Securing your WordPress Website is critical to growing your online presence. As your Website becomes more popular, it becomes more attractive to crackers. Keeping a WordPress Website secure is not something many administrators take seriously.
WordPress security starts with using a reputable hosting company. If your server's setup is not secure by default, then no added security measure is going to keep crackers, spammers, black-hat hackers, and script kiddies out.
Why should I care about WordPress security? Many administrators think the chance of their Website being cracked is slim. But it happens more often than you think. An insecure Website can damage your online reputation, cost you revenue, and may even lead to your Website being dropped from search engines.
How can you make WordPress more secure? If you implement some of the practical tips outlined below, you will harden your WordPress Website and keep the bad guys out. Here are the tips.
Tip 1. Keep WordPress Up to Date
You should always run the latest stable version of WordPress, upgrading as soon as time permits. Upgrading is necessary because new versions usually include security fixes. Go and upgrade to the latest version now. This is the easiest step you can take to harden your WordPress Website. It is a good first step, but it is not the only step you need to take.
Tip 2. Become a Plugin Minimalist & Upgrade Current Ones
Plugins add a lot of functionality to your Website. However, I want to caution you that there is almost no quality check when it comes to plugin code. Each plugin you add increases the risk that your Website might be compromised. Many plugins amount to security holes in your Website, and a badly coded plugin can be a backdoor for crackers.
Reducing the number of plugins reduces the security risk to your Website. Ask yourself whether a plugin adds value to your Website. If it does, keep it; otherwise delete it (not just deactivate it). Also, when evaluating a plugin, check its ratings, statistics, popularity, and update frequency. For the plugins you decide to keep, make sure they are updated to the latest version.
Did you know? You can replace the functionality of many plugins by adding the code directly to your theme.
How? Just Google what you are trying to do. The answer will often be a few lines of code. Your Website will be faster and more secure with fewer plugins.
The same applies to your WordPress themes. Do you have any unused themes installed but not activated? Delete them.
Tip 3. Complete Backup of Your Website and Database
In the event your Website is compromised, don't you want to recover fast? You need to be prepared for the worst-case scenario by creating database and file backups on a regular basis. There are 2 essential steps to fully back up your WordPress Website: back up the content and back up the structure.
- Backup content: you can back up the database through a plugin, phpMyAdmin, or your Web host's control panel. This method backs up the full content of your database, but it does not include the structure or media files of your Website.
- Backup structure: back up the entire WordPress file structure to your local drive with an FTP client. The point here is that you need a duplicate copy on your local drive of every file located on the remote server.
WordPress has a built-in Export function that you can use from your WordPress dashboard (Tools -> Export). While this method is built into WordPress, it is not a complete backup: it will ONLY export your posts, pages, comments, categories, and tags. It is not a substitute for the database backup mentioned above, but it does not hurt to add it to your backup strategy as an additional step.
In my next tutorial, I will go into more details how to perform this tip.
There are also plugins that do backups, especially of your database. But I will not recommend any because I don't use any.
Tip 4. Pick a Strong Password
The most common-sense way to secure your Website is to have a strong, hard-to-guess password for your WordPress login screen. The password should be at least eight characters long and include a mix of lower- and upper-case letters, numbers, and other characters. Also, don't use the same password for your WordPress admin panel, your FTP account, and your phpMyAdmin account.
By default, WordPress allows unlimited login attempts to your admin panel. Obviously, this is not good for security. The Limit Login Attempts plugin, listed in Tip 12, caps the number of failed login attempts, which makes brute-force password guessing impractical.
Tip 5. Set Unique Keys and Salts
These are a set of random strings that strengthen the hashing of the information stored in the user's authentication cookies. There are eight security keys and salts, defined in your wp-config.php file, that WordPress mixes into the hash values it computes for passwords and, above all, for cookie authentication, so that the result is unique to your site and hard to guess. To increase the security of the passwords stored in your WordPress database, make sure that your wp-config.php file has unique key and salt values.
Self-hosted WordPress Websites do not have these security keys defined; you need to add them yourself. After adding the unique keys, all login sessions will be invalidated and users will have to log in again; that's all. Here is what this section, taken from the wp-config-sample.php file, looks like:
Now, if this is what you still have in your wp-config.php file, you need to get your own secret keys. WordPress has a tool that randomly generates secret keys.
Here is what this section will look like after replacing the default text above with the unique keys and salts obtained from the WordPress Random Secret Key Generator.
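As an added example (not code from the original post), here is a small PHP script that audits a wp-config.php for the eight keys and salts and reports any that still carry the placeholder text from wp-config-sample.php, are too short, or reuse a value. The sample configuration inside it is constructed; the long values are placeholders standing in for generator output.

```php
<?php
// Added example, not from the original post: audit the eight keys and salts in a
// wp-config.php. Flags constants that are missing, still hold the placeholder text
// from wp-config-sample.php, are short, or reuse a value already used elsewhere.
const WP_SALT_KEYS = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                      'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];

function audit_wp_salts(string $config): array {
    $problems = [];
    $seen = [];   // value => first constant that used it
    foreach (WP_SALT_KEYS as $name) {
        // Matches define('NAME', 'value'); with either quote style around the value
        $re = '/define\(\s*[\'"]' . $name . '[\'"]\s*,\s*([\'"])(.*?)\1\s*\)/s';
        if (!preg_match($re, $config, $m)) {
            $problems[$name] = 'not defined';
            continue;
        }
        $value = $m[2];
        if ($value === 'put your unique phrase here') {
            $problems[$name] = 'still the wp-config-sample.php placeholder';
        } elseif (strlen($value) < 32) {          // the generator emits 64 characters
            $problems[$name] = 'too short (' . strlen($value) . ' chars)';
        } elseif (isset($seen[$value])) {
            $problems[$name] = 'same value as ' . $seen[$value];
        }
        $seen[$value] = $name;
    }
    return $problems;
}

// Constructed sample config: two constants untouched since install, one weak
// hand-typed value, and five placeholders standing in for generator output.
$sample = <<<'CFG'
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'password123');
define('NONCE_KEY',        'EXAMPLE-PLACEHOLDER-NONCE-KEY-0000000');
define('AUTH_SALT',        'EXAMPLE-PLACEHOLDER-AUTH-SALT-000000');
define('SECURE_AUTH_SALT', 'EXAMPLE-PLACEHOLDER-SECURE-AUTH-SALT');
define('LOGGED_IN_SALT',   'EXAMPLE-PLACEHOLDER-LOGGED-IN-SALT-0');
define('NONCE_SALT',       'EXAMPLE-PLACEHOLDER-NONCE-SALT-00000');
CFG;

foreach (audit_wp_salts($sample) as $name => $why) {
    echo "$name: $why\n";
}
```

Run it against your real wp-config.php with file_get_contents() instead of the constructed sample; an empty result means all eight constants are defined, generator-length, and distinct.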
Tip 6. Move Your wp-config.php File
This is just a “security through obscurity” tip. Since WordPress 2.6 you can move your wp-config.php file ONE level higher than where it resides by default. WordPress automatically checks the parent directory if the file is not found in its default location. If you installed WordPress in the root of your domain, then moving the wp-config.php file one level up will put it outside of the Web root.
For an Apache server, you can also block access to the wp-config.php file by adding the following directive to your .htaccess file. I am not sure what needs to be done for Windows Web servers.
Tip 7. Remove WordPress Version
This is another “security through obscurity” tip. Your WordPress Website will be a little more secure if you don't advertise which version of WordPress you are using. Why remove it? Because there are security vulnerabilities tied to specific versions of WordPress. By hiding your WordPress version, you make it a bit harder for a cracker to know which vulnerabilities to try. By default, the WordPress version can be found in these two places:
In the header of your page, something like this:
In your feed, something like this:
To hide the WordPress version, just add the following code to the functions.php file located in your theme's directory:
To my surprise, I discovered that some plugins append the WordPress version to some of their external files.
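An added example, not the original post's code, for the theme's functions.php: it removes the version string from the head meta tag and the feed generator element named above, and also from the ?ver= query string that WordPress appends to enqueued scripts and styles, which is where the version on plugin files mentioned in the last paragraph usually comes from. The mysite_ function names are my own.

```php
<?php
// Added example, not from the original post: theme functions.php snippet that
// keeps WordPress from printing its version in the page head, in feeds, and in
// the ?ver= query string of enqueued scripts and stylesheets.

// Drops <meta name="generator" content="WordPress x.y" /> from the <head>
remove_action('wp_head', 'wp_generator');

// Blanks <generator>https://wordpress.org/?v=x.y</generator> in RSS/Atom feeds
// (the same filter also covers the head meta tag if another plugin re-adds it)
function mysite_hide_generator() {
    return '';
}
add_filter('the_generator', 'mysite_hide_generator');

// Strips ?ver=x.y from enqueued assets. Note this also removes the cache-busting
// version for plugin and theme assets, so clear caches after deploying a change.
function mysite_strip_asset_version($src) {
    return remove_query_arg('ver', $src);
}
add_filter('style_loader_src', 'mysite_strip_asset_version');
add_filter('script_loader_src', 'mysite_strip_asset_version');
```

This only hides the string; keeping WordPress updated (Tip 1) is what actually closes the vulnerabilities.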
Tip 8. Change WordPress Default Table Prefix
This is yet another “security by obscurity” measure for your installation. By default, the WordPress table prefix is wp_, which is the starting point of all WordPress table names stored in the MySQL database. When installing WordPress you can easily change this by editing the $table_prefix value in your wp-config.php file.
Many published WordPress-specific SQL injection attacks assume that the table prefix is still the default wp_. Changing it will block some of these attacks by making your table names much harder to guess. If you want to change the table prefix after you have installed WordPress, you can either use a plugin or do it manually.
This is what this section, taken from the wp-config-sample.php file, looks like:
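For the manual route on an existing install, here is an added example (not from the original post): a command-line PHP script that renames every table from the old prefix to the new one and then fixes the two places where WordPress stores the prefix as data, which is the step people forget. The prefixes and database credentials are placeholders; back up the database first (Tip 3).

```php
<?php
// Added example, not from the original post: change the table prefix of an
// existing WordPress install from the command line. Back up the database first,
// then set $table_prefix in wp-config.php to the new value when this finishes.
// The prefixes and connection details below are placeholders.
$old = 'wp_';
$new = 'wpAB1_';
$db  = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die("Connection failed: {$db->connect_error}\n");
}

// In a LIKE pattern '_' matches any single character, so escape it to match the
// literal prefix. MySQL keeps '\_' as-is inside a string literal for this purpose.
$like = str_replace('_', '\\_', $old) . '%';

// 1. Rename every table whose name starts with the old prefix
$tables = [];
$res = $db->query("SHOW TABLES LIKE '$like'");
while ($row = $res->fetch_row()) {
    $tables[] = $row[0];
}
foreach ($tables as $table) {
    $renamed = $new . substr($table, strlen($old));
    $db->query("RENAME TABLE `$table` TO `$renamed`") or die("{$db->error}\n");
    echo "$table -> $renamed\n";
}

// 2. The prefix is also stored as data: the option holding the role definitions
//    (wp_user_roles) and per-user meta keys such as wp_capabilities. Skip this
//    step and every account, including yours, loses its role.
$from = strlen($old) + 1; // SUBSTRING positions are 1-based
$db->query("UPDATE `{$new}options` SET option_name = CONCAT('$new', SUBSTRING(option_name, $from))
            WHERE option_name LIKE '$like'") or die("{$db->error}\n");
$db->query("UPDATE `{$new}usermeta` SET meta_key = CONCAT('$new', SUBSTRING(meta_key, $from))
            WHERE meta_key LIKE '$like'") or die("{$db->error}\n");
echo "Done. Now set \$table_prefix = '$new'; in wp-config.php\n";
```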
Tip 9. Change WordPress Default admin Username
By default, WordPress calls the administrator's user account "admin". The problem is that if someone wants to crack your Website, they can start with the default username, and if they are right, that cuts their work in half. When installing WordPress, if you have the option, remember to use a different username. If you already have WordPress installed, the fix is quite simple.
There are 2 ways to change the username: in the WordPress dashboard or in phpMyAdmin. To change the admin username after WordPress is already installed, you can edit the value directly using the phpMyAdmin Web interface. Here is what you need to do:
- Log into phpMyAdmin and select your WordPress database.
- In your WordPress database, select the wp_users table.
- At the top left of the table, click “Browse”, select the admin user row, then click “Edit”.
- Under the user_login column, change the username to any other name you like, then click "Go" to save.
See the picture below:
I am assuming that you still have the table prefix wp_. If you changed it to, let's say, wpAB1_, then the table you are looking for is wpAB1_users.
One more important step you need to take: by default, WordPress displays the author name in your posts as your username. To change that, log in to your WordPress admin panel, go to Users -> Your Profile, and in the Name section, for the field "Display name publicly as", select an option that is NOT your username (make sure your nickname is different from your username). Be sure to click the Update Profile button to save the change. See the picture below:
ALWAYS back up your database before executing any SQL commands. You can create a backup copy of your database from phpMyAdmin with the Export function.
For completeness, I mentioned above that you can also change the admin username in the WordPress dashboard. This is how it is done:
- Go to Users -> Add New, fill out the information needed and make sure to set the Role as Administrator.
- Log out and then log back into WordPress with the new user you just created.
- Go to Users -> Users, select and delete the admin user account and click Apply.
- When asked what to do with the admin user posts, make sure you assign them to the new user you just created.
- Click on "Confirm Deletion" and that's it.
If you get stuck here, and don´t know what to do, this additional reference might help.
Tip 10. Prevent Directory Browsing
By default, a Web server allows directory browsing, which means that anyone can use a Web browser as a file browser to reveal the contents of any directory that contains no index.html (or index.php) file. For an Apache server, change this behavior by adding the following code to the .htaccess file in your root directory. I am not sure how it is done for a Windows Web server.
The latest versions of WordPress (I think version 2.8 and above) already add a blank index.php file to the plugin and theme directories. The reason is to keep the bad guys from browsing your plugin and theme directories and learning which plugins and themes you have installed. This is something you should not have to worry about anymore.
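As an added example (not from the original post), here is one .htaccess fragment for the WordPress root that covers both this tip and Tip 6: it turns off directory listings and refuses every HTTP request for wp-config.php. It assumes Apache with AllowOverride permitting these directives; the Require form is for Apache 2.4 and the Order/Deny form for 2.2.

```apache
# Added example, not from the original post: .htaccess in the WordPress root.

# Tip 10: no automatic directory listings where an index file is missing
Options -Indexes

# Tip 6: deny every HTTP request for wp-config.php under the Web root.
# If WordPress sits in a subdirectory, "one level up" is still inside the
# Web root, so this rule matters even after moving the file.
<Files wp-config.php>
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
```

Check it by requesting /wp-config.php and a directory without an index file in a browser; both should return 403 Forbidden.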
Tip 11. Use SFTP Instead of FTP
The problem with FTP is that it is an old standard and is not secure. By using FTP to connect to your server, you are sending your username and password in plain text. This is unsafe and poses a security risk, as crackers can intercept this information and gain access to your Website's files on the server, where they can change your files and add spam.
If your Web host offers SFTP as part of your plan, start using it. If not, consider changing plans.
Tip 12. Check Regularly For Exploits
Here are some WordPress security plugins that monitor your Website for security exploits. I suggest that you choose and use one that fits your needs from the list below.
If you implement a few of the tips I discussed above, your WordPress Website will be better protected from exploits than the vast majority of WordPress Websites. However, new exploits are discovered often, and when a fix is not yet available, everyone is at risk. Do you have any more security tips? If so, please share them in the comments section.