WordPress Security Tips | Hardening WordPress


Harden your WordPress. WordPress security tips to help you protect your site from hacks, malware and malicious scripts.

WordPress Security Tips

  1. Keep up to date with the latest WordPress version: Always keep your WordPress site updated to the latest version of WordPress. This gives you 80% protection for your WordPress site, as every new version comes with security patches and feature updates.
  2. Populate wp-config.php properly: Go through each line in wp-config.php, not only the first block for database configuration. Tips: Use the WordPress secret key generation tool to generate random salts for WordPress cookies. These keys are used to ensure better encryption of the information stored in WordPress users’ cookies. To make it more secure, change the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wp52sk1_, obfuscates it enough but still lets you recognize the tables as belonging to WordPress. For more, read my article Power up your WordPress with wp-config.php.
  3. Correct file permissions: Set the correct file permissions; if you give full permissions to files and folders, hackers can compromise them easily. Tips: Set the permissions as follows: all folder permissions should be set to 755; all file permissions should be set to 644; files that you want to edit in the WordPress theme editor should be set to 666. Never use 777 for WordPress permissions.
  4. Don’t use the default admin username: WordPress is an open source application and most people know that its administrator username is admin. This makes it easy for hackers to attack the password when they already know the administrator username. Tips: Change the default administrator username admin to something else. Here is how to change the default admin username. You may use phpMyAdmin and paste the SQL command (the update line) to execute it.
    update wp52sk1_users set user_login='myadmin' where user_login='admin';

    wp52sk1_ is the database prefix that I changed; the default prefix is wp_. Alternatively, you may edit the value manually using the phpMyAdmin web interface. Now your admin user is myadmin instead of admin.

  5. Pick a secure password for admin: Changing your admin username to something else is no guarantee that people will not be able to guess it. For instance, if you use your username as the displayed meta data in every post, or you enable author-specific pages on a multi-author blog, you reveal your username to the world. Tips: With this in mind, pick a secure password for your WordPress login. Combine upper- and lowercase characters and numbers.
  6. Hide the WordPress version in the header tag: Although you may have deleted the WordPress version meta data from your theme, you may still get a WordPress version line in the page returned by the blog software, because since version 2.5 WordPress generates this tag itself. This lets an attacker know which WordPress version you are using, which helps them target known flaws. Tips: Add the following line to the functions.php file in your theme directory (create a blank PHP file with this name if your theme doesn’t already have one):
    <?php remove_action('wp_head', 'wp_generator'); ?>
  7. Nobody should be allowed to search your entire server: If you allow it, an attacker will find a way in more easily. Tips: Do not use the following search code in search.php in your theme folder:
    <?php echo $_SERVER ['PHP_SELF']; ?>

    Use the following instead:

    <?php bloginfo ('home'); ?>

    Also block the WP folders from being indexed by search engines; the best way to block them is in your robots.txt file. Add the following line to your list:

    Disallow: /wp-*
  8. Prevent directory listing: In many cases the default WordPress installation lets attackers use their web browser as a file browser to look through the contents of folders on your server. Normally this is harmless, but some web hosts don’t even bother to turn off directory listing by default, and that gives attackers several options. There might be a loophole in a theme or plugin you use: the author may have made mistakes in their code that allow unexpected access, and attackers can use your directory listing to find out whether you have those vulnerable files and then attack your site. People can also browse the non-WordPress contents of your web server and discover folders and files that you were not ready to announce or thought were not accessible to the general public. Many directory listings include a footer line telling visitors your server version; attackers can cross-reference these version numbers with lists of known vulnerabilities and bring your site down or gain illegal access. Tips: Edit the .htaccess file and add the following line at the bottom:
    Options All -Indexes
  9. Protect WordPress administration files: The WordPress administration files are in the wp-admin directory of your WordPress installation, except for wp-config.php. Tips: Use .htaccess to restrict access and allow only specific IP addresses to reach this directory and file. If you have a static IP address and you always blog from your own computer, this is an option. If you don’t know your IP address, you can find it by visiting http://whatismyip.com/. Put a .htaccess file in wp-admin and add the code. See the example:
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Example Access Control"
    AuthType Basic
    <LIMIT GET>
    order deny,allow
    deny from all
    allow from xx.xx.xx.xx
    allow from xx.xx.xxx.xx
    </LIMIT>

    For more, refer to Apache’s documentation on mod_access and the example Protecting The WordPress wp-admin Folder. Alternative solution using a username and password combination: There is another way to protect the wp-admin directory, with a username and password, and it adds another level of security. Apache has complete information on authentication, authorization and access control. Example:

    AuthType Basic
    AuthName "WordPress Dashboard"
    AuthUserFile /home/user/.htpasswds/blog/wp-admin/.htpasswd
    Require user adminuser

    Then generate the encrypted password using the htpasswd command:

    $ htpasswd -cm .htpasswd adminuser

    If you have cPanel then it is very easy as it has a feature called Web Protect which allows you to accomplish the same thing.

    Note: if you find it hard to do this by hand, just use the plugin AskApache Password Protect.

    Further, I recommend the Login Lockdown plugin, which records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.

    Note: the Htaccess and Htpasswd generator helps to create the necessary files with desired values.

  10. Restrict file access to the wp-content directory: The wp-content directory contains your theme, plugin files and uploads. WordPress doesn’t access the PHP files in the plugins and themes directories via HTTP; the only requests from web browsers are for image files, JavaScript and CSS. For this reason you may restrict wp-content so that it only allows those file extensions and not PHP or any other file extensions. This prevents people from accessing other files directly. Tips: Include the following lines in .htaccess within wp-content:
    # Deny everything by default; with Order Deny,Allow the Allow inside <Files>
    # overrides the deny for the listed static extensions only.
    Order Deny,Allow
    Deny from all
    <Files ~ "\.(css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>
  11. Protect your WordPress blog from script injections: You should protect your blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables. Always back up the .htaccess file before modifying it. Tips: Include the following lines in .htaccess within wp-content:
    Options +FollowSymLinks
    RewriteEngine On
    # Refuse (403) any query string carrying a <script> tag, raw or URL-encoded,
    # or one that tries to set the GLOBALS or _REQUEST arrays.
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
  12. Take regular backups of your site and database: No matter how hard you protect your site there may still be some loophole for hackers; there is never 100% security online. Tips: Take regular backups of your file directories as well as the database, so that if there is a problem you can simply upload the backup copy. Use the WordPress Database Backup plugin or WP-DB Manager to back up your database, and use the WordPress Backup plugin to back up your upload directory (images), current theme directory and plugins directory. If you want the best paid backup, you can use Backup Buddy.
  13. Stop worrying about your wp-config.php file: During a server problem, I saw on a friend’s blog that his wp-config.php file could be viewed in the browser, with his database username and password in it, ready to be stolen at any time. Tips: You can secure your wp-config.php by adding the following to the .htaccess file at the top level of your WordPress install:
    <FilesMatch ^wp-config\.php$>
    deny from all
    </FilesMatch>

    This will make it harder for your database username and password to fall into the wrong hands in the event of a server problem.

  14. Protect your blog with a solid password: Easy passwords made only of letters and numbers can be cracked easily with software. Tips: Creating a strong password that is also memorable is one of the easiest defenses against being hacked. Use a strong password by combining letters, numbers and symbols. There are a lot of online password strength checkers you could use. Also see Lorelle’s article on the Blog Herald, Protect Your Blog With a Solid Password, offering tips and tricks to help create a strong password that is also memorable, and how to deal with the myriad passwords we seem to accumulate online.
  15. Use SSH/shell access instead of FTP: If someone gets your FTP login information, which is usually sent unencrypted and is easy to capture, they can manipulate your files and add spam to your site without you even knowing about it. With SSH, everything is encrypted, including file transfers.
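As an added example, not part of the original post, here is a POSIX shell script that applies the 755/644 scheme from tip 3 to a WordPress tree and then audits it for anything still world-writable (the 777 state the tip warns against) or otherwise outside the scheme. The install path is whatever you pass as the first argument (the path in the comment is an assumption); the functions work on any directory tree.

```shell
#!/bin/sh
# Added example (not from the original post): apply tip 3's permission scheme
# to a WordPress install and audit the result. Run as the owner of the files,
# e.g.  sh wp_perms.sh /var/www/html  (that path is an assumption; use your own).

# Apply the recommended permissions: every directory 755, every file 644.
# Nothing is left world-writable, so stray 777 and 666 entries are cleaned up.
wp_fix_perms() {
  root="$1"
  [ -d "$root" ] || { echo "wp_fix_perms: not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Count entries writable by "other" (the o+w bit set in both 777 and 666).
# A hardened tree reports 0; tip 3 only tolerates 666 on the few files you
# deliberately edit through the theme editor.
wp_audit_perms() {
  find "$1" -perm -002 | wc -l | tr -d ' '
}

# Count entries that deviate from 755 (directories) / 644 (files), as a quick
# drift check after deployments or plugin updates.
wp_nonstandard_count() {
  dirs=$(find "$1" -type d ! -perm 755 | wc -l)
  files=$(find "$1" -type f ! -perm 644 | wc -l)
  echo $((dirs + files))
}

# Stand-alone usage: fix the tree given on the command line, then report.
if [ "$#" -gt 0 ]; then
  wp_fix_perms "$1"
  echo "world-writable entries: $(wp_audit_perms "$1")"
  echo "entries outside 755/644: $(wp_nonstandard_count "$1")"
fi
```

Run the audit functions alone first to see how far a host's defaults are from the scheme before changing anything; `find -perm -002` is POSIX, so the script behaves the same on GNU and BSD userlands.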

The following plugins will be very helpful:

  • WP Security Scan Plugin: It scans your WordPress installation for security vulnerabilities and suggests corrective actions.
  • Secure WordPress beefs up the security of your WordPress installation by removing error information on login pages, adds index.html to plugin directories, hides the WordPress version and much more.
  • Login Lockdown plugin, which records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
  • WordPress Exploit Scanner: It searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
  • AntiVirus Plugin: It is a smart and effective solution to protect your blog against exploits and spam injections.
  • Admin SSL Plugin: Recommended only for advanced users. It secures the login page, admin area, posts, pages – whatever you want – using private or shared SSL. Once you have activated the plugin, go to the Admin SSL config page to enable SSL, and read the installation instructions.
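The Login Lockdown plugin described above and in tip 9 works by counting failed logins per source address. As an added example that is not part of the original post or of the plugin, the script below runs the same detection over web server access logs instead: a failed wp-login.php POST is re-rendered by WordPress with HTTP 200, while a successful one redirects (302) to wp-admin, so counting 200 responses to POST /wp-login.php per client IP exposes password guessing. The log lines are constructed for the demo; the threshold of 5 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): the detection logic behind a
# login lockdown, run over Apache access logs rather than inside WordPress.
# Caveat: behind a CDN or reverse proxy, field 1 is the proxy's address, so
# log and count the X-Forwarded-For client instead.

# Constructed sample lines in Apache "combined" format (not real traffic):
# five failures from one address, one page view plus one failure and one
# success from another, and a clean login from a third.
SAMPLE_LOG='203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3971 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3971 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3971 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3971 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3971 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:04:50 +0000] "GET /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3971 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 9210 "-" "Mozilla/5.0"'

# Read a log on stdin and print "count ip" for every client with at least one
# failed login, highest count first. Fields: $1 client IP, $6 method (with the
# opening quote), $7 request path, $9 HTTP status.
wp_failed_logins() {
  awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
       END { for (ip in fails) print fails[ip], ip }' | sort -rn
}

# Print the IPs whose failure count reaches THRESHOLD (default 5): the
# candidates a lockdown plugin or a firewall rule would block.
wp_brute_force_ips() {
  wp_failed_logins | awk -v t="${1:-5}" '$1 + 0 >= t + 0 { print $2 }'
}

# Stand-alone demo over the constructed sample; pipe a real access log instead.
printf '%s\n' "$SAMPLE_LOG" | wp_failed_logins
printf '%s\n' "$SAMPLE_LOG" | wp_brute_force_ips 5
```

On a live server, `tail -f` the access log into `wp_failed_logins` or run it from cron over the last rotation; the per-IP counts are also a quick way to confirm that a lockdown plugin is actually firing, since blocked clients stop producing 200 responses.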


3 Replies to “WordPress Security Tips | Hardening WordPress”

  1. Excellent post on WP security. I heard about this post on a live webinar and thought I would check it out. I’ll definitely be implementing some of the strategies for securing my blogs. Thanks

  2. Indeed a great list of common WordPress security mistakes.

    A couple of days back I faced a situation where there was some unwanted ads being displayed on my blog and that was something I did not install. When inspected I found that there was a lot of unwanted codes that were injected into the WordPress theme files and other main files.

    On further inspection I found out the following 3 things which were the reasons for this:

    1). Not updating the other WordPress installations, plugins and themes that are being run from the same hosting account if you are using shared hosting.
    2). Optimizepress 1.0 is known to have a security issue and they have released an update to it. This doesn’t update in the normal updates from your wordpress dashboard. You might want to update it manually, if you haven’t done it yet.

    3). Not Cleaning and optimizing your database periodically

    4). Leaving the default themes like twentyeleven etc. as it is and not updating them. This primarily happens if you are using a different theme and these default themes just remain there.

    5). Not uninstalling plugins that haven’t been updated for a long time by its creators.

    These are prone to attacks. A couple of solutions that I found was installing plugin like Wordfence or, Bullet Proof Security or, Better WP security.
