Let’s begin by making an especially radical statement: 100% security is impossible to achieve with WordPress, or with any other web application. Why? Because a site you never update, never extend and never log into might be safe, but it would also be useless, and a site you actually use can always be misconfigured or hit by a vulnerability nobody has patched yet. Nevertheless, there are many steps you can take which will render your blog a great deal more secure than the vast majority of WordPress blogs currently online.
The first step is taken, appropriately enough, at install time: do NOT accept the default database table prefix, which is exactly what you get when you install WordPress using Fantastico. It’s unfortunate how, on forums etc., everyone posts saying use Fantastico, while I seldom read anyone explaining why this is such a weak foundation for a new WordPress blog.
Why? It’s simple: by default, a Fantastico installation sets “wp_” as the prefix for each WordPress table name, the same prefix a manual install uses if you leave the setting alone. Knowing this, an attacker who finds a SQL injection hole in any plugin can fire a canned payload that names wp_users and wp_options directly: reset your password hash, point the siteurl and home options at their own server so your URL redirects there, inject markup into your posts, plus a whole host of other nasty things. It’s as if you’ve put a ‘welcome’ mat at the door for them. Be clear about what a custom prefix buys you, though: it defeats the automated payloads that hardcode wp_, but a hands-on attacker with the same injection hole can read your real prefix out of information_schema.tables in a single query. Treat it as obscurity on top of the measures below, not as a substitute for them.
But, virtually everyone reading this already has WordPress installed and running on their servers, so let’s move forward with how you can not only remove that ‘welcome’ mat from the door, but also install a burglar alarm.
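Since most readers already have a running install with the default prefix, here is how the prefix change is actually carried out. This is an added example, not the post’s own instructions and not anything shipped by WordPress: a small shell function that generates the SQL for the rename. It assumes the old prefix is wp_, that k7x_ is the new prefix you chose, and that you feed it the table list from SHOW TABLES. The part people forget is that the prefix also lives inside the data (the wp_user_roles option and usermeta keys such as wp_capabilities); skip those two UPDATEs and every user loses their role, yourself included.

```shell
#!/bin/sh
# Added example (not from the original post): generate the SQL that moves an
# existing WordPress install from one table prefix to another.
# Assumptions: the table list on stdin comes from `SHOW TABLES LIKE 'wp\_%'`,
# the old prefix is 'wp_' and the new one is something like 'k7x_'.
# Renaming the tables alone is NOT enough: WordPress also stores the prefix
# inside data, in the 'wp_user_roles' option and in usermeta keys such as
# 'wp_capabilities' and 'wp_user_level'. Miss those and every user loses
# their role and you are locked out of your own dashboard.

wp_prefix_sql() {
    old=$1
    new=$2
    # SUBSTRING() is 1-based: strip exactly the old prefix from each meta_key.
    cut=$(( ${#old} + 1 ))
    # In a LIKE pattern '_' matches any single character, so escape it.
    old_like=$(printf '%s' "$old" | sed 's/_/\\_/g')

    while IFS= read -r table; do
        case $table in
            "$old"*) ;;          # only touch tables that carry the old prefix
            *) continue ;;
        esac
        printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}"
    done

    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$cut" "$old_like"
    printf '%s\n' "-- finally set \$table_prefix = '$new'; in wp-config.php"
}

# Typical use (take a database backup first):
#   mysql -N -u USER -p DBNAME -e "SHOW TABLES LIKE 'wp\_%'" | wp_prefix_sql wp_ k7x_ > rename.sql
#   mysql -u USER -p DBNAME < rename.sql
```

Run the generated file inside one session, then change $table_prefix in wp-config.php straight away; between the two steps the site is down, which is why this is done on a fresh backup, not on a live blog during the day.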
Here is a link to the actual WordPress instructions for what they call a “Five Minute Install”.
Your Own Computer
To begin, you need to take a realistic look at your computer. Is it free from spyware, malware, and virus infections? I promise you, you can implement the tightest security on your blog, but if you have a keylogger lurking somewhere on your computer, it won’t do you an iota of good. Keyloggers arrive the same way viruses and trojans do, and their job is to capture everything you type, your WordPress, FTP and hosting passwords included. They can take the form of software, or, on a wired keyboard, a small hardware device plugged in between the keyboard’s plug and the computer’s keyboard port. Spybot Search and Destroy will detect and remove most software keyloggers (a hardware one you can only find by looking). It is absolutely free to use, although users can make donations to its author, Patrick M. Kolla.
As with most software packages today, in order to address security issues, WordPress gets updated regularly, so let me begin by reminding you of the importance of always staying on the latest version. Since version 2.7, WordPress has offered one-click core updates which you install from your Dashboard, and although many purists will insist you do it manually, I disagree.
Provided you always make it a habit to perform a full backup first, there is nothing wrong with using the one-click update, especially if it’s the difference between updating “now” or leaving it “until you have some spare time”. But note my caveat: a full backup. Many backups do nothing more than dump the blog’s MySQL database; on its own that leaves out wp-content (your uploads, your theme and your plugins) and wp-config.php, so it is of little use to you in the event of a catastrophic loss. A full backup is the database dump plus the complete file tree, stored somewhere other than the server it came from, and it isn’t a backup until you have checked it can actually be restored. I use and highly recommend the WordPress Backup To Dropbox plugin.
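What a “full backup” means in practice, as an added example (a script of mine, not the plugin’s code and not anything from the post): dump the database with mysqldump, archive the whole file tree, then verify both before calling it done. It assumes a standard wp-config.php with define('DB_NAME', ...) style lines, mysqldump and tar on the host, and a backups directory outside the web root.

```shell
#!/bin/sh
# Added example (not the post's code): a full backup is the database dump PLUS
# the whole WordPress file tree, verified before you trust it. Assumptions:
# mysqldump and tar are installed, and wp-config.php uses the standard
# define('DB_NAME', '...') lines (a value containing a quote is not handled).

# Pull a single define() value out of wp-config.php.
wp_config_value() {
    sed -n "s/.*define( *'$2', *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# wp_backup /path/to/public_html /path/to/backups
wp_backup() {
    root=$1
    dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    sqlfile=$dest/db-$stamp.sql
    tarball=$dest/files-$stamp.tar.gz
    mkdir -p "$dest"

    db=$(wp_config_value "$root/wp-config.php" DB_NAME)
    user=$(wp_config_value "$root/wp-config.php" DB_USER)
    pass=$(wp_config_value "$root/wp-config.php" DB_PASSWORD)
    host=$(wp_config_value "$root/wp-config.php" DB_HOST)

    # Never put the password on the command line: every user on a shared host
    # can read it with `ps`. A short-lived, owner-only defaults file avoids that.
    cnf=$(mktemp) || return 1
    chmod 600 "$cnf"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$user" "$pass" "${host:-localhost}" > "$cnf"
    rc=0
    mysqldump --defaults-extra-file="$cnf" --single-transaction "$db" > "$sqlfile" || rc=$?
    rm -f "$cnf"
    [ "$rc" -eq 0 ] || { echo "mysqldump failed" >&2; return 1; }

    # The file tree: wp-config.php, wp-content (uploads, theme, plugins), core.
    tar -czf "$tarball" -C "$(dirname "$root")" "$(basename "$root")" || return 1

    wp_backup_verify "$sqlfile" "$tarball"
}

# A backup you have not checked is a hope, not a backup.
wp_backup_verify() {
    sqlfile=$1
    tarball=$2
    # mysqldump's last line is "-- Dump completed on ..."; anything else means
    # it was cut off (disk full, timeout, killed by the host).
    tail -n 1 "$sqlfile" | grep -q '^-- Dump completed' || { echo "incomplete dump: $sqlfile" >&2; return 1; }
    listing=$(tar -tzf "$tarball") || return 1
    printf '%s\n' "$listing" | grep -q 'wp-config\.php$'    || { echo "wp-config.php missing from $tarball" >&2; return 1; }
    printf '%s\n' "$listing" | grep -q 'wp-content/uploads' || { echo "uploads missing from $tarball" >&2; return 1; }
    echo "backup ok: $sqlfile $tarball"
}

# Typical use, from cron:  wp_backup /home/user/public_html /home/user/backups
```

The verify step only proves the archive is whole, not that you know how to put it back, so restore one of the archives into a throwaway install every so often.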
Plugins and Theme
Similarly, always keep your plugins and theme updated to the latest version and delete any you are no longer using. Deactivating is not enough: a deactivated plugin’s PHP files are still on disk and can still be requested directly by URL, so a vulnerability in it remains exploitable.
NOTE: I always keep the default theme which installed with WordPress, just as a fallback in the event of any issues suddenly cropping up with your chosen theme.
Change Your Theme File Permissions
This is one of the simplest moves you can implement. After your blog is set up, change your theme files to permission 444 (directories to 755). They can be read by the web server, but they cannot be changed, so an automated bot that gets a foothold through a vulnerable plugin cannot rewrite your templates. Two caveats. First, this only works when PHP runs as a different user from the one who owns the files; on hosts that run PHP as your own account (suPHP or FastCGI, the usual cPanel setup), any PHP the attacker manages to execute can simply chmod the files back, so the permission is a speed bump rather than a wall. Second, the theme editor under Appearance in your Admin needs write access to work, and disabling it is exactly the point.
The ONLY downside is that whenever, in the future, you need to modify your theme, you will first have to make the files writable again. Use 644 for that, not 666: 644 lets you, the owner, edit over FTP, while 666 lets every account on the server, the web server included, write to your theme, which is precisely what you were trying to prevent. Set them back to 444 when you’re done. This is a small price to pay when it helps keep your blog from being hacked.
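To put this into practice, here is an added example (shell of mine, not from the post) that applies the read-only theme permissions, keeps everything else at sensible defaults, and reports anything the web server could still write to. It assumes PHP runs as your own user, the usual cPanel configuration; the comment on wp-config.php says what to do if your host runs PHP as a separate user.

```shell
#!/bin/sh
# Added example (not the post's code): apply the read-only theme permissions
# described above, with sane defaults for everything else, and report what
# is still writable. Assumes PHP runs as your own account (suPHP/FastCGI,
# the usual cPanel setup) so wp-config.php can be owner-only; under mod_php
# running as 'nobody' you would need 640 with the web server's group instead.

# wp_harden_perms /path/to/public_html
wp_harden_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +                    # dirs: traversable, owner-writable
    find "$root" -type f -exec chmod 644 {} +                    # files: owner-writable only
    find "$root/wp-content/themes" -type f -exec chmod 444 {} +  # theme files: read-only for everyone
    chmod 600 "$root/wp-config.php"                              # database password: owner only
}

# Undo the theme lock for editing: 644, NOT 666 (666 lets the web server write).
wp_unlock_theme() {
    find "$1/wp-content/themes" -type f -exec chmod 644 {} +
}

# List anything the web server (group/other) could write to; empty output = good.
wp_writable_report() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Typical use:  wp_harden_perms /home/user/public_html && wp_writable_report /home/user/public_html
```

Run the report again after every plugin install; plenty of plugins chmod their own cache folders to 777 on activation and never mention it.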
Delete the ‘Admin’ User Account
Everyone who’s ever dealt with WordPress knows that ‘admin’ was the default user account for WordPress installations (every install before version 3.0 created it), and most people never delete the account. This makes brute force cracking far easier, since the attacker already has half of the credential and only needs to guess the password.
So create a new account with administrator privileges, log in as that account, and delete the admin account; you will be given the opportunity to attribute all of admin’s posts to your new administrator username. Give the new account a display name (Users > Your Profile) that differs from its login name, because the login name otherwise shows up in author archive URLs and in your page source, which hands it straight back to the attacker.
Getting into the habit of using strong passwords is critical to security. You need to make it difficult for anyone to guess your password and hard for ‘brute force’ attacks to succeed. WordPress also features a password strength meter which is shown when changing your password in your Admin. Use this when changing your password to be certain your choice is adequate. Remember, your password is your ‘key’ to your blog.
When choosing a password, mix upper and lower case letters, numbers and symbols, and above all make it long: a twelve-character random mix is out of reach of online brute force, while a dictionary word with a couple of substitutions is not. (i.e. instead of “password,” try “pAsS34%(6*2woRd,” etc.; a passphrase of four or five unrelated words is easier to remember and just as strong.) And never reuse your blog password for your FTP, e-mail or hosting account; an attacker who gets one then has them all.
Install Login Lockdown. This plugin records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel. Bear in mind what it can’t do: an attacker spreading attempts across a botnet never trips a per-IP counter, so the lockout buys time against the common single-source script, not against a distributed one; a strong password is still what actually stops the guessing.
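Login Lockdown counts from inside WordPress. The same sliding-window rule can be applied to the web server’s access log, which also shows you attempts made before the plugin was installed. The following is an added example of mine, not the plugin’s code: the log format is Apache’s combined format, the sample lines are constructed, and the rule that a 200 response to a POST on wp-login.php is a failed login (a success gets a 302 redirect) is a heuristic I am assuming, not something the post states.

```shell
#!/bin/sh
# Added example (not the post's code): spot the pattern Login Lockdown reacts
# to, but from the web server's access log. Heuristic assumed here: a POST to
# wp-login.php that gets HTTP 200 is a failed login (WordPress re-renders the
# form), while a successful one gets a 302 redirect to the dashboard.
# Limitations: one calendar day per run, and log lines must be in time order.

# wp_login_failures [threshold] [window_minutes] < access.log
# Prints "ip count" once for every IP that reaches `threshold` failed logins
# inside a sliding window of `window_minutes`.
wp_login_failures() {
    awk -v T="${1:-3}" -v W="${2:-5}" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 {
            ip = $1
            split($4, t, ":")              # [10/Oct/2012:13:55:36 -> t[2]=hour, t[3]=minute
            m = t[2] * 60 + t[3]           # minute of day
            n[ip]++
            ts[ip, n[ip]] = m
            # slide the window: forget attempts older than W minutes
            while (head[ip] < n[ip] && ts[ip, head[ip] + 1] < m - W)
                head[ip]++
            if (n[ip] - head[ip] >= T && !flagged[ip]) {
                flagged[ip] = 1
                print ip, n[ip] - head[ip]
            }
        }'
}

# Constructed sample log (not real traffic): 203.0.113.5 hammers the form,
# 198.51.100.7 fails three times across twenty minutes, 192.0.2.9 logs in.
sample_access_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Oct/2012:13:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3424 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:10:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3424 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:20:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3424 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3401 "-" "python-requests/2.0"
203.0.113.5 - - [10/Oct/2012:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3424 "-" "python-requests/2.0"
203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3424 "-" "python-requests/2.0"
192.0.2.9 - - [10/Oct/2012:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3424 "-" "python-requests/2.0"
203.0.113.5 - - [10/Oct/2012:13:58:00 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 3424 "-" "python-requests/2.0"
EOF
}

# Real use:  wp_login_failures 3 5 < /var/log/apache2/access.log
```

With the plugin’s defaults (3 attempts in 5 minutes) the sample flags only 203.0.113.5; widen the window to 30 minutes and the slow guesser at 198.51.100.7 shows up too, which is the trade-off you are making when you tune those two numbers.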
Use Secret Keys in your WP-Config File
The WordPress wp-config.php file is the file which stores the database information required by WordPress to make its connections. It contains the name, address, username and password of the MySQL database which stores all of your user info, blog posts and other important content.
It also holds the secret keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY) that WordPress mixes into the cookies which keep you logged in and into the nonces that protect admin actions. Left at the placeholder “put your unique phrase here”, they make it far easier for an evildoer who has learned anything from your users table to forge a valid login cookie for your account.
WordPress even provides you with an online generator. Go to https://api.wordpress.org/secret-key/1.1/ and paste the results over the placeholder defines in your wp-config.php file if you haven’t already set up the keys. Note that changing the keys on a live site logs every user out, which also makes it a quick way to evict an intruder who is riding a stolen cookie.
Move Your Config File
Move the wp-config.php file up one level, from /home/user/public_html/wp-config.php to /home/user/wp-config.php.
Keeping the config file in the expected ‘public’ place means that anything which serves PHP as plain text (a broken PHP handler after a server migration, an editor’s backup copy such as wp-config.php~ or wp-config.php.bak, a path disclosure bug in a plugin) hands a sufficiently skilled hacker your database credentials, and with those they can inject malware into your content or delete your site outright. Don’t worry, WordPress automatically looks for wp-config.php one level above its own directory when the file isn’t found in place.
NOTE: This trick only helps if the directory one level up is outside the web root. If your blog is located in a subdirectory (domain.com/blog) or is an add-on domain in cPanel, ‘one level up’ is still inside public_html, so the file stays web-accessible and you have gained nothing. So beware, you can only do this if your blog is the original URL in your hosting account; otherwise leave the file where it is, set its permissions as tightly as your host allows, and block direct requests to it in .htaccess.
Hide Your WordPress Admin Login
NOTE: This method is for people whose IP address doesn’t change (a fixed address from your ISP or office; most home connections get a new one periodically, and you will lock yourself out when it changes). When in place, should someone on a computer other than yours try to open your Admin, all they will see is a “403 Forbidden” error instead of the login screen.
To implement this:
- In a plain text editor, create a new, empty file (don’t copy your blog’s existing root .htaccess; its permalink rewrite rules belong in the root, not in wp-admin)
- Paste in:
deny from all
allow from xx.xx.xx.xx
- Replace xx.xx.xx.xx with your IP address
- If you don’t know what your ip address is, just go to http://www.whatismyip.com/
- Copy the IP address they provide (make sure you aren’t using any proxies at the time) and paste it over xx.xx.xx.xx
- Save the text file as .htaccess
- Upload it to your website’s wp-admin folder using FTP
- You may have to edit the name because sometimes, when uploaded, it changes to .htaccess.txt, so just edit the name and remove the .txt
- Go to yourdomain.com/wp-admin; if it loads fine then you are good to go
- If you get a “Forbidden” error instead, something went wrong. Don’t panic, just go back into your FTP program and double check you put the correct IP address in the .htaccess file
- If you still can’t figure out what’s wrong, just delete those lines of text from the file
This method blocks everyone trying to reach your Admin area, unless their IP address is allowed in the .htaccess file. If necessary, you can include more than one IP address in this file. Just add another ‘allow from xx.xx.xx.xx’ on another line. Two caveats: the login form itself is wp-login.php in the root of your blog, not inside wp-admin, so on its own this does nothing against password guessing at that URL (protect it with a <Files wp-login.php> block in the root .htaccess); and wp-admin/admin-ajax.php is called by some front-end features on behalf of ordinary visitors, so if comments or theme widgets stop working after this change, exempt that one file.
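Putting the pieces together, here are the two .htaccess files as an added example (mine, not the post’s): the wp-admin allowlist from the steps above, the wp-login.php form that the allowlist alone misses, the admin-ajax.php exemption, and the ‘deny in place’ alternative for a wp-config.php that cannot be moved out of the web root (the subdirectory and add-on domain case noted earlier). The addresses are documentation placeholders; the syntax is Apache 2.2, matching the post, with the 2.4 equivalents in comments because 2.4 without mod_access_compat rejects the old directives.

```apache
# Added example, not the post's own file. Apache 2.2 directives as in the
# steps above; Apache 2.4 equivalents are in comments. The IP addresses are
# placeholders (documentation ranges), substitute your own.

# --- /public_html/.htaccess (the blog's root, alongside wp-login.php) ---

# The login form lives here, not in wp-admin, so lock it to your address too.
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.5
    # Apache 2.4: Require ip 203.0.113.5
</Files>

# For a subdirectory install where wp-config.php cannot be moved out of the
# web root, refuse to serve it at all (PHP still reads it from disk).
<Files wp-config.php>
    Order allow,deny
    Deny from all
    # Apache 2.4: Require all denied
</Files>

# --- /public_html/wp-admin/.htaccess ---

Order deny,allow
Deny from all
Allow from 203.0.113.5
Allow from 198.51.100.0/24
# Apache 2.4: Require ip 203.0.113.5 198.51.100.0/24

# admin-ajax.php is requested by ordinary visitors for some front-end features,
# so it must stay open or those features break for everyone but you.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    # Apache 2.4: Require all granted
</Files>
```

Test the wp-login.php block from a connection outside your allowlist (a phone on mobile data will do): you should get a 403 at yourdomain.com/wp-login.php, while the public front page still loads.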
Turn Off Directory Browsing
One very common mistake many people make is failing to turn off directory browsing (indexing) from their cPanel. With it on, anyone who types a folder name into their browser gets a listing of everything in it. To give you an example, if you type in www.yoursite.com/wp-content/plugins and directory browsing is not turned off, you will see every plugin you have installed, which tells an attacker exactly which versions to look up exploits for. Turning it off does not stop anyone fetching a file whose name they already know; it removes the free inventory.
To turn off directory browsing, simply log into your cPanel account and look for the Index Manager icon.
Click on it. This will move you forward to another page where you can turn off directory browsing for individual folders, or for the entire site. To turn off indexing for the entire site you should click on the root folder, which is public_html.
Finally, change the setting from “Default System Setting” to “No Indexing”. Under the hood this writes the line Options -Indexes into that folder’s .htaccess, which is the single line to add yourself if your host has no cPanel. This will protect your folders from malicious peeping toms from then on.
Recommended WordPress Security Plugins
As you may already know, I’m definitely against installing random plugins just because you read about them. But, I will list below three security plugins, all of which I recommend and encourage you to install.
- Login Lockdown: I’ve already explained above why you must install this plugin.
- WordPress Firewall 2: This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure.
This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.
- WordPress Exploit Scanner: This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
When a website is compromised, hackers leave behind scripts and modified content that can be found by manually searching through all the files on a site. Some of the methods used to hide their code or spam links are obvious, like using CSS to hide text, and we can search for those strings.
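The same kind of search the Exploit Scanner plugin performs can be done from a shell, which matters when the dashboard itself may be compromised. Here is an added example (my own heuristics, not the plugin’s code): a scan of the file tree for the usual backdoor shapes and for PHP dropped into the uploads folder, plus a scan of a SQL dump for links hidden with display:none. The sample files and dump used to test it are constructed.

```shell
#!/bin/sh
# Added example (not the plugin's code): a first-pass scan of the kind the
# Exploit Scanner plugin does, runnable from a shell when you cannot trust the
# dashboard. Heuristics assumed here: (1) PHP files that feed an encoded blob
# into eval(), the classic backdoor shape; (2) preg_replace() with the /e
# modifier, which executes its replacement as PHP; (3) any .php file under
# wp-content/uploads, where WordPress never puts code; (4) in a SQL dump of
# the posts/comments tables, links wrapped in display:none. Expect some false
# positives: a hit is a file to read, not proof of compromise.

# wp_scan_files /path/to/public_html   -> one suspicious path per line
wp_scan_files() {
    root=$1
    {
        grep -rlE --include='*.php' \
            -e 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)' \
            -e "preg_replace *\\(.*[^a-zA-Z]e[\"'] *," \
            "$root" || true
        find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
    } | sort -u
}

# wp_scan_dump backup.sql   -> number of hidden-link fragments found
wp_scan_dump() {
    grep -oE 'display: *none[^>]*>[^<]*<a ' "$1" | wc -l | tr -d ' '
}

# Typical use:
#   wp_scan_files /home/user/public_html
#   wp_scan_dump /home/user/backups/db-20121010-020000.sql
```

Run the file scan against a fresh download of the same WordPress and plugin versions to learn which hits are normal for your install, then diff the two lists; what remains is what you need to look at.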
The three plugins recommended above are all free. There is one more I would like to mention, called BulletProof Security, which allows one-click .htaccess website security protection from within the WP Dashboard. It is offered in a free version and a much expanded paid version priced (as I write) at $39.00. However, while researching this plugin, I came across one or two negative reports from people who had installed it and then found they were unable to access their blogs.
It’s not a plugin I’ve ever used, whereas I use all three I’ve recommended on ALL my blogs, so the complainers may simply be using it, or setting it up, incorrectly. I have to admit, they appear to offer a great deal of customer support, videos, etc.
By reading this document, you assume all risks associated with using the advice given above, with a full understanding that you, solely, are responsible for anything that may occur as a result of putting this information into action in any way, and regardless of your interpretation of the advice.
You further agree that the author cannot be held responsible in any way for the success or failure of your blog as a result of the information presented above.
It is your responsibility to conduct your own due diligence and make a full backup of your blog to ensure a safe outcome should you apply any of the information and something unexpected or unforeseen occurs.