The WordPress Security Guide
Blog, Security — By Matthew Tommasi on 9 October 2009 3:15 pm

Security is a very important, but often overlooked aspect of blogging.
There are many tools and plugins that can be integrated into your WordPress blog that can help harden and secure it from hackers and spammers.
This guide on WordPress security will hopefully add an extra layer or two in helping to secure your online asset – your blog.
Brad Williams: WordPress Security – WordCamp Montreal 2009
Latest WordPress Version
WordPress is an open source publishing platform, which means its source code is freely available for anyone to see, use, modify.. or exploit.
Worm and virus authors often take advantage of older WordPress versions, which carry known, unpatched weaknesses and are therefore far more susceptible to this kind of malicious activity.
Every new WordPress release improves on its predecessor both in terms of functionality and security, so it is very important that your blog is running on the latest version of WordPress.
Backing up WordPress
Back up early.. back up often! It is as simple as that.
When did you last back up your blog?
How much would you lose if your web host’s hard drives permanently failed right now, and your blog was gone with it? Or you installed a new plugin or upgraded an existing one, which caused major conflicts resulting in data loss?
You get the picture.. your website is only as safe as its last backup.
I back up a fair bit and have made a habit out of it. It has certainly been a lifesaver on those rare occasions when I have needed to do a restore.
I personally do a full backup of my blog and database after every post I publish.. as well as any progress I make on a draft post I am working on.
I will also do a full site and database backup prior to installing a new plugin.. or even upgrading an existing plugin. That way if there are any conflicts I can always revert.
Backup Folders
I recommend creating a backup folder on your hard drive, and underneath that creating a folder named after the current WordPress version.. and just put your backups in each of these folders. Every time a new WordPress release comes out, just add a new versioned folder and continue doing the same.
They don’t take up that much space and in time you can always do a cleanup and delete some of the older backups you have got.
Here is an example of how my backup folders are set up,

Screenshots
I think it is a good idea as well to take screenshots of any customised settings you have made to your blog such as your Permalink Settings,

I also take screenshots of all my active plugins as well as their version numbers.
This can come in handy if you need to restore your blog: you can easily identify the version of the plugin needed for the restore.. as a newer plugin version may not be compatible,

Taking screenshots of various plugin settings can also be very helpful if you’ve needed to delete a plugin and reinstall it,

Likewise with your backups, just create a plugins screenshots folder and put all your screenshots here.
As I already do regular full backups.. I tend to update my screenshots every month or so.
Exporting your Content
Exporting your WordPress data (posts, pages, comments, custom fields, categories, and tags) is sometimes necessary and useful. If you are moving to a new host or just want a backup of your blog, then exporting your blog is the answer.
In the Tools section click on Export,

If you select All Authors from the drop-down menu this will export all the posts, from all authors on your blog.
If your blog has more than one author, you can restrict the exports to a certain author, by selecting that particular person.
Next click on <Download export file>,

Click on <OK> to save the exported file,

As before, just put this exported file in your backups folder.
WP-Config.php
The wp-config.php file is the key to the WordPress database. It is where you set the database name, username, password and location. So it is a good idea to back this up as well.
Using your FTP client copy this file to your backup folder,

See also the Securing wp-config.php section below.
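The backup routine described in this section, written up as an added example (this is not code from the original post): it archives the whole install together with wp-config.php into a folder named after the running WordPress version, exactly as in the folder layout above, and reads the DB_NAME/DB_HOST defines from wp-config.php so a matching database dump can be filed next to the archive. The sample install it builds (version 2.8.4, a wp-config.php stored one level above the install) is constructed for the demo.

```python
import re
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
DEFINE_RE = re.compile(r"define\(\s*'(DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)'\s*,\s*'([^']*)'\s*\)")

def wp_version(root: Path) -> str:
    """Read the running version from wp-includes/version.php."""
    match = WP_VERSION_RE.search((root / "wp-includes" / "version.php").read_text())
    if not match:
        raise ValueError("no $wp_version line in wp-includes/version.php")
    return match.group(1)

def find_wp_config(root: Path) -> Path:
    """wp-config.php lives in the install root or, if moved, one level above it."""
    for candidate in (root / "wp-config.php", root.parent / "wp-config.php"):
        if candidate.is_file():
            return candidate
    raise FileNotFoundError("wp-config.php not found in the install root or its parent")

def db_settings(config: Path) -> dict:
    """Pull the DB_* defines (name, user, password, host) out of wp-config.php."""
    return dict(DEFINE_RE.findall(config.read_text()))

def backup_site(root: Path, base: Path) -> dict:
    """Archive the install plus wp-config.php into base/<wp version>/<timestamp>-site.tar.gz."""
    version = wp_version(root)
    target = base / version                 # one folder per WordPress version, as described above
    target.mkdir(parents=True, exist_ok=True)
    config = find_wp_config(root)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    archive = target / f"{stamp}-site.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=root.name)
        tar.add(config, arcname="wp-config.php")   # captured even when it sits above the web root
    with tarfile.open(archive) as tar:
        members = tar.getnames()
    # Note which database the archive belongs to (name and host only, never the
    # password) so a restore knows where the matching SQL dump should go.
    db = db_settings(config)
    (target / f"{stamp}-db.txt").write_text(f"db={db.get('DB_NAME')} host={db.get('DB_HOST')}\n")
    return {"version": version, "archive": archive, "members": members, "db": db.get("DB_NAME")}

def make_demo_install() -> tuple:
    """Constructed sample install (not a real site) so the script runs offline."""
    tmp = Path(tempfile.mkdtemp())
    root = tmp / "site" / "public_html"
    (root / "wp-includes").mkdir(parents=True)
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '2.8.4';\n")
    (root.parent / "wp-config.php").write_text(   # stored one level above the install
        "<?php\ndefine('DB_NAME', 'blog');\ndefine('DB_USER', 'bloguser');\n"
        "define('DB_PASSWORD', 'example-only');\ndefine('DB_HOST', 'localhost');\n")
    return root, tmp / "backups"

if __name__ == "__main__":
    root, base = make_demo_install()
    print(backup_site(root, base))
```

Point `root` at a real install and `base` at the backup folder on your hard drive to use it for real; the database dump itself (mysqldump) is left to your host's tools.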
Changing the Default Admin User
When you first set up your blog, WordPress by default names the administrator account “admin”.
A lot of bloggers don’t bother to change this and just choose a strong password. It is a very good idea to change this admin account name to something different.
Hackers who want to gain access to your blog often employ brute-force attacks, using automated tools to guess passwords by cycling through different combinations of letters, numbers and characters.. and if you leave this administrator account as admin, then they are 50% closer to gaining access.
To change this, log in to your WordPress blog as normal.
Under the Users section, click on Add New,

Fill out the details for adding a new user.
Make sure you choose a hard-to-guess username by using letters and numbers, and that it’s not similar to the one you publicly display on your blog. For example, the word “wordpress” could be turned into “wOrdpr3ss”.
Strong Password
I recommend choosing a really hard and long password as well.
If you are thinking ‘not another password to remember’, then you should check out my post LastPass Guide to Online Password Management, which shows you how to manage all your online passwords and usernames by remembering only one master password. You can generate very strong random passwords with LastPass.
Also, make sure you select Administrator from the Role drop-down menu.. and when you are done click on <Add User>,

This new user has just been created.
Just double-check that the Nickname isn’t the same as the secret username you have just created. If it is, change it,

Now logout of WordPress.
Log back in using your new username and password.
Under Users, click on Authors & Users,

You will see both users – admin and your newly created user.
Delete the admin user by clicking on Delete,

You now want to transfer all the posts that were authored using the admin account to your new account.
Select Attribute all posts and links to your new username.. then click <Confirm Deletion>,
Done!
Your new username is set up and the old default admin account has been deleted. All posts and links have been transferred across to your new username.
Securing wp-config.php
According to the official Hardening WordPress Codex, you can move the wp-config.php file to the directory above your WordPress install.
This means that for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.
Note that wp-config.php can only be stored ONE directory level above the WordPress installation (the directory where wp-includes resides).
Preventing Directory Listing
In many cases, the default WordPress installation allows hackers to use their web browser as a file browser to look through the contents of the folders on your server.
Often plugin and theme developers make mistakes in their code that allow unexpected access. This means that hackers can browse through your directories to potentially look for vulnerable files and attack your site.
There are a couple of ways you can prevent directory listing.
Hiding Your Plugins
Type your blog’s URL into the address bar, followed by /wp-content/plugins/,
If a list of your plugins is displayed.. then you need to fix this asap,

If your plugins are visible by the people snooping around, then they could potentially exploit a known weakness in one of the plugins.
To prevent this, create either a blank index.html file or a blank index.php file, and upload it to the /wp-content/plugins/ directory.
Refresh the page and if you see either a blank page or a 404 (file not found) page then you are a lot safer than you were before.
Hiding Your Theme’s Files
Now type your blog’s URL into the address bar, followed by /wp-content/themes/,
Just like above, if your themes are visible, then you need to hide them by creating either a blank index.html file or a blank index.php file, and upload it to the /wp-content/themes/ directory.
Refresh the page and if you see either a blank page or a 404 (file not found) page then you can be assured that these folders are hidden from public view.
Editing Your .htaccess File to Prevent Directory Listing
The method I’ve just described, uploading a blank file into a directory, doesn’t prevent directory listings of the sub-folders beneath it.. not to mention all the other folders on your server.
It is just too cumbersome uploading a blank index.php file into every folder on your server.
The recommended way to prevent directory listing of all folders is to edit your .htaccess file (in your WordPress root directory “/”), and insert the following at the bottom of the file,
# Prevents directory listing
Options -Indexes
To do this, log in to your webserver.. if you are using cPanel or an FTP client, make sure that you have Force showing hidden files enabled (so you can actually see the .htaccess file),

Now navigate to WordPress’ root directory, find the .htaccess file and edit it,

Add the two lines of code at the bottom of the file.. when you are done click on <Save> to save the changes,
Done!
This method now prevents directory listing of all your blog’s directories.
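An added audit script (not code from the original post) that checks both methods from the two sections above against a local copy of the install: which folders under wp-content still lack a blank index.php/index.html, and whether the .htaccess in the WordPress root already carries Options -Indexes, which makes the per-folder files unnecessary. The sample directory tree it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

INDEX_FILES = ("index.php", "index.html")
# An Options line that switches Indexes off: "Options -Indexes", "Options All -Indexes", etc.
NO_INDEXES_RE = re.compile(r"^\s*Options\b.*\s-Indexes\b", re.IGNORECASE | re.MULTILINE)

def htaccess_blocks_listing(root: Path) -> bool:
    """True if the .htaccess in the WordPress root carries the Options -Indexes directive."""
    htaccess = root / ".htaccess"
    return htaccess.is_file() and bool(NO_INDEXES_RE.search(htaccess.read_text()))

def dirs_without_index(root: Path) -> list:
    """Directories under wp-content with no blank index.php/index.html (the per-folder method)."""
    missing = []
    for d in sorted(p for p in (root / "wp-content").rglob("*") if p.is_dir()):
        if not any((d / name).is_file() for name in INDEX_FILES):
            missing.append(d.relative_to(root).as_posix())
    return missing

def audit(root: Path) -> dict:
    """The .htaccess rule covers every folder; blank index files only cover their own."""
    blocked = htaccess_blocks_listing(root)
    missing = dirs_without_index(root)
    return {"htaccess_blocks_listing": blocked, "dirs_without_index": missing,
            "exposed": [] if blocked else missing}

def add_no_indexes(root: Path) -> None:
    """Append the two lines quoted above to the bottom of .htaccess, as the post recommends."""
    with open(root / ".htaccess", "a") as fh:
        fh.write("\n# Prevents directory listing\nOptions -Indexes\n")

def make_demo_root() -> Path:
    """Constructed sample install (not a real site): only wp-content/plugins has an index file."""
    root = Path(tempfile.mkdtemp())
    for rel in ("wp-content/plugins/akismet", "wp-content/themes/default", "wp-content/uploads"):
        (root / rel).mkdir(parents=True)
    (root / "wp-content" / "plugins" / "index.php").write_text("")
    (root / ".htaccess").write_text("RewriteEngine On\n")   # no Options -Indexes yet
    return root

if __name__ == "__main__":
    root = make_demo_root()
    print(audit(root))      # themes, uploads and the sub-folders are still exposed
    add_no_indexes(root)
    print(audit(root))      # nothing exposed once the .htaccess rule is in place
```

The .htaccess check only tells you the directive is present; whether the host honours it (AllowOverride must permit Options) is confirmed by refreshing /wp-content/plugins/ in the browser as described above.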
Changing WordPress Database Prefix
By default all the tables in your WordPress database have a prefix of “wp_”.
It is advisable to change this as it will bring your blog’s security to a higher level. This prefix can be changed to any combination of letters, numbers and underscores.
David Potter has done a nice guide on Changing the WordPress Table Prefix.
WordPress Security Plugins

There are plenty of WordPress security plugins available, so please check that the plugin’s version is compatible with your WordPress version before installing!
Here is a list of some good plugins that help to harden your blog.
WP Security Scan

WP Security Scan is probably the most downloaded security plugin for WordPress.
It scans your WordPress installation for file and directory permission vulnerabilities and suggests corrective actions,

WP Security Scan also scans for general security vulnerabilities and lets you know of areas that can be further secured,

WP Security Scan also has a password tool and allows you to change the database table prefix automatically.
WP-CopyProtect

Plagiarism and content theft are a serious problem for bloggers.
Often people will copy and paste content from your blog and re-publish it themselves without your permission and without referencing your work.
WP-CopyProtect is a simple plugin that allows you to,
- Disable right-click on your blog
- Disable text selection

It certainly isn’t an all-encompassing solution. If someone really wants your content they could always get it from your source code or RSS feed, but it does the trick in deterring the average person trying to rip off your posts.
I currently have text selection disabled on my blog and am quite happy with this plugin.
Secure WordPress
Secure WordPress helps to secure your WordPress installation and includes the following,
1. Removes error information on the login page
2. Adds a (virtual) index.html to the plugin directory
3. Removes the WordPress version, except in the admin area
4. Removes Really Simple Discovery
5. Removes Windows Live Writer
6. Removes core update information for non-admins
7. Removes plugin update information for non-admins
8. Removes theme update information for non-admins (only WP 2.8 and higher)
9. Adds the string used by WP Scanner

WP Scanner
WordPress Scanner is a free online resource that blog administrators can use to get a measure of their WordPress security level; it comes bundled with the Secure WordPress plugin (see above).
To run wp-scanner add <!-- wpscanner --> to your current WordPress template.. I added mine in the header.php file, before the closing body tag,

Once this code has been added, head to WPSCAN and scan your blog,

When the scan is finished you will be given a summary of the state of your blog and any security risks associated,

When you have finished don’t forget to go back and REMOVE <!-- wpscanner -->, otherwise others will also be able to scan your blog!
Login Lockdown
Login Lockdown records the IP address and timestamp of every failed WordPress login attempt.
If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
Lockdown times can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
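The lockout logic just described, as an added example (not the plugin's own code): failed attempts are recorded per IP range with a timestamp, more than max_failures failures from one range inside the window lock that whole range out for the lockout period, and an administrator can release a range manually. Treating a "range" as an IPv4 /24 is an assumption for the demo, and the log lines it replays are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_network

class LoginLockdown:
    """Per-range lockout: more than max_failures failed logins inside window locks the range."""
    def __init__(self, max_failures=3, window=timedelta(minutes=5),
                 lockout=timedelta(hours=1), prefix=24):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.prefix = prefix                  # /24 stands in for the plugin's "IP range" (assumption)
        self.failures = defaultdict(deque)    # range -> timestamps of recent failed attempts
        self.locked_until = {}                # range -> time the lockout expires

    def range_of(self, ip: str):
        return ip_network(f"{ip}/{self.prefix}", strict=False)

    def is_locked(self, ip: str, now: datetime) -> bool:
        return now < self.locked_until.get(self.range_of(ip), datetime.min)

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Log a failed attempt; True if it pushed the range over the limit and locked it."""
        rng = self.range_of(ip)
        attempts = self.failures[rng]
        attempts.append(now)
        while now - attempts[0] > self.window:   # drop attempts that fell out of the window
            attempts.popleft()
        if len(attempts) <= self.max_failures:
            return False
        self.locked_until[rng] = now + self.lockout
        attempts.clear()
        return True

    def release(self, ip: str) -> None:        # the manual release from the Options panel
        self.locked_until.pop(self.range_of(ip), None)

SAMPLE_LOG = """\
2009-10-09 15:00:01 FAILED 203.0.113.7 admin
2009-10-09 15:00:05 FAILED 203.0.113.8 admin
2009-10-09 15:00:09 FAILED 203.0.113.7 admin
2009-10-09 15:00:12 FAILED 203.0.113.9 admin
2009-10-09 15:00:20 OK 198.51.100.4 editor
2009-10-09 15:00:30 FAILED 203.0.113.11 admin
2009-10-09 16:30:00 FAILED 203.0.113.7 admin
"""

def replay(lines, lockdown: LoginLockdown) -> list:
    """Feed constructed log lines ('<date> <time> FAILED|OK <ip> <user>') through the lockdown."""
    outcomes = []
    for line in lines:
        date, time, result, ip, _user = line.split()
        now = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        if lockdown.is_locked(ip, now):
            outcomes.append("blocked")            # login disabled for the whole range
        elif result == "FAILED":
            outcomes.append("locked" if lockdown.record_failure(ip, now) else "failed")
        else:
            outcomes.append("ok")
    return outcomes
```

Replaying SAMPLE_LOG shows the fourth failure from 203.0.113.0/24 triggering the lock, a later attempt from a different address in the same range being blocked, and the range opening again once the lockout has expired.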

WP-DBManager

WP-DBManager is a plugin that manages your WordPress database.
It allows you to optimize, repair, back up and restore the database, delete database backups, drop/empty tables and run selected queries.
It also allows you to schedule your backups and have them emailed to you,

I have configured mine so I get a scheduled email backup every day,

This is quite a handy plugin as you can set it and forget it. That way you can be sure you always have an up-to-date backup of your blog’s database.
WordPress Security Resources
Security Related Codex Articles

- Changing File Permissions – WordPress Codex
- Editing wp-config.php – WordPress Codex
- Hardening WordPress – WordPress Codex
- How to Keep WordPress Secure – WordPress Blog
- htaccess for Subdirectories – WordPress Codex
50 Other WordPress Security Resources
- 5 WordPress Security Essentials – LGR
- 8 Security Tips and Guidelines for your WordPress Blog – Online Tech Tips
- 9 Best WordPress Security Plugins – Quick Online Tips
- 9 SEO Security Tips for WordPress – Antezeta
- 10 Steps To Protect The Admin Area In WordPress – Smashing Magazine
- 10 WordPress Security Tips – Lost in Search
- 12 Essential Security Tips and Hacks for WordPress – SixRevisions
- 14 tips to wordpress practical security [How-to] – Ruhani Rabin
- 15 Plugins to Boost up your WordPress Security and a Special Tip! – Smart Bloggerz
- 16 Excellent WordPress Security Plugins To Secure Your Blog – TutZone
- 18 WordPress Security Plugins & Tips To Secure Your Blog – MakeUseOf
- 20 WordPress Security Plug-ins And Tips To keep Hackers Away – Simple Thoughts
- 20+ Powerful WordPress Security Plugins and Some Tips and Tricks – SpeckBoy
- Advanced WordPress Security Tips – Website In a Weekend
- Basic WordPress Security Tips – Lyle Ham
- Best practices against hacking – Google Webmaster Central Blog
- Current Events: Lazy Admins and WordPress Security – Monday by Noon
- Did your WordPress site get hacked? – Ocaoimh
- Essential WordPress Security Tips – Is Your Blog Protected? – Tips and Tricks HQ
- Establishing A Sense Of Security On Your Blog – Steven Saunders
- How to secure WordPress – Siteground
- Increasing your WordPress Security – PixelApes
- Interview with Deutsche Welle on WordPress Security – Mark on WordPress
- Protect Your Blog With a Solid Password – The Blog Herald
- Protecting the WordPress wp-admin folder – Reuben Yau
- Regarding WordPress and Security – Daring Fireball
- Top 5 WordPress Security Tips You Most Likely Don’t Follow – WPTavern
- Top 10 ways to stop spam in WordPress – Cats who Code
- Top 21 WordPress Security Plugins for Hacker-Proof Blog – Binary Head
- Top Ten WordPress Security Tips – Moonlight Blog
- Triple “P” Of Total WordPress Security – HowToSpoter
- WordPress Security – Nercomp (PDF download)
- WordPress Security – WPSecurity
- WordPress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! - Programmer Fish
- WordPress Security and How I’m Going to Take All Your Money – Technosailor
- WordPress security: Hide login error messages – Blog Building
- WordPress security plugins - Insane Security
- WordPress Security Presentation – Brad Williams
- WordPress Security Prevention, Reactions, and Scares - Lorelle on WordPress
- WordPress Security Tip: Remove the Admin User - Daily Blogs Tips
- WordPress Security Tips – Devshed
- WordPress Security Tips – Sakin Blog
- WordPress Security Tips – Too Many Secrets
- WordPress Security Tips and Hacks – Noupe
- WordPress Security Tips for non-geeks – YouAre
- WordPress Security Tips — For the untrained – TechLinkblog
- WordPress Security Tips How to Keep WordPress Secure – Deals n Discounts
- WordPress Security Tips How to Secure a WordPress Installation – Suite 101
- WordPress Security Whitepaper – Blogsecurity (PDF download)
- WordPress SEO: WordPress Security Why it Matters to SEO – Wolf Howl
What other WordPress security tips do you have and would like to share?
Finally..
If you liked this post please register to receive The Social Media Guide’s free newsletter that’s packed with tips, guides and more!
Most of these posts are available to download for free as PDFs for registered members.
Please help spread the word by becoming a fan of The Social Media Guide on Facebook,
And following me on Twitter,
7 Comments
Check out my step-by-step guide for hardening WordPress 2.9.2
http://eyalestrin.blogspot.com/2010/05/hardening-guide-for-wordpress-292.html
Hi, the padlock image you have used for this article requires a credit to the photographer.
Please respect the creative commons license and support the contributors with a credit and a link.
Hi Alex
Yes I totally agree with you about the right-click functionality.. I don't
like to have that disabled as it can be a major inconvenience. I have
visited sites where right-click has been disabled and have found the user
experience to be pretty bad.
I have opted however to disable text select (via left-click).. just a
personal preference. I noticed after my massive list of Twitter tools, this
was getting ripped-off a fair bit. So this for me, is a good solution.
Thanks for commenting and I have updated the text to display your site –
PixelApes.
Cheers
Matt
————————————————–
Great round-up, really very comprehensive. You know, it never occurred to me to create a new administrator and delete the admin account! I just went for the DB changing of the username.
I like the wp-scanner stuff that's nice – I had never even looked at readme.html to realise that it included the wp-version!
The only thing I wouldn't be hot for on this list is the Copy Protect plugin – anything that encourages people to disable right-click functionality is bad, and can easily be circumvented. If someone really wants to get access to your website content they can. If copyright is a major concern I'd be more inclined to utilise one of the services that scans other sites for theft of your content and then allows you to request a take-down. Removing right-click functionality will only punish the normal visitors who might want to highlight text and right click “search in google” or any other number of options.
Thanks for the link through to my article on Pixelapes as well
(ps. Perhaps you could change the text after the link to Pixelapes not PixelPipes!)
Awesome! I like your style of writing. Maybe if you like, you might wanna write some guest posts at my site under social media section.. keep up the good work..
Hi Ruhani
Thanks for the comment!
Keep up the great tweets as well (I'm following you on Twitter).
Cheers
Matt
@socialguide
————————————————–
Great details, I like the way you put these in, really helpful and thanks for hooking up my article. I also liked the way you've kept your backup folders. Usually I do by date.
Trackbacks