WordPress out of the box is pretty easy to get up and running, install some plugins to extend it’s functionality and focus on writing your next big time blog post. With what WordPress provides out the box, an area over looked by a lot of users running a self hosted WordPress is security.
Now don’t get me wrong, this doesn’t mean WordPress isn’t secure! With any system, security issues always arise in even some of the biggest software manufactures in the world. The excellent team behind this powerful system has a lot of security baked in. There is form sanitization that is available to developers with some amazing documentation on how to harness this power in your custom themes and plugins, they update the core code on a regular basis, notifying all users when there are major security updates required to keep your site secure. These are just some of the basics as far as security goes when applied to WordPress out of the box.
The type of security WordPress doesn’t provide out of the box is the security of your computer and the server your WordPress site is installed on. Over the last few years I have been doing some research on security and have complied a crash course tutorial here on how I go about securing all of my websites, new or existing and I feel are required, good practices for anyone running a WordPress site. In reality, WordPress is secure, it’s the thousands of 3rd party themes and plugins that introduce these issues. Installing any third party theme or plugin can impose security threats if the proper precautions aren’t met.
Now, why should you care? You run a small business that markets to local customers? In my experience, hackers don’t care. I have worked on projects from small mom & pop shops to large networked WordPress Multisite installs geared for community involvement world wide that see daily traffic of 100,000 unique visitors a day. And both of these types of websites get attacked by hackers or bots all the time, trying to get in, to either market something to your users without your knowledge, use your site as testing grounds for fresh hackers, religious based hackers trying to spread a message, and lastly the malicious hacker with the intention of stealing sensitive data. The motivation to hack any website is beyond the usual thought of “They want money”. Some hacking is influenced by black hat SEO and creating unauthenticated back-linking. The reality is, if your website is up and available for anyone in the world to view, it’s worth any hackers time to try and make some use of your site as they wish.
Ok, let’s dig in and get working on securing our WordPress sites! Of course, all of these steps are best implemented from the beginning, but a lot of this is a great place to start for an existing site or after dealing with a hacked install.
Harden the Configuration file
First place I start when creating a new WordPress site is with the wp-config.php file. If you haven’t guessed it, this is the configuration file for our WordPress site. There are three major spots of this file.
This may seem like a given, but I don’t know how many times I’ve acquired a site, and found the proper levels of security were not applied to the MySQL Settings section. This section of our configuration file holds the connections to our database, which is essentially the brain of our WordPress site. If anything were to happen to our database, we would lose everything in our WordPress site without a proper backup.
Security is not to be taken lightly here. I try to use descriptive, but yet cryptic naming schemes for the database name, the username and the password. You’ll want to use something descriptive but not too obvious for hackers to figure out for the database name and username. Some hosts when creating these, limit the amount of characters, we’ll want to make sure they are long enough to be used with your hosts requirements.
Set Your SALTs!
The SALTs is a very important part for security and is very easy to set.
If you look in the comment code at the top, you can see they provide a URL that will auto generate the SALTs for you! <3 WordPress. All you have to do is paste that URL into your browser and copy the code they generate for you to paste back into your config.php.
Now, this is all fine and dandy, but what does this do really? These are used for user authentication and form nonces. Let’s say for instance you had a compromise and someone has logged into one of your accounts, you can reset these and that will invalidate all cookies set from user login which will then force everyone to log back in. Giving you a window of time to temporarily disable user login while you correct the issue. Pretty neat and easy ^_^
Database Table Prefix
The final important setup is the Database Table Prefix. By default, WordPress uses wp_ which is set to the beginning of every table in your database. Hackers love this, and opens a doorway for them to use SQL Injection to corrupt your database or return sensitive data through malicious scripts. Changing the default to something unique will harden your install. If you have an existing website that needs this to be updated, sadly you can’t just change the prefix in here.. You will have to manually update the table names yourself. A discussion on that is a talk of it’s own and is beyond the scope (slightly) of this post. Maybe I’ll revisit that in a later time..
