“Why should I care about WordPress security?”
That is the question I usually get when I start talking about how to install WordPress securely. Believe it or not, many people think the chance of a hacker — or precisely, cracker or web site intruder — getting into their blog and causing havoc is slim to none.
The bad news is, it happens more often than you think.
I’m sure you’ve seen search results in Google that were tagged with the This site may harm your computer message directly below the title, or read stories about this blog and that blog being hacked.
If you perform a quick search on the National Vulnerability Database, you’ll find that WordPress has an increasing number of vulnerabilities. It was 2 in 2004, but the number quickly increased over the years to 63 in 2007.
This isn’t an attack on WordPress. It’s simply that no software is immune to security problems. This is made even worse when the application is very popular and opensource.
In this article, I’m going to show you some quick fixes that you can do to block the holes that may occur during or after WordPress installation. Some of the tips here are for more advanced users though, and make sure that you always take a backup of your database before writing any sort of MySQL query.
1 – Secure WordPress Database
WordPress requires access to a database and it doesn’t care if you share that database with other web applications. For simplicity, you should create a database just for WordPress though so even if someone breaches your blog through one database access, not all of your data are in jeopardy.
Basically, here are things you should do with WordPress database creation:
- Create a database for WordPress. WP uses only a few tables but giving whole database just for the blog instead of sharing it is more like limiting its access.
- Create and grant limited access to a database user. Create a user to access this database only and grant limited access to SQL commands on this database (select, insert, delete, update, create, drop and alter).
- Pick a strong database password. It can be as random as possible because you don’t have to remember it.
For the majority of us, you would do all this from your webhost’s control panel, when you set up the database. But for the MySQL-confident, you can use these queries:
1 2 3 4 5 | $ mysql -u root -p mysql> create database 'myblog'; mysql> grant select, insert, delete, update, create, drop, alter on myblog.* to 'bloguser'@'localhost' identified by 'mypassword'; mysql> flush privileges; mysql> exit; |
If you use cPanel to create your database, pick the right checkboxes to give the database user just enough privilege to perform WordPress operation.
2 – Populate wp-config.php Properly
Go through each line in wp-config.php, not only the first block for database configuration.
Use WordPress secret key generation tool to generate random salts for WordPress cookies. These keys are used to insure better encryption of information stored in WordPress user’s cookies.
You also want to modify the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wp23jk1_ obfuscates it enough but still allows you to recognize the tables as those belong to WordPress.
3 – Don’t Use the Default admin Username
If you install WordPress manually, this involves modifying the database. Fantastico users are able to pick admin user and password as part of the installation process. There are more fields to fill in but you may end up with more secure WordPress installation.
1 2 3 4 5 | $ mysql -u bloguser -p Password: mypassword mysql> use myblog; mysql> update wp23jk1_users set user_login='myadm' where user_login='admin'; mysql> exit; |
You may use phpMyAdmin and paste the SQL command (the update line) to execute it.
Alternatively, you may edit the value manually using phpMyAdmin web interface.
Now your admin user name is myadm instead of admin.
4 – Pick Secure Password for Admin
Changing your admin username to something else is not a guarantee that people will not be able to guess it. For instance, if you use your username as the displayed meta data in every post, or you enable author specific page in multi-author blog, you will reveal your user name to the world.
With that assumption, you should pick secure password for your WordPress login. Combine upper and lowercase characters and numbers.
5 – Use Secure Login via Encrypted Channel
WordPress users who have SSL enabled for their domain (Talk to your host about this first. You won’t have this by default!) should use that encrypted channel to access WordPress Dashboard. You can force admin sessions over HTTPS by setting FORCE_SSL_ADMIN variable in wp-config.php to true.
Copy and paste the following into your wp-config.php file.
1 | define('FORCE_SSL_ADMIN', true); |
6 – Upgrade as New Version Becomes Available
When WordPress releases new version, especially one that includes security fixes, upgrade as soon as time permits, even though it doesn’t include features that you use.
7 – Backup Your Database and Files
Install a plugin or use cronjob to create database and file backups on a regular basis. This may not be directly related to security, but in case you detect intrusion, you will be glad you make a backup.
Refer to this post to backup your WordPress database directly to a Gmail account.
8 – No Directories Should be Available for Browsing
By default in most hosting, index of directories are shown in web browsers. This has a purpose but it also means that you reveal the content of any directory that has no index.html or index.php.
