11 Best Ways to Improve WordPress Security
"Why should I care about WordPress security?"
That is the question I usually get when I start talking about how to install WordPress securely. Believe it or not, many people think the chance of a hacker -- or precisely, cracker or web site intruder -- getting into their blog and causing havoc is slim to none.
The bad news is, it happens more often than you think.
I'm sure you've seen search results in Google that were tagged with the This site may harm your computer message directly below the title, or read stories about this blog and that blog being hacked.
If you perform a quick search on the National Vulnerability Database, you'll find that WordPress has an increasing number of vulnerabilities. It was 2 in 2004, but the number quickly increased over the years to 63 in 2007.
This isn't an attack on WordPress. It's simply that no software is immune to security problems. This is made even worse when the application is very popular and opensource.
In this article, I'm going to show you some quick fixes that you can do to block the holes that may occur during or after WordPress installation. Some of the tips here are for more advanced users though, and make sure that you always take a backup of your database before writing any sort of MySQL query.
1 - Secure WordPress Database
WordPress requires access to a database and it doesn't care if you share that database with other web applications. For simplicity, you should create a database just for WordPress though so even if someone breaches your blog through one database access, not all of your data are in jeopardy.
Basically, here are things you should do with WordPress database creation:
- Create a database for WordPress. WP uses only a few tables but giving whole database just for the blog instead of sharing it is more like limiting its access.
- Create and grant limited access to a database user. Create a user to access this database only and grant limited access to SQL commands on this database (select, insert, delete, update, create, drop and alter).
- Pick a strong database password. It can be as random as possible because you don't have to remember it.
For the majority of us, you would do all this from your webhost's control panel, when you set up the database. But for the MySQL-confident, you can use these queries:
1 2 3 4 5 | $ mysql -u root -p mysql> create database 'myblog'; mysql> grant select, insert, delete, update, create, drop, alter on myblog.* to 'bloguser'@'localhost' identified by 'mypassword'; mysql> flush privileges; mysql> exit; |
If you use cPanel to create your database, pick the right checkboxes to give the database user just enough privilege to perform WordPress operation.
2 - Populate wp-config.php Properly
Go through each line in wp-config.php, not only the first block for database configuration.
Use WordPress secret key generation tool to generate random salts for WordPress cookies. These keys are used to insure better encryption of information stored in WordPress user's cookies.
You also want to modify the WordPress table prefix to something other than wp_. Adding random characters and numbers to the end of wp, such as wp23jk1_ obfuscates it enough but still allows you to recognize the tables as those belong to WordPress.
3 - Don't Use the Default admin Username
If you install WordPress manually, this involves modifying the database. Fantastico users are able to pick admin user and password as part of the installation process. There are more fields to fill in but you may end up with more secure WordPress installation.
1 2 3 4 5 | $ mysql -u bloguser -p Password: mypassword mysql> use myblog; mysql> update wp23jk1_users set user_login='myadm' where user_login='admin'; mysql> exit; |
You may use phpMyAdmin and paste the SQL command (the update line) to execute it.
Alternatively, you may edit the value manually using phpMyAdmin web interface.
Now your admin user name is myadm instead of admin.
4 - Pick Secure Password for Admin
Changing your admin username to something else is not a guarantee that people will not be able to guess it. For instance, if you use your username as the displayed meta data in every post, or you enable author specific page in multi-author blog, you will reveal your user name to the world.
With that assumption, you should pick secure password for your WordPress login. Combine upper and lowercase characters and numbers.
5 - Use Secure Login via Encrypted Channel
WordPress users who have SSL enabled for their domain (Talk to your host about this first. You won't have this by default!) should use that encrypted channel to access WordPress Dashboard. You can force admin sessions over HTTPS by setting FORCE_SSL_ADMIN variable in wp-config.php to true.
Copy and paste the following into your wp-config.php file.
1 | define('FORCE_SSL_ADMIN', true); |
6 - Upgrade as New Version Becomes Available
When WordPress releases new version, especially one that includes security fixes, upgrade as soon as time permits, even though it doesn't include features that you use.
7 - Backup Your Database and Files
Install a plugin or use cronjob to create database and file backups on a regular basis. This may not be directly related to security, but in case you detect intrusion, you will be glad you make a backup.
Refer to this post to backup your WordPress database directly to a Gmail account.
