11 Best Ways to Improve WordPress Security

dbsec1

"Why should I care about WordPress security?"

That is the question I usually get when I start talking about how to install WordPress securely. Believe it or not, many people think the chance of a hacker -- or precisely, cracker or web site intruder -- getting into their blog and causing havoc is slim to none.

The bad news is, it happens more often than you think.

I'm sure you've seen search results in Google that were tagged with the This site may harm your computer message directly below the title, or read stories about this blog and that blog being hacked.

If you perform a quick search on the National Vulnerability Database, you'll find that WordPress has an increasing number of vulnerabilities. It was 2 in 2004, but the number quickly increased over the years to 63 in 2007.

This isn't an attack on WordPress. It's simply that no software is immune to security problems. This is made even worse when the application is very popular and opensource.

In this article, I'm going to show you some quick fixes that you can do to block the holes that may occur during or after WordPress installation. Some of the tips here are for more advanced users though, and make sure that you always take a backup of your database before writing any sort of MySQL query.

1 - Secure WordPress Database

WordPress requires access to a database and it doesn't care if you share that database with other web applications. For simplicity, you should create a database just for WordPress though so even if someone breaches your blog through one database access, not all of your data are in jeopardy.

Basically, here are things you should do with WordPress database creation:

  • Create a database for WordPress. WP uses only a few tables but giving whole database just for the blog instead of sharing it is more like limiting its access.
  • Create and grant limited access to a database user. Create a user to access this database only and grant limited access to SQL commands on this database (select, insert, delete, update, create, drop and alter).
  • Pick a strong database password. It can be as random as possible because you don't have to remember it.

For the majority of us, you would do all this from your webhost's control panel, when you set up the database. But for the MySQL-confident, you can use these queries:

1
2
3
4
5
$ mysql -u root -p
mysql> create database 'myblog';
mysql> grant select, insert, delete, update, create, drop, alter on myblog.* to 'bloguser'@'localhost' identified by 'mypassword';
mysql> flush privileges;
mysql> exit;

If you use cPanel to create your database, pick the right checkboxes to give the database user just enough privilege to perform WordPress operation.

db-privileges

2 - Populate wp-config.php Properly

Go through each line in wp-config.php, not only the first block for database configuration.

Use WordPress secret key generation tool to generate random salts for WordPress cookies. These keys are used to insure better encryption of information stored in WordPress user's cookies.

You also want to modify the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wp23jk1_ obfuscates it enough but still allows you to recognize the tables as those belong to WordPress.

3 - Don't Use the Default admin Username

If you install WordPress manually, this involves modifying the database. Fantastico users are able to pick admin user and password as part of the installation process. There are more fields to fill in but you may end up with more secure WordPress installation.

1
2
3
4
5
$ mysql -u bloguser -p
Password: mypassword
mysql> use myblog;
mysql> update wp23jk1_users set user_login='myadm' where user_login='admin';
mysql> exit;

You may use phpMyAdmin and paste the SQL command (the update line) to execute it.

update-wp-admin

Alternatively, you may edit the value manually using phpMyAdmin web interface.

update-user-manual

Now your admin user name is myadm instead of admin.

4 - Pick Secure Password for Admin

Changing your admin username to something else is not a guarantee that people will not be able to guess it. For instance, if you use your username as the displayed meta data in every post, or you enable author specific page in multi-author blog, you will reveal your user name to the world.

With that assumption, you should pick secure password for your WordPress login. Combine upper and lowercase characters and numbers.

5 - Use Secure Login via Encrypted Channel

WordPress users who have SSL enabled for their domain (Talk to your host about this first. You won't have this by default!) should use that encrypted channel to access WordPress Dashboard. You can force admin sessions over HTTPS by setting FORCE_SSL_ADMIN variable in wp-config.php to true.

Copy and paste the following into your wp-config.php file.

1
define('FORCE_SSL_ADMIN', true);

6 - Upgrade as New Version Becomes Available

When WordPress releases new version, especially one that includes security fixes, upgrade as soon as time permits, even though it doesn't include features that you use.