Modifying this behavior is easy with Apache, just add the following line of code to the .htaccess file in the root directory (In the same place as the wp-config.php file).
1 | Options All -Indexes |
9 – Protect WordPress Administration Files
WordPress administration files reside in wp-admin directory of your WordPress installation, except wp-config.php. The latter contains basic WordPress configuration that can not be modified through the Dashboard.
You may use .htaccess to restrict access and allow only specific IP address to this directory and file. If you have static IP address and you always blog from your computer, this can be an option.
Note that you may also allow access from a range of IPs. Refer to Apache’s documentation on mod_access for complete instruction on how to set this up.
You need to put a .htaccess file in wp-admin.
Example:
1 2 3 | Order Deny,Allow Allow from ww.xx.yy.zz Deny from all |
Protecting wp-admin directory with user and password combination also adds another level of security. Apache has complete information on authentication, authorization and access control.
Example:
1 2 3 4 | AuthType Basic AuthName "WordPress Dashboard" AuthUserFile /home/user/.htpasswds/blog/wp-admin/.htpasswd Require user adminuser |
and then generate the encrypted password using the htpasswd command.
1 | $ htpasswd -cm .htpasswd adminuser |
cPanel has a feature called Web Protect which allows you to accomplish the same thing.
If you implement all of those above, you should be accessing the wp-admin directory from the allowed IP address, authenticate with adminuser and then login normally to your WordPress Dashboard with your WordPress admin account (myadm).
10 – Restrict File Access to wp-content Directory
The wp-content directory contains your theme files, uploaded images and plugins. WordPress doesn’t access the PHP files in the plugins and themes directories via HTTP. The only requests from web browsers are for image files, javascripts, and CSS.
For that reason you may restrict wp-content so that it only allows those file extensions but not PHP or any other file extensions. This prevents people from accessing any files directly.
Include the following lines in .htaccess within wp-content:
1 2 3 4 5 | Order Allow,Deny Deny from all <files ?\.(jpg|gif|png|js|css)$? ~> Allow from all </files> |
11. Hide WordPress Version in the Header Tag
Although you have deleted the WordPress version meta data from your theme, you may still get WordPress version line in the page returned by the blog software. The culprit is, since version 2.5 WordPress has added the feature to generate this code.
Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn’t already have one)
1 | <?php remove_action('wp_head', 'wp_generator'); ?> |
It is important to note that even with all of those above implemented, there is no guarantee that your blog will be safe. Just that you decrease the chance tremendously and discourage those crackers from targeting your blog.
New exploits are discovered every so often and when a fix has not been made available yet, everyone is at risk. However, by implementing all or some of the tips above, at the very least it should give you peace of mind that you are not leaving your house unlocked.
Do you have any other tips, or do you do something differently? If so, please share!
Click here if you want to learn more about WordPress security.
About the author: Hendry Lee helps solopreneurs and small business owners overcome strategic and technological challenges in starting and growing their blogs. Get fresh blog tips from his blog, updated daily.
Custom Search
David Airey (55 comments)15 December 08
Great insight, Hendry. Nice to see you over here on Michael’s blog with a very worthy guest post.
Chuck Reynolds (4 comments)15 December 08
Great post and soooo needed by everybody. I’ve done very similar things when setting up my wp sites but never have the “i’m a blogger” mentality to write it down as well (or at all) as you have. Therefore I’ve bookmarked it to get tweeted and hopefully RT’d. Thanks for the post!
@chuckreynolds
Brad Blogging.com - Personal Blog Tips And Blog Help (8 comments)15 December 08
I agree with every point except upgrading when new versions come out.
The only real reason you should upgrade is that if there is something that effects you. For instance, One of the updates (2.6.3 I believe) fixed Admin issues with the different users registered on the blog, But since it doesn’t effect me, I didn’t upgrade till 2.5.
Usually, most people wait until they are around 10 versions behind and then upgrade their Wordpress.. It is very time consuming.
Jason Newlin (1 comments)15 December 08
Thanks to @chuckreynolds, I got to this post. Its the little things that are always overlooked, and always a ‘why didn’t I do that – after the fact’. Great list, your examples are key, your explanations are very detailed and easy to read. like Chuck, bookmarked. Thanks for the great info.
Arjen (13 comments)15 December 08
Great post, I think that it’s important to have a look at your blog’s security, especially when your blog gets more popular…
I’ll try this on one of those rainy Sundays, thanks!
