Security is typically something that many of us don’t give a second’s thought to until it is too late.
If we are lucky, someone else’s misfortune galvanizes us into action. For instance, the popular blog Famous Bloggers was recently subject to domain theft, as chronicled here and here. Whilst hacking and malware are something I have always been aware of, I hadn’t even considered domain theft. In response to learning of Famous Bloggers’ misfortune, I immediately changed my GoDaddy password to something completely unique and random.
Fortunately, the dev folks here at ManageWP take security very seriously, with everything from secure SSL login capability to two-step authentication featuring in our suite of security utilities. However, your WordPress site may not be as well protected.
With that in mind, there are some steps that arguably every WordPress user should take to secure their site(s).
Is WordPress Vulnerable?
There are a few integral factors that make WordPress potentially vulnerable to attack, but the core issue is in its enormous popularity.
Every single day, new WordPress installations take place on an unfathomable number of varying server environments. Each installation will then subsequently be built upon with third-party themes and plugins of varying quality and compatibility. As the TimThumb debacle and the WordPress.org Repository hack last year highlighted, all it takes is one compromised or out-of-date plugin or theme to result in a major security threat.
You may be wondering what hackers might do when they find a website that they can breach. In reality, they are only limited by their imagination, but popular examples are:
- Executing code
- Creating hidden links to sites (in the hope of boosting search engine rankings)
- Redirecting visitors to alternative sites (which is exactly what happened in the Famous Bloggers incident above)
- Embedding a hidden backdoor, so that access can be gained even when vulnerabilities are fixed
I should make it clear that all content management systems of a similar nature suffer from the same vulnerabilities – it is the nature of the beast. With great power comes a responsibility to ensure that you are keeping your WordPress installation secure. The good news is that securing your WordPress site is not a particularly difficult process.
How to Secure Your WordPress Site
This may seem like an intimidatingly long list, but in reality, the majority of tips you see below are either a one-off job, or can be done at the click of a button. Although you will need to put in a little bit of work in order to secure your WordPress site, the alternative is unthinkable.
Here’s what you need to do:
- Update your WordPress installation as soon as a new version is released.
- Keep plugins and themes updated (even deactivated ones).
- Never install themes or plugins from an untrusted source.
- Create regular backups of both your database and files.
- Create a new administrator user, log in as that user, and delete your “admin” user account. Make sure that you transfer any posts and pages owned by the old admin user when doing this.
- Do not publish your administrator account name on your blog (e.g. in the metadata above a post). Instead, select to display your nickname as your public name (which can be done from the User Profile settings screen).
- Create a custom login page URL (these plugins may help you)
- Create a completely unique password for your account, ideally including upper- and lowercase letters, numbers, and symbols. I like to combine a completely random word with a couple of numbers, with at least one symbol replacing a similar letter (e.g. “@Grari@n36”).
- Install a login attempt limiting plugin, such as Limit Login Attempts.
- Install WordPress File Monitor Plus, so that you will be informed whenever changes are made to your site.
- Install one or more of the following excellent security plugins: Wordfence Security, BulletProof Security, or Better WP Security.
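Tip 8 above recommends a login attempt limiting plugin. To show what such a plugin actually does, here is an added example written as a WordPress must-use plugin; it is not code from this post or from the Limit Login Attempts plugin. The `lla_` function names, the `LLA_*` constants and the thresholds are assumptions chosen for the example; the hooks it uses (`wp_login_failed`, `authenticate`, `wp_login`) and the transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Added example, not the Limit Login Attempts plugin recommended in the post.
 * Save as wp-content/mu-plugins/login-limiter.php and WordPress loads it on
 * every request. Policy: after LLA_MAX_ATTEMPTS failed logins from one client
 * address inside LLA_WINDOW seconds, refuse all logins from that address for
 * LLA_LOCKOUT seconds. State is kept in WordPress transients, so no extra
 * table is needed. (Names and thresholds are assumptions for this example.)
 */

const LLA_MAX_ATTEMPTS = 5;     // failures allowed inside the window
const LLA_WINDOW       = 600;   // seconds the failure counter is kept
const LLA_LOCKOUT      = 1800;  // seconds a locked-out address is refused

/**
 * Client address used as the lockout key. REMOTE_ADDR is set by the web
 * server itself; the X-Forwarded-For header is deliberately not read because
 * any client can send an arbitrary value in it.
 */
function lla_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lla_counter_key(string $ip): string {
    return 'lla_fail_' . md5($ip);
}

function lla_lockout_key(string $ip): string {
    return 'lla_lock_' . md5($ip);
}

/** Count a failed login; lock the address out once the threshold is reached. */
function lla_record_failure(string $username): void {
    $ip = lla_client_ip();
    if (get_transient(lla_lockout_key($ip)) !== false) {
        return; // already locked out; the 'authenticate' filter is rejecting this address
    }
    $key      = lla_counter_key($ip);
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, LLA_WINDOW);

    if ($failures >= LLA_MAX_ATTEMPTS) {
        set_transient(lla_lockout_key($ip), time() + LLA_LOCKOUT, LLA_LOCKOUT);
        delete_transient($key);
        // Leave a trace in the PHP error log so the site owner can see lockouts.
        error_log(sprintf('[lla] lockout: %s after %d failed logins (last username tried: %s)',
            $ip, $failures, sanitize_user($username)));
    }
}
add_action('wp_login_failed', 'lla_record_failure');

/**
 * Runs on the 'authenticate' filter after WordPress's own password check
 * (priority 20) and overrides its result: returning a WP_Error makes the login
 * fail, so a locked-out address is refused even when the password is correct.
 */
function lla_check_lockout($user, string $username, string $password) {
    $until = get_transient(lla_lockout_key(lla_client_ip()));
    if ($until !== false && (int) $until > time()) {
        $minutes = (int) ceil(((int) $until - time()) / 60);
        return new WP_Error(
            'lla_locked_out',
            sprintf('Too many failed login attempts. Try again in %d minute(s).', $minutes)
        );
    }
    return $user;
}
add_filter('authenticate', 'lla_check_lockout', 30, 3);

/** A successful login clears the failure counter for the address. */
function lla_clear_on_success(string $user_login, WP_User $user): void {
    delete_transient(lla_counter_key(lla_client_ip()));
}
add_action('wp_login', 'lla_clear_on_success', 10, 2);
```

One caveat worth knowing before relying on anything like this: if the site sits behind a proxy or CDN (Cloudflare is mentioned in the comments below), `REMOTE_ADDR` holds the proxy's address rather than the visitor's, so every visitor would share one counter and a few failed logins would lock everyone out. In that setup the web server must restore the real client address first (for example with Apache's mod_remoteip configured to trust only the proxy's addresses), and the limiter should keep reading `REMOTE_ADDR` rather than trusting a forwarded header on its own.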
There are additional, more intricate steps you can take to further boost the security of your WordPress installation. After all, there is no such thing as a perfectly secure website, so there is always something extra you can do. However, following the above 10 tips will have you more effectively protected than the vast majority of WordPress sites, and hackers go after the easy targets, not the difficult ones.
I have just one final piece of advice – make sure that any computer you use is free of viruses, malware and spyware. Following all of the above recommendations will be for naught if the computer you are using is compromised.
What Tips Do You Have?
Are you a WordPress security nut? If so, do you have any additional tips that can help people increase the security of their WordPress installation? Let us know in the comments section!
Creative Commons photo courtesy of vrogy
Lisa
Thanks for a thought provoking article.
Utter newbie here, so forgive me: #5 “Make sure that you transfer any posts and pages owned by the old admin user when doing this” has me stumped. I’ve googled, and all hits refer to transferring blogs, not posts. Can you explain further?
Thanks!
viki debbarma
Your tips are great of no imaginary, these plugins are wonderful.
Thanks for the post.
sikedestroya
In my opinion, Better WP Security is by far the best security plugin for WordPress, and the easiest to use… Give it a try, you will not regret it…
Liza
YES! This plugin is FABULOUS.
DiTesco
Hi Tom. WordPress security should never be taken lightly. I too found out about this when it was too late, although, fortunately, I was able to recover from the mishap. Backing up files is by far the best of the best and installing additional “counter-measures” like the ones you mentioned in this post is more than advisable. I have been using Better WP Security, and right after installing it, I started to receive lockout notifications from people trying to log in to my account. I never thought that the attempts were so many … FamousBloggers’ experience is really a scary one and I am just glad that my friend got it sorted out quickly.
Anders Vinther
I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…
I have written up my experiences in a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.
My checklist has a few more items on it and includes step by step instructions on how to get the job done…
Hopefully the checklist can help other people securing their WordPress sites…
Stuart
This post could be a tad misleading to beginners in WordPress; let’s not make people think that doing the above will make them safe.
Some other essentials that you must do are lock down the admin section, install.php and config.php files.
I also like to recommend checking all file and folder permissions, and using 5G Firewall as a minimum. Might as well protect from hotlinking whilst you’re in the .htaccess file as well.
I also recently started to use Cloudflare’s free account for a few sites and they seem to filter out lots of bad people! Still monitoring effectiveness on this though.
For more detailed explanations of these methods, including using .htaccess to secure your site, you can go to:
http://talkingwordpress.com/category/security/
Tom Ewer
Hi Stuart,
“Safe” is of course a subjective term, but I did state the following in the post:
“There are additional, more intricate steps you can take to further boost the security of your WordPress installation. After all, there is no such thing as a perfectly secure website, so there is always something extra you can do.”
Having said that, I think the steps above take people a lot further in terms of security than most.
Cheers,
Tom
Paul
Hi Tom
One thing that helps me is get a good web hosting company. I use WPEngine and they take care of all backend security for me. Don’t have to install security plugins, don’t have to change file permissions, I get regular backups and if the site does get hacked they will fix it for me.
Tom Ewer
Great suggestion Paul – I think WPEngine are great!
Anders Vinther
Hi Paul,
Just a word of warning here: Just because you are hosted at WP Engine does not mean you do not have to do anything in relation to security.
As an example I asked their support how I could protect the wp-admin directory using basic auth in their environment (a very common and effective way to stop automated brute force attacks on the admin user).
Support told me that I did not have to do this.
However the Sucuri WordPress plugin has reported several failed attempts at logging in with the admin user on my site.
I wish I could tell you exactly what you would need to do to secure your site on the WP Engine environment, but I have not been successful in obtaining that information.
Cotton Rohrscheib
I agree w/ a lot of what you have suggested; however, I also recommend running mod_security on the server when possible. It takes a little while to get it fine-tuned, but in the end it’s well worth its weight in gold when it comes to blocking XSS exploits, etc.
Also, a few more security related posts from my blog:
http://www.cottonrohrscheib.com/blog/securing-wp-config-php/
http://www.cottonrohrscheib.com/blog/critch-on-modsecurity/
http://www.cottonrohrscheib.com/blog/the-wordpress-pharma-hack/
Thanks,
Cotton Rohrscheib
Partner / Co-Founder – Pleth, LLC
http://www.pleth.com
http://www.cottonrohrscheib.com
Paul Harvey
Tom, I’m afraid this post falls well below your usual high standard, as comments already indicate. Would love to see you redo this after more thorough research. Perhaps a trip to the dark side?
Paul Harvey.
Tom Ewer
Hi Paul,
Thanks for the feedback, although you don’t really give me anything to go on. The previous comments offer up additional (and somewhat advanced) techniques for securing a WordPress installation, which is certainly a good thing to see. However, this post was intended as a “primer” for beginners, as I am willing to bet that the vast majority of WordPress beginners will do literally nothing to secure their site.
Not sure what you mean by “a trip to the dark side” I’m afraid!
Cheers,
Tom
BigBolts
When I set up a new WordPress site the defaults are always:
Create new super user with strong password and delete “admin” user
Always move the wp-config file above the public_html dir.
Always add Options -Indexes to .htaccess
Turn on Akismet
Delete deactivate plugins (like hello dolly) – never leave them
Bad Behaviour – to prevent script access
SABRE – to stop bot registrations
Login Lockdown – to prevent login attempts
Lockdown WP – to obscure the wp-admin/wp-login URL
Secure WordPress – for various security improvements
Cloudflare for cache & security (don’t use with bad behaviour)
Audit Trail – to see any changes
WordPress File Monitor Plus – for emails of changed files
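Tip 10 in the post and BigBolts' list both rely on WordPress File Monitor Plus to report changed files. The following added example shows the mechanism behind such a plugin as a small command-line PHP script; it is not code from the post or from that plugin. The file name `wp-file-monitor.php`, the `fm_` function names and the skipped directories are assumptions chosen for the example.

```php
<?php
/**
 * File-change monitor (added example, not the WordPress File Monitor Plus plugin).
 *
 * Usage:
 *   php wp-file-monitor.php baseline /var/www/html > baseline.json
 *   php wp-file-monitor.php check    /var/www/html baseline.json
 *
 * The first run records the SHA-256 digest of every file under the site root.
 * Later runs compare the live tree against that record and list files that
 * were added, removed or modified, which is how an unexpected backdoor file or
 * an edited theme file becomes visible. Run the check from cron and mail the
 * output; keep baseline.json outside the web root so an intruder cannot
 * rewrite it along with the files.
 */

declare(strict_types=1);

/** Directories whose contents change legitimately all the time (assumed list). */
const FM_SKIP_DIRS = ['wp-content/uploads', 'wp-content/cache'];

/** Walk $root and return [relative path => sha256 hex digest] for every regular file. */
function fm_snapshot(string $root): array {
    $root  = rtrim((string) realpath($root), '/');
    $files = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach (FM_SKIP_DIRS as $skip) {
            if (strncmp($rel, $skip . '/', strlen($skip) + 1) === 0) {
                continue 2; // inside a skipped directory
            }
        }
        $files[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($files);
    return $files;
}

/** Compare two snapshots; returns ['added' => [...], 'removed' => [...], 'modified' => [...]]. */
function fm_diff(array $baseline, array $current): array {
    $added    = array_keys(array_diff_key($current, $baseline));
    $removed  = array_keys(array_diff_key($baseline, $current));
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $digest) {
        if (!hash_equals((string) $baseline[$path], (string) $digest)) {
            $modified[] = $path;
        }
    }
    return ['added' => $added, 'removed' => $removed, 'modified' => $modified];
}

// ---- command-line entry point --------------------------------------------
if (PHP_SAPI === 'cli') {
    $mode = $argv[1] ?? '';
    $root = $argv[2] ?? '';
    if ($mode === 'baseline' && is_dir($root)) {
        echo json_encode(fm_snapshot($root), JSON_PRETTY_PRINT), "\n";
        exit(0);
    }
    if ($mode === 'check' && is_dir($root) && isset($argv[3]) && is_file($argv[3])) {
        $baseline = json_decode((string) file_get_contents($argv[3]), true) ?: [];
        $report   = fm_diff($baseline, fm_snapshot($root));
        $changes  = 0;
        foreach ($report as $kind => $paths) {
            foreach ($paths as $path) {
                echo strtoupper($kind), "\t", $path, "\n";
                $changes++;
            }
        }
        // Non-zero exit status lets a cron wrapper decide whether to send an alert.
        exit($changes === 0 ? 0 : 1);
    }
    fwrite(STDERR, "usage: php wp-file-monitor.php baseline <site-root> | check <site-root> <baseline.json>\n");
    exit(2);
}
```

After a legitimate update of WordPress, a theme or a plugin the check will naturally report many modified files; regenerate the baseline right after such an update so that the next report again shows only unexpected changes.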
Sergej Müller
Another security plugin: http://wordpress.org/extend/plugins/antivirus/
Andi
Hey Tom, I always add
Options All -Indexes
to prevent directory browsing, and
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
to prevent access to my wp-config file, where the database credentials can be found, to my .htaccess file immediately after installation.
Also I change the ‘wp_’ database prefix and the admin user during installation to non-standard values.
Then, I chmod the wp-config to 440 which is enough for daily operation without any problems.
These are the minimum options that saved me for 1 year up to now after 2 hacks in 3 weeks – so that seems to work fine so far.
I use the Bulletproof Plugin for my own Sites as additional security option.