6 Tips for a More Secure WordPress Website

WordPress powers nearly 73M (million!) websites around the world, making it the most popular CMS in existence right now. About 15% of the top one million sites on the web use WordPress, including business heavyweights like Honda, the New York Times, CNN, NASA, TechCrunch and others.

Those are some impressive stats for something that started off as a humble little blogging platform but has grown to become so much more. WordPress’ extensibility (the ability to add plug-ins for almost any functionality you can think of) and ease of setup and use have certainly contributed to its explosion in popularity. But unfortunately that ease of use and popularity are also what make WordPress sites an attractive target for hackers.

Most hosting providers now offer simple or “one-click” installs that make installing and setting up WordPress so easy that even non-techies can do it. Unfortunately, what makes those automated setups so simple is that they create your WordPress installation using the default settings, and unless you make some effort to change some of those, would-be hackers can make assumptions about your site that make exploiting it easier. For example, automated WordPress setups always create an account with the username admin, which incidentally has administrative privileges (meaning permission to do everything). Unless you change or disable the admin account, hackers can simply use a brute-force program to crack that account’s password, and then they have total control of your site. Not good.

Google Chrome's this website is infected with malware message

Don’t be that site. You don’t want your visitors getting a message like this.

While there are some general security practices (like using strong passwords and changing them often) that you should be following regularly, here are 6 steps I follow (and you should too) for every WordPress installation:

6 Steps to a More Secure WordPress Website

  1. Don’t use your hosting provider’s automated setup or the admin username. It’s a little more effort and requires a little more knowledge to manually install WordPress but the added security is well worth it. Hosting providers that offer “one-click” installs should also have a simple control panel for creating databases. Once you’ve done that, WordPress’ simple 5-minute installation process will do the rest. For the reason mentioned earlier, please change the admin username to something (almost anything) else during the install process.
  2. Change your database table prefixes. By default, WordPress starts all tables it creates with the prefix wp_. Since all WordPress sites use the same table names, unless you change the prefix during setup, would-be hackers will know exactly what the names of those tables are. You can change the prefix by looking for the following line in the wp-config.php file:
    $table_prefix = 'wp_';
  3. Change the default secret keys. The secret keys defined in the wp-config.php file are used for additional password hashing and cookie security. Since you should already be in wp-config.php changing your table prefix (step 2), the extra security provided by this step is too easy to pass up. This site, https://api.wordpress.org/secret-key/1.1, will generate fresh random values for the four secret keys, which you can just copy and paste to replace the following lines in wp-config.php:
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
  4. Move wp-config.php. The default location of wp-config.php is in the root of your WordPress website. Like the rest of the files in your site, this technically makes it accessible to the web. That’s not ideal, since it contains all your database connection information. Once you’ve uploaded all the WordPress files to your website, move wp-config.php one directory up from the root of wherever WordPress is located. WordPress will automatically look for it there if it can’t find it in the root directory, and this means that only those with FTP or SSH access to your server can view it.
  5. Secure your scripts. WordPress has lots of files that aren’t necessarily intended to be accessed by site visitors. We can protect those files in a number of ways:
    • First, the wp-config.php file really only needs to be read, so we can adjust its permissions accordingly. This usually means a 400 or 440 permission. Sometimes you can change permissions through your FTP program, otherwise you’ll need to use SSH. If your server uses .htaccess, you can add an additional layer of security to wp-config.php by adding the following lines to the very top of that file to prevent anyone from attempting to browse to it:
      <files wp-config.php>
      order allow,deny
      deny from all
      </files>
    • Other files and folders in the wp-admin and wp-includes directories aren’t meant for public consumption, so let’s block access to those as well by adding mod_rewrite rules to the .htaccess file while you’re still there. Add the following rules after the wp-config lines above and before #BEGIN WordPress:
      # Block the include-only files.
      RewriteEngine On
      RewriteBase /
      RewriteRule ^wp-admin/includes/ - [F,L]
      RewriteRule !^wp-includes/ - [S=3]
      RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
      
      #BEGIN WordPress
  6. Tighten up file permissions. Some interesting plug-in functionality is possible because certain files within WordPress are writable by the server. Generally speaking, however, making files writable can be dangerous. It’s usually good practice to restrict file permissions as much as possible and only ease them when completely necessary. If you have shell access to your server, you can use the following commands to recursively lock down directories and files (respectively) in your WordPress installation (note the backslash before the semicolon, which find requires):
    find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
    find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
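To tie steps 2 to 6 together, here is an added shell example (not code from the original post or from WordPress itself) that rewrites the placeholder keys and table prefix in a wp-config.php, applies the 755/644/400 permissions, moves wp-config.php one level up and then audits the tree for anything still loose. The sample site it builds in a temp directory, the prefix k7x_ and all the function names are assumptions made for this example; the keys are generated locally from /dev/urandom rather than fetched from api.wordpress.org.

```shell
#!/bin/sh
# Added example, not code from the original post: apply steps 2 to 6 to a
# WordPress tree and audit the result. The tree and wp-config.php built by
# make_sample_site are constructed stand-ins, not a real install.

# Step 3 helper: a 64-character key from /dev/urandom, an offline stand-in for
# https://api.wordpress.org/secret-key/1.1. The set omits ' / \ and &, which
# would break the sed replacement below.
random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*_=+' < /dev/urandom | head -c 64
}

# How many secret keys in the given wp-config.php still carry the placeholder.
count_default_keys() {
    grep -c "put your unique phrase here" "$1" || true
}

# Steps 2 and 3: new random keys and a new table prefix (WordPress accepts
# only letters, digits and underscores in the prefix).
harden_wp_config() {
    cfg="$1"; prefix="$2"
    case "$prefix" in
        ''|*[!A-Za-z0-9_]*) echo "invalid table prefix: $prefix" >&2; return 1 ;;
    esac
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        key=$(random_key)
        sed "s/define('$name', 'put your unique phrase here');/define('$name', '$key');/" \
            "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    done
    sed "s/^\\\$table_prefix = 'wp_';/\\\$table_prefix = '$prefix';/" \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Step 6 then step 5: directories 755, files 644 (note the escaped \; that
# find needs), and wp-config.php readable by its owner only.
lock_down() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
    if [ -f "$1/wp-config.php" ]; then chmod 400 "$1/wp-config.php"; fi
}

# Step 4: move wp-config.php one level above the web root, out of reach of
# anyone without FTP or SSH access. WordPress looks there on its own.
move_config_up() {
    mv "$1/wp-config.php" "$(dirname "$1")/wp-config.php"
}

# Audit: entries under the web root still group- or world-writable, plus a
# wp-config.php there that anyone but its owner can read. Prints the total.
count_loose() {
    writable=$(find "$1" \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' ')
    exposed=$(find "$1" -name wp-config.php \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' ')
    echo $((writable + exposed))
}

# Constructed stand-in for a one-click install: stock wp-config.php values and
# the loose file modes an FTP upload often leaves behind.
make_sample_site() {
    mkdir -p "$1/wp-admin/includes" "$1/wp-content/uploads"
    printf '<?php // stub\n' > "$1/index.php"
    printf '<?php // stub\n' > "$1/wp-admin/includes/file.php"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    chmod 755 "$1" "$1/wp-admin" "$1/wp-admin/includes" "$1/wp-content"
    chmod 644 "$1/wp-admin/includes/file.php"
    chmod 777 "$1/wp-content/uploads"
    chmod 666 "$1/wp-config.php" "$1/index.php"
}

# Stand-alone run on a throwaway tree.
demo() {
    tmp=$(mktemp -d); site="$tmp/public_html"
    make_sample_site "$site"
    echo "placeholder keys: $(count_default_keys "$site/wp-config.php"), loose entries: $(count_loose "$site")"
    harden_wp_config "$site/wp-config.php" 'k7x_'
    lock_down "$site"
    move_config_up "$site"
    echo "placeholder keys: $(count_default_keys "$tmp/wp-config.php"), loose entries: $(count_loose "$site")"
    rm -rf "$tmp"
}
demo
```

Save it under any name and run it with sh; the audit function is the part worth keeping, since running count_loose against a real web root and treating anything other than 0 as something to look at catches the permissions that creep back in after plugin updates or FTP uploads. The -perm -020 -o -perm -002 test is the POSIX form, so it works with both GNU and BSD find. One caveat on step 4: WordPress only falls back to the parent directory when that directory is not itself another WordPress install (it checks that no wp-settings.php sits next to the moved wp-config.php).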

Fear Not, Get Help

Some of the steps above may sound like gibberish to you, or the terminology may sound familiar but you’re justifiably anxious about trying them on your site. Even if your WordPress website was set up years ago, it’s not too late to use some of these techniques to secure it.

I’m happy to help. Use the form below to get in touch for an honest assessment of your site’s security.

  • http://www.chrisvanpatten.com/ Chris Van Patten

    These are great tips!

    I would add that changing your salts is not necessary unless you’re setting up WordPress manually or are securing a hacked website; WordPress pulls from that same API page when you go through the installation process so the keys are totally random. That said, it certainly doesn’t hurt (although it will force all users to re-authenticate), and it might be worth it for just the extra peace of mind.

    An excellent place to go for tips on WordPress security is WPSecure.net. In addition to comprehensive security guides*, they also track plugin vulnerabilities. If you tend to use a lot of plugins, it’s a good idea to subscribe so you can make sure to keep any vulnerable plugins updated (or remove them entirely).

    * The guides are comprehensive for Apache users, but don’t get into nginx. There’s still a lot of worthwhile reading material though, and if you’re using nginx instead of Apache for serving WordPress you probably have a good idea on how to secure a site anyway!

  • michaelrichardmurphy

    Thanks for sharing that site Chris, what a great resource! I’m realizing that the steps in this post are probably a little more technical than most of my clients would feel comfortable doing on their own (luckily it’s all stuff I do with every install) so I’m working on a supplemental about plugins that help secure WordPress and other more basic tips. I’d love any suggestions you have related to either of those topics.

    • http://www.chrisvanpatten.com/ Chris Van Patten

      One of the weakest areas in security is the login. And that’s not because of a fault in WordPress, it’s just how things are in any webapp because the weakness lies with the user. Weak passwords make it easy to crack logins. Securing the login area is crucial.

      One of the best ways to begin is with the plugin Limit Login Attempts. At VPM we tend to avoid security-related plugins (with the frequency of plugin vulnerabilities, “security plugin” is almost an oxymoron) but this one is rock solid. It’s simple, effective, and helps prevent brute-force password attacks, which many WordPress security guides overlook.

      For even more security, the Google Authenticator plugin allows you to enable two-factor authentication quickly and painlessly. It integrates painlessly with the same Authenticator app used with Gmail two-factor auth.

      Finally, I highly recommend WP-Password Generator by Steve Grunwell. I’ve contributed to it in the past, and find it to be the simplest and most effective plugin for generating complex, random passwords. Of course you need to be careful not to send said passwords out to new users via plaintext email: if you’re sending them without encryption, that defeats the purpose entirely!

  • Aprel Atkins

    Thank you so much for this Michael. I didn’t know such issues occur in WordPress. I will definitely take note of this. I now know what I’ll do when this happens to my account. Keep it up!

    http://www.msecuredatalabs.com

  • Ronie Geisler @ MalwareSecure

    I’m impressed, I have to say. Actually, hardly ever do I encounter a blog that’s both educational and entertaining, and let me tell you, you have hit the nail on the head.

  • http://twitter.com/NukshaFashion Nuksha

    Secure your WordPress login page

    Your WordPress login page’s security is the most important thing you should take care of. Here are some plugins that will help you.
    Google Authenticator: This excellent plugin will help to secure your WordPress login page and adds a two-step verification to your WordPress blog similar to that of Google. Login Dongle: This WordPress plugin will create a bookmarklet with a secret question that you can add to your bookmarks, and it will help to increase your login page security whenever you log in to your blog.

    Do not show your WordPress version to the world
    WordPress websites and blogs always display their version number, which makes it easier for hackers to see whether they are running an outdated version of WordPress, and thus easier for them to hack.
    To remove your WordPress version from a page, delete the readme.html file from your WordPress installation directory, because it advertises your WordPress version to the world.
    http://www.nuksha.com