WordPress is a very popular platform these days (around 8.5% of all the world's websites are powered by WordPress!). As it is open source, everybody has access to its source code and can easily experiment with new cracking/hacking methods. Don't get me wrong, WordPress is a secure piece of software.
With little effort you can protect your WordPress site by following these few easy steps to harden the security of your WordPress installation.
Did you know that more than one million WordPress sites were cracked last year? Was your site or your client's site among them?
1. Don’t use ‘admin’ username
As of version 3.0, WordPress has the option to change your admin username to whatever you like, and I encourage you to do so. Anybody who tries to get into your WordPress admin section will try 'admin' as the username. If you change it, a potential hacker has to guess both the username and the password.
If you are running an older version of WordPress (which I do not recommend), you can change the admin username directly in the database. Open phpMyAdmin and run this query:
[code lang="sql"]
-- Rename the default administrator login; run once from the SQL tab in phpMyAdmin.
UPDATE wp_users SET user_login = 'your_new_login' WHERE user_login = 'admin';
[/code]
2. Install Login LockDown Plugin
A potential hacker will try to break your username/password combination using a brute-force or dictionary attack on your WordPress login screen. The Login LockDown plugin will prevent that.
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
You can download Login LockDown plugin from here.
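The lockout rule quoted above, as an added Python model that is not the plugin's code: failed attempts are grouped by IP range, a /24 block is assumed as the range granularity, and the thresholds are the plugin defaults of 3 failures within 5 minutes and a 1-hour lock.

```python
import ipaddress
from collections import defaultdict

# Defaults quoted in the post: 3 failures within 5 minutes from one IP
# range lock that range out for 1 hour. A /24 block is assumed as the range.
MAX_FAILURES, WINDOW, LOCKOUT = 3, 5 * 60, 60 * 60

def ip_range(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(list)  # range -> recent failure timestamps
        self.locked_until = {}             # range -> unlock timestamp

    def is_locked(self, ip, now):
        rng = ip_range(ip)
        until = self.locked_until.get(rng)
        if until is not None and now < until:
            return True
        self.locked_until.pop(rng, None)   # expired (or never locked)
        return False

    def record_failure(self, ip, now):
        """Log a failed attempt; lock the range once the threshold is hit."""
        rng = ip_range(ip)
        recent = [t for t in self.failures[rng] if now - t < WINDOW] + [now]
        self.failures[rng] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[rng] = now + LOCKOUT
            self.failures[rng] = []

def replay(events):
    """Feed constructed (timestamp, ip, credentials_ok) events; return refused ones."""
    ld, refused = LoginLockdown(), []
    for t, ip, ok in events:
        if ld.is_locked(ip, t):
            refused.append((t, ip))        # refused before the password is checked
        elif not ok:
            ld.record_failure(ip, t)
    return refused

SAMPLE = [  # constructed: three failures from 203.0.113.0/24 inside 5 minutes
    (0, "203.0.113.10", False),
    (60, "203.0.113.10", False),
    (120, "203.0.113.11", False),   # third failure: block locked until t=3720
    (130, "203.0.113.12", True),    # same block, right password, still refused
    (200, "198.51.100.7", True),    # different range, allowed
    (3800, "203.0.113.12", True),   # lockout expired, allowed again
]
```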
3. Install Secure WordPress plugin
There are many places inside your WordPress site that tell a potential hacker the version of your WordPress installation, as well as other dangerous information.
Secure WordPress beefs up the security of your WordPress installation by removing error information on login pages, adding index.html to plugin directories, hiding the WordPress version and much more.
- Removes error-information on login-page
- Adds index.php to the plugin directory (virtual)
- Removes the wp-version, except in admin-area
- Removes Really Simple Discovery
- Removes Windows Live Writer
- Removes core update information for non-admins
- Removes plugin-update information for non-admins
- Removes theme-update information for non-admins (only WP 2.8 and higher)
- Hides wp-version in backend-dashboard for non-admins
- Removes version on URLs from scripts and stylesheets only on frontend
- Blocks any bad queries that could be harmful to your WordPress website
You can download this plugin from here.
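To check your own site's front page for the disclosure points in the list above, here is an added Python audit helper (not the plugin's code, and not from the post); the markup in the constructed sample heads reflects what a default WordPress install emits, and the finding names are my own.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class WPLeakAuditor(HTMLParser):
    """Collect the disclosure points the Secure WordPress plugin removes
    from a page's HTML (hypothetical helper, not the plugin's code)."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name") == "generator" and "WordPress" in (a.get("content") or ""):
            self.findings.append(("wp-version", a["content"]))
        if tag == "link" and a.get("rel") == "EditURI":
            self.findings.append(("really-simple-discovery", a.get("href", "")))
        if tag == "link" and a.get("rel") == "wlwmanifest":
            self.findings.append(("windows-live-writer", a.get("href", "")))
        src = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if src and "ver" in parse_qs(urlparse(src).query):
            self.findings.append(("asset-version", src))

def audit(html):
    p = WPLeakAuditor()
    p.feed(html)
    return p.findings

# Constructed sample of a default front-page head, with the leaks present.
DEFAULT_HEAD = """<head>
<meta name="generator" content="WordPress 3.2.1" />
<link rel="EditURI" type="application/rsd+xml" href="http://example.com/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://example.com/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentyeleven/style.css?ver=3.2.1" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.6.1"></script>
</head>"""

# The same head after the plugin's removals (constructed).
HARDENED_HEAD = """<head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentyeleven/style.css" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js"></script>
</head>"""
```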
4. Move your wp-config.php file
Your wp-config.php file contains the database connection info, as well as other data that nobody else should be able to access. Since WordPress 2.6 you can easily move this file out of the root folder.
To do this, simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for the config file there if it can't find it in your root directory.
This way, nobody except a user with FTP or SSH access to your server will be able to read this file.
5. Change database table prefixes
By default, the WordPress table prefix is wp_. As WordPress is open source, if you leave your table prefix intact, everybody knows the exact names of your database tables.
You can change your table prefix during installation by entering a new prefix in your wp-config.php file. For changing the prefix after install, use the WP Secure Scan plugin.
6. Change default secret keys
When you open your wp-config.php file, you will see 4 secret keys:
[code lang="php"]
define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');
[/code]
I am amazed how many people, even experienced ones, do not change these keys. A secret key is a hashing salt that is used together with your password to make it even stronger.
Simply visit https://api.wordpress.org/secret-key/1.1 and copy the 4 generated keys into your wp-config.php file. It’s that simple.
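For anyone who would rather generate the keys locally than paste them by hand, here is an added Python helper (not from the post or from WordPress) that finds the four keys still left empty or at the stock placeholder in a wp-config.php and fills them with 64-character random values; the placeholder text and the character set are assumptions modelled on the api.wordpress.org output.

```python
import re
import secrets
import string

# 64-character keys over the alphabet the api.wordpress.org generator is
# assumed to use; no quote or backslash, so the value is safe in a PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDERS = {"", "put your unique phrase here"}   # assumed stock values
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\);")

def generate_key(length=64):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def weak_keys(config_text):
    """Names of secret keys that are still empty or the stock placeholder."""
    return [name for name, value in DEFINE_RE.findall(config_text)
            if name in KEY_NAMES and value in PLACEHOLDERS]

def fill_keys(config_text, keygen=generate_key):
    """Return the config with every weak key replaced by a fresh random one."""
    def repl(m):
        name, value = m.group(1), m.group(2)
        if name in KEY_NAMES and value in PLACEHOLDERS:
            return f"define('{name}', '{keygen()}');"
        return m.group(0)                 # other defines are left untouched
    return DEFINE_RE.sub(repl, config_text)

# Constructed wp-config.php fragment as shipped: all four keys empty.
SAMPLE_CONFIG = """define('DB_NAME', 'wordpress');
define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');
$table_prefix = 'wp_';
"""
```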
7. Update
Always update to the latest version of WordPress, as it is the most secure one. Don't forget to update your plugins and themes.
Updating your WordPress installation, plugins and themes is really easy to do from your admin, so do it as soon as possible. WordPress is a terrific piece of software, and by updating you will rarely, if ever, break site functionality.
8. Protect your wp-admin
The AskApache Password Protect plugin adds some serious password protection to your WordPress blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins and so on.
9. Use strong password
This is the most trivial task to do to protect your WordPress installation. But many people use weak passwords, which are easy for modern brute-force attack programs to break.
There are many tips on how to make a strong password; I personally like this Strong Password Generator. Read some tips over there to help you understand what a strong password is.
10. Backup your data regularly
This is not a security tip, but it is related. If someone hacks your site and you don't have a backup, it will be very difficult to restore the site to its previous state.
Regular backup is a must. There is a great list of WordPress Backup Plugins available here.
A few more general tips for securing a WordPress installation:
- Remove unused users from WordPress.
- Remove unused WordPress themes.
- Remove all unused WordPress plugins.
If you don’t have time to follow all of the above tips, please follow at least two of them. It will help you to enjoy the effort you invested in your WordPress site.
Is your site secured? Have some more tips like these? Please, share your thoughts with me in comments section.
Hi Zvonko, some great tips here. You often hear of people's blogs being hacked. Thank heavens it hasn't happened to me. My hubby (and coder:) takes care of the security and always nags me to get a decent password:)
Hi Annabel, thanks for your comment.
I hope that after you read this article, and especially the part about 1 million WordPress sites being hacked, you will get that decent password 🙂
Seems Login LockDown hasn’t been updated in a while. Have you been running it with more recent WP versions? If so, any issues of note?
Hi Vance,
I am running it with the latest version of WordPress (3.2.1). No issues whatsoever.
Thanks for the response, and the original post of course!
I am running the latest version of WordPress but it still tells me I can’t change my user name from admin. I went into phpMyAdmin and couldn’t figure out how to run the query. Can you advise?
Thanks!
Jenelle
Hi Jenelle,
when you open phpMyAdmin, click on the SQL tab. Then copy the query from above into the SQL field, change the username to whatever you want, and click Go.
It also works to make the “admin” account just a subscriber. I like this, because it still lets them waste their energy and focus on trying to hack an account that won’t achieve much for them anyway :-).
Hey Z,
Great article – It still amazes me how many people just leave their WP sites vulnerable.
Just this past week I’ve been able to gain access to pretty much all of my client’s WP sites without asking for their username/password. Just by using admin/password combo.
Pingback: Link of the day 30 August 2011 | Geppy.it news from the community
Can you please suggest a plugin that can automatically ban an IP address if the site/blog gets more than x number of clicks in a given period of time, or if an IP address visits too often? But before the IP is blocked I want to set the above statistics.
These are some good tips. There are plenty of users who leave their sites as default who are usually the ones who get hacked.
I have a list of some tips that I use for WordPress Security here:
http://www.otreva.com/blog/10-steps-to-securing-wordpress/
I have been hacked for the first time today !!!!
I’ll follow your advice now !
Julien
Pingback: Securing Wordpress, Cpanel and WHM.
Hi Zvonko,
Sir, yesterday someone hacked my website (ApnaKamoke.com). Now in future I will follow your nice advice. Please tell me one thing: how can I secure my website made in HTML? Any article?
Great tips, hope all realize that the default setup has its security issues. I actually went one step further and disabled all file updates except for the sitemap and the uploads directory, using the following commands in the WordPress directory:
[code lang="bash"]
sudo chmod -R u-w *
sudo chmod -R g-w *
sudo chmod -R o-w *
sudo chmod u+w sitemap.xml*
sudo chmod -R u+w wp-content/uploads/*
sudo chmod u+w wp-content/uploads
[/code]
This disables WordPress updates, but one can open them up temporarily with the following command:
[code lang="bash"]
sudo chmod -R u+w *
[/code]
Assuming that all files are owned by the correct user of course.
I also disabled the execution of PHP files in the uploads directory by using the following Directory directive in the Apache site config:
[code lang="apache"]
php_admin_value engine Off
[/code]
Finally, Apache actually recommends not using .htaccess files but Directory directives instead. One can disable .htaccess files with "AllowOverride None". This also prevents WordPress from updating .htaccess files, which it does when changing settings for permalinks, etc. (you need to update Apache manually when this happens).
Pingback: 10 tips for strengthening the security of a site running WordPress | ITPROGER
Most things here can simply be applied using one better WP security plugin.
I agree, but which one 🙂
This is a great list of things to do to secure your WordPress site…
I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…
I have now written up my experiences in a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.
My checklist has a few more items and detailed steps for how to get the job done.
Hopefully the checklist can help other people securing their WordPress sites…
Really useful. Based on articles like yours we did a Spanish-language compilation of security tips for WordPress; you may find it here: Tips to improve WordPress security
I recently released a security plugin for WordPress called PanicPress (http://www.panic-press.com) that adds two-factor authentication to your blog and allows you to remote-control shut down the administration section.
If you’re interested in a demo, email me at dan (at) danhulton (dot) com – I’d be honoured if you reviewed it on your site or even if you just had comments or suggestions about it!
Thank you for your explanation and great share.
I would like to add this point to my web site, if you would allow me.
Of course you can, just link back to here.
Pingback: How Secure is your WordPress site? | cateca