10 Steps to Securing WordPress
With WordPress being one of the most popular Content Management Systems (CMS) in use today, security should be at the forefront of every install you do. Most attackers target insecure WordPress installs that are still running with the default settings. The goal of this guide is to offer some simple steps you can take to reduce the chance of a breach by limiting access. Our goal in securing WordPress is also to contain the damage done if an attack on your blog does succeed. With the right knowledge, daily backups, and an understanding of the WordPress techniques below, you can protect yourself and limit the damage a malicious user can do.
1. The simplest security steps
The simplest of all steps is to ensure you use good WordPress security habits.
- Make a strong password
- Always upgrade to the latest WP version if possible.
- Use secured networks.
As for making a strong password:
- Never use your own name
- Do not use a dictionary word
- Do not use a 4 character numeric password
This is particularly important if you do not change your WordPress administrator account name from “Admin” on install. In that scenario, half of the puzzle is already solved for the attacker. A strong administrator password is necessary not just to protect your site/blog but also to protect against malicious scripts that could do other damage or compromise the entire WordPress installation. When connecting to your server you should also use encryption if your host allows it. FTPS is the same as traditional FTP except that your password and content are encrypted in transit, offering a higher level of security.
Use secure networks
Your local coffee shop offers free unencrypted Wi-Fi which is great, right? Do you know who else is connected to that network you are using to log in to your site? Using an unencrypted wireless connection and sending passwords in cleartext is not smart. Even if you set a secure password in step one above, that doesn’t mean a sniffer can’t steal that password easily. The same goes for your home connection: ensure you have some sort of password set up on your wireless connection so that only trusted users are on your network.
2. Use Cloudflare’s Accelerated Secure Network
*For users who aren’t familiar with DNS, I suggest you read up on it before trying this step!
This is my favorite, most effective step that I have begun to use for all future clients. CloudFlare protects and accelerates any website on the internet. You can signup to become part of the CloudFlare community and benefit from having your web traffic routed through their intelligent global network. Cloudflare will automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. They also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.
CloudFlare can be used by anyone with a website and their own domain, regardless of your choice of platform; there is also a WordPress plugin. From start to finish, setup takes most webmasters about 5 minutes. Adding your website requires only a simple change to your domain’s DNS settings. There is no hardware or software to install or maintain and you do not need to change any of your site’s existing code to benefit. Keep in mind that although CloudFlare does a great job reading your current DNS settings, if you don’t understand what it is doing, you can really mess up e-mail and other domain related services.
Once setup I suggest turning the following settings to ON:
- Outbound Links
- E-mail Address Obfuscation
- Server Side Exclude (SSE)
- Always Online
- IP Geolocation
- Browser Integrity Check
- Hotlink Protection
The other CloudFlare settings I use are:
- Basic Security Level: Low
- Caching Level: Aggressive
- Minimum Expire TTL: 8 Days
- Auto Minify: JS, CSS, HTML
- Rocket Loader: Automatic
I leave everything else as the default setting. I can say I have used the above settings on over 11 websites already without an issue, so give them a try as outlined above. If you have trouble with your site displaying correctly after enabling settings like Minify or Rocket Loader, go back and disable the settings one by one. CloudFlare has some great help and decent documentation so make sure to read up before beginning.
3. Secure wp-config.php
As you may know, the wp-config.php file is one of the most important files for your WordPress installation. It contains MySQL settings, your Table Prefix, Secret Keys, WordPress Language, and ABSPATH which would be catastrophic if accessed by the wrong person. Your wp-config.php file can be stored ONE directory level above the WordPress installation (where /wp-includes/ sits).
For example if the root of your domain and the WordPress installation is located at /username/public_html/, you can move wp-config.php up a level just in /username/. This takes an important file out of the public sphere for added security yet WordPress can still find the file and function as normal. No updating or other steps are necessary if you follow the rule of moving wp-config.php only ONE directory level above the default install location.
4. Secure wp-includes
To add a second layer of protection for scripts that are generally not intended to be requested directly by any user, add the following code to your .htaccess file to block them using mod_rewrite. The RewriteBase line assumes WordPress is installed at the root of your domain, as in the example in step 3.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Paste this block into your .htaccess above the “# BEGIN WordPress” line.
Don’t know what a .htaccess file is? Here is some reading from apache.org.
5. Backup your site
One mistake I have observed that many WordPress admins make is forgetting to take regular data backups including the MySQL database. Even after following all of the security practices, it is possible for your site to be completely wiped out and not necessarily by a hacker. Let’s say you are taking regular backups and leaving them on the same server your site is hosted on. What happens if your host’s web server crashes and they didn’t have sound backup practices in place? Bye bye WordPress installation and all of your data, unless you had offsite backups.
A sound backup strategy I like to use is taking a set of regularly-timed snapshots of my entire WordPress install and storing them on a separate network like Amazon’s S3, which can give you peace of mind for pennies per GB. There is a great plugin in the WordPress.org directory called Automatic WordPress Backup which helps do just that.
It gives you the option to backup:
- Config file and htaccess
- Database dump
- Themes folder
- Plugins folder
- Uploaded content
And also allows you to:
- Delete backups older than one month
- Keep a monthly backup for one year
- Keep manual backups forever
If you are unfamiliar with Amazon’s S3 service, check out this video:
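The snapshot-and-rotate routine described above, written as an added shell example rather than the plugin’s own code: it archives the items in the list (database dump first), then applies the retention rules, and assumes the dump command is supplied in $WP_DB_DUMP (defaulting to mysqldump of $WP_DB_NAME) and that the archive directory is copied to off-site storage such as S3 by a tool of your choice.

```shell
#!/bin/sh
# Snapshot the items the page lists (config file, .htaccess, database dump,
# themes, plugins, uploaded content) into one dated archive and apply the
# retention rules: automatic snapshots go after 30 days, the 1st-of-month
# snapshot is kept for a year, and archives named manual-* are never deleted.
# Assumptions: wp-config.php may sit one level above the install (step 3),
# and the dump command comes from $WP_DB_DUMP (default: mysqldump of $WP_DB_NAME).
wp_backup() {
    root=$1; dest=$2; stamp=${3:-$(date +%Y%m%d)}
    work=$(mktemp -d) || return 1
    snap=$work/snapshot; mkdir -p "$snap"
    # Database first: file copies alone are not a restorable backup.
    dump=${WP_DB_DUMP:-"mysqldump --single-transaction $WP_DB_NAME"}
    sh -c "$dump" > "$snap/database.sql" || { rm -rf "$work"; return 1; }
    for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -f "$cfg" ]; then cp "$cfg" "$snap/wp-config.php"; fi
    done
    for item in .htaccess wp-content/themes wp-content/plugins wp-content/uploads; do
        if [ -e "$root/$item" ]; then
            mkdir -p "$snap/$(dirname "$item")"
            cp -R "$root/$item" "$snap/$item"
        fi
    done
    mkdir -p "$dest"
    tar -czf "$dest/wp-$stamp.tar.gz" -C "$work" snapshot && rm -rf "$work"
}

# Retention driven by file age. Keep $dest off the web host (the page suggests
# S3) so that losing the server does not lose the backups with it.
wp_prune_backups() {
    dest=$1
    find "$dest" -name 'wp-*.tar.gz' ! -name 'wp-*01.tar.gz' -mtime +30 -exec rm -f {} +
    find "$dest" -name 'wp-*01.tar.gz' -mtime +365 -exec rm -f {} +
}

# List what an archive holds, so a backup can be verified before it is trusted.
wp_backup_contents() {
    tar -tzf "$1"
}
```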
6. Security steps to take during install
There are a few things you can do during the WordPress install to add some security through obscurity. Although this is typically thought to be an unsound primary strategy for security, there are some areas where obscuring your information may help a bit with security.
- Change the table_prefix: Many WordPress-specific SQL-injection attacks assume your table_prefix is set to the default “wp_”. I like to change this to something like “trfg_” or anything you want really. I like to stick with 2-4 letters, just don’t forget the underscore.
- Rename the Administrative Account: Never leave your administrative account name as “admin”. As mentioned earlier, leaving this as the default “admin” username gives malicious users half the answer to the puzzle of your WordPress account credentials. Always rename it during install. If you have already installed and are using the default “admin” account, you can create a new user with administrative privileges in your administrative area and then delete the default “Admin” account. Don’t worry, WordPress will ask you to assign the pages, posts, etc. when you click delete on the “admin” account. You can assign everything to the new username you just created.
7. Block unwanted IPs
If you are the only user of your WordPress install and you normally use the same internet connection when editing, there is no need to leave the administrator section open to the entire internet. This is a simple .htaccess tip that allows you to deny access to your /wp-admin/ folder from all IP addresses except your own. Using a text editor like Notepad++ with the NppFTP plugin, you can browse to the /wp-admin/ folder in your WordPress install and open the .htaccess file located within it. If there isn’t an .htaccess file there already, you can use a simple text editor like the one mentioned above to create the file. Just save the file as htaccess.txt and then, once it is on your server, rename it to .htaccess.
Inside the /wp-admin/.htaccess file add the following code, replacing 220.127.116.11 with your own IP address, to allow access to /wp-admin/ only from your IP:
order deny,allow
deny from all
allow from 220.127.116.11
Users from any other IP address will receive a 403 Forbidden error message when trying to access your administrator section. Please note that if you have an ISP that uses dynamic IP addresses, your address can change at any time and you would be denied access. For those who may not understand what is going on here, use this tip at your own risk. However, the worst that could happen is you get blocked and you would have to FTP into your server to find the /wp-admin/.htaccess file and change the IP address to your new IP. Note also that the allow/deny directives above are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat loaded, the equivalent is a single “Require ip 220.127.116.11” line.
You can also allow several IP addresses by simply adding another ‘allow from xxx.xxx.xx.xx’ line for each one.
order deny,allow
deny from all
allow from 22.214.171.124
allow from 126.96.36.199
allow from 188.8.131.52
For those of you that have a WordPress site with multiple users where this isn’t feasible you can use a plugin called Login Lockdown to block unwanted hacking. Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
Don’t know what a .htaccess file is? Here is some reading from apache.org.
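As an added example that is not the plugin’s code, here is the same rule (three failures within five minutes) applied with awk to a constructed list of failed wp-login.php attempts, one per line as epoch time and client IP, which you would first extract from your access log; it blocks single addresses rather than the plugin’s IP ranges and prints the deny lines for the .htaccess shown earlier.

```shell
#!/bin/sh
# Constructed sample of failed wp-login.php attempts as "<epoch> <client ip>".
# Assumption: your real input is parsed from the web server access log into
# this shape (e.g. POST /wp-login.php requests that were answered with a 200
# and a re-displayed login form, or the plugin's own failure records).
LOGIN_FAILS='1700000000 203.0.113.5
1700000060 203.0.113.5
1700000120 198.51.100.7
1700000200 203.0.113.5
1700000900 198.51.100.7
1700001500 198.51.100.7
1700003000 192.0.2.9'

# Print each IP that reached THRESHOLD failures inside a sliding WINDOW of
# seconds; defaults mirror the plugin's 3 failures in 5 minutes.
lockout_candidates() {
    threshold=${1:-3}; window=${2:-300}
    printf '%s\n' "$LOGIN_FAILS" | sort -n | awk -v t="$threshold" -v w="$window" '
    {
        ip = $2; n[ip]++; ts[ip, n[ip]] = $1
        # Drop the oldest failures until the window ends at this attempt.
        while (n[ip] - s[ip] > 0 && $1 - ts[ip, s[ip] + 1] > w) s[ip]++
        if (n[ip] - s[ip] >= t && !(ip in locked)) { locked[ip] = 1; print ip }
    }'
}

# Turn the candidates into the "deny from" lines used in step 7.
deny_rules() {
    lockout_candidates "$@" | sed 's/^/deny from /'
}
```

Only 203.0.113.5 trips the default rule here: 198.51.100.7 also fails three times, but its attempts are spread more than five minutes apart.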
8. Be wary of plugins
If you are a heavy plugin user, be wary of which plugins you add to a WordPress install. If a plugin wants write access to your files and directories, you had better check the code and confirm that it is legitimate. Two places you can check are the WordPress Support Forums and the IRC channel. Limiting the damage done by a successful attack is again one of the main goals of this article. Installing a plugin that allows arbitrary PHP or other code to execute from entries in your database only magnifies the damage an attack can cause.
For users who may not be able to read the code of their plugins to understand what is going on, check the plugin rating, comments, and of course the WordPress support forums. A heavily reviewed and widely downloaded plugin is less likely to contain insecure or malicious code.
9. File Permissions
Some of WordPress’s features depend on the web server being able to write to certain files. In a public environment, allowing an application write access can be a dangerous thing. As with most security, it makes sense to tighten permissions way down and loosen them only on the occasions where it is deemed necessary. All files should be owned by your user account and should also be writeable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server.
Here is one possible permissions scheme listed in the WP Codex:
- / — the root WordPress directory: all files should be writable only by your user account.
- EXCEPT .htaccess if you want WordPress to automatically generate rewrite rules for you
- /wp-admin/ — the WordPress administration area: all files should be writable only by your user account.
- /wp-includes/ — the bulk of WordPress application logic: all files should be writable only by your user account.
- /wp-content/ — variable user-supplied content: intended by Developers to be completely writable by all (owner/user, group, and public).
- /wp-content/themes/ — theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account
- /wp-content/plugins/ — plugin files: all files should be writable only by your user account.
- other directories under /wp-content/ should be documented by whatever plugin / theme requires them. Permissions may vary.
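As an added example (not from the Codex or any of the plugins named on this page), this shell script applies the scheme just listed to an install tree and then reports anything still world-writable; it assumes the web server runs as group www-data and, for wp-content, uses group-writable permissions for that group rather than writable-by-all.

```shell
#!/bin/sh
# Apply the step-9 scheme to a WordPress tree: directories 755 and files 644
# (writable only by your own account), with wp-content group-writable for the
# web server's group so uploads and the theme editor still work, while
# wp-content/plugins stays owner-only as the Codex scheme recommends.
# Assumption: the web server's group is named www-data; pass another name if not.
apply_wp_perms() {
    root=$1; webgroup=${2:-www-data}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -d "$root/wp-content" ]; then
        # chgrp needs ownership of the files; ignore failure when run as another user.
        chgrp -R "$webgroup" "$root/wp-content" 2>/dev/null || true
        find "$root/wp-content" -type d -exec chmod 775 {} +
        find "$root/wp-content" -type f -exec chmod 664 {} +
        if [ -d "$root/wp-content/plugins" ]; then
            find "$root/wp-content/plugins" -type d -exec chmod 755 {} +
            find "$root/wp-content/plugins" -type f -exec chmod 644 {} +
        fi
    fi
    # Only loosen .htaccess if you want WordPress to regenerate rewrite rules itself.
    if [ -f "$root/.htaccess" ] && [ "${WP_MANAGES_HTACCESS:-no}" = yes ]; then
        chmod 664 "$root/.htaccess"
    fi
}

# Anything still world-writable after apply_wp_perms deserves a second look.
world_writable() {
    find "$1" -perm -o=w -print
}
```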
10. Trusted Security Plugin
There are two plugins I would recommend for a user who may not understand all of the steps above: WP Security Scan and Secure WordPress by WebsiteDefender. WP Security Scan offers a scanning tool that checks common yet important WordPress file permissions to make sure you aren’t giving certain files too much permission.
You can also create an account on WebsiteDefender and once you get your site configured, they will monitor and send you e-mails based on security issues they find specific to WordPress. I would not recommend making this your first step in securing WordPress, however I think this is a good all-in-one tool for less experienced users.
Secure WordPress offers the following options:
- Removes error-information on login-page
- Adds index.php plugin-directory (virtual)
- Removes the wp-version, except in admin-area
- Removes Really Simple Discovery
- Removes Windows Live Writer
- Removes core update information for non-admins
- Removes plugin-update information for non-admins
- Removes theme-update information for non-admins (only WP 2.8 and higher)
- Hides wp-version in backend-dashboard for non-admins
- Removes version on URLs from scripts and stylesheets only on frontend
- Blocks any bad queries that could be harmful to your WordPress website
WordPress is a terrific Content Management System (CMS) offering a plethora of free themes, plugins, and tricks. However, since it is arguably the most popular CMS among users like you and me, it is most likely also the most popular target for hackers and malicious users. By following the 10 Steps to Securing WordPress above, I’m confident that your WordPress install is exponentially more secure than a default install out of the box.