7 - Backup Your Database and Files

Install a plugin or use cronjob to create database and file backups on a regular basis. This may not be directly related to security, but in case you detect intrusion, you will be glad you make a backup.

Refer to this post to backup your WordPress database directly to a Gmail account.

8 - No Directories Should be Available for Browsing

By default in most hosting, index of directories are shown in web browsers. This has a purpose but it also means that you reveal the content of any directory that has no index.html or index.php.

Modifying this behavior is easy with Apache, just add the following line of code to the .htaccess file in the root directory (In the same place as the wp-config.php file).

1
Options All -Indexes

9 - Protect WordPress Administration Files

WordPress administration files reside in wp-admin directory of your WordPress installation, except wp-config.php. The latter contains basic WordPress configuration that can not be modified through the Dashboard.

You may use .htaccess to restrict access and allow only specific IP address to this directory and file. If you have static IP address and you always blog from your computer, this can be an option.

Note that you may also allow access from a range of IPs. Refer to Apache's documentation on mod_access for complete instruction on how to set this up.

You need to put a .htaccess file in wp-admin.

Example:

1
2
3
Order Deny,Allow
Allow from ww.xx.yy.zz
Deny from all

Protecting wp-admin directory with user and password combination also adds another level of security. Apache has complete information on authentication, authorization and access control.

Example:

1
2
3
4
AuthType Basic
AuthName "WordPress Dashboard"
AuthUserFile /home/user/.htpasswds/blog/wp-admin/.htpasswd
Require user adminuser

and then generate the encrypted password using the htpasswd command.

1
$ htpasswd -cm .htpasswd adminuser

cPanel has a feature called Web Protect which allows you to accomplish the same thing.

If you implement all of those above, you should be accessing the wp-admin directory from the allowed IP address, authenticate with adminuser and then login normally to your WordPress Dashboard with your WordPress admin account (myadm).

10 - Restrict File Access to wp-content Directory

The wp-content directory contains your theme files, uploaded images and plugins. WordPress doesn't access the PHP files in the plugins and themes directories via HTTP. The only requests from web browsers are for image files, javascripts, and CSS.

For that reason you may restrict wp-content so that it only allows those file extensions but not PHP or any other file extensions. This prevents people from accessing any files directly.

Include the following lines in .htaccess within wp-content:

1
2
3
4
5
Order Allow,Deny
Deny from all
<files  ?\.(jpg|gif|png|js|css)$? ~>
	Allow from all
</files>

11. Hide WordPress Version in the Header Tag

Although you have deleted the WordPress version meta data from your theme, you may still get WordPress version line in the page returned by the blog software. The culprit is, since version 2.5 WordPress has added the feature to generate this code.

Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn't already have one)

1
<?php remove_action('wp_head', 'wp_generator'); ?>

It is important to note that even with all of those above implemented, there is no guarantee that your blog will be safe. Just that you decrease the chance tremendously and discourage those crackers from targeting your blog.

New exploits are discovered every so often and when a fix has not been made available yet, everyone is at risk. However, by implementing all or some of the tips above, at the very least it should give you peace of mind that you are not leaving your house unlocked.

Do you have any other tips, or do you do something differently? If so, please share!

Click here if you want to learn more about WordPress security.

About the author: Hendry Lee helps solopreneurs and small business owners overcome strategic and technological challenges in starting and growing their blogs. Get fresh blog tips from his blog, updated daily.

About the Author - Michael Martin is the founder of Pro Blog Design. He works as a freelance web designer, loves WordPress, and has an unhealthy addiction to smilies. Written on 15th December 2008.

Other posts tagged with , , , , , , .

