Tutorial Details
- Program: WordPress
- Version: 3.2.1
- Difficulty: Beginner
- Estimated Completion Time: 20 - 30 minutes
WordPress is open source which means that everyone, including hackers with a malicious intent, can scour the source code looking for holes in its security. That is why I’m going to show you some good precautionary steps to take to protect you, your WordPress and most importantly, your users.
#1 Remove the Admin Superuser
Probably the easiest thing you can do to protect yourself is to change or remove the admin superuser. Anyone who uses WordPress, hackers especially, knows that there is a user called admin with top-level privileges. If the username is already known to be admin, all that is left to guess is the password. Create a new administrative account, this time with a different name, and then delete the admin account.

In fact, what I would personally recommend is to create an administrative account with a very complex username and password (something like x7duEls91*), store it somewhere safe, and make a second account under your own name, without administrative powers, for publishing content. The admin account is essentially only needed to manage themes, plugins and other aspects of the site that do not need to be changed on a daily basis; an editor account is sufficient for everything else.
“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.”
~Clifford Stoll
#2 Choose a Strong Password
Regardless of the type of site you are running, you may be at risk of a brute-force attack. Deleting the admin username in the first step probably deterred most hackers, but there are always those who are very persistent or who already know your username. The next step is to choose a long and varied password. A good way to determine whether your password is secure is to enter it into an online password checker like passwordmeter.com, or to generate a random password instead.
#3 Secure Your Password
I also prefer to take extra precautions when protecting my blog, and installing plugins can add an extra layer of security. There are numerous plugins that handle the password and login aspects of WordPress. One plugin I find very useful is Login LockDown: it records the IP address and timestamp of every failed login, and blocks an IP address after a certain number of failed attempts. This is especially helpful when defending against a brute-force attack; most attackers give up on a site if they are IP-banned every 5 minutes while running their brute-force program.
#4 Always Update WordPress
As I said earlier, WordPress is open source, which makes it an easier target for hackers. Nearly 60 million sites use WordPress, so when Automattic pumps out an update, the sooner you apply it the better: each release is accompanied by a list of the vulnerabilities it fixed, which tells attackers exactly what to try against sites that have not updated yet. Updating doesn't take long either; according to WordPress it takes 5 minutes to complete.

#5 Hide WordPress Version
Let’s say that you forget to update your WordPress installation, or just don’t have 5 minutes to spare. Your WordPress version gives hackers a good idea of how they can attack your site, especially if it’s outdated.
By default, WordPress displays the version, because they want it for metrics to see how many people are using which version, etc… However, this is like putting up a bright red sign on your site telling hackers what to do.
If you’re using a premium theme, odds are that the developer took the liberty of disabling it for you, but it’s always better to be sure. Open your theme’s functions.php file and drop in this line of code:
<?php remove_action('wp_head', 'wp_generator'); ?>
#6 Change File Permissions
It is very important to set proper file permissions to ensure your site’s security. I recommend that you restrict your file permissions down to a CHMOD value of 744, which essentially makes them read-only to everyone except you.
Just open your FTP program, right-click the folder or file and click on “File Permissions”. If it is 777, you are very lucky that you haven’t already been hacked. Change the CHMOD value to 744, giving full access only to the “owner”.
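Checking one file at a time in an FTP client doesn't scale, so here is an added example (not from the original tutorial) that audits a whole WordPress tree for anything writable by group or others, the 777 case above, and optionally strips those write bits so only the owner keeps write access. It assumes GNU find for the "-perm /mode" syntax; the demo tree it builds is constructed, not a real install.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Requires GNU find.
# Finds files/directories that group or "others" can write to and can
# remove those bits, leaving owner permissions (the 7 in 744) untouched.

# List every path under $1 whose mode grants write to group or others.
wp_perm_audit() {
    find "$1" -perm /g+w,o+w -exec ls -ld {} \;
}

# Number of offending paths under $1 (handy for a cron check that mails you).
wp_perm_count() {
    find "$1" -perm /g+w,o+w | wc -l | tr -d ' '
}

# Remove group/other write bits under $1. Owner bits are untouched, so 644
# files and 755 directories keep working; 777 becomes 755, 666 becomes 644.
wp_perm_fix() {
    find "$1" -perm /g+w,o+w -exec chmod go-w {} +
}

# Constructed demo tree standing in for a real install: shows before/after.
wp_perm_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins"
    touch "$root/wp-config.php" "$root/wp-content/plugins/index.html"
    chmod 755 "$root" "$root/wp-content"            # sane directory modes
    chmod 644 "$root/wp-content/plugins/index.html" # sane file mode
    chmod 666 "$root/wp-config.php"                 # world-writable config: bad
    chmod 777 "$root/wp-content/plugins"            # world-writable dir: bad
    echo "before: $(wp_perm_count "$root") path(s) writable by group/others"
    wp_perm_audit "$root"
    wp_perm_fix "$root"
    echo "after:  $(wp_perm_count "$root") path(s) writable by group/others"
    rm -rf "$root"
}
```

Run wp_perm_audit against your document root first and review the list before calling wp_perm_fix, since some hosts deliberately make the uploads directory group-writable for the web server user.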
#7 Whitelist
Whitelists allow you to manage who is able to access certain parts of your website. It’s like building the Great Wall of China around your admin folder, so that no one, except for you, can access the folder. We do this using the .htaccess file.
Navigate to your /wp-admin/ folder, then check if there is already a .htaccess file, if there isn’t one, just make one. If there is already one there, I suggest making a backup of it before doing any edits. Please make sure you are in the wp-admin folder, and not the root folder.
Paste the following code into the .htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Deny everyone by default, then allow only the addresses listed below.
# (Apache 2.2 syntax. The rules are deliberately not wrapped in <Limit GET>,
# which would have left POST and other methods unrestricted.)
order deny,allow
deny from all
# Whitelist your IP address
allow from xx.xx.xx.xxx
# Whitelist your office's IP address
allow from xx.xx.xx.xxx
# Whitelist your IP address while you're traveling (delete when you come back home)
allow from xx.xx.xx.xxx
Replace the xx’s with your IP address, which you can find out at WhatsMyIP.org. From now on, every time you want to log in from somewhere other than the places listed in your .htaccess file, you first have to add the new IP address.
#8 Backup
Regardless of the level of security of your WordPress site, it is a good habit to always back up your site. There are many ways to do this. You can take advantage of cron jobs, if your hosting company provides them, with a script like this:
#!/bin/sh
# Database credentials (fill in yours)
DBNAME=DB_NAME
DBPASS=DB_PASSWORD
DBUSER=DB_USER
EMAIL="you@your_email.com"

DATE=$(date +%Y%m%d)
FILE="$DBNAME-backup-$DATE.sql.gz"

# Dump the database and compress it in one step.
# Note: a password given on the command line is visible in the process list;
# a ~/.my.cnf with [client] credentials, readable only by you, avoids that.
mysqldump --opt -u "$DBUSER" -p"$DBPASS" "$DBNAME" | gzip > "$FILE"
# Mail the archive to yourself ("--" ends mutt's attachment list), then remove the local copy
echo 'BLOG BACKUP: Your backup is attached' | mutt -s "MySQL Backup" -a "$FILE" -- "$EMAIL"
rm "$FILE"
Alternatively, you can use VaultPress, a service from Automattic. If you’re interested in learning more about VaultPress, then I recommend checking out this tutorial.
The easiest way to go is to just log into the admin panel, navigate to Tools and then click on Export. This makes your life easier especially when you need to re-set up your WordPress.
#9 Hide Your Plugins
Putting a blank index file into your /wp-content/plugins/ folder will hide the list of your plugins. Some of you are probably thinking, “Who cares if someone can see my plugins?” Well, plugins can tell hackers how to attack your site, or at least whether it is likely to be vulnerable.

As you can see, the plugins are clearly visible to anyone who navigates to the /wp-content/plugins folder. If a hacker sees no security plugins, they immediately know that this will be an easy job. Adding a blank index.html to the plugins folder is like putting a security sign on your lawn: it doesn’t matter whether you actually have the security system; as long as the hacker doesn’t know, he will be less inclined to try anything.
#10 Analyze Server Logs
The best security tool, regardless of which plugin or software you install, is you. To be confident that you are protected, you have to take a proactive approach to your website’s security. Three times a day I check my server logs and web analytics for any unusual behavior.
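One concrete thing to look for in those server logs is the brute-force pattern from step #2, as in this added example (not from the original tutorial). It assumes a combined-format Apache/Nginx access log, where a failed wp-login.php POST re-renders the form with HTTP 200 while a successful login answers with a 302 redirect; the sample lines are constructed and use RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: flag IP addresses with
# repeated failed WordPress logins in a combined-format access log.

# Constructed sample log (documentation addresses, not real traffic):
# 203.0.113.7 hammers wp-login.php, 198.51.100.24 logs in normally.
SAMPLE_LOG='203.0.113.7 - - [19/Sep/2011:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2011:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2011:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Sep/2011:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.24 - - [19/Sep/2011:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.24 - - [19/Sep/2011:10:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.24 - - [19/Sep/2011:10:02:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 14021 "-" "Mozilla/5.0"
192.0.2.55 - - [19/Sep/2011:10:03:00 +0000] "GET /wp-content/plugins/ HTTP/1.1" 403 210 "-" "curl/7.21"'

# failed_logins LOG_TEXT THRESHOLD
# Prints "ip count" for every client with at least THRESHOLD failed logins.
# A failed login is a POST to wp-login.php answered with 200 (form shown
# again); a successful one is answered with a 302 redirect to wp-admin.
failed_logins() {
    printf '%s\n' "$1" | awk -v min="$2" '
        # $1 client IP, $6 method (with leading quote), $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }'
}

# Same check against a real log file, e.g.
#   failed_logins_file /var/log/apache2/access.log 5
failed_logins_file() {
    failed_logins "$(cat "$1")" "$2"
}

# Demo on the constructed sample: report anyone with 3 or more failures.
failed_logins "$SAMPLE_LOG" 3
```

Any IP this prints is a candidate for the Login LockDown block list or the .htaccess deny rules from step #7, and a sudden jump in the count is exactly the "unusual behavior" worth checking the logs for.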
You’re Set!

Now, with a safe and secure WordPress installation, you are ready to post your content freely without having to worry about whether you’re vulnerable to being hacked.
If you have any questions about this tutorial, WordPress security or security in general, just leave a comment and I will get back to you as soon as I can.