Michael Carnell (1 comments)15 December 08
All very good points, and with the new 2.7 even better. Why? Because with 2.7 you can upgrade not only plug-ins but the entire WP installation from within the admin panel. That makes it much easier and faster and very, very little reason not to keep up to date. As long as your themes or plug-ins aren’t doing anything odd, you should be able to do the in-place upgrade and just keep on going.
Jestep (3 comments)15 December 08
If you are using cpanal and you have dedicated server I highly recommend using this service: http://www.configserver.com/cp/cpanel.html
Costs about $100 and is hands down the best server hardening package for the money I’ve ever seen. It does a lot to prevent attacks and break-in attempts. I wouldn’t even consider using cpanel without it.
Chris (18 comments)15 December 08
I implemented many of your suggestions today–the ones I could–after somehow, someway, some hacker got into my blog and added a link for some foreign real estate company in my blogroll.
Another tip then I would add is to visit your own blog often, especially if you use a remote blogging platform like LiveWriter or ScribeFire.
Michael Martin (1286 comments)19 December 08
Good tip Chris. I hadn’t thought of that, but it’s completely true! You’ll have no idea what little bugs are cropping up on your site if you aren’t visiting it constantly.
On top of that, it’s worth subscribing to your RSS feed as well, just to make sure it’s always working properly too (Otherwise, if it fails, your only hope is for a nice reader to take it upon themselves to email you).
Franklin Bishop (2 comments)16 December 08
I am always worrying about the security of all of my blogs. This will help me feel a little bit safer.
Hendry Lee (13 comments)16 December 08
Thanks all. I’m glad you enjoyed my post.
@Brad, exactly. I recommend people to upgrade if it is security related because that would be something that affect everybody.
Web Design Beach (28 comments)16 December 08
Very often we overlook that very important security issues, and the fact is that we should over them at first. Thanks for the great tips, some of which i wasn’t aware, and some that i will implement for sure. Bookmarked!
Michael Martin (1286 comments)19 December 08
Glad you liked the post, hope the implementation goes well for you!
goldfries (81 comments)16 December 08
I don’t like to upgrade WP too often, as long as there’s no security fixes it’s fine.
I think the use custom DB name and change Admin name is already 2 of the easier but effective steps.
Michael Martin (1286 comments)19 December 08
Hehe, I ended up with a custom database name by necessity originally (Already had a wp_ in the database and host won’t allow more than 1 database), but now I’m quite happy to label it a “feature” of my database.
JeffMHoward (1 comments)17 December 08
Hello,
Really, I’m not that great with all the backend stuff. Would it be possible for you to put together a bid on all this? Securing wordpress n all.
- Jeff
玩WordPress (1 comments)17 December 08
You still need this filter to disable the feed print the wordpress vertion:
add_filter( 'the_generator', create_function('$a', "return null;") );Michael Martin (1286 comments)19 December 08
Thanks, I’ll try that out!
Lady Maksima (3 comments)17 December 08
Great post. It seems to me that change of password is very important too. Security is very important thing for all bloggers.
Michael Martin (1286 comments)17 December 08
That’s a very good point! All of the advanced techniques here stand for nothing if someone guesses your password, or you’re using the same one you use on other sites.
Zaslony (1 comments)19 December 08
I’m still waiting for plugin upgrades to be compatible with 2.7. I guess there weren’t any security upgrades with new wordpress so there’s no problem I think.
Michael Martin (1286 comments)19 December 08
Do you know which plugins need upgraded? I heard some bad things about PodPress, which is a shame, but beyond that, I’ve had no trouble with plugins, and haven’t heard of many people having problems.
Hendry Lee (13 comments)22 December 08
Otto has just replied to the mailing list. Here’s various ways to remove the generator line.
To just remove it from the web page:
remove_action('wp_head', 'wp_generator');To remove it from everything:
add_filter('the_generator', create_function('', 'return "";'));To remove it from specific places:
add_filter('get_the_generator_TYPE', create_function('', 'return "";'));Sumesh (39 comments)22 December 08
I already use some of these techniques. I really liked the suggestions for restricting file access through HTTP (been looking for this), switching to a username other than admin (hope MySQL doesn’t get messed up).
PS:I would have really liked to restrict admin to only my IP, but unfortunately I’m on dynamic IP. Does anyone know a method to do the same for dynamic IPs?
Hendry Lee (13 comments)24 December 08
It is just a simple update instruction, but if you are worry please make sure you have a backup of your entire database.
