11 Best Ways to Improve WordPress Security

dbsec1

“Why should I care about WordPress security?”

That is the question I usually get when I start talking about how to install WordPress securely. Believe it or not, many people think the chance of a hacker — or precisely, cracker or web site intruder — getting into their blog and causing havoc is slim to none.

The bad news is, it happens more often than you think.

I’m sure you’ve seen search results in Google that were tagged with the This site may harm your computer message directly below the title, or read stories about this blog and that blog being hacked.

If you perform a quick search on the National Vulnerability Database, you’ll find that WordPress has an increasing number of vulnerabilities. It was 2 in 2004, but the number quickly increased over the years to 63 in 2007.

This isn’t an attack on WordPress. It’s simply that no software is immune to security problems. This is made even worse when the application is very popular and opensource.

In this article, I’m going to show you some quick fixes that you can do to block the holes that may occur during or after WordPress installation. Some of the tips here are for more advanced users though, and make sure that you always take a backup of your database before writing any sort of MySQL query.

1 – Secure WordPress Database

WordPress requires access to a database and it doesn’t care if you share that database with other web applications. For simplicity, you should create a database just for WordPress though so even if someone breaches your blog through one database access, not all of your data are in jeopardy.

Basically, here are things you should do with WordPress database creation:

  • Create a database for WordPress. WP uses only a few tables but giving whole database just for the blog instead of sharing it is more like limiting its access.
  • Create and grant limited access to a database user. Create a user to access this database only and grant limited access to SQL commands on this database (select, insert, delete, update, create, drop and alter).
  • Pick a strong database password. It can be as random as possible because you don’t have to remember it.

For the majority of us, you would do all this from your webhost’s control panel, when you set up the database. But for the MySQL-confident, you can use these queries:

1
2
3
4
5
$ mysql -u root -p
mysql> create database 'myblog';
mysql> grant select, insert, delete, update, create, drop, alter on myblog.* to 'bloguser'@'localhost' identified by 'mypassword';
mysql> flush privileges;
mysql> exit;

If you use cPanel to create your database, pick the right checkboxes to give the database user just enough privilege to perform WordPress operation.

db-privileges

2 – Populate wp-config.php Properly

Go through each line in wp-config.php, not only the first block for database configuration.

Use WordPress secret key generation tool to generate random salts for WordPress cookies. These keys are used to insure better encryption of information stored in WordPress user’s cookies.

You also want to modify the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wp23jk1_ obfuscates it enough but still allows you to recognize the tables as those belong to WordPress.

3 – Don’t Use the Default admin Username

If you install WordPress manually, this involves modifying the database. Fantastico users are able to pick admin user and password as part of the installation process. There are more fields to fill in but you may end up with more secure WordPress installation.

1
2
3
4
5
$ mysql -u bloguser -p
Password: mypassword
mysql> use myblog;
mysql> update wp23jk1_users set user_login='myadm' where user_login='admin';
mysql> exit;

You may use phpMyAdmin and paste the SQL command (the update line) to execute it.

update-wp-admin

Alternatively, you may edit the value manually using phpMyAdmin web interface.

update-user-manual

Now your admin user name is myadm instead of admin.

4 – Pick Secure Password for Admin

Changing your admin username to something else is not a guarantee that people will not be able to guess it. For instance, if you use your username as the displayed meta data in every post, or you enable author specific page in multi-author blog, you will reveal your user name to the world.

With that assumption, you should pick secure password for your WordPress login. Combine upper and lowercase characters and numbers.

5 – Use Secure Login via Encrypted Channel

WordPress users who have SSL enabled for their domain (Talk to your host about this first. You won’t have this by default!) should use that encrypted channel to access WordPress Dashboard. You can force admin sessions over HTTPS by setting FORCE_SSL_ADMIN variable in wp-config.php to true.

Copy and paste the following into your wp-config.php file.

1
define('FORCE_SSL_ADMIN', true);

6 – Upgrade as New Version Becomes Available

When WordPress releases new version, especially one that includes security fixes, upgrade as soon as time permits, even though it doesn’t include features that you use.

7 – Backup Your Database and Files

Install a plugin or use cronjob to create database and file backups on a regular basis. This may not be directly related to security, but in case you detect intrusion, you will be glad you make a backup.

