save your settings and you’re all set. This will lock out anyone trying to brute force your site for however long you’ve set. This makes it quite a pain for anyone to successfully carry out a brute force attack on your WordPress website.

Set Up Redis Object Cache for WordPress

When it comes to WordPress speed optimizations, there are plenty of options. In fact, it can be a bit overwhelming trying to figure out what the best options are. The average WordPress user goes straight for one of the many plugins, such as W3 Total Cache, WP Rocket, or WP Super Cache. I hate to say it, but your best option is to not use any of them. The issue with those plugins, aside from the security issues (boy have I seen some real messes because of those plugins), is that they are all PHP level solutions. The best solution to speed up WordPress is to use technologies that exist outside of the WordPress ecosystem. Enter Redis.

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache and message broker.

So what does that mean? It means that we can store data that WordPress queries from the database in Redis for quick and easy access, and it’s a persistent data store. This speeds up your site, and greatly reduces server load, by storing all of that data so that WordPress doesn’t have to run multiple queries to the database every time a page is loaded. We call this an object cache.

What’s Wrong With the Built-in WordPress Object Cache?

This question could be answered with a whole new article. Thankfully, Zack Tollman has already written it. It’s a little dated and refers to Memcached instead of Redis, but the overall point of the article still applies today. To sum up, there isn’t anything wrong with the built-in object cache, but a persistent cache is more efficient.

Step 1 – Install Redis

This tutorial assumes you have your site set up on an Ubuntu or Debian server.

We’re going to install Redis using apt. This is the easiest method and it ensures you’re using a stable version. Before installing anything you should always make sure apt is up to date by typing:

sudo apt-get update && sudo apt-get upgrade

Now it’s time to install Redis

sudo apt-get install redis-server

Now you need to check the configuration. Unless you know for a fact that your situation is different, you want to make sure that Redis is only available to localhost. This should be the default configuration but check it anyway just to be sure. This is a very important security measure.

sudo nano /etc/redis/redis.conf

Find this line and remove the # if there is one at the beginning of the line. Make sure there are no other bindings in the configuration.

bind 127.0.0.1 ::1

Then add this to the end of the file

maxmemory 50mb
maxmemory-policy allkeys-lru

Please note: you can increase the maxmemory setting according to your needs, but 50mb will be plenty for most WordPress installs.

Save the Redis configuration file and restart Redis

sudo systemctl restart redis

And make sure your configuration is correct

sudo netstat -lnp | grep redis

You should see output similar to this:

tcp    0    0 127.0.0.1:6379    0.0.0.0:*    LISTEN    6888/redis-server 1

If there is more than one line in the output, check your configuration and make sure that 127.0.0.1 is the only binding in the configuration.

Step 2 – Install WP Object Cache plugin

There are a couple Redis object cache plugins, but the Redis Object Cache plugin is the easiest to set up.

Install the plugin using the standard procedure for installing WordPress plugins.

Now go to Settings > Redis and click the “Enable Object Cache” button.

Step 3 – Add salt to wp-config.php (optional)

This setting is really only important if you’ve got more than one resource accessing the same Redis data store (e.g. WordPress multisite install). However, I would recommend setting it anyway, if for no reason other than planning ahead in case you need to add an additional resource on your server in the future.

Open up your wp-config.php file and add this at the end (you can use any string you want for the salt; I personally use random.org to generate a random string):

define( 'WP_CACHE_KEY_SALT', 'cFGUIzDeyA' );

Make sure you flush and restart your cache after setting the key salt.

That’s all folks!

Now you’ve got a Redis object cache for your WordPress website. There are many configuration options for the plugin that are outside the scope of this article. Please visit https://github.com/tillkruss/redis-cache for plugin documentation and support.

Please leave any questions, comments, or concerns in the comment section!

How to Create a Child Theme in WordPress

Let me start you off with a little story. In my first job as a professional web developer, I worked at an agency developing custom WordPress websites. This meant that every time we had a new client, we built them a new theme from scratch. We would have to download Underscores, strip out all of the stuff we didn’t need, and then add all the code to make the theme their own. The problem with this is that a lot of our sites shared the same logic, but we were writing it over and over again. This was an astronomical waste of time, but I didn’t know any better, because this was my first job as a web developer as well as the first time I ever built custom WordPress themes. What’s the solution? WordPress child themes.

What is a WordPress Child Theme?

From the Developer Handbook:

A child theme allows you to change small aspects of your site’s appearance yet still preserve your theme’s look and functionality. To understand how child themes work it is first important to understand the relationship between parent and child themes.

What is a Parent Theme?

A parent theme is a complete theme which includes all of the required WordPress template files and assets for the theme to work. All themes – excluding child themes – are considered parent themes.

What is a Child Theme?

A child theme inherits the look and feel of the parent theme and all of its functions, but can be used to make modifications to any part of the theme. In this way, customizations are kept separate from the parent theme’s files. Using a child theme lets you upgrade the parent theme without affecting the customizations you’ve made to your site.

Child themes:

  • make your modifications portable and replicable
  • keep customization separate from parent theme functions
  • allow parent themes to be updated without destroying your modifications
  • allow you to take advantage of the effort and testing put into parent theme
  • save on development time since you are not recreating the wheel, and
  • are a great way to start learning about theme development

Basically, it allows you to make changes to the theme without actually changing the theme (follow me?). You can customize your theme to your heart’s content, while still allowing changes/updates to the main, or parent, theme without breaking anything.

How Do I Create a Child Theme?

Easy peasy.

  1. In your wp-content/themes/ folder, create a new folder for your child theme. You can name it whatever you’d like.
  2. In that folder, create a file named style.css.
  3. In that file, put the following content:
    /*
     Theme Name:   Child Theme
     Theme URI:    https://thefancyrobot.com
     Description:  Child theme for thefancyrobot.com
     Author:       The Fancy Robot
     Author URI:   https://thefancyrobot.com
     Template:     parent-theme
     Version:      1.0.0
     License:      GNU General Public License v2 or later
     License URI:  http://www.gnu.org/licenses/gpl-2.0.html
     Text Domain:  textdomain
    */
  4. Be sure to change the parameters appropriately:
    • Theme Name: The name of your child theme. You can put anything in here, but don’t name it the same as any other theme you have installed.
    • Theme URI: The web address for your theme. In this case, just put the URI for your website.
    • Description: Description of your theme.
    • Author: THAT’S YOU!
    • Author URI: If you have a website separate from the one you’re currently working on, put that here.
    • Template: The directory of the parent theme.
    • License: The license for the code you’re writing. This isn’t absolutely necessary, but if you’re going to be sharing this code, or you’re developing for a client, I would include a license.
    • License URI: URI for the actual license text.
    • Text Domain: This is for translating your website. This is commonly just the name of your theme (all lowercase, and one word). I recommend adding this even if you don’t plan to implement translations.
  5. Create a functions.php file, and add any additional functionality you need in there.
  6. If you’d like an image to show on the theme selection page in the WordPress admin, just create an image and save it as screenshot.png in the root directory of your child theme.

And now you have a child theme. After you activate the child theme in the WordPress admin, WordPress will load both your parent theme and your child theme. Any template files in your child theme will now override the templates in the parent theme. This opens the door to a ton of custom functionality without worrying about updates to your parent theme breaking things.