17 Tips on How to Secure WordPress Like Fort Knox

How to Secure WordPress1. Use a Secure Well Known Host for WordPress

If you’re using a web host that no one has ever heard about and offers unlimited band width for $1.99 a year you many want to start looking else where. I know of some well known companies that do offer “unlimited bandwidth” for $6.99 a year but the fact of the matter is that if you read the fine print it is only unlimited so long as your website does not use up more than 10% of the CPU of that particular server. As far as I am concerned it is false advertising. If your website is making you money you want to look for a quality, reliable secure host. Research the company by doing a Google search such as “company name hacked” and see what turns up. Ask them about their server uptime percentage, that is, if their servers have ever gone done and what contingencies they have in place should power go out (my hosting company has back up generators that will last them up to 30 days) You may also want to ask about building security such as who has access to the server room and how often passwords are changed, etc. I would also ask about firewall security for their servers. If you can, get a VPS serving environment over a shared host. Not only will your site be more secure but it will faster as well as you won’t be sharing resources with other website owners. I personally use www.stormondemand.com and am in the midst of building a Turn Key WordPress Hosting Solution.  Follow me on twitter to keep updated as to the launch.

2. Don’t Use the Default Admin Username

I think this goes without saying, but it’s worth saying anyway. Use a unique username and password.

For instance for your admin username, use something like this:

ASvfrb.S8_nCD-ZU9nV@3TSs-UM4UohD

WordPress does not allow any special characters in your username with the exception of a period, underscore and hyphen.

So use your favorite password management software such as www.roboform.com or www.keypass.com or www.lastpassword.com to generate and keep track of not only your passwords but also your usernames.

If you can remember it, someone can hack it.

Give this account admin privileges and set up a separate account with publisher rights and a more user friendly and keyword rich username.

Also, if you have an admin account, with the username “admin” change its permissions level to subscriber, this way if this account ever is hacked, hackers will be disappointed to discover that they wasted a lot of time to get the privilege to do nothing on your site and will probably move on.

One final note on this matter.  Use this account for admin functionality only.  Do not use it to publish content as, even though you can publicly display the hyper link as something such as your name, it will still be revealed when someone clicks on the author’s archives and then your username will be revealed for all the world to see.

Instead, create a second account using your real name and then grant publisher rights to that account for doing  all of your content publishing.

You can then use the other account for all of your admin functions such as WordPress updates, plugin updates etc.

3. Use a Difficult Password

This should go without saying but you’d be surprised at how many people use simple passwords thinking that it is only fellow human beings that they have to out smart.  This is not the case, as hackers use software to do brute force attacks on your blog in which they cycle through the alphabet to try to guess your password.  Therefore, you should use an alpha numeric special character password such as:

o&WjR8$fcFr5jX3HDBWVtta*H!!

I would use a minimum of 24 characters, however I do use more. And this length of password takes a lot longer for a hacker attempting a brute force attack to crack.

Just how long you ask?

A password like this, according to the Brute Force Calculator, would take 129 nonillion years to crack. That is much, much, much, much longer than the average person is alive. (The average person is alive for about 27, 375 days so I’ll let you do the math) but basically just having a password like this is going to make your site more secure. Again, use something like Keypass or Roboform to keep track of passwords. If you can remember it, it can be cracked/hacked more easily.

4. Install the Limit Login Attempts Plugin

The Limit Login Attempts plugin will limit the amount of failed login attempts, practically eliminating any possibility whatsoever of a brute force attack as you can set the number of failed attempts to whatever you want or leave it at the default of 5.  With this functionality you may be wondering why I mentioned using such complex passwords, well WordPress security is like creating a fortress with many different deter-ants to gain access.  Think of Limit Login Attempts as your draw bridge. Keep in mind that WordPress security is about a wholistic approach rather than just doing one thing.

5. Keep the WordPress Core & Plugins Up-to-Date

This is important and I’ll admit I had this bite me in the ass recently. A theme developer, and I won’t say which one, had a security “loophole” in one of the theme files and someone had inserted some code in there and was using my bandwidth. Luckily, my host caught it and locked down the site. I look for an update from the programmer via the membership site and saw that there was an update. I am frustrated that the theme author does not have built in auto updates for the theme and I am actually working towards having my own similar theme developed which will be under my control. But the point of the matter is to keep your plugins and themes up-to-date. Doing so will ensure that the latest security holes filled.