Refer to this post to backup your WordPress database directly to a Gmail account.

8 – No Directories Should be Available for Browsing

By default in most hosting, index of directories are shown in web browsers. This has a purpose but it also means that you reveal the content of any directory that has no index.html or index.php.

Modifying this behavior is easy with Apache, just add the following line of code to the .htaccess file in the root directory (In the same place as the wp-config.php file).

1
Options All -Indexes

9 – Protect WordPress Administration Files

WordPress administration files reside in wp-admin directory of your WordPress installation, except wp-config.php. The latter contains basic WordPress configuration that can not be modified through the Dashboard.

You may use .htaccess to restrict access and allow only specific IP address to this directory and file. If you have static IP address and you always blog from your computer, this can be an option.

Note that you may also allow access from a range of IPs. Refer to Apache’s documentation on mod_access for complete instruction on how to set this up.

You need to put a .htaccess file in wp-admin.

Example:

1
2
3
Order Deny,Allow
Allow from ww.xx.yy.zz
Deny from all

Protecting wp-admin directory with user and password combination also adds another level of security. Apache has complete information on authentication, authorization and access control.

Example:

1
2
3
4
AuthType Basic
AuthName "WordPress Dashboard"
AuthUserFile /home/user/.htpasswds/blog/wp-admin/.htpasswd
Require user adminuser

and then generate the encrypted password using the htpasswd command.

1
$ htpasswd -cm .htpasswd adminuser

cPanel has a feature called Web Protect which allows you to accomplish the same thing.

If you implement all of those above, you should be accessing the wp-admin directory from the allowed IP address, authenticate with adminuser and then login normally to your WordPress Dashboard with your WordPress admin account (myadm).

10 – Restrict File Access to wp-content Directory

The wp-content directory contains your theme files, uploaded images and plugins. WordPress doesn’t access the PHP files in the plugins and themes directories via HTTP. The only requests from web browsers are for image files, javascripts, and CSS.

For that reason you may restrict wp-content so that it only allows those file extensions but not PHP or any other file extensions. This prevents people from accessing any files directly.

Include the following lines in .htaccess within wp-content:

1
2
3
4
5
Order Allow,Deny
Deny from all
<files  ?\.(jpg|gif|png|js|css)$? ~>
	Allow from all
</files>

11. Hide WordPress Version in the Header Tag

Although you have deleted the WordPress version meta data from your theme, you may still get WordPress version line in the page returned by the blog software. The culprit is, since version 2.5 WordPress has added the feature to generate this code.

Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn’t already have one)

1
<?php remove_action('wp_head', 'wp_generator'); ?>

It is important to note that even with all of those above implemented, there is no guarantee that your blog will be safe. Just that you decrease the chance tremendously and discourage those crackers from targeting your blog.

New exploits are discovered every so often and when a fix has not been made available yet, everyone is at risk. However, by implementing all or some of the tips above, at the very least it should give you peace of mind that you are not leaving your house unlocked.

Do you have any other tips, or do you do something differently? If so, please share!

Click here if you want to learn more about WordPress security.

About the author: Hendry Lee helps solopreneurs and small business owners overcome strategic and technological challenges in starting and growing their blogs. Get fresh blog tips from his blog, updated daily.

Share

  1. Great insight, Hendry. Nice to see you over here on Michael’s blog with a very worthy guest post.

  2. Great post and soooo needed by everybody. I’ve done very similar things when setting up my wp sites but never have the “i’m a blogger” mentality to write it down as well (or at all) as you have. Therefore I’ve bookmarked it to get tweeted and hopefully RT’d. Thanks for the post!
    @chuckreynolds

  3. I agree with every point except upgrading when new versions come out.

    The only real reason you should upgrade is that if there is something that effects you. For instance, One of the updates (2.6.3 I believe) fixed Admin issues with the different users registered on the blog, But since it doesn’t effect me, I didn’t upgrade till 2.5.

    Usually, most people wait until they are around 10 versions behind and then upgrade their Wordpress.. It is very time consuming. :)

  4. Thanks to @chuckreynolds, I got to this post. Its the little things that are always overlooked, and always a ‘why didn’t I do that – after the fact’. Great list, your examples are key, your explanations are very detailed and easy to read. like Chuck, bookmarked. Thanks for the great info.