8 - No Directories Should be Available for Browsing
By default in most hosting, index of directories are shown in web browsers. This has a purpose but it also means that you reveal the content of any directory that has no index.html or index.php.
Modifying this behavior is easy with Apache, just add the following line of code to the .htaccess file in the root directory (In the same place as the wp-config.php file).
1 | Options All -Indexes |
9 - Protect WordPress Administration Files
WordPress administration files reside in wp-admin directory of your WordPress installation, except wp-config.php. The latter contains basic WordPress configuration that can not be modified through the Dashboard.
You may use .htaccess to restrict access and allow only specific IP address to this directory and file. If you have static IP address and you always blog from your computer, this can be an option.
Note that you may also allow access from a range of IPs. Refer to Apache's documentation on mod_access for complete instruction on how to set this up.
You need to put a .htaccess file in wp-admin.
Example:
1 2 3 | Order Deny,Allow Allow from ww.xx.yy.zz Deny from all |
Protecting wp-admin directory with user and password combination also adds another level of security. Apache has complete information on authentication, authorization and access control.
Example:
1 2 3 4 | AuthType Basic AuthName "WordPress Dashboard" AuthUserFile /home/user/.htpasswds/blog/wp-admin/.htpasswd Require user adminuser |
and then generate the encrypted password using the htpasswd command.
1 | $ htpasswd -cm .htpasswd adminuser |
cPanel has a feature called Web Protect which allows you to accomplish the same thing.
If you implement all of those above, you should be accessing the wp-admin directory from the allowed IP address, authenticate with adminuser and then login normally to your WordPress Dashboard with your WordPress admin account (myadm).
10 - Restrict File Access to wp-content Directory
The wp-content directory contains your theme files, uploaded images and plugins. WordPress doesn't access the PHP files in the plugins and themes directories via HTTP. The only requests from web browsers are for image files, javascripts, and CSS.
For that reason you may restrict wp-content so that it only allows those file extensions but not PHP or any other file extensions. This prevents people from accessing any files directly.
Include the following lines in .htaccess within wp-content:
1 2 3 4 5 | Order Allow,Deny Deny from all <files ?\.(jpg|gif|png|js|css)$? ~> Allow from all </files> |
11. Hide WordPress Version in the Header Tag
Although you have deleted the WordPress version meta data from your theme, you may still get WordPress version line in the page returned by the blog software. The culprit is, since version 2.5 WordPress has added the feature to generate this code.
Add the following line to the functions.php file in your theme directory: (Create a blank PHP file with this name if your theme doesn't already have one)
1 | <?php remove_action('wp_head', 'wp_generator'); ?> |
It is important to note that even with all of those above implemented, there is no guarantee that your blog will be safe. Just that you decrease the chance tremendously and discourage those crackers from targeting your blog.
New exploits are discovered every so often and when a fix has not been made available yet, everyone is at risk. However, by implementing all or some of the tips above, at the very least it should give you peace of mind that you are not leaving your house unlocked.
Do you have any other tips, or do you do something differently? If so, please share!
Click here if you want to learn more about WordPress security.
About the author: Hendry Lee helps solopreneurs and small business owners overcome strategic and technological challenges in starting and growing their blogs. Get fresh blog tips from his blog, updated daily.
Enjoy this post? Get future updates sent to you for free! Join by email or RSS.
About the Author - Michael Martin is the founder of Pro Blog Design. He works as a freelance web designer, loves WordPress, and has an unhealthy addiction to smilies. Written on 15th December 2008.
Other posts tagged with Apache, Database, htaccess, MySQL, Security, Server, WordPress.
15th December, 5:54 pm GMT
Great insight, Hendry. Nice to see you over here on Michael's blog with a very worthy guest post.
15th December, 6:38 pm GMT
Great post and soooo needed by everybody. I've done very similar things when setting up my wp sites but never have the "i'm a blogger" mentality to write it down as well (or at all) as you have. Therefore I've bookmarked it to get tweeted and hopefully RT'd. Thanks for the post!
@chuckreynolds
15th December, 7:46 pm GMT
I agree with every point except upgrading when new versions come out.
The only real reason you should upgrade is that if there is something that effects you. For instance, One of the updates (2.6.3 I believe) fixed Admin issues with the different users registered on the blog, But since it doesn't effect me, I didn't upgrade till 2.5.
