The 10 Things You Need to Know to Secure Your WordPress Site

The 10 Things You Need to Know to Secure Your WordPress Site

Tom Ewer

The 10 Things You Need to Know to Secure Your WordPress Site

Security is typically something that many of us don’t give a second’s thought to until it is too late.

If we are lucky, someone else’s misfortune galvanizes us into action. For instance, the popular blog Famous Bloggers was recently subject to domain theft, as chronicled here and here. Whilst hacking and malware are something I have always been aware of, I hadn’t even considered domain theft. In response to learning of Famous Bloggers’ misfortune, I immediately changed my GoDaddy password to something completely unique and random.

Fortunately, the dev folks here at ManageWP take security very seriously, with everything from secure SSL login capability to two step authentication featuring in our our suite of security utilities. However, your WordPress site may not be as well protected.

With that in mind, there are some steps that arguably every WordPress user should take to secure their site(s).

Is WordPress Vulnerable?

WordPress SecurityThere are a few integral factors that make WordPress potentially vulnerable to attack, but the core issue is in its enormous popularity.

Every single day, new WordPress installations take place on an unfathomable number of varying server environments. Each installation will then subsequently be built upon with third party themes and plugins of varying qualities and compatibilities. As the TimThumb debacle and WordPress.org Repository hack last year highlighted, all it takes is one compromised or out of date plugin or theme to result in a major security threat.

You may be wondering what hackers might do when they find a website that they can breach. In reality, they are only limited by their imagination, but popular examples are:

  • Executing code
  • Creating hidden links to sites (in the hope of boosting search engine rankings)
  • Redirecting visitors to alternative sites (which is exactly what happened in the Famous Bloggers incident above)
  • Embedding a hidden backdoor, so that access can be gained even when vulnerabilities are fixed

I should make it clear that all content management systems of a similar nature suffer from the same vulnerabilities – it is the nature of the beast. With great power comes a responsibility to ensure that you are keeping your WordPress installation secure. The good news is that securing your WordPress site is not a particularly difficult process.

How to Secure Your WordPress Site

This may seem like an intimidatingly long list, but in reality, the majority of tips you see below are either a one-off job, or can be done at the click of a button. Although you will need to put in a little bit of work in order to secure your WordPress site, the alternative is unthinkable.

Here’s what you need to do:

  1. Update your WordPress installation as soon as a new version is released.
  2. Keep plugins and themes updated (even deactivated ones).
  3. Never install themes or plugins from an untrusted source.
  4. Create regular backups of both your database and files.
  5. Create a new administrator user, login as that user, and delete your “admin” user account. Make sure that you transfer any posts and pages owned by the old admin user when doing this.
  6. Do not publish your administrator account name on your blog (e.g. in the meta data above a post). Instead, select to display your nickname as your public name (which can be done from the User Profile settings screen).
  7. Create a custom login page URL (these plugins may help you)
  8. Create a completely unique password for your account, ideally included upper and lowercase letters, numbers, and symbols. I like to combine a completely random word with a couple of numbers, with at least one symbol replacing a similar letter (e.g. “@Grari@n36”).
  9. Install a login attempt limiting plugin, such as Limit Login Attempts.
  10. Install WordPress File Monitor Plus, so that you will be informed whenever changes are made to your site.
  11. Install one or more of the following excellent security plugins: Wordfence Security, BulletProof Security, or Better WP Security.

There are additional, more intricate steps you can take to further boost the security of your WordPress installation. After all, there is no such thing as a perfectly secure website, so there is always something extra you can do. However, following the above 10 tips will have you more effectively protected than the vast majority of WordPress sites, and hackers go after the easy targets, not the difficult ones.

I have just one final piece of advice – make sure that any computer you use is free of viruses, malware and spyware. Following all of the above recommendations will be for naught if the computer you are using is compromised.

What Tips Do You Have?

Are you a WordPress security nut? If so, do you have any additional tips that can help people increase the security of their WordPress installation? Let us know in the comments section!

Creative Commons photo courtesy of vrogy

Tom Ewer Avatar

author

Tom Ewer
Tom Ewer is the founder of WordCandy.co. He has been a huge fan of WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he’s not working, you’re likely to find him outdoors somewhere – as far away from a screen as possible!

17 responses

  1. Andi Avatar
    Andi

    Hey Tom, I always add
    ‘Options All -Indexes’
    to prevent directory browsing
    and

    Order allow,deny
    Deny from all

    to prevent access to my wp-config file where Database credentilals can be found, to my .htaccess file immediately after Installation.

