12 Practical Tips to Improve WordPress Security

Securing your WordPress Website is critical to growing your online presence. As your Website becomes more popular, it becomes a more attractive target for Crackers. Keeping a WordPress Website secure is not something many administrators take seriously.

WordPress security starts with using a reputable hosting company. If your server's setup is not secure to begin with, then no added security measure is going to keep Crackers, Spammers, Black hat Hackers, and Script Kiddies out.

Why should I care about WordPress security? Many administrators think the chance of their Website being cracked is slim. But it happens more often than you think. An insecure Website can damage your online reputation, cost you revenue, and may even lead to your Website being dropped from Search Engines.

How can you make WordPress more Secure? If you implement some of the practical tips outlined below, you will harden your WordPress Website and keep the bad guys out. Here are the tips.

Tip1. Keep WordPress Up to Date

You should always run the latest stable version of WordPress, upgrading as soon as time permits. Upgrading is necessary because new versions usually include security fixes. Go and upgrade to the latest version now. This is the easiest step you can take to harden your WordPress Website. It is a good first step, but it is not the only step you need to take.

Tip2. Become a Plugin Minimalist & Upgrade Current Ones

Plugins add a lot of functionality to your Website. However, I want to caution you that there is almost no quality check when it comes to plugin code. Each plugin you add increases the risk that your Website will be compromised. Many plugins are security holes in your Website, and a badly coded plugin can be a backdoor for crackers.

Reducing the number of plugins reduces the security risk to your Website. Ask yourself whether a plugin adds value to your Website. If it does, keep it; otherwise delete it (not just deactivate it). Also, when evaluating a plugin, check its ratings, statistics, popularity, and update frequency. For the plugins you decide to keep, make sure that they are updated to the latest version.

Did you know? You can often replace the functionality of a plugin by adding the code directly to your theme.
How? Just Google what you are trying to do; the answer will often be a few lines of code. Your Website will be faster and more secure with fewer plugins.

The same applies to your WordPress themes. Do you have any themes installed but not activated? Delete them.

Tip3. Complete Backup of Your Website and Database

In the event your Website is compromised, don't you want to recover fast? You need to be prepared for the worst case scenario by creating database and file backups on a regular basis. There are 2 essential steps to fully back up your WordPress Website: back up the content and back up the structure.

  1. Backup Content: you can back up the database through a Plugin, phpMyAdmin, or your Webhost's control panel. This backs up the full content of your database, but it does not include the file structure or the media files of your Website.
  2. Backup Structure: back up the whole WordPress file structure through an FTP client to your local drive. The point is to create a duplicate copy on your local drive of every file located on the remote server.

References:

WordPress has a built-in Export function that you can use from your WordPress dashboard (Tools -> Export). While this method is built into WordPress, it is not a complete backup: it will ONLY export your posts, pages, comments, categories, and tags. It is not a substitute for the database backup mentioned above, but it does not hurt to add it to your backup strategy as an additional step.

In my next tutorial, I will go into more detail on how to perform this tip.

There are also plugins that do backups, especially of your database. But I will not recommend any because I don't use any.

Tip4. Pick a Strong Password

The most basic way to secure your Website is to have a strong, hard-to-guess password for your WordPress login screen. The password should be at least eight characters long and include a mix of lower and upper case letters, numbers, and other characters. Also, don't use the same password for your WordPress Admin panel, your FTP account, and your phpMyAdmin account.

By default, WordPress allows unlimited login attempts to your Admin panel. Obviously, this is not good for security. The Limit Login Attempts plugin, listed in Tip12, limits the number of failed login attempts and thus makes password cracking impossible.


Tip5. Set Unique Keys and Salts

These are a set of random strings that improve the protection of the information stored in the user's cookies. There are 8 security keys, set in your wp-config.php file, which WordPress uses to generate hard-to-guess, unique values when calculating the hashes that protect passwords and, especially, cookie authentication. To increase the security of the passwords stored in your WordPress database, make sure that your wp-config.php file has unique Keys and Salts values.

Self-hosted WordPress Websites don't have these security keys defined. You need to add them yourself. After adding these unique keys, all login sessions will be invalidated and users will have to log in again; that's all. Here is what this section, taken from the wp-config-sample.php file, looks like:

/**#@+
 * Authentication Unique Keys and Salts.
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 * @since version 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

/**#@-*/

Now, if this is what you still have in your wp-config.php file, you need to get your own secret keys. WordPress has a tool that randomly generates secret keys.

Here is what this section will look like after replacing the default text above with unique keys and salts obtained from WordPress Random Secret Key Generator.

define('AUTH_KEY',         '6r@06GVf[1x-X*Ic|XCqX|Me(y_~X*bF`w5z)kS6tEk_|(9SC/w~-}G|{QS6h');
define('SECURE_AUTH_KEY',  'HwhIV-R}^:j)^+ie4h++e-)?vuecgRas~|*fsn=e0e`_Hw}*8j@P14Bs#Y.M:');
define('LOGGED_IN_KEY',    'rL=~VmbTg?X%]:kp du(cX$VEFTxX8vCn|$0-2|O@bN-wWn-0Q6NY.Q_W1-E#');
define('NONCE_KEY',        '*`r+{|/IFWEp0tC7xN ?$OGTPzgG%3pb-I^lJ9+iaviy)W__BC?VUU~}}s?iz');
define('AUTH_SALT',        ':XoDSEUSl3w^~0`C%pWpk{^WbNr|Jp xZ*Bk+Q2piQyH=Q*|_r_{e=mM7oK0%');
define('SECURE_AUTH_SALT', 'sm35O.Gp*|teE4kn%5$,Qos@iWO!:xk0-nL7?oO2`|7Jg3-Ya-;Gt6uBa)I`l');
define('LOGGED_IN_SALT',   '|F#N(wqV@oRRdjZI~T3LY!Uh/fiW3 3U|z`X:}gt_9KmkI=^o8]ji:55(+Q|v');
define('NONCE_SALT',       '3icDRQEY^d[Mh,Ien|-+ K[V|{Wzg{q*JilbmYBaRC@]ebu(=CwJ0-ee%{1n5');


Tip6. Move Your wp-config.php File

This is just a “security through obscurity” tip. Since WordPress 2.6 you can move your wp-config.php file ONE level higher than where it resides by default. WordPress automatically checks the parent directory if the file is not found in its default location. If you installed WordPress in the root of your domain, then moving the wp-config.php file one level up will put it outside the Web root.

For an Apache server, you can also block access to the wp-config.php file by adding the following directive to your .htaccess file (the order/deny syntax shown is the Apache 2.2 form; Apache 2.4 uses Require all denied instead). I am not sure what needs to be done for Windows Web servers.

<files wp-config.php>
order allow,deny
deny from all
</files>


Tip7. Remove WordPress Version

This is another “security through obscurity” tip. Your WordPress Website will be a little more secure if you don't advertise which version of WordPress you are using. Why remove it? Because there are security vulnerabilities tied to specific versions of WordPress. By hiding your WordPress version, you make it a bit harder for a cracker to know which vulnerabilities apply. By default, the WordPress version can be found in these two places:

In the header of your page. Something like this:

<meta name="generator" content="WordPress 3.0.4" />

In your feed. Something like this:

<generator>http://wordpress.org/?v=3.0.4</generator>

To hide the WordPress version, just add the following code to the functions.php file located in your theme's directory:

<?php
//Remove WordPress Version from the theme header and from the feed
function remove_wp_version() {
return ''; //returns nothing, exactly the point.
}
add_filter('the_generator', 'remove_wp_version');
?>

To my surprise, I discovered that some plugins append the WordPress version to some of their external files.
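As an added self-check (not code from the original post), the script below scans saved copies of your own site's HTML and feed for the two disclosure points shown above, plus the ?ver= query string that WordPress appends to enqueued scripts and stylesheets when a plugin or theme does not set its own version (the plugin case just mentioned). The sample HTML and feed are constructed, modelled on the snippets in this tip.

```python
"""Find WordPress version disclosures in saved HTML and feed output (Tip7 check)."""
import re
from urllib.parse import parse_qs, urlparse

# The two locations named in the tip.
META_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
FEED_RE = re.compile(r"<generator>[^<]*\?v=([\d.]+)</generator>", re.I)
# Enqueued assets: WordPress appends ?ver=<its version> when the enqueuing
# plugin or theme gives no version of its own (the "external files" leak).
ASSET_RE = re.compile(r'<(?:script|link)\b[^>]*\b(?:src|href)="([^"]+)"', re.I)


def find_version_leaks(html: str, feed: str = "", wp_version: str = "") -> dict:
    """Return {location: version(s)}; an empty dict means no leak was found.

    wp_version, if given, restricts asset hits to URLs whose ?ver= matches it,
    so plugin-specific versions (e.g. jQuery 1.4.4) are not reported as leaks.
    """
    leaks = {}
    m = META_RE.search(html)
    if m:
        leaks["meta_generator"] = m.group(1)
    m = FEED_RE.search(feed)
    if m:
        leaks["feed_generator"] = m.group(1)
    assets = []
    for url in ASSET_RE.findall(html):
        ver = parse_qs(urlparse(url).query).get("ver", [None])[0]
        if ver and (not wp_version or ver == wp_version):
            assets.append((url.split("?", 1)[0], ver))
    if assets:
        leaks["asset_ver"] = assets
    return leaks


# Constructed sample output, modelled on the snippets shown in the tip.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.0.4" />
<link rel="stylesheet" href="http://example.com/wp-content/plugins/foo/foo.css?ver=3.0.4" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.4.4"></script>
</head><body></body></html>"""
SAMPLE_FEED = ("<rss><channel><generator>http://wordpress.org/?v=3.0.4"
               "</generator></channel></rss>")

if __name__ == "__main__":
    for where, what in find_version_leaks(SAMPLE_HTML, SAMPLE_FEED).items():
        print(f"{where}: {what}")
```

After applying the filter above, the meta and feed entries should disappear from the output; any remaining asset_ver hit matching your WordPress version points at a plugin or theme that still leaks it.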

Tip8. Change WordPress Default Table Prefix

This is yet another “security by obscurity” measure for your installation. By default, the WordPress table prefix is wp_, which is the starting part of every WordPress table name stored in the MySQL database. When installing WordPress, you can easily change this by editing the $table_prefix value in your wp-config.php file.

Many published WordPress-specific SQL injection attacks assume that the table prefix is still the default wp_. Changing it will block some of these attacks by making your table names much harder to guess. If you want to change the table prefix after you have installed WordPress, you can either use a plugin or do it manually.

This is what this section, taken from the wp-config-sample.php file, looks like:

/**
 * WordPress Database Table prefix.
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

References:

  1. In my next tutorial, I will show in more detail how to do this when your WordPress Website is already online.
  2. There are also plugins that change the table prefix, like WP Security Scan. But I haven't tried it myself.
  3. Make sure that you back up your database before doing this, just in case.
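An added audit script (not part of the original post) that reads a wp-config.php and flags the defaults from Tip5 and Tip8: keys still set to the sample placeholder, shorter than the 64 characters the WordPress.org generator emits, duplicated, or a $table_prefix still equal to wp_. It also includes an offline key generator as an alternative to the WordPress.org service; the character set and the 64-character length are my assumptions modelled on that service's output, and the two sample configs are constructed.

```python
"""Audit wp-config.php for the two weak defaults covered by Tip5 and Tip8."""
import re
import secrets
import string
from collections import Counter

SECRET_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LEN = 64  # assumption: the WordPress.org service emits 64-character values
# Assumed alphabet: no quote or backslash, so values paste into a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>~`,.;:/?|"

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^'\\]*)'\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def generate_keys(length: int = MIN_KEY_LEN) -> str:
    """Offline alternative to the generator: eight define() lines from a CSPRNG."""
    lines = []
    for name in SECRET_KEYS:
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)


def audit_wp_config(source: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    defines = dict(DEFINE_RE.findall(source))
    for name in SECRET_KEYS:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"{name}: only {len(value)} characters, regenerate it")
    # Each key and salt must be distinct; a copy-pasted value defeats the purpose.
    for value, n in Counter(defines.get(k) for k in SECRET_KEYS).items():
        if n > 1 and value not in (None, PLACEHOLDER):
            findings.append(f"{n} keys share the same value")
    m = PREFIX_RE.search(source)
    if m is None:
        findings.append("$table_prefix: not set")
    elif m.group(1) == "wp_":
        findings.append("$table_prefix: still the default 'wp_'")
    return findings


# Constructed samples: the shipped wp-config-sample.php defaults vs. a hardened file.
SAMPLE_DEFAULT = "\n".join(
    [f"define('{k}', '{PLACEHOLDER}');" for k in SECRET_KEYS] + ["$table_prefix  = 'wp_';"])
SAMPLE_HARDENED = generate_keys() + "\n$table_prefix = 'wpAB1_';"
```

Run audit_wp_config on the text of your own wp-config.php; the default sample yields nine findings and the hardened one none.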

Tip9. Change WordPress Default admin Username

By default, WordPress names the administrator's user account "admin". The problem is that anyone who wants to crack your Website can start with the default Username, and if they are right, that cuts their work in half. When installing WordPress, if you have the option, remember to use a different Username. If you already have WordPress installed, the fix is quite simple.

Default Username as shown in the WordPress login screen.

There are 2 ways to change the Username: in the WordPress dashboard or in phpMyAdmin. To change the admin Username after WordPress is already installed, you can manually edit the value using the phpMyAdmin Web interface. Here is what you need to do:

  1. Log into your phpMyAdmin, select your WordPress database.
  2. From your WordPress database, select the wp_users table.
  3. At the top left of the table, click “Browse” select the admin user row, then select “Edit”.
  4. Under the user_login column, modify the username to any other name you like and then click "Go" to save.

See the picture below:

Editing the default WordPress Username in the database using phpMyAdmin.

I am assuming that you still have the table prefix as wp_. If you changed it to, let's say, wpAB1_, then the table you will be looking for is wpAB1_users.

One more important step that you need to take: by default, WordPress displays the author name in your posts as your Username. To change that, log in to your WordPress Admin panel, go to Users -> Your Profile, and in the Name section, for the field "Display name publicly as", select an option that is NOT your Username (make sure your Nickname is different from your Username). Be sure to click the Update Profile button to save the change. See the picture below:

WordPress User profile as shown in the dashboard.

ALWAYS backup your database before executing any SQL commands. You can create a backup copy of your database from phpMyAdmin with the Export function.

For completeness, I mentioned above that you can also change the admin Username in WordPress Dashboard. This is how it is done:

  1. Go to Users -> Add New, fill out the information needed and make sure to set the Role as Administrator.
  2. Log out and then log back into WordPress with the new user you just created.
  3. Go to Users -> Users, select and delete the admin user account and click Apply.
  4. When asked what to do with the admin user posts, make sure you assign them to the new user you just created.
  5. Click on "Confirm Deletion" and that's it.

If you get stuck here, and don´t know what to do, this additional reference might help.

Tip10. Prevent Directory Browsing

By default, a Web server allows browsing of directories, which means that you can use your Web browser as a file browser to reveal the contents of any directory that contains no index.html (or index.php). For an Apache server, change this behavior by adding the following code to the .htaccess file in your root directory. I am not sure how it is done for Windows Web server.

#prevent folder browsing
Options All -Indexes

The latest versions of WordPress (I think version 2.8 and above) already add a blank index.php file to the plugin and theme directories. The reason is to keep the bad guys from browsing your plugin and theme directories and learning which plugins and themes you have installed. This is something that you should not need to worry about anymore.

Tip11. Use SFTP Instead of FTP

The problem is that FTP is an old standard and is not secure. By using FTP to connect to your server, you are sending your username and password in plain text. This is unsafe and poses a security risk: crackers can intercept this information and gain access to your Website's files on your server, where they can change your files and add spam.

If your Web host offers SFTP as part of your plan, then start using it. If not, consider changing plans.


Tip12. Check Regularly For Exploits

Here are some WordPress security plugins that monitor your Website for security exploits. I suggest that you choose and use the one that fits your needs from the list below.


Conclusion

If you implement a few of the tips I discussed above, your WordPress Website will be more secure from exploits than the vast majority of WordPress Websites. However, new exploits are discovered often, and when a fix is not yet available, everyone is at risk. Do you have any more security tips? If so, please share them in the comments section.


About the Author
Boutros is a professional Drupal & WordPress developer, Web developer, Web designer, Software Engineer and Blogger. He strives for pixel perfect design, clean robust code, and user-friendly interface. If you have a project in mind and like his work, feel free to contact him. Connect with Boutros on Twitter, and LinkedIn.
Visit Boutros AbiChedid Website.

11 Responses to “12 Practical Tips to Improve WordPress Security”

  1. Jaipurwebs says:

    Really nice post to improve my WordPress website. Thanks for sharing.

  2. Lorenzo says:

    Some great suggestions here! Minimizing the plugins that are running has the benefit of improving site performance by reducing the amount of resources required.

    I would also recommend that you keep your computer up-to-date as well. WordPress has the browsehappy project that shows the current versions of various browsers.

  3. Chad Agrawal says:

    Hey Boutros,

    I just wanted to say thank you for the helpful hints. I discovered all the failed attempts after installing a plugin to track user activity. Thanks to this post and the other post on login attempts, I was able to change my admin username and limit login attempts :-)

    It’s crazy that most bloggers (I think) have no idea how much their blog is targeted.

    Thanks for the awesome help. I really appreciate it.

    Chad

  4. I like your article, you mentioned some great pieces of advice. I actually had a guest poster on my site write about the same thing and she mentioned a plugin called “Better WP Security” which enforces a lot of those steps including:

    * table prefix (it will warn and change it)
    * enforces strong passwords
    * enforces admin to be removed
    * htaccess security

    and a ton more. Thought you’d find it useful :)

  5. Arafin Shaon says:

    Everything works fine, mate, but the problem I'm having is that since I use the Jetpack plugin, it's not letting me hide the WordPress version with your given code :(

  6. Improving security of your WordPress blog is important. Even one of my blogs has been targeted and completely wiped out from the web server. You covered some really good ways to improve the security of a WordPress blog.

  7. Thank you so much for your explicit tips – they will help me while I work on optimizing my too slow site. Now I can make it more secure at the same time:)

  8. derek says:

    Thanks for this, some good tips. Just changed my table prefixes for the first time, blew up one plugin but got it going :)

    • Hi Derek,
      If you have trouble with a plugin, you can remove it and then install it back after you have changed your table prefixes (you might lose your old data though).
      Boutros.