
10 Steps to Securing Your WordPress Installation


WordPress is open source, which means that everyone, including hackers with malicious intent, can scour the source code looking for holes in its security. That is why I'm going to show you some good precautionary steps to take to protect you, your WordPress installation and, most importantly, your users.


#1 Remove the Admin Superuser

Probably the easiest thing you can do to protect yourself is to start by changing or removing the admin superuser. Anyone who uses WordPress, and hackers especially, knows that there is a user called admin with top-level privileges. If the username is already known to be admin, an attacker only has to guess the password. Create a new administrative account with a different name, and then delete the admin account.

In fact, what I would personally recommend is to create an administrative account with a very complex username and password (something like x7duEls91*), store it somewhere safe, and make a second account under your own name for publishing content, one that does not have administrative powers. The admin account is essentially only needed to manage themes, plugins and other aspects of the site that do not need to change on a daily basis; for everyday work, an editor account is sufficient.

“Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.”
~Clifford Stoll


#2 Choose a Strong Password

Regardless of the type of site you are running, you may be at risk of a brute-force attack. Deleting the admin username in the first step probably deterred most hackers, but there are always those who are very persistent or who already know your username. The next step is to choose a very long and diverse password. A good way to judge whether a password is strong is to enter a candidate into an online password checker like passwordmeter.com (test a candidate, not the password you actually end up using), or simply to generate a random password.


#3 Secure Your Password

I also prefer to take extra precautions when protecting my blog, and installing plugins can add an extra layer of security. There are numerous plugins that handle the password and login aspects of WordPress. One plugin that I find very useful is Login LockDown; it records the IP address and timestamp of every failed login, and blocks an IP address after a certain number of failed attempts. This plugin is especially helpful when it comes to defending yourself against a brute-force attack: most attackers give up on a site if they are IP-banned every 5 minutes while running their brute-force program.


#4 Always Update WordPress

As I said earlier, WordPress is open source, making it an easier target for hackers. Nearly 60 million sites use WordPress, so when Automattic pushes out an update, the sooner you apply it the better, because each release also publishes the vulnerabilities that it fixed. Updating your WordPress installation doesn't take long either; according to WordPress it takes 5 minutes to complete.


#5 Hide WordPress Version

Let's say that you forget to update your WordPress installation, or just don't have 5 minutes to spare. Your WordPress version gives hackers a good idea of how they can attack your site, especially if it's outdated.

By default, WordPress displays the version because the project uses it for metrics on how many people are running which version. However, this is like putting up a bright red sign on your site telling hackers exactly which known weaknesses to try.

If you're using a premium theme, odds are that the developer has already disabled this for you, but it's always better to be sure. Open your theme's functions.php file and drop in this line of code (if the file already has an open <?php block, add only the remove_action() call inside it rather than repeating the tags):

<?php remove_action('wp_head', 'wp_generator'); ?>

#6 Change File Permissions

It is very important to have the proper file permissions in place to ensure your site's security. I recommend that you restrict your file permissions down to the bare minimum, a CHMOD value of 744, which essentially makes a file read-only to everyone except you.

Just open your FTP program and right click the folder or file and click on "File Permissions". If it is 777, you are very lucky that you haven't already been hacked. You should change the CHMOD value to 744, only giving the "owner" full access.
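An added check for this step (written for this article, not taken from it) that normalizes permissions under a WordPress root from the shell instead of one file at a time in an FTP client, then reports anything left world-writable. It assumes the web server runs as a different user than the file owner, so directories get 755 (the execute bit is what lets the server traverse them) and files 644, with wp-config.php tightened to 640 because it holds the database credentials; the function names are this example's own.

```shell
#!/bin/sh
# Normalize permissions under a WordPress document root.
# Assumption (not from the article): the web server is a different user than the
# file owner, so directories need 755 to be traversable and files 644 to be readable.
fix_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials; keep it out of reach of "other".
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

# Print every file or directory that is still writable by "other" (mode bit 002).
# Returns 1 when anything is found, so it can run from cron as a recurring check.
audit_world_writable() {
    root="$1"
    found=$(find "$root" -perm -002 \( -type f -o -type d \))
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}
```

Run `audit_world_writable /path/to/wordpress` first to see what is exposed, then `fix_wp_perms` on the same path.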


#7 Whitelist

Whitelists allow you to manage who is able to access certain parts of your website. It's like building the Great Wall of China around your admin folder, so that no one, except for you, can access the folder. We do this using the .htaccess file.

Navigate to your /wp-admin/ folder and check whether there is already a .htaccess file there; if there isn't one, just create one. If there is already one, I suggest making a backup of it before doing any edits. Please make sure you are in the wp-admin folder, not the root folder.

Paste the following code into the .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# These directives apply to every request method. Wrapping them in <Limit GET>
# would leave POST requests, which is what the login and admin forms send, unprotected.
order deny,allow
deny from all
# Whitelist your IP address
allow from xx.xx.xx.xxx
# Whitelist your office's IP address
allow from xx.xx.xx.xxx
# Whitelist your IP address while you're traveling (delete it when you come back home)
allow from xx.xx.xx.xxx
# On Apache 2.4 without mod_access_compat, replace the order/deny/allow lines above
# with one "Require ip xx.xx.xx.xxx" line per address.

Replace the xx's with your IP address, which you can find out at WhatsMyIP.org. From now on, every time you log in from somewhere other than the places you added to your .htaccess file, you have to add the new IP address before you can get in. Keep in mind that anything on the public site that calls /wp-admin/admin-ajax.php will be blocked for visitors as well.


#8 Backup

Regardless of the level of security of your WordPress site, it is a good habit to always back up your site. There are many ways to do this. You can take advantage of cron jobs, if your hosting company provides them, by scheduling a script like this one:

#!/bin/sh
# Dump the WordPress database, compress it, mail it to yourself, then remove the local copy.
# Fill in the four values below, and keep this file readable only by its owner (chmod 700)
# because it contains the database password.
DBNAME=DB_NAME
DBPASS=DB_PASSWORD
DBUSER=DB_USER
EMAIL="you@your_email.com"

set -e
DATE=$(date +%Y%m%d)
DUMP="$DBNAME-backup-$DATE.sql"

# The password goes through the environment rather than -p on the command line,
# where any user on the host could read it from the process list.
MYSQL_PWD="$DBPASS" mysqldump --opt -u "$DBUSER" "$DBNAME" > "$DUMP"
gzip "$DUMP"   # produces $DUMP.gz; set -e stops the script if the dump itself failed

echo 'BLOG BACKUP: Your backup is attached' | mutt -s "MySQL Backup" -a "$DUMP.gz" -- "$EMAIL"
rm "$DUMP.gz"

Alternatively, you can use VaultPress, a service from Automattic. If you're interested in learning more about VaultPress, then I recommend checking out this tutorial.

The easiest way to go is to just log into the admin panel, navigate to Tools and then click on Export. This makes your life easier, especially when you need to set up your WordPress installation again.


#9 Hide Your Plugins

Putting a blank index file into your /wp-content/plugins/ folder will hide all of your plugins from directory listings. Some of you are probably thinking, "Who cares if someone can see my plugins?" Well, the list of plugins tells hackers how they might attack your site, or at least whether it is attackable.

Without that file, the plugins are clearly visible to anyone who navigates to the /wp-content/plugins folder. If a hacker sees no security plugins, they immediately know that this will be an easy job. Adding a blank index.html to the plugins folder is like putting a security sign on your lawn: it doesn't matter whether you actually have the security system, because as long as the hacker doesn't know, they will be less inclined to try anything.


#10 Analyze Server Logs

The best security tool, regardless of which plugin or software you install, is you. In order to be confident that you are completely protected, you have to take a proactive approach to your website's security. Three times a day I check my server logs and web analytics to see if there is any unusual behavior.
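As an added example, not part of the article, the kind of check the author describes, run over constructed sample log lines: count POSTs to the login endpoints per client IP from a combined-format access log and report the IPs above a threshold. It assumes a failed wp-login.php POST is answered with HTTP 200 (the form is shown again) while a successful one redirects with 302, and it also counts xmlrpc.php as a login endpoint; the function name and sample addresses are this example's own.

```shell
#!/bin/sh
# Report client IPs with repeated failed login POSTs in a combined-format access log.
# Usage: flag_login_bursts THRESHOLD < access.log   (prints "IP COUNT" per flagged IP)
flag_login_bursts() {
    limit="${1:-10}"
    awk -v limit="$limit" '
        # Combined log fields: $1 client IP, $6 "\"METHOD", $7 request path, $9 status.
        # Assumption: a failed wp-login.php POST returns 200 (form re-rendered),
        # a successful one returns 302; xmlrpc.php is the other login endpoint.
        $6 == "\"POST" && $9 == 200 && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            failed[$1]++
        }
        END {
            for (ip in failed)
                if (failed[ip] >= limit)
                    print ip, failed[ip]
        }' | sort
}

# Constructed sample lines (not real traffic) so the script runs stand-alone.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2013:13:55:36 -0700] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.0"
203.0.113.7 - - [10/Oct/2013:13:55:37 -0700] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.0"
203.0.113.7 - - [10/Oct/2013:13:55:38 -0700] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.0"
203.0.113.7 - - [10/Oct/2013:13:55:39 -0700] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.0"
203.0.113.7 - - [10/Oct/2013:13:55:40 -0700] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.0"
198.51.100.4 - - [10/Oct/2013:14:01:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2013:14:01:20 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:05:00 -0700] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2013:14:05:10 -0700] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"'

# Stand-alone run: report anything with three or more failed attempts.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bursts 3
```

The one mistyped password from 198.51.100.4 followed by a successful login stays below the threshold, while the scripted run from 203.0.113.7 is reported.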

You're Set!

Now, with a safe and secure WordPress installation, you are ready to post your content freely without having to worry about being hacked.

If you have any questions about this tutorial, WordPress security or security in general, just leave a comment and I will get back to you as soon as I can.