    Also I change the ‘wp_’ Database prefix and admin user during installation to non-standards.
    Then, I chmod the wp-config to 440 which is enough for daily operation without any problems.

    These are the minimum options that saved me for 1 year up to now after 2 hacks in 3 weeks – so that seems to work fine so far.
    I use the Bulletproof Plugin for my own Sites as additional security option.

    Reply
  2. Sergej Müller Avatar
    Sergej Müller

    Another security plugin: http://wordpress.org/extend/plugins/antivirus/

    Reply
  3. BigBolts Avatar
    BigBolts

    When I setup a new wordpress site the defaults are always:

    Create new super user with strong passowrd and Delete “admin” user
    Always move the wp-config file above the public_html dir.
    Always add Options -Indexes to .htaccess
    Turn on Akismet
    Delete deactivate plugins (like hello dolly) – never leave them
    Bad Behaviour – to prevent script access
    SABRE – to stop bot registrations
    Login Lockdown – to prevent login attempts
    Lockdown WP – to obscure the wp-admin/wp-login URL
    Secure WordPress – for various security improvements
    Cloudflare for cache & security (don’t use with bad behaviour)
    Audit Trail – to see any changes
    Wordpress File Monitor Plus – for emails of changed files

    Reply
  4. Paul Harvey Avatar
    Paul Harvey

    Tom, I’m afraid this post falls well below your usual high standard, as comments already indicate. Would love to see you redo this after more thorough research. Perhaps a trip to the dark side?

    Paul Harvey.

    Reply
  5. Cotton Rohrscheib Avatar
    Cotton Rohrscheib

    I agree w/ a lot of what you have suggested however I also recommend running mod_security on the server when possible. It takes a little while to get it fine tuned but in the end it’s well worth it’s weight in gold when it comes to blocking XSS exploits, etc.

    Also, a few more security related posts from my blog:

    http://www.cottonrohrscheib.com/blog/securing-wp-config-php/
    http://www.cottonrohrscheib.com/blog/critch-on-modsecurity/
    http://www.cottonrohrscheib.com/blog/the-wordpress-pharma-hack/

    Thanks,

    Cotton Rohrscheib
    Partner / Co-Founder – Pleth, LLC
    http://www.pleth.com
    http://www.cottonrohrscheib.com

    Reply
  6. Paul Avatar
    Paul

    Hi Tom

    One thing that helps me is get a good web hosting company. I use WPEngine and they take care of all backend security for me. Don’t have to install security plugins, don’t have to change file permissions, I get regular backups and if the site does get hacked they will fix it for me.

    Reply
  7. Stuart Avatar
    Stuart

    This post could be a tad misleading to beginners in WordPress, lets not make people think that by doing the above will make them safe.

    Some other essentials that you must do are lock down the admin section, install.php and config.php files.

    I also like to recommend checking all file and folder permissions, and using 5G Firewall as a minimum. Might as well protect from hotlinking whilst you’re in the .htaccess file as well.

    I also recently started to use Cloudflare’s free account for a few sites and they seem to filter out lots of bad people! Still monotoring effectiveness on this though.

    For more detailed explanations of these methods, including using .htaccess to secure yout site you can go to:

    http://talkingwordpress.com/category/security/

    Reply
  8. Anders Vinther Avatar
    Anders Vinther

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

    I have written up my experiences in a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.

    My checklist has a few more items on it and includes step by step instructions on how to get the job done…

    Hopefully the checklist can help other people securing their WordPress sites…

    Reply
  9. DiTesco Avatar
    DiTesco

    Hi Tom. WordPress security should never be taken lightly. I too found out about this when it was too late, although, fortunately I was able to recover from the mishap. Backing up files is by far the best of the best and installing additional “counter-measures” like the ones you mentioned in this post is more than advisable. I have been using Better WP Security, and right after installing it, I started to receive notification lockouts from people trying to login my account. I never thought that the attempts where so much … FamousBloggers experience is really a scary one and I am just glad that my friend got it sorted out quickly.

    Reply
  10. sikedestroya Avatar
    sikedestroya

    In my opinion, Better WP Security, is far best security plugin for WordPress, and easiest to use… Give it a try, you will not regret it…

    Reply
  11. viki debbarma Avatar
    viki debbarma

    Your tips are great of no imaginary, these plugins are wonderful.
    thanx for the post.

    Reply
  12. Lisa Avatar
    Lisa

    Thanks for a thought provoking article.

    Utter newbie here, so forgive me: #5 “Make sure that you transfer any posts and pages owned by the old admin user when doing this” has me stumped. I’ve googled, and all hits refer to transferring blogs, not posts. Can you explain further?
    Thanks!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *