WordPress Security

Security is an important issue for all blogs. The developers at WordPress do a good job of keeping an eye on security issues and plugging any holes that are discovered. However, it’s good practice to take additional steps to ensure that your site is buttoned up. These are a few key plugins and hacks that I rely on to ensure a higher standard of security for my own site.

Recommended Plugins

Akismet This is the standard, and effective, anti-comment-spam plugin that comes bundled with WordPress. It is important that you get an API key and configure Akismet when you set up your WordPress site – having a site open to spam comments screams “inexperienced” and is an open invitation for troublemakers to come make trouble.

Bad Behavior is a very powerful plugin that uses HTTP headers, IP address, and other metadata to determine if a visitor is unwanted. It can prevent spammers, hackers, and other nefarious visitors from having access to your site.

Login LockDown records IP addresses for failed login attempts. After 3 failed attempts the IP address is banned for an hour. This prevents brute force attacks.

Redirection is a plugin that allows you to set up redirections. While the plugin is not classified as a security plugin, I regularly use the 404 error log to find out what is being requested but not found. Through this log I’ve discovered several problems with plugins and themes calling for files that don’t exist. I’ve also seen hackers looking for standard backdoors in folders like cgi-bin. You can add redirects that send hackers looking for these files and folders back to the home page (or to a page with a custom message). Just be careful with your redirects: if you redirect an essential directory or file you could break your blog. (You can easily “unbreak” it by simply renaming the Redirection plugin’s directory, which will disable the plugin.)

WordPress Database Backup Regular backups are the most important part of a good security plan. Should anything happen to your site, having a backup is the best option for regaining full control.

Wp-scanner activator is a plugin you can use to check for security holes in your own WordPress site. Visit the link for more information on scanning your site.

Security Hacks

These hacks/tips/tricks are good additional steps to take for added security.

Split the Config File
By splitting your wp-config.php file you can ensure that the high-risk information isn’t available to hackers. At the top of the wp-config.php file, right after the opening <?php tag, add

// Get database info
include('/home/username/config.php');

The new config.php file should be located in a directory that isn’t reachable from the web. In that new file you should have all of the other settings that were originally in wp-config.php – including database name, user, password, secret keys, etc. Everything from “/* That’s all, stop editing! Happy blogging. */” on down should be left in the wp-config.php file.
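An added illustration (not from the original post) of what the private half of the split looks like, including where the keys from the “Use secret keys” tip go; the path /home/username/config.php, the database values and the prefix k7x3_ are placeholders, and the key strings are dummies standing in for the generator’s output.

```php
<?php
// /home/username/config.php -- the private half of the split (placeholder path).
// It must live outside the web root so the web server can never serve it, and it
// needs its own opening <?php tag. wp-config.php then keeps only the include line
// from above plus everything from "/* That's all, stop editing! */" downward.

// Database settings (placeholder values, replace with your own).
define('DB_NAME',     'wp_database_name');
define('DB_USER',     'wp_database_user');
define('DB_PASSWORD', 'strong-random-password');
define('DB_HOST',     'localhost');
define('DB_CHARSET',  'utf8');
define('DB_COLLATE',  '');

// Secret keys: paste the lines from the WordPress key generator here, not in
// wp-config.php. The strings below are dummies, not generated keys.
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'put your unique phrase here');
define('NONCE_KEY',       'put your unique phrase here');

// Table prefix: anything other than the default wp_ (placeholder value;
// see the "Change default table prefix" tip further down).
$table_prefix = 'k7x3_';
```

A quick check that the split worked: requesting /config.php on your site should return a 404, not a blank page or the file contents, because the file is not under the web root at all.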

Disallow: /wp-*
You should have a robots.txt file in the root directory of the website. This allows you to control what is and isn’t seen by search engines. At the very least you should add to the file

User-agent: *
Disallow: /wp-*

If WordPress is installed in another directory, like ‘blog’, then the entry should be “Disallow: /blog/wp-*”. Adding this value keeps your plugin, theme, and WordPress files out of search engine results (and away from anyone browsing those results). While WordPress is good about plugging security holes, sometimes theme and plugin authors aren’t. This helps to keep your list of plugins private.

Strong password
Yes, it’s obvious, but so worth mentioning. Don’t use anything that is a word or contains a word. Don’t use anything with a name (including pets, domain names, or user names). Use a password generator to create a random collection of letters, numbers, and special characters (!@#$%^&.[]|). Don’t think you’re fooling anyone with ‘1q2w3e4r’, ‘qwerty’, ‘poiuyt’, ‘1qazxsw2’ or by simply substituting numb3rs for v0w3ls. These are all common practices and are tried during brute force attacks.

Change default table prefix from wp_
This is something that should be done from the beginning, when first setting up your site. However, there are ways of doing it after you’ve launched.

First things first, make a backup of the database. Then edit your config file and change the $table_prefix value from wp_ to ‘something-new_’. It’s best to make something-new 3-6 characters, using letters and numbers.

Use the plugin phpMyAdmin. Access phpMyAdmin from the Tools menu, and rename each table that begins with wp_ to ‘something-new_’. Then open the wp_options table (which is now called ‘something-new_options’) and edit all of the wp_ entries within. Repeat for the wp_usermeta table.

For a more detailed walk-through, check out wpcanada.ca.

Once all of the changes are made you should be up and running. Your final step is to make a new backup, immediately. Making this change renders all of your old backups obsolete.
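An added command-line script (not from the post or from wpcanada.ca) that performs the same rename steps as the phpMyAdmin walk-through above: it renames every wp_ table, then rewrites the wp_ prefixed names stored inside the options and usermeta tables. The credentials, database name and new prefix k7x3_ are placeholders; it assumes the backup has already been taken and that $table_prefix in the config file is changed to match.

```php
<?php
// Added example: change the table prefix from wp_ to a new value.
// Run from the command line AFTER backing up the database, and set
// $table_prefix in the config file to the same value as $new.
// Credentials, database name and the new prefix are placeholders.
$old = 'wp_';
$new = 'k7x3_';   // 3-6 letters and digits, ending in an underscore

$db = new mysqli('localhost', 'wp_database_user', 'strong-random-password', 'wp_database_name');
if ($db->connect_error) {
    exit("Connection failed: {$db->connect_error}\n");
}

// In LIKE patterns '_' matches any character, so escape it: 'wp_' must not
// also match tables such as 'wpx...'. ($old is a fixed constant here.)
$likeOld = str_replace('_', '\_', $old) . '%';

// 1. Rename every table that starts with the old prefix. Table names cannot
//    be bound as parameters, so they are taken from the server's own list
//    and quoted with backticks.
$tables = $db->query("SHOW TABLES LIKE '$likeOld'");
while ($row = $tables->fetch_row()) {
    $renamed = $new . substr($row[0], strlen($old));
    $db->query("RENAME TABLE `{$row[0]}` TO `$renamed`") or exit("{$db->error}\n");
    echo "{$row[0]} -> $renamed\n";
}

// 2. Rewrite prefixed names stored inside the data: wp_user_roles in the
//    options table, wp_capabilities / wp_user_level and friends in usermeta.
//    SUBSTRING() is 1-based, so skip strlen($old) characters at the front.
$offset = strlen($old) + 1;
foreach (['options' => 'option_name', 'usermeta' => 'meta_key'] as $table => $column) {
    $stmt = $db->prepare("UPDATE `{$new}{$table}` SET `$column` = CONCAT(?, SUBSTRING(`$column`, ?)) WHERE `$column` LIKE ?");
    $stmt->bind_param('sis', $new, $offset, $likeOld);
    $stmt->execute() or exit("{$stmt->error}\n");
    echo "{$new}{$table}: {$stmt->affected_rows} rows updated\n";
    $stmt->close();
}
$db->close();
```

If the site shows “You do not have sufficient permissions” after the change, the usermeta step did not run: the wp_capabilities row still carries the old prefix, which is exactly why the walk-through repeats the edit for that table.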

Change admin login name
The default login name for any WordPress installation is admin. Don’t use this account. Create a new admin account with a unique name and strong password. To really secure the admin account you need to use the plugin phpMyAdmin and change the login name admin to something new. Change it to something unusual, but something you’d remember. Your grandmother’s name might work well.

To change the username for admin you’ll need to log in with another administrative account. In phpMyAdmin find the wp_users table (if you changed the default prefix, it will start with something other than wp_). Click the browse button. There you’ll see the entry for admin. Click on the pencil icon to edit this entry. In the ‘user_login’ field change the value to whatever you like. At the bottom of the page be sure that ‘save’ is selected, then hit the go button.

Use secret keys
Secret keys provide a better level of encryption for information stored in visitor cookies, including the cookies that keep you logged in as an admin. Be sure to use the key generator to generate keys for your WordPress site. Add these keys to the config file. If you’ve split your config file as mentioned above, the keys go in the split part, not the wp-config.php file.

Don’t allow directories to be browsed
Any secure host will have this set already. However, should your host allow directory listings, you can remedy this by adding ‘Options All -Indexes’ to your .htaccess file.

Use SSH/SFTP to connect
There are many known security issues with FTP, the biggest being that the password for the FTP account is sent over the internet unencrypted with every connection. If at all possible you should use SSH/SFTP to connect to the server. Unfortunately, the built-in FTP upgrade option within WordPress doesn’t support SSH/SFTP yet. It’s a small price to pay for security.

If you must use FTP, be sure the username and password for your FTP account are different from the username and password for your website. And, if possible, create a second user account with your host that has very limited privileges but can still upload files. That way, if that account is ever compromised, the damage that can be done is limited.