Everything You Need to Know About WordPress Security


Keeping your WordPress installation secure is usually not something a lot of people spend a great deal of time on. However, I believe tightening up WordPress security should be your first priority every single time you install WordPress. No exceptions.

With the recent Pharma hack going round (Chris Pearson’s blog has more info about it plus a solution), I thought it was time to focus on WordPress security today. There are a lot of things you can do to build extra layers of security for your WordPress installation.

Securing a WordPress installation involves a few different layers. I shall list them, grouped together as much as possible.

Server-side & .htaccess

WordPress security starts, of course, with using a proper hosting company. If the server setup is not secure by default, no amount of security measures is going to keep unwanted visitors out. Please look around before you decide which hosting partner will work best for you.

.htaccess Lockdown

Your .htaccess file can be used for a lot of neat stuff, but it most certainly should be deployed to stop hackers from getting in. The .htaccess lockdown lets you specify which IP addresses are allowed to access your admin dashboard.

Adding the following lines of code will help you do this:

[code]# Put this in the .htaccess of the folder you want to lock down (wp-admin for the dashboard)
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Deny everyone first, then allow only the listed addresses
Order Deny,Allow
Deny from all
# IP address to whitelist (placeholder, replace with your own)
Allow from 123.456.789.012[/code]

The 123.456.789.012 part should be replaced with your IP address. Not sure what your IP address is? A visit to What’s My IP will help you out. For an even more extensive solution visit Blog Security.

Disabling Directory Browsing

Some server setups allow directory browsing, which means that anyone can see the contents of, say, your plugins folder at http://yoursite.com/wp-plugins/. You can quickly disable this by adding the following line to your .htaccess file:

[code]Options All -Indexes[/code]

Secure .htaccess

It should be obvious by now how important a secure .htaccess file is. Firstly, restrict the file permissions to CHMOD 644.
Log onto your server with your favorite FTP client and navigate to the root of your domain (usually this is the public_html folder, unless you have set up your blog installation in its own folder). Find the .htaccess file, right-click it and set its permissions to 644.
The second method (and I would do both) is to add the following code to the very bottom of your .htaccess file:

[code]# Refuse every web request for wp-config.php
<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>[/code]

This denies every direct web request for wp-config.php, so nobody can fetch the file through the browser; WordPress itself still reads it from disk as normal.

For more specific and advanced Apache hardening techniques checkout Ask Apache on WordPress and Perishable Press 3G Blacklist.

Optimizing your wp-config file

Optimizing your .htaccess file is a good start, but next your wp-config.php should get some love.

Moving your wp-config file

Starting from WordPress 2.6, you can move your wp-config.php file one directory above its current location. If WordPress does not find wp-config.php in its own directory, it automatically checks the directory one level above.

Change the WordPress table prefix

When installing WordPress the table prefix is wp_ by default. During installation it’s easy to change this to something custom, e.g. blpro_, but it’s a bit harder to do when you already have your site up and running. This is where the plugin WP Security Scan comes to the rescue: it lets you change the prefix to a custom one. This way you have given hackers trying to get into your installation one extra hurdle.

Define Your Secret Keys

When you look in your wp-config file you will find a section that says this:

[code]/**#@+
 * Authentication Unique Keys.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
/**#@-*/[/code]

The link mentioned in that comment gives you a fresh set of define lines with which you replace the four placeholder lines at the bottom, like this:

[code]define('AUTH_KEY', 'lj+_ .[6c1=13n rhZBhjXd0o|miL<bacpyhqzrl }o2a|irZy-]Wy8PYW+a]zE]5');
define('SECURE_AUTH_KEY', 's8p1+WgH0{Ph/)Vr;pFggsp{xoh8Cy>>#/+]EJ|P|yQfS* /SJO7XuK#G3&f1rnZ');
define('LOGGED_IN_KEY', 'h$eIl%#nZ|.}z-U)Z:O$u,y c[N;7^j-x,)Zs*wUHheGO-(KKpONVC664X$uO$Mt');
define('NONCE_KEY', 'd=>/Uh@%RnZ|*<bgq [2<_R@spP*oE[7oE?<#%xyoowmU0XzxK DjhyLXLcifX32k');[/code]

With this step you have made your logins a lot stronger than before. Don’t copy the lines above; simply visit https://api.wordpress.org/secret-key/1.1/ for your own personal secret keys.
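Rotating the keys in place is easy to script, and the script makes the edge cases explicit (every placeholder replaced, no quote characters in the generated value). The following Python is an added example written for this post, not the post’s own code or anything from WordPress: it rewrites the placeholder define() lines in a constructed wp-config.php fragment with fresh 64-character values from a cryptographic random source. It assumes the lines use single quotes as shown above, and it also covers the four `_SALT` constants that newer WordPress versions define next to the four keys.

```python
import re
import secrets
import string
from typing import Dict, Tuple

# The four constants shown in the post, plus the four *_SALT constants that
# newer WordPress versions define next to them (assumed to use the same form).
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus quotes and backslash, so a value drops straight into a
# single-quoted PHP string without escaping; a single space is allowed as well.
ALPHABET = "".join(c for c in string.printable
                   if not c.isspace() and c not in "'\"\\") + " "

# Matches: define('NAME', 'anything without a single quote');
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>" + "|".join(KEY_NAMES) + r")'\s*,\s*'[^']*'\s*\);")

# Constructed sample: the placeholder block exactly as the post shows it.
SAMPLE_CONFIG = """\
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
"""

def make_key(length: int = 64) -> str:
    """Return a random key of the given length drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_keys(config_text: str) -> Tuple[str, Dict[str, str]]:
    """Replace every recognised define() line with a fresh random value.
    Returns the rewritten text and the new values keyed by constant name.
    Changing any of these invalidates all existing login cookies."""
    new_keys: Dict[str, str] = {}

    def _replace(match):
        name = match.group("name")
        new_keys[name] = make_key()
        return "define('%s', '%s');" % (name, new_keys[name])

    return DEFINE_RE.sub(_replace, config_text), new_keys

if __name__ == "__main__":
    rewritten, keys = rotate_keys(SAMPLE_CONFIG)
    print(rewritten)
```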

WordPress Security plugins

Thankfully, there are many WordPress security plugins out there. I will list the most important ones here, plugins I use on a day-to-day basis.

WP Security Scan

WP Security Scan scans your WordPress installation for security vulnerabilities and suggests corrective actions. This is what the plugin looks at and does:

  • passwords
  • file permissions
  • database security
  • version hiding
  • WordPress admin protection/security
  • removes WP Generator META tag from core code

Download WP Security Scan

Login LockDown WordPress Security

Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
Download Login LockDown WordPress Security
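The lockout rule described above (more than a set number of failures from one IP range within a short period) is simple to express, and running it over your own failed-login records shows what it would have blocked. The following Python is an added example written for this post, not the plugin’s code: it reads a constructed list of failed-login records and returns the /24 ranges that exceed a threshold inside a sliding time window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login records: "<date> <time> <client IP> <username>".
# This is not Login LockDown's storage format, just the two facts it records
# (source IP and timestamp) plus the attempted username for context.
FAILED_LOGINS = """\
2010-03-15 10:20:01 203.0.113.5 admin
2010-03-15 10:20:07 203.0.113.5 admin
2010-03-15 10:20:12 203.0.113.9 admin
2010-03-15 10:20:40 203.0.113.5 administrator
2010-03-15 10:21:03 203.0.113.17 admin
2010-03-15 10:30:00 198.51.100.7 editor
2010-03-15 10:45:00 198.51.100.7 editor
"""

def parse_failures(log_text):
    """Yield (timestamp, /24 network) for each non-empty record line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, time, ip, _user = line.split()
        when = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
        # Group by range, as the plugin does, rather than by exact address.
        yield when, ipaddress.ip_network(ip + "/24", strict=False)

def ranges_to_lock(log_text, max_attempts=3, window_seconds=300):
    """Return the /24 ranges (as strings) that produced more than max_attempts
    failures within any window_seconds-long period (sliding window per range)."""
    window = timedelta(seconds=window_seconds)
    by_range = defaultdict(list)
    for when, net in parse_failures(log_text):
        by_range[net].append(when)
    locked = set()
    for net, times in by_range.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            if end - start + 1 > max_attempts:
                locked.add(str(net))
                break
    return locked

if __name__ == "__main__":
    for net in sorted(ranges_to_lock(FAILED_LOGINS)):
        print("lock out", net)
```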

Stealth Login

This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that is easier to remember than wp-login.php; for example, you could set your login URL to http://yoursite.com/login for an easy way to log in to your website.
Download Stealth Login

AntiVirus for WordPress

AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. Among its features, it monitors for possible platform vulnerabilities, virus injections, malicious links and more. It can also send you email notifications and supports whitelisting.

Download AntiVirus for WordPress

General Precautionary Measures

This is just a short list of general precautionary measures:

  • Always have your WordPress software and WordPress plugins updated to the latest version.
  • Got any unused WordPress themes and WordPress plugins installed but not activated? Delete them!
  • Always use a strong password. Check out this guide on choosing a strong password at the Blog Herald.
  • Ditch the default admin account to make it a lot harder for hackers to guess your login.
  • Use correct file permissions on your WordPress files. The general rule is that files should have a CHMOD value of 644 and folders 755.
  • Back up your WordPress database on a regular basis. Any of these plugins will do the job for you in an automated fashion.
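The 644/755 rule is easy to state and easy to drift from after plugin installs and FTP uploads, so it is worth auditing now and then. Here is an added Python example (not part of the original post) that walks a WordPress directory, reports every file or folder that does not match the rule, and optionally corrects the mode; make_sample_tree builds a small constructed tree with two deliberately wrong modes for a dry run.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644   # rw-r--r--  for files
DIR_MODE = 0o755    # rwxr-xr-x  for folders

def audit_permissions(root, fix=False):
    """Return a sorted list of (path, actual_mode) for every entry under root
    whose mode is not 644 (files) or 755 (folders). With fix=True, chmod it."""
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(dirpath, DIR_MODE)] if dirpath == root else []
        entries += [(os.path.join(dirpath, d), DIR_MODE) for d in dirnames]
        entries += [(os.path.join(dirpath, f), FILE_MODE) for f in filenames]
        for path, expected in entries:
            if os.path.islink(path):
                continue  # never chmod through a symlink
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if actual != expected:
                offenders.append((path, oct(actual)))
                if fix:
                    os.chmod(path, expected)
    return sorted(offenders)

def make_sample_tree():
    """Constructed sample: a tiny fake WordPress tree with two wrong modes
    (a world-writable wp-content folder and a world-writable .htaccess)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.chmod(root, DIR_MODE)
    os.mkdir(os.path.join(root, "wp-content"))
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    for name, mode in ((".htaccess", 0o666), ("index.php", FILE_MODE),
                       (os.path.join("wp-content", "index.php"), FILE_MODE)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php // sample\n")
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    sample = make_sample_tree()
    for path, mode in audit_permissions(sample):
        print(mode, path)
```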

Sources & Extra Resources

5 Minutes and Counting

WordPress’ claim to a quick and easy 5-minute installation still stands. But, as you can easily see, adding a few extra layers of security adds a bit of extra time after the installation. Time very well spent, though. So what are your thoughts? Have I forgotten your favorite WordPress security tip?

This article first appeared on BloggingPro: WordPress Security – A Comprehensive Guide
