Secure Your WordPress Site

No matter how big or small your website is, there will always be people trying to hack it. They use bots to find your login page and then brute force their way into your admin area.

Brute force means trying many logins in a row, working through the most common username and password combinations in the hope that one of them gets them into your admin area.

On a WordPress site the weak spots are there for everyone to find. That is the trade-off with open source software: anyone who looks hard enough can see how the default setup works and where it can be bypassed. On the flip side, if you know about the weaknesses then you also know what you have to do to fix them.

In this article I will go through what you should do on any WordPress site to protect it from being hacked. If you think your site isn't big enough to be worth attacking, you are wrong: look at your server's access and 404 error logs and you will see requests probing for database tools, admin pages and login pages.

Move wp-config.php File

The first thing I do to secure WordPress is move wp-config.php up one level, out of the website root. WordPress looks for wp-config.php in the site root first and, if it isn't there, in the directory directly above (as long as that directory doesn't contain its own wp-settings.php, which would mark it as a separate install). Because that directory is outside the document root, the file can never be served over HTTP, so a server misconfiguration that suddenly serves PHP as plain text cannot leak your database credentials. Check that the directory above your document root really is outside the web-served area on your host before you rely on this.

Remove The Admin User

Older WordPress installers created a user called admin for you, and although newer versions let you choose the first username, many people still pick admin. Because it is the first username attackers will try, you should get rid of it. You will have a strong password, so guessing it is hard, but an attacker who also has to guess the username has two unknowns to work through instead of one.

The admin account has full control of your WordPress site; if it is compromised the attacker can take down your entire site.

All you have to do is create a new user with the Administrator role and a name that isn't guessable, log in as that new user and delete the old one. When WordPress asks what to do with the old user's content, attribute it to the new account rather than deleting it.

Use a Strong Password

This goes without saying, but I have to include it here just to make sure you don't forget it. For any of your online accounts you should always use a strong password: long, unique to that site, and not based on a dictionary word or your site's name.

As most attackers use a program to run through many password combinations, a strong password makes it far harder for them; a password that appears on the common-password lists those programs use will fall in seconds.

If you find it hard to remember strong passwords, use software to remember them for you, for example a password manager such as LastPass.

If you want help coming up with a strong password there is a PHP script to help you generate strong passwords.

Disable Unused User Accounts

If you have multiple users on your WordPress site, you need to keep the list under review and remove any accounts that are no longer used.

Anyone with an account in your admin area can act on your site: add posts, delete posts and, depending on their role, edit files. Your own password may be strong, but you don't control the other users' passwords, so every extra account is another door into your admin area.

If they're not being used, delete them.

Always Update WordPress ASAP

WordPress now has so many features, and so many plugins for anything else, that most updates are not big feature releases; most of them close security holes and fix bugs.

When the WordPress team is made aware of a security problem they fix it and release a new version. This is why it's so important to update your WordPress install ASAP: once a fix is public, so is the hole, and attackers scan for sites that haven't patched it yet. The same goes for your plugins and themes.

Remove WordPress Version Number

Telling attackers which WordPress version you are running lets them pick the exploits that are known to work against it. Removing the version number from your pages takes away that easy shortcut. Don't rely on it alone, though: the version can also be fingerprinted from readme.html, the ?ver= query strings on bundled scripts and stylesheets, and the feeds, so hiding it is a nuisance for attackers rather than protection. Keeping up to date is what actually closes the holes.

I wrote a previous article about how you can remove the version number from your WordPress site.

Change File Permissions

Make sure your file permissions are no wider than they need to be. The usual baseline on a WordPress install is 644 for files and 755 for directories: the owner can write, while the web server and everyone else can only read (and enter directories). wp-config.php holds your database credentials, so tighten it further to 640, or 600 if the web server runs as your own user. This makes sure that other people on the server are not able to change any of your files.

To check, log in to your FTP server, right click on a folder or file and look at its permissions. Make sure nothing is 0777: that gives every user on the server, including a compromised neighbouring site, write access to your files.

In short: 644 for files, 755 for folders, and 640 or 600 for wp-config.php.
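Doing this by hand in an FTP client is fine for a few files but error-prone across a whole install. The script below is an added example, not code from the original article: it applies the 644/755 baseline over a tree with find, tightens wp-config.php to 640, and then lists anything still writable by "other", which is the 777 problem described above. It runs on a constructed temporary tree so you can try it anywhere; WP_ROOT is an assumed placeholder, so point it at your real document root when you are ready.

```shell
#!/bin/sh
# Added example (not from the original article): set the 644/755 baseline
# the article recommends, tighten wp-config.php, and audit for anything
# world-writable. WP_ROOT below is a constructed temp tree, not a real site.
set -eu

# Apply the baseline: directories 755, files 644, wp-config.php 640
# (readable by the web server's group, not by other users on the box).
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# List everything under $1 that is writable by "other" (the 0777 case the
# article warns about, and any 0666 file). Empty output means clean.
find_world_writable() {
    find "$1" -perm -0002 -print
}

# Demo on a constructed tree so the script runs anywhere.
WP_ROOT="$(mktemp -d)"
mkdir -p "$WP_ROOT/wp-content/uploads"
: > "$WP_ROOT/wp-config.php"
: > "$WP_ROOT/wp-content/uploads/dropped.php"
# Simulate the bad state: an upload directory and a file left at 777.
chmod 777 "$WP_ROOT/wp-content/uploads" "$WP_ROOT/wp-content/uploads/dropped.php"

echo "World-writable before fix:"
find_world_writable "$WP_ROOT"
fix_wp_perms "$WP_ROOT"
echo "World-writable after fix (should be empty):"
find_world_writable "$WP_ROOT"
```

Run it over SSH on the server itself, as the owner of the files. If the web server runs as a different user and needs to write into wp-content/uploads, give that one directory group write access for the web server's group rather than going back to 777.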

Backup Your Database

Despite all the best security precautions things can still go wrong, so get into the habit of backing up your database so that if anything does go wrong you can recover quickly. Back up wp-content too (uploads, themes and plugins); a database dump on its own won't restore your site.

A good plugin to use for automatic backups is WordPress Database Backup: you can set it to back up your database weekly and it will send the SQL file to your email address. If you have a lot of space on your email account you can use this to store your weekly backups, but remember the dump contains your users' password hashes, so keep it somewhere private.

Some of the best automatic WordPress backup plugins are:

You can set them up and forget about them until you really need them, but test a restore at least once so you know the backups actually work.

Hide Your WordPress Plugins

A plugin is a piece of code that runs on your WordPress site, and just like WordPress itself it can have security holes. Plugins have full access to your WordPress database. If an attacker knows which plugins you are running they can look up known vulnerabilities in those plugins and use them against your site.

Make sure that you hide the list of plugins you are using.

Navigate to /wp-content/plugins/ in a browser and see if you get a directory listing of your plugin folders. If you do, add an empty index.php or index.html file to that folder, or disable directory listings for the whole site as described below. Bear in mind this only hides the listing: a plugin's own files at a known path (its readme.txt, for instance) can still be requested, so this is a speed bump rather than a wall.

Install AntiVirus

Viruses, worms and malware exist for WordPress and could easily attack your installation. The AntiVirus for WordPress plugin monitors your site for malicious injections and warns you of any possible attack, and it has multilingual support. It is a plugin you should have.

AntiVirus For WordPress

Be Careful Of Plugins

WordPress plugins are the features that help make WordPress so great, but they are code you are installing on your site. You are trusting the developer of the plugin not to do anything that harms your site, and to keep it patched.

You don't want to install a plugin only for it to delete your entire posts table and lose everything. Plugins in the official directory are reviewed, but things can still slip through the net, so check the ratings, reviews and support threads before you install one. A plugin with millions of downloads is usually safe, but popularity is not a guarantee: also check when it was last updated and whether it is tested with your WordPress version, because an abandoned plugin is where old holes stay open.

Secure WordPress With htaccess

Using .htaccess you can secure your WordPress site in several ways. The snippets below use the Apache 2.2 Order/Allow/Deny directives; on Apache 2.4 these only work if mod_access_compat is loaded, otherwise use the equivalent Require directives (for example Require all denied in place of Deny from all). After each change, request the protected URL in a browser and confirm you get a 403.

Deny access to the wp-config.php file.

<Files wp-config.php>
 Order Allow,Deny
 Deny from all
</Files>

Block WordPress Admin By IP

Put a .htaccess file inside the wp-admin folder with the following, replacing the example address with your own IP (add one Allow line per address if several people need access):

Order Deny,Allow
Deny from all
Allow from 203.0.113.7

Note that admin-ajax.php inside wp-admin is requested by visitors' browsers for many themes and plugins, so if front-end features stop working add a <Files admin-ajax.php> block that allows everyone. This also won't help if your IP changes often; in that case use the login-page restriction or a login limiter instead.

Block access to your whole site for certain IP addresses (the addresses below are examples; replace them with the ones you see misbehaving in your logs). Don't wrap these rules in <Limit GET POST PUT>; that would leave every other request method unrestricted.

Order Allow,Deny
Allow from all
Deny from 203.0.113.7
Deny from 198.51.100.5
Deny from 192.0.2.10

Blacklist IP Addresses With htaccess.

Block Access To wp-content Folder

The wp-content folder contains all your images, plugins and themes, so it is a very important folder for your WordPress site. If an attacker gets into this folder they can delete all your themes and plugins and leave your site blank.

To block direct access to your wp-content folder, create a new .htaccess file and save it at the root level of wp-content.

Now add the following to this new .htaccess file. It denies direct requests to everything in wp-content except the static file types listed; PHP files in plugins and themes still work because WordPress includes them internally rather than over HTTP.

Order Deny,Allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Extend the list if your theme serves other files directly (fonts, SVG, ico, PDFs), and test the site afterwards: a plugin that is deliberately called by URL will break until you allow it.

Disable Directory Browsing

If a visitor requests a directory that has no index.html or index.php, Apache will list every file in it. You can stop this in .htaccess with the following line, which disables listings even when no index file exists. If your host doesn't permit Options in .htaccess you will get a 500 error; in that case drop an empty index.php into the folders instead.

# directory browsing
Options All -Indexes

Block Access To wp-login.php With htaccess

Just as we can block access to the wp-config.php file we can do the same for the login page to make sure only certain IP addresses can access the login form.

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
</Files>

Protect Against Requests That Haven't Got A HTTP_USER_AGENT

Comment spam bots often POST straight to wp-comments-post.php without sending a referer or a user agent. The following rules reject such POSTs with a 403; replace yourwebsite.com with your own domain. Be aware that some privacy tools and proxies strip the Referer header, so real commenters behind them will be blocked too.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]
</IfModule>

Block File Types Being Served From Uploads Folder

The WordPress uploads folder should only serve the media you upload, but because everything uploaded ends up there it is the first place an attacker will try to drop a PHP script. The following .htaccess, saved inside wp-content/uploads, refuses to serve anything except image files from that directory, so even a script that does get uploaded cannot be executed by requesting it. Extend the allowed list if your site legitimately serves other uploads (PDFs, audio, documents), but never add php.

# Secure /uploads/ directory from unwanted file types
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|tif|tiff)$">
Order Deny,Allow
Allow from all
</FilesMatch>

Hide Login Error Messages

On the WordPress login page, if you type an incorrect username or password it returns an error message saying what went wrong.

If the username doesn't exist, WordPress tells me the username is invalid, so I know to try something else.

If the username does exist and only the password is wrong, WordPress instead tells me that the password I entered for that username is incorrect.

Now I know that there is a user called admin and I can keep trying passwords until I get one right.

Yes, this is a helpful message for real users of the site, as they can see what they got wrong. But for attackers it confirms what they have got right: it lets them enumerate valid usernames before they even start guessing passwords.

There is a login_errors filter hook you can use to remove the error message from the login page.

Copy the following into your theme's functions.php file (or a small plugin). The callback is the WordPress helper __return_empty_string; older versions of this snippet used create_function, which is deprecated and has been removed in PHP 8, so avoid it.

add_filter( 'login_errors', '__return_empty_string' );

Bear in mind that usernames also leak through author archives (?author=1 redirects to the author's slug) and the REST API users endpoint, so this removes one hint, not all of them.

Disable Theme And Plugin Editor

When an admin user is logged into WordPress they can edit the theme and plugin files installed on the site straight from the admin area. This is handy if the admin needs to make a very quick change to the theme, for example fixing a spelling mistake they have just noticed.

But if someone breaks into an admin account, that editor lets them write arbitrary PHP into your theme or plugin files.

To remove the editor from the admin area, so nobody can edit the theme or plugins directly, add the following to your wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );

If you also want to stop plugins and themes being installed or updated from the admin area (for example because you deploy from version control), DISALLOW_FILE_MODS does that too, but then you must apply updates from the command line or your deploy process.

Change Database Prefix

As WordPress is an open source application, the default database table names (wp_users, wp_posts and so on) are known to everyone. Knowing the exact table names makes it slightly easier for an attacker to write a SQL injection payload that reads or deletes records in a specific table.

Changing the prefix of your WordPress database tables means they can't simply assume the defaults. Treat it as obscurity, not a fix: an attacker with a working SQL injection can read your real table names from information_schema, so the real defence is keeping WordPress and its plugins updated so the injection hole doesn't exist in the first place.

The best time to change the table prefix is before you install your site, either on the installation page or by changing the $table_prefix variable in wp-config.php.

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'cantguessthisone_';

Warning! If you do this on an already installed WordPress site without also renaming the database tables and updating the prefixed values inside them (for example in wp_options and wp_usermeta), you will break your site.

To change your table prefix safely the best thing to do is to use a WordPress plugin.

DB Prefix Change

Prevent Direct Access To Your Files

By using the WordPress constant ABSPATH you can make sure your theme and plugin files aren't run by requesting them directly. WordPress defines the ABSPATH constant early in its bootstrap, so if it isn't defined then WordPress has not loaded and the file is being hit directly. Put the following at the top of your PHP files, after the opening tag, to stop execution in that case.

<?php
if ( ! defined( 'ABSPATH' ) ) {
    exit; // Exit if accessed directly: WordPress has not loaded.
}

Limit Login Attempts

It's important to slow down brute force attacks on your login page. There is a very good plugin called Limit Login Attempts that lets you set how many failed login attempts are allowed before the client is locked out.

It records every login attempt to your WordPress admin area, with the IP address and the username that was used.

If an IP fails to log in more times than you allow (the example in this article uses 3), the plugin locks it out of the login page for a period of time, and you can have it email you when a lockout happens. One caveat: lockouts are keyed on the client IP, so if your site sits behind a reverse proxy or CDN you must tell the plugin to read the forwarded address, otherwise every visitor shares one IP and a single attacker can lock everybody out.

This is a very useful plugin, so make sure you install it on all your WordPress sites.
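The log check mentioned in the introduction, the IP blacklist from the htaccess section and the failed-login counting this plugin does can all be approximated from the web server's own access log. The script below is an added example and not part of the original article or the plugin: it counts POSTs to wp-login.php and 404s per client IP in an Apache combined-format log and turns the worst offenders into Deny from lines ready for .htaccess. The log lines are constructed for the demo and the addresses come from the documentation ranges; on a real server point the functions at your access log instead.

```shell
#!/bin/sh
# Added example (not from the original article): pick brute-force and probing
# activity out of an Apache combined-format access log, then turn the worst
# offenders into "Deny from" lines for .htaccess. SAMPLE_LOG below is
# constructed for the demo; the IPs are from the documentation ranges.

# POSTs to wp-login.php per client IP, highest count first.
# Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
login_posts_per_ip() {
    awk '$6 == "\"POST" && index($7, "/wp-login.php") == 1 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# 404s per client IP: scanners hunting for phpmyadmin, backups and so on.
not_found_per_ip() {
    awk '$9 == "404" { n[$1]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs with at least $2 login POSTs in the log, one per line.
flag_ips() {
    login_posts_per_ip "$1" | awk -v t="$2" '($1 + 0) >= (t + 0) { print $2 }'
}

# The same IPs as Apache 2.2 access-control lines for .htaccess.
deny_rules() {
    flag_ips "$1" "$2" | awk '{ print "Deny from " $1 }'
}

# Constructed sample log: one password-guesser, one scanner, one real admin.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3105 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3105 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3105 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3105 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2013:14:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Oct/2013:14:01:03 +0000] "GET /backup.sql HTTP/1.1" 404 512 "-" "-"
198.51.100.23 - - [10/Oct/2013:14:01:04 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "-"
192.0.2.10 - - [10/Oct/2013:15:20:11 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:15:20:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2013:15:20:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 25012 "http://example.com/wp-login.php" "Mozilla/5.0"
EOF

echo "Login POSTs per IP:"
login_posts_per_ip "$SAMPLE_LOG"
echo "404s per IP:"
not_found_per_ip "$SAMPLE_LOG"
echo "Deny rules for IPs with 3 or more login POSTs:"
deny_rules "$SAMPLE_LOG" 3
```

A real admin logs in with one or two POSTs, so a threshold of a few attempts within the log window separates people from bots well; review the flagged list before pasting it into .htaccess, because a shared office or proxy address can look like an attacker.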

Limit Login Attempts

WordPress Specialised Hosting

For secure WordPress hosting I will always use a company that specialises in WordPress hosting. It means everyone in the company works with WordPress every day, can give your site the best service, and knows how to secure it.

The best specialised WordPress hosting company for both speed and security is WPEngine, they are very security focused, take daily backups of your database and files and will also fix your site if it does get hacked.

WPEngine

When connecting to your hosting, use SFTP instead of plain FTP. Plain FTP sends your username, password and files in clear text, so anyone on the network path can read them. SFTP is file transfer over SSH, so credentials and data are encrypted in transit; most FTP clients support it, you simply choose SFTP as the protocol (usually on port 22).

Safe!

Now you have made these changes to help secure your WordPress site, but this doesn't mean the job is finished. Keep checking your server logs, 404 error logs and analytics reports for any strange behaviour, and keep WordPress, your plugins and your themes up to date.

What Do You Do To Secure WordPress?

If you have any more tips on securing WordPress please let me know, leave a comment.

With your help I want to make this a massive list of great ways to secure WordPress.

Books That Can Help Secure WordPress

For some people who prefer to work from books then here are a couple of WordPress books that can help you secure your site.

Locking Down WordPress

Locking Down WordPress | Code Poet
Locking Down WordPress is a book from Code Poet, a website run by the people at Automattic. It looks at some of the best known security fixes for WordPress; some of these tips are mentioned above, but it's well worth a read for anyone with a WordPress site.

Download Locking Down WordPress
