The Definitive Guide to Securing WordPress
In this Nettuts+ PLUS tutorial, you'll learn how to protect your web site from hackers, spammers, automated software, and bots that run rampant online. Wordpress is by far the most popular self-hosted blogging solution, and for that very reason it's also one of the most heavily targeted for vulnerabilities.
Wordpress is so easy to set up and use from a shared hosting control panel that many non-technical people create web sites and blogs with no idea that they could be completely wiped out in a heartbeat, and all their hard work lost in an instant. Even if you are the most experienced Wordpress hacker out there, you are just as open to an attack if you haven't already locked down your site. You may be surprised how easy it is to take preventative measures to protect your Wordpress powered site and all the hard work you've put into it.
What are You Risking?
How Can This Happen?
The world is filled with skeptics who believe this can't happen to them. Let me explain why it's more important than ever to secure your Wordpress powered site: there are literally armies of online villains ready to attack you!
There are specific things you need to protect yourself against:
- Malware, Trojans, and Viruses - oh my! Believe it or not, your web site or blog can be hacked by a virus. Usually you think of a virus as something that attacks your personal computer, but there are viruses and trojans designed to steal your FTP or login info and use it to gain entry to web sites. Once inside they can chew through your PHP files like a mouse eating cheese. These types of attacks normally originate from a Windows-based computer.
- Hackers, Spam-bots, and automated software - While you're sleeping your web site is being bombarded night and day by online attackers. Some of these are real live people, but most of them are completely automated by hackers using bots and automated software. Software doesn't sleep, and it's designed to find web sites that have potential exploits. The most common targets are sites with older versions of Wordpress or plugins that have known security holes. These attacks hit your web site as often as real visitors do, and you don't even know they're happening because more than likely you have no way of tracking them.
- Bad Web Hosts - Would you purposely buy a home in a bad neighborhood you didn't feel safe in? Building a web site online is like building a real brick and mortar home: the safety of your new "web home" depends on your web neighborhood. What if the great $9.95 per month deal you got on web hosting means that your shiny new blog is now parked in an online ghetto? Your site is only as safe as the server you're hosted on. You might be more susceptible to attacks if their server security isn't very good, and depending on their setup you could even be at risk from the other customers' sites hosted next door to you! Maybe you never thought about your web site being attacked by neighboring accounts or lax web host security until now.
- Your own computer - Believe it or not, you are your own worst enemy. You are 80% more likely to infect your own web site or give your FTP login info away unwittingly through a trojan than you are to be attacked by other means. This is mainly because the majority of people have Windows-based computers, and a great percentage of them are infected with some type of malware, virus, or trojan. Even if you are the most careful person on earth, other people using your computer (or children) may not be. Your virus program could be out of date, or you could have an older version of Windows without current updates.
- Internet Security - Even if you've thought of everything to secure your own computer, what good does it do if you're still connecting to your web site over regular FTP? Are you using a wireless router at home that's not encrypted? Do you use public wifi connections to check your email and use the admin functions of your blog? Are you still logging into your Wordpress blog unsecured? Any or all of these could compromise your site.
Where Do You Begin?
If you want to secure and harden your Wordpress powered site, there are some very simple steps you can take to protect yourself:
- Upgrade Wordpress and all plugins to the latest versions available
- Examine your site for potential exploits and security holes
- Limit access to your site through permissions, robots.txt, and .htaccess file
- Examine the security of your web host
- Make all usernames, passwords, and logins more secure
- Don't encourage bad behaviour by allowing spammy accounts or comments
- Consider tracking attack attempts against your site to keep aware of potential problems
- Use secure connections at all times
- Secure your wp-config file
- Keep your personal computer up to date and protected
This guide will explain in easy to understand steps how to do all those things and more. By the end of this tutorial you will be able to educate other bloggers about Wordpress security and potential online attacks.
Before you make any changes at all, the first thing you need to do is back up your web site and database. If you're not doing that already, now is the time to start! There are all kinds of plugins that will do this for you, but to be honest I'm not a very big fan of that technique, mainly because at some point in time the database file will probably be too large to manipulate via a Wordpress plugin - especially if you have an active blog. The Wordpress Backup plugin can help you with that if that's the route you choose.
Manually downloading all your Wordpress files to a directory on your computer is as easy as it was to upload a theme or plugin. Download everything, so you have a current working copy of all Wordpress files, themes, and plugins. Nearly all web hosts provide you with a web control panel to manage your web site. Log in and find the section for managing your databases. You should have access to a web tool called "phpMyAdmin" which allows you to administer your database via a web page. Find this tool, select your database from the drop down menu, and then export!
1. Upgrade Wordpress and Plugins
Now that you have backups of everything in your current version of Wordpress, it's safe to upgrade everything! Since version 2.8 of Wordpress, it's been possible to upgrade your Wordpress installation from your admin dashboard, as well as to install updated versions of your plugins (as they become available). If you're not up to version 2.7 of Wordpress, you'll need to update by downloading the latest version from wordpress.org first, and then uploading the files via FTP. Then you'll be able to update your plugins via the admin dashboard plugin page. This may be the first step, but it's one of the most important, because exploits in outdated versions of Wordpress and plugins are exactly what hackers are looking for. Staying up to date is your best defense against issues like this.
The following images show how easy it is to update both Wordpress and plugins in version 2.7x and above by simply clicking a link to do it live in your Wordpress admin dashboard.
Releases of Wordpress are pretty solid, but when new versions become available sometimes themes and plugins get broken until they are updated. It always pays to view the latest plugin compatibility list BEFORE UPGRADING, in case something you rely on might be immediately broken. This doesn't mean you should never upgrade for fear of breaking things, but rather that you should be aware of conflicts that might need fixing once you do. Just google "wordpress x.x compatibility" for the latest official list (replace x.x with the version number you're searching for).
2. Examine Your Site for Exploits
There are some really good plugins that can help you to find existing problems and potential exploits with your Wordpress site. Here are some Wordpress security plugins that perform scanning and alerting functions:
WP Security Scan will check your blog for some essential items. Once you download and install the plugin you're presented with the initial results, which are conveniently displayed in either green or red depending on whether they need attention:
You can see in the image above there were only 2 things that needed attention in my test blog. Here's a list of the initial checks it performs:
1. That you have the latest version of Wordpress (as we said before, stay updated!)
2. The prefix of your wordpress tables, which by default is "wp_". You can set the default prefix of wordpress database tables to something different, and leaving it as the default leaves you open to SQL injection attacks. Learn how to change your default WP database prefix in 6 easy steps here.
3. Your Wordpress version is hidden
4. That Wordpress database errors are turned off. Most web hosts already have "MySQL errors" turned off, ask yours if this is red.
5. That the Wordpress ID metatag has been removed, learn how to remove it here.
6. The Admin user has been removed (Add your own user, grant it "admin" rights and delete the default admin account).
7. There's an .htaccess file protecting your /wp-admin directory (learn more about .htaccess files later in this article, or visit this .htaccess file generator).
It also has a scanner function which will check the permissions of key files and folders within your Wordpress installation, letting you know if you are open for attack. Green means the permissions are good, red behind any listing means they should be changed ASAP.
This plugin is a good way to automatically check some of the major items on our checklist, but while it reports the issues, it doesn't give you the ability to make the necessary changes from your Wordpress admin. It does have a section for attempting to change the prefix of your wordpress tables, but even though my test site had the proper database ALTER permissions, it still wouldn't allow the plugin to make the changes for me. Just know that your mileage may vary on that part of the plugin. All the other items you'll need to change on your own manually.
Another way to check your blog for potential exploits is to install the Wordpress plugin Exploit Scanner. The plugin author is Donncha O Caoimh, author of WP Super Cache. It has but one function, which is to search your wordpress files and database to see if you have wordpress plugins with known issues, or to see if you have suspicious posts or comments. This is very important because your plugins are checked against a database list of known "suspicious plugins", and if you already have spam posts or comments your Wordpress installation might be compromised already. I ran the scan on my test blog:
As you see in the image, I didn't have any suspicious plugins installed, and I had only one post listed to check out (which turned out to be fine). This plugin is more for making sure you haven't already somehow been hacked. If the results indicated your Wordpress blog was compromised - you need to take action (which will also be covered shortly).
After that last plugin, you're probably wondering if there is a plugin out there that could monitor your site and alert you if it was compromised. Another Wordpress security scan plugin to consider is WP Antivirus. Once installed it will automatically scan your Wordpress theme files to make sure they haven't been hacked or compromised by a virus. It doesn't do anything else, but it DOES send the admin an email if a "virus" is found in your theme files. You can also run a manual check of your theme files if you don't want to enable email notification:
All my files were fine in my test blog theme except for one, and there was no virus - but there was a potential problem with one section of my functions file. As you can see safe files are in green, potential problems are red. It would be nice if this plugin did the same type of database scan as Wordpress Exploit Scanner as well, maybe it will in a future version.
Unlike some of the previous plugins that look for problems, Secure Wordpress actually takes care of some of them by setting options in plugin admin in your dashboard.
As you can see in the images above, it's as easy as clicking a checkbox to remove the version of Wordpress in all areas, remove update links for non-admins, and it can even create an index file in your plugins directory to keep people from "directory browsing". The last thing it can do is add a comment to your HTML code, which enables you to use the next tool we'll talk about, "WP Scanner".
WP Scanner checks your blog via the web. Before they do that, they want to ensure that you're actually the owner (and not scanning someone else's blog!), so a simple comment has to be added to your HTML code. They offer a free plugin that adds it automatically if you don't want to edit your theme files, or you can add the code by checking an option in the previously mentioned plugin "Secure Wordpress".
Once you enable the plugin, you visit the WP Scanner web site to start a scan. The image above shows what the results look like from the WP Scanner web report. It assigns a risk factor to items it finds, but does not give much additional information. It did come up with results for me that the other plugins did not, like some readme files that could clue a hacker in to what version of Wordpress or plugins I'm using.
3. Limit Access to Your Site
Limit Access Using .htaccess
Probably 95% of the web sites running Wordpress run on a "Linux" server that uses the "Apache" web server. By using ".htaccess" files you can control many things within a directory, and there are plugins out there that help automate this process. Unfortunately, the two most popular ones aren't updated to work beyond Wordpress 2.6x, and there were many reports of problems with each (people locking themselves out of their own blogs).
For posterity (and in case they're updated in the future), here are the links to those plugins:
As I said - those links were provided just in case you ran across them one day and thought "wow - I should try one of those". Make sure they've been updated if you do, and know that your mileage may vary. Lots of comments and support posts indicated some people experienced major problems once they were installed (on the right wordpress versions) including being locked out of their own blogs.
.htaccess files are a very tricky thing, since there are all kinds of things they can do - and some web hosts have different configurations and setups than others. The most common things an .htaccess file is used for are:
- Rewriting URLs: you know that little thing in Wordpress called "permalinks"? An .htaccess file rewrites pages from URLs like "/?p=106" to "/this-is-the-title-of-my-post"
- 301 Redirects: You can set up permanent 301 redirects to send incoming requests to a new page if the URL has changed. This is handy if you change your permalink structure
- Limit access by IP Address: You can limit access by the IP address of your computer (or a 'range' of IP addresses)
- Limit access by Password: You can limit access by a password you set
- Stop Directory Indexing: You can stop people from traversing directories without an index file
- Show a Different index file: Although not pertinent to Wordpress, you can use an .htaccess file to show a different index file than your web site default. In other words, you could use index.htm, index.html, index.php, etc.
Because of the different configurations of Apache and setups of web hosts, I can't give you definitive instructions that will absolutely work in every situation for everyone. Even though you can add password protection to an .htaccess file, you still have to add users and passwords to an ".htpasswd" file. Users are easy to add, but passwords have to be stored in hashed (not plain text) form in that file. This .htaccess password tutorial can help you with that, but my recommendation is to use your "web control panel" if you have one, and add your password protection there (because it's automatic). You could also use the previously mentioned .htaccess file generator and upload the files manually. Here is the official cPanel documentation for password protecting directories. If you're unsure, submit a ticket to your web host for help password protecting your /wp-admin directory.
Another thing you could consider is limiting access to your /wp-admin directory by allowing access to specific (or a range of) IP addresses. This way you don't have to remember a password, and you could limit access to multiple groups of people easily. Once again, if you have problems doing this, submit a support ticket to your web host for assistance.
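A script that writes such a wp-admin .htaccess, combining the IP allow-list described above with optional password protection, as an added example that is not from the original article. It assumes Apache 2.4 (mod_authz_core) or 2.2 (mod_authz_host) and takes the .htpasswd path as a placeholder argument; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original article): generate an .htaccess that
# limits /wp-admin to an allow-list of IPv4 addresses or CIDR ranges, with
# optional HTTP Basic authentication on top. Both the Apache 2.4 and the 2.2
# directive styles are emitted, so it works on either server version.

# valid_ipv4_or_cidr <addr>: accept 203.0.113.7 or 203.0.113.0/24, reject
# anything else (including octets above 255 and prefixes above 32).
valid_ipv4_or_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  for octet in $(printf '%s' "${1%%/*}" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
  case $1 in
    */*) [ "${1#*/}" -le 32 ] || return 1 ;;
  esac
}

# write_wpadmin_htaccess <wp-admin dir> <.htpasswd path or ""> <addr>...
# Writes <dir>/.htaccess. Returns 1 and writes nothing if an address is bad.
# Create the password file (outside the web root) with:  htpasswd -c <path> <user>
write_wpadmin_htaccess() {
  [ $# -ge 3 ] || return 1
  dir=$1; htpasswd=$2; shift 2
  for addr in "$@"; do valid_ipv4_or_cidr "$addr" || return 1; done
  allow=$*                       # space-separated list, as Apache expects
  mkdir -p "$dir"
  {
    printf '# Access to wp-admin is limited to: %s\n' "$allow"
    if [ -n "$htpasswd" ]; then
      printf 'AuthType Basic\nAuthName "WordPress administration"\n'
      printf 'AuthUserFile %s\n' "$htpasswd"
    fi
    # Apache 2.4: both conditions (if a password file is used) must hold.
    printf '<IfModule mod_authz_core.c>\n  <RequireAll>\n'
    printf '    Require ip %s\n' "$allow"
    [ -n "$htpasswd" ] && printf '    Require valid-user\n'
    printf '  </RequireAll>\n</IfModule>\n'
    # Apache 2.2: deny everyone, then allow the list; Satisfy All means the
    # password is also required when one is configured.
    printf '<IfModule !mod_authz_core.c>\n  Order Deny,Allow\n  Deny from all\n'
    printf '  Allow from %s\n' "$allow"
    [ -n "$htpasswd" ] && printf '  Require valid-user\n  Satisfy All\n'
    printf '</IfModule>\n'
  } > "$dir/.htaccess"
}
```

Keep in mind that if your own IP address changes (most home connections do), you lock yourself out, so include a range or keep the password option as a fallback.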
Limit access through permissions
The vast majority of web hosts for Wordpress blog owners run Linux, and access to files within your site is controlled by UNIX-based file permissions. Basic permissions come in three kinds: "read, write, and execute". Permissions can be assigned to three groups: "owner, group, and world". The Wordpress Codex has an entire page dedicated to Changing File Permissions. Essentially, it's dangerous to give the "world" write permission when it's not necessary, because the web server (and anything that compromises it) runs as a user other than you. It's a loophole hackers can potentially use to write files and gain access to your site. 755 (and below) file permissions are best whenever possible, because this removes "write" access from the group and the world.
Often you can change file permissions in your FTP program, such as by right clicking a file in "Filezilla" as in this image:
You can also do it from a "telnet" (or SSH) shell if you have that kind of access, and on some web hosts you can change file permissions from your web based control panel using a web based file editor or FTP program.
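If you do have shell access, the check and the fix can be scripted. The following is an added example (not from the article or the Wordpress Codex): it lists every file or directory under the install that is writable by group or world, and resets the tree to 755 for directories and 644 for files. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: audit a Wordpress tree for
# files and directories writable by group or world, and reset them to the
# 755 (directories) / 644 (files) scheme recommended above. Assumes a POSIX
# shell with find, chmod and either GNU or BSD stat.

# find_loose_perms <wordpress root>: print every directory or regular file
# whose mode grants write access to group or others (looser than 755/644).
find_loose_perms() {
  find "$1" \( -type d -o -type f \) \( -perm -g=w -o -perm -o=w \) -print
}

# count_loose_perms <root>: number of such paths. A hardened install should
# return 0; wp-content/uploads is the usual exception when the web server
# runs as a different user and needs to write there.
count_loose_perms() {
  find_loose_perms "$1" | wc -l | tr -d ' '
}

# fix_wp_perms <root>: apply the recommended scheme to the whole tree.
# wp-config.php is left at 644 here; it can only be tightened further (to
# 600 or 640) when PHP runs as the file owner or shares its group.
fix_wp_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# wp_mode <path>: print the octal mode, portable across GNU and BSD stat.
wp_mode() {
  if stat -c '%a' "$1" >/dev/null 2>&1; then
    stat -c '%a' "$1"
  else
    stat -f '%OLp' "$1"
  fi
}

# Usage: count_loose_perms /path/to/wordpress  (then fix_wp_perms if non-zero)
```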
Limit access through robots.txt
There's an old saying that "an ounce of prevention is worth a pound of cure", and there's a lot of truth to that. By limiting access to your site using a robots.txt file, you can prevent certain items from accidentally getting indexed in search engines - and the less attackers can find out about your site through a search engine, the lower your chances of getting hacked are. You should limit access to your three Wordpress install directories, and any additional directories you have (if you don't want them indexed).
For example, these lines could be in your /robots.txt file:
That example from the Wordpress Codex page on SEO limits access to your wp-admin, wp-includes, and wp-content directories, as well as your feed, trackbacks, comments, and category pages. Keep in mind that robots.txt is only a request honored by well-behaved crawlers; it hides nothing from an attacker who requests those paths directly. Visit the web robots pages to learn more about robots.txt files and web robots and crawlers.
4. Examine the Security of Your Web Host
The cost of a web host has nothing to do with the security or competence of their support department. If you have a web host, or are looking for a new one, just try two simple google searches for your host: "webhost sucks" and "webhost hacked". Replace 'webhost' with the name of the host you want information on. Then, read the blog and forum posts of people that had problems with that host. This takes only a few minutes and it's always good to get some "real world" opinions. It's also good to see if a host has just a few complaints, or hundreds.
Next, ask your current or potential host some very important questions.
- How often are backups performed? If you ever are hacked, you need to know you can get your data restored ASAP!
- How far back are backups kept for?
- At what time of day are they performed?
- Can I specify a specific date and time for a restore?
- Do they offer "SFTP" or "secure" FTP? If not, you don't want to host with them (explained later)
- What "account" does the Apache web server use to serve pages? It should use a "www-data" type user so your files in your hosting account run under your user, and other hosting accounts on the same (shared) server run under their own user - helping to prevent cross-account attacks.
- Does MySQL run on the same server as the web server? Better web hosts typically have MySQL databases running on separate servers.
- Does your web host allow "777" file permissions? Not only is this dangerous, it's not necessary. Normally "755" permissions are all that's necessary for any web site, and hosts that don't allow "777" permissions (writeable by all groups) are normally more security conscious than those that do.
- Could a virus from another user's web site infect mine? If not, why not? Have your current or potential web hosting company explain to you exactly what precautions they've taken to ensure that one infected account can't take down an entire server. Companies that can't answer this question with an intelligent answer aren't worth doing business with.
On top of all this, you want to make sure that if something bad happens you find out about it right away and there's someone to talk to at all times in support. Ask if your current or potential web hosting company has 24/7 monitoring, and if they have toll free support via phone 24/7 as well. In addition, it never hurts to call a company at midnight to see if a live person actually picks up - or it goes to an answering or "call-back" service.
5. Make Usernames and Passwords More Secure
Choose strong usernames and passwords:
By default every Wordpress powered site starts with an "admin account". Every hacker in the world knows that nearly all wordpress sites have this account. So the first thing you should do is create a new account, grant it "administrator" access, and delete the "admin" account.
Strong Usernames: Make your username unique by using both letters and numbers, and make it 8 characters or more. Don't make it the same as other online logins you have, the same as your email, or the same as your web control panel or MySQL database login.
Strong Passwords: Make your password unique by using letters, numbers, AND symbols - 8 characters or more. Don't use the same password/username combination as any other login, and definitely DO NOT make your passwords the same on your Wordpress login, MySQL database login, or hosting web control panel login. Visit Strong Password Generator for examples.
Choose unique usernames and passwords for different logins: This was already mentioned, but it's worth mentioning again. You want to use different username/password combination for your Wordpress login, MySQL Wordpress database login, and web hosting control panel login. If someone breaks into one account, at least they won't have access to every account you have.
Change password regularly: Wordpress and (most) web hosting providers don't require you to change your password on a regular basis, but most online banking does. Isn't the time you spend on your web site or blog like putting money in the bank? If you lost it all would you be losing money? Changing your password every 30, 60, or 90 days just like online banking is a good idea.
6. Don't Encourage Bad Behaviour
Do you get a lot of spammy comments on your web site? If you allow users to register on your blog, do you get some accounts that seem to be created by automated software or bots? If you're not protected against these kinds of things, you are encouraging "bad behaviour" on your blog. Wordpress comes with "Akismet" out of the box, a plugin that does a pretty decent job at cutting out spam comments - but some still manage to slip through, don't they?
Consider some additional protection such as WP Spamfree. I recommend Spamfree because it works silently, and unlike other plugins it requires no intervention from the user at all, such as challenge questions or CAPTCHAs. It gets rid of automated comments from bots, and trackback and pingback spam. In addition, it works with WP Cache and Super Cache, as well as Wordpress MU. Oh - did I mention it's updated (as of this writing) to work with even Wordpress 2.9 (which isn't even out yet)?
Once you install WP Spamfree "it just works". It says in the documentation that it will work just fine with Akismet activated, but that's not necessary (because this plugin is more effective).
If you allow users to register on your Wordpress site, you are a target. Installing a Wordpress plugin to Prevent Bot Registrations will save you a lot of headache. It will keep bots from registering on your site: it blocks any bot whose IP shows up more than twice, anyone listed in Spamhaus, or anyone you've blacklisted.
You've blocked the bots and the spam, but what if a live person gets through with the intent of crafting a comment designed to do your site harm? Some of the latest attacks infecting blogs use "XSS" or cross-site scripting. To guard against that you could install HTML Purified. It replaces the default Wordpress comment filter with a much stronger HTML filtering library. It produces XHTML compliant code for your comments, but more importantly it's "XSS safe". You have fine grained control over what tags are allowed, and whether or not to filter admin users as well.
7. Track Attack Attempts
Besides protecting yourself from potential attackers, you should be tracking attack attempts whenever possible. First of all this keeps you active and aware of the fact that attackers are out there and trying to break into your site constantly. It also lets you know that the security and protections you've put in place are actually working. Most importantly, if you see constant or repeated attacks from one location you can setup your own blacklist.
Tripwire is a plugin that scans for changed files within your wordpress site. Once installed all you have to do is tell it how many days back to check, and it will list all the files that have been changed in that period. In the case of my example image, I had upgraded Wordpress on June 11th, and all those files were listed. If you check your files for the last 30 days and lots of files have been changed (and you didn't upgrade everything) - you may have an issue. It's worth mentioning again that the WP Antivirus plugin will check your wordpress theme files and email you automatically if one of them has a suspected virus. Tripwire will check all the files in your Wordpress site, but has no automatic notification.
Login Lockdown is a plugin that monitors login attempts to your Wordpress site. It records the IP address and timestamp of every attempt. If there are a certain number of attempts within a period of time, logins are disabled for that IP range. The default is 3 failed login attempts within 5 minutes, and the lockout time is 1 hour. You can of course change these in the plugin options to any amount you want. Without this plugin installed, you would never know if you have failed login attempts at all.
Error Reporting is a Wordpress plugin that will save any errors your Wordpress site generates in a log file for you to view. In the configuration options you can choose what kinds of errors are saved, from what folders, and whether you want repeat errors to be saved more than once. You can even choose to have the errors sent to you in email. I like this plugin because it also detects failed ping attempts as well. Every Wordpress site has errors from time to time, and sometimes they only occur once or twice. It becomes problematic if you get constant errors from a theme, plugin, or Wordpress itself. A plugin like this is the only way to check for those errors. Even if you can't take care of the problem yourself, you will at least have an error message to ask about in Wordpress Support, or to give a Wordpress consultant.
Here's an image of the log file options for the "Error Reporting plugin":
Another handy plugin is "404 Notifier". Once installed, it will email you each time your site generates a "404 Not Found" error. This is helpful in two regards. First, if you get errors for the same page all the time, you can fix them by creating that page. More importantly (and most likely) the errors you get will be ones you won't expect, like missing CSS files or includes for plugins or themes - and you can fix those too. The second reason is probably one you don't know about: many attackers will send your site a garbage request such as "http://mysite.com/crap/garbargeurl?=3o2349-admeknow.js" or something like that. It's basically just a quick check to see what your server will do - generate a 404 error, or show a directory index - and also to check whether you're running Wordpress (or something else), and what version.
This, by itself, isn't enough information, but it's a good start. I once had a site that received hundreds of incoming garbage requests like this per day; I found them in the logs about a month later. A 404 Notification plugin like this would have clued me in right away. You can then block the IP address they are coming from, and you can always contact support at your web host for assistance with something like this (or follow the directions earlier to limit access to your site using your .htaccess file).
Here's an image of the 404 Notifier setup options. You'll see that not only can you get email notification, but the events are also saved via RSS feed as well.
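If you have access to your raw Apache access log, the same pattern (many 404s from a single client) can be picked out without a plugin. The script below is an added example, not part of the article or the 404 Notifier plugin; the log lines are constructed for the example (the addresses are documentation ranges), the threshold is an assumption, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original article: read an Apache access log in
# "combined" format, count 404 responses per client address, flag clients
# over a threshold, and turn them into "Deny from" lines for an .htaccess.

# Constructed sample log: one noisy scanner at 198.51.100.23 probing garbage
# and readme paths, and one ordinary visitor at 203.0.113.5 who hit a single
# broken stylesheet link from your own theme.
SAMPLE_LOG='198.51.100.23 - - [11/Jun/2009:02:14:01 +0000] "GET /crap/garbageurl?=3o2349-admeknow.js HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.23 - - [11/Jun/2009:02:14:02 +0000] "GET /readme.html HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.23 - - [11/Jun/2009:02:14:02 +0000] "GET /wp-content/plugins/some-plugin/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.23 - - [11/Jun/2009:02:14:03 +0000] "GET /old/backup.zip HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.5 - - [11/Jun/2009:02:20:40 +0000] "GET /2009/06/my-post/ HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Jun/2009:02:20:41 +0000] "GET /wp-content/themes/mytheme/old.css HTTP/1.1" 404 512 "http://example.com/" "Mozilla/5.0"'

# notfound_by_ip <threshold>: read a combined-format log on stdin and print
# "<count> <ip>" for every client with at least <threshold> 404 responses,
# busiest first. In combined format $1 is the client and $9 the status code.
notfound_by_ip() {
  awk -v min="$1" '$9 == 404 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# notfound_paths_for <ip>: the 404 paths one client requested, so you can
# tell a version/backup probe from a broken link in your own theme.
notfound_paths_for() {
  awk -v ip="$1" '$1 == ip && $9 == 404 { print $7 }'
}

# deny_lines <threshold>: Apache 2.2-style block list for the flagged clients.
deny_lines() {
  notfound_by_ip "$1" | awk '{ print "Deny from " $2 }'
}

# Example run against the constructed log (or: deny_lines 20 < access.log):
printf '%s\n' "$SAMPLE_LOG" | deny_lines 3
```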
With all of these tracking and notification plugins - your mileage may vary. I would recommend trying them all one by one, to see how they work for you. Also remember, you may not need to have them turned on all the time. You could run tripwire as needed, run login lockdown all the time, and turn on error reporting and 404 notifier as you feel necessary.
8. Use Secure Connections
Everything we've talked about so far has been very important, but I don't think anything is as important as a secure connection. Did you know that when you talk on a cell phone (or even a cordless phone) you're on an "unsecure" line? Someone with the right frequency scanner could listen in on your conversation. If you give your credit card number over an unsecured line, there is always the possibility that someone could "listen in" and get it. And yet, most of us have given our credit card numbers over the cell phone dozens (if not hundreds) of times.
When you use online banking, you use an "https" or "secure" connection that uses 128-bit encryption to ensure no one gets your login or banking information. When you use Wordpress, hopefully you are using strong usernames and passwords, but the connection is normal "http" or "unsecure". When you FTP files for themes and plugins to your Wordpress powered site you are also using an "unsecure" FTP connection. If you are using wireless Internet away from your home, it's probably "unsecured" (not encrypted), and the majority of home based wireless routers are set up to be unencrypted as well.
This means that anyone "sniffing" for login information could hijack your credentials when you're logging into your Wordpress admin dashboard or using FTP. It could be the guy sitting at the next table in Starbucks, your neighbor whose child is a teenage hacker, or robots or software online sniffing for login information at the same time you were logging in. The two most important things you can do are to secure your Wordpress login and secure your FTP connection. Then, even if you are using unencrypted wifi, your dashboard admin login and FTP connections will still be secure.
Add secure authentication to Wordpress login:
Now that I've told you all the reasons why you should be using secure authentication for Wordpress login, I have some disappointing news: it's not exactly easy to implement. First, you need web hosting that supports SSL, and second, you need access to a certificate. Purchasing your own Thawte SSL certificate, for example, costs a minimum of $249 per year. That's more than twice what many of us pay for shared web hosting itself. However, if you are willing to pay for your own secure certificate, you can add a single line to your 'wp-config.php' file to "force SSL login", as described in this Wordpress Codex page on Administration over SSL.
Many shared web hosts give you free access to a "shared" secure certificate, and the Admin SSL plugin does appear to support that. It's even mentioned on the Wordpress Codex page for SSL login, but the latest download is for versions of Wordpress up to 2.7x, and the 1.51-b1 version listed as Wordpress 2.8 compatible doesn't have a download link (yet). Once updated, this plugin will probably be the best bet for shared SSL certificate situations.
So, now what? You don't want to outlay the cash for a secure certificate of your own, but you want to be as secure as you can when logging in to Wordpress. There are still some solutions you can consider.
With Semisecure Login Reimagined you can increase your login security by using an RSA public key to encrypt the password. As stated on the plugin page, this is useful when SSL login isn't available but you want some additional security when logging into Wordpress. It is seamless once installed and works automatically on activation (Wordpress 2.8+ compatible). There are options for 512-bit, 1024-bit, 2048-bit, and 3072-bit keys; you can choose whichever you like, but the default is 1024.
Use Secure FTP (SFTP) at all times:
When connecting to your web host always use a secure connection: instead of FTP use "SFTP" (Secure FTP). Nearly all web hosts offer it for free as part of your hosting package, and most people don't take advantage of it. If you use normal FTP, everything you transmit over the Internet is sent in "clear text" (readable by any hacker that intercepts it). If your host doesn't support Secure FTP, find one that does!
Believe it or not, all you have to do is switch the setting (in my FTP programs) to "SFTP" and then the port to "2222". Check your web host's documentation if this does not work, to see if they are using a different non-standard port for SFTP. Click connect and voilà, you are using Secure FTP!
9. Secure your "wp-config.php" file
You may not know this, but there are two ways to give extra security to your wp-config file. The first is to use the included "secret key" settings, which most people I've encountered aren't taking advantage of, even though they've been available since Wordpress 2.6.
All you have to do is open up your wp-config.php file in a text editor and edit the following lines:
Wordpress even has its own Secret Key Generator you can use to create strong and unique keys. Save the file and then upload it back to the root of your Wordpress site!
The other thing you can do is move your wp-config.php outside of your public Wordpress site into a more protected area of your web hosting account. This is called moving it "outside of the root", or out of the "public_html" or "www" portion of your site. It makes sense to do this since the file contains the most sensitive information (your database connection info), and it's very difficult for a potential hacker to reach the server directory structure outside of your web site. To do this, your web hosting account must have access to at least one level "above the root" of your web site (public_html). All you have to do to take advantage of this added security is move wp-config.php to that level above; Wordpress will automatically look for it there and your web site will function normally, as it did before.
Wordpress has an official page in the Codex on editing your wp-config.php file, if you need more information.
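The following Python script is an added example, not code from the article or from WordPress, that audits a site for the two wp-config.php steps just described and for the "force SSL" setting from the SSL section. It locates wp-config.php the way WordPress does (the site root first, then one level above it, skipping a parent that is itself a WordPress install), flags secret keys that still carry the placeholder from wp-config-sample.php, are short, or are reused, and reports whether the dashboard is forced to SSL. FORCE_SSL_ADMIN is preferred over the older FORCE_SSL_LOGIN because only the former keeps the logged-in cookie off plain HTTP. The constant names AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY are the ones shipped in this era's sample config; the four *_SALT names come from later releases and are checked only when present. The 32-character minimum, the sample config text, the key alphabet and all helper names are my own assumptions.

```python
# Added example, not code from the article or WordPress; helper names are my own.
import os
import re
import secrets
import shutil
import string
import tempfile

# Constants in wp-config-sample.php of the 2.6-2.8 era; the *_SALT names are later.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
SALT_NAMES = ("AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value in the sample file
MIN_KEY_LENGTH = 32  # assumption: anything shorter is reported as weak

# define('NAME', 'string');  and  define('FORCE_SSL_ADMIN', true);
STRING_DEFINE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
BOOL_DEFINE = re.compile(r"""define\(\s*['"](FORCE_SSL_ADMIN|FORCE_SSL_LOGIN)['"]\s*,\s*(true|false)\s*\)\s*;""", re.IGNORECASE)

# Constructed sample: keys left at the placeholder, nothing forces SSL.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
"""

def find_wp_config(abspath):
    """Path WordPress would load for the install at `abspath`, or None: the
    site root first, then its parent unless the parent is itself an install."""
    in_root = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(in_root):
        return in_root
    parent = os.path.dirname(os.path.abspath(abspath))
    above = os.path.join(parent, "wp-config.php")
    if os.path.isfile(above) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return above
    return None

def parse_defines(source):
    # Map constant names to values for the defines this audit looks at.
    defines = {name: value for name, _q, value in STRING_DEFINE.findall(source)}
    for name, value in BOOL_DEFINE.findall(source):
        defines[name.upper()] = value.lower() == "true"
    return defines

def audit_secret_keys(defines):
    """Findings about the secret keys; an empty list means they look fine."""
    findings, seen = [], {}
    for name in KEY_NAMES + SALT_NAMES:
        value = defines.get(name)
        if value is None:
            if name in KEY_NAMES:
                findings.append(f"{name} is not defined")
        elif value in ("", PLACEHOLDER):
            findings.append(f"{name} still has the sample placeholder")
        else:
            if len(value) < MIN_KEY_LENGTH:
                findings.append(f"{name} is shorter than {MIN_KEY_LENGTH} characters")
            if value in seen:
                findings.append(f"{name} reuses the value of {seen[value]}")
            seen.setdefault(value, name)
    return findings

def audit_ssl(defines):
    # FORCE_SSL_ADMIN covers login and every dashboard request (so the session
    # cookie never travels in the clear); FORCE_SSL_LOGIN covers only the login form.
    if defines.get("FORCE_SSL_ADMIN") is True:
        return []
    if defines.get("FORCE_SSL_LOGIN") is True:
        return ["FORCE_SSL_LOGIN protects only the login form; set FORCE_SSL_ADMIN "
                "so the dashboard session is encrypted too"]
    return ["neither FORCE_SSL_ADMIN nor FORCE_SSL_LOGIN is enabled"]

def audit_source(source):
    # Run both audits over the text of a wp-config.php.
    defines = parse_defines(source)
    return audit_secret_keys(defines) + audit_ssl(defines)

def generate_key(length=64):
    # Characters that need no escaping inside PHP single quotes (no quotes, no backslash).
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~`+=,.;:/?|"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def hardened_config():
    # Constructed wp-config.php fragment that passes both audits.
    lines = [f"define('{name}', '{generate_key()}');" for name in KEY_NAMES + SALT_NAMES]
    return "<?php\n" + "\n".join(lines) + "\ndefine('FORCE_SSL_ADMIN', true);\n"

def demo():
    # Constructed layout: web root public_html with wp-config.php one level above it.
    parent = tempfile.mkdtemp()
    site = os.path.join(parent, "public_html")
    os.makedirs(site)
    open(os.path.join(site, "wp-settings.php"), "w").close()  # marks the install
    with open(os.path.join(parent, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write(WEAK_CONFIG)
    try:
        with open(find_wp_config(site), encoding="utf-8") as fh:
            return audit_source(fh.read())
    finally:
        shutil.rmtree(parent)
```

Running `demo()` reports the four placeholder keys and the missing SSL setting for the constructed sample, while `hardened_config()` produces a fragment with eight unique 64-character keys and `FORCE_SSL_ADMIN` that passes cleanly; paste its output over the matching lines of your own wp-config.php (or use the official generator the article links), then point `find_wp_config` at your real web root to confirm the file is picked up from one level above.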
10. Keep Your Computer Up to Date
This point was saved until last because your own personal computer can do more harm to your Wordpress powered site, more quickly, than anything else. The majority of people use Windows based personal computers, and as many as 1 in 16 personal computers (6%) are infected with a single worm (Downadup, aka Conficker). It's stunning to learn from the Computerworld Downadup FAQ that to get the worm you don't have to do anything at all! You just have to have Windows 2000, Windows XP, or Windows 2003 Server installed and not completely patched (past about Oct 2008). If you're not patched and you receive a single malformed packet over the Internet from a "bot", you're infected! You don't have to click on anything or install anything, and most "spyware" programs might not even do any good. Once you're infected, this worm auto-installs itself to any attached media you have, like SD cards, phones with memory cards, digital cameras, external hard drives, mp3 players with memory cards, etc. Before you know it you've infected every computer in your home and half the ones at work.
True Story: Last month I had a client that called me because his Wordpress blog was hacked. I asked him a lot of questions, and he had worked with his web host for 3 days before calling me. They had advised him to delete all his Wordpress blogs (6 web sites), and then reinstall and upgrade Wordpress. Once he did this, within one hour all his sites were hacked down again. Support at his web host was befuddled. He hired me to fix his problem, and I changed his web control panel and FTP passwords to strong ones right away. Then I created a separate user and new password for each of the MySQL databases for all 6 of his web sites. I deleted all files in all sites, reinstalled Wordpress, and enabled the default theme with no plugins activated. Everything worked fine. I waited 24 hours, everything was fine.
I called him the next day and asked, "Do you use Windows on your PC?" "Why, yes," he said. "When was the last time you updated your virus scanner?" I asked. "Actually, it expired some time ago," he said. I said, "Do me a favor. Go to housecall.trendmicro.com right now, and scan your computer, then call me back with the results." Two hours later he called back, and his Windows XP computer had been infected with a trojan virus, the kind that "logs keystrokes". It had stolen his FTP login information and completely trashed all his web sites in his shared hosting account (twice!).
You are your own worst enemy. Keep your computer up to date at all times!
Hopefully you've found this article before your Wordpress blog has been hacked, and everything you've just learned is preventative maintenance. If you implement just a few of these security tips you'll be more secure than a default Wordpress install. If you implement them all, you'll be 'uber-secure' compared to most Wordpress powered sites out there.
What to do if your Wordpress blog was hacked
If, on the other hand, you're reading this because your Wordpress web site has been hacked, my advice would be the following:
- Update all usernames and passwords to stronger versions (web control panel, FTP, and MySQL database)
- Update Wordpress and all plugins if possible
- Scan your Wordpress site with the plugins we mentioned to find the problem if you can
- Scan your personal computer to make sure it wasn't compromised
- Plug exploits and security holes using the tools you've just learned about
If you can't fix it on your own, you might have to hire a professional to put your blog back in working order for you.