WordPress is one of the most popular blogging platforms and content management systems available. Because it powers more and more websites, it has also become a larger target for malicious attacks, so knowing how to secure WordPress should be a primary concern.
This post explains some relatively easy steps you can take to protect your website and make your WordPress installation harder to attack.
Before even installing WordPress, make sure your own computer is free of malware. That may sound obvious, but it is important that the system you install and administer from is clean and in a trusted state: a keylogger or password-stealing trojan on the administrator's machine hands over the WordPress, FTP and database passwords no matter how well the server itself is configured.
Quite simply, if your computer is infected, any and all security measures you take on the server can be undone. It is highly recommended that you protect all of your systems with up-to-date antivirus and keep them patched.
A WordPress installation and its core files can live in a directory other than the web root. This technique is debated and your results may vary: it is obscurity rather than a real control, because scanners and attackers can still discover where WordPress is installed (the login page, wp-content asset URLs and REST API routes all reveal the path), but it may still blunt automated attacks that only probe the default locations, and the topic comes up often enough to be worth covering.
For instance, if your website has the domain mydomain.com, you would install WordPress in something like mydomain.com/mydirectory.
Next, copy the index.php and .htaccess files from that directory to the web root. If you cannot see .htaccess because it is a hidden file, enable "show hidden files" in your FTP software or in the cPanel File Manager of your hosting account.
Don't worry about the error you will now get if you browse to your site. Open the copied index.php in the web root and change the line that requires wp-blog-header.php so that it points into the subdirectory.
Now your login URL will be www.example.com/directory/wp-admin.
After installation, go to Settings > General in the admin panel and set the WordPress Address (URL) to www.example.com/directory and the Site Address (URL) to www.example.com.
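As an added example (not code from the original post), this is what the copy of index.php sitting in the web root looks like once its require line has been redirected; the directory name mydirectory is an assumption standing in for whatever you chose above:

```php
<?php
// Added example, not from the original post. This is the copy of index.php
// that now lives in the web root, with its require line pointed into the
// subdirectory that holds the real WordPress files.
// Assumed layout: WordPress core installed in <web root>/mydirectory/.

// Tell WordPress to load the active theme for this request (unchanged from
// the stock file).
define( 'WP_USE_THEMES', true );

// Stock WordPress ships:
//     require __DIR__ . '/wp-blog-header.php';
// Pointed into the subdirectory instead, so a request for / is handled by
// the install in /mydirectory/ while the browser still sees the root URL:
require __DIR__ . '/mydirectory/wp-blog-header.php';
```

The URL change made in Settings > General can also be pinned in wp-config.php (inside the subdirectory) with define( 'WP_SITEURL', 'https://www.example.com/mydirectory' ); and define( 'WP_HOME', 'https://www.example.com' );, which stops a plugin or an admin from accidentally changing it back. Note that the .htaccess copied to the root must stay in sync with the one WordPress rewrites in the subdirectory when permalinks change.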
The WordPress version number can be a security risk if it is publicly visible, especially if your installation is not updated regularly: it lets a scanner match your site against the known vulnerabilities of that exact release. Hiding it is no substitute for updating; keep WordPress, themes and plugins current as part of your regular maintenance tasks.
The tag is not written by the theme itself: WordPress adds it through the wp_generator action when the theme calls wp_head() in header.php. The output looks like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
To remove the WordPress version number from the page head, add the following line to your active theme's functions.php file (the file already opens with <?php, so no extra opening tag is needed):
remove_action( 'wp_head', 'wp_generator' );
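The version string leaks in more places than the head tag: it is also emitted in RSS/Atom feeds and appended as ?ver= to every core script and stylesheet URL. The following is an added example (our code, not from the original post) of a fuller functions.php snippet that covers those too; the helper name example_strip_core_version is ours:

```php
<?php
// Added example, not from the original post: a fuller version of the
// functions.php snippet above. Put it in the active (ideally child) theme's
// functions.php so a theme update does not overwrite it.

// 1. Drop the <meta name="generator"> tag from the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same "WordPress x.y.z" string is emitted in RSS/Atom feeds and the
//    WXR export through the the_generator filter; blank it there as well.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core scripts and styles are enqueued as .../file.js?ver=<WP version>,
//    which repeats the version dozens of times in every page source.
//    Strip the query argument only when it equals the running core
//    version, so plugin and theme cache-busting versions keep working.
//    (The function name is our own, not a WordPress API.)
function example_strip_core_version( string $src ): string {
    $core_version = get_bloginfo( 'version' );
    if ( strpos( $src, 'ver=' . $core_version ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version' );
add_filter( 'style_loader_src', 'example_strip_core_version' );
```

Even with all three in place, readme.html in the install directory states the version and scanners fingerprint releases from the hashes of files under wp-includes, so treat this as noise reduction, not protection. After deploying, load the front page and a feed URL and search the source for "WordPress " followed by a digit to confirm nothing slipped through.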
Although we wrote about the secret keys in our first WordPress Security post, we want to provide some additional information and reiterate a few important facts. The security keys (and their salts) play a definite role in WordPress security: WordPress uses them to sign the authentication and logged-in cookies and to generate nonces, so a cookie cannot be forged or tampered with by someone who does not know the keys. Attackers who do not have them have a much harder time getting into your site without a valid password.
By default, WordPress generates these secret keys at installation time. They may be missing on older sites, or if wp-config.php has been replaced by hand with a copy of wp-config-sample.php. The keys are defined in wp-config.php; an unset example looks like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
If you ever need to regenerate these keys, visit the official secret key generator provided by WordPress.org (https://api.wordpress.org/secret-key/1.1/salt/) and paste its output over the eight lines above. If any of them still reads "put your unique phrase here", do this now.
Keep in mind that if an attacker has the security keys, they can regain access to the site even after the passwords have been changed. Changing the keys invalidates every existing login cookie, including any an attacker is holding, so if your site is compromised, rotate the secret keys as well as the passwords. This can only help to secure WordPress further.
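If you would rather not fetch key material from a third party, or need to rotate keys on many sites from a script, the following added example (our code, not from the original post) regenerates all eight values locally with PHP's CSPRNG, replaces them in wp-config.php, and adds any that are missing. The script name rotate-keys.php and the sample config it falls back to are assumptions:

```php
<?php
// Added example, not from the original post: regenerate the eight WordPress
// security keys and salts in wp-config.php with locally generated random
// values. Usage (assumed script name):
//   php rotate-keys.php /var/www/example/wp-config.php
// With no argument it runs against a constructed sample config and prints it.

const WP_SECRET_KEYS = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
const WP_KEY_PLACEHOLDER = 'put your unique phrase here';

// 64 characters drawn with random_int() (a CSPRNG). The alphabet omits
// quotes and backslashes so the value can sit inside a PHP string literal
// without escaping.
function generateSecret( int $length = 64 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_=+[]{}<>?,.:;|~';
    $max    = strlen( $alphabet ) - 1;
    $secret = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $secret .= $alphabet[ random_int( 0, $max ) ];
    }
    return $secret;
}

// Replace every existing define() for each key (single or double quoted),
// or add one if the file has none (older installs, or a wp-config.php
// copied by hand). Returns [ new file contents, per-key report ].
function rotateSecretKeys( string $config ): array {
    $report  = [];
    $missing = '';
    foreach ( WP_SECRET_KEYS as $name ) {
        $line    = "define( '" . $name . "', '" . generateSecret() . "' );";
        $pattern = '/define\(\s*([\'"])' . $name . '\1\s*,\s*([\'"])([^\'"]*)\2\s*\);/';
        $wasPlaceholder = false;
        $config = preg_replace_callback(
            $pattern,
            function ( array $m ) use ( $line, &$wasPlaceholder ) {
                $wasPlaceholder = $wasPlaceholder || $m[3] === WP_KEY_PLACEHOLDER;
                return $line; // callback avoids $ and \ interpolation issues
            },
            $config, -1, $count
        );
        if ( $count > 0 ) {
            $report[ $name ] = $wasPlaceholder ? 'replaced (was the placeholder)' : 'replaced';
        } else {
            $missing        .= $line . "\n";
            $report[ $name ] = 'added (was missing)';
        }
    }
    if ( $missing !== '' ) {
        // wp-config.php loads wp-settings.php after the "stop editing" marker;
        // new constants must be defined before that point.
        $marker = "/* That's all, stop editing!";
        $pos    = strpos( $config, $marker );
        $config = ( $pos === false )
            ? $config . "\n" . $missing
            : substr( $config, 0, $pos ) . $missing . "\n" . substr( $config, $pos );
    }
    return [ $config, $report ];
}

$path = $argv[1] ?? null;
if ( $path === null ) {
    // Constructed sample (not a real config): one placeholder key, the rest missing.
    $original = "<?php\n"
              . "define( 'AUTH_KEY', 'put your unique phrase here' );\n"
              . "define( 'SECURE_AUTH_KEY', 'some-existing-value' );\n"
              . "/* That's all, stop editing! Happy publishing. */\n"
              . "require_once ABSPATH . 'wp-settings.php';\n";
} else {
    $original = file_get_contents( $path );
    if ( $original === false ) {
        fwrite( STDERR, "cannot read $path\n" );
        exit( 1 );
    }
}
[ $updated, $report ] = rotateSecretKeys( $original );
if ( $path === null ) {
    echo $updated;
} else {
    // Keep a backup: a bad write here locks everyone out (which is also the point).
    file_put_contents( $path . '.bak', $original );
    file_put_contents( $path, $updated );
}
foreach ( $report as $name => $action ) {
    echo "$name: $action\n";
}
```

Run it once after a compromise, after every password reset, and on any site whose keys still show the placeholder. Every user, including you, will be logged out and must sign in again; delete the .bak file once you have confirmed the site loads, since it holds the old keys.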
If the web server has directory indexing enabled, anyone who knows where to look can list the contents of WordPress directories such as wp-content/uploads or wp-content/plugins. This should be avoided if at all possible. Attackers use directory listings to find the most vulnerable files, and it is not uncommon for web designers and developers to leave backup files (copies of wp-config.php, database dumps, old plugin versions) in odd or unique locations.
To disable directory browsing on Apache and ensure that no one can view the contents of directories, add a single line to the .htaccess file in your web root that turns off the Indexes option.
Note: adding this line may not work in some cases, depending on your web host's configuration. If the host's AllowOverride setting does not permit Options in .htaccess, Apache answers every request with a 500 error instead; remove the line and ask the host to disable indexing in the server configuration.
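The directive in question, shown here as an added example of the .htaccess line (not copied from the original post):

```apache
# Turn off directory listings for this directory and everything below it.
# Without it, a request for /wp-content/uploads/ on a server that has the
# Indexes option enabled returns a file listing instead of 403 Forbidden.
Options -Indexes
```

To verify, request a directory that has no index file, for example /wp-content/uploads/, and expect 403 Forbidden; a listing means the line is not taking effect, and a 500 means the host does not allow Options overrides. On nginx there is no .htaccess; directory listings are controlled by autoindex, which is off by default.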
If you have more than one WordPress installation with the same hosting provider, use a separate database user, with its own complex password, for each site. The DB_USER and DB_PASSWORD values in each site's wp-config.php should not be shared, and each database user should be granted rights on its own database only. This isolates the sites from one another: if one of them is hacked, the attacker does not automatically get the databases of the others.
This may seem like a simple and obvious tip, but reusing the same credentials across sites is something people do all the time.
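A quick way to catch that reuse on a host with several installs is to read every wp-config.php and compare the database settings. The following is an added example (our code, not from the original post) that does so; the script name, the paths and the two sample configs it falls back to are constructed for illustration:

```php
<?php
// Added example, not from the original post: audit several wp-config.php
// files on one host and flag database credentials shared between sites.
// Usage (assumed script name):
//   php audit-db-creds.php /var/www/siteA/wp-config.php /var/www/siteB/wp-config.php
// With no arguments it runs against two constructed sample configs.

// Pull the value of one define('NAME', '...') out of a wp-config.php.
function readDefine( string $config, string $name ): ?string {
    $pattern = '/define\(\s*([\'"])' . preg_quote( $name, '/' ) . '\1\s*,\s*([\'"])(.*?)\2\s*\)/';
    return preg_match( $pattern, $config, $m ) ? $m[3] : null;
}

// $configsByPath maps a path to that file's contents. Returns a list of
// human-readable findings; an empty list means the sites are isolated.
function auditDbCredentials( array $configsByPath ): array {
    $findings = [];
    $byUser = [];   // DB_USER     => [paths using it]
    $byPass = [];   // DB_PASSWORD => [paths using it]
    $byName = [];   // DB_NAME     => [paths using it]
    foreach ( $configsByPath as $path => $config ) {
        $user = readDefine( $config, 'DB_USER' );
        $pass = readDefine( $config, 'DB_PASSWORD' );
        $name = readDefine( $config, 'DB_NAME' );
        if ( $user === null || $pass === null ) {
            $findings[] = "$path: could not find DB_USER/DB_PASSWORD";
            continue;
        }
        // Findings that apply to a single site on its own.
        if ( $user === 'root' ) {
            $findings[] = "$path: uses the MySQL root account";
        }
        if ( strlen( $pass ) < 16 ) {
            $findings[] = "$path: DB_PASSWORD is shorter than 16 characters";
        }
        $byUser[ $user ][] = $path;
        $byPass[ $pass ][] = $path;
        if ( $name !== null ) {
            $byName[ $name ][] = $path;
        }
    }
    // Anything used by more than one config is shared between sites.
    $groups = [ 'DB_USER' => $byUser, 'DB_PASSWORD' => $byPass, 'DB_NAME' => $byName ];
    foreach ( $groups as $what => $values ) {
        foreach ( $values as $value => $paths ) {
            if ( count( $paths ) > 1 ) {
                $shown      = ( $what === 'DB_PASSWORD' ) ? '(redacted)' : $value;
                $findings[] = "$what $shown shared by: " . implode( ', ', $paths );
            }
        }
    }
    return $findings;
}

$paths   = array_slice( $argv, 1 );
$configs = [];
if ( $paths === [] ) {
    // Constructed sample configs (not real credentials) sharing one DB user.
    $configs = [
        '/var/www/siteA/wp-config.php' => "define( 'DB_NAME', 'wp_a' );\n"
            . "define( 'DB_USER', 'wpuser' );\ndefine( 'DB_PASSWORD', 'Shared-Secret-1234567' );\n",
        '/var/www/siteB/wp-config.php' => "define( 'DB_NAME', 'wp_b' );\n"
            . "define( 'DB_USER', 'wpuser' );\ndefine( 'DB_PASSWORD', 'Shared-Secret-1234567' );\n",
    ];
} else {
    foreach ( $paths as $p ) {
        $c = @file_get_contents( $p );
        if ( $c === false ) {
            fwrite( STDERR, "cannot read $p\n" );
            continue;
        }
        $configs[ $p ] = $c;
    }
}
$findings = auditDbCredentials( $configs );
echo $findings ? implode( "\n", $findings ) . "\n"
               : "no shared or weak database credentials found\n";
exit( $findings ? 1 : 0 );
```

On the sample input it reports DB_USER wpuser and the (redacted) password as shared by both sites. Run it as a user that can read every wp-config.php (the files should be mode 600 or 640, so that usually means root or the web server account), and fix findings by creating a dedicated database user per site in the hosting control panel and granting it privileges on that site's database only.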
If you do not feel at ease making the changes described above, there are many plugins that help maintain the security of a WordPress website. In some cases they can also help you recover quickly if you fall victim to a malicious attack.
Below is a list of the most popular security plugins. We prefer All in One WP Security & Firewall, but you may find that one of the other plugins suits your needs better.
With such a huge percentage of websites now powered by WordPress, it is no surprise that WordPress security is a major topic. If you take the security of your website seriously, you should explore all the options discussed here and take the extra time to lock your site down as tightly as you can.
As a reminder (and for additional steps to secure WordPress), you should also read our earlier post, Securing WordPress – A Few Steps, which covers other tips and tricks for managing your website's security. If you want to learn even more, we also recommend the official documentation at WordPress.org: "Hardening WordPress".
Please let us know if you have any questions or need help securing WordPress on your website. We'll be happy to help.