  5. Arjen (13 comments)15 December 08

    Great post, I think that it’s important to have a look at your blog’s security, especially when your blog gets more popular…

    I’ll try this on one of those rainy Sundays, thanks!

  6. All very good points, and with the new 2.7 even better. Why? Because with 2.7 you can upgrade not only plug-ins but the entire WP installation from within the admin panel. That makes it much easier and faster and very, very little reason not to keep up to date. As long as your themes or plug-ins aren’t doing anything odd, you should be able to do the in-place upgrade and just keep on going.

  7. If you are using cpanal and you have dedicated server I highly recommend using this service: http://www.configserver.com/cp/cpanel.html

    Costs about $100 and is hands down the best server hardening package for the money I’ve ever seen. It does a lot to prevent attacks and break-in attempts. I wouldn’t even consider using cpanel without it.

  8. Chris (18 comments)15 December 08

    I implemented many of your suggestions today–the ones I could–after somehow, someway, some hacker got into my blog and added a link for some foreign real estate company in my blogroll.

    Another tip then I would add is to visit your own blog often, especially if you use a remote blogging platform like LiveWriter or ScribeFire.

    • Good tip Chris. I hadn’t thought of that, but it’s completely true! You’ll have no idea what little bugs are cropping up on your site if you aren’t visiting it constantly.

      On top of that, it’s worth subscribing to your RSS feed as well, just to make sure it’s always working properly too (Otherwise, if it fails, your only hope is for a nice reader to take it upon themselves to email you).

  9. I am always worrying about the security of all of my blogs. This will help me feel a little bit safer.

  10. Thanks all. I’m glad you enjoyed my post.

    @Brad, exactly. I recommend people to upgrade if it is security related because that would be something that affect everybody.

  11. Very often we overlook that very important security issues, and the fact is that we should over them at first. Thanks for the great tips, some of which i wasn’t aware, and some that i will implement for sure. Bookmarked!

  12. I don’t like to upgrade WP too often, as long as there’s no security fixes it’s fine.

    I think the use custom DB name and change Admin name is already 2 of the easier but effective steps. :)

    • Hehe, I ended up with a custom database name by necessity originally (Already had a wp_ in the database and host won’t allow more than 1 database), but now I’m quite happy to label it a “feature” of my database. ;)

  13. Hello,

    Really, I’m not that great with all the backend stuff. Would it be possible for you to put together a bid on all this? Securing wordpress n all.

    - Jeff

  14. You still need this filter to disable the feed print the wordpress vertion:

    add_filter( 'the_generator', create_function('$a', "return null;") );

  15. Great post. It seems to me that change of password is very important too. Security is very important thing for all bloggers.

    • That’s a very good point! All of the advanced techniques here stand for nothing if someone guesses your password, or you’re using the same one you use on other sites.

  16. I’m still waiting for plugin upgrades to be compatible with 2.7. I guess there weren’t any security upgrades with new wordpress so there’s no problem I think.

    • Do you know which plugins need upgraded? I heard some bad things about PodPress, which is a shame, but beyond that, I’ve had no trouble with plugins, and haven’t heard of many people having problems. :)

  17. Otto has just replied to the mailing list. Here’s various ways to remove the generator line.

    To just remove it from the web page:
    remove_action('wp_head', 'wp_generator');

    To remove it from everything:
    add_filter('the_generator', create_function('', 'return "";'));

    To remove it from specific places:
    add_filter('get_the_generator_TYPE', create_function('', 'return "";'));

  18. Sumesh (39 comments)22 December 08

    I already use some of these techniques. I really liked the suggestions for restricting file access through HTTP (been looking for this), switching to a username other than admin (hope MySQL doesn’t get messed up).

    PS:I would have really liked to restrict admin to only my IP, but unfortunately I’m on dynamic IP. Does anyone know a method to do the same for dynamic IPs?

    • It is just a simple update instruction, but if you are worry please make sure you have a backup of your entire database.

      Regarding dynamic IP, I think it is possible but it will involve a hack of some sort and that involves write access to your .htaccess file, which may or may not be a good idea.

      Possible idea is to run script after dialing your Internet connection. That script connects to your SSH and change the allowed IP address in the server setting.

      An ugly solution but works if you insist.

