Want to make WordPress secure? Then let’s harden it now. This is going to be a long article that I’ll add to as “best practice” changes with new releases. For starters, let’s be clear about what I’m trying to teach: what we are doing here is limiting the access available to people who are trying to compromise your WordPress installation. And they are out there, believe me.
So first off, the easy stuff….
- Keep WordPress and your plugins updated. You can lock down WP all you want, but one dodgy plugin can leave you wide open to the world.
- Keep your server up to date. Vulnerabilities in older versions of PHP and other server-side software let an attacker get in without touching the WordPress installation at all.
- Shared hosting. I personally don’t use it, as it can severely compromise security. Even if you do all the locking down possible, someone else on the same server may leave wide-open gaps. If you want reliable VPS hosting I recommend taking a look at Servint dedicated and VPS hosting.
- Use decent antivirus and antimalware on your own PC. Most server compromises start with stolen or guessed passwords, and if malware on your PC captures your FTP password then it’s ‘Game Over’. Use Kaspersky and MalwareBytes for a great solution.
- Choose strong passwords. Never underestimate how easily a computer cracks most passwords. Passwords such as “Password”, “abc123” and “Letmein” fall in minutes, and pets’ names, people’s names and car names are all easily guessable too. Make passwords long, and consider putting non-alphabet characters in there such as $ or !
WordPress file permissions
Now let’s move on to WordPress file permissions. These are most people’s nightmare, but it doesn’t have to be difficult. All files should be owned by your account and writable only by you. If you use SuPHP on your server (and I recommend you do), PHP runs as your own user rather than as the web server, so every directory can simply be 755. If you are not using SuPHP then follow these rules:
- /wp-content/plugins/ : the plugin files. All files should be writable only by your user account.
- /wp-includes/ : WordPress’s ‘logic’ files. All files should be writable only by your user account.
- /wp-content/themes/ : your theme files. If you want to use the built-in theme editor, the web server must be able to write them, so the files need to be group writable. If not, all files can be writable just by your user account.
- /wp-admin/ : the WordPress admin area. All files should be writable only by your user account.
- /wp-content/ : your content (uploads and so on), which the web server needs to write to. The usual advice is to make it writable by everyone (owner, group and public), but world-writable means any process or user on the server can write there. Where you can, give the directory the web server’s group and make it group writable instead.
For other directories under /wp-content/ you should read the relevant plugin or theme documentation. Err on the side of caution here though: lock down first and work backwards, releasing permissions only where required.
For novices looking for a quick guide, if you are not using SuPHP then do this:
Set all directories to 755 and all files to 644. If you are on a shared server, set your wp-config.php to 640 (not 750: the execute bit means nothing on a PHP file) so no other user will be able to read your database username and password. The web server still has to read it, so its user must be in the file’s group; with SuPHP, PHP runs as you and wp-config.php can be 600.
Since WordPress version 2.7 there has been a facility to update the WordPress installation automatically from the admin area. It is remarkably stable and well tested, so I recommend using it. The great thing is that after the update, all files are set to 644 and all directories to 755, writable only by the user. They are still readable by everyone else, including the web server.
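Here is the quick-guide procedure above as a script. It is an added example, not code from the original post: it applies the 755/644 baseline, locks wp-config.php to 640, audits for anything left world-writable, and, for non-SuPHP setups, gives a chosen directory to the web server’s group instead of opening it to everyone. The function names and the script filename are my own.

```shell
#!/bin/sh
# Added example (not from the original post): apply the 755/644 baseline
# described above to a WordPress tree, lock down wp-config.php, and audit
# for anything left world-writable. Function and variable names are my own.

# harden_wp_perms WP_ROOT
# Directories 755, files 644, wp-config.php 640 (owner read/write, group
# read, nothing for "other"; the execute bit is meaningless on a PHP file).
# The web server must still be able to read wp-config.php: with SuPHP it runs
# as you, otherwise its user must be in the file's group.
harden_wp_perms() {
  wp_root="$1"
  if [ ! -f "$wp_root/wp-config.php" ]; then
    echo "harden_wp_perms: $wp_root does not look like a WordPress root" >&2
    return 1
  fi
  find "$wp_root" -type d -exec chmod 755 {} +
  find "$wp_root" -type f -exec chmod 644 {} +
  chmod 640 "$wp_root/wp-config.php"
}

# grant_webserver_write DIR GROUP
# Non-SuPHP setups: instead of making wp-content world-writable, hand the
# directory to the web server's group and allow group writes only.
grant_webserver_write() {
  chgrp -R "$2" "$1" && chmod -R g+w "$1"
}

# audit_world_writable WP_ROOT: print every path writable by "other".
# Empty output after harden_wp_perms is the result you want.
audit_world_writable() {
  find "$1" -perm -o=w
}

# has_mode PATH OCTAL: succeed if PATH has exactly that permission mode.
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2")" ]
}

# Usage: sh harden-wp.sh /path/to/wordpress
if [ "$#" -eq 1 ]; then
  harden_wp_perms "$1" && audit_world_writable "$1"
fi
```

Run it as the account that owns the files. If your host does not use SuPHP and uploads stop working afterwards, use grant_webserver_write on /wp-content/uploads with the web server’s group (often www-data or apache) rather than reaching for 777.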
This now leads us on to ‘security by obscurity’. In other words, changing the defaults so that attackers spend more time at the first hurdle. Here are my top tips for quick and easy fixes.
- Stop showing the WP version you are currently running. Why? Well, if you are running an older WordPress version with a known vulnerability then you effectively display this to the world. There are numerous plugins to do this for you, but you can simply add
<?php remove_action('wp_head', 'wp_generator'); ?> to your theme’s functions.php file. Note that this only removes the generator meta tag from the page head: the version still leaks through readme.html in the web root and the ?ver= query strings WordPress appends to its scripts and stylesheets, so there are other ways of finding it out, but this hides the obvious one.
- Rename the admin account. I do this on a new install from within Fantastico, but you can also create a new administrator account from WordPress’s back end, log in as it and delete the default admin account. You will be prompted to pass ownership of the deleted user’s posts to the new admin, which is recommended.
- Change the WordPress database table prefix. A lot of the WordPress-specific SQL injection attacks assume that the database table prefix is “wp_”, so changing it blocks many (but not all) of them: an injection that can query information_schema will find the real prefix anyway. Set it in wp-config.php before you install; changing it on a live site also means renaming every table and the wp_user_roles option and wp_capabilities user meta keys that carry the prefix.
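Two of the tips above can be checked from the command line. This is an added example, not code from the original post: the first function scans a saved copy of your front page for the generator tag and the ?ver= strings that remove_action leaves behind, and the second checks whether wp-config.php still uses the default wp_ prefix. The sample page and config in the usage section are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): two offline checks for the
# "security by obscurity" items above. The sample page and config used in
# the usage section are constructed; function names are my own.

# wp_version_leaks FILE
# Print each place a saved HTML page reveals the WordPress version: the
# generator meta tag, and ?ver= query strings on enqueued scripts and styles
# (removing wp_generator from wp_head hides the first, not the second).
wp_version_leaks() {
  grep -E -o '<meta name="generator" content="[^"]*"' "$1" || true
  grep -E -o '[A-Za-z0-9_./-]+\.(js|css)\?ver=[0-9.]+' "$1" || true
}

# count_version_leaks FILE: number of leaks found, as a plain integer.
count_version_leaks() {
  wp_version_leaks "$1" | wc -l | tr -d ' '
}

# uses_default_prefix WP_CONFIG
# Succeed if wp-config.php still sets $table_prefix to the default 'wp_'.
# Whitespace is stripped first so "$table_prefix='wp_';" and
# "$table_prefix = 'wp_';" are treated alike.
uses_default_prefix() {
  sed 's/[[:space:]]//g' "$1" | grep -F -q -e "\$table_prefix='wp_';" -e '$table_prefix="wp_";'
}

# Usage: sh obscurity-check.sh saved-page.html /path/to/wp-config.php
# Save the page first with something like: curl -s https://example.com/ > saved-page.html
if [ "$#" -eq 2 ]; then
  echo "version leaks in $1:"
  wp_version_leaks "$1"
  if uses_default_prefix "$2"; then
    echo "$2 still uses the default wp_ table prefix"
  fi
fi
```

If the first check still reports ?ver= strings after you have removed wp_generator, that is the leak a scanner will use; removing the version from those query strings needs a filter on script and style URLs, which is beyond the one-liner above.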
Finally, three words whose importance I can’t stress enough: Backup, Backup and Backup. Don’t hesitate to make this a priority. For a complete backup AND a brilliant way to clone your entire site, check out the excellent WP-Twin WordPress Clone Software. This not only creates a FULL backup of WordPress’s database, it backs up all the other files and folders for you too. It will also let you move your installation across servers, something most backup software won’t do. Most blogs can be completely cloned and backed up in a few minutes without any technical knowledge.
Good luck and hope this helps you to make WordPress secure.