Regarding dynamic IP, I think it is possible but it will involve a hack of some sort and that involves write access to your .htaccess file, which may or may not be a good idea.
Possible idea is to run script after dialing your Internet connection. That script connects to your SSH and change the allowed IP address in the server setting.
An ugly solution but works if you insist.
Perhaps others have a better idea.
Gary LaPointe (1 comments)7 January 09
For the IP address, I was thinking of just enabling a chuck of IPs in case my number changes.
Even if I just blocked out all the non-North America IPs, it’s gotta help some….
zetaas (1 comments)22 December 08
awesome post!
just what i need
Donace (3 comments)2 January 09
Very useful post man, would just like to reiterate the point mentioned above about wordpress versions, indeed upgrading asap is NOT recommended as the newer version may bring bugs previously not there.
2) http://semperfiwebdesign.com/p.....rity-scan/ a very useful plugin that helps you achieve a number of the points you have mentioned.
Ralph (9 comments)4 January 09
Your post help me to think about wordpress security for my own blog about my diploma project. Ralph
joao (1 comments)6 January 09
great article!
i will implement some of this tips inmy blog
Seb86 (1 comments)7 January 09
Tip No. 10 stoppped my theme from loading along with any images that were posted in my topics. Inless I missed something this tip does not work for me. Any help would be appreciated.
Mikael (1 comments)10 January 09
@Seb86 – I had a similar issue. I used a bit different code and it blocked access to some of my plugins functionality. That was just the comment I was gonne ask. What is the benefit of having a .htaccess in the wp-config, doesnt the Options -Indexes take care of that?
Niko (1 comments)15 January 09
Hi, great guide. I followed most of them for my two blogs. But I don’t use Apache, I use lighttpd (so I don’t have a .htaccess file), does anyone know how to “translate” these actions?
BlaKKJaKK (1 comments)31 January 09
I don’t understand why anyone thinks it takes time to update. I still do manual updates and its a snap. I may wait a day or two before updating so I can upgrade my local test site and test compatibility with plugins but that is it.
The small updates (ones with three digits 2.7.1) are primarily security fixes and minor bugs. People should be upgrading to those very quickly. I could see taking a few days to test on a local or dev server before a major change (one with a two digit number, 2.6, 2.7 etc) as those are major code changes.
I still have to contact my host because when I try to run admin in encrypted it breaks.
One thing I think should be noted is using the .htaccess file to restrict IPs to admin is not going to work for a lot of folks. Anyone that gets a dynamic IP from their ISP and that is a whole lot of people could lock themselves out.
mtsandeep (3 comments)7 February 09
I just made my password stronger and done the 8th point. Make directories unavailable for browsing.
I think i am more safe than earlier, now.
Thanks for the useful infos.
Mark (13 comments)11 February 09
You all might want to have a look at Maximum Security for Wordpress since it’ll help implement a lot of what’s in this article, plus adds a lot of other Wordpress security features that you won’t find anywhere else.
Praneeta (1 comments)26 February 09
Nice post and i am going to impliment these tips.Thank you.
Rick Winkler (1 comments)14 May 09
I am moving to Wordpress after many years of using Joomla for my company site and blog. These tips are nice starting point for me. Thanks!
Mikko (5 comments)26 May 09
Nice, but how this all affect SEO?
Harvin (1 comments)13 June 09
Great post!
I have 3 questions:
1/ When a plugin create a table, it will be using by default wp_something, right? If I change that in my database, will the plugin still work?
2/ The following lines in .htaccess within wp-content:
Order Allow,Deny
Deny from all
Allow from all
Won’t they make some plugins to stop working if I only allow access to jpeg, etc files?
3/ What’s the difference between:
Options All -Indexes
and:
Options -Indexes
Is there one safer than the other?
And last one: like Mikko asked, does that affect SEO?
Thanks you very much for your help!
WCC (1 comments)21 November 09
Harvin:
Regarding your #3: I was wondering the same thing, too. After poking around Google, I found the answer on the Apache site: http://httpd.apache.org/docs/2.....ml#options
I think I prefer to leave out the ‘All’ and just specify the ‘-Indexes’ option, but it looks like ‘All’ is the default, so it probably doesn’t matter either way.
(Michael Martin: Thanks for this great/handy/helpful post with super tips!)
-WCC
Hikari (3 comments)12 July 09
Thise are nice tips!
But I tried to set password access to wp-admin and Askimet stopped working. It says it can’t access its servers and I had to remove the pass lock.
