WordPress Security – Getting WP Hard

WordPress Security – Getting WP Hard

OK so I’m being a bit silly with the title as WordPress security is also described as “hardening WordPress” but really the topic is no joke!

A lot of WordPress users aren’t taking it seriously however. The “my site’s never been hacked” brigade, or that it only happens to big important WP sites not my little blog, despite the recent wide spread talk of XSS attacks. When I first started out with WordPress I might even have been in that camp too, although back then I think a lot less people were hacking it too.

The huge popularity WordPress naturally encourages more malicious attacks on it. The more people use it, the more people will try to hack for financial gain