WordPress Security Tips

Search Google and just about every article you come across will tell you that in order to have a secure blog you need some number of plugins. I disagree. I use none, yet I’m satisfied I have a reasonable level of security. I use a number of techniques to keep the site safe, which I’ll discuss over the course of the post.

1. Restrict access to wp-admin by IP

Something I started doing recently is allowing only my IP to access the wp-admin directory. This stops someone taking the site by brute force (unless they’re on my PC!) and ensures that only I can control the site the easy way. Of course, the database is still relatively vulnerable, but this is a fairly good way of stopping attacks at the front door:

# Apache 2.2 syntax (on Apache 2.4 use "Require ip <your IP>" instead).
# Replace 203.0.113.10 with your own public IP address.
<Files wp-login.php>
Order deny,allow
Deny from All
Allow from 203.0.113.10
</Files>

2. Super strong database password.

Using the cPanel password generator, I can create a fairly secure database password, something vitally important. If a hacker had access to the database, they could do anything. Quite literally. A second step I take is to always rename the database from the Fantastico-generated name, as Fantastico always generates a wp_-style name, making the site easily identifiable as running WP. Doing so is fairly easy manually, although this is one of the few times I’d recommend a plugin; the security scan plugin can rename your database in a single click.

3. Protect wp-config.php

With a strong database name and password, you obviously now need to protect the file that contains these. The following .htaccess code does the trick by preventing access to the most important file you’ve got.

# protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<files wp-config.php>
order allow,deny
deny from all
</files>

Another interesting trick, which I found on DevLounge, is to move the sensitive data in wp-config.php to an unreachable location (i.e. outside the web root, above www/public_html in your directory tree) and then pull that file in with a PHP include. It’s actually quite clever if you think about it and certainly something to look into more closely (i.e. read the post linked to).
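To make the DevLounge idea concrete, here is an added example of what the two files can look like. This is illustrative code, not the post’s or DevLounge’s own; the directory layout, file names and database values are hypothetical.

```php
<?php
// Added example, not the post's or DevLounge's code. Two files are shown in
// one listing; the paths are hypothetical:
//   /home/example/private/wp-secrets.php     outside the web root, mode 0600,
//                                             owned by the account PHP runs as
//   /home/example/public_html/wp-config.php  inside the web root

// ---------- /home/example/private/wp-secrets.php ----------
// wp-load.php defines ABSPATH before it requires wp-config.php, so this file
// refuses to define anything unless it was reached through the normal
// WordPress bootstrap.
defined('ABSPATH') || exit;

define('DB_NAME',     'example_db');                        // constructed sample values
define('DB_USER',     'example_user');
define('DB_PASSWORD', 'REPLACE-WITH-GENERATED-PASSWORD');   // placeholder
define('DB_HOST',     'localhost');

// ---------- /home/example/public_html/wp-config.php (top of file) ----------
// One directory above the web root, i.e. a sibling of public_html.
$secrets = dirname(__DIR__) . '/private/wp-secrets.php';

// Fail closed: never fall through to an unconfigured WordPress if the
// secrets file is missing or unreadable.
if (!is_readable($secrets)) {
    http_response_code(500);
    exit('Site configuration error.');
}
require_once $secrets;

// ... table prefix, authentication keys/salts and the rest of the usual
// wp-config.php follow here ...
```

Two things worth knowing: the secrets file must stay readable by the account PHP runs as (and by nobody else), and WordPress itself will load wp-config.php from one directory above the install when it is not present in the install root, which is the simplest way to get the whole file out of the web root when WordPress sits directly in public_html.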

4. Be careful with plugins

Plugins are often a way into your blog. Something badly coded can be a backdoor for hackers, so you should always be careful about the plugins you use. I personally limit myself to ten plugins, and popular ones at that, which are less likely to have a hole in them (on the presumption that they’re good, so they must be well coded) and, being popular, will get an update released in good time if a problem is found. Plugins which need updating a lot go, regardless of how useful the functionality may be.

5. Use SSL if you can

A favourite of list posts about WordPress security is to say how important using SSL is and here’s a plugin to use it. I’ll explain a bit more. Essentially, SSL (Secure Sockets Layer) encrypts the data sent between your browser and the server. Without it, your WordPress password is sent with no protection at all and so could be intercepted with relative ease by a hacker. If your web host offers an SSL certificate, take it and use it (with one of the plugins available). If it doesn’t offer you a certificate, certainly seriously consider tip #1. The codex has some excellent info on this subject.

6. Keep users in check.

Now that you’ve got a super secure site, safe from attack from the outside, it’s time to look at the inside. You thought you could trust John to write stuff? Turns out he’s inserting dodgy links in your theme and using your server to host his images. This is all relatively easy to stop: you just need to be very careful what permissions you give other users in the first place. WordPress by default has a number of user roles: Subscriber, Contributor, Author, Editor and Administrator. It’s so important that you get these permissions right, as if you don’t then John has the power to wreck your blog. There are also a number of plugins available which allow you to customise user permissions: Justin Tadlock’s Members plugin and the Role Manager plugin, which is my personal favourite; install it and it lists just about every single permission there is and offers you the option to add or remove it. As Justin Lee Collins might say, “good times!”
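If you would rather check permissions in code than through a plugin, here is an added example (not code from the post or from either plugin mentioned) that audits the built-in roles for the capabilities that let a non-administrator edit theme code or post raw HTML, and strips them. The capability list and the function names are this example’s own choices.

```php
<?php
// Added example, not code from the original post: audit the built-in roles
// for capabilities that let a non-administrator edit theme/plugin code or
// post unfiltered HTML, and strip them. WP_Role::remove_cap() persists the
// change to the database, so run the stripping step once (plugin activation,
// WP-CLI), not on every request.

// Capabilities treated as risky here; the list is this example's choice.
const EXAMPLE_RISKY_CAPS = [
    'edit_themes',       // edit theme files from the dashboard
    'edit_plugins',      // edit plugin files from the dashboard
    'install_plugins',   // add arbitrary code to the site
    'unfiltered_html',   // post raw HTML/JS (dodgy links, scripts)
    'unfiltered_upload', // upload any file type
];

/**
 * Read-only audit: returns [role_name => [cap, ...]] for every role other
 * than administrator that still holds a risky capability.
 */
function example_find_risky_caps(): array {
    $findings = [];
    foreach (wp_roles()->role_objects as $name => $role) {
        if ($name === 'administrator') {
            continue;
        }
        $held = array_values(array_filter(
            EXAMPLE_RISKY_CAPS,
            fn(string $cap): bool => $role->has_cap($cap)
        ));
        if ($held !== []) {
            $findings[$name] = $held;
        }
    }
    return $findings;
}

/**
 * Removes every capability reported by the audit and returns what was
 * removed, so the change can be logged or reviewed.
 */
function example_strip_risky_caps(): array {
    $removed = example_find_risky_caps();
    foreach ($removed as $name => $caps) {
        $role = get_role($name);
        foreach ($caps as $cap) {
            $role->remove_cap($cap);
        }
    }
    return $removed;
}

// Hypothetical wiring: run once when this file is activated as a plugin.
register_activation_hook(__FILE__, 'example_strip_risky_caps');
```

On a default single-site install the audit flags the Editor role, which holds unfiltered_html out of the box. Separately, `define('DISALLOW_FILE_EDIT', true);` in wp-config.php switches off the dashboard theme and plugin editors for everyone, administrators included, which closes the “dodgy links in your theme” route regardless of how roles are set.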

7. Stay up-to-date

New WordPress releases are frequent and often the upgrade is a security fix, so staying up-to-date with new releases is paramount. Staying updated is as simple as clicking the upgrade button when a new version of WP is available, but before you do that, make sure you’ve backed up. Doing so is really easy with the WordPress Database Backup plugin, which you can set to email backups to an email address (set up a Gmail account specifically for this purpose) at regular intervals; mine backs up every day to my email, not my hosting.

8. Protect the installation files

Big thanks to Jeff Starr for his help with the rest of this post. I wanted to make sure I had a good range covered, so Jeff kindly pointed me in a couple of different directions, which include his “Important Security Fix for WordPress”, essentially pointing out that the install.php file may display to anyone if your server goes down, allowing said anyone to completely reinstall WordPress on your site and take control of it too. Bad times. Thankfully, there’s a blissfully easy solution: delete the install.php file. FTP (that is a verb :P) into /wp-admin/ and delete install.php, and you’ll have that avenue of vulnerability closed.

9. Stopping spam

The next point Jeff made was about stopping spam, and the well-recognised way to do this is to block the scripts that post comments with no referrer, using the following .htaccess rules:

#Stop annoying spammers
<IfModule mod_rewrite.c>
RewriteEngine On
# Only comment submissions (a POST to wp-comments-post.php) are examined
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\. [NC]
# Forbid the request if the referer is not this site OR the user agent is empty
RewriteCond %{HTTP_REFERER} !.*wpshout\. [OR,NC]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) - [F,L]
</IfModule>

Obviously you’ll need to change wpshout to your domain.
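The same check can be done inside WordPress instead of in .htaccess, which helps on servers without mod_rewrite (nginx, IIS). The following is an added example, not code from the post or from Jeff Starr; the function name is this example’s own, and it compares the referer’s host name exactly against the site’s own host rather than the looser substring match the rewrite rule uses.

```php
<?php
// Added example, not code from the original post: reject comment submissions
// that arrive with an empty User-Agent or a Referer that is not this site,
// mirroring the mod_rewrite rules but in PHP (functions.php or a small plugin).

/**
 * Pure check so it can be unit-tested: $server is $_SERVER (or a constructed
 * copy), $site_host is the host part of home_url(), e.g. "www.example.com".
 */
function example_is_suspicious_comment_post(array $server, string $site_host): bool {
    // Only comment submissions are examined.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }

    // Browsers always send a User-Agent; an empty one is a cheap-script tell.
    if (trim($server['HTTP_USER_AGENT'] ?? '') === '') {
        return true;
    }

    // A genuine comment form submission is referred from one of our own pages.
    // parse_url() returns null (no host) or false (unparseable) on bad input.
    $referer_host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return !is_string($referer_host)
        || strcasecmp($referer_host, $site_host) !== 0;
}

// pre_comment_on_post fires in wp-comments-post.php before the comment is
// processed, which is where the rewrite rule would have intervened.
add_action('pre_comment_on_post', function () {
    $site_host = (string) parse_url(home_url(), PHP_URL_HOST);
    if (example_is_suspicious_comment_post($_SERVER, $site_host)) {
        wp_die('Comment rejected.', 'Forbidden', ['response' => 403]);
    }
});
```

Two caveats apply to both versions: the Referer header is trivially forged, so this stops only lazy scripts, and some privacy tools strip it, so a few genuine commenters will be rejected too. The exact host comparison also means a referer from example.com will be refused when the site is configured as www.example.com; pick the host you actually serve.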

10. Remove error messages from the login screen

Finally, this is a great tip that goes in your functions.php file and removes error messages from the login screen, so hackers wouldn’t know whether the username or the password was incorrect. Clever!

// create_function() was removed in PHP 8; an anonymous function does the same job
add_filter('login_errors', function ($errors) { return null; });
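A variation on the same idea, as an added example that is not part of the original post: rather than blanking the message, return one generic message for every failure (so a typo still gets feedback without saying which half was wrong), and record each failed attempt in the PHP error log so repeated failures from one address stand out. The message text is this example’s own.

```php
<?php
// Added example, not code from the original post: an alternative to returning
// null from the login_errors filter. One generic message for every failure,
// plus a log line per failed attempt that a log watcher (e.g. fail2ban) can
// count.

// Replace whatever WordPress would have said ("invalid username", "wrong
// password", ...) with a single message that reveals nothing about which
// half was wrong.
add_filter('login_errors', function ($errors) {
    return 'Login failed. Check your username and password and try again.';
});

// wp_login_failed fires once per failed attempt and receives the submitted
// username. Log it alongside the client address.
add_action('wp_login_failed', function (string $username) {
    // Behind a reverse proxy REMOTE_ADDR is the proxy's address; use the
    // header your proxy sets instead, and trust it only when it came from
    // the proxy.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(sprintf(
        'wp-login failed: user="%s" ip=%s',
        sanitize_user($username, true),
        $ip
    ));
});
```

If this is used alongside the one-liner above, whichever filter is added last wins, so keep only one of them.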

19 Comments
Vivek Parmar
March 17, 2011 8:50 pm

All the tricks and tips are helpful, but what would happen after updating WordPress to the latest version? All default settings will come again.

Security Tips - actyp | golf management
February 10, 2011 7:19 pm
Chris M.
October 18, 2010 10:25 pm

How do you get #10 to not leave the red bar after a bad login attempt? I have seen that with the plugin “Secure WordPress” it doesn’t show you anything at all after a bad login attempt, it only shakes the login fields, and that’s it! How do we achieve this without said plugin?

Thanks!

Phoebe Clarke
August 12, 2010 5:54 pm

If you are going to get a VPS server make sure that it has cPanel coz it makes server maintenance easier.

‘I Didn’t Think It Would Happen to Me’: WordPress Security | Confident Writing
June 28, 2010 7:19 am

[…] 10 Practical WordPress Security Tips […]

How To Keep Your Wordpress Account Secure
May 19, 2010 11:47 am

[…] you can do to foil them. Learn about the others at these WordPress security articles from Mashable, WPSHOUT, and Wordprezzie. More Tips Like This One: Blogging, […]

WordPress Hosting » Blog Archive » How Secure is your WordPress Site?
April 13, 2010 9:26 pm

[…] Security Tips and Hacks20+ Powerful WordPress Security Plugins and Some Tips and Tricks10 Practical WordPress Security TipsLeave a Reply Name (required) Mail (will not be published) (required) […]

Tony
March 2, 2010 8:04 am

For the IP address technique, I’ve tried that before and it didn’t seem to work. It blocked me out of my own admin page. But when I used this:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic

order deny,allow
deny from all
allow from xx.xx.xx.xx

it seemed to work. At least, since I was able to get on my admin page. What gives?

Jad Limcaco
March 1, 2010 10:56 pm

Very nice post and very helpful Alex. Thank you!

Tim Wright
January 28, 2010 11:28 pm

#10 broke my commenting, the rest worked really well, thanks!

LimeSpace – IT » The Week in Review: Zend Cache + Bootstrap, Traffic, WordPress Security
January 16, 2010 7:09 am

[…] Security and web applications, an ever-popular topic. How you can secure your own WordPress installation quite well against attacks is explained at WPSHOUT [10 WordPress Security Tips]. […]

The Best of the Week #45 | BigThink
January 9, 2010 10:03 am

[…] 10 Practical WordPress security tips Some useful advice for improving the security of your own blog. […]

Amber Weinberg
January 8, 2010 10:41 pm

Good ideas but you would have to redo it every time you upgraded WordPress (which is like a couple times of months) so it would make it unfeasible to do on client sites.

Chris
January 8, 2010 10:33 pm

Thanks for these tips. These sound like great tips for any typical website with a login, database, etc…

10 Practical WordPress Security Tips | WPShout.com « Rumball Motors Interactive
January 5, 2010 2:15 pm

[…] via 10 Practical WordPress Security Tips | WPShout.com. […]

Indrek
January 5, 2010 10:45 am

Nice tips. Actually found quite a few tips that need to be dealt with on my blog.

The tip where you pointed out that moving your wp-config.php file – so obvious yet hadn’t thought about it.

Thanks a bunch Alex!

Jim Gaudet
January 4, 2010 11:46 pm

Number one is where it should be.. Some settings can be done using ftp permissions too..

Doug Whitney
January 4, 2010 10:15 pm

Don’t forget that WordPress replaces the installation files (and other default files) any time you run an automatic upgrade.

Thanks for the post!