12 Clever Tips for Securing Your WordPress Site

WordPress Security Tips (masthead)

I’ll be the first to admit that security is far from a fun issue to deal with. If it wasn’t for this cool masthead I whipped up for the occasion, I probably wouldn’t even be excited to talk about it!

But in all seriousness, without taking these precautions you will, eventually, suffer the consequences. It happens to big sites hoping to profit and smaller personal weekend blogs. No one is safe. The most you can do, and the smartest you can be, is to follow the steps I’ve outlined below. With any luck you’ll avoid any WordPress security issues in the future.

First: un-cross your fingers. That won’t help you at all. Okay, now proceed.

Don’t be dumb: cover the basics

Your primary protection against the most common WordPress insecurities is to stay smart and on your game.

Tip 1: Update your version of WordPress

And here comes what is probably the least clever tip on this list: keep an up to date version of WordPress. The team responsible for keeping all of our sites safe is pretty quick to take care of any immediate security concerns, so as long as you keep an eye on the WordPress.org development blog (or alternatively the automatic updater in the most recent version of WP) you should be set to go.

Tip 2: Keep your Plugins up to date

The second security loophole most likely to claim you as its victim is an insecure or out-of-date Plugin (or theme, technically). More likely it’s a Plugin that needs updating, but themes can sometimes carry assets with them which will require updating from time to time. The easiest way to stay safe is simply to update Plugins when WordPress prompts you. If you follow me on Twitter, I’m sure to sound the alarm any time a Plugin shows signs of being vulnerable.

It also wouldn’t hurt you to remove any inactive, unnecessary themes and Plugins. The less mess to keep track of the more likely you are to take care of it.

Tip 3: Maintain recent backups

While it won’t necessarily prevent you from being compromised, it’s still good thinking to keep steady backups of your database and your wp-content folder. If your site is compromised, however it happens, having a backup on hand will greatly speed up your recovery. Which would you rather lose: a couple of comments by reverting to the weekend’s backup, or 5 hours removing spam content from the end of each of your posts and pages?

For convenient WordPress database backup, check out WP-DB-Backup, a Plugin that makes it painless. Just remember to look after your wp-content folder as well!

Don’t show the house your cards

Certain things won’t necessarily jeopardize you on their own, but letting them hang out won’t help you either.

Tip 4: Hide your directories

Take the effort to hide your directories so that they can’t be viewed by anybody that’s curious. As of WordPress 2.8 (if not 2.7?) we now have an index.php file in each directory that we’d otherwise be concerned about someone malicious viewing in a browser. We’re talking about the Plugins folder, for instance. Without a blank index file to prevent the folder contents from showing, anyone could see the Plugins you have, which would only make it that much easier for them to exploit any of your site’s weaknesses.

Keep in mind that if you have an older version of WordPress running (assuming you can’t upgrade, for some reason) then be sure that you have an empty index.html file in your Plugins directory. Be safe.

Tip 5: Hide login page error feedback

Something else the general public shouldn’t be able to see is the error feedback on your login page. Remove your error feedback to stop anyone from whittling away at potential logins.

See, normally when you try to log in and mess something up, WordPress dishes out a helpful sentence or two explaining that either your username or your password is incorrect. While this is helpful for you and your site’s members, it’s also helpful for anyone trying to do bad things to your site.

Luckily it’s just a simple addition to your theme’s functions.php file in order to get rid of this info:

add_filter('login_errors', function ($errors) { return null; }); // create_function() was removed in PHP 8; an anonymous function does the same job

Tip 6: Hide your version number

The third thing nosy do-badders will poke around your site looking for is your WordPress version number. Depending on your theme, this information may be printed into your footer.php file, proudly displayed for all to see.

In most cases, though, it will be inserted automatically by WordPress into your header via the wp_head(). When it’s working, it will print this at the top of your page’s source:

<meta name="generator" content="WordPress 2.8" />

That’s showing a little more skin than we want. But how do we kill it? After all, we need the wp_head() around for just about any Plugin we might use. Just like the above tip, this one can be remedied with a single line in your functions.php file:

remove_action('wp_head','wp_generator');

Presto change-o, no more version number.

Don’t be like everyone else

One thing that hackers have on just about every WordPress site out there is that they know there are a certain number of givens, some default settings that every user starts with. Your best bet is to change these defaults to things that only you know.

Tip 7: Delete the admin user

The first thing you should do is replace the default username of “admin” with something less obvious. Use a variation on your name, same as you would with any users you would add to your site.

There’s a right way to do this. First, create your new username and all of the info attached to it. Make sure the new username is an administrator on your site. Then log out and log back in under your new account. Delete the admin username, and attribute all of admin’s posts/pages to your new user account.

Tip 8: Create a secure password

I’m not a security guru or anything, but if I had to guess, more people get burned for having completely guessable passwords than for any other reason. The simplest test: if you can look up your password in a dictionary, it’s a bad password.

My test: if you know your password, it’s a bad password. Pick up a nifty app like 1Password, which is what I use, and protect your password. While you’re at it, do the same thing for everything you log in to. You’ll be amazed how much you can do with all of the space in your head you used up storing passwords before.

Not really, but that sounds pretty enticing doesn’t it?

Tip 9: Change the database prefix from wp_

WordPress stores your site’s content in a number of tables within your database, and each is named with a prefix to group them together. When you are setting up your wp-config.php file, you will have the option, toward the bottom of the file, to change the database prefix. Pick something short, nothing nuts, but something other than wp_.

This is just adding another layer of obscurity between your site and those trying to get in. Why let them count on your tables being named a certain way if you don’t have to?
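The tip covers picking the prefix when wp-config.php is first set up; comment 6 below asks how to change it on a site that is already running. As an added example that is not the post’s or WordPress’s own code, this one-off script renames an existing single-site install’s tables and the prefix-bearing option and meta keys; wpcandy_rename_prefix and the sample prefix zx7_ are placeholders chosen for the example, and it assumes a fresh database backup (Tip 3) and that it sits beside wp-load.php.

```php
<?php
/*
 * Added example, not code from the original post: rename the tables of an
 * EXISTING single-site install from one prefix to another. Run it once from the
 * WordPress root while wp-config.php still carries the OLD prefix, then change
 * $table_prefix in wp-config.php to the new value. Back up the database first;
 * RENAME TABLE cannot be undone from inside WordPress. Multisite is not handled.
 * wpcandy_rename_prefix() and 'zx7_' are placeholder names chosen for this example.
 */
require __DIR__ . '/wp-load.php'; // assumes this script sits beside wp-load.php

function wpcandy_rename_prefix( $old, $new ) {
    global $wpdb;
    // Both prefixes end up inside backtick-quoted identifiers, so restrict them hard.
    if ( ! preg_match( '/^[A-Za-z0-9_]+_$/', $old ) || ! preg_match( '/^[A-Za-z0-9_]+_$/', $new ) ) {
        return new WP_Error( 'bad_prefix', 'Prefixes must be letters, digits or _ and end in _.' );
    }
    // 1. Rename every table that starts with the old prefix.
    //    esc_like() escapes the underscore, which is otherwise a LIKE wildcard.
    $tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $old ) . '%' ) );
    foreach ( $tables as $table ) {
        $target = $new . substr( $table, strlen( $old ) );
        $wpdb->query( "RENAME TABLE `{$table}` TO `{$target}`" );
    }
    // 2. Some row KEYS embed the prefix as well. Skipping this step locks every user
    //    out: roles live in {prefix}options under {prefix}user_roles, and each user's
    //    capabilities in {prefix}usermeta under {prefix}capabilities and friends.
    $wpdb->query( $wpdb->prepare(
        "UPDATE `{$new}options` SET option_name = %s WHERE option_name = %s",
        $new . 'user_roles', $old . 'user_roles'
    ) );
    $wpdb->query( $wpdb->prepare(
        "UPDATE `{$new}usermeta` SET meta_key = CONCAT(%s, SUBSTR(meta_key, %d)) WHERE meta_key LIKE %s",
        $new, strlen( $old ) + 1, $wpdb->esc_like( $old ) . '%'
    ) );
    return count( $tables );
}

$renamed = wpcandy_rename_prefix( $GLOBALS['table_prefix'], 'zx7_' ); // 'zx7_' is a constructed sample
echo is_wp_error( $renamed )
    ? $renamed->get_error_message() . "\n"
    : "Renamed {$renamed} tables; now set \$table_prefix = 'zx7_' in wp-config.php.\n";
```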

Go the extra mile, crazy

So far at least a few of these tips should be things that you have either done, or thought about doing in the past. Here are a few of the techniques that only the most secure WordPress sites will worry about. Odds are not many of us are taking advantage of one of these last three tips, let alone all three. Any takers?

Tip 10: Limit login attempts

We talked about hiding the error printouts on the login page, and about changing the default username from “admin” to something else. But let’s assume they (yeah, they — scared yet?) get lucky and start trying to login with one of your actual usernames. What’s to stop them from using a brute force attack for as long as it takes to guess the right password?

Well, there is one simple way. Grab the aptly titled Limit Login Attempts from the WordPress Plugins directory and activate it on your site (2.7+). Then you’ll be able to set how many chances a user will have to attempt to login for a specified amount of time.
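Tip 10 hands the job to a plugin. As an added example, not the post’s code and not the Limit Login Attempts plugin’s, here is the same idea built on WordPress’s own hooks for functions.php or a small plugin; the wpcandy_ names, the limit of 5 attempts and the 15-minute window are placeholders chosen for the example.

```php
<?php
/*
 * Added example, not from the original post or the Limit Login Attempts plugin:
 * a minimal login limiter. It counts failed logins per client address in a
 * transient and refuses further attempts once the limit is reached, until the
 * transient expires. Names prefixed wpcandy_ are placeholders for this example.
 */
const WPCANDY_MAX_ATTEMPTS = 5;       // failures allowed inside one window
const WPCANDY_LOCKOUT_SECS = 15 * 60; // how long the failure counter lives

function wpcandy_client_key() {
    // REMOTE_ADDR is the TCP peer. Behind a reverse proxy you would have to map
    // X-Forwarded-For against a list of trusted proxies; trusting that header
    // blindly lets any client choose its own bucket, so this example ignores it.
    return 'wpcandy_fails_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Fires on every failed login (core skips it for empty username/password):
// bump the counter and restart the expiry window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wpcandy_client_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, WPCANDY_LOCKOUT_SECS );
} );

// Priority 30 runs after core's username/password handlers (priority 20), so a
// locked-out client is refused even when it finally submits the right password.
// That refusal is itself a failed login, so the window keeps extending while
// the client keeps trying.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $fails = (int) get_transient( wpcandy_client_key() );
    if ( $fails >= WPCANDY_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', WPCANDY_LOCKOUT_SECS / 60 )
        );
    }
    return $user;
}, 30, 3 );

// On success, forgive the typo or two that came before it.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wpcandy_client_key() );
}, 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across requests without a table of their own.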

Tip 11: Use SFTP instead of FTP

This one should seem obvious, but it’s always the little things like a stray “S” which throw us off. Are you using a plain old standard FTP connection when you should be using a secure FTP connection? Shame shame.

Avoid anyone listening in to your site activity by securing that connection. Any program you’re using to connect will have that option. Use it. There’s a good sport.

Tip 12: Move the wp-config.php file

Did you even know you could move the wp-config.php file? No? That’s okay, I wasn’t aware until doing research for this tutorial either.

Apparently a recent WordPress update allows us to move our config files for an added level of security. You can freely move the wp-config.php file up one level higher than the rest of your WordPress installation. See the mention regarding this in the Codex.

For anyone interested in doing more heavy lifting with their config files, see WordPress Configuration Tricks as well.

Time to hug and share

Odds are someone here has a story or two regarding WordPress security. It’s one of those things that never seems to come to our minds until we get burned by it, at some point. Anyone here burned?

Or, an even better question: how many of these tips can you proudly say you are already following?

Or, what tips did I leave out? I showed you my cleverness, now you show me yours.

27 thoughts on “12 Clever Tips for Securing Your WordPress Site”

  1. Excellent post Ryan! I might link to this for my presentation at WordCamp Montreal on WordPress Security if you don’t mind. It’s a great resource for WP Security!

  2. You covered a lot of important measures here Ryan, I know I need to be more vigilant in securing my WordPress installs!

    There are some other good tips in the “Hardening WordPress” article in the Codex. I try to at least use the recommended File Permissions so that I am not leaving things too open.

  3. Hi Ryan,

    Nice post. I personally password protect the wp-admin folder, using the Password Protection function in CPanel (although the AskApache Password Protect plugin essentially does the same thing).

    • Good one Stephen! I didn’t know about this Cpanel Protection stuff before. Works more effectively than AskApache’s, that’s for sure.
      By the way, Ryan you didn’t miss a thing. These are the most useful 12 tips one user can use to harden his WordPress! Not to say crucial. I’ve already implemented the 11 tips but I’m a bit lazy when it comes to SFTP (never used one before and lately had some problems using it). So for now I will stick with the ol’ buddy.
      Thanks for the tips!

  4. Pingback: Theme Playground | 12 Clever Tips for Securing Your WordPress Site

  5. Pingback: Automate The Maintenance of your WordPress Blog – FREE!

  6. Thanks for the details, Ryan. There are a few here that I was wondering about. These are all simple techniques and, in combination, I’m sure they are very effective.

    I have been using Tip #9 for a long time, but I notice now that most web hosts – BlueHost, for example – don’t make this an option when you use their quick installation script. They create the database and the wp-config.php file for you.

    Once a database has been created, do you know if there is a way to change the prefix? If not, I might ask them to make that an advanced option when using the quick installer.

  7. Pingback: 10 Useful WordPress Security Tweaks - Smashing Magazine

  8. Didn’t understand Tip #4. I generally name my home page index.php or index.html. The tip mentions having a blank index.php or .html file??? Can anyone explain this one? :) Thanks!

    • What he means is, in each subdirectory of WordPress (i.e. url.com/themes/plugins), there is an index.php file that is called when someone tries to view that directory in a browser. This prevents the contents of a directory from being shown, which is done by default on many servers.

      The index.php file of your theme stays in your theme folder/directory and is used by WordPress to render your template. Index pages in other directories have no effect on your theme :)

  9. Pingback: Useful WordPress Security Tweaks | UserZen

  10. Excellent article. You can have all these security measures in place but if you get hit with a phishing scam and give up your password you are in deep doo doo. Don’t ask me how I know this :)
    My point…be careful of phishing emails!!

  11. Pingback: Community links: Open source motivations edition | WPCandy

  12. Pingback: How to Setting up Limit Logon Attempts for WordPress Blog

  13. For #5 here is a more friendly approach

      // Security update: hide error messages for failed login
      function login_error_msg () {
          // Custom login error message
          $login_err_msg = "Invalid User Name or Password";
          return $login_err_msg;
      }

      add_filter('login_errors','login_error_msg');

  14. I was just searching the internet for WP security tutorials, thanks for this one.
    One thing though. Everyone removes their version from the wp_head… but know what? I can still see your version.
    Check for yourself: http://wpcandy.com/readme.html
    And I will definitely go through my site tonight and make it much safer. Thanks for the tip. And remove your readme file everyone.

    • Hey alpipego, you are very much right. Everyone uses security plugins, tweaks core files, uses .htaccess tricks, hides folders, etc., but they actually forget to remove or move the readme.html file, as you rightly mentioned. I think wpcandy has not yet removed it; I have just now checked it out – wpcandy uses WordPress version 3.3.2. Thanks alpipego for telling this to us.