6. Use a Premium Theme

Empowered Blogs for WordPress

I know that there are 1450 Free themes in the WordPress Theme directory. However, I would highly encourage you to use a Premium WordPress theme. Reason being, Free themes don’t have as much support, I mean seriously, would you work for free. I think that some developers develop the free stuff as a lead generator. I know that’s what I would do. And they have other jobs/projects which they are involved with and won’t have the time to support you. Plus, a premium theme developer is more concerned about the little details such as ensuring that security loopholes are filled. That being said, Clifton who is also the owner of this blog, has a kick ass theme called the Empowered Theme that I would recommend to anyone.  I don’t use it myself but that doesn’t mean I don’t think it rocks.

7. Folder Permissions

This is something that you really need to be careful with as I have a friend on Facebook who had her WordPress website hacked because of a plugin file permission setting. The plugin author’s told her to set a folder setting to 777. Setting the file permission means that anyone can write to that folder and someone did as they inserted a script that was sending a virus to users upon visiting. The virus caused her site to be blocked by Google.

At a minimum, all of your files should be set to a permission setting of 644 and all of your folders should be set to 755. You can do this from your Cpanel or from an FTP client such as Filezilla. Contact your hosting provider if you have questions.

However, it also depends on your server environment. For instance, whether or not you are using a share or dedicated host.

That being said, I’m going to give credit where credit is due and suggest you read this blog post on how to configure your WordPress file permission settings.

8. Remove WordPress Version from the Header

Some hackers will look to see what version of WordPress you are using by viewing the source code of your website and looking to see which version of WordPress you are running in the header section of your website code.

I have to admit that this is not a huge issue but it is something that you should implement as hackers may be looking to see which version of WordPress you are on and if there are any security loop holes that they can exploit to get access to your site. This can be done by inserting this code in your functions.php file of your theme:

remove_action(‘wp_head’, ‘wp_generator’);

or you can use the http://wordpress.org/extend/plugins/remove-generator-tag-for-wordpress/ plugin from the WordPress Plugin repository.

You can also download and install the Better WordPress Security Plugin to assist you with this.

9. Use Secret Salt Keys

If you didn’t do this already when you installed WordPress (I highly discourage people from using auto install scripts as they don’t install WordPress securely) you should do this now.

Log in to your cpanel and go to your wp-config.php file and click on the code editor. You’ll want to scroll down to the part of your wp-config file that looks like this:

Then go here:

https://api.wordpress.org/secret-key/1.1/salt/

and copy and paste the keys that come up such as these (if you refresh the browser it will give you a new set of keys should you not like the first ones, although I don’t know why you wouldn’t):

define(‘AUTH_KEY’, ‘,%,K^]YG+YyL:geMq.s# ~ZCB5[=bd.6Z;k,b*0G(&-BdP~u3u cQn?]lZ-PNbAZ’);

define(‘SECURE_AUTH_KEY’, ‘Zw4:%k})BUq]@^X,:E:$PsVOl-9s]Z5F4z&QG&3>kqVuA,HzPhl9)5$%5,/>atQl’);

define(‘LOGGED_IN_KEY’, ‘opp]gT6b#@_-IcV9wj]o^ET:o>jtceAq1 [PZ:L8-R[IxNVF^j910L=Y@o75sb|)’);

define(‘NONCE_KEY’, ‘TX(1xY/C|&:(|c/zl;$#3=n?g9p.Nh~h|jY0ktavx.JtWXQy]cB|#pJ!+DF!M@9J’);

define(‘AUTH_SALT’, ‘j!_FSZTf|,7cSb=V_NGew+h~|rMv:.t~A7PHNwWmB,El`-&[7{K06_p?KQ+57f,i’);

define(‘SECURE_AUTH_SALT’, ‘dZ0zAh`1(UyEBYATziEnA=Ia%FF&VI;S1sAO~/mw.9my{XruOxq_d?xh,btCW;u7′);

define(‘LOGGED_IN_SALT’, ‘wX h@-R>tUKN&B-xzx$~NLm75K*vd;R~g-cxF?mQjbiR6q~; 9<<fO61 g;+HW9[‘);

define(‘NONCE_SALT’, ‘tr|e$|[Efe<v:RaqqRC2W$xC?8(2M/+Q-)!Kr{Z<=P&0%UlJ(P{ZC&%Yq{5lTv6N’);

The benefits of doing this is that it encrypts your users’ cookies.

