WordPress developers take security very seriously, and many security experts evaluate WordPress’s code for flaws. Security updates are made frequently to keep users safe. However, there are some extra steps you can take to make a fresh installation of WordPress more secure and protect against future attacks. Remember, no system can ever be completely secure, but taking preventative measures can be helpful. Much of this guide is based on the advice from the WordPress Codex article on hardening WordPress, but it is aimed at the WordPress beginner. In future articles, I’ll cover advanced security measures, hardening existing WordPress installs, and recovering hacked WordPress sites.
This guide should be relevant for both WordPress 2.92 (the most recent stable release as of this writing) and WordPress 3.0.
Overview:
- Preliminary steps for securing your WordPress install
- Changing defaults in WordPress to implement “security by obscurity”
- Choosing strong passwords
- Installing and configuring the Secure WordPress plugin
- Keeping WordPress updated and backed up
- And we’ll take a first look at some advanced security measures
Preliminary steps:
1. Secure your computer
As the WordPress codex says: “None of the following makes the slightest difference if there is a keylogger on your PC.” Make sure you are running anti-virus and anti-spyware software, and make sure said software is up to date. If you’re on Windows and don’t have any antivirus installed, I recommend AVG Free and Windows Defender.
2. Make sure you’re installing the latest stable version from WordPress.org.
3. If you already have another installation of WordPress or other database software on your server, and your host allows it, create a completely new database and a brand new database user that only has access to the new database. This insulates your other sites in case someone compromises this installation of WordPress.
Installation:
We’ll follow the basic steps of the famed 10-minute install, but we’ll make a few changes to the default settings along the way.
1. First we’ll change the default table prefix (you won’t be able to change this if you’re installing using Fantastico):
If you’re installing manually you’ll see a screen that looks like this:
Change the “Table Prefix” field to something else. Be sure to leave the underscore (_). You should have something that looks like this:
2. Next we’ll change the administrator’s username. The default is “admin.” Change this to something secret. You’ll have the option later to set a “nickname” – that’s what your readers will see.
Be sure to use a strong password. Notice that WordPress shows you whether your password is weak or strong as you type it.
Some tips for creating a strong password:
You shouldn’t use any part of your name, username, or the site name in the password.
It should be at least 8 characters long.
It should include numbers and symbols in addition to letters.
Your child’s first name and date of birth may be easy to remember, but they are also easy for anyone who knows anything about you to guess.
Here’s a strong password generator to help you out.
If you’re using Fantastico you’ll change the administrator username when you set up the new installation. Fantastico doesn’t help you create strong passwords, so you’ll be on your own. Follow the advice above and you should be OK.
3. Finish installing WordPress and log in.
4. Next we’ll want to stop WordPress from displaying its version number anywhere on the site. I use the plugin Secure WordPress. It also provides some other security features we’ll look at in a moment.
On the dashboard, mouse over Plugins and click the arrow.
Click Add New.
In the search field, type “Secure WordPress” and click “Search Plugins.”
Find Secure WordPress. To make sure you have the right plugin, verify that it is the one by Frank Bültge.
Click “Install Now” and then click “OK.” On the next screen click “Activate Plugin.”
5. On the next screen, click “Settings” under “Secure WordPress”
You can leave all these settings alone, but if you’re not planning on using Windows Live Writer you should check “Remove Windows Live Writer link in wp_head of the frontend” and then click “Save Changes.”
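To see what the plugin is doing for you, here is an added example (not the article’s code and not the Secure WordPress plugin’s) that closes the same version leaks with core WordPress hooks from a theme’s functions.php; the functions prefixed example_ are this example’s own names, while every hook and helper used is core WordPress.

```php
<?php
// Added example, not the article's code and not the Secure WordPress plugin's: the
// same version leaks the plugin closes, done with core WordPress hooks from the
// active theme's functions.php (or a one-file plugin). Functions prefixed
// example_ are this example's own names; every hook and helper is core WordPress.

// 1. The <meta name="generator" content="WordPress x.y.z"> tag in every page head.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same version string inside RSS and Atom feeds (<generator>...</generator>).
function example_blank_generator( $gen, $type ) {
    return '';
}
add_filter( 'the_generator', 'example_blank_generator', 10, 2 );

// 3. "?ver=x.y.z" on core stylesheet and script URLs, which gives the version away
//    even with the meta tag gone. Only the core version is stripped; a plugin's own
//    ver= value stays so its cache-busting keeps working.
function example_strip_core_ver( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_ver' );
add_filter( 'script_loader_src', 'example_strip_core_ver' );

// 4. The Windows Live Writer manifest link that the plugin's checkbox removes.
remove_action( 'wp_head', 'wlwmanifest_link' );
```

After saving, view the page source of your home page and your feed: the generator tag, the `<generator>` element and the `?ver=` suffix on core assets should all be gone.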
Congratulations! You’re now ahead of the curve in terms of WordPress security.
Keep WordPress up-to-date, keep plugins up-to-date
The most important thing you can do now is keep WordPress up-to-date. When new versions of WordPress are available you’ll see a notice on the dashboard when you log in:
Click the “Please update now” link to see your update choices. The easiest way is to just click “Upgrade Automatically.” If for whatever reason you can’t upgrade automatically, you can download the newest version and follow the included upgrade instructions.
You’ll also want to keep your plugins updated. You should frequently click on the Plugins link on the dashboard and check for notifications that look like this:
Again, upgrading automatically is the easiest method. If you can’t upgrade automatically, follow each plugin’s upgrade instructions.
Backup often
Finally, you’ll want to back up your WordPress database frequently in case anything should ever happen to your WordPress install. WordPress Database Backup makes this a snap. We’ll cover database backups in a future article.
Advanced security
If you want to get your hands dirty with advanced security measures, you can lock down your wp-admin folder. We’ll look into the specifics of doing this in the future, but if you want to get started now, check out the AskApache Password Protect plugin.
And for bonus paranoid points, you can use Open Source Tripwire to monitor your WordPress files for unexpected changes. In the comments, David pointed out that Open Source Tripwire is no longer maintained, and suggested some alternatives. But here’s a plugin specifically designed for monitoring your WordPress files. Works right out of the box!
I find that the two best things to do are to rename the admin user, of course, as you mentioned, and remove any “powered by”, be it WordPress or the theme name. Most script kiddies just Google “powered by wordpress” and then brute force the admin user or try some kind of injection. Usually those two things take care of 80% of all shenanigans.
Right on Goon. Those are the first two things I do as well out of about 10. I have a checklist for every new WordPress site I create.
One question about changing table prefix.
Can this be done with a WP site that’s already installed and running?
And if so, what’s the consequence of changing the table prefix?
Thanks for the article.
You can rename the prefixes on your tables.
Don’t forget to change the use of the prefix in the usermeta records for the capabilities meta_key entries. There are a few other places too. I think the prefix is also used in the postmeta table as well for attachments, and in a couple of places in the options table field called ‘option_name’.
The easiest way to replace it in fields is supposedly:
http://wordpress.org/extend/pl.....d-replace/
but I’ve never used it.
But that doesn’t necessarily correct the string length in serialised data so try to keep the new prefix the same length (3 chars).
Hope this helps.
You can also use the Secure WordPress plugin mentioned above to rename the tables. It’s very easy, but BACKUP BACKUP BACKUP before you try it.
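For the table-prefix step in the article and the question above about doing it on a site that is already running, here is an added example (not the article’s code and not the Secure WordPress plugin’s) that builds the SQL to review before running it; the list of core tables and the sample prefix ‘k8z_’ are this example’s own assumptions, and the run order (full backup, run the SQL, then change $table_prefix in wp-config.php) is part of the example.

```php
<?php
// Added example, not the article's code and not the Secure WordPress plugin's:
// builds the SQL needed to move an existing single-site WordPress 2.9/3.0 install
// from the default 'wp_' table prefix to a new one. Read the output first, then
// run it against a backed-up database in phpMyAdmin or the mysql client, and
// afterwards set $table_prefix in wp-config.php to the new value. The prefix
// 'k8z_' used below is a constructed sample.

// The eleven core tables of a single-site WordPress 2.9/3.0 install.
$wp_core_tables = array(
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
);

function build_prefix_rename_sql( $old, $new, array $tables ) {
    // Prefixes are interpolated into SQL, so accept only letters, digits and
    // underscore; anything else is refused rather than quoted.
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $old ) || ! preg_match( '/^[A-Za-z0-9_]+$/', $new ) ) {
        throw new InvalidArgumentException( 'Prefix must match [A-Za-z0-9_]+' );
    }
    $sql = array();

    // 1. Rename all tables in one statement so the step is atomic.
    $pairs = array();
    foreach ( $tables as $table ) {
        $pairs[] = sprintf( '`%s%s` TO `%s%s`', $old, $table, $new, $table );
    }
    $sql[] = 'RENAME TABLE ' . implode( ', ', $pairs ) . ';';

    // 2. Rows whose key embeds the prefix: per-user capabilities and user level
    //    in usermeta (wp_capabilities, wp_user_level) and the role definitions in
    //    options (wp_user_roles). Only the leading prefix is swapped, so a key that
    //    merely contains 'wp_' elsewhere is left alone, and the key's value
    //    (serialised or not) is never touched.
    $like  = str_replace( '_', '\\_', $old ) . '%'; // '_' is a LIKE wildcard; escape it
    $start = strlen( $old ) + 1;                     // SUBSTRING is 1-based
    $sql[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s';",
        $new, $new, $start, $like
    );
    $sql[] = sprintf(
        "UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s';",
        $new, $new, $start, $like
    );
    return $sql;
}

echo implode( "\n", build_prefix_rename_sql( 'wp_', 'k8z_', $wp_core_tables ) ), "\n";
```

Plugins that create their own tables under the old prefix are not covered by the core list above; check SHOW TABLES for anything still starting with the old prefix before changing wp-config.php.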
@Mike
Thanks for the info on Search and Replace plugin.
I bookmarked that, might come in handy.
@Klint
Thanks for pointing out the ability of Secure WordPress Plugin.
Thanks for the great post.
Security is the most important thing that people overlook when managing websites; most of the time, they wait until it’s too late. (I’m one of them actually – but I do have a backup that’s ready to be re-installed at any time.)
Password security should go without saying, but people still need to be reminded. Just look at clickbank. You have to use uppercase, lowercase, numbers, and symbols. My password is the longest most confusing thing ever haha…
Use the WordPress AntiVirus plugin for more advanced WP security: http://wordpress.org/extend/plugins/antivirus/
@Sergej What exactly does your AntiVirus plugin do? Yes, I’ve read all the info at its Codex URL and the one on your site.
The plugin scans the database, theme templates and permalink structure, manually and/or automatically, for suspicious (PHP) code.
Good tips, I’ve been using that plugin myself, it’s pretty convenient. I also like the “User Locker” plugin which locks down the admin account after a specified number of failed login attempts.
Backups are probably the single most important step, and seem the most often overlooked. A good backup system can save your site from anything.
Did not know about the open source tripwire. Looks like a fun new toy 🙂
Security of your WordPress should be the top priority because hackers are always roaming around looking for someone to victimize. Without security, your posts and everything in your blog are exposed, and when attacked they will be useless.
Specifying some .htaccess hacks would also be good. And using Akismet is a great way to reduce comment spam. And WordPress Security Scan is a beautiful plugin to check the file permissions.
This is a totally helpful site. I’m pretty new at WP, and the official help and tutorial section of WP presupposes too much pre-existing knowledge (that I don’t have YET). I really appreciate the tip by “Goon” above about removing “Powered by WordPress.”
I also applaud Sergej Müller for pointing me to the A/V plug-in. Thanks mate!
Thanks for this article. I have been planning to start securing my WordPress blog, and this article surely will help a lot. I hope the advanced part will be coming soon.
I have never heard about the “Secure WordPress” plugin. I think I will try it to secure my website. Thanks for the good article.
Exploit Scanner (http://wordpress.org/extend/pl.....t-scanner/) has also come in handy for me.
Very good article, but bad advice on Tripwire. It is not being updated anymore… A better open source HIDS would be OSSEC ( http://www.ossec.net ) or samhain.
Thanks for the tip, I’ll check those out.
I just updated the post with a link to WordPress File Monitor – a plugin just for monitoring WP files. http://wordpress.org/extend/pl.....e-monitor/
Sweet thanks!
Thanks, Sergej, for the recommendation. I hadn’t seen AntiVirus for WordPress before. I’m giving it a try.
Some of the other plugins mentioned will be in my upcoming tutorial that will focus on existing WordPress sites instead of fresh installs.
Thanks for all the comments everyone!
Question on the installation screenshots: I’ve never seen those forms before. Where are they?
How I install WordPress: I create a MySQL database, fill out the missing info in wp-config.php, FTP it to the site, then go to http://www.site.com/wp-admin/install.php
Good question! If you fill out the wp-config file, you won’t see those fields. Those fields are an automated way of filling out the wp-config file. I forget when they were introduced… version 2.5ish?
I think it was version 2.5.3.
I have the same question..
Oh, and here are some other good links:
http://wordpress.org/developme.....rmissions/
http://www.pearsonified.com/20.....a-hack.php
The first one emphasizes the importance of being on a secure host, which I didn’t go into in this article. I definitely recommend checking around before you sign up with a host.
There was a comment above re .htaccess hacks. I had 2 vBulletin forums hacked and since then have protected the admincp via .htaccess stuff (that I do not really understand, as it’s a bit beyond me) to protect me in the future – I was good at following the instructions. Is it possible to do something like this in WordPress? I did a Google search but found nothing that looked like what I followed for the vBulletin setup.
There are some hardening techniques using .htaccess in WordPress (here’s an example: http://blogsecurity.net/wordpress/article-210607).
You could also use the AskApache plugin.
Very confusing. I just had to search for what a htaccess file even is, but now I get it.
“password” is _NO_ password + .htaccess deny from .evil_countrys/provider + .htaccess password + latest wordpress with a renamed admin account and no open reg = I feel pretty safe right now 🙂
Great post. Made it simple to understand for us non-computer literate types. I have been neglecting backing up my blogs but I checked out your back up suggestion and this should make it simple. I will be sure to back up more often 😉
Mommy D
Mommy D I’m with you! Backing up is such a pain, but this post makes it much more feasible.
Keeping a WordPress plugin up to date is good, but sometimes the compatibility with the WordPress version makes me wait a bit longer before updating the plugin.
A good way to stop hackers is to use the security keys in your wp-config.php file. Basically, you add a really long, complicated, random string of characters in the appropriate place in your wp-config.php file. See codex.wordpress.org/Editing_wp-config.php section 1.6 for the basic instructions on how to do this. You can get to the wp-config.php file from your hosting account control panel file manager.