Comments

40 Comments

  1. Great insight, Hendry. Nice to see you over here on Michael's blog with a very worthy guest post.

  2. Great post and soooo needed by everybody. I've done very similar things when setting up my wp sites but never have the "i'm a blogger" mentality to write it down as well (or at all) as you have. Therefore I've bookmarked it to get tweeted and hopefully RT'd. Thanks for the post!
    @chuckreynolds

  3. I agree with every point except upgrading when new versions come out.

    The only real reason you should upgrade is that if there is something that effects you. For instance, One of the updates (2.6.3 I believe) fixed Admin issues with the different users registered on the blog, But since it doesn't effect me, I didn't upgrade till 2.5.

    Usually, most people wait until they are around 10 versions behind and then upgrade their Wordpress.. It is very time consuming. :)

  4. Thanks to @chuckreynolds, I got to this post. Its the little things that are always overlooked, and always a 'why didn't I do that - after the fact'. Great list, your examples are key, your explanations are very detailed and easy to read. like Chuck, bookmarked. Thanks for the great info.

  5. Great post, I think that it's important to have a look at your blog's security, especially when your blog gets more popular...

    I'll try this on one of those rainy Sundays, thanks!

  6. All very good points, and with the new 2.7 even better. Why? Because with 2.7 you can upgrade not only plug-ins but the entire WP installation from within the admin panel. That makes it much easier and faster and very, very little reason not to keep up to date. As long as your themes or plug-ins aren't doing anything odd, you should be able to do the in-place upgrade and just keep on going.

  7. If you are using cpanal and you have dedicated server I highly recommend using this service: http://www.configserver.com/cp/cpanel.html

    Costs about $100 and is hands down the best server hardening package for the money I've ever seen. It does a lot to prevent attacks and break-in attempts. I wouldn't even consider using cpanel without it.

  8. I implemented many of your suggestions today--the ones I could--after somehow, someway, some hacker got into my blog and added a link for some foreign real estate company in my blogroll.

    Another tip then I would add is to visit your own blog often, especially if you use a remote blogging platform like LiveWriter or ScribeFire.

    • Good tip Chris. I hadn't thought of that, but it's completely true! You'll have no idea what little bugs are cropping up on your site if you aren't visiting it constantly.

      On top of that, it's worth subscribing to your RSS feed as well, just to make sure it's always working properly too (Otherwise, if it fails, your only hope is for a nice reader to take it upon themselves to email you).

  9. I am always worrying about the security of all of my blogs. This will help me feel a little bit safer.

  10. Thanks all. I'm glad you enjoyed my post.

    @Brad, exactly. I recommend people to upgrade if it is security related because that would be something that affect everybody.

  11. Very often we overlook that very important security issues, and the fact is that we should over them at first. Thanks for the great tips, some of which i wasn't aware, and some that i will implement for sure. Bookmarked!

  12. I don't like to upgrade WP too often, as long as there's no security fixes it's fine.

    I think the use custom DB name and change Admin name is already 2 of the easier but effective steps. :)

    • Hehe, I ended up with a custom database name by necessity originally (Already had a wp_ in the database and host won't allow more than 1 database), but now I'm quite happy to label it a "feature" of my database. ;)

  13. Hello,

    Really, I'm not that great with all the backend stuff. Would it be possible for you to put together a bid on all this? Securing wordpress n all.

    - Jeff

  14. You still need this filter to disable the feed print the wordpress vertion:

    add_filter( 'the_generator', create_function('$a', "return null;") );

  15. Great post. It seems to me that change of password is very important too. Security is very important thing for all bloggers.

  16. I'm still waiting for plugin upgrades to be compatible with 2.7. I guess there weren't any security upgrades with new wordpress so there's no problem I think.

    • Do you know which plugins need upgraded? I heard some bad things about PodPress, which is a shame, but beyond that, I've had no trouble with plugins, and haven't heard of many people having problems. :)

  17. Otto has just replied to the mailing list. Here's various ways to remove the generator line.

    To just remove it from the web page:
    remove_action('wp_head', 'wp_generator');

    To remove it from everything:
    add_filter('the_generator', create_function('', 'return "";'));

    To remove it from specific places:
    add_filter('get_the_generator_TYPE', create_function('', 'return "";'));

  18. I already use some of these techniques. I really liked the suggestions for restricting file access through HTTP (been looking for this), switching to a username other than admin (hope MySQL doesn't get messed up).

