As you know, WordPress is one of the most popular blogging platforms and content management systems available. Developed in PHP and driven by a MySQL database, WordPress is used by approximately 8.5% of all websites on the web. Securing WordPress should be a primary concern, since website-delivered malware and website cracking are becoming increasingly common. With such a large percentage of websites running WordPress, any security vulnerability in WordPress’ code or framework could affect millions of websites – even YOURS.
This post will explain some steps that can be taken to help protect your website and will prevent your WordPress installation from being more easily attacked.
The most basic step in securing a WordPress installation is to keep it updated to the latest release. This patches security vulnerabilities discovered by the WordPress developers. Updating WordPress is quick and easy and can be done by almost anyone.
Upgrading WordPress can be accomplished directly from your WordPress admin panel or by directly uploading the new WordPress files to the appropriate location on your hosting account.
The same is true for any purchased or free plugins that are installed. Whenever a new version of a plugin is available, be sure to update. If an installed plugin is not being used, it is better to remove it from the dashboard altogether.
Be sure to make a backup of your WordPress database and files before any upgrade.
The default username for a WordPress installation is always [admin]. Changing the default admin name to something else is an easy step that makes the site harder to break into. By leaving the username unchanged, you give hackers a head start, because they then only have to crack your password to gain access to your dashboard and installation.
The password you set for your admin ID needs to be a complex one with a mix of letters, numbers and symbols. Using a strong password is essential on all entry points if you want to secure your website fully; this includes your FTP ID and password as well. Don’t use anything related to your website or your name.
File permissions should be restricted to prevent a breach of your site’s security, and should be set to the bare minimum. Setting the CHMOD value to 755 for folders means only the owner has write permission, while others have read and execute permission only. Therefore, folder permissions should be set to 755 (and no looser) to aid in securing WordPress.
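As an added example (not code from the post), a small POSIX shell script that lists entries writable by anyone other than the owner and then applies the 755-for-folders policy above. It assumes the common 644 for regular files and 600 for wp-config.php, which the post does not state, and that it is run as the file owner rather than the web server user.

```shell
#!/bin/sh
# Audit and repair WordPress file permissions (added example, not from the post).
# Policy assumed here: directories 755, regular files 644, wp-config.php 600.
# Only mode bits are changed; ownership is never touched.

# List files or directories that group or world can write to.
wp_world_writable() {
    find "$1" -perm -o=w \( -type f -o -type d \)
}

# Count entries that do not match the policy (wp-config.php is checked separately).
wp_perm_violations() {
    {
        find "$1" -type d ! -perm 755
        find "$1" -type f ! -name wp-config.php ! -perm 644
    } | wc -l | tr -d ' '
}

# Apply the policy to an install rooted at "$1".
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and secret keys: owner-only.
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}
```

Run `wp_world_writable /path/to/wordpress` first to see what would change, then `wp_fix_perms /path/to/wordpress`.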
You should keep ongoing backups of all important files. Keeping a backup of the WordPress database and files can come in quite handy in an emergency. Having a backup readily available, you can save yourself hours of time in correcting any hack that does occur.
You should consider restricting or completely denying access to your WordPress plugins directory. Depending on your version of WordPress, simply browsing to the www.your-website.com/wp-content/plugins/ directory can reveal every plugin that has been or is being used on your website. Some of these plugins may contain vulnerabilities, which puts the site’s security at risk and attracts hackers.
When WordPress is installed with the default values and options, its database tables use the table prefix wp_. Hackers can take advantage of this. It is therefore recommended practice to change the default table prefix wp_ to something else; just be sure to keep an underscore after the letters. If you want to change the database table prefix after installing, there are plugins available to help with that process.
When you first install WordPress, there are four secret keys written to the core configuration file. Visit this site, copy all eight keys and paste them in place of the existing keys in the wp-config.php file. These are random keys generated by WordPress and they change every time you refresh the page (while on that site). This makes your passwords more secure, and anybody logged into WordPress at that moment will be logged out of the dashboard immediately, as their cookies become invalid.
Like with any other secured networks or account, be very careful not to share the username or password with anyone you don’t fully trust. Even if you have hired a webmaster to manage your website, it is better to create a separate account for them with required permissions.
It is also very crucial that your FTP password is very complex with a combination of upper and lower case letters, numbers and even symbols.
You can safely move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your web host, you can store wp-config.php outside the root folder where most hackers would be looking for it.
If you use a server with .htaccess, you can add the following to that file (at the very top) to deny access to anyone surfing for it:
<files wp-config.php>
order allow,deny
deny from all
</files>
By default, the WordPress Dashboard allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if they manage to log in, since it allows code execution. WordPress provides a setting to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities from all users:
This cannot prevent an attacker from uploading malicious files to your site, but might stop some attacks.
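An added example, not from the post, that audits an existing wp-config.php for three of the points above: the Dashboard editor switch (the WordPress constant DISALLOW_FILE_EDIT, which the post refers to without naming), the default wp_ table prefix, and secret keys left at the placeholder text that WordPress ships in wp-config-sample.php. The sample config inside the demo function is constructed for this example.

```shell
#!/bin/sh
# Added example: audit a wp-config.php for hardening points discussed above.
# Assumes the real WordPress constant DISALLOW_FILE_EDIT and the placeholder
# string "put your unique phrase here" from WordPress's wp-config-sample.php.

# Prints one WARN line per finding and returns the number of findings.
wp_config_audit() {
    cfg="$1"; rc=0
    # 1. Is the Dashboard theme/plugin editor switched off?
    if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "WARN: DISALLOW_FILE_EDIT is not defined as true"; rc=$((rc + 1))
    fi
    # 2. Is the default table prefix still in use?
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "WARN: default table prefix wp_ is still in use"; rc=$((rc + 1))
    fi
    # 3. Were the secret keys and salts ever replaced?
    n=$(grep -c "put your unique phrase here" "$cfg" || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo "WARN: $n secret key(s) still carry the sample placeholder"; rc=$((rc + 1))
    fi
    return "$rc"
}

# Constructed sample config (not a real site) showing all three problems at once.
wp_config_demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
<?php
$table_prefix = 'wp_';
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
EOF
    n=0; wp_config_audit "$tmp" || n=$?
    rm -f "$tmp"
    return "$n"
}
```

Run `wp_config_audit /path/to/wp-config.php`; a zero exit status means none of the three problems was found.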
This post was not intended to be an exhaustive list of all the possible ways of securing your WordPress installation. However, it does provide a good list of WordPress security issues and some ways they can be addressed. If you need assistance with implementing any or all of these processes, feel free to contact us and we will be happy to help.