
The WordPress Security Guide


Security is a very important, but often overlooked aspect of blogging.

There are many tools and plugins that can be integrated into your WordPress blog that can help harden and secure it from hackers and spammers.

This guide on WordPress security will hopefully add an extra layer or two in helping to secure your online asset – your blog.

Brad Williams: WordPress Security – Word Camp Montreal 2009

Latest WordPress Version

WordPress is an open source publishing platform, which means its source code is freely available for anyone to see, use, modify.. or pick apart for weaknesses.

Attackers rarely need fresh research. Automated tools scan for blogs running older versions, because those carry publicly documented vulnerabilities that newer releases have already fixed, and an exploit for a known flaw can be reused against every site that has not updated.

Each WordPress release fixes the security problems disclosed since its predecessor, so a blog on an old version is exposed to everything that has been published in the meantime. It is very important that your blog runs the latest version of WordPress, and the same goes for your plugins and themes. The version you are running is shown at the bottom of the Dashboard.

Backing up WordPress

Backup early.. backup often! It is as simple as that.

When did you last backup your blog?

How much would you lose if your web host’s hard drives permanently failed right now, and your blog was gone with it? Or you installed a new plugin or upgraded an existing one, which caused major conflicts resulting in data loss?

You get the picture.. your website is only as safe as its last backup.

I backup a fair bit and have made a habit out of it. It has certainly been a lifesaver on those rare occasions when I have needed to do a restore.

I personally do a full backup of my blog and database after every post I publish.. as well as any progress I make on a draft post I am working on.

I will also do a full site and database backup prior to installing a new plugin.. or even upgrading an existing plugin. That way if there are any conflicts I can always revert.

Backup Folders

I recommend creating a backup folder on your hard drive and, underneath that, a folder named after the current WordPress version.. and putting your backups in there. Every time a new WordPress release comes out, add a new versioned folder and carry on the same way. Keep at least one copy somewhere other than the web host itself; a backup that lives only on the server that just failed is no backup.

They don’t take up that much space and in time you can always do a cleanup and delete some of the older backups you have got.

Here is an example of how my backup folders are set up:

[Screenshot: backup folders]

Screenshots

I think it is a good idea as well to take screenshots of any customized settings you have made to your blog, such as your Permalink Settings:

[Screenshot: permalink settings]

I also take screenshots of all my active plugins along with their version numbers.

This comes in handy if you need to restore your blog: you can identify exactly which plugin version the restore needs, since a newer plugin version may not be compatible with the restored site.

[Screenshot: plugins]

Taking screenshots of the various plugin settings is also very helpful if you have had to delete a plugin and reinstall it:

[Screenshot: plugin settings]

Likewise with your backups, just create a plugins screenshots folder and put all your screenshots here.

As I already do regular full backups.. I tend to update my screenshots every month or so.

Exporting your Content

Exporting your WordPress data (posts, pages, comments, custom fields, categories and tags) is sometimes necessary and useful. If you are moving to a new host, or just want a content-level backup of your blog, then exporting is the answer.

In the Tools section click on Export:

[Screenshot: export]

If you select All Authors from the drop-down menu this will export all the posts from all authors on your blog.

If your blog has more than one author, you can restrict the export to a certain author by selecting that particular person.

Next click on <Download export file>:

[Screenshot: download export file]

Click on <OK> to save the exported file:

[Screenshot: exported file]

As before, just put this exported file in your backups folder.

Note that the export file holds content only. It does not contain user accounts and passwords, plugin or theme settings, the themes and plugins themselves, or your uploaded media files, so it complements a full file and database backup rather than replacing one.

WP-Config.php

The wp-config.php file is the key to the WordPress database. It is where the database name, username, password and host are set, and it also holds the secret keys WordPress uses to sign login cookies. So it is a good idea to back this up as well.. and, because of what it contains, to keep the copy somewhere private rather than in a folder the web server can serve.

Using your FTP client, copy this file to your backup folder:

[Screenshot: wp-config]

See also the Securing wp-config.php section below.
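As an added example for the full backup routine described earlier and the wp-config.php copy just described (my script, not the author's and not a WordPress tool), the POSIX shell below does the file-plus-database backup in one go: it reads the running version from wp-includes/version.php so the archive lands in the versioned folder described under Backup Folders, picks up wp-config.php whether it sits inside the install or one level above it, and feeds the database credentials from wp-config.php to mysqldump through a temporary, owner-only defaults file rather than the command line. make_demo_site builds a constructed stand-in for a WordPress directory so the parsing helpers can be exercised offline; the paths, version string and credentials in it are made up.

```shell
#!/bin/sh
# Full WordPress backup (files + database) filed under <backup root>/<WP version>/.
# Added example: assumes a standard install layout and tar, gzip and mysqldump
# on PATH. It is not WordPress' own tooling.

# Print the version from wp-includes/version.php, whose line reads $wp_version = '2.8.4';
wp_version() {
  grep '^\$wp_version *= *' "$1/wp-includes/version.php" | cut -d "'" -f2
}

# WordPress loads wp-config.php from its own directory, or failing that from
# exactly one level above; mirror that lookup so the backup always includes it.
wp_config_path() {  # $1 = WordPress root
  if [ -f "$1/wp-config.php" ]; then
    printf '%s\n' "$1/wp-config.php"
  elif [ -f "$1/../wp-config.php" ]; then
    printf '%s\n' "$(dirname "$1")/wp-config.php"
  else
    echo "wp-config.php not found for $1" >&2
    return 1
  fi
}

# Read one define('NAME', 'value') out of wp-config.php. Deliberately simple:
# a value containing a single quote is not handled.
wp_config_value() {  # $1 = path to wp-config.php, $2 = constant name
  grep "define([[:space:]]*'$2'" "$1" | head -n 1 | cut -d "'" -f4
}

backup_dir() {  # $1 = WordPress root, $2 = backup root
  printf '%s/%s\n' "$2" "$(wp_version "$1")"
}

backup_site() {  # $1 = WordPress root, $2 = backup root
  root=$1
  cfg=$(wp_config_path "$root") || return 1
  dest=$(backup_dir "$root" "$2")
  mkdir -p "$dest" || return 1
  stamp=$(date +%Y%m%d-%H%M%S)

  # 1. Files. When wp-config.php lives above the install, add it to the archive too.
  if [ "$cfg" = "$root/wp-config.php" ]; then
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")" || return 1
  else
    tar -czf "$dest/files-$stamp.tar.gz" -C "$(dirname "$root")" "$(basename "$root")" wp-config.php || return 1
  fi

  # 2. Database. Credentials go through a 0600 defaults file, not the command
  #    line, so they never appear in ps output or shell history.
  creds=$(mktemp) || return 1
  chmod 600 "$creds"
  printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
    "$(wp_config_value "$cfg" DB_HOST)" \
    "$(wp_config_value "$cfg" DB_USER)" \
    "$(wp_config_value "$cfg" DB_PASSWORD)" > "$creds"
  # Dump to a plain file first and compress only on success, so a failed dump
  # cannot leave behind a truncated .sql.gz that looks like a good backup.
  if mysqldump --defaults-extra-file="$creds" --single-transaction \
       "$(wp_config_value "$cfg" DB_NAME)" > "$dest/db-$stamp.sql"; then
    gzip "$dest/db-$stamp.sql"
    status=0
  else
    rm -f "$dest/db-$stamp.sql"
    status=1
  fi
  rm -f "$creds"

  # The dump holds every password hash and the archive holds wp-config.php:
  # keep both readable by the owner only.
  chmod 600 "$dest"/*"$stamp"*
  [ "$status" -eq 0 ] && echo "backup written to $dest"
  return "$status"
}

# Constructed stand-in for a WordPress directory so the parsers can be tried
# offline. Not a real site; version, database name and password are made up.
make_demo_site() {  # $1 = scratch directory
  mkdir -p "$1/blog/wp-includes"
  printf "<?php\n\$wp_version = '2.8.4';\n" > "$1/blog/wp-includes/version.php"
  printf "<?php\ndefine('DB_NAME', 'wp_blog');\ndefine('DB_USER', 'bloguser');\n" > "$1/wp-config.php"
  printf "define('DB_PASSWORD', 'correct horse battery');\ndefine('DB_HOST', 'localhost');\n" >> "$1/wp-config.php"
}
```

Run it as `backup_site /var/www/blog /home/me/backups` (paths assumed) from a cron job or before every plugin change. A DB_HOST of the form host:port or a socket path is not split apart here, and a DB_PASSWORD containing a single quote defeats the deliberately simple cut-based parser; both are worth knowing before you trust the script on a real host.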

Changing the Default Admin User

When you first set up your blog, WordPress by default names the administrator account "admin".

A lot of bloggers don't bother to change this and just choose a strong password. It is a very good idea to rename this account to something different.

Hackers who want to gain access to your blog often employ brute-force attacks, using automated tools that cycle through combinations of letters, numbers and characters to guess passwords. A login is a username plus a password; if you leave the administrator account as admin, the attacker already knows half of that pair and every guess can be spent on the password alone.

One caveat: a renamed account is harder to guess, not secret. WordPress publishes author archives, and with pretty permalinks a request for /?author=1 redirects to /author/<name>/, where the name is derived from the login. So treat the rename as removing the obvious default, and rely on the strong password and the login lockout described later for the real protection.

To change it, log in to your WordPress blog as normal.

Under the Users section, click on Add New:

[Screenshot: add new]

Fill out the details for adding a new user.

Make sure you choose a hard-to-guess username that mixes letters and numbers, and that it is not similar to the name you publicly display on your blog. For example, the word "WordPress" could be turned into "wOrdpr3ss".

Strong Password

I recommend choosing a really hard and long password as well.

If you are thinking ‘not another password to remember‘, then you should checkout my post LastPass Guide to Online Password Management which shows you how to manage all your online passwords and usernames by remembering only one master password. You can generate very strong random passwords with LastPass.

Also, make sure you select Administrator from the Role drop-down menu.. and when you are done click on <Add User>:

[Screenshot: add new user]

This new user has just been created.

Just double-check that the Nickname (and the "Display name publicly as" setting) isn't the same as the username you have just created, since whatever is displayed on your posts is what visitors and attackers see. If it is, change it:

[Screenshot: nickname]

Now logout of WordPress.

Log back in using your new username and password.

Under Users, click on Authors & Users:

[Screenshot: authors and users]

You will see both users: admin and your newly created user.

Delete the admin user by clicking on Delete:

[Screenshot: delete admin]

You now want to transfer all the posts that were authored using the admin account to your new account.

Select Attribute all posts and links to your new username.. then click <Confirm Deletion>,

Done!

Your new username is setup and the old default admin account has been deleted. And all posts and links have been transferred across to your new username.
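The author-archive leak mentioned above, as an added example (mine, not from the original post; blog.example is a placeholder): with pretty permalinks on, WordPress answers /?author=N with a redirect to that author's archive, and the slug in that URL defaults to the login name. author_slug_from_headers extracts the slug from the response headers and enumerate_authors walks the first few IDs with curl. SAMPLE_HEADERS is a constructed response, not a capture from a real site. If the slug for your new account comes back equal to the login name, you know the rename hides nothing from anyone who looks, and the password and lockout carry the weight.

```shell
#!/bin/sh
# Author-archive enumeration check. Added example; blog.example is a placeholder.
# WordPress redirects /?author=N to /author/<user_nicename>/ (with pretty
# permalinks on), and the nicename defaults to the login name.

# Extract the author slug from raw response headers; prints nothing if there is
# no Location header pointing at an author archive.
author_slug_from_headers() {  # $1 = header block as one string
  printf '%s\n' "$1" | tr -d '\r' \
    | sed -n 's|^[Ll]ocation:.*/author/\([^/?]*\).*|\1|p' | head -n 1
}

# Probe IDs 1..$2 on site $1 and print "id slug" for every ID that resolves.
# -D - dumps the headers to stdout; no -L, because the 301 itself is the answer.
enumerate_authors() {  # $1 = site URL, $2 = highest ID to try (default 5)
  site=$1; max=${2:-5}; i=1
  while [ "$i" -le "$max" ]; do
    headers=$(curl -s -o /dev/null -D - "$site/?author=$i") || return 1
    slug=$(author_slug_from_headers "$headers")
    [ -n "$slug" ] && echo "$i $slug"
    i=$((i + 1))
  done
}

# Constructed response for the offline demonstration, not captured from a real site.
SAMPLE_HEADERS='HTTP/1.1 301 Moved Permanently
Location: http://blog.example/author/wordpr3ss/
Content-Type: text/html; charset=UTF-8'
```

Against a live site, `enumerate_authors http://blog.example 10` lists whatever IDs 1 to 10 resolve to. Because deleting admin leaves a gap at ID 1, an empty result for ID 1 followed by a hit at a higher ID is exactly what an attacker uses to tell a renamed install from an untouched one.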

Securing wp-config.php

According to the official WordPress documentation, you can move the wp-config.php file to the directory above your WordPress install.

WordPress looks for wp-config.php first in its own directory and, if it is not there, exactly one level up (the parent of the directory that holds wp-includes). Two or more levels up does not work.

This means that for a site installed in the root of your web space, you can store wp-config.php outside the web root, where no URL can reach it even if PHP is ever misconfigured and serves raw source. If WordPress lives in a subdirectory such as /blog/, the parent is still inside the web root and moving the file gains nothing.

Wherever it lives, also make sure the file is not world-readable, so that other accounts on a shared host cannot read your database credentials.

Note that wp-config.php can be stored ONE directory level above the WordPress installation (the directory where wp-includes resides), and no higher.

Preventing Directory Listing

Unless the web server is told otherwise, a request for a folder that has no index file (index.php or index.html) makes Apache generate a listing of the folder's contents. On many hosts this is the default, so a visitor can use a browser as a file browser and wander through the folders of your WordPress install.

A listing gives away nothing that isn't already on the disk, but it tells an attacker exactly which plugins and themes you run, and often which versions. That is a ready-made shopping list: plugin and theme code has bugs, and anyone with the list can look up a known vulnerability in one of them and go straight for it.

There are a couple of ways you can prevent directory listing.

Hiding Your Plugins

Type your blog's URL into the address bar, followed by /wp-content/plugins/:

[Screenshot: display plugins]

If a list of your plugins is displayed.. then you need to fix this asap:

[Screenshot: plugins displayed]

If your plugins are visible to people snooping around, they could look for a known weakness in one of them and exploit it.

To prevent this, create either a blank index.html file or a blank index.php file and upload it to the /wp-content/plugins/ directory.

Refresh the page. If you now see either a blank page or a 404 (file not found) page, the listing is gone. Bear in mind that this hides the list, not the plugins: a plugin is still reachable by its known path under /wp-content/plugins/, so keeping plugins updated is still what counts.

Hiding Your Theme’s Files

Now type your blog's URL into the address bar, followed by /wp-content/themes/:

[Screenshot: display themes]

Just like above, if your themes are visible, hide them by creating either a blank index.html file or a blank index.php file and uploading it to the /wp-content/themes/ directory.

Refresh the page. If you see either a blank page or a 404 (file not found) page, the listing for that folder is turned off.

Editing Your .htaccess File to Prevent Directory Listing

Uploading a blank file into a directory only covers that one directory. It does nothing for the sub-folders beneath it, not to mention every other folder on the site.

It is just too cumbersome to upload a blank index.php file into every folder on your server.

The recommended way to prevent directory listing for all folders is to edit the .htaccess file in your WordPress root directory ("/") and insert the following at the bottom of the file:

# Prevents directory listing

Options -Indexes

This works on Apache, and only where the host allows .htaccess files to set Options (AllowOverride Options or All); if it is not allowed you get a 500 error rather than a listing. If your host runs nginx there is no .htaccess; the equivalent is autoindex off; in the server block, which is also nginx's default.

To do this, log in to your web server.. if you are using cPanel or an FTP client, make sure that you have Force showing hidden files enabled (so you can actually see the .htaccess file):

[Screenshot: show hidden files]

Now navigate to WordPress' root directory, find the .htaccess file and edit it:

[Screenshot: edit htaccess]

Add the two lines of code at the bottom of the file.. when you are done click on <Save> to save the changes:

[Screenshot: prevent directory listing]

Done!

This now prevents directory listing for your blog's root directory and every directory beneath it. Be aware that WordPress rewrites the part of .htaccess between its # BEGIN WordPress and # END WordPress markers whenever you save permalink settings, so keep your line outside those markers, as the bottom of the file is.
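Two helpers for this section, added here as an example rather than taken from the original post. ensure_no_indexes appends the two lines above to an .htaccess file only if no Options line already removes Indexes, so it can be run repeatedly (for instance from a deployment script) without piling up duplicates. is_directory_listing recognises the auto-generated index page that Apache's mod_autoindex and nginx's autoindex both produce, which is the reliable thing to test for, and check_url_for_listing applies it to a live URL with curl. The sample bodies are constructed for the offline demonstration and blog.example is a placeholder.

```shell
#!/bin/sh
# Directory-listing helpers. Added example, not from the original post.

# Append "Options -Indexes" to an .htaccess file unless some Options line already
# removes Indexes. Apache directives are case-insensitive, hence grep -i.
ensure_no_indexes() {  # $1 = path to .htaccess
  touch "$1" || return 1
  if ! grep -qiE '^[[:space:]]*Options[[:space:]]+.*-Indexes' "$1"; then
    printf '\n# Prevents directory listing\nOptions -Indexes\n' >> "$1"
  fi
}

# True when a response body is an auto-generated directory index. Both Apache
# mod_autoindex and nginx autoindex title the page "Index of /<path>".
is_directory_listing() {  # $1 = response body
  printf '%s\n' "$1" | grep -qiE '<title>Index of /'
}

# Fetch $1 and report. Needs network, so it is kept apart from the pure check.
# Returns 1 when a listing is exposed, 2 when the fetch itself failed.
check_url_for_listing() {  # $1 = URL such as http://blog.example/wp-content/plugins/
  body=$(curl -s "$1") || return 2
  if is_directory_listing "$body"; then
    echo "LISTING EXPOSED: $1"
    return 1
  fi
  echo "no listing at $1"
}

# Constructed sample bodies for the offline demonstration, not real captures.
SAMPLE_LISTING='<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<ul><li><a href="example-plugin/">example-plugin/</a></li></ul></body></html>'
SAMPLE_BLANK=''
SAMPLE_404='<html><head><title>404 Not Found</title></head><body>Not Found</body></html>'
```

A blank page and a 404 both pass the check, which matches the two outcomes the text says to expect after the fix. Note that is_directory_listing keys on the title; a host with a customised autoindex template could evade it, in which case look for the tell-tale "Parent Directory" link instead.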

Changing WordPress Database Prefix

By default all the tables in your WordPress database have a prefix of "wp_".

It is advisable to change this, as it adds a small extra hurdle: automated SQL injection attacks that hard-code table names such as wp_users will fail against a different prefix. It is obscurity rather than a fix, though. Well-written WordPress code builds table names from the configured prefix, and so can an attacker who is able to run arbitrary queries, so a prefix change never makes an injectable plugin safe. Patch the plugin. The prefix can be changed to any combination of letters, numbers and underscores.

David Potter has done a nice guide on Changing the WordPress Table Prefix. Take a full database backup first: the change involves renaming every table and also updating the prefixed keys stored inside the options and usermeta tables, and missing the latter leaves every account without a role and locks you out of the admin area.

WordPress Security Plugins


There are plenty of WordPress security plugins available, so please check that the plugin’s version is compatible with your WordPress version before installing!

Here is a list of some good plugins that help to harden your blog.

WP Security Scan


WP Security Scan is probably the most downloaded security plugin for WordPress.

It scans your WordPress installation for file/directory permissions security vulnerabilities and suggests corrective actions,

[Screenshot: directory permissions]

WP Security Scan also scans for general security vulnerabilities and lets you know of areas that can be further secured,

[Screenshot: initial scan]

WP Security Scan also has a password tool and allows you to change database table prefix automatically.

WP-CopyProtect


Plagiarism and content theft are a real problem for bloggers.

Often people will copy and paste content from your blog and re-publish it themselves without your permission and without referencing your work.

WP-CopyProtect is a simple plugin that allows you to:

  • Disable right-click on your blog
  • Disable text selection

[Screenshot: WP-CopyProtect options]

It certainly isn't an all-encompassing solution, and it is not a security control in the usual sense: it works by JavaScript in the visitor's browser, so anyone who turns scripts off, views the page source or reads the RSS feed gets the text anyway. It does the trick in deterring the average person trying to rip off your posts.

I currently have text selection disabled on my blog and am quite happy with this plugin.

Secure WordPress

Secure WordPress helps to secure your WordPress installation and includes the following,

1. removes error information from the login page
2. adds index.html to the plugin directory (virtual)
3. removes the WordPress version, except in the admin area
4. removes Really Simple Discovery
5. removes Windows Live Writer
6. removes core update information for non-admins
7. removes plugin update information for non-admins
8. removes theme update information for non-admins (only WP 2.8 and higher)
9. adds the marker string used by WP Scanner (see below)


WP Scanner

WordPress scanner is a free online resource that blog administrators can use to provide a measure of their WordPress security level and comes bundled with the Secure WordPress plugin (see above).

To run WP Scanner, add the HTML comment <!-- wpscanner --> to your current WordPress template.. I added mine in the header.php file, before the closing body tag:

[Screenshot: wpscanner]

Once this code has been added, head to WPSCAN and scan your blog:

[Screenshot: scan]

When the scan is finished you will be given a summary of the state of your blog and any security risks found:

[Screenshot: scan finished]

When you have finished, don't forget to go back and REMOVE <!-- wpscanner -->. The marker is what authorises a scan, so while it is present anyone can run the scanner against your blog and read the same findings.

Login Lockdown

Login Lockdown records the IP address and timestamp of every failed WordPress login attempt.

If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery.

Lockout times can be modified via the Options panel, and administrators can release locked-out IP ranges manually from there.

Two limits are worth knowing. Because the lockout is by address range, an attacker who spreads guesses across many addresses stays under the threshold, while legitimate readers who share an address (an office NAT, a mobile carrier) can be locked out together by one bad actor. And the plugin only sees the login form, so it does not cover other ways of authenticating, such as XML-RPC if you have enabled it. The strong password remains the main defence; the lockout just makes guessing slow.

[Screenshot: Login Lockdown options]
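The lockout rule just described (N failures inside a window) is easy to reproduce against your web server access log, and worth reproducing, because a lockout plugin only sees what reaches the login form and a log also shows what the plugin never saw. This added example (mine, not the plugin's code) runs the same rule over constructed Apache combined-format log lines, per source address rather than per range: a POST to wp-login.php answered with 200 is a failed attempt (WordPress re-renders the form with an error), while a 302 is a successful login redirecting into the dashboard. The addresses, times and user agents in SAMPLE_LOG are made up.

```shell
#!/bin/sh
# Brute-force detector over Apache combined-format access logs. Added example.
# Mirrors the lockout rule: at least $1 failed wp-login.php POSTs from one IP
# within $2 seconds flags that IP. Log lines are read from stdin.
flag_bruteforce() {  # $1 = failures that trigger a flag, $2 = window in seconds
  awk -v max="$1" -v win="$2" '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    # Monotonic timestamp in seconds. Exact within a month, which is all a
    # lockout window of minutes needs (every month is treated as 31 days).
    function secs(ts,   d) {
      split(ts, d, "[/:]")                 # 10/Oct/2009:13:55:36 -> day Mon year h m s
      return ((d[3] * 372 + (mon[d[2]] - 1) * 31 + d[1]) * 86400) + d[4] * 3600 + d[5] * 60 + d[6]
    }
    /"POST \/wp-login\.php/ {
      if ($9 != 200) next                  # 302 = login succeeded; only 200 (form re-shown) is a failure
      ip = $1; ts = substr($4, 2); t = secs(ts)
      q[ip, tail[ip]] = t; tail[ip]++      # enqueue this failure
      while (head[ip] < tail[ip] && q[ip, head[ip]] < t - win) head[ip]++   # drop failures outside the window
      if (tail[ip] - head[ip] >= max && !(ip in flagged)) {
        flagged[ip] = 1
        printf "%s %d failures by %s\n", ip, tail[ip] - head[ip], ts
      }
    }'
}

# Constructed sample log for the offline demonstration (RFC 5737 test addresses,
# invented timestamps). 203.0.113.5 hammers the form, 198.51.100.7 mistypes once
# and then logs in, 192.0.2.9 fails five times but only once every five minutes.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2009:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2201 "-" "curl/7.19"
203.0.113.5 - - [10/Oct/2009:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.19"
203.0.113.5 - - [10/Oct/2009:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.19"
203.0.113.5 - - [10/Oct/2009:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.19"
203.0.113.5 - - [10/Oct/2009:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.19"
198.51.100.7 - - [10/Oct/2009:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "http://blog.example/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2009:13:55:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.19"
198.51.100.7 - - [10/Oct/2009:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2009:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2009:14:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2009:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2009:14:25:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2009:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'
```

On a real host run it as `flag_bruteforce 5 300 < /var/log/apache2/access.log` (path assumed). With that setting only 203.0.113.5 is reported; the slow attacker 192.0.2.9 slips under a five-minute window, which is the trade-off every lockout threshold makes between catching patient guessing and locking out a reader who fat-fingers a password a few times. The GET for the login form and the 302 are ignored by design, so a successful login never counts against the user.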

WP-DBManager


WP-DBManager is a plugin that manages your WordPress database.

It allows you to optimize, repair, back up and restore the database, delete old backups, drop or empty tables and run selected queries.

It also allows you to schedule your backups and have them emailed to you:

[Screenshot: automatic schedule]

I have configured mine so I get a scheduled email backup every day:

[Screenshot: backup emailed]

This is quite a handy plugin, as you can set it and forget it. That way you can be sure you always have an up-to-date backup of your blog's database. Remember what that dump contains, though: every user's password hash, every email address and any unpublished drafts, travelling as an attachment through ordinary, unencrypted email. Send it to a mailbox you control and protect well, or encrypt the file before it leaves the server.

WordPress Security Resources

Security Related Codex Articles

[Image: links to the security-related WordPress Codex articles]

50 Other WordPress Security Resources

  1. 5 WordPress Security Essentials – LGR
  2. 8 Security Tips and Guidelines for your WordPress Blog – Online Tech Tips
  3. 9 Best WordPress Security Plugins – Quick Online Tips
  4. 9 SEO Security Tips for WordPress – Ante zeta
  5. 10 Steps To Protect The Admin Area In WordPress – Smashing Magazine
  6. 10 WordPress Security Tips – Lost in Search
  7. 12 Essential Security Tips and Hacks for WordPress – Six Revisions
  8. 14 tips to wordpress practical security [How-to] – Rhulani Rabin
  9. 15 Plugins to Boost up your WordPress Security and a Special Tip! – Smart Bloggers
  10. 16 Excellent WordPress Security Plugins To Secure Your Blog – Tuazon
  11. 18 WordPress Security Plugins & Tips To Secure Your Blog – Make Use Of
  12. 20 WordPress Security Plug-ins And Tips To keep Hackers Away – Simple Thoughts
  13. 20+ Powerful WordPress Security Plugins and Some Tips and Tricks – Speck Boy
  14. Advanced WordPress Security Tips – Website In a Weekend
  15. Basic WordPress Security Tips – Lyle Ham
  16. Best practices against hacking – Google Webmaster Central Blog
  17. Current Events: Lazy Admins and WordPress Security – Monday by Noon
  18. Did your WordPress site get hacked? – Caoimhe
  19. Essential WordPress Security Tips – Is Your Blog Protected? – Tips and Tricks HQ
  20. Establishing A Sense Of Security On Your Blog – Steven Saunders
  21. How to secure WordPress – Site round
  22. Increasing your WordPress Security – Pixel Apes
  23. Interview with Deutsche Welle on WordPress Security – Mark on WordPress
  24. Protect Your Blog With a Solid Password – The Blog Herald
  25. Protecting the WordPress wp-admin folder – Reuben Yau
  26. Regarding WordPress and Security – Daring Fireball
  27. Top 5 WordPress Security Tips You Most Likely Don’t Follow – WP Tavern
  28. Top 10 ways to stop spam in WordPress – Cats who Code
  29. Top 21 WordPress Security Plugins for Hacker-Proof Blog – Binary Head
  30. Top Ten WordPress Security Tips – Moonlight Blog
  31. Triple “P” Of Total WordPress Security – How To Spotter
  32. WordPress Security – Netcom (PDF download)
  33. WordPress Security – WP Security
  34. WordPress Security Flaw: Reset Admin Password of Any Blog Without Confirmation! – Programmer Fish
  35. WordPress Security and How I’m Going to Take All Your Money – Techno sailor
  36. WordPress security: Hide login error messages – Blog Building
  37. WordPress security plugins – Insane Security
  38. WordPress Security Presentation – Brad Williams
  39. WordPress Security Prevention, Reactions, and Scares – Lorelle on WordPress
  40. WordPress Security Tip: Remove the Admin User – Daily Blogs Tips
  41. WordPress Security Tips – Dev shed
  42. WordPress Security Tips – Saki Blog
  43. WordPress Security Tips – Too Many Secrets
  44. WordPress Security Tips and Hacks – Nape
  45. WordPress Security Tips for non-geeks – You Are
  46. WordPress Security Tips — For the untrained – Tech Link blog
  47. WordPress Security Tips How to Keep WordPress Secure – Deals n Discounts
  48. WordPress Security Tips How to Secure a WordPress Installation – Suite 101
  49. WordPress Security Whitepaper – Blog security (PDF download)
  50. WordPress SEO: WordPress Security Why it Matters to SEO – Wolf Howl