“Cripple” the Admin Account
Back in the day, WordPress always created an admin account and you couldn’t rename it. That created huge issues for stoping brute force attackers as they already had the user name figured out. Since WordPress 3.0, they allowed users to install with an account of their choosing. Now I say, install with an admin account with a secure password still but “cripple” that account. What does this mean exactly? Well, I like to keep the hackers at bay and work for it. What I like to do is install WordPress with and admin account with a secure password. Then I’ll go in and create a new account with administration privileges, login with that account and set the original admin account we created in the install and set it’s privileges to subscriber. This will keep the hackers busy for quite some time, plus if they get in, awesome, now they can update their user profile and all that hard work of brute forcing into the account is wasted ^_^ Send them on a wild goose chase. Just because the account username is admin doesn’t mean they have admin privileges… lol
As I said, WordPress out of the box is pretty secure already, but we will need plugins to extend the security of our install and make things more bulletproof. I’ll list out plugins that I use in all of my websites and have been proven to prevent security holes and attacks.
On top of all of that it provides login security by blocking IP address of brute force attackers, theme and plugin checking and hiding if usernames were correct if a failed login occurs (why WordPress does this.. I don’t understand that..). It will also email you about any security vulnerabilities found in your WordPress core files, themes and plugins. One thing that is fun to experiment with is to tell Wordfence to email you when a user is blocked from logging in. That’s how I learned about the kind of hacker traffic that I get on my different websites and found just how many hackers are still trying to brute force the admin account. Reference the “Cripple” the Admin Account section above to make things really interesting.
WordPress Firewall 2
Sadly, this plugin recently hit it’s two year mark of no updates… I’m actually in process of finding a comparable plugin but so far I have found no issues with this plugin regardless of it’s developers inactivity. To this day I’ll get notifications about people trying to run SQL Injections or exploiting malicious code on some of my websites.
This plugin will listen for known hacker techniques, block anything that matches them and email you the URL it happened at and what the plugin thinks the attack was. Using this plugin also help teach me about known security vulnerabilities such as the fb_connect vulnerability that will return your username and encoded password…
I’ll be sure to update this plugin when i have located something just as good or even better.
TimThumb Vulnerability Scanner
As mentioned in the blurb about Wordfence Security, TimThumb is still lingering in some themes and plugins. If you are unsure if your website is vulnerable to this horrible zero-day hack, you can install the TimThumb Vulnerability Scanner. The name says it all really, it scans your WordPress site for out of date versions of TimThumb. The usage is pretty stright foward, you push a button to search and it will report back the version of TimThumb you are running (if it finds it) and will let you know if you are out of date or up to date. This was a huge help for my TimThumb vulnerability to stop any more back doors from being created.
What good is an install without any backups? VaultPress will handle that for you and is maintained by the company behind WordPress, Automattic. Now, admitingly, I have not used ValutPress yet because I haven’t had the needed or a client willing to pay for the service. I do have it planned for my personal site but that will be in a little while. At the moment, I have my host running backup for me which I can access at anytime and restore if I need to.
With VaultPress, they also run security checks similar to Wordfence Security. If you are paying for the package that offers security checks, you can run them both I’m sure, but that may just be a bit paranoid. I would suggest you choose between the two and stick with it. In reality you can also push to the basic plan that just offers the backup and restore features and use Wordfence Security to deal with the server checks.
If your WordPress site is running on apache (which most do), you can take advantage of some great tricks in the htaccess file which acts as a remote server configuration file. This is normally found in the root of your website, if it doesn’t exist, you can just create one. Another thing to not is that natively this is a hidden file, so make sure you have your computer or your ftp software set to display hidden files.
Secure sensitive files
The snippets below will make the following pages inaccessible in a browser. By default, technically you can load these files, but for security sake we’ll stop the server from serving our .htaccess and wp-config.php. Just copy and paste these anywhere in your .htaccess file.
# PREVENT ACCESS TO WP-CONFIG.PHP
Order Deny, Allow
Deny from All
# PREVENT ACCESS TO OUR .HTACCESS
Order Allow, Deny
Deny from All
Hide Directory Indexes
Most good hosting companies will setup your server to disallow user from navigating to a directory in your site which then lists every folder and file inside of it. This can be a bad thing as malicious users can get in there cause some havoc. Let’s prevent that just in case.
# STOP USER FROM VIEWING OUR FILE DIRECTORIES
options all - indexes
Wrapping It Up
In reality, there’s not much to securing your WordPress site. All that I spoke about above is what all of my websites use and since I started implementing these I have prevented security issues ad have been worry free about the security of sites. Of course there are many other things one can do to boost security even further. A good list is from .Net Magazine list 10 simple tricks to secure your WordPress site.
If you have a great security trick that I didn’t list out here, please leave a comment below and share with us!