      Perhaps others have a better idea.

    • For the IP address, I was thinking of just enabling a chuck of IPs in case my number changes.

      Even if I just blocked out all the non-North America IPs, it’s gotta help some….

  19. awesome post!
    just what i need

  20. Donace (3 comments)2 January 09

    Very useful post man, would just like to reiterate the point mentioned above about wordpress versions, indeed upgrading asap is NOT recommended as the newer version may bring bugs previously not there.

    2) http://semperfiwebdesign.com/p.....rity-scan/ a very useful plugin that helps you achieve a number of the points you have mentioned.

  21. Ralph (9 comments)4 January 09

    Your post help me to think about wordpress security for my own blog about my diploma project. Ralph

  22. joao (1 comments)6 January 09

    great article!
    i will implement some of this tips inmy blog

  23. Seb86 (1 comments)7 January 09

    Tip No. 10 stoppped my theme from loading along with any images that were posted in my topics. Inless I missed something this tip does not work for me. Any help would be appreciated.

  24. Mikael (1 comments)10 January 09

    @Seb86 – I had a similar issue. I used a bit different code and it blocked access to some of my plugins functionality. That was just the comment I was gonne ask. What is the benefit of having a .htaccess in the wp-config, doesnt the Options -Indexes take care of that?

  25. Niko (1 comments)15 January 09

    Hi, great guide. I followed most of them for my two blogs. But I don’t use Apache, I use lighttpd (so I don’t have a .htaccess file), does anyone know how to “translate” these actions?

  26. I don’t understand why anyone thinks it takes time to update. I still do manual updates and its a snap. I may wait a day or two before updating so I can upgrade my local test site and test compatibility with plugins but that is it.

    The small updates (ones with three digits 2.7.1) are primarily security fixes and minor bugs. People should be upgrading to those very quickly. I could see taking a few days to test on a local or dev server before a major change (one with a two digit number, 2.6, 2.7 etc) as those are major code changes.

    I still have to contact my host because when I try to run admin in encrypted it breaks.

    One thing I think should be noted is using the .htaccess file to restrict IPs to admin is not going to work for a lot of folks. Anyone that gets a dynamic IP from their ISP and that is a whole lot of people could lock themselves out.

  27. I just made my password stronger and done the 8th point. Make directories unavailable for browsing.
    I think i am more safe than earlier, now.
    Thanks for the useful infos.

  28. Mark (13 comments)11 February 09

    You all might want to have a look at Maximum Security for Wordpress since it’ll help implement a lot of what’s in this article, plus adds a lot of other Wordpress security features that you won’t find anywhere else.

  29. Nice post and i am going to impliment these tips.Thank you.

  30. I am moving to Wordpress after many years of using Joomla for my company site and blog. These tips are nice starting point for me. Thanks!

  31. Mikko (5 comments)26 May 09

    Nice, but how this all affect SEO?

  32. Harvin (1 comments)13 June 09

    Great post! :)

    I have 3 questions:

    1/ When a plugin create a table, it will be using by default wp_something, right? If I change that in my database, will the plugin still work?

    2/ The following lines in .htaccess within wp-content:

    Order Allow,Deny
    Deny from all

    Allow from all

    Won’t they make some plugins to stop working if I only allow access to jpeg, etc files?

    3/ What’s the difference between:

    Options All -Indexes

    and:

    Options -Indexes

    Is there one safer than the other?

    And last one: like Mikko asked, does that affect SEO?
    Thanks you very much for your help! :)

    • WCC (1 comments)21 November 09

      Harvin:

      Regarding your #3: I was wondering the same thing, too. After poking around Google, I found the answer on the Apache site: http://httpd.apache.org/docs/2.....ml#options

      I think I prefer to leave out the ‘All’ and just specify the ‘-Indexes’ option, but it looks like ‘All’ is the default, so it probably doesn’t matter either way.

      (Michael Martin: Thanks for this great/handy/helpful post with super tips!)

      -WCC

  33. Hikari (3 comments)12 July 09

    Thise are nice tips!

    But I tried to set password access to wp-admin and Askimet stopped working. It says it can’t access its servers and I had to remove the pass lock.