Any idea on how to make Askimet happy? :p
Hikari (3 comments)15 July 09
Update: it seems I was unlucky and tried this at the same moment Askimet had some kind of connectivity bug, you all must be aware if this for now.
I updated Askimet and re-enabled htaccess password, and Askimet is not reporting the error this time!
Another tip: for creating and also storing password, I suggest KeyPass. It is OpenSource, is great for security, and has a nice Usability interface.
shaunjudy (4 comments)16 July 09
This is a great list of tips for wordpress. I think everyone should perform these on their wordpress blog. Thanks for all the great info.
why.itgo.com (1 comments)29 July 09
thanks for sharing
hope this could help me , my other blog just got hack .
.-= why.itgo.com´s last blog ..melayang ke laut =-.
Frank P. Walenynowicz (1 comments)9 August 09
When it comes to /wp-admin/ protection I like restricting access to specific IP most. My IP is assigned dynamicaly by my provider and the fact that it may change from time to time does not boder me at all. It changes infrequently and changing it in .htaccess is not a big deal. I’ve followed many discussions about this method but it seems to me that very few people are concerned about one implication. On installations allowing users to register we deny them access to their own profiles. Sure we can add the new users’ IPs to .htaccess upon successful registration (simple plugin will do it), but if their IPs are dynamic and they change we are in trouble. We would need to rely on the user to provide old IP (necessary to confirm that the user is legitimate) and new IP, so we can modify .htaccess. Does anyone here have some ideas how to solve this problem?
Web Host Right (16 comments)19 August 09
With the most recent upgrades being released fairly close to each other, and with them being security fixes, i made sure i upgraded as soon as i saw the new versions available, not worth taking the chance on it and leaving it, even just for a few days.
Caillou (2 comments)10 September 09
thank so much !
Joe Lish (1 comments)1 October 09
I used the code below to protect wp-admin. Now all users who go to the main page are being prompted the the “WordPress Admin Access Control” password rather than the password assigned to their subscriber accounts. If they hit cancel several times, the login page that uses the subscriber info appears. Any ideas?
AuthName “WordPress Admin Access Control”
AuthType Basic
AuthUserFile /homepages/**/********/htdocs/.htpasswd
order deny,allow
deny from all
require valid-user
# whitelist *****’s IP address
allow from **.**.***.***
Satisfy Any
hostpapa (1 comments)29 October 09
great tips. i just wanna add:
12) stealth /wp-admin address.
it’s work like a redirect plugin, forward to new customize login url.
pretty easy but not so secured. can be applied as additional methods
Security Firm (1 comments)3 November 09
Nice write up, but you have to use SSH and not FTP. All this means nothing if someone figures out your password. And, you should always be running the latest version.
El3ments (1 comments)4 November 09
Since I am new to WP security this was very helpful. Thank you.
Keith Davis (51 comments)7 November 09
Before I pretty-up my site I’m looking at security, hence my reading this post. As usual… great list, but…
Spare a thought for the technically challenged such as me.
I can cope with a .htaccess file and moving around directories, I’m even OK with html and CSS, but once you mention php and MySQL, my knees turn to jelly.
Super post, but perhaps just a teeny weeny bit more explanation for some of the more technical issues?
steve (8 comments)19 November 09
What I would like to see is someone do a camtasia video showing how to do all the above to help secure our worpdress sites. I learn much better by watching how its done, plus you can pause, stop and do part of it then come back and watch the rest etc etc.
Anyone up for the challenge?
pulegium (1 comments)21 November 09
great tips, especially i liked the DB bit, which I always pay least attention to…
Also a good thing is that you restrict wp-content only to images and such, leaving out everything else.
you also have IP whitelist, which I always do for my wp-admin. you might want to update to auto redirect to ssl though, just as per:
http://www.grenadepod.com/2009.....wordpress/
radhika (1 comments)4 January 10
Thank you for great tips.
I also use WP security scan plugin. It scans the WP installation for few basic security issues.
anadikt (1 comments)18 January 10
Great post, thanks!
Mikko (5 comments)25 January 10
How these modifications affects SEO capabilities of WP?
LeeS (1 comments)4 February 10
Hi
I’ve just been checking some security after a hack of a server which may or may not involve my wordpress installs
2.8.4 allowed me to upload a PHP file, which could then be run.
Surely this is a huge security liability
I’m just upgrading this site to 2.9.1 and will test it again
Lee