Wordpress Security Steps

Follow these steps to increase your Wordpress Security

So, over the last 6 months, every WordPress blog I’ve set up has been hacked in one way or another. It sucks. I thought I was doing everything right, but apparently I didn’t do enough when it comes to security (you can never do enough!). The following are some of the things I did to help secure my sites from malicious evil bastards. Keep in mind that these things can help secure your site, but as far as we know there is no way to keep hackers 100% out of your site. These measures merely make it harder for them, which will hopefully persuade them to move on to another WordPress blog that isn’t as secure as yours.

CAUTION: Look at the date of this post. This information is accurate (to our knowledge) as of December 8th, 2010. We are not responsible for any damage any of our suggestions may cause. We merely compiled and used the following methods to help protect our sites, and so far it’s working.

Before you do anything:

1. If you are on a shared hosting server, make sure your host takes security seriously. If one site on the server is compromised, many others can be as well.

2. Look into SSH/Shell access instead of FTP uploads.

OK, now to get into it. Many of the items below are handled by the plugins listed further down.

Editing your files before install:

3. Secure your wp-config as well as any other sensitive files with .htaccess by adding these lines:

# SECURE WP-CONFIG.PHP
<Files wp\-config\.php>
  Order Deny,Allow
  Deny from all
</Files>
Options All -Indexes

4. Make sure your files and folders have the correct permissions set. Some of the more important ones are:

the root, wp-admin, wp-includes, wp-images, wp-content, themes, plugins, upgrade, uploads, etc…

5. In search.php change: <?php echo $_SERVER['PHP_SELF']; ?> to: <?php bloginfo('home'); ?>

6. In your theme’s header.php file, get rid of the name="generator" line.

7. Add a .htaccess file to the wp-admin folder and wp-content/plugins and add this: IndexIgnore *

8. Replace the secret keys in your wp-config.php file with new ones. Visit this URL to generate new ones and cut and paste them. https://api.wordpress.org/secret-key/1.1/ Each time you refresh the page, it will come up with new, unique keys.

9. Some people suggest password protecting your wp-admin directory.

10. Change your default table prefix from wp_ to something crazy like meKH2332m23m324_ The easiest way to do this is to edit the line in your wp-config.php so it reads: $table_prefix = 'meKH2332m23m324_'; // custom table prefix

11. Change the “Upload” directory to something more obscure, like “Putapic” or something. You need to understand where to make all of these changes though (you can’t just change the name of the folder).

12. You can also use an Apache declaration in .htaccess to disable script execution in the uploads folder.
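Here is an added example .htaccess for wp-content/uploads that puts steps 7 and 12 together (it is my illustration, not a file from the original post or from WordPress). It uses the same Apache 2.2 Order/Deny syntax as the wp-config block in step 3 and assumes your host allows Options and Limit overrides in .htaccess.

```apache
# Example .htaccess for wp-content/uploads (added illustration, not the post's own file).
# Assumes AllowOverride permits Options, Limit and FileInfo for this directory.

# Step 7: never show a directory listing here, even if Indexes is enabled higher up,
# and do not let the directory be treated as CGI.
Options -Indexes -ExecCGI
IndexIgnore *

# Step 12: refuse to serve anything a PHP handler might execute, so an uploaded
# "image" that is really a .php or .phtml file cannot be run from this folder.
<FilesMatch "\.(php|phtml|php[3-7]|phps|pht)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

# Belt and braces under mod_php: switch the PHP engine off for this whole tree.
# Ignored under FastCGI/PHP-FPM setups, which is why the FilesMatch block comes first.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
```

After dropping the file in, request a harmless test.php you placed in uploads yourself and confirm you get a 403 rather than a rendered page.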

Installation, Settings, and Plugins:

13. Start from a fresh installation. Download the most recent version of WordPress.

14. Make sure wp-config.php has its permissions set to 400 immediately (or 0). This file holds all of your password info. Also check the permissions on all upload, upgrade and backup directories.
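The permission pass from steps 4 and 14, as an added example script (mine, not from the original post): it applies 755 to directories, 644 to files and 400 to wp-config.php, then reports anything still world-writable. The function and helper names are my own; it assumes GNU or BSD find, chmod and stat.

```shell
#!/bin/sh
# Added example (not the post's own script): permission pass for steps 4 and 14.
# Assumes GNU or BSD find, chmod and stat; the WordPress tree path is passed as $1.

# Apply the scheme: directories 755, regular files 644, wp-config.php 400.
harden_wp_permissions() {
    root="$1"
    # Directories: owner may write; group/other may only list and traverse.
    find "$root" -type d -exec chmod 755 {} +
    # Regular files: owner may write; everyone else read-only.
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the DB credentials and salts: owner read-only (step 14).
    if [ -f "$root/wp-config.php" ]; then
        chmod 400 "$root/wp-config.php"
    fi
}

# Print a path's octal mode (GNU stat first, BSD stat as the fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# List anything still writable by "other"; an empty result is what you want.
world_writable() {
    find "$1" -perm -002
}

# Usage: sh harden.sh /path/to/wordpress
if [ "$#" -eq 1 ]; then
    harden_wp_permissions "$1"
    world_writable "$1"
fi
```

Run it after every upgrade as well, since some installers and FTP clients reset modes on the files they touch.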

15. Move wp-config.php one level above your root directory.

16. Turn off the option to organize installed uploads by month and year.

17. Use STRONG PASSWORDS and change them as often as you can. Use 12-13 character passwords with capitals, lowercase letters, numbers, and different characters like &%*.

18. Disable user registration if it is not needed.

19. Get rid of your admin account! Add a new user (with a more complex name) and give them the administrator role with full privileges. Then sign in with the new user and demote the old admin account to subscriber. This limits your exposure to brute-force password attacks against the well-known “admin” username.

20. Make sure roles and permissions are all low-access.

21. Set up your settings in the strictest ways. You only want users to comment and add content that you truly trust.

22. In the dashboard, secure your general settings. Have the new user default role be a subscriber and uncheck the ability for anyone to register under Membership. You only want users to comment and add content that you truly trust.

23. Don’t give anyone your admin passwords! Keep them in a safe place. Don’t discuss them over the phone or in emails. Make sure to change them periodically too. The WP Security Scan plugin has a tool to check whether your password is strong enough.

24. Make sure your computer doesn’t have any spyware, malware, adware or viruses. Sometimes this is where your security issues originate from.

25. Install Security, Back Ups and Antispam Plugins

These are the ones we’ve heard are the best. Keep in mind that some of these won’t work with others. Also, many don’t work with the most recent update of WordPress. Make sure you only use plugins that you trust. If you only download a few, do the first 4.

  • WP Security Scan – This scans your installation for weaknesses in security. Make sure to remove the WP ID META Tag. We really like this plugin.
  • WP-DBManager or WordPress EZ Backup – Back up your databases and site.
  • WP File Monitor – It tracks changes to files and notifies you on your dashboard and through email. Very helpful for knowing if you’ve been hacked!
  • Akismet – Crucial in protecting your comments from spam.
  • Headspace2 – Doesn’t work with the newest version yet, but it has some great SEO tools.
  • Google XML Sitemaps – Automatically creates and submits your sitemap to Google.
  • Block Bad Queries – It protects against malicious URL requests.
  • AskApache Password Protect – Another security wall for your blog.
  • WordPress Firewall – It screens suspicious-looking requests and often prevents attacks.
  • Invisible Defender – It protects registration, login, and comments from spambots.
  • Secure WordPress – It removes and hides a bunch of stuff that will keep you more secure.
  • Exploit Scanner – This is said to be a great plugin, but it may have issues. I’ll get back to you on this one.
  • Login Lockdown – This will stop people from trying to log in after 3 wrong tries in 5 minutes. It will stop hackers from gaining access by brute force.
  • Force SSL – You’ll need to buy a renewable SSL certificate, but it will encrypt your back end. If you don’t want to buy one, try Chap Secure Login.
  • Anonymous WordPress Plugin – Strips your information from being sent to plugins when they automatically update.

Lastly, you need to keep up with security maintenance. Here are a few things to keep on top of:

26. Make sure the most recent version of WordPress is installed at all times. These new updates usually have security features that can help against current threats.

27. Same with Plugins and Themes. Make sure everything is up to date at all times!

28. Make sure all of your Plugins are trusted. Seriously, this is dumb of me to say. How in the heck do you know if a Plugin is trusted? Amount of downloads? Ratings? I guess those help, but if anyone has any other ideas on how to measure a plugin’s trust, I’m all ears. Hopefully they implement some kind of Trust Certificate someday.

29. Have regular backups run automatically for the whole site, including the database. And don’t keep the backups on your server.

30. Watch for new files that are suspicious looking. WP File Monitor is good for this. A lot of hackers hide backdoors in files that look like img1.jpg or similarly unsuspicious-looking generic files.

31. When adding files, consider using FTP instead of uploading from your WordPress uploader.

32. Report bugs to WordPress: https://codex.wordpress.org/Submitting_Bugs WordPress can’t get any better without your help!
