WordPress Security 101: Securing your Site

Securing your self-hosted WordPress site is one of the most critical aspects of starting a blog or growing it to the next level. As your site becomes more popular and garners the attention of new readers, it becomes a more attractive target for hackers and people who are up to no good.

While there is no silver bullet when it comes to securing a site, there are several things that can be done to make it less likely that yours will be compromised.

COMMON SENSE

Secure Password
The first, most common-sense way to secure your site is to have a strong, hard-to-guess password. This means that neither your significant other, best friend, nor malicious intruders should be able to guess what it is.

The ideal password is at least 8 characters long and contains at least one capital letter, one lower case letter, one special character (*&$#), and one number. How secure is your password?

Examples of terrible password formats include your name, your children’s names, your pet’s name(s), or combinations of names and numbers that have significance in your life. John Smith’s password shouldn’t be johnsmith1965, for example. This is not only easy to guess; it’s very easy for a brute force attacker to decipher the password.

Keep WordPress and plugins up-to-date
Running an outdated version of WordPress is one of the best ways to get your site hacked. When security holes are found and patched, updates are pushed out to site owners and they’re encouraged to upgrade their site. Hackers are most likely aware of the exploit already, but the ones that aren’t can easily put together a piece of software that scans for vulnerabilities in your version of WordPress.

One of the foremost experts on WordPress is involved with keeping the platform secure. His consulting (for people like you and me) is $250 per hour, and keeping your installation up to date is like applying his personally-suggested updates to your site as soon as they’re available.

Use plugins sparingly
There’s virtually no quality control when it comes to plugin coding, and certainly nothing in the way of an official security audit. What this means is that each plugin you add to your site increases the chances that your site could be compromised.

When evaluating a plugin, it might be helpful to ask yourself the following questions:

  1. Is this something I absolutely need? Will it help me reach my website goals?
  2. What feedback have others left for the plugin? Is it generally positive or mostly negative?
  3. Have many other users installed the plugin on their site already?

Use a reputable web host
Your site should be hosted by a reputable company, just like your car should be serviced by a qualified mechanic. You wouldn’t trust your means of transportation to someone with a bad reputation, so why accept anything less than the best in web hosting?

There have been several recent incidents where popular hosting companies have fallen victim to targeted attacks that compromised the websites of thousands of users. It’s your responsibility to research the reputation of the company that’s hosting your website. You can run simple Google searches, ask around (particularly your tech-savvy friends), and check out who’s hosting the websites of industry leaders and businesses you admire.

GENERAL HOUSEKEEPING

Change table prefix
When a WordPress website is installed for the first time, it will use the wp_ prefix in front of all records stored in the MySQL database unless it’s changed. Since hackers make the (correct) assumption that most people neglect to change this, attacks that use automated scripts to carry out malicious tasks will expect this database table naming convention.

The database table prefix can be found in the following line of the wp-config.php file:

$table_prefix  = 'wp_';

Here’s an example of how we can make this default WordPress installation more secure by changing the default database prefix:

$table_prefix  = 's3cur3pr3f1x_';

Changing the table prefix of a live site takes a different approach, since the existing tables must be renamed to match the new prefix.

Set correct permissions on files and folders
The concept of permissions applies to WordPress sites in that access must be explicitly granted to certain files and folders in the WordPress installation in order for the site to run properly. These settings determine who can read, write, and modify files and folders on the server.

Generally speaking, the correct permissions setting is 644 for files and 755 for folders or directories. Permissions can be verified and changed using most FTP clients such as FileZilla.

The webserver must have permission to access and run certain files in the same way that visitors must have permissions set so they’re able to view images and other media on your site. By the same token, we don’t want Harry Hacker being able to view the contents of your configuration files under any circumstances.
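As an added example (not code from the original post), here is a small POSIX shell script that audits a WordPress directory against the 644/755 baseline above, treats a world-readable wp-config.php as its own finding, and then applies the baseline; the demo tree it builds is constructed for illustration:

```shell
#!/bin/sh
# list_findings LABEL FIND-EXPRESSION...: print each match to stderr, echo the count
list_findings() {
    label="$1"; shift
    find "$@" -print | while IFS= read -r p; do
        echo "FINDING: $label: $p" >&2
    done
    find "$@" -print | wc -l
}

# audit_perms ROOT: count deviations from the 644 (files) / 755 (folders) baseline
audit_perms() {
    root="$1"
    dirs=$(list_findings "directory not 755" "$root" -type d ! -perm 755)
    files=$(list_findings "file not 644" "$root" -type f ! -name wp-config.php ! -perm 644)
    # wp-config.php holds DB credentials and secret keys, so 644 is too open:
    # any world-read bit on it is a finding.
    cfg=$(list_findings "wp-config.php world-readable" "$root" -type f -name wp-config.php -perm -004)
    echo $((dirs + files + cfg))
}

# harden_perms ROOT: apply the baseline. 600 on wp-config.php assumes PHP runs as
# the file's owner; if it runs as a different user, use 640 with that user's group.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$1" -type f -name wp-config.php -exec chmod 600 {} +
}

# Constructed demo tree (not a real site) with typical drift from the baseline.
demo=$(mktemp -d) && chmod 755 "$demo"
mkdir -p "$demo/wp-content/uploads" && chmod 755 "$demo/wp-content"
chmod 777 "$demo/wp-content/uploads"
printf '<?php\n' > "$demo/wp-config.php" && chmod 644 "$demo/wp-config.php"
printf 'x\n' > "$demo/index.php" && chmod 666 "$demo/index.php"
echo "Findings before hardening: $(audit_perms "$demo")"   # 3
harden_perms "$demo"
echo "Findings after hardening: $(audit_perms "$demo")"    # 0
rm -rf "$demo"
```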

Sensible backup strategy
Part of securing your site means that you’re prepared for a worst-case scenario. Since we know there’s no way to guarantee that our site won’t be compromised, we should also include a layer of security and insurance that includes a sensible backup strategy. There are many helpful plugins that can automatically schedule backups of your database or your entire site.

Use secret keys
To increase the security of passwords stored in your WordPress database, you should ensure that your wp-config.php file has unique values in place of the placeholder secret key text that exists by default. Here’s what this section looks like before being changed:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

And here’s what the section looks like after replacing the default text with unique keys obtained at WordPress’s secure secret key generator:

define('AUTH_KEY',        '*:f2*X;y@&w$Pqz{^]8v1.i}*_MyX?DXyVy*P{Cy{0NOFuc0I:wT(P10Ng>-3=+_');
define('SECURE_AUTH_KEY', '-7b}IsGq#T{=+-seQI*f+06^gyJVzAY~v<+eNd P-! Hg|VI]}Vq^?JgNd:7=<|j'); 
define('LOGGED_IN_KEY',   'YR=->yG8UnLKN1t#to`Rfws&(GLoGvVFl3$3o)4j+%=R&vRUJQTnzU=D4w/1g1Yu');
define('NONCE_KEY',       'j +o0G?&FXo4ujI!UgpXSkh,{!#Yfs %-+hVP$PH[* CPmVnl+C:!!*_`S={u?F}');

BEST PRACTICES

Code basic plugin functionality yourself
Many WordPress users are surprised to realize that much of the functionality provided by many popular plugins can be added to their sites without using a plugin. For displaying recent posts, recent comments, and related posts in the sidebar on your site, a plugin is definitely not necessary.

When you want to add a bit of custom functionality to your site, Google “[what you’re trying to do] without a plugin” to begin researching an alternate approach. The result will often lie in a few lines of code that you add to your functions.php file (or custom_functions.php if you’re using the Thesis Theme, of course). Your site will be faster and more secure with fewer plugins.

Remove the admin account
The default account created for you in WordPress is called admin. If someone wants to hack into your site, being able to accurately guess your username cuts their work in half. Here’s what to do:

  1. Create a new user with Administrator permissions
  2. Log out and then log back into WordPress with the new user you created
  3. Delete the admin user account
  4. When it asks what you want to do with posts attributed to admin, select the user you created

SECURITY PLUGINS

Some very helpful plugins have been developed that take WordPress security to the next level. In no particular order, here are six to consider:

  1. ServerBuddy — Check hosting quality, security issues, and more.
  2. Limit Login Attempts — Limit the number of login attempts possible.
  3. WP Security Scan — Scans your WordPress installation for security vulnerabilities.
  4. Login Lockdown — Records the IP address and timestamp of every failed login attempt.
  5. WordPress Exploit Scanner — Searches files, posts and comments for anything suspicious.
  6. Better WP Security — Removes typical WordPress vulnerabilities and adds security measures.

ADVANCED PRACTICES

.htaccess
In this context, the .htaccess file is a configuration file that allows us to add an additional layer of security to our sites. It’s a “hidden” file (as evidenced by the “.” preceding the name), meaning that you’ll need to enable viewing of hidden files in your FTP client. Note that this approach assumes that your site is running on an Apache webserver.

One of the most comprehensive sets of .htaccess rules was compiled by Jeff Starr at Perishable Press based on months of research, data, and testing. It’s called the 4G Blacklist and protects your site from a wide range of malicious attacks. When combined with these three tips from Google’s own Matt Cutts, you’ve got a near bulletproof .htaccess security approach.

Remove WordPress and theme version from head
WordPress includes the version of the software running on your site in the <head> of every page, which can be seen by viewing the source code of your site. The line looks like this:

<meta name="generator" content="WordPress 2.3.2" /> <!-- leave this for stats -->

The trouble with this is that there are often security vulnerabilities inherent to specific versions of WordPress, meaning that you’re potentially broadcasting information that you don’t want in the hands of a hacker. The best way to remove this is with the following snippet of code, which should be added to your functions.php file:

// Return an empty string so WordPress emits no generator tag at all.
function remove_version_from_head() {
    return '';
}
add_filter('the_generator', 'remove_version_from_head');
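To verify the fix, here is an added shell check (not from the original post) that scans a saved copy of a page’s HTML for the generator tag and also for the ?ver= query strings WordPress appends to the scripts and styles it loads, which the filter above does not touch; the sample page is constructed:

```shell
#!/bin/sh
# version_leaks HTML-FILE: list each version disclosure on stderr, echo the count
version_leaks() {
    html="$1"
    # 1. The generator meta tag (the disclosure the_generator filter above removes)
    grep -oi '<meta name="generator" content="[^"]*"' "$html" | sed 's/^/LEAK: /' >&2
    gen=$(grep -ci '<meta name="generator"' "$html" || true)
    # 2. Asset URLs ending in ?ver=<number>: WordPress appends its own version to
    #    the scripts and styles it enqueues, so removing the meta tag is not enough.
    pat='[^" ]*?ver=[0-9][0-9.]*'
    grep -o "$pat" "$html" | sort -u | sed 's/^/LEAK: /' >&2
    vers=$(grep -o "$pat" "$html" | sort -u | wc -l)
    echo $((gen + vers))
}

# Constructed sample page (not captured from a real site) as the check would see it.
make_sample_page() {
    cat > "$1" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 2.3.2" />
<link rel="stylesheet" href="/wp-content/themes/demo/style.css?ver=2.3.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=2.3.2"></script>
<script src="/wp-content/themes/demo/custom.js"></script>
</head><body></body></html>
EOF
}

page=$(mktemp); make_sample_page "$page"
echo "Disclosures on the sample page: $(version_leaks "$page")"   # 3
rm -f "$page"
```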

Force SSL login and administration
To enforce a secure, encrypted connection between you and the server when logging into and administering your site, add the following line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);
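As an added example serving the table-prefix, secret-key and SSL sections (not code from the original post), this shell function audits a wp-config.php for all three settings at once; the sample file it checks is constructed:

```shell
#!/bin/sh
# audit_wp_config FILE: print each weak setting to stderr, echo the number found
# (0 means none of the three issues is present).
audit_wp_config() {
    cfg="$1"
    n=0
    # 1. Default table prefix: matches $table_prefix = 'wp_' with any spacing/quotes
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg"; then
        echo "FINDING: default table prefix wp_ still in use" >&2
        n=$((n + 1))
    fi
    # 2. Secret keys still set to the installer placeholder; one finding per key
    placeholders=$(grep -c 'put your unique phrase here' "$cfg" || true)
    if [ "$placeholders" -gt 0 ]; then
        echo "FINDING: $placeholders secret key(s) still set to the default phrase" >&2
        n=$((n + placeholders))
    fi
    # 3. Login and admin traffic not forced onto SSL
    if ! grep -Eq "^[[:space:]]*define\([[:space:]]*.FORCE_SSL_ADMIN.[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FINDING: FORCE_SSL_ADMIN is not set to true" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample config for demonstration; not a real site's file.
make_sample_config() {
    cat > "$1" <<'EOF'
<?php
$table_prefix  = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
EOF
}

tmp=$(mktemp); make_sample_config "$tmp"
echo "Findings in sample wp-config.php: $(audit_wp_config "$tmp")"   # 6
rm -f "$tmp"
```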

Move the wp-config file
WordPress 2.6 shipped with the ability to move your wp-config.php file a level higher than where it resides by default, one directory above your WordPress root (typically outside the web-accessible directory). Moving the file there means that it is protected by the read-only permissions of that directory instead of being reachable through the webserver.

You can block access to the file by adding the following directive to your .htaccess file:

<files wp-config.php>
Order deny,allow
deny from all
</files>

SUMMARY

Learning how WordPress works is the first step in finding out the areas where we can mitigate risk. There’s an excellent article on the WordPress Codex that discusses WordPress Hardening (making it more secure). Implementing even half of the suggestions in this post will make your site more secure than the vast majority of WordPress sites on the web. Good luck!

Written by Willie Jackson

Willie Jackson is a Marketer and Website Performance Engineer with a strong sense of self and a tenuous relationship with the impossible. You can connect with him through Twitter, Facebook, or his personal website.

Comments

  • Kevin says:

    I’ve been looking for a good resource exactly like this. There are way too many wp sites with zero security measures added. Thanks Willie.

    • Cheers Kevin, I’m glad to hear that you found it useful. I totally agree (as you might have gathered) that security should be taken more seriously by everyone.

  • Nick Reese says:

    Willie – This post is Epic. This post has even opened my eyes! You have made me look at the security measures taken on this site.

    I like to think this site is on lock-down but it is time to take a hard look at where we really do stand. Thanks

  • Brian says:

    This is a seriously awesome and insightful post. It answers a lot of questions that have been in the back of my mind. Well done.

  • Mark Smith says:

    Great Post Willy, Please can we have some more on Art of Blog!

  • MASiFFECT says:

    How do you know where to insert the snippet code at? There’s so much going on in the file, I’m afraid of placing it in the wrong part of the script.

    • MASiFFECT says:

      On top of that, there are two functions.php files xD

      • You should only have one functions.php file in your theme. If you’re using the Thesis Theme Framework or similar, there will be a custom_functions.php file that you’d use for PHP code snippets.

        I believe each section indicates where the code snippets go, but please let me know which section you’re referencing so we can get you straight.

  • Steve says:

    Hi Willie and Nick,
    I made the changes to the $table_prefix = 'wp_'; in the wp-config.php file.
    When I went back into the site, the generic Welcome to WordPress install page was there.
    I did use it with the same login and PW as I had before, but once in the site it looked like a fresh install.
    I backed out, went into my cPanel / file manager / etc. and changed the $table_prefix back to the default wp_ setting.
    Went to my site, Bingo, all was normal. This is a fresh install of Thesis by the way.

    So, what am I doing wrong?
    Just to add a little humor; I can’t believe I’m asking for help from a self stated dropout. He he
    Had to get that in there Willie.
    Thanks for any help,
    Steve

  • Thankfully this was the number 1 search when I googled “how to secure wordpress website”
    Excellent post, I’ll be implementing all your recommendations. As a WordPress nooby I needed a well written, easy to understand article like this!
    Thank you!!

  • Africa Directory says:

    I just lost one of my sites to hackers and I can’t even delete wp-admin, wp-content and include when I tried to delete and reinstall WordPress. My question is, is there any single plugin to do all these instead of changing code?

  • […] of the service. And if this article’s topic is up your alley, check out the post I wrote on WordPress Security for Art of Blog. […]

  • […] Web consultant and Domino Project CTO Willie Jackson wrote an excellent post last week on WordPress security. The article provides some solid WP security tips, as well as a brief intro to a WP security tool called Sucuri. Willie also wrote a more detailed article about WP security last year for Art of Blog. […]

  • Noahs Ark says:

    I’m glad I saw this site, I will be implementing this security for several sites I did using WordPress

  • Useful Computer Security Resources « Joben says:

    […] WordPress Security 101: Securing Your Site by Willie […]

  • Andrew says:

    Thanks for these great tips! With WordPress, security is always an issue.

  • Pranav Vaibhav says:

    hmmmm…

    What else can I say except Thanks,

    I believe these tips will help in keeping the sites secured from hackers.