This will make your site harder to hack as access to your blog via scripts and malicious people will be made all that more difficult.

10. Change your WordPress Table Prefix

Perhaps you used an auto install script to install WordPress or perhaps you did it manually but left the table prefix of your data base tables as wp_. This makes it very easy for would be hackers to attempt MYSQL injections into your website. So, how can we combat this? Well instead of leaving wp_ as default, instead, use roboform again and generate a 27 character alpha numeric string and then add it to your wp table prefix.

For instance use something like this:

wp_coKuBHck4FHNrXiMsPJcND9WGzL_

Make sure you add an underscore to the end of the string otherwise sorting out your tables later will be confusing.

Doing this will make it that much harder as well as take that much longer for hackers to crack.

11. Use .htaccess files to Lockdown the WordPress Admin Area

Perhaps at this moment you’re asking yourself, what the heck is an .htaccess file? (Seriously, when I first started on the web six years ago I ask the same question) Well according to Wikipedia:

“An .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration.

The original purpose of .htaccess – reflected in its name – was to allow per-directory access control, by for example requiring a password to access the content. Nowadays however, the .htaccess files can override many other configuration settings including content type and character set, CGIhandlers, etc.

These files are placed inside the web tree, and are able to override a subset of the server’s global configuration for that directory, and all sub-directories.”

In laymans terms, this is a file that talks to your server and can be used to restrict access to certain files.

Now, one of the reasons why I love WordPress is because of the community involvement and support.

And Ed Alexander has developed an awesome WordPress plugin called Bullet Proof Security which automatically creates the .htaccess file and rules to protect your WordPress website.

While the plugin is available for free on the WordPress plugin repository, I highly recommend getting the pro version for $40 as you get lifetime updates and can use it on an unlimited amount of websites (and it helps out Ed, who also gives awesome support and is a great guy). I will tell you though that it takes a bit to figure out how to set it up which is why I included a lesson on it in my course on how to secure WordPress.

12. Restrict IP access to your website

This can be done by adding the following to your .htaccess file.

order deny,allow

#(replace with your IP address)

allow from 202.090.21.1

deny from all

Or you can simply use my Stealth Login Plus Plugin which will enable you to easily do this as well as trick would be hackers as to where the login url is for your site.  The plugin has been approved in the WordPress repository but frankly I’m having trouble figuring out how to set up an SVN (I’m not a total geek you know) so in the mean time you can download it from here. And watch the video below on how to configure it:

13. Move Your wp-config.php File Out of the Root Public HTML Folder of Your Server

This is a neat little trick that not a lot of people know about. But your wp-config file is hosted in your public access html folder on your server. That is that the general public can try to access it, but you can move it out of that folder and into the folder on your website and WordPress will still be able to read it and know that it is there.  However, you may loose functionality with some plugins so you have to weigh the costs of security over functionality.  Either talk to the Plugin Developer about modifying his code to work with this configuration, find a different plugin or leave your wp-config.php file where it is. (Bullet Proof Security properly configured will lock access to it anyways but it doesn’t hurt to move it as its another layer of security)  Check out the video below for detailed instructions on how to do this.

14. Hide Your wp-login.php URL

Now this is a little advanced and can be done by adding some .htaccess code to your .htaccess file but frankly you might as well simply use my Stealth Login Plus plugin.

Watch the Stealth Login video above to see how to configure it.

15. Use Cloudflare

Perhaps you may or may not have heard of Cloudflare.

