Top Tips for Securing WordPress Installations
An out-of-the-box WordPress installation is not very secure. The tool is great for blogging but, unfortunately, an easy target for the unscrupulous to hack your site.
The result of being hacked could be anything from changed and/or deleted content (obvious when you look at the site) to subtle things such as hidden links to other sites that you can’t even see. These links sound harmless, but if the sites they point to are “undesirable” this can get your site blocked by browsers and severely penalised by search engines. The best approach is to make your site difficult to hack and therefore not worth their time.
Here are our Top Tips for securing WordPress installations to ensure you get your well-deserved 15 minutes of fame for the right reason.
1. Keep WordPress Updated
Ensure your WP installation is kept up to date with the latest version. You can do this via the WordPress admin interface – the same place where you edit your blog. Keeping WP updated ensures you pick up the latest security patches.
2. Keep Your Theme Updated
In the same vein as your base WP install, the people who created your theme will also release updates. Sometimes these will be for security reasons, sometimes to avoid clashes with the latest version of WP, and sometimes to take advantage of new features.
3. Hide Your WordPress Version Information
A lot of themes include the WP version as a meta tag. This allows even a novice to easily identify which version of WP you have installed. Check your theme’s header.php file for a line of code that looks something like this:
<meta content="WordPress <?php bloginfo('version'); ?>" name="generator" />
If you find it, delete it.
4. Limit The Number of Login Attempts
Install a plugin such as Login LockDown or Limit Login Attempts. These limit the number of times someone can get the password wrong in a given amount of time. The idea is to stop brute-force attempts to crack your password. If you make a number of mistakes yourself, just wait a while and try again.
5. Hide Your Plugin List
If a hacker knows which plugins you have installed and their version information, they can much more easily break into your site.
To stop them from getting this information, create a blank index.html file and upload it to your wp-content/plugins/ directory. Alternatively, you could put the following line into your .htaccess file (NB: I don’t yet know the full implications of this on other directories …)
Options All -Indexes
6. Move Your Configuration Parameters
Your wp-config.php file contains, amongst other things, authentication strings and the credentials for accessing your database. If someone is playing nice and using a browser there’s no problem – the webserver together with the WP install will process the file and hide its contents. However, what hacker plays nice? There are ways of viewing the contents of PHP files to obtain your site’s credentials.
So, move the entire contents of your wp-config.php file to a file in a directory outside the web root, then modify your original wp-config.php file so that it contains a single PHP line which pulls in the copy now stored outside the web root. For example, say your site is set up as follows, with the original configuration file in the following location:
/home/sites/myblog/www/wp-config.php
Create a new directory, say:
/home/sites/myblog/secure_area/
Copy the original wp-config.php file to this directory (this copy is the one that keeps your credentials), then edit the original file so that it contains only the following lines:
<?php
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
/* Pull in the real configuration from outside the web root. */
require_once('/home/sites/myblog/secure_area/wp-config.php');
?>
7. Restricting Access to Your Configuration File
There are some who recommend going one step further and restricting access to your configuration file by adding the following lines to your .htaccess file:
<FilesMatch "^wp-config\.php$">
    deny from all
</FilesMatch>
Don’t. This certainly prevents the file from being accessed – at the expense of a now-broken site.
8. Change Your Password
Still using the default password emailed to you? Change it. Use a mix of uppercase and lowercase letters, numbers, and misspelt or silly words (not real words found in a dictionary).
9. Use sFTP
sFTP is more correctly known as FTP over SSH. It is encrypted and much harder to break than plain FTP, which transmits everything in clear text – including your username and password.
10. Block Search Engines From Mining Your Settings
You want the search engines to index your content, not your WordPress settings. Make sure none of the files containing your actual blog posts, tags or categories start with wp-, then add the following line to the robots.txt file in your web root:
Disallow: /wp-*
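The file-level tips above (3, 5, 6 and 10) can be checked mechanically. The following audit helpers are an added example, not code from the original post; they run over the text of the relevant files rather than a live install, and the sample files at the bottom are constructed here using the paths from tip 6.

```python
import posixpath
import re

# Added example (not from the original post): pass/fail checks for tips 3, 5, 6 and 10,
# applied to file contents so they can be run offline against any copy of a site.

def header_leaks_version(header_php):
    """Tip 3: does header.php still print the WordPress version in a generator meta tag?"""
    return re.search(r'name=["\']generator["\']|bloginfo\(\s*["\']version', header_php, re.I) is not None

def listing_disabled(htaccess, plugin_dir_files):
    """Tip 5: a blank index.html in wp-content/plugins, or 'Options ... -Indexes' in .htaccess."""
    if "index.html" in plugin_dir_files:
        return True
    return re.search(r"^\s*Options\b.*-Indexes", htaccess, re.M) is not None

def config_moved_outside(wp_config, web_root):
    """Tip 6: the in-root wp-config.php holds no credentials and requires a file outside web_root."""
    if re.search(r"DB_PASSWORD|DB_USER|AUTH_KEY", wp_config):
        return False  # secrets still sit inside the web root
    m = re.search(r"require_once\s*\(?\s*['\"]([^'\"]+)['\"]", wp_config)
    if not m:
        return False
    target = posixpath.normpath(posixpath.join(web_root, m.group(1)))  # relative paths resolve under the root
    return not target.startswith(posixpath.normpath(web_root) + "/")

def robots_hides_wp(robots_txt):
    """Tip 10: robots.txt carries a 'Disallow: /wp-*' line."""
    return re.search(r"^\s*Disallow:\s*/wp-\*\s*$", robots_txt, re.M) is not None

def audit(header_php, htaccess, plugin_dir_files, wp_config, robots_txt, web_root):
    """One dict of pass/fail results for the four file-level tips."""
    return {
        "version_hidden": not header_leaks_version(header_php),
        "listing_disabled": listing_disabled(htaccess, plugin_dir_files),
        "config_outside_root": config_moved_outside(wp_config, web_root),
        "robots_hides_wp": robots_hides_wp(robots_txt),
    }

# Constructed sample files (not a real install), using the directory layout from tip 6.
WEB_ROOT = "/home/sites/myblog/www"
LEAKY_HEADER = '<meta content="WordPress <?php bloginfo(\'version\'); ?>" name="generator" />'
CLEAN_HEADER = '<link rel="stylesheet" href="<?php bloginfo(\'stylesheet_url\'); ?>" />'
STUB_CONFIG = """<?php
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once('/home/sites/myblog/secure_area/wp-config.php');
"""
FULL_CONFIG = "<?php\ndefine('DB_PASSWORD', 'placeholder-password');\n"  # credentials still in root
HTACCESS = "Options All -Indexes\n"
ROBOTS = "User-agent: *\nDisallow: /wp-*\n"
```

Calling `audit(LEAKY_HEADER, "", [], FULL_CONFIG, "", WEB_ROOT)` fails every check, while `audit(CLEAN_HEADER, HTACCESS, [], STUB_CONFIG, ROBOTS, WEB_ROOT)` passes all four.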
11. Back Up Your Site
There are tools for backing up your site and database; search for “backup” in the official WordPress plugin directory. NB: having a backup is great, but make sure you test the restore function – the only purpose of having a backup is to quickly rebuild your site if something goes wrong.
Keep a copy of your theme offline, e.g. on your home PC. Even if you think there’s no problem with your theme, refresh this copy periodically, e.g. monthly. It takes less than a minute to do and ensures that if your site has been subtly compromised, the effect is short-term.