05 Jul

WordPress Security Tips

By: Yuri Samoilov

WordPress is currently the most used Content Management System (CMS) in the world, powering over 22% of all websites and around 60% of all CMS-driven sites. That popularity makes it a target: a single weakness or vulnerability found in one of its many plugins, themes or the WP core itself makes a huge number of sites exploitable at once, so attackers scan for WordPress installs at scale.

Here we will go through a number of ways to help make your WordPress website more secure.

WordPress security is not something any WP site owner should overlook.

1. Update, Rinse and Repeat.

The WordPress core, WordPress themes and its many plugins are updated from time to time. Quite often these updates fix security vulnerabilities that have been found, and once a fix is public the details are quickly turned into working exploits, so it is in your best interest to update as quickly as possible. Hackers scan WordPress-driven sites in the hope of finding one still running an older, vulnerable version.

You are notified of available updates in the WP Admin Dashboard, and updating is fast and painless through the browser. Back up the site and its database before updating, in case something goes wrong, so that you can roll back.

The WordPress.org download page always has the latest stable release, and it is worth joining the mailing list on that page to be notified of new releases.

2. Usernames and Passwords

Even the most up-to-date, tightly secured install can't defend you against commonly used, easily guessed username/password combinations.

Avoid using 'admin' as the administrator username: it is the first name every brute-force script tries. This is easily done at install time. For existing installs, go to Users -> Add New in the admin, create a user with a different username and the Administrator role, log out, log in as the new user, then go to Users -> All Users and delete the old 'admin' user, attributing its posts to the new account when prompted. Bear in mind that a username is not really a secret (author archive URLs such as /author/<username>/ usually reveal it), so a strong password still does the real work.

Passwords for every user must be strong: never a dictionary word or anything tied to the site or the person. Use a long, randomly generated password with a mix of upper- and lowercase letters, digits and special characters, keep it in a password manager, and never reuse it on another site.

3. Don’t use the default wp_ DB Table Prefix

This is easily done at install time, when you are prompted for the database table prefix to use. Change it to something other than the default wp_.

This can slow down attacks that manage to make a database call (such as SQL injection attacks), since automated tooling targets the default table names (for example, inserting a new admin user into wp_users). Treat it as a speed bump rather than a defence: an attacker with working SQL injection can usually read the real table names from information_schema or from an error message, and a changed prefix does nothing against vulnerable code that already uses WordPress's own $wpdb->prefix.

4. Custom Secret Keys

These are critical to your WordPress site’s security: the eight keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values) are mixed into the hashes that protect login cookies and nonces, as explained in the WP Codex. Leaving them at the placeholder values from the sample config strips away that protection.

Simply head over to the official API page at https://api.wordpress.org/secret-key/1.1/salt/ (it generates a fresh random set on every reload) and paste the output into your /wp-config.php file, replacing the existing defines. Changing the keys invalidates every existing login cookie, so all users will need to log in again; that also makes regenerating them a quick way to throw out anyone holding a stolen session after a compromise.
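If you would rather not fetch secrets over the network, the salts can be generated locally. The following command-line script is an added example, not code from the original post or from WordPress; the character set and the 64-character length are my choices (the official generator uses a similar printable set):

```php
<?php
// Added example: generate the eight WordPress keys/salts locally with PHP's
// CSPRNG. Usage:  php generate-salts.php >> wp-config.php
// Then delete the old AUTH_KEY ... NONCE_SALT defines so only one set remains.
// Remember that new keys log every user out of the site.

$keys = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Printable ASCII minus the single quote and backslash, so each value can be
// dropped into a single-quoted PHP string without escaping. (Assumed set.)
$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
          . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';

function random_salt(string $alphabet, int $length = 64): string
{
    $out = '';
    $max = strlen($alphabet) - 1;
    for ($i = 0; $i < $length; $i++) {
        // random_int() is cryptographically secure (PHP >= 7.0); never use
        // rand()/mt_rand() for anything that protects a session.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

foreach ($keys as $name) {
    printf("define('%s', '%s');\n", $name, random_salt($alphabet));
}
```

Run it once per site; keys must never be shared between installs, and the generated lines belong in wp-config.php above the `require_once ABSPATH . 'wp-settings.php';` line, like the rest of the configuration.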

5. Keep Your Install Clean

Over time you might stop using a particular plugin, or switch to a different theme. Delete unused plugins and themes from your webspace completely, rather than just deactivating them.

If an old theme or plugin is left on the server, its files can still be requested directly by URL even when it is deactivated, so any vulnerabilities in those scripts remain exploitable and put your site at risk.

6. .htaccess Additions

Further tightening can be done by adding rules such as the following to the .htaccess file in the root folder of your WordPress install. Put them outside the block between # BEGIN WordPress and # END WordPress, which WordPress rewrites whenever permalink settings are saved; anything placed inside that block will be lost.
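As an added example (these are not the rules from the original post), a set of commonly used .htaccess additions for the WordPress root. The directives use Apache 2.4 syntax; on Apache 2.2 replace `Require all denied` with `Order deny,allow` / `Deny from all`. Whether `Options` is allowed in .htaccess depends on the host's AllowOverride setting, so test after each addition:

```apache
# Added example: hardening rules for the WordPress root .htaccess.
# Keep these OUTSIDE the "# BEGIN WordPress" ... "# END WordPress" block.

# wp-config.php holds the database password and secret keys; it must never be
# served to a browser, even if PHP is misconfigured or disabled for a moment.
<Files wp-config.php>
    Require all denied
</Files>

# Keep the rules themselves private (most distros already deny .ht* globally).
<Files .htaccess>
    Require all denied
</Files>

# readme.html states the exact WordPress version; deny it.
<Files readme.html>
    Require all denied
</Files>

# No directory listings for folders without an index file.
# Remove this line if it produces a 500 error (AllowOverride lacks Options).
Options -Indexes

# Uploaded files must never execute as PHP. Pretty permalinks already need
# mod_rewrite, so the module is available. NC = case-insensitive.
RewriteEngine On
RewriteRule ^wp-content/uploads/.*\.(php|phtml|phar)$ - [F,L,NC]
```

The last rule is the one that pays for itself most often: a weak upload handler in a plugin lets an attacker place a PHP file in wp-content/uploads, and with execution denied there that file is just inert bytes.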

7. Force SSL for WP Admin Area

If your hosting supports HTTPS, force the WordPress admin area (wp-admin and wp-login.php) to use it by adding the following to your /wp-config.php file, so that passwords and login cookies never cross the network in cleartext:
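The constant WordPress provides for this is FORCE_SSL_ADMIN. The fragment below is an added example rather than the original post's code; the proxy-header handling is the pattern the WordPress documentation describes for installs behind a TLS-terminating load balancer, and the header name X-Forwarded-Proto is an assumption about your proxy:

```php
<?php
// Added example for wp-config.php. Place it ABOVE the line
//   require_once ABSPATH . 'wp-settings.php';

// Redirect wp-login.php and everything under /wp-admin/ to HTTPS, so the
// password and the authentication cookie are never sent in the clear.
define('FORCE_SSL_ADMIN', true);

// Behind a TLS-terminating proxy or load balancer, PHP sees a plain HTTP
// connection, is_ssl() returns false, and FORCE_SSL_ADMIN would redirect
// forever. WordPress keys off $_SERVER['HTTPS'], so set it from the proxy's
// forwarded-proto header. Only do this when the proxy is the sole path to
// the web server and it overwrites the header; otherwise a client could
// forge it and bypass the redirect.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
```

FORCE_SSL_ADMIN covers only the login page and the admin area. If the whole site can be served over HTTPS, set both the WordPress Address and Site Address to https:// under Settings -> General instead; that protects visitors' sessions too and makes this constant redundant.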

8. Remove the WordPress Version Number

Why tell hackers which WordPress version you’re running, so they know exactly which vulnerabilities to try?

WordPress by default prints the version number in a generator meta tag in the <head> area of every page. Disable it by putting this line into your theme’s functions.php file:
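The version leaks through more than the meta tag: the same string appears in the site's RSS/Atom feeds and as the ?ver= query string on core scripts and stylesheets. The following is an added example (not the post's own one-liner) that covers all three. The function name strip_core_version_query is mine; the hooks and helpers it uses (wp_generator, the_generator, script_loader_src, style_loader_src, remove_query_arg) are standard WordPress:

```php
<?php
// Added example. Put it in the theme's functions.php or, better, in a small
// site-specific plugin so that switching themes does not silently drop it.

// 1. Remove <meta name="generator" content="WordPress x.y"> from <head>.
remove_action('wp_head', 'wp_generator');

// 2. Feeds (RSS, Atom, RDF) embed the version via the_generator(); blank it.
add_filter('the_generator', function ($generator, $type) {
    return '';
}, 10, 2);

// 3. Core appends ?ver=<WP version> to its own scripts and styles. Strip the
//    argument only when it equals the core version, so plugins and themes keep
//    their own cache-busting version strings.
function strip_core_version_query($src)
{
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'strip_core_version_query');
add_filter('style_loader_src', 'strip_core_version_query');
```

This raises the bar only a little. Scanners can still fingerprint the version from readme.html (unless you deny it) and from the hashes of static core files, so treat it as removing the easy route, not as a defence in itself; keeping the install updated is what actually closes the vulnerabilities.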

9. File and Folder Permissions

Typical WordPress file and folder permissions (set with the chmod command, or via your FTP client) should look like:

  • files – CHMOD 664
  • folders – CHMOD 775
  • wp-config.php – CHMOD 660

If your site stops loading with wp-config.php set to 660, try setting it to 664.

If your webhost has Apache setup with SuEXEC, then you should try the following settings instead:

  • files – CHMOD 644
  • folders – CHMOD 755
  • wp-config.php – CHMOD 600

Sometimes a theme or plugin may ask for a file or folder to be set to 777. Do this only temporarily, if at all, as leaving it at 777 (writeable by everyone on the server) lets any other process or account on the host, including a compromised neighbouring site on shared hosting, drop files into your install.
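Setting these by hand over FTP is error-prone on a tree with thousands of files. The command-line script below is an added example (not from the original post) that applies the SuEXEC-style set from the list above to a whole install and reports anything it found world-writable. The file name fix-perms.php and the sample path are assumptions; switch the modes to 664/775/660 if your host runs PHP as a different user from the file owner, as described above:

```php
<?php
// Added example: normalise WordPress permissions and flag 777-style entries.
// Usage:  php fix-perms.php /var/www/example.com/public_html
// Run as the file owner. If wp-config.php lives one level above the web root,
// chmod it separately; this script only walks the tree it is given.

$root = rtrim($argv[1] ?? '.', '/');
if (!is_dir($root . '/wp-includes')) {
    fwrite(STDERR, "Not a WordPress root: $root\n");
    exit(1);
}

$walker = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST   // parents before children
);

$changed = 0;
$worldWritable = [];

foreach ($walker as $path => $info) {
    if ($info->isLink()) {
        continue; // chmod() follows symlinks; never touch targets outside the tree
    }

    if ($info->isDir()) {
        $want = 0755;                       // folders
    } elseif ($info->getFilename() === 'wp-config.php') {
        $want = 0600;                       // secrets: owner only
    } else {
        $want = 0644;                       // ordinary files
    }

    $have = $info->getPerms() & 0777;
    if ($have & 0002) {                     // "other" write bit set
        $worldWritable[] = sprintf('%o %s', $have, $path);
    }
    if ($have !== $want) {
        chmod($path, $want);
        $changed++;
    }
}
chmod($root, 0755); // the iterator does not yield the root directory itself

printf("%d entries changed; %d were world-writable before the run:\n",
    $changed, count($worldWritable));
foreach ($worldWritable as $entry) {
    echo "  $entry\n";
}
```

The report is the useful part: a world-writable file that you did not create yourself, especially a .php file under wp-content/uploads, is worth opening before you fix its mode, because it may be something an attacker left behind.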

10. Hide Login Error Messages

By default, a failed login attempt tells you whether it was the username or the password that was wrong, which helps an attacker confirm valid usernames for a site.

Add the following to your theme’s functions.php to replace these messages with a single generic one:
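The login form is not the only place WordPress confirms usernames: /?author=1 redirects to /author/<username>/, and on current versions the REST endpoint /wp-json/wp/v2/users lists every user who has published a post. The following is an added example (not the original post's snippet) that closes all three. It only rewrites the login message for the wrong-username/wrong-password error codes, so lost-password and other error text is left alone; the hooks and error codes used are WordPress's own:

```php
<?php
// Added example. Put it in the theme's functions.php or a site-specific plugin.

// 1. One generic message whether the username or the password was wrong.
//    wp-login.php exposes the WP_Error object as the global $errors; only
//    replace the message for the codes that leak which half was wrong.
add_filter('login_errors', function ($message) {
    global $errors;
    if ($errors instanceof WP_Error) {
        $leaky = ['invalid_username', 'invalid_email', 'incorrect_password'];
        if (array_intersect($errors->get_error_codes(), $leaky)) {
            return 'Login failed. Check your username and password.';
        }
    }
    return $message;
});

// 2. Block author-ID scans: /?author=N would 301 to /author/<username>/.
add_action('template_redirect', function () {
    if (isset($_GET['author']) && ctype_digit((string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 3. Hide the REST users endpoints from anonymous visitors. Logged-in users
//    (the editor screens need the endpoint) are unaffected.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
```

None of this stops a determined attacker from guessing common usernames; it removes the confirmation signal, which is what makes enumeration cheap. Combine it with strong passwords and a login rate limiter such as the plugins listed below.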

WordPress Plugins That Can Help Secure Your Website Even Further
There are a number of excellent Free or Low Cost WordPress Plugins available which help tighten your website’s security even further. Here are some of our favourites:

1. Login Lockdown

Limits the number of login attempts from a given IP range within a certain time period, helping defend against brute force login attacks.
http://wordpress.org/plugins/login-lockdown/

2. iThemes Security

Formerly known as “Better WP Security”, a great all-round security plugin to help protect your WordPress site.

This plugin hides a lot of the information that hackers look for, protects against various types of attacks, detects file and database changes that may indicate a compromised site, has site backup and recovery features, and more. Free to use, with a premium version available with added features.
http://wordpress.org/plugins/better-wp-security/

3. Security Ninja

Extremely popular, low cost (just $10!) and feature-rich WordPress Security plugin to protect your website. Features include:

  • perform 31+ security tests including brute-force attacks
  • check your site for security vulnerabilities and holes
  • checks for Timthumb vulnerability
  • take preventive measures against attacks
  • don’t let script kiddies hack your site
  • prevent 0-day exploit attacks
  • use included code snippets for quick fixes
  • extensive help and descriptions of tests included

Visit: http://codecanyon.net/item/security-ninja/577696

4. Wordfence

Wordfence is an enterprise-class, feature-rich WordPress security plugin that is free to use, with a premium version available offering additional features and support.

Visit: https://wordpress.org/plugins/wordfence/