Well they are an awesome company and branched off as a result of the Project Honey Pot Website Security Iniative (which is still going on I might add)

But the way that Cloudflare works is you host your site on their Content Delivery Network (CDN) by filtering your DNS settings through their servers and then anytime an attack is attempted on the network, Cloudflare blocks it and lets the rest of the network know about it. It’s kind of like neighborhood watch for the web on steroids. And because it is on a Content Delivery Network your site is that much faster as well.

That being said, I think that Cloudflare does a much better job of explaining what they do so head on over to their website to discover more.

16.  Use Internet Security Software for Your PC

Ok, so you’re probably wondering why I’m talking about using Software for your PC and not for WordPress.  (If you’re a mac user, you can skip this, contrary to popular belief Macs aren’t unhackable. It’s just there is not enough business market penetration by Apple to catch the attention of hackers and thieves, although that is changing). Besides the fact that you want to protect your PC you also want to stop keyloggers from getting into your computer and recording your keystrokes, such as your WordPress username and password (however if you use Roboform it automatically fills your username and password fields as well as presses the submit button) but  you still want to keep your PC secure.  Everyday some kid at home, or criminal in the mafia is thinking of ways to penetrate and hack your PC, to steal your identity or harness the power of your computer and for the small investment of what it takes to purchase an internet security suite it is more than worth it.  Don’t for one minute think that you can simply use AVG free and your computer is good to go, no my friend, you need to shell out some cash.  I won’t do an internet security suite review in this post but I personally use Comodo Internet Security Suite as they have a $500 virus guarantee and offer 24/7 remote tech support to boot. However, I also recommend Kaspersky (as maximum PC did a huge test on it and it passed with flying colors)

17. Install and Use Backup Buddy

Ok, so here is the thing. You need to back up your site and you need to do it often. The best way to do that is with Back Up Buddy.  Reason being is that if your site gets hacked, you will have a back up of it.  I know that I’ve mentioned previous things that you can do to protect your site but hey, anything can happen. (If the CIA website can be hacked, we need to think twice about the security of our WordPress websites) Now before you brand me as a complete liar (for implying that you can make WordPress impenetrable), if you implement the strategies that I have previously mentioned you will make it EXTREMELY DIFFICULT for someone to hack your site, and more than likely once they try a few things, they will move on. But there is always that small chance, and if it does happen, you’ll have a regular backup of your site using backup buddy.  Using Backup Buddy you can send the back ups to an Amazon S3 or a Drop Box Account (I would use both as it doesn’t hurt to have multiple instances of your site someone where). And not only that, but there are times when things go wrong such as a WordPress upgrade or the installation of a plugin that whacks out your site and it’s nice to know that you can go back and restore your site if you have to. While there are free backup solutions out there, none of them do what Backup Buddy does and it is well worth the investment.

So with that being said, once you’ve done all of this, how do you know if your WordPress site is secure? Well I’m glad you asked fellow WordPress fanatic as you can install the Ultimate WordPress Security Plugin and it will tell you what security holes are in your WordPress website and how to fix them. It will also score how secure your WordPress website is based on a points system, with 114 points being the highest (most of my WordPress sites get at least 100 points or higher, I don’t get a perfect score because I choose to ignore some of their recommendations)

And if you want to learn even more about WordPress security you can invest in my 4 hour Video Course “WordPress Security Lockdown” which includes 31 videos on how to secure WordPress (teaching you via some of what I have mentioned in this post as well as so much more) or you could also invest in the book WordPress 3.0 Ultimate Security by Olly Connelly from Pack Publishing. It’s a great book and I myself learned a lot (and had a lot confirmed) about what I have learned about WordPress security.  You can also follow me on twitter @mattsfraser

3 comments
Dennis OBrien
Dennis OBrien

Great article Matt and covers everything a person needs to know to protect their site.

Nathan "Spanky" Briggs
Nathan "Spanky" Briggs

Agree with everything except the advice to lock down the wp-admin directory - doing so cripples front-end AJAX for regular visitors (we've asked, but the core team refuse to even consider creating a dedicated front-end AJAX handler, so we're stuck with using wp-admin/admin-ajax.php for now).