    PS:I would have really liked to restrict admin to only my IP, but unfortunately I'm on dynamic IP. Does anyone know a method to do the same for dynamic IPs?

    • It is just a simple update instruction, but if you are worry please make sure you have a backup of your entire database.

      Regarding dynamic IP, I think it is possible but it will involve a hack of some sort and that involves write access to your .htaccess file, which may or may not be a good idea.

      Possible idea is to run script after dialing your Internet connection. That script connects to your SSH and change the allowed IP address in the server setting.

      An ugly solution but works if you insist.

      Perhaps others have a better idea.

    • For the IP address, I was thinking of just enabling a chuck of IPs in case my number changes.

      Even if I just blocked out all the non-North America IPs, it's gotta help some....

  19. awesome post!
    just what i need

  20. Very useful post man, would just like to reiterate the point mentioned above about wordpress versions, indeed upgrading asap is NOT recommended as the newer version may bring bugs previously not there.

    2) http://semperfiwebdesign.com/p.....rity-scan/ a very useful plugin that helps you achieve a number of the points you have mentioned.

  21. Your post help me to think about wordpress security for my own blog about my diploma project. Ralph

  22. great article!
    i will implement some of this tips inmy blog

  23. Tip No. 10 stoppped my theme from loading along with any images that were posted in my topics. Inless I missed something this tip does not work for me. Any help would be appreciated.

  24. @Seb86 - I had a similar issue. I used a bit different code and it blocked access to some of my plugins functionality. That was just the comment I was gonne ask. What is the benefit of having a .htaccess in the wp-config, doesnt the Options -Indexes take care of that?

  25. Hi, great guide. I followed most of them for my two blogs. But I don't use Apache, I use lighttpd (so I don't have a .htaccess file), does anyone know how to "translate" these actions?

  26. I don't understand why anyone thinks it takes time to update. I still do manual updates and its a snap. I may wait a day or two before updating so I can upgrade my local test site and test compatibility with plugins but that is it.

    The small updates (ones with three digits 2.7.1) are primarily security fixes and minor bugs. People should be upgrading to those very quickly. I could see taking a few days to test on a local or dev server before a major change (one with a two digit number, 2.6, 2.7 etc) as those are major code changes.

    I still have to contact my host because when I try to run admin in encrypted it breaks.

    One thing I think should be noted is using the .htaccess file to restrict IPs to admin is not going to work for a lot of folks. Anyone that gets a dynamic IP from their ISP and that is a whole lot of people could lock themselves out.

  27. I just made my password stronger and done the 8th point. Make directories unavailable for browsing.
    I think i am more safe than earlier, now.
    Thanks for the useful infos.

  28. You all might want to have a look at Maximum Security for Wordpress since it'll help implement a lot of what's in this article, plus adds a lot of other Wordpress security features that you won't find anywhere else.

  29. Nice post and i am going to impliment these tips.Thank you.

  30. I am moving to Wordpress after many years of using Joomla for my company site and blog. These tips are nice starting point for me. Thanks!

  31. Nice, but how this all affect SEO?

  32. Great post! :)

    I have 3 questions:

    1/ When a plugin create a table, it will be using by default wp_something, right? If I change that in my database, will the plugin still work?

    2/ The following lines in .htaccess within wp-content:

    Order Allow,Deny
    Deny from all

    Allow from all

    Won't they make some plugins to stop working if I only allow access to jpeg, etc files?

    3/ What's the difference between:

    Options All -Indexes

    and:

    Options -Indexes

    Is there one safer than the other?

    And last one: like Mikko asked, does that affect SEO?
    Thanks you very much for your help! :)

Leave a Comment

Not sure how to get an image with your comment?

Link to your latest post? (If possible)