How To improve basic security on a fresh WordPress install
I find that the two best things to do are to rename the admin user, as you mentioned of course, and remove any “powered by”, be it WordPress or theme name. Most script kiddies just google “powered by wordpress” and then brute force the admin user or try some kind of injection. Usually those two things take care of 80% of all shenanigans.
Right on Goon. Those are the first two things I do as well out of about 10. I have a checklist for every new WordPress site I create.
One question about changing table prefix.
Can this be done with a WP site that’s already installed and running?
And if so, what’s the consequence of changing the table prefix?
Thanks for the article.
You can rename the prefixes on your tables.
Don’t forget to change the use of the prefix in the usermeta records for the capabilities meta_key entries. There are a few other places too. I think the prefix is also used in the postmeta table for attachments and in a couple of places in the options table field called ‘option_name’.
Easiest way to replace in fields supposedly is:
http://wordpress.org/extend/pl.....d-replace/
but I’ve never used it.
But that doesn’t necessarily correct the string length in serialised data so try to keep the new prefix the same length (3 chars).
Hope this helps.
You can also use the Secure WordPress plugin mentioned above to rename the tables. It’s very easy, but BACKUP BACKUP BACKUP before you try it.
@Mike
Thanks for the info on Search and Replace plugin.
I bookmarked that, might come in handy.
@Klint
Thanks for pointing out the ability of Secure WordPress Plugin.
Thanks for the great post.
Security is the most important thing that people overlook when managing websites; most of the time they wait until it’s too late. (I’m one of them actually – but I do have a backup that’s ready to be re-installed at any time.)
Password security should go without saying, but people still need to be reminded. Just look at clickbank. You have to use uppercase, lowercase, numbers, and symbols. My password is the longest most confusing thing ever haha…
Use the WordPress antivirus plugin for more advanced wp security http://wordpress.org/extend/plugins/antivirus/
@Sergej What exactly does your AntiVirus plugin do? Yes, I’ve read all the info at its Codex URL and the one on your site.
The plugin scans, manually and/or automatically, the database, theme templates and permalink structure for suspicious (PHP) code.
Good tips, I’ve been using that plugin myself, it’s pretty convenient. I also like the “User Locker” plugin which locks down the admin account after a specified number of failed login attempts.
Backups are probably the single most important step, and seem the most often overlooked. A good backup system can save your site from anything.
Did not know about the open source tripwire. Looks like a fun new toy
Security of your WordPress should be the top priority because hackers are always roaming around looking for someone to victimize. Without security, your posts and everything in your blog are exposed, thus when attacked they will be useless.
Specifying some .htaccess hacks would also be good. And using Akismet is a great way to reduce comment spam. And WordPress Security Scan is a beautiful plugin to check out the file permissions.
This is a totally helpful site. I’m pretty new at WP and the official help and tutorial section of WP presupposes too much pre-existing knowledge (that I don’t have YET). I really appreciate the tip by “Goon” above about removing “Powered by WordPress”.
Also applaud Sergej Müller for pointing me to the A/V plug-in. Thanks mate!
Thanks for this article. I have been planning to start securing my WordPress blog and this article surely will help a lot. I hope the advanced part will be coming soon.
I have never heard about the “Secure WordPress” plugin. I think I will try it to secure my website. Thanks for the good article.
Exploit Scanner (http://wordpress.org/extend/pl.....t-scanner/) has also come in handy for me.
Very good article, but bad advice on Tripwire. It is not being updated anymore… A better open source HIDS would be OSSEC ( http://www.ossec.net ) or samhain.
Thanks for the tip, I’ll check those out.
I just updated the post with a link to WordPress File Monitor – a plugin just for monitoring WP files. http://wordpress.org/extend/pl.....e-monitor/
Sweet thanks!
Thanks, Sergej, for the recommendation. I hadn’t seen AntiVirus for WordPress before. I’m giving it a try.
Some of the other plugins mentioned will be in my upcoming tutorial that will focus on existing WordPress sites instead of fresh installs.
Thanks for all the comments everyone!
Question on the installation screenshots: I’ve never seen those forms before. Where are they?
How I install WordPress: I create a MySQL database, fill out missing info in wp-config.php, FTP it to site, then go to http://www.site.com/wp-admin/install.php
Good question! If you fill out the wp-config file, you won’t see those fields. Those fields are an automated way of filling out the wp-config file. I forget when they were introduced… version 2.5ish?
I think it was version 2.5.3.
I have the same question..
Oh, and here are some other good links:
http://wordpress.org/developme.....rmissions/
http://www.pearsonified.com/20.....a-hack.php
The first one emphasizes the importance of being on a secure host, which I didn’t go into in this article. I definitely recommend checking around before you sign-up with a host.
There was a comment above re .htaccess hacks. I had 2 vBulletin forums hacked and have since protected the admincp via .htaccess stuff (that I do not really understand as it’s a bit beyond me) to protect me in the future – I was good at following the instructions. Is it possible to do something like this in WordPress? I did a google search but found nothing that looked like what I followed for the vBulletin set up.
There are some hardening techniques using .htaccess in WordPress (here’s an example: http://blogsecurity.net/wordpress/article-210607).
You could also use the AskApache plugin.
Very confusing. I just had to search for what a htaccess file even is, but now I get it.
“password” is _NO_ password + .htaccess deny from evil countries/providers + .htaccess password + latest WordPress with a renamed admin account and no open registration = I feel pretty safe right now
Great post. Made it simple to understand for us non-computer literate types. I have been neglecting backing up my blogs but I checked out your back up suggestion and this should make it simple. I will be sure to back up more often
Mommy D
Mommy D I’m with you! Backing up is such a pain, but this post makes it much more feasible.
Keeping a WordPress plugin up to date is good, but sometimes the compatibility with the WordPress version makes me wait a bit longer before updating the plugin.
A good way to stop hackers is to use the security keys in your WP config.php file. Basically, you add a really long, complicated, random string of characters in the appropriate place in your config.php file. See codex.wordpress.org/Editing_wp-config.php section 1.6 for the basic instructions on how to do this. You can get to the config.php file from your hosting account control panel file manager.