I’ll be the first to admit that security is far from a fun issue to deal with. If it wasn’t for this cool masthead I whipped up for the occasion, I probably wouldn’t even be excited to talk about it!
But in all seriousness, without taking these precautions you will, eventually, suffer the consequences. It happens to big sites hoping to profit and smaller personal weekend blogs. No one is safe. The most you can do, and the smartest you can be, is to follow the steps I’ve outlined below. With any luck you’ll avoid any WordPress security issues in the future.
First: un-cross your fingers. That won’t help you at all. Okay, now proceed.
Don’t be dumb: cover the basics
Your primary protection against the most common WordPress insecurities is to stay smart and on your game.
Tip 1: Update your version of WordPress
And here comes what is probably the least clever tip on this list: keep an up to date version of WordPress. The team responsible for keeping all of our sites safe is pretty quick to take care of any immediate security concerns, so as long as you keep an eye on the WordPress.org development blog (or alternatively the automatic updater in the most recent version of WP) you should be set to go.
Tip 2: Keep your Plugins up to date
“…Remove any inactive, unnecessary themes and Plugins. The less mess to keep track of the more likely you are to take care of it.”
The second potential security loophole most likely to claim you as its victim is an insecure or out of date Plugin (or theme, technically). More likely it’s a Plugin that needs updated, but themes can sometimes carry along with them assets which will require updating time to time. The easiest way to stay safe is just to update Plugins when WordPress prompts you. If you follow me on Twitter, I’m sure to sound the alarm any time a Plugin shows signs of being vulnerable.
It also wouldn’t hurt you to remove any inactive, unnecessary themes and Plugins. The less mess to keep track of the more likely you are to take care of it.
Tip 3: Maintain recent backups
While it won’t necessarily help you to prevent yourself being compromised, it’s still good thinking to keep steady backups of your database and your
wp-content folder. If you run into a situation where your site is compromised, however it happens, having a backup on hand will greatly speed up your recovery time. Which would you rather lose: a couple of comments by reverting back to the weekend’s backup, or 5 hours removing spam content from the end of each of your posts and pages?
For convenient WordPress database backup, check out WP-DB-Backup, a Plugin that makes it painless. Just remember to look after your
wp-content folder as well!
Don’t show the house your cards
Certain things won’t necessarily jeopardize you on their own, but letting them hang out won’t help you either.
Tip 4: Hide your directories
Take the effort to hide your directories so that they can’t be viewed by anybody that’s curious. As of WordPress 2.8 (if not 2.7?) we now have an
index.php file in each directory that we’d otherwise be concerned about someone malicious viewing in a browser. We’re talking about the Plugins folder, for instance. Without a blank index file to prevent the folder contents from showing, anyone could see the Plugins you have, which would only make it that much easier for them to exploit any of your site’s weaknesses.
Keep in mind that if you have an older version of WordPress running (assuming you can’t upgrade, for some reason) then be sure that you have an empty
index.html file in your Plugins directory. Be safe.
Tip 5: Hide login page error feedback
Something else the general public shouldn’t be able to see is the error feedback on your login page. Remove your error feedback to stop anyone from whittling away at potential logins.
See, normally when you try to login and mess something up, WordPress dishes out a helpful sentence or two either explaining that your username or your password is incorrect. While this is helpful for you and your site’s members, it’s also helpful for anyone trying to do bad things to your site.
Luckily it’s just a simple addition to your theme’s
functions.php file in order to get rid of this info:
add_filter('login_errors',create_function('$a', "return null;"));
Tip 6: Hide your version number
The third thing nosy do-badders will poke around your site looking for is your WordPress version number. Depending on your theme, this information may be printed into your
footer.php file, proudly displayed for all to see.
In most cases, though, it will be inserted automatically by WordPress into your header via the
wp_head(). When it’s working, it will print this at the top of your page’s source:
<meta name="generator" content="WordPress 2.8" />
That’s showing a little more skin than we want. But how do we kill it? After all, we need the
wp_head() around for just about any Plugin we might use. Just like the above tip, this one can be remedied with a single line in your
functions.php file also:
Presto change-o, no more version number.
Don’t be like everyone else
One thing that hackers have on just about every WordPress site out there is that they know there are a certain number of givens, some default settings that every user starts with. Your best bet is to change these defaults to things that only you know.
Tip 7: Delete the admin user
The first thing you should do is replace the default username of “admin” with something less obvious. Use a variation on your name, same as you would with any users you would add to your site.
There’s a best way to do this. First, create your new username and all of the info attached to it. Make sure the new username is an administrator on your site. Then log out and log back in under your new account. Delete the admin username, and attribute all of admin’s posts/pages to your new user account.
Tip 8: Create a secure password
I’m not security guru or anything, but if I had to guess more people get burned for having completely guessable passwords than for any other reason. The simplest test: if you can look up your password in a dictionary, it’s a bad password.
My test: if you know your password, it’s a bad password. Pick up a nifty app like 1Password, which is what I use, and protect your password. While you’re at it, do the same thing for everything you log in to. You’ll be amazed how much you can do with all of the space in your head you used up storing passwords before.
Not really, but that sounds pretty enticing doesn’t it?
Tip 9: Change the database prefix from
WordPress stores your site’s content in a number of tables within your database, and each is named with a prefix to group them together. When you are setting up your
wp-config.php file, you will have the option, toward the bottom of the file, to change the database prefix. Pick something short, nothing nuts, but something other than
This is just adding another layer of obscurity between your site and those trying to get in. Why let them count on your tables being named a certain way if you don’t have to?
Go the extra mile, crazy
So far at least a few of these tips should be things that you have either done, or thought about doing in the past. Here are a few of the techniques that only the most secure WordPress sites will worry about. Odds are not many of us are taking advantage of one of these last three tips, let alone all three. Any takers?
Tip 10: Limit login attempts
But let’s assume they (yeah, they — scared yet?) get lucky and try to login with your actual username. What’s to stop them?
We talked about hiding the error printouts on the login page, and about changing the default username from “admin” to something else. But let’s assume they (yeah, they — scared yet?) get lucky and start trying to login with one of your actual usernames. What’s to stop them from using a brute force attack for as long as it takes to guess the right password?
Well, there is one simple way. Grab the aptly titled Limit Login Attempts from the WordPress Plugins directory and activate it on your site (2.7+). Then you’ll be able to set how many chances a user will have to attempt to login for a specified amount of time.
Tip 11: Use SFTP instead of FTP
This one should seem obvious, but it’s always the little things like a stray “S” which throw us off. Are you using a plain old standard FTP connection when you should be using a secure FTP connection? Shame shame.
Avoid anyone listening in to your site activity by securing that connection. Any program you’re using to connect will have that option. Use it. There’s a good sport.
Tip 12: Move the
Did you even know you could move the
wp-config.php file? No? That’s okay, I wasn’t aware until doing research for this tutorial either.
Apparently a recent WordPress update allows us to move our config files for an added level of security. You can freely move the
wp-config.php file up one level higher than the rest of your WordPress installation. See the mention regarding this in the Codex.
For anyone interested in doing more heavy lifting with their config files, see WordPress Configuration Tricks as well.
Time to hug and share
Odds are someone here has a story or two regarding WordPress security. It’s one of those things that never seems to come to our minds until we get burned by it, at some point. Anyone here burned?
Or, an even better question: how many of these tips can you proudly say you are already following?
Or, what tips did I leave out? I showed you my cleverness, now you show me yours.