Trying to improve WordPress security?
You should be. An investigation revealed about 70% of WordPress blogs are vulnerable to hacker attacks.
I’ve rounded up some of the best WordPress security blog posts for you. There are hundreds of tips, insights and pieces of analysis in these posts. Fortunately, customers using our Managed WordPress Hosting don’t have to worry about this, since we handle security for them. But if you are managing WordPress security on your own, here are some tips:
1. Audit Your Security
Websynthesis starts where you should start – a security audit.
Any security holes outside of WordPress, in software and hardware you use with it, can affect the CMS itself.
This is a fabulous tip. Your WordPress site will only be as safe as the weakest link.
2. Use Well-Known Tools
The Theme Foundry offers this excellent advice:
If you were trying to avoid getting mugged, would you explore dark alleys late at night, or would you walk down busy main street in broad daylight? Consider this advice when you’re choosing a WordPress plugin or theme. Get your themes or plugins from reputable sources and they’re much more likely to be kept up to date and monitored for security issues.
Be sure to pay attention to when the plugin or theme was last updated. Anything that has not been updated in more than a few months may have been abandoned by the developer(s), putting your WordPress blog at risk.
3. Generate Custom Secret Keys
In Vivek Kumar Poddar’s 10 Essential WP Tips, he reminds us to create our own secret keys:
The wp-config.php file stores all the secrets of your WordPress installation. It stores your MySQL database username, database password and the secret key. Overall, it’s the most important file in your site’s folder structure, and it’s also important to change all its default values to custom generated ones.
You can generate the custom secret key from this official API page. Once you visit the page, just press F5 to refresh it and grab the newly generated, unique secret key.
4. Update Everything
WooThemes reminds us to update everything – not just WordPress itself. Themes and plugins are just as vital to security as the WordPress Core.
Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
Don’t ignore this!
The same applies to themes and plugins. Make sure you update to the latest versions as they are released. If you keep everything up-to-date your site is much less likely to get hacked.
5. Protect Against Malicious URLs
I found this nugget over at WPSnipp.com, a site that collects WordPress code snippets:
    // WPSnipp's snippet, cleaned up. Put it in your theme's functions.php (or a small
    // plugin). It is hooked to 'init' so that it runs once WordPress knows who the
    // current user is. Note: as written it only inspects requests from logged-in
    // non-administrators; anonymous requests pass through untouched.
    add_action( 'init', function () {
        global $user_ID;
        if ( $user_ID && ! current_user_can( 'administrator' ) ) {
            $uri = $_SERVER['REQUEST_URI'];
            // Reject over-long URIs and ones carrying common injection strings.
            // stripos() returns 0 for a match at offset 0, so compare with !== false.
            if ( strlen( $uri ) > 255
                 || stripos( $uri, 'eval(' ) !== false
                 || stripos( $uri, 'CONCAT' ) !== false
                 || stripos( $uri, 'UNION+SELECT' ) !== false
                 || stripos( $uri, 'base64' ) !== false ) {
                @header( 'HTTP/1.1 414 Request-URI Too Long' );
                @header( 'Status: 414 Request-URI Too Long' );
                @header( 'Connection: Close' );
                exit;
            }
        }
    } );
This code snippet is meant to help prevent URL injection attacks: it rejects requests whose URI is unusually long or contains strings typical of SQL injection and remote code execution attempts. Keep in mind that it only checks requests from logged-in, non-administrator users.
6. Stop PHP Execution in WP-Content
Thematosoup has an excellent roundup on how to secure your site through .htaccess modifications. The best tip here is to place an .htaccess file inside your wp-content directory with:
    <Files *.php>
        Order deny,allow
        Deny from all
        # Do not add an "Allow from all" here: with "Order deny,allow" it would override the deny.
    </Files>
This will block PHP files from executing inside this directory. We often see attackers upload PHP backdoors into wp-content/uploads, which is exactly what this stops. Two caveats: the directives above are Apache 2.2 syntax (on Apache 2.4 use Require all denied inside the Files block instead), and a few plugins and themes serve PHP files from wp-content directly, so test your site after adding it; many people apply the rule only to wp-content/uploads for that reason.
7. Remove Unused Plugins & Themes
This is a great tip from Copyblogger.
If you have old themes and plugins that you’re not using anymore, especially if they haven’t been updated, you can basically just go ahead and start the countdown to your next security breach. A messy site also makes it much more difficult for security professionals to operate should your site be compromised.
We just dealt with a case like this. The customer had tried unsuccessfully to clean up their WordPress blogs only to be attacked again. The problem? They failed to clear out an old theme with a PHP shell backdoor. As soon as the code injections were removed, the attackers just used the backdoor to put them back again. So always delete — not just disable — what you are not using.
8. Use Strong Passwords
WordPress.com, the commercial side of WP, has a great article on selecting strong passwords. They remind us that modern systems can easily crack random passwords, so you need a better approach, such as a password manager.
9. Delete Extra Accounts
Zoe Rooney offers this advice:
Once you’ve got a super secure new admin user for yourself, take inventory of any other user accounts under Users > All Users. Delete any that are outdated (or at the very least convert them to subscriber status).
I cannot stress this enough. Also check for any user accounts created by your developers — during development people often use poor passwords, and if these are not changed they can be an easy backdoor into your WP installation.
10. Check File Permissions
Why so many people ignore the Codex I will never know. There’s a great little WordPress security tip in point 9.2.
When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server’s user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.
I am not sure how robust WordPress’s file permission checking is. A concern here is that if a file is not writable by WordPress, an automatic update may fail. If this is not trapped as an error, you could think you are running a fully patched version when you are not.
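The Codex layout above (0644 for files, 0755 for directories) is easy to audit from the shell. The script below is an added example, not from the Codex or the original post: it lists every file or directory under a WordPress root that deviates from that layout, counts the deviations, and can repair them. The demo builds a constructed temporary tree rather than touching a real site.

```shell
#!/bin/sh
# Added example (not from the Codex or this post): audit a WordPress tree for
# files that are not 0644 and directories that are not 0755.

# Print one line per deviation: "file <path>" or "dir  <path>".
wp_perm_audit() {
    root="$1"
    find "$root" -type f ! -perm 644 | sed 's/^/file /'
    find "$root" -type d ! -perm 755 | sed 's/^/dir  /'
}

# Number of deviations; 0 means the tree matches the Codex layout. If you have
# deliberately tightened wp-config.php (0600 or 0640 is common), expect it here.
wp_perm_violations() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Repair mode: run only after a backup, and only on trees you own. On a shared
# host, chmod can also change what the web server user is able to write.
wp_perm_fix() {
    root="$1"
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
}

# Demo on a constructed tree (path is a temporary directory, not a real site):
# one 0777 uploads directory and one world-writable upload should be flagged.
wp_perm_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php"
    : > "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content"
    chmod 644 "$d/index.php"
    chmod 777 "$d/wp-content/uploads"           # flagged: directory not 0755
    chmod 666 "$d/wp-content/uploads/photo.jpg"  # flagged: file not 0644
    before=$(wp_perm_violations "$d")
    wp_perm_fix "$d"
    after=$(wp_perm_violations "$d")
    rm -rf "$d"
    echo "$before $after"   # deviations before and after the fix: "2 0"
}
```

Run `wp_perm_audit /path/to/wordpress` after an automatic update as well: a file the update could not write will usually show up here as the wrong owner or mode, which is the failure case the paragraph above worries about.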
11. Change PHP Security Settings
While I can’t promise all of these will work on your blog, wpsecure.net offers this list of PHP changes (php.ini comments start with a semicolon; anything after // would be read as part of the value):
    display_errors = Off        ; safe to disable on a live site
    register_globals = Off      ; off by default (and removed in PHP 5.4), but a good reminder to check
    expose_php = Off            ; safe to disable
    allow_url_fopen = Off       ; might break something
    allow_url_include = Off     ; might break something
    log_errors = On             ; logging errors is always a good idea if you check them
    error_log = /var/log/phperror.log
    enable_dl = Off             ; might break something
    disable_functions="popen,exec,system,passthru,proc_open,shell_exec,show_source,php
    file_uploads = Off          ; will most likely break something (the media library needs it)
They also have tons of other suggestions for hardening WordPress by getting under the hood. If you try any of these WordPress security tips, be sure to back up and test them first. Since you are modifying configuration, they could break your site.
12. Get Better Hosting
While not quite WordPress specific, ElegantThemes reminds us to use RAID. If you think about it, the server’s disks are the most valuable part of the server because they have your data. Protect against downtime and data loss by using redundant disks. If you use shared hosting or a WP hosting service, ask them about what type of disk system they use. If they are not using a redundant RAID or SAN, then start looking for a new host.
13. Force SSL Usage
Another simple but great tip comes from Smashing Magazine:
Once you’ve checked that your Web server can handle SSL, simply open your wp-config.php file (located at the root of your WordPress installation), and paste the following:
define('FORCE_SSL_ADMIN', true);
When you use HTTP, your password is sent as plain text across the net. By using HTTPS, you can at least add a layer of security. Note that FORCE_SSL_ADMIN only covers the login page and the admin area; the public site can still be served over plain HTTP.
14. Block Brute Force Attacks
As recommended by WP Beginner, you should limit WP login attempts. Why?
Limiting the failed login attempts will lock a user out if they enter the wrong password more than the specified number of times. They will be locked out for a specified time. You can control the settings from your admin panel. This will also let you see how many people are trying to hack your site. If you see the same IP trying to access your site, then you can BAN that IP address.
If you have a limited number of users, I prefer locking down wp-login.php with HTTP Auth. However, if you have a lot of users, this could be problematic, in which case I too recommend the Limit Login Attempts plugin.
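Whichever way you lock the login down, the raw web server log tells you the same story the plugin does. The script below is an added example, not from WP Beginner or the original post: it counts failed wp-login.php attempts per client IP in a combined-format Apache/Nginx access log. WordPress answers a failed login by re-rendering the form (HTTP 200) and a successful one with a redirect (HTTP 302), so a POST to /wp-login.php with status 200 is a failure. The log lines are constructed for this example; the threshold of 5 is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from WP Beginner or this post: find client IPs with
# repeated failed wp-login.php attempts in a combined-format access log.
# The sample log below is constructed for this example (documentation IPs).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:14:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:02:05 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'

# $1: log file, $2: threshold (default 5). Prints "<ip> <failures>" for each
# IP at or above the threshold. A failed login is POST /wp-login.php -> 200;
# a successful one redirects (302) and is not counted.
wp_failed_logins() {
    threshold="${2:-5}"
    awk -v t="$threshold" '
        # combined log fields: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%s %d\n", ip, n[ip] }
    ' "$1" | sort
}

# Demo against the constructed log: only 203.0.113.7 crosses the threshold.
wp_failed_logins_demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$f"
    wp_failed_logins "$f" 5     # prints "203.0.113.7 6"
    rm -f "$f"
}
```

Run `wp_failed_logins /var/log/apache2/access.log 10` (path and threshold are assumptions for your host) to get the list the paragraph above talks about; a tool such as fail2ban automates exactly this loop of counting failures and banning the source address for a while.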
15. Configure Automatic Core Updates
As WPTavern points out:
The fact that it’s security and minor releases only is a very important distinction here. These generally do not break anyone’s website, plugin or themes. If you’re using a plugin that gets broken due to a security release, then that raises a red flag and a few questions about how that plugin is interacting with the WordPress core.
So leave those auto-updates on.
16. Find Hacked WordPress Files
Sarah Gooding has a great roundup of tools you can use to find hacked WordPress files. She reviews:
- Exploit Scanner
- Sucuri
- Wordfence
- WordPress File Monitor Plus
If you think you’ve been hacked, try out these tools.
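The tools above all rest on the same idea: record what the files looked like when the site was known to be clean, then compare. The script below is an added example, not one of the tools Sarah Gooding reviews and not from the original post: it writes a sha256 manifest of a WordPress tree, later reports files that were added, modified or removed, and separately lists any PHP file sitting under wp-content/uploads (which, per tip 6, should never exist). The demo tree, file names and the manifest path are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the post or the tools it reviews: a minimal
# file-integrity check of the kind Wordfence or WordPress File Monitor Plus do.
# Limitation: file names containing spaces or newlines are not handled, because
# the check relies on sha256sum's "hash  ./path" output format.

# Write one "hash  ./path" line per file under $1 into the manifest $2.
wp_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# Compare the live tree $1 against manifest $2; prints one line per difference.
wp_integrity_check() {
    current=$(mktemp)
    wp_baseline "$1" "$current"
    awk 'NR == FNR { base[$2] = $1; next }
         { cur[$2] = $1
           if (!($2 in base)) { print "added    " $2 } else if (base[$2] != $1) { print "modified " $2 } }
         END { for (p in base) if (!(p in cur)) print "removed  " p }' \
        "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# PHP files in the uploads directory are a classic backdoor location (tip 6).
wp_php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}

# Demo on a constructed tree: record a baseline, then modify a core file, drop
# a PHP file into uploads, delete readme.html, and report the differences.
wp_integrity_demo() {
    d=$(mktemp -d); m=$(mktemp)
    mkdir -p "$d/wp-content/uploads"
    echo '<?php // constructed core file' > "$d/index.php"
    echo 'readme' > "$d/readme.html"
    echo 'not really a jpeg' > "$d/wp-content/uploads/photo.jpg"
    wp_baseline "$d" "$m"
    echo '<?php // constructed core file, now changed' > "$d/index.php"
    echo '<?php // constructed unexpected file' > "$d/wp-content/uploads/unexpected.php"
    rm "$d/readme.html"
    wp_integrity_check "$d" "$m"
    rm -rf "$d" "$m"
}
```

Take the baseline right after a fresh install or a verified clean-up, store the manifest somewhere the web server user cannot write (otherwise an attacker who can drop files can also rewrite the manifest), and re-run the check from cron; a "modified" core file or any output from `wp_php_in_uploads` is the point at which you reach for the tools listed above.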
17. Change Database Prefix
Tutsplus reminds us to change the default prefix because:
A lot of the basic setup stuff for WordPress is the same across lots of sites… especially if you use a one-step install wizard through your webhost. This is super convenient, but lots of common setup values, like your database prefix(es), are known to hackers as a result. If you don’t change the database prefix, the table names of your site’s database are easily known to the person who is trying to hack your site.
This will not deter an experienced hacker but can certainly help with bot attacks.
18. Reconsider Security Plugins
Joyce Grace at ManageWP brings up a great point about security plugins:
One thing to know is that when you use security plugins with WordPress, you need to know what you’re doing. Using a security plugin, though seemingly easy, may cause problems, rather than provide solutions for the ‘average’ WordPress user.
Check out the full post for a great discussion on this WordPress security topic.
19. Backup Your WordPress Site
Even after implementing all these WordPress security tips, you could still get hacked. Freddy at WPExplorer reminds us to back up our site, and recommends three plugins:
20. ManageWP
Dealing with multiple WP installs? Then ManageWP may be the tool for you. You can update, monitor and maintain multiple WP sites from one dashboard.