    Any idea on how to make Askimet happy? :p

  34. Hikari (3 comments)15 July 09

    Update: it seems I was unlucky and tried this at the same moment Askimet had some kind of connectivity bug, you all must be aware if this for now.

    I updated Askimet and re-enabled htaccess password, and Askimet is not reporting the error this time!

    Another tip: for creating and also storing password, I suggest KeyPass. It is OpenSource, is great for security, and has a nice Usability interface.

  35. shaunjudy (4 comments)16 July 09

    This is a great list of tips for wordpress. I think everyone should perform these on their wordpress blog. Thanks for all the great info.

  36. thanks for sharing :)
    hope this could help me , my other blog just got hack .
    .-= why.itgo.com´s last blog ..melayang ke laut =-.

  37. When it comes to /wp-admin/ protection I like restricting access to specific IP most. My IP is assigned dynamicaly by my provider and the fact that it may change from time to time does not boder me at all. It changes infrequently and changing it in .htaccess is not a big deal. I’ve followed many discussions about this method but it seems to me that very few people are concerned about one implication. On installations allowing users to register we deny them access to their own profiles. Sure we can add the new users’ IPs to .htaccess upon successful registration (simple plugin will do it), but if their IPs are dynamic and they change we are in trouble. We would need to rely on the user to provide old IP (necessary to confirm that the user is legitimate) and new IP, so we can modify .htaccess. Does anyone here have some ideas how to solve this problem?

  38. With the most recent upgrades being released fairly close to each other, and with them being security fixes, i made sure i upgraded as soon as i saw the new versions available, not worth taking the chance on it and leaving it, even just for a few days.

  39. thank so much ! :D

  40. Joe Lish (1 comments)1 October 09

    I used the code below to protect wp-admin. Now all users who go to the main page are being prompted the the “WordPress Admin Access Control” password rather than the password assigned to their subscriber accounts. If they hit cancel several times, the login page that uses the subscriber info appears. Any ideas?

    AuthName “WordPress Admin Access Control”
    AuthType Basic
    AuthUserFile /homepages/**/********/htdocs/.htpasswd
    order deny,allow
    deny from all
    require valid-user
    # whitelist *****’s IP address
    allow from **.**.***.***
    Satisfy Any

  41. great tips. i just wanna add:

    12) stealth /wp-admin address.

    it’s work like a redirect plugin, forward to new customize login url.
    pretty easy but not so secured. can be applied as additional methods :)

  42. Nice write up, but you have to use SSH and not FTP. All this means nothing if someone figures out your password. And, you should always be running the latest version.

  43. Since I am new to WP security this was very helpful. Thank you.

  44. Before I pretty-up my site I’m looking at security, hence my reading this post. As usual… great list, but…

    Spare a thought for the technically challenged such as me.

    I can cope with a .htaccess file and moving around directories, I’m even OK with html and CSS, but once you mention php and MySQL, my knees turn to jelly.

    Super post, but perhaps just a teeny weeny bit more explanation for some of the more technical issues?

  45. steve (8 comments)19 November 09

    What I would like to see is someone do a camtasia video showing how to do all the above to help secure our worpdress sites. I learn much better by watching how its done, plus you can pause, stop and do part of it then come back and watch the rest etc etc.

    Anyone up for the challenge?

  46. great tips, especially i liked the DB bit, which I always pay least attention to… :( Also a good thing is that you restrict wp-content only to images and such, leaving out everything else.

    you also have IP whitelist, which I always do for my wp-admin. you might want to update to auto redirect to ssl though, just as per:

    http://www.grenadepod.com/2009.....wordpress/

  47. radhika (1 comments)4 January 10

    Thank you for great tips.

    I also use WP security scan plugin. It scans the WP installation for few basic security issues.

  48. Great post, thanks!

  49. Mikko (5 comments)25 January 10

    How these modifications affects SEO capabilities of WP?

  50. LeeS (1 comments)4 February 10

    Hi

    I’ve just been checking some security after a hack of a server which may or may not involve my wordpress installs

    2.8.4 allowed me to upload a PHP file, which could then be run.

    Surely this is a huge security liability

    I’m just upgrading this site to 2.9.1 and will test it again

    Lee

Leave a Comment

Your reply will be added to the comment above (Below any other replies to this comment) -

(We DoFollow)

Not sure how to get an image with your comment?