Usually, most people wait until they are around 10 versions behind and then upgrade their Wordpress.. It is very time consuming.
15th December, 7:53 pm GMT
Thanks to @chuckreynolds, I got to this post. Its the little things that are always overlooked, and always a 'why didn't I do that - after the fact'. Great list, your examples are key, your explanations are very detailed and easy to read. like Chuck, bookmarked. Thanks for the great info.
15th December, 7:59 pm GMT
Great post, I think that it's important to have a look at your blog's security, especially when your blog gets more popular...
I'll try this on one of those rainy Sundays, thanks!
15th December, 8:26 pm GMT
All very good points, and with the new 2.7 even better. Why? Because with 2.7 you can upgrade not only plug-ins but the entire WP installation from within the admin panel. That makes it much easier and faster and very, very little reason not to keep up to date. As long as your themes or plug-ins aren't doing anything odd, you should be able to do the in-place upgrade and just keep on going.
15th December, 9:16 pm GMT
If you are using cpanal and you have dedicated server I highly recommend using this service: http://www.configserver.com/cp/cpanel.html
Costs about $100 and is hands down the best server hardening package for the money I've ever seen. It does a lot to prevent attacks and break-in attempts. I wouldn't even consider using cpanel without it.
15th December, 11:58 pm GMT
I implemented many of your suggestions today--the ones I could--after somehow, someway, some hacker got into my blog and added a link for some foreign real estate company in my blogroll.
Another tip then I would add is to visit your own blog often, especially if you use a remote blogging platform like LiveWriter or ScribeFire.
19th December, 3:00 pm GMT
Good tip Chris. I hadn't thought of that, but it's completely true! You'll have no idea what little bugs are cropping up on your site if you aren't visiting it constantly.
On top of that, it's worth subscribing to your RSS feed as well, just to make sure it's always working properly too (Otherwise, if it fails, your only hope is for a nice reader to take it upon themselves to email you).
16th December, 1:19 am GMT
I am always worrying about the security of all of my blogs. This will help me feel a little bit safer.
16th December, 2:03 am GMT
Thanks all. I'm glad you enjoyed my post.
@Brad, exactly. I recommend people to upgrade if it is security related because that would be something that affect everybody.
16th December, 12:02 pm GMT
Very often we overlook that very important security issues, and the fact is that we should over them at first. Thanks for the great tips, some of which i wasn't aware, and some that i will implement for sure. Bookmarked!
19th December, 3:02 pm GMT
Glad you liked the post, hope the implementation goes well for you!
16th December, 6:21 pm GMT
I don't like to upgrade WP too often, as long as there's no security fixes it's fine.
I think the use custom DB name and change Admin name is already 2 of the easier but effective steps.
19th December, 3:01 pm GMT
Hehe, I ended up with a custom database name by necessity originally (Already had a wp_ in the database and host won't allow more than 1 database), but now I'm quite happy to label it a "feature" of my database.
17th December, 2:13 am GMT
Hello,
Really, I'm not that great with all the backend stuff. Would it be possible for you to put together a bid on all this? Securing wordpress n all.
- Jeff
17th December, 11:35 am GMT
You still need this filter to disable the feed print the wordpress vertion:
add_filter( 'the_generator', create_function('$a', "return null;") );19th December, 2:29 pm GMT
Thanks, I'll try that out!
17th December, 12:48 pm GMT
Great post. It seems to me that change of password is very important too. Security is very important thing for all bloggers.
17th December, 7:10 pm GMT
That's a very good point! All of the advanced techniques here stand for nothing if someone guesses your password, or you're using the same one you use on other sites.
19th December, 9:43 am GMT
I'm still waiting for plugin upgrades to be compatible with 2.7. I guess there weren't any security upgrades with new wordpress so there's no problem I think.
19th December, 2:29 pm GMT
Do you know which plugins need upgraded? I heard some bad things about PodPress, which is a shame, but beyond that, I've had no trouble with plugins, and haven't heard of many people having problems.
22nd December, 5:39 am GMT
Otto has just replied to the mailing list. Here's various ways to remove the generator line.
