Securing Your WordPress
WordPress is open source which means that everyone, including hackers with a malicious intent, can scour the source code looking for holes in its security. That is why I’m going to show you some good precautionary steps to take to protect you, your WordPress and most importantly, your users.
Keep up to date with the latest WordPress Version
Always keep your WordPress site updated with the latest version of WordPress. This alone gives your WordPress site 80% of its protection, as every new version comes with security patches and feature updates.
Choose a Strong Password
Regardless of the type of site you are running, you may be at risk of a brute-force attack. Removing the admin username (see below) probably deters most hackers, but there are always those that are very persistent or already know your username. The next step is to choose a long, complex and unusual password. A good way to determine whether or not your password is secure is to enter it into an online password checker like passwordmeter.com, or to generate a random password.
Remove the Admin Superuser
The easiest thing you can do to protect yourself is to start by changing or removing the admin superuser. Anyone who uses WordPress knows that there is a user called admin with top-level privileges, and hackers know it especially well. If the username is admin, how hard can it be to crack the password? Create a new administrative account, this time with a different name, and then delete the admin account.
In fact, what I would personally recommend is to create an administrative account with a very complex username and password (something like x7duEls91*), store it somewhere safe, and make another account under your own name for publishing content that does not have administrative powers. The admin account is essentially only needed to manage themes, plugins and other aspects of the site that do not need to be changed on a daily basis – an editor account is sufficient for everyday work.
Secure Your Password
I prefer to take extra precautions when protecting my blog; installing plugins can add an extra layer of security. There are numerous plugins that handle the password and login aspects of WordPress. One plugin that I find very useful is Login LockDown; it records the IP address and timestamp of all failed logins and blocks an IP after a certain number of failed logins. This plugin is especially helpful when it comes to defending yourself against a brute-force attack – most attackers give up on a site if they are IP banned every 5 minutes while running their brute-force program.
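As an added illustration of what a login-lockdown plugin does under the hood (this is example code written for this post, not the Login LockDown plugin's own source), the following minimal plugin counts failed logins per IP with a WordPress transient and refuses authentication from that IP once the limit is reached. The plugin name, function names and the 5-failures-in-5-minutes threshold are assumptions.

```php
<?php
/*
Plugin Name: Example Failed-Login Lockout
Description: Added example (not the Login LockDown plugin): records failed logins per IP and temporarily locks that IP out.
*/

// Assumed thresholds: 5 failures within 5 minutes lock the address out for 5 minutes.
define( 'EXAMPLE_LOCKOUT_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOCKOUT_WINDOW', 5 * MINUTE_IN_SECONDS );

function example_lockout_client_ip() {
    // Only REMOTE_ADDR is trusted; X-Forwarded-For style headers are client-controlled.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key( $ip ) {
    return 'example_lockout_' . md5( $ip );
}

// Log every failed login with IP and timestamp, and bump the per-IP counter.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    // Do not count the rejections this plugin itself produces while an IP is locked out.
    if ( $error instanceof WP_Error && 'example_locked_out' === $error->get_error_code() ) {
        return;
    }
    $ip       = example_lockout_client_ip();
    $key      = example_lockout_key( $ip );
    $failures = (int) get_transient( $key ) + 1;
    // The transient expires after the window, which resets the counter automatically.
    set_transient( $key, $failures, EXAMPLE_LOCKOUT_WINDOW );
    $safe_user = str_replace( array( "\r", "\n" ), ' ', $username ); // keep the log single-line
    error_log( sprintf( '[%s] failed login for "%s" from %s (%d/%d)',
        gmdate( 'c' ), $safe_user, $ip, $failures, EXAMPLE_LOCKOUT_MAX_FAILURES ) );
}, 10, 2 );

// Reject authentication from a locked-out IP, regardless of whether the password was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $failures = (int) get_transient( example_lockout_key( example_lockout_client_ip() ) );
    if ( $failures >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        return new WP_Error( 'example_locked_out',
            'Too many failed logins from your address. Please try again in a few minutes.' );
    }
    return $user;
}, 30, 3 );
```

Priority 30 on the authenticate filter runs after WordPress's own username/password check (priority 20), so the lockout overrides even a correct password while the window is open.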
Hide WordPress Version
Let’s say that you forget to update your WordPress installation, or just don’t have 5 minutes to spare. Your WordPress version gives hackers a good idea of how they can attack your site, especially if it’s outdated.
By default, WordPress displays the version, because they want it for metrics to see how many people are using which version, etc… However, this is like putting up a bright red sign on your site telling hackers what to do.
If you’re using a premium theme, odds are that the developer took the liberty of disabling it for you, but it’s always better to be sure. Open your theme’s functions.php file and drop in this line of code:
remove_action('wp_head', 'wp_generator');
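The generator tag in the head is not the only place the version leaks. As an added example (not from the original post), this snippet for functions.php also blanks the version in RSS/Atom feeds and strips the ?ver= query string that WordPress appends to core scripts and styles; the function name example_strip_version_query is an assumption.

```php
<?php
// Added example: hide the WordPress version in the three places it is printed by default.

// 1. The <meta name="generator"> tag in the <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Feeds print the version through the_generator(); return an empty string instead.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Enqueued core assets carry ?ver=<WordPress version>; remove that query argument.
//    Note: plugins and themes that use ?ver= for cache busting lose that behaviour too.
function example_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_version_query', 9999 );
add_filter( 'script_loader_src', 'example_strip_version_query', 9999 );
```

This is obscurity, not a patch: an installation can still be fingerprinted from the files it ships, so it complements keeping WordPress updated rather than replacing it.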
Change File Permissions
It is very important to have the proper file permissions to ensure your site’s security. I recommend that you restrict your file permissions down to the bare minimum, a CHMOD value of 744, which essentially makes a file read-only to everyone except you.
Just open your FTP program and right click the folder or file and click on “File Permissions”. If it is 777, you are very lucky that you haven’t already been hacked. You should change the CHMOD value to 744, only giving the “owner” full access.
Backup Your Site
Regardless of the level of security of your WordPress site, it is a good habit to always back up your site. There are many ways to do this. You can take advantage of automated backups by using plugins like BackUpWordPress.
Hide Your Plugins
Putting a blank index file into your /wp-content/plugins/ folder will hide all of your plugins. Some of you are probably thinking, “Who cares if someone can see my plugins?”. Well, plugins can tell hackers how to hack your site, or at least if it is hackable.
Prevent directory listing
The problem in many cases is that the default WordPress installation allows hackers to use their web browser as a file browser to look through the contents of the folders on your server. Normally this is harmless, but some web hosts don’t even bother to turn off directory listing by default, and that gives hackers several options.
There might be a loophole in a theme or plugin you use on your site. The author of the plugin or theme might have made mistakes in their code that allow unexpected access, and hackers can use your directory listing to find out whether you have those vulnerable files before attacking your site. People can also browse the non-WordPress contents of your web server and discover folders and files that you are not ready to announce, or that you thought were not accessible to the general public. Many directory listings include a line in the footer telling visitors your server version; hackers can cross-reference these version numbers with lists of known vulnerabilities and bring your site down or gain unauthorised access.
Tip: edit the .htaccess file and add the following line at the bottom.
Options All -Indexes
The following plugins will be very helpful:
- WP Security Scan Plugin: It scans your WordPress installation for security vulnerabilities and suggests corrective actions.
- Secure WordPress beefs up the security of your WordPress installation by removing error information from login pages, adding index.html to plugin directories, hiding the WordPress version and much more.
- Login Lockdown plugin, which records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery.
- WordPress Exploit Scanner: It searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
- AntiVirus Plugin: It is a smart and effective solution to protect your blog against exploits and spam injections.
- Admin SSL Plugin: Recommended only for advanced users. It secures the login page, admin area, posts, pages – whatever you want – using private or shared SSL. Once you have activated the plugin, go to the Admin SSL config page to enable SSL, and read the installation instructions.