WordPress Security Tips

Look around the Net and you will see plenty of blog posts about WordPress sites getting hacked. As a blog owner you probably feel as protective of your site and its content as a father feels about his teenage daughter. I cannot help you with a chastity belt, but I can help you fit your blog with the software equivalents. So let's see how to keep malicious users out of your blog's nether regions.

No blog or website is one hundred percent secure

You might think you are safe behind your super secure content management system, your excellent and expensive dedicated server and your fully patched operating system. But I have news for you: no matter what security measures you take, a sufficiently determined and well resourced attacker can usually find a way to meddle with your server and content. Just ask NASA and the Pentagon about Gary McKinnon, or the US government about the diplomatic cables that ended up on WikiLeaks. If systems defended with budgets in the billions can be compromised, whether by an outsider or by an insider with legitimate access, then yours can be too.

As the great blog administrator that you are, the best you can do is harden your WordPress site against the casual, automated attacks by bots and opportunistic hackers that account for most attempts.

I will say it again to make sure you got my disclaimer the first time round:

Anyone who is determined enough to hack into a WordPress blog (or any other website) will usually find a way in. The more secure a site is, the greater the challenge, and the more determined that kind of hacker becomes to undress it. What hardening buys you is that everyone less determined moves on to an easier target.

Getting back to the purpose of this post, the four stages at which the security of a WordPress site needs attention are:

  • Pre-Installation
  • Installation
  • Post Installation
  • Ongoing Administration

There is little separation between WordPress security and WordPress maintenance so some of the steps mentioned here are not what you might regularly call security tweaks. They will, however, help defend your site from hack attacks.

Pre Installation

Use a reputable host

This is the simplest of all security steps.

Some host providers are better than others. Use a reputable host with a proven security record. Web host staff have greater access to your server than you do, so your files, databases and emails can be viewed and abused by them; choose a host that vets its staff and that is not too shy to tell you about security breaches and the steps taken to fix them. Also be sure your host provides 24 hour live technical support, so that if your server or site is hacked your host can help you get it back up and running. My preferred host is Hostgator.

Decide whether you need a dedicated or shared server

Dedicated servers do not depend on the integrity and technical skills of multiple webmasters to keep them secure: on a shared server one neighbour's compromised account can become the foothold used to read your files or database. In that sense a dedicated server is more secure than shared hosting, with a virtual private server somewhere in between. The trade-off is that it is more expensive and that patching the operating system, web server and PHP becomes your job rather than the host's, so choose it only if you will actually do that work.

Download WordPress only from WordPress.org

Install only the latest stable version of WordPress as provided by WordPress.org. Compare the download's checksum with the one published on the WordPress.org release page and virus scan it before you upload it to your server. If you obtain a custom or repackaged version of WordPress from anywhere other than WordPress.org, be certain of the provider's integrity: a tampered core is the easiest way for someone to own your site from day one.

Installation

The Database Prefix

The default prefix WordPress uses for every table it creates is wp_. During installation WordPress lets you set an alternative prefix. Do so, and make it something like wp_xyza_ or wp_nine_letters_and_numbers_. Automated SQL injection scripts written against a stock install hard-code table names such as wp_users and wp_options, so a different prefix makes them fail, and a real person who notices the prefix is not plain wp_ may move on. Be clear about what this buys you: it is obscurity, not a fix. Any attacker who has a working injection can read the real table names from MySQL's information_schema, so the prefix only filters out the lazy, automated attempts; the vulnerability it would have exploited still needs patching.
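To make the point concrete, here is an added example (not code from the page) in which a throw-away SQLite database stands in for a WordPress install created with the custom prefix wp_xyza_. The table layout and the single user row are constructed for the demonstration. An exploit that hard-codes wp_users fails, but one that asks the database for its table names first (information_schema on MySQL, sqlite_master here) recovers the prefix in one query:

```python
import sqlite3

# Added example, not code from the page: a throw-away SQLite database stands in
# for a WordPress install created with the custom prefix wp_xyza_. Table layout
# and the sample row are constructed for the demonstration.

PREFIX = "wp_xyza_"

def build_db(prefix=PREFIX):
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {prefix}users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    db.execute(f"INSERT INTO {prefix}users VALUES (1, 'siteowner', '$P$BexampleHashValue')")
    return db

def hardcoded_attack(db):
    """The automated script: assumes the default prefix and gives up when the table is missing."""
    try:
        return db.execute("SELECT user_login, user_pass FROM wp_users").fetchall()
    except sqlite3.OperationalError:        # "no such table: wp_users"
        return None

def enumerate_then_attack(db):
    """The slightly more patient attacker: list tables ending in 'users', then read the one found.
    On MySQL the first query would be
      SELECT table_name FROM information_schema.tables WHERE table_name LIKE '%users'
    """
    row = db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name LIKE '%users'"
    ).fetchone()
    if row is None:
        return None
    return db.execute(f"SELECT user_login, user_pass FROM {row[0]}").fetchall()

if __name__ == "__main__":
    db = build_db()
    print("hard-coded wp_ prefix:", hardcoded_attack(db))
    print("after enumerating tables:", enumerate_then_attack(db))
```

The first call returns nothing, the second returns the password hash. Treat the prefix as a speed bump for scripts and still fix the injection.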

Username

Choose a username other than admin, administrator, moderator, editor, subscriber, guest, poster or similar; brute-force bots try those first. Do not use a username that is the same as your displayed author name: as soon as WordPress is installed go to Users > Your Profile and change your display name. Be aware that this only hides the username from the byline. The author archive slug (the author link under your posts, which the ?author=1 URL redirects to) is derived from the username unless you also change the nicename, so treat the username as hard to guess rather than secret and rely on the password.

Password

Choose a long, random password: length matters more than cleverness, and a password manager will generate and store one for you, which beats a note on paper (if you do write it down, keep the paper somewhere secure). Do not use common words or phrases, and if you must make one up by hand be absolutely sure to add numbers and non-alphanumeric characters like *,#$%^ (no, I'm not swearing). Browser form-fillers such as InFormEnter or Autofill Forms (Firefox addons) save typing, but do not count on them to beat key loggers: malware that can log keystrokes on your machine can usually read the submitted form as well, so keep the machine you log in from clean and updated.

If you struggle to remember passwords, split them (chunk them) into smaller, more easily remembered sections or relate them to a rhyme or an imaginary shopping list; better still, let the password manager remember them for you.

Post Installation

Protect WP-Config

Protect wp-config.php immediately after you have successfully installed WordPress.

wp-config.php contains sensitive information that any attacker who can read it could use to take over your blog. The data it holds includes:

  • the name of your database
  • your database table prefix
  • your database username
  • your database password
  • plus any other custom WordPress configurations

All the effort put into choosing a crazy database username and password is lost to the ether if you forget to protect wp-config.php: anyone who can read the file can log in to your database.

The easiest way to protect wp-config.php is to set its file permissions to 400 (owner read only). This works on the usual cPanel setup, where PHP runs as your own account (suPHP or similar); if PHP runs as a separate web server user, use 440 with the web server's group instead. Some plugins, W3 Total Cache for example, need to write to wp-config.php when they activate, so the file has to be writable for those moments. Avoid the common alternative of 644: that makes the file world-readable, and on a shared server every other account on the machine can read your database password. I keep my permissions at 400 and change them only for as long as it takes to activate such a plugin or update WordPress, then set them back.

In cPanel, the file’s permission can be set by using the Legacy File Manager to view wp-config.php, selecting it then clicking on “Permissions” from the menu at the top right of the screen.

In some cases you can move wp-config.php out of your WordPress installation directory to the directory above it. WordPress looks for the file there automatically, so you do not need to specify where you have placed it; it looks exactly one level up and no further, and it will not use a wp-config.php from a parent directory that contains its own wp-settings.php (another WordPress install). The move is worth making when that parent directory is outside the web root: if PHP ever stops executing (a broken handler after an upgrade, say) a file inside the web root can be served as plain text, and that is the failure the move guards against. On some hosts PHP is not allowed to read outside /public_html (an open_basedir restriction), in which case moving the file above it will break the site; test before relying on it. Remember: it can only be one directory above the installation directory.

Protect sensitive files and directories with rules at the top of your .htaccess file: deny all web requests for wp-config.php and for .htaccess itself, and disable directory listings with Options -Indexes so visitors cannot browse wp-content for plugin and upload names.

Change Secret Keys for Cookies

Edit wp-config.php to add (or replace) the secret keys and salts that WordPress mixes into its authentication cookies. Go to https://api.wordpress.org/secret-key/1.1/salt/ to get a set of unique values for your site and paste them over the placeholder lines that ship in the sample config.

The secret keys can be changed at any time. Changing them invalidates every current login cookie, so all users, including you, will need to log back in as soon as the keys are changed; that also makes rotating them a useful first step when you suspect an account has been compromised.

Remove Redundant Files

Delete the following files from your WordPress installation directory; they serve no purpose on a live site and readme.html advertises the version you run. Core updates put them back, so repeat this after every update:

  • license.txt
  • readme.html
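The Post Installation steps above (file permissions on wp-config.php, the .htaccess rules, fresh secret keys and the redundant files) can be scripted so they are applied the same way every time. The following is an added example, not code from the page: it hardens a WordPress directory in place and returns a small audit so you can see what changed. The secret keys are generated locally with Python's secrets module rather than fetched from api.wordpress.org, using the same character classes the service uses. The Order/Deny syntax assumes Apache 2.2 or the mod_access_compat module on 2.4; the paths, and the constructed sample install used for the demonstration, are assumptions.

```python
import os
import re
import secrets
import stat
import string
import tempfile

# Added example, not code from the page. Hardens a WordPress directory the way
# the Post Installation section describes: wp-config.php to mode 400, .htaccess
# rules that deny web requests for wp-config.php and switch off directory
# listings, fresh secret keys generated locally, readme.html/license.txt removed.

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# same character classes the WordPress salt service uses; no single quote,
# because the value sits inside single quotes in PHP
SALT_CHARS = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
HTACCESS_RULES = """<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
Options -Indexes
"""
SALT_LINE = re.compile(r"define\(\s*'(" + "|".join(SALT_KEYS) + r")',\s*'[^']*'\s*\);")

def new_salt(length=64):
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))

def replace_salts(config_text):
    """Give every define('AUTH_KEY', '...'); style line a fresh random value."""
    return SALT_LINE.sub(lambda m: f"define('{m.group(1)}', '{new_salt()}');", config_text)

def audit(wp_root):
    """What a quick review of the install directory would report."""
    config = os.path.join(wp_root, "wp-config.php")
    htaccess = os.path.join(wp_root, ".htaccess")
    mode = stat.S_IMODE(os.stat(config).st_mode)
    rules = open(htaccess).read() if os.path.exists(htaccess) else ""
    with open(config) as f:
        config_text = f.read()
    return {
        "config_mode": oct(mode),
        "world_readable": bool(mode & stat.S_IROTH),
        "default_salts": PLACEHOLDER in config_text,
        "leftover_files": [n for n in ("readme.html", "license.txt")
                           if os.path.exists(os.path.join(wp_root, n))],
        "htaccess_protects_config": "<Files wp-config.php>" in rules,
    }

def harden(wp_root):
    config = os.path.join(wp_root, "wp-config.php")
    htaccess = os.path.join(wp_root, ".htaccess")
    with open(config) as f:
        text = f.read()
    with open(config, "w") as f:
        f.write(replace_salts(text))
    os.chmod(config, 0o400)   # owner read only; loosen briefly for plugins that must write it
    existing = open(htaccess).read() if os.path.exists(htaccess) else ""
    if "<Files wp-config.php>" not in existing:
        with open(htaccess, "w") as f:
            f.write(HTACCESS_RULES + existing)   # our rules go at the top, above WordPress's block
    for name in ("readme.html", "license.txt"):
        path = os.path.join(wp_root, name)
        if os.path.exists(path):
            os.remove(path)
    return audit(wp_root)

def make_sample_site(wp_root):
    """Constructed stand-in for a fresh install: default salts and the two leftover files."""
    lines = ["<?php", "define('DB_NAME', 'wpdb');"]
    lines += [f"define('{k}',         '{PLACEHOLDER}');" for k in SALT_KEYS]
    lines.append("$table_prefix = 'wp_xyza_';")
    with open(os.path.join(wp_root, "wp-config.php"), "w") as f:
        f.write("\n".join(lines) + "\n")
    for name in ("readme.html", "license.txt"):
        with open(os.path.join(wp_root, name), "w") as f:
            f.write("placeholder\n")

def demo():
    root = tempfile.mkdtemp()
    make_sample_site(root)
    return audit(root), harden(root)

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Run harden() against the real installation directory once, then re-run audit() after every core update to catch readme.html and license.txt coming back. On an Apache 2.4 server without mod_access_compat, replace the Order/Deny pair with Require all denied.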

WordPress Security Enhancement Plugins

There are many WordPress security plugins. I recommend these:

WordPress Exploit Scanner

This one scans your posts, pages, files and database for known vulnerabilities and exploits. It lists the scan results so you can decide which suggestions to implement. Use with caution: the scan has to be run manually and can generate a high server load, so disable the plugin between uses. Read the plugin's FAQ.

BulletProof Security

A newcomer to the WordPress security scene. I highly recommend this plugin. It protects your site against cross site scripting (XSS) and SQL injection attempts and protects sensitive files such as wp-config.php and .htaccess. It is regularly maintained and, being free, represents very good value. It works by rewriting your .htaccess rules, so remember to visit its settings page and edit the rules it writes so that they include any personal edits you need to keep.

Secure WordPress

A configurable plugin that lets you remove the WordPress version from your site's front end, suppress the login error messages that tell an attacker whether a username exists, remove Really Simple Discovery and Windows Live Writer links, hide site update notifications from non-admins, block bad queries and remove the WordPress version from non-admins in the back end.

AntiVirus

This one virus scans your site and advises of vulnerabilities. Read the plugin’s FAQs for more details.

Timthumb Vulnerability Scanner

Scans your site’s wp-content directory for old (unpatched) versions of Timthumb and optionally upgrades any found instances.

WordPress Firewall 2

Easy to configure plugin that blocks bad URL requests, protects your site from SQL injections, can be configured to block executable file uploads and lets you whitelist or blacklist IP addresses. It does a little more too.

Summary Plus

A regularly cleaned, optimized and updated WordPress site with up to date plugins and security conscious configuration settings is quicker and more secure than one that is not. Protect your wp-config.php and .htaccess files, deny directory browsing to visitors and keep up with the latest WordPress security news and security plugins.

Plugins are a common cause of WordPress security breaches. Only use the plugins you need and try not to use plugins that perform the same tasks as each other. Some plugins may be disabled after first use without affecting their purpose; others should only be enabled when required. Be diligent about the plugins you use: listen to what others say about them and drop any that are no longer maintained.

Lastly, remember to regularly back up your WordPress database, wp-config.php, .htaccess and your wp-content directory. I also suggest you back up any non-standard directories created outside of wp-content. Some hosts dislike backups being kept on your server, but if you do keep them there a good place is a directory above /public_html (surfers cannot view above there); copy them off the server as well, because a backup on a hacked machine is one the hacker can read or delete. It is also a good idea to re-install the WordPress core files every so often by visiting Updates > Re-install in your dashboard: that overwrites any core file a hacker has modified, though it does not clean anything planted in wp-content or the database.
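The backup routine above, as an added example rather than code from the page: it archives wp-config.php, .htaccess and wp-content into a directory above the web root (never web-served), leaves out wp-content/cache, locks the archive down to mode 600 because it contains the database password, and builds the mysqldump command line for the database half from the credentials in wp-config.php. The directory layout and the sample site it runs against are constructed for the demonstration, and the cache exclusion is an assumption about what you do not need to keep.

```python
import os
import re
import tarfile
import tempfile
import time

# Added example, not code from the page. File-level backup of the parts the
# Summary lists, stored above the web root, plus the mysqldump argv built from
# wp-config.php. All paths and the sample site are constructed/assumed.

DB_DEFINE = re.compile(r"define\(\s*'(DB_NAME|DB_USER|DB_HOST)',\s*'([^']*)'\s*\);")

def read_db_settings(config_path):
    with open(config_path) as f:
        return dict(DB_DEFINE.findall(f.read()))

def mysqldump_command(config_path, out_file):
    """argv for the database half of the backup. DB_PASSWORD is deliberately not
    read or passed here: put it in ~/.my.cnf or MYSQL_PWD so it never shows in `ps`."""
    s = read_db_settings(config_path)
    return ["mysqldump", "--single-transaction", "-h", s["DB_HOST"],
            "-u", s["DB_USER"], "-r", out_file, s["DB_NAME"]]

def backup_files(web_root, dest_dir, skip_dirs=("cache",)):
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, f"wp-files-{stamp}.tar.gz")

    def keep(info):
        # drop regenerable directories such as wp-content/cache (tarfile skips their subtree)
        return None if any(p in skip_dirs for p in info.name.split("/")[1:]) else info

    with tarfile.open(archive, "w:gz") as tar:
        for name in ("wp-config.php", ".htaccess", "wp-content"):
            path = os.path.join(web_root, name)
            if os.path.exists(path):
                tar.add(path, arcname=name, filter=keep)
    os.chmod(archive, 0o600)   # the archive holds the database password
    with tarfile.open(archive) as tar:
        return archive, sorted(tar.getnames())

def make_sample_site(web_root):
    """Constructed public_html: a config, an .htaccess, one theme file and a cache directory."""
    os.makedirs(os.path.join(web_root, "wp-content", "themes"))
    os.makedirs(os.path.join(web_root, "wp-content", "cache"))
    files = {
        "wp-config.php": ("<?php\ndefine('DB_NAME', 'wpdb');\ndefine('DB_USER', 'wpuser');\n"
                          "define('DB_PASSWORD', 'not-for-the-command-line');\n"
                          "define('DB_HOST', 'localhost');\n"),
        ".htaccess": "Options -Indexes\n",
        os.path.join("wp-content", "themes", "functions.php"): "<?php // theme\n",
        os.path.join("wp-content", "cache", "page.html"): "<!-- regenerable -->\n",
    }
    for rel, body in files.items():
        with open(os.path.join(web_root, rel), "w") as f:
            f.write(body)

def demo():
    home = tempfile.mkdtemp()                    # stands in for the account's home directory
    web_root = os.path.join(home, "public_html")
    os.makedirs(web_root)
    make_sample_site(web_root)
    backups = os.path.join(home, "backups")      # above public_html, so not reachable by URL
    os.makedirs(backups)
    archive, members = backup_files(web_root, backups)
    cmd = mysqldump_command(os.path.join(web_root, "wp-config.php"),
                            os.path.join(backups, "db.sql"))
    return members, cmd, oct(os.stat(archive).st_mode & 0o777)

if __name__ == "__main__":
    members, cmd, mode = demo()
    print(members, mode)
    print(" ".join(cmd))
```

Run the returned mysqldump command with the password supplied through ~/.my.cnf, then copy both the archive and the SQL dump off the server.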

WP Service Masters is a company that will enhance and regularly update your site’s security measures. They are reasonably priced WordPress experts. How do I know? I own the company. Try them now.

Comments

  1. joomlaserviceprovider says

    Greetings. We are pleased to announce the release of wSecure. wSecure hides your WordPress admin URL with a special key so that only you can access it. The problem with WordPress is that anyone can tell if your site is WordPress by simply typing in the default URL to the administration area (i.e. http://www.yoursite.com/wp-admin). wSecure helps you hide the fact that your website is built with WordPress from prying eyes.

    Check out wSecure in action here: http://wp.joomlaserviceprovider.com/
