WordPress Security – A Comprehensive Guide
Keeping your WordPress installation secure is usually not something a lot of people spend a great deal of time on. However, I believe tightening up WordPress security should be your first priority every single time you install WordPress. No exceptions.
With the recent Pharma hack (more info about it plus a solution on Chris Pearson’s blog) going round, I thought it was time to focus on WordPress security today. There are a lot of things you can do to build extra layers of security for your WordPress installation.
There are a few different layers involved in securing your WordPress installation. I shall list them grouped together as much as possible.
Server-side & .htaccess
WordPress security starts, of course, with using a proper hosting company. If a server setup is not secure by default then no amount of security measures is going to keep unwanted visitors out. Please look around before you decide which hosting partner will work best for you.
.htaccess Lockdown
Your .htaccess file can be used for a lot of neat stuff, but it most certainly should be deployed to stop hackers from getting in. The .htaccess lockdown allows you to specify which IP addresses can be used to access your admin dashboard.
Adding the following lines will help you do this:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 123.456.789.012
The 123.456.789.012 part should be replaced with your own IP address. Not sure what your IP address is? A visit to What’s My IP will help you out. For an even more extensive solution visit Blog Security.
Disabling Directory Browsing
Some server setups will allow directory browsing, which means that you can see the contents of, say, your plugins folder at http://yoursite.com/wp-plugins/. This can be quickly disabled by adding the following line to your .htaccess file:
Options All -Indexes
Secure .htaccess
It should be obvious by now how important a secure .htaccess file is. Firstly, you should restrict the file permissions to CHMOD 644.
Log onto your server with your favorite FTP browser and navigate to the root of your domain (usually this is the public_html folder, unless you have set up your blog installation in its own folder). Find the .htaccess file, right-click it and set its permissions to 644.
The second method – and I would do both – is to add the following code at the very bottom of your .htaccess file:
<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>
This blocks direct requests from the web to your wp-config.php file.
For more specific and advanced Apache hardening techniques check out Ask Apache on WordPress and Perishable Press 3G Blacklist.
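As an added check that is not part of the original article, this Python script audits a WordPress root against the rules of this section and the file-permission rule repeated later under General Precautionary Measures: it lists every file or folder that is not 644/755, reports which of the .htaccess hardening lines are missing, and flags an allow-from value that is not a real IP address (the 123.456.789.012 placeholder is a common leftover). The regexes and the demo_tree sample tree are my assumptions; the modes and directives match the article.

```python
import ipaddress, os, re, stat, tempfile

# Modes from the article's rule: files 644, folders 755.
FILE_MODE, DIR_MODE = 0o644, 0o755
# The .htaccess rules the article adds, matched case-insensitively.
INDEXES_RE = re.compile(r"^\s*Options\b.*-Indexes", re.I | re.M)
WPCONFIG_RE = re.compile(r"<Files\s+wp-config\.php>.*?\bDeny\s+from\s+All\b.*?</Files>", re.I | re.S)
ALLOW_RE = re.compile(r"^\s*allow\s+from\s+(\S+)", re.I | re.M)

def bad_permissions(root):
    """(relative path, mode) for every entry below root that is off the 644/755 rule."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
        for name, want in entries:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode != want:
                findings.append((os.path.relpath(path, root), mode))
    return sorted(findings)

def htaccess_gaps(text):
    """Article rules missing from an .htaccess text, plus 'allow from' values
    that are not valid IP addresses (hostnames are reported too)."""
    gaps = []
    if not INDEXES_RE.search(text):
        gaps.append("Options -Indexes")
    if not WPCONFIG_RE.search(text):
        gaps.append("<Files wp-config.php> deny block")
    for value in ALLOW_RE.findall(text):
        if value.lower() == "all":
            continue
        try:
            ipaddress.ip_network(value, strict=False)  # single address or CIDR range
        except ValueError:  # e.g. the 123.456.789.012 placeholder left in place
            gaps.append(f"allow from {value} is not a valid address")
    return gaps

def demo_tree():
    """Constructed sample: a 777 wp-content folder and a 666 wp-config.php
    beside correctly set files; returns the temporary root."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    for rel, mode in [("wp-content/index.php", 0o644), ("wp-config.php", 0o666), (".htaccess", 0o644)]:
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root
```

The audit deliberately reports hostnames and partial addresses in allow lines as invalid, so review those by hand if you rely on them.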
Optimizing your wp-config file
Optimizing your .htaccess file is a good start, but next your wp-config.php should get some love.
Moving your wp-config file
Starting from WordPress 2.6, you can move your wp-config.php file one directory above its current location. If WordPress does not find wp-config.php in its own directory, it automatically checks the directory one level above.
Change the WordPress table prefix
When installing WordPress the table prefix is wp_ by default. Upon installation it’s easy to change this to something custom, e.g. blpro_, but it’s a bit harder to do when you already have your site up and running. This is where the plugin WP Security Scan comes to the rescue. This plugin will allow you to change the prefix to a custom one. This way you have given hackers trying to break into your installation one extra hurdle.
Define Your Secret Keys
When you look in your wp-config file you will find a section that says this:
/**#@+
* Authentication Unique Keys.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
/**#@-*/
The link mentioned here provides you with a new set of defines which you can use to replace the bottom four define lines, like this:
define('AUTH_KEY','lj+_ .[6c1=13n rhZBhjXd0o|miL<baCpYhqZrl}o2a|irZy-]Wy8PYW+a]zE]5');
define('SECURE_AUTH_KEY','s8p1+WgH0{Ph/)Vr;pFggsp{xoh8Cy>>#/+]EJ|P|yQfS* /SJO7XuK#G3&f1rnZ');
define('LOGGED_IN_KEY','h$eIl%#nZ|.}z-U)Z:O$u,y c[N;7^j-x,)Zs*wUHheGO-(KKpONVC664X$uO$Mt');
define('NONCE_KEY','d=>/Uh@%RnZ|*<bGq[2<_R@spP*oE[7oE?<#%xyoowmU0XzxK DjhyLXLcifX32k');
With this step you have made your logins a lot more secure than before. Don’t copy the lines above, but simply visit https://api.wordpress.org/secret-key/1.1/ for your personal Secret Keys.
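Added example, not from the article: a Python helper that finds wp-config.php keys still set to the placeholder and generates replacements locally from the operating system's CSPRNG, for installs where you would rather not fetch secrets over the network. The character set, regex and SAMPLE_CONFIG are my assumptions; the four key names and the 64-character length come from the section above.

```python
import re, secrets, string

# Key names from the wp-config.php section above; newer WordPress releases also
# define matching *_SALT constants, which can be passed in the same way.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
# Assumed character set: printable ASCII plus space, minus the single quote and
# backslash, so a key drops into a PHP single-quoted string unchanged.
KEY_CHARS = "".join(c for c in string.ascii_letters + string.digits + string.punctuation + " " if c not in "'\\")
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);")

def generate_key(length=64):
    """One random key, 64 characters like the sample keys in the article."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))

def weak_keys(wp_config_text, names=KEY_NAMES, min_len=32):
    """Names that are missing, still on the placeholder, or shorter than min_len."""
    found = dict(DEFINE_RE.findall(wp_config_text))
    return [n for n in names if found.get(n) in (None, PLACEHOLDER) or len(found[n]) < min_len]

def replace_keys(wp_config_text, names=KEY_NAMES):
    """Return the config text with a fresh key substituted into each named define.
    As the wp-config.php comment says, changing the keys logs every user out."""
    fresh = {n: generate_key() for n in names}
    def swap(m):
        n = m.group(1)
        return f"define('{n}', '{fresh[n]}');" if n in fresh else m.group(0)
    return DEFINE_RE.sub(swap, wp_config_text)

# Constructed sample: the untouched block as shipped in wp-config-sample.php.
SAMPLE_CONFIG = "\n".join(f"define('{n}', '{PLACEHOLDER}');" for n in KEY_NAMES) + "\n"
```

weak_keys(open('wp-config.php').read()) reports what needs replacing; write the result of replace_keys back only after accepting that every user will be logged out.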
WordPress Security plugins
There are many WordPress Security plugins out there, thankfully. I will list the most important ones here, plugins I use on a day-to-day basis.
WP Security Scan
WP Security Scan scans your WordPress installation for security vulnerabilities and suggests corrective actions. This is what the plugin will do and look at:
- passwords
- file permissions
- database security
- version hiding
- WordPress admin protection/security
- removes WP Generator META tag from core code
Login LockDown WordPress Security
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
Download Login LockDown WordPress Security
Stealth Login
This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that is easier to remember than wp-login.php; for example you could set your login URL to http://yoursite.com/login for an easy way to log in to your website.
Download Stealth Login
AntiVirus for WordPress
AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. Its features include monitoring for possible platform vulnerabilities, virus injections and malicious links, email notifications, and whitelisting.
Download AntiVirus for WordPress
General Precautionary Measures
This is just a short list of general precautionary measures:
- Always have your WordPress software and WordPress plugins updated to the latest version.
- Got any unused WordPress themes and WordPress plugins installed but not activated? Delete them!
- Always use a strong password. Check out this guide on choosing a strong password at the Blog Herald.
- Ditch that admin account and make it a lot harder for hackers to guess your login.
- Use correct file permissions on your WordPress files. The general rule is that files should have a CHMOD value of 644 and folders 755.
- Back up your WordPress database on a regular basis. Any of these plugins will do the job for you in an automated fashion.
Sources & Extra Resources
- 10 Ways to Stop Spam in WordPress
- WordPress Security Tips and Hacks
- Hardening WordPress with .htaccess
- How to Secure Your WordPress site
- Top 5 WordPress Security Tips
- Advanced WordPress wp-config Tweaks
- 20+ Powerful WordPress security Plugins
- 12 Essential Security Tips and Hacks for WordPress
- A to Z of WordPress .htaccess Hacks
5 Minutes and Counting
WordPress’ claim of a quick and easy 5-minute installation still stands. But you can easily see how adding a few extra layers of security adds a bit of extra time after the installation. Time very well spent though. So what are your thoughts? Have I forgotten your favorite WordPress Security tip?
It’s so easy for us non-techies to just assume that WP is strong enough straight out the box. Probably because few of us want the extra learning curve.
Very nice post with some great info. I had never even heard of anti-virus for WP before.
Thanks
Ash
Agreed, there is a bit of a learning curve on some of these solutions, but you come out so much stronger when you do decide to implement as many as possible. Glad you liked it!
Thanks for this, it’s very timely! I seem to be part of the odd QQ829.com attack from China and hope it’s not too late to lock down my site’s security.
It’s never too late to lock down. Just make sure you use the WordPress plugins I mention to check whether your security wall has been breached already!
Another great blogpost! Thanks.
Thanks Rutger
Thanks for this post – I am doing everything on it! McAfee Site Advisor marks my site as dangerous – any ideas why? I have contacted them, but until they get back to me I want to do anything and everything to fix this.
I’m not familiar with McAfee Site Advisor, but if you get warnings when visiting your site in Chrome and Firefox as well, then most likely your site has been compromised. Be sure to use the WordPress Security Plugins I mention to scan through your installation.
I was told this by other people who use McAfee. I am running all the scans etc. now
thanks for all, nice object
Well written article! I hope more WordPress users will be vigilant and care enough to implement these security measures on their blogs.
Btw, another security plugin that you can install along with the ones you already listed is the WordPress Firewall plugin. It detects remote arbitrary code injection, directory traversal attacks and SQL injection attacks and more. Really effective plugin.
Thanks for the compliment Jaypee and a nice plugin you mention there as well. Thanks!
That is a very good post. I have several blogs powered by wordpress. I used all steps mentioned in wordpress community to secure my blogs. After reading your blog I am more knowledgeable to secure my blogs. Thanks
Thanks for the tips, they are especially useful after being hacked over the weekend. heck I’ve written plugins, and designed themes, and thought it couldn’t happen to me – even us more experienced wordpress geeks are prone to attacks..
I had a base64 encoded msg injected into the top of EVERY freaking php file on my server – which included 4 blogs… luckily godaddy has a good mechanism for restoring files to previous dates.. though their tech support sucks.
Remkus,
Most people simply implement WordPress without giving concern to security. They feel that WordPress is secure right out of the box. This is a great article to remind us of the extra steps for WordPress Security.
Thanks,
Richard
Thanks Richard. That is exactly why I wrote this guide.
I’m confused with .htaccess. What happens if I enter a wrong IP address or if my address is a dynamic IP?
Nothing really. You just won’t be able to visit the wp-admin area, which is easily fixed by removing the wrong IP address from your .htaccess file.
Check out my step-by-step guide for hardening WordPress 2.9.2
http://eyalestrin.blogspot.com/2010/05/hardening-guide-for-wordpress-292.html
More Tips:
http://www.eukhost.com/forums/f38/wordpress-blog-11966/
Fantastic article Remkus. Written for those who are not well versed in CSS. Easy to understand. Carefully chosen words. Fantastic. Thank you.
Are there any suggestions for hardening wp 3.1? or even 3.11? I’m hesitant to upgrade to 3.11 until I know all my plug-ins will work, but would be curious to know if the tips on security and links to the hardening info would also apply to 3.1 and/or 3.11 – thanks!
Pretty good list of security tips. For those who don’t think such tips are necessary to implement, check out this article about WordPress Security Statistics – that might give you some pause for thought.
Here’s another one for folks who think that there’s no such thing as security through obscurity: WordPress Security Through Obscurity? .
Thanks for the tips!
Some of these issues are tested with this free security scan http://hackertarget.com/wordpress-security-scan/
I ran it against my hosted blog and found some serious issues. Its making me consider changing to a virtual server that I can manage.
One of my sites got flagged for someone sneaking in a phishing page… can’t find it with the File Manager tool in Cpanel (it’s the site’s main URL/~novoor1/index19.htm) – any ideas? Is this something that would have been caught by one of these scans? The web hosting company support person is aware of the issue and can’t find it either to delete, but the URL ‘works’ and brings up a phishing page…
This is one of the best answers so far that I have read online. No crap, just useful information. Very well presented. Thanks for sharing with us. I have found another nice post over the internet which also explained very well, check this link…
http://mindstick.com/Articles/7c9b0acf-68a7-49b3-ad54-5c984a37d09c/?How%20to%20Implement%20Security%20in%20WordPress