
WordPress Security: How to Secure WordPress Thoroughly

WordPress is no doubt the most famous content management system in use around the Internet. Although WordPress faced criticism during its infant years, Automattic (the company behind WordPress) did well to come up clean every time. Soon, WordPress was adopted by plenty of brands, which helped the content management system grow exponentially. Being open source makes WordPress vulnerable to hack attacks, hence it is very important for webmasters to take WordPress security issues seriously.

Having spent the last 5 years as a blogger, I understand the importance of a blog from the owner's perspective. This article will be part of my upcoming series that will help the readers of this blog understand WordPress security issues and how to overcome them.

NOTE:

  1. Backup your WordPress blog (using WP Security Scan plugin mentioned later in this article) before you test any of the below tricks. We don't want our babies to act weird, do we?
  2. I will mention the usage of plugins as well as manual ways to perform the respective changes. But readers must understand that using plugins for every task in WordPress is not what a seasoned webmaster does. Also, multiple plugins tend to hog free memory, which in turn slows down the WordPress blog. Lastly, webmasters should try the manual methods so as to broaden their knowledge.

How to Secure Your WordPress?

Getting Started (without auto-install)

With time, hosting companies have made WordPress installations a cakewalk. You can get your blog up and running in no time even if you haven't done any coding in your life. Hosting companies integrate tools like Fantastico with their cPanel to make installation of WordPress super easy. Although such tools are a boon for those short of time, they can also become a crutch for webmasters.

While installing WordPress manually you get the chance to create your own database with custom prefix for various tables. Please understand that by default WordPress adds wp_ as the prefix to all WordPress tables. If you do not change this prefix then half the job for hackers is already done. Therefore, it is suggested you use a custom prefix for table names. This can be done by the use of plugins (which we will discuss later) or by editing wp-config.php during the manual WordPress installation.

Open your wp-config.php before you start with the WordPress installation and change the line below:

    $table_prefix = 'wp_';

to something different:

    $table_prefix = 'myprefix_';

In the case of a live blog you will have to follow two additional steps to change the wp_ prefix:

1. Log in to your WordPress database (using phpMyAdmin) and rename every table so that it uses your custom prefix.


2. Now, you have to edit the contents of the options and usermeta tables as well, because some option names and meta keys carry the wp_ prefix. The queries below list the rows that still use the old prefix (the underscore is escaped because `_` is a single-character wildcard in LIKE); rename each of those values to your custom prefix too:

    SELECT * FROM `myprefix_options` WHERE `option_name` LIKE 'wp\_%'
    SELECT * FROM `myprefix_usermeta` WHERE `meta_key` LIKE 'wp\_%'
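The live-blog prefix change written out as SQL to run from phpMyAdmin (an added example, not from the original article; it assumes the default table set of a single-site WordPress install and the myprefix_ prefix used above):

```sql
-- Added example (not from the article): move a live single-site
-- WordPress database from the default wp_ prefix to myprefix_.
-- Back up the database first. Run these in phpMyAdmin's SQL tab.

-- 1. Rename every core table in one statement (drop the commentmeta
--    line on WordPress older than 2.9, and add any plugin tables that
--    also start with wp_).
RENAME TABLE
  wp_commentmeta        TO myprefix_commentmeta,
  wp_comments           TO myprefix_comments,
  wp_links              TO myprefix_links,
  wp_options            TO myprefix_options,
  wp_postmeta           TO myprefix_postmeta,
  wp_posts              TO myprefix_posts,
  wp_term_relationships TO myprefix_term_relationships,
  wp_term_taxonomy      TO myprefix_term_taxonomy,
  wp_terms              TO myprefix_terms,
  wp_usermeta           TO myprefix_usermeta,
  wp_users              TO myprefix_users;

-- 2. Review what will be renamed. In LIKE, "_" matches any single
--    character, so it is escaped to match a literal underscore.
--    Expected on this era of WordPress: wp_user_roles in options and
--    wp_capabilities, wp_user_level, ... in usermeta. (Recent releases
--    also have options such as wp_page_for_privacy_policy that begin
--    with wp_ but are not prefix-based; exclude those by hand.)
SELECT option_name FROM myprefix_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM myprefix_usermeta WHERE meta_key    LIKE 'wp\_%';

-- 3. Rewrite the prefix. SUBSTRING(..., 4) drops the three characters
--    "wp_"; it is anchored at the start, unlike REPLACE(), which would
--    also touch a "wp_" appearing later in a name.
UPDATE myprefix_options
   SET option_name = CONCAT('myprefix_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

-- 4. Without this step every account, yours included, loses its role
--    and can no longer reach the dashboard as an administrator.
UPDATE myprefix_usermeta
   SET meta_key = CONCAT('myprefix_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 5. Re-run the two SELECTs from step 2: both must now return no rows.
--    Only then change $table_prefix in wp-config.php.
```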

Plugin for the Task
WP Security Scan is one WordPress plugin that performs the task of changing the default wp_ prefix to something different. After installation go to Security > Database and follow the instructions.


Akismet for Protection Against Spammers

Although most of you might be aware of our all-time-favourite anti-spam plugin, Akismet, I have to mention it due to its importance. Moving ahead without Akismet is like inviting spammers and opening your blog to endless spam comments. Never miss out on this!

SALT

SALT is the secret key authentication method of WordPress that enhances password security. Salting passwords protects WordPress installations against brute force attacks by appending complex hash strings, which can be generated with WordPress's own secret-key generator (the strings are random and look different on every page refresh). Just copy the eight lines of code and paste them right below the database credentials in your wp-config.php file, and you are done.


Firstly, if you did a fresh installation of WordPress 2.5 or later then you will find that the secret key lines are already present in your wp-config.php. It is suggested that you change them to something different, as the defaults are already known to hackers. Secondly, if your blog is old enough to have used a version below WordPress 2.5 but now runs on an upgraded version, then you will have to add these lines to your wp-config.php manually.

Plugin for this Task
The Chap Secure Login plugin does a similar job of securing the WordPress login but in a different fashion. After activating the plugin, the only string that is transferred unencrypted is the username used to access the WordPress dashboard; your password is hashed with the MD5 algorithm before it is sent. Also, you won't have to perform any configuration changes as this is a zero-configuration plugin.

Note:
After installation, the first login will fail but the second will be successful. So, don't panic if your first login fails after successful plugin installation. Just re-enter your correct password!

Limit Failed Login Attempts to WordPress Dashboard

As we are discussing securing your WordPress login, wouldn't it be a great idea to add another feature for enhanced security? Using the Login LockDown WordPress plugin one can automatically block the IP address ranges from which failed login attempts are made against a WordPress blog. The plugin locks an IP for an hour after 3 failed attempts; this can be changed in the Options panel. Also, admins can release blocked IP addresses as and when required.

Checking Passwords for Secure Password Generation

WordPress Password Checker is a handy plugin for blogs with multiple authors. It checks the password chosen by a new user against a list of disallowed passwords and prohibits the user from using it. This prevents the new user from picking a password that is quite easy to guess.


One can add more passwords to the dictionary.txt file present in the plugin directory, but please understand that as the password list grows, the response time will also increase.

Never Use the Default "admin" User

If I were to try to hack into your WordPress installation, my first approach would be to use the defaults that WordPress sets during installation. If you kept the default "admin" user for the administrator role during WordPress installation then half of my job is already done: I know your username (because you never took the pains to change it), so all that I have to guess is your password.

To change your admin user follow the below steps:

  • Create a new user and assign it the Administrator role.
  • Delete the "admin" user.
  • Before deleting any user, WordPress asks you what it should do with posts and links owned by the user that you are deleting. Select "Attribute all posts and links to".

The next time you login to your WordPress Dashboard using "admin" - remember that you deleted it already!

Smartly Protect wp-config.php

wp-config.php is one of the most important files in your WordPress installation. It contains your database credentials, which can help a hacker gain access to your WordPress database. Therefore, it is suggested that you add the piece of code below to your .htaccess file:

    # protect wp-config.php
    <files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the next two lines
    order allow,deny
    deny from all
    </files>

The .htaccess file will be in your web root (www) directory. If it is not there, then you can create the file and add the above code to it.

Hide Directories Inside WordPress Installation from Public Viewing

We secured our wp-config.php above but that isn't all. A WordPress installation has plenty of directories (like wp-includes) inside itself and, if directory indexing is enabled, a smart hacker can list their contents. We need to add the line below to the .htaccess file so that public browsing of these directory listings isn't possible:

    Options -Indexes

This disables directory listings for the directory in which you make this change and for every sub-directory inside it.

Check the Strength of Your Password

Above, I talked about how you can use the WordPress Password Checker plugin to restrict other users of your blog from using some of the very basic passwords. This part will help you take another step forward in order to secure your own password. The basic idea is to avoid using your girlfriend's name as your administrator password! Don't take it badly, as we all do it.

Install the WP Security Scan WordPress plugin (it should already be installed). You will see a "Security" menu option in your dashboard, under which you will find the "Password Tool" option. Click on it and you should be greeted with the WP - Password Tool:

[image: WP - Password Tool]

Generate a strong password and save it somewhere so that you don't end up forgetting that again and again. Also, the password shown in the above image (in red) is meaningless.

Remove the WordPress version from the wp_head section

If you have already installed WP Security Scan then you are good to go, but you must be aware of what just happened after you installed this plugin. WordPress 2.6 and above automatically includes the version of WordPress in the wp_head section of your pages. Although this won't harm you by itself, if a hacker knows the WordPress version that you are using then he will know exactly which vulnerabilities can be used to crack into your WordPress installation. The WP Security Scan plugin does well to automatically hide the WordPress version from the wp_head section without making you aware of the change.

This is how it will look once you installed the plugin.

[image: wp_head output after installing the plugin]

Note:
If you are still one of the webmasters living under a rock and using an older version of WordPress (something below 2.6) then you will have to manually remove the WordPress version from the theme that you are using. In the header.php file (found in Appearance >> Editor) look for the meta tag below and delete it. If it does not exist then you are lucky already!

    <meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Defining Roles for Various Users

This step is important for WordPress blogs with multiple users. Analysing the exposure that must be given to various users is important once your blog grows. This is when you can opt for the plugin below to smartly control the kind of access that various users must enjoy.

We come back to our good old plugin that we had discussed before while branding our WordPress dashboard. Adminimize does more than just editing the look and feel of your WordPress dashboard. The plugin is smart enough to activate/deactivate various options from the WordPress dashboard's menu and sub-menu for various users. One can actually activate/deactivate almost every feature of WordPress using this plugin.

Note:
Plugins like Role Scoper and Capability Manager can prove to be better options when compared to Adminimize but they don't seem to be updated for latest versions of WordPress so I cannot suggest you use them. If you have read about these and feel like using them then do so at your own risk.

Folder Permissions

Assigning optimum (and nothing extra) folder permissions to the various folders of WordPress is very important to keep your blog secure. Instead of digging into what the permissions for every folder should be (as suggested by most of the WordPress critics), I will request you to install our favourite plugin - WP Security Scan! Once installed, go to Security >> Scanner from your WordPress dashboard and you should see something like the image below:

[image: WP Security Scan scanner results]

If it's all green then you are good to go; otherwise I suggest you follow the guidelines of the plugin and change the folder permissions.

Protecting wp-admin

Some of the tips in this article and the ones already suggested in Part I can help you secure your wp-admin folder for optimum security. To add that one extra layer of security to protect the wp-admin folder one can use the AskApache Password Protect plugin. Along with its other features, this plugin password protects your wp-admin directory and the login page. Therefore, when someone tries to access your wp-admin directory then he will be prompted for credentials to access the same.

Regularly Backup WordPress

Backup Backup Backup! Haven't you been warned over a zillion times already that you must backup your WordPress database regularly; otherwise you might feel the heat someday. Well it's true and you'd better comply! You can use the already installed WP Security Scan plugin to backup your WordPress database and download the .sql files. Also, you can use the WP-DB-Backup plugin which expands the backup options. WP-DB-Backup will let you:

  • Include custom tables that are not included in the default backup.
  • Download the backup to your computer, save it to your online server or email the same to your email address.
  • Schedule backups as per requirements.

Note:

  • Never save a WordPress backup in your dashboard itself. If I want to have fun with your blog (without causing serious damage) and somehow I get administrator access to your blog's dashboard then all that I will do is restore an old backup. Weirdly funny, isn't it?
  • Regularly test your backups on dummy WordPress installations. Nothing can be more frustrating than having to restore your WordPress installation to an old backup which is corrupted. You will be stuck in the middle of the highway with traffic on both sides.

MySQL Permissions for WordPress

This will require your attention so read it with eyes wide open; otherwise skip to the next section. The famous 5 minute WordPress installation suggests webmasters GRANT ALL permissions to the user that will access the WordPress database. This means that the particular user will have literally every privilege on your WordPress database, which might (in very rare cases) pose a security threat.

Suggested privileges for the WordPress database user:

  • SELECT
  • INSERT
  • DELETE
  • UPDATE
  • CREATE
  • DROP
  • ALTER
  • INDEX (used in rare cases)

Privileges that can be left out:

  • EXECUTE
  • CREATE ROUTINE
  • ALTER ROUTINE
  • CREATE VIEW
  • SHOW VIEW
  • REFERENCES
  • CREATE TEMPORARY TABLES
  • LOCK TABLES (a privilege that a hacker could use to lock your tables and leave you with no clue as to what just happened)

NOTE:
Although the privileges I ask you to provide for your WordPress database will do most of your work, there might be a rare case where your WordPress blog starts to act weird. Try granting additional privileges and see if it helps. Such a situation should not arise, but if it does then you must know that I warned you!
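The least-privilege grant in SQL, shown beside the GRANT ALL that the 5-minute install suggests (an added example, not from the original article; the database name wordpress_db, the user wp_user, the host and the password are placeholders):

```sql
-- Added example (not from the article). Placeholders: wordpress_db,
-- wp_user, localhost and the password. Run as a MySQL administrator.

-- What the 5-minute install suggests: every privilege on the schema,
-- including the ones listed above as avoidable (EXECUTE, LOCK TABLES,
-- CREATE VIEW, ...).
-- GRANT ALL PRIVILEGES ON wordpress_db.* TO 'wp_user'@'localhost';

-- Least-privilege version: exactly the suggested privileges, limited to
-- the WordPress schema and to connections from the web server's host
-- (use that host here, never '%').
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'a-long-random-password';

GRANT SELECT, INSERT, UPDATE, DELETE,
      CREATE, DROP, ALTER, INDEX
   ON wordpress_db.*
   TO 'wp_user'@'localhost';

-- For an account that already has GRANT ALL, strip everything first
-- and then run the GRANT above.
-- REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'wp_user'@'localhost';

-- Verify the effective set before pointing DB_USER in wp-config.php
-- at this account. If the blog later "acts weird" (see the note
-- above), compare this output with the avoidable list and add back
-- one privilege at a time.
SHOW GRANTS FOR 'wp_user'@'localhost';
```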

Use HTTPS and opt for a Reliable Hosting Company

To use an HTTPS session you will have to make a few changes to your wp-config.php file. Please be aware that SSL must be configured for your domain with a virtual host in order to use the secure channel. Get in touch with your hosting company for more details.

Adding the below line of code in wp-config.php will convert all admin sessions and logins to pass through secure channels:

    define('FORCE_SSL_ADMIN', true);

Please note that this line must be added above the following lines:

    /* That's all, stop editing! Happy blogging. */
    ...
    require_once(ABSPATH . 'wp-settings.php');

so that it takes effect.

Obtaining an SSL certificate might prove to be a costly affair, but if you are using one of the reliable hosts then they will surely smooth out the process for you (though you might not get any discounts). Once the SSL certificate is installed, every session that your WordPress blog creates will be over a secured channel. It acts as another layer of security that might be hard for your hacking friends to crack through.

You can refer to the Administration over SSL page on the WordPress Codex to understand the intricacies of SSL in WordPress. Lastly, do get in touch with your hosting company as they will be your best bet to get SSL security for your blog.

Remain Updated with Latest Versions

This is really very important. You must make sure that your blog is running on the latest version of WordPress so as to stay away from any known security vulnerabilities. WordPress is an open source content management system and this makes it an easy target for hackers. If you are running the latest version of the code then you make the life of a hacker quite complex.

Conclusion

Am I done? Actually, I am done for now! The tips given out to you for securing WordPress in this article should be more than enough for you to secure your WordPress installation. Are you using any other tricks that I did not include?

ABOUT THE AUTHOR

Onextrapixel OXP

Onextrapixel is a leading online magazine and resource site for designers and web developers. The Singapore based portal aims to collect, explore, as well as share useful tips, news, tutorials, tools and resources; on design, development and other inspiration. We hope that everyone will find something here that is useful and interesting.
