WordPress is no doubt the most famous content management system in use around the Internet. Although WordPress did face criticism during its infant years yet Automattic (the reason behind WordPress) did well to come up clean every time it faced criticism. Soon, WordPress was adopted by plenty of brands that helped the famous content management system grow exponentially. Being open source makes WordPress vulnerable to hack attacks, henceforth making it very important for webmasters to consider WordPress security issues seriously.
Image credit: Secure WP
Having spent the last 5 year as a blogger, I understand the importance of a blog from the owner’s perspective. This article will be part of my upcoming series that will help the readers of this blog to understand WordPress security issues and how to overcome the same.
- Backup your WordPress blog (using WP Security Scan plugin mentioned later in this article) before you test any of the below tricks. We don’t want our babies to act weird, do we?
- I will mention the usage of plugins as well as manual ways to perform respective changes. But, readers must understand that using plugins for every task in WordPress is not what a seasoned webmaster does. Also, multiple plugins tend to hog free memory which in turn slows down the respective WordPress blog. Lastly, webmasters must try the manual methods so as to increase their knowledge domain.
How to Secure Your WordPress?
Getting Started (without auto-install)
With time hosting companies have made WordPress installations a cakewalk. You can get your blog up and running in no time even if you haven’t done any coding in your life. Hosting companies integrate tools like Fantastico with their cPanel to make installation of WordPress super easy. Although such tools are a boon for those short of time, they have yet to be proved to be a crutch for webmasters.
While installing WordPress manually you get the chance to create your own database with custom prefix for various tables. Please understand that by default WordPress adds
wp_ as the prefix to all WordPress tables. If you do not change this prefix then half the job for hackers is already done. Therefore, it is suggested you use a custom prefix for table names. This can be done by the use of plugins (which we will discuss later) or by editing
wp-config.php during the manual WordPress installation.
wp-config.php before you start with the WordPress installation and change the below code:
$table_prefix = 'wp_';
to something different:
$table_prefix = 'myprefix_';
In the case of a live blog you will have to follow two additional steps to change the
1. Login to your WordPress database (using phpMyAdmin) and edit all table names with your custom prefix.
2. Now, you have to edit inside “options table” and “usermeta table” as they might be using the
wp_ prefix for various fields. Just run the below query to complete this task:
SELECT * FROM `myprefix_options` WHERE `option_name` LIKE '%wp_%' SELECT * FROM `myprefix_usermeta` WHERE `meta_key` LIKE '%wp_%'
Plugin for the Task
WP Security Scan is one WordPress plugin that performs the task of changing the default
wp_ prefix to something different. After installation go to Security > Database and follow the instructions.
Akismet for Protection Against Spammers
Although most of you might be aware of our all-time-favourite anti-spam plugin, Akismet, I have to mention it due to its importance. Moving ahead without Akismet is like inviting spammers and opening your blog to endless spam comments. Never miss out on this!
Rather, SALT is the secret key authentication method of WordPress that enhances password security. Salting passwords protects WordPress installations against brute force attacks by appending complex hash strings that can be generated here (these will be random hash strings that will look different on every page refresh). Just copy the eight lines of code right below the database credentials into your
wp-config.php file and you are done.
Firstly, if you did a fresh installation of WordPress 2.5 or later then you will find that the secret keys are already present in your
wp-config.php. It is suggested that you change those to something different as the defaults are already known to hackers. Secondly, if your blog is old enough to have used a version below WordPress 2.5 but now runs on the upgraded version then you will have to add these manually to your
Plugin for this Task
Chap Secure Login plugin does a similar job of securing WordPress login but in a different fashion. After activating the plugin only string that is transferred unencrypted is the username to access WordPress dashboard. Your password will be hashed out with a complex MD5 algorithm. Also, you won’t have to perform any configuration changes as this is a zero configuration plugin.
After installation, the first login will fail but the second will be successful. So, don’t panic if your first login fails after successful plugin installation. Just re-enter your correct password!
Limit Failed Login Attempts to WordPress Dashboard
As we are discussing securing your WordPress login, wouldn’t it be a great idea to add another feature for enhanced security? Using Login LockDown WordPress plugin one can automatically block a certain range of IP addresses from where failed login attempts are made for a WordPress blog. The plugin locks an IP for an hour after 3 failed attempts. This can be changed in the Options panel. Also, admins have access to release the blocked IP addresses as and when required.
