Magento WordPress Integration Security

Any web application you install can introduce serious security risks, and WordPress and Magento are no exception. Fortunately, by following a few simple steps it is quite easy to reduce those risks and integrate WordPress into Magento securely.

Upgrades

The first and easiest step is to always keep the WordPress core, plugins and themes upgraded to the latest version. If you suffer a security incident while running out-of-date WordPress software, you have only yourself to blame.

WordPress updates are extremely easy to apply without touching any code (unlike Magento updates), so there is really no excuse. Take a backup first, then update.

You should also keep all FishPig modules as up to date as possible, and whenever you upgrade one FishPig module, upgrade them all at the same time so the versions stay matched. If you need any help with this, get in touch.

Limit Third Party Code

A high number of WordPress hacks are caused by insecure third-party plugin or theme code. You can reduce this risk by installing only the plugins you really need. Too often I see sites with 30+ plugins installed, of which only 4-5 are actually used. Disable all plugins and then re-enable only those you need. If you don't use them, delete them: a deactivated plugin's files are still on disk and can still be requested directly by an attacker, so deactivation alone is not enough. A plugin can't pose a security risk if it's been deleted.

The same goes for WordPress themes. When WordPress is integrated into Magento, the FishPig theme is the one in use, so delete all other themes.

Database Security

For security reasons, it is best to run WordPress in its own database with its own database user. That user should have no access to the Magento database at all, and only the privileges WordPress actually needs on its own database. Set up this way, a SQL injection flaw in WordPress cannot read or modify Magento data through the WordPress database connection.

It is also advisable to use a random, non-standard table prefix instead of the default wp_. This is obscurity rather than a real control (an injection that can run SHOW TABLES will discover the prefix), but it defeats automated attacks that hard-code the wp_ table names, so it is still recommended.
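As an added example that is not part of the original page, the statements below create a separate MySQL/MariaDB database and a least-privilege user for WordPress and then check that the account cannot reach Magento. The database name wordpress_db, the user wordpress_user, the password placeholder and the Magento schema name magento_db are all assumptions; replace them with your own.

```sql
-- Added example (not from the original page). Run as the MySQL root/admin user.
-- Names and the password below are placeholders (assumptions); change them.
CREATE DATABASE wordpress_db CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- Bind the account to localhost so it cannot be used from another host.
CREATE USER 'wordpress_user'@'localhost' IDENTIFIED BY 'CHANGE-ME-to-a-long-random-password';

-- Grant only what WordPress core and plugins need, and only on the WordPress schema.
-- Deliberately absent: GRANT OPTION, global privileges (SUPER, FILE, PROCESS) and
-- anything on the Magento schema.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON wordpress_db.* TO 'wordpress_user'@'localhost';
FLUSH PRIVILEGES;

-- Check 1: the only grant beyond USAGE must be the one on wordpress_db.*
SHOW GRANTS FOR 'wordpress_user'@'localhost';

-- Check 2 (run while connected AS wordpress_user, not as root): this must fail
-- with an access-denied error, assuming the Magento schema is called magento_db.
-- If it returns a row count, the isolation is broken.
SELECT COUNT(*) FROM magento_db.admin_user;
```

Point wp-config.php at wordpress_db and wordpress_user, and keep the Magento database credentials out of the WordPress configuration entirely. If you later add a plugin that needs an extra privilege, grant that one privilege on wordpress_db.* rather than reaching for ALL PRIVILEGES.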

IP Lockdown

For a really secure WordPress installation, consider restricting access by IP address. The following .htaccess file, placed in the WordPress directory, blocks access to all of WordPress except the files and folders the frontend needs and except for requests coming from the listed IP addresses.

# Block WordPress access
<IfModule mod_rewrite.c>
  RewriteEngine On

  # All RewriteCond lines are ANDed: a request is sent to 404.php only if it
  # matches none of the exempted paths AND does not come from an allowed IP.

  # First allow access to certain files to all IPs: the comment form handler,
  # the frontend JavaScript under wp-includes/js and everything under wp-content
  RewriteCond %{REQUEST_URI} !/wp-comments-post.php
  RewriteCond %{REQUEST_URI} !/wp-includes/js
  RewriteCond %{REQUEST_URI} !/wp-content/

  # Allow global access to specific IPs
  # Copy this row and change the IP for multiple IPs
  RewriteCond %{REMOTE_ADDR} !^82\.21\.192\.101$

  # Everything else (wp-login.php, wp-admin/, xmlrpc.php, ...) is rewritten
  # to /404.php in the parent (Magento) directory
  RewriteRule .* /404.php [L]
</IfModule>

The rewrite targets a 404.php file in the parent directory of WordPress (the Magento folder); because it sits outside the WordPress directory, the rules above do not apply to it and blocked requests are served this file instead. It can be as simple as the code below.

<?php
// Minimal 404 page returned to blocked requests. It lives in the Magento
// document root, outside the WordPress directory, so the lockdown rules
// in the WordPress .htaccess never apply to it.
http_response_code(404); // PHP 5.4+; sends the 404 status line for the request's protocol
echo '404';
exit;

Locking down WordPress by IP address takes the login page, the admin area and the XML-RPC endpoint out of reach of everyone except the listed addresses, which removes most of the attack surface. It does not make the installation un-hackable, though: the exempted paths remain public, and in the file above that includes every PHP file under wp-content, so a vulnerable plugin file that can be requested directly is still exposed; a compromised machine on an allowed IP still gets in; and behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address rather than the visitor's, so the allowlist must be built on the real client address (for example with mod_remoteip configured to trust only your proxy). You should therefore still follow all the other steps: keep everything updated and keep the WordPress database separate.
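A tighter variant of the lockdown above, added here as an example rather than taken from the original page. It assumes WordPress lives at /wp/ under the Magento document root, that the frontend needs only static assets from wp-content and wp-includes plus the comment handler (no direct requests to plugin or theme PHP files), and uses the documentation addresses 203.0.113.10 and 198.51.100.0/24 as the allowlist; all of these are assumptions to adjust for your own site.

```apache
# Added example (not from the original page). Place in the WordPress directory.
# Assumptions: WordPress is at /wp/ under the Magento document root; the frontend
# needs only static files from wp-content and wp-includes; the admin addresses are
# 203.0.113.10 and 198.51.100.0/24 (documentation ranges, replace them).
<IfModule mod_rewrite.c>
  RewriteEngine On

  # Never execute PHP from the uploads directory, whatever the client IP.
  # This covers an attacker-uploaded web shell as well as misplaced plugin files.
  RewriteRule ^wp-content/uploads/.*\.php$ - [F,L,NC]

  # Conditions are ANDed: block unless the request is an exempted path
  # or comes from an allowlisted address.

  # The comment form handler stays reachable for everyone.
  RewriteCond %{REQUEST_URI} !^/wp/wp-comments-post\.php$

  # Static assets only: a direct request to plugin/theme PHP under wp-content
  # is no longer exempted, unlike the simpler file above.
  RewriteCond %{REQUEST_URI} !^/wp/wp-(content|includes)/.+\.(css|js|png|jpe?g|gif|svg|webp|ico|woff2?|ttf|eot)$ [NC]

  # Allowlist: one exact address and one /24 written as a regex.
  RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
  RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.\d{1,3}$

  # Everything else (wp-login.php, wp-admin/, xmlrpc.php, wp-json, ...) gets the 404 page.
  RewriteRule .* /404.php [L]
</IfModule>
```

After deploying, check from an address that is not on the allowlist that /wp/wp-login.php and /wp/xmlrpc.php return 404 while a theme stylesheet under /wp/wp-content/ still returns 200, then repeat from an allowlisted address to confirm wp-admin loads. If the site sits behind a proxy or CDN, REMOTE_ADDR must first be corrected with mod_remoteip (trusting only the proxy's addresses); never test X-Forwarded-For directly in the RewriteCond, since any client can set that header.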

FishPig Ltd