Matt Cutts has published an article which highlights three different ways to secure your WordPress installation. The first tip involves locking down your admin directory: Matt configures his .htaccess file so that only his IP address is allowed to access the wp-admin directory. For the second tip, you should create a blank index.html file and place it in your wp-content/plugins directory. Not doing so leaves your plugin folder wide open, giving nosy people an idea of which plugins you have installed.
Matt’s third and final tip involves subscribing to the official WordPress development blog – http://wordpress.org/development/feed/ – which, as we should all know by now, is the best way to stay up to date.
Matt also offers a bonus tip where he suggests removing the line of code within your header.php file that publishes your WordPress version.
All of these are excellent tips. But what do you do to secure your WordPress installation?
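The first two tips translate directly into Apache configuration. The following is an added example written for this post, not Matt's own .htaccess: it disables directory listings site-wide (which makes the blank index.html unnecessary) and restricts wp-admin and wp-login.php to one address. The addresses are placeholders from the RFC 5737 documentation range, and the admin-ajax.php exemption assumes your theme or plugins call that file from public pages.

```apache
# ---- File: .htaccess in the WordPress root (added example, not from the post) ----
# Turn off automatic directory listings for this directory and everything below it,
# so /wp-content/plugins/ no longer reveals which plugins are installed.
Options -Indexes

# wp-login.php lives outside wp-admin, so it needs the same address restriction.
# 203.0.113.10 is a placeholder from the RFC 5737 documentation range; use your real address.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>

# ---- File: wp-admin/.htaccess ----
# Only the administrator's address may reach the admin interface.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# Assumption: your theme or plugins call wp-admin/admin-ajax.php from public pages.
# If so, exempt that one file, otherwise the public site breaks for everyone else.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Before relying on the address restriction, check whether your connection has a static IP: if it changes, you lock yourself out of your own admin interface and have to edit the file over FTP or SSH to get back in. A quick test after deploying is to request /wp-admin/ from a second connection (a phone on mobile data, for instance) and confirm it returns 403.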
Well, first of all I use a secure password on my user. The second thing is allowing access to wp-login only from my IP address. And the third thing is keeping up to date with WordPress releases.
To sum it up, about all that Matt Cutts said.
I almost forgot. I keep weekly backups of my blog and every two weeks I backup my ftp files, just in case.
PS: I’ve been reading this blog using RSS for a long time now. Keep up the good work.
Besides the above tips, it’s always a good idea on a production server to disallow directory listings.
This can be done in the .htaccess file (for Apache) and when done correctly, you won’t need to put a blank index file in your wp-content/plugins directory to prevent someone from seeing what plugins are there.
I am fond of hiding wp-config information just in case someone can get into it.
Those are good ideas. I think WordPress should put a blank index.html file in wp-content/plugins by default. It has a blank index file in wp-content; why not wp-content/plugins?
The bonus tip (removing the WordPress version meta tag) is not needed unless you don’t upgrade, but then you have bigger security issues than what version you use.
The best tip is to upgrade to the newest stable version within 24 hours of when it’s released. If you don’t, it doesn’t really matter what else you do…
How about changing the first username (ID=1) from admin to something else via phpmyadmin?
“But what do you do to secure your WordPress installation?”
I automatically sync my WordPress sites to the latest copy of SVN of trunk each night. I use the development copy of WordPress but it would be just as easy to use the latest stable branch of 2.3.*.
I agree with removing the WP version in the header. But I don’t understand the .htaccess part and why it allows only him to access the WP-Admin directory.
Yeah, it is possible to use a .htaccess file and only allow your own IP to the admin directory. But you really limit yourself in that case. All of a sudden the only place you can do anything with your WordPress site is when you are at home. It is far from a perfect solution.
I’d say that the most important action you can take is to backup your blog automatically. No matter what goes wrong you can correct it in a matter of minutes.
Second: Keep up to date. I don’t know how many out of date WordPress installs I’ve seen. Many of them would be possible to take over in a matter of minutes.
Since people who use remote-server hosting (which is the primary way folks put up their own domain) generally do not have a dedicated IP, I have been considering ways some of the values IP-locking might be approximated or simulated for remote-host users. Since this arrangement is so prevalent, I have done some searching to see if others have already addressed it, but haven’t found much.
@GaMerZ #6 – Seconded.
With respect to foiling /wp-content/plugins/ access: my inexpert sense would be, many plugins would be unsuitable for malicious activity, and an exploiter would have an idea which specific plugin(s) were susceptible to abuse. Can, indeed, access be effected by *presuming* that a certain plugin title is present in the directory? Assuming this is the case, what might we do to ‘harden’ specific plugin subdirectories (which we suspect may be the vulnerable/attractive titles)?
Thank you – security is a topic that definitely concerns me.
With this line in your .htaccess file, you don’t have to put an index.html in every directory :
Options -Indexes
Matt’s post was a nice roundup. It is funny that I did a post on WordPress security a week before. Strong passwords are essential, but take a look at the Login LockDown plugin. It locks people out after so many failed login attempts. This will help stop brute force attempts on the admin login. Read more about hardening WordPress from the source at http://codex.wordpress.org/Hardening_WordPress
Just a word of warning: find out whether you have a dynamic IP before changing .htaccess to keep all others out.
It is pretty widespread in Europe to have your IP change every 24 hours, so you might accidentally lock yourself out.
Excellent tips everybody. Thanks to all for contributing to the article at hand. I’ll be implementing most of these security tips on my own blog here in the future.
RE: Blocking wp-admin to a single IP vs. dynamic IPs…
My cable modem tends to be pretty static and hasn’t given me a new IP since I pretty much signed up, despite several power outages. I also allow the gateway IP at work to get through, just in case. But for remote “roaming” access, I also check for a very lengthy, highly randomly generated cookie. The script that sets this cookie will only allow machines in a select list of IPs to access it, so access to setting this cookie is very limited. It kind of works like a poor man’s two-factor authentication. If I suspect that the cookie has been stolen and compromised, I can always SSH into the machine, change the random token (after checking everything else, of course) and reset the cookie.
Thus, I can either get in without the cookie by accessing it from set IPs, or I can “brand” a laptop with the cookie and access it from anywhere. All of this occurs at the server level (via Apache mod_rewrite rules) before it even reaches WordPress; attackers never get to WordPress. It’s not perfect, but it’s stronger than the defaults.
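The IP-or-cookie gate the commenter describes can be expressed as mod_rewrite rules in the root .htaccess. What follows is an added reconstruction, not the commenter's actual configuration: the cookie name (wpadm_brand), the name of the cookie-setting script (setbrand.php), the token placeholder and the two trusted addresses (RFC 5737 documentation range) are all assumptions.

```apache
# Added example: root .htaccess approximating the IP-or-cookie gate described above.
# Not the commenter's own rules; cookie name, script name, token and addresses are assumptions.
RewriteEngine On

# Protect the admin interface and the login script only ...
RewriteCond %{REQUEST_URI} ^/(wp-admin/|wp-login\.php) [NC]
# ... except admin-ajax.php, which public pages may call.
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$ [NC]
# Let trusted addresses through (home connection and the office gateway).
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.25$
# Let a "branded" browser through: cookie wpadm_brand must carry the current token exactly.
# Replace the placeholder with a long random value; rotating it invalidates every branded machine.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wpadm_brand=REPLACE_WITH_LONG_RANDOM_TOKEN(;|$)
# A request that matched none of the exits above is refused before WordPress ever runs.
RewriteRule .* - [F,L]

# Assumed name of the script that issues the cookie. It must only be reachable from the
# trusted addresses, otherwise anyone could brand their own browser.
<Files setbrand.php>
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10 198.51.100.25
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10 198.51.100.25
    </IfModule>
</Files>
```

Each RewriteCond is a negated test, so the rule fires only when the request is for the admin area and comes from neither trusted address and carries no valid cookie. The token is a bearer credential: the script should set the cookie with the Secure and HttpOnly flags, and the admin area should be served over HTTPS, otherwise the token travels in the clear on every request and the scheme is no better than the password it supplements.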
Removing the version information from your header.php is security by obscurity.
There are a lot of other ways of determining the precise WordPress version you’re running (Available XML-RPC functions, certain HTML structures, …).
If you look at the exploits for older WordPress security vulnerabilities that are out there, that’s exactly what they do.
So the best thing to do is always keep your blog at the latest version and upgrade as soon as possible when a new release is made. Or, for the more technically savvy, implement the security patches manually as soon as they become available in the WordPress code repository.
Bull dogs. And motion activated machine guns. Sadly, with the two security measures in place I start to run short on bull dogs … no idea why. They always like to run around the guns .. hmmm …
.htaccess is always good. Maybe just flat out renaming your admin folder would work, though you’d probably have to go around and do a few fixes in the core. All my directories are locked down so people can’t snoop around.
But I’ll stick with bull dogs.
1. As others have mentioned, disable directory listing. This has many benefits, but ultimately is security-by-obscurity.
2. If possible, set up the administrative interface such that it can only be accessed over a secure (SSL/TLS) connection. For example, people could read your blog at http://blog.example.com/, but you would need to access https://blog.example.com/wp-admin/ to administer it, post, etc. This way, your password is never sent in the clear. This may require coordination with your host.
3. If this is not possible, look into SSH proxying to your host. Many web hosts offer both FTP and SSH access to users, and in most cases you can use SSH to “proxy” your admin connections, so as to keep your admin name/password secure. This is not trivial, but it isn’t terribly difficult to use PuTTY (for establishing the SSH connection on Windows) and QuickProxy (a plugin for Firefox enabling you to quickly switch between direct connections and the SSH-secured proxy connection) to make it work.
4. Keep your WordPress installation up to date. Yes, I know that some updates change some aspects of WP that we like, but keeping your WP installation secure is important.
5. Use a different password for your WordPress account than you do for your email or other services. Make it hard to guess.
6. Make sure you have a random SECRET_KEY in your wp-config file. WordPress provides a service to generate a random SECRET_KEY. This ensures that cookies and other stuff are randomized differently from other WP blogs, making it much more difficult for bad guys to attempt to break in.
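Item 2 above (admin only over SSL/TLS) can be enforced at the web server so that a plain http:// request for the admin area or the login page is sent to https:// before WordPress sees it. This is an added example for this comment, not the commenter's configuration; it assumes the host already serves https://blog.example.com/ with a valid certificate and that the rules live in the root .htaccess.

```apache
# Added example: root .htaccess forcing the admin interface and login script onto HTTPS.
# Assumes HTTPS is already terminated by this Apache instance (not by a proxy in front of it).
RewriteEngine On

# Not already on TLS ...
RewriteCond %{HTTPS} !=on
# ... and asking for the admin area or the login script.
RewriteCond %{REQUEST_URI} ^/(wp-admin/|wp-login\.php) [NC]
# Send the client to the same path over https://. The path and query string are preserved.
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Two caveats. A redirect cannot recover a password that was already posted over plain http, so the login form itself must link to the https:// address; WordPress can do this on its side with the FORCE_SSL_ADMIN constant in wp-config.php. And if a load balancer or CDN terminates TLS in front of Apache, %{HTTPS} is never "on"; test the X-Forwarded-Proto header instead, or you get a redirect loop. For item 6, the official key generator lives at https://api.wordpress.org/secret-key/1.1/salt/; paste its output into wp-config.php and change it whenever you suspect a compromise, since doing so invalidates every existing login cookie.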