Checking Passwords for Secure Password Generation
WordPress Password Checker is a handy plugin for blogs with multiple authors. This plugin checks the password being created by a new user against a list of defined passwords and prohibits the user from using that password. This prevents the new user from using a password that is quite easy to guess.
One can add more passwords to the
dictionary.txt file present in the plugin directory but please understand that with the increase in size of the password database the response time will also increase.
Never Use the Default “admin” User
When I will try to hack into your WordPress installation then my first approach will be to utilize the defaults that WordPress uses during installation. If you use the default “admin” user for administration roles during WordPress installation then half of my job is already done. I know your username (because you never took the pains to change it); therefore all that I have to guess is your password.
To change your admin user follow the below steps:
- Create a new user that you plan to assign administrator privileges.
- Delete the “admin” user.
- Before deleting any user WordPress asks you what it should do with posts and links owned by the user that you are deleting. Select “Attribute all posts and links to “.
The next time you login to your WordPress Dashboard using “admin” – remember that you deleted it already!
Smartly Protect wp-config.php
Wp-config.php is one of the most important files in your WordPress installation. This file contains some of the very important administrator credentials that can help a hacker gain access to your WordPress database. Therefore, it is suggested that you add the piece of code below into your
# protect wp-config.php <files wp-config.php> order allow,deny deny from all </files>
.htaccess file will be available in your www root directory. If it is not there, then you can create the file and add the above code to it.
Hide Directories Inside WordPress Installation from Public Viewing
We secured our wp-config.php above but that isn’t all. A WordPress installation has plenty of directories (like wp-includes) inside itself and these can be accessed by a smart hacker. We need to add the line of code below into the
.htaccess file so that public browsing of these files isn’t possible:
This will effectively block access to every sub directory present inside the particular directory where you make this change.
Check the Strength of Your Password
At the above I talked about how you can use WordPress Password Checker plugin to restrict other users of your blog from using some of the very basic passwords. This part will help you take another step forward in order to secure your password. The basic idea is to avoid using your girlfriend’s name as your administrator password! Don’t take it badly, as we all do it.
Install the WP Security Scan WordPress plugin (it should be already installed) You will see a “Security” menu option in your dashboard under which you will see the “Password Tool” option. Click on it and you should be greeted with the WP – Password Tool:
Generate a strong password and save it somewhere so that you don’t end up forgetting that again and again. Also, the password shown in the above image (in red) is meaningless.
Remove the WordPress version from the WP_head section
If you have already installed WP Security Scan then you are good to go but you must be aware of what just happened after you installed this plugin. WordPress 2.6 and above automatically includes the version of WordPress in the
WP_head section of your WordPress installation. Although this won’t harm you but if a hacker knows the WordPress version that you are using then he will know exactly what vulnerability can be used to crack into your WordPress installation. The WP Security Scan plugin does well to automatically hide the WordPress version from the
WP_head section without you being made aware of any such changes.
This is how it will look once you installed the plugin.
If you are still one of the webmasters living under a rock and using an older version of WordPress (something below 2.6) then you will have to manually remove the WordPress version from the theme that you are using. In the
header.php file (found in Appearance >> Editor) you will have to look for the Meta tag below and delete it. If it does not exist then you are lucky already!
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Defining Roles for Various Users
This step is important for WordPress blogs with multiple users. Analysing the exposure that must be given to various users is important once your blog grows. This is when you can opt for the plugin below to smartly control the kind of access that various users must enjoy.
We come back to our good old plugin that we had discussed before while branding our WordPress dashboard. Adminimize does more than just editing the look and feel of your WordPress dashboard. The plugin is smart enough to activate/deactivate various options from the WordPress dashboard’s menu and sub-menu for various users. One can actually activate/deactivate almost every feature of WordPress using this plugin.
Plugins like Role Scoper and Capability Manager can prove to be better options when compared to Adminimize but they don’t seem to be updated for latest versions of WordPress so I cannot suggest you use them. If you have read about these and feel like using them then do so at your own risk.
Assigning optimum (and nothing extra) folder permissions to various folders of WordPress is very important to keep your blog secure. Instead of digging your head into what should be the folder permissions for every folder (as suggested by most of the WordPress critics), I will request you to install our favourite plugin – WP Security Scan! Once installed then go to Security >> Scanner from your WordPress dashboard and you should see something like the image below:
If it’s all green then you are good to go otherwise I suggest you to follow the guidelines of the plugin and change the folder permissions.
Some of the tips in this article and the ones already suggested in Part I can help you secure your
wp-admin folder for optimum security. To add that one extra layer of security to protect the
wp-admin folder one can use the AskApache Password Protect plugin. Along with its other features, this plugin password protects your wp-admin directory and the login page. Therefore, when someone tries to access your wp-admin directory then he will be prompted for credentials to access the same.
Regularly Backup WordPress
Backup Backup Backup! Haven’t you been warned over a zillion times already that you must backup your WordPress database regularly; otherwise you might feel the heat someday. Well it’s true and you’d better comply! You can use the already installed WP Security Scan plugin to backup your WordPress database and download the
.sql files. Also, you can use the WP-DB-Backup plugin which expands the backup options. WP-DB-Backup will let you:
- Include custom tables that are not included in the default backup.
- Download the backup to your computer, save it to your online server or email the same to your email address.
- Schedule backups as per requirements.
- Never save a WordPress backup in your dashboard itself. If I want to have fun with your blog (without causing serious damage) and somehow I get administrator access to your blog’s dashboard then all that I will do is restore an old backup. Weirdly funny, isn’t it?
- Regularly test your backups on dummy WordPress installations. Nothing can be more frustrating than having to restore your WordPress installation to an old backup which is corrupted. You will be stuck in the middle of the highway with traffic on both sides.
MySQL Permissions for WordPress
This will require your attention so read it with eyes wide open, otherwise skip to the next section. The famous 5 minute WordPress installation suggests webmasters GRANT ALL permissions to the user that will access the WordPress database. This means that the particular user will have literally all the permissions to your WordPress database which might (in very rare cases) pose as a security threat.
Suggested permissions for MySQL database:
- INDEX (used in rare cases)
Suggested permissions that can be avoided:
- CREATE ROUTINE
- ALTER ROUTINE
- CREATE VIEW
- SHOW VIEW
- CREATE TEMPORARY TABLES
- LOCK TABLES (one permission that can be used by a hacker to lock your table and leave you with no clues to what just happened?)
Although the permissions that I ask you to provide for your WordPress database will do most of your work, there might be a rare case where your WordPress blog starts to act weird. Try to increase the permissions and see if it helps. Although such a situation should not arise but if it does then you must know that I warned you!
Use HTTPS and opt for a Reliable Hosting Company
To use an HTTPS session you will have to make few changes to your
wp-config.php file. Please be aware that SSL must be configured in your domain with a virtual host in order to use the secure channel. Get in touch with your hosting company for more details.
Adding the below line of code in
wp-config.php will convert all admin sessions and logins to pass through secure channels:
define('FORCE_SSL_ADMIN', true); Please note that this line must be added above the code: /* That's all, stop editing! Happy blogging. */ ... require_once(ABSPATH . 'wp-settings.php');
so that it takes effect successfully.
Attaining an SSL certificate might prove to be a costly affair but if you are using one of the reliable hosts then they will surely smooth out the process for you (though you might not get any discounts.) Once the SSL certificate is installed then every session that your WordPress blog creates will be over a secured channel. It acts as another layer of security that might be hard for your hacking friends to crack through.
You can take reference from Administration over SSL codex from WordPress to understand the intricacies of SSL in WordPress. Lastly, do get in touch with your hosting company as they will be the best bet to help you get SSL security for your blog.
Remain Updated with Latest Versions
This is really very important. You must make sure that your blog is running on the latest version of WordPress so as to stay away from any known security vulnerabilities. WordPress is an open source content management system and this makes it an easy target for hackers. If you are using the latest version of code then you make the life of a hacker quiet complex.
Am I done? Actually, I am done for now! The tips given out to you for securing WordPress in this article should be more than enough for you to secure your WordPress installation. Are you using any other tricks that I did not include?