To just remove it from the web page:
remove_action('wp_head', 'wp_generator');To remove it from everything:
add_filter('the_generator', create_function('', 'return "";'));To remove it from specific places:
add_filter('get_the_generator_TYPE', create_function('', 'return "";'));22nd December, 7:24 am GMT
I already use some of these techniques. I really liked the suggestions for restricting file access through HTTP (been looking for this), switching to a username other than admin (hope MySQL doesn't get messed up).
PS:I would have really liked to restrict admin to only my IP, but unfortunately I'm on dynamic IP. Does anyone know a method to do the same for dynamic IPs?
24th December, 6:57 am GMT
It is just a simple update instruction, but if you are worry please make sure you have a backup of your entire database.
Regarding dynamic IP, I think it is possible but it will involve a hack of some sort and that involves write access to your .htaccess file, which may or may not be a good idea.
Possible idea is to run script after dialing your Internet connection. That script connects to your SSH and change the allowed IP address in the server setting.
An ugly solution but works if you insist.
Perhaps others have a better idea.
7th January, 11:04 am GMT
For the IP address, I was thinking of just enabling a chuck of IPs in case my number changes.
Even if I just blocked out all the non-North America IPs, it's gotta help some....
22nd December, 9:29 pm GMT
awesome post!
just what i need
2nd January, 5:27 pm GMT
Very useful post man, would just like to reiterate the point mentioned above about wordpress versions, indeed upgrading asap is NOT recommended as the newer version may bring bugs previously not there.
2) http://semperfiwebdesign.com/p.....rity-scan/ a very useful plugin that helps you achieve a number of the points you have mentioned.
4th January, 8:27 pm GMT
Your post help me to think about wordpress security for my own blog about my diploma project. Ralph
6th January, 5:53 pm GMT
great article!
i will implement some of this tips inmy blog
7th January, 3:39 am GMT
Tip No. 10 stoppped my theme from loading along with any images that were posted in my topics. Inless I missed something this tip does not work for me. Any help would be appreciated.
10th January, 4:22 am GMT
@Seb86 - I had a similar issue. I used a bit different code and it blocked access to some of my plugins functionality. That was just the comment I was gonne ask. What is the benefit of having a .htaccess in the wp-config, doesnt the Options -Indexes take care of that?
15th January, 5:02 pm GMT
Hi, great guide. I followed most of them for my two blogs. But I don't use Apache, I use lighttpd (so I don't have a .htaccess file), does anyone know how to "translate" these actions?
31st January, 6:53 pm GMT
I don't understand why anyone thinks it takes time to update. I still do manual updates and its a snap. I may wait a day or two before updating so I can upgrade my local test site and test compatibility with plugins but that is it.
The small updates (ones with three digits 2.7.1) are primarily security fixes and minor bugs. People should be upgrading to those very quickly. I could see taking a few days to test on a local or dev server before a major change (one with a two digit number, 2.6, 2.7 etc) as those are major code changes.
I still have to contact my host because when I try to run admin in encrypted it breaks.
One thing I think should be noted is using the .htaccess file to restrict IPs to admin is not going to work for a lot of folks. Anyone that gets a dynamic IP from their ISP and that is a whole lot of people could lock themselves out.
7th February, 7:22 am GMT
I just made my password stronger and done the 8th point. Make directories unavailable for browsing.
I think i am more safe than earlier, now.
Thanks for the useful infos.
11th February, 10:52 pm GMT
You all might want to have a look at Maximum Security for Wordpress since it'll help implement a lot of what's in this article, plus adds a lot of other Wordpress security features that you won't find anywhere else.
26th February, 1:43 am GMT
Nice post and i am going to impliment these tips.Thank you.
14th May, 3:37 am GMT
I am moving to Wordpress after many years of using Joomla for my company site and blog. These tips are nice starting point for me. Thanks!
26th May, 8:29 am GMT
Nice, but how this all affect SEO?
13th June, 11:17 am GMT
Great post!
I have 3 questions:
1/ When a plugin create a table, it will be using by default wp_something, right? If I change that in my database, will the plugin still work?
2/ The following lines in .htaccess within wp-content:
Order Allow,Deny
Deny from all
Allow from all
Won't they make some plugins to stop working if I only allow access to jpeg, etc files?
3/ What's the difference between:
Options All -Indexes
and:
Options -Indexes
Is there one safer than the other?
And last one: like Mikko asked, does that affect SEO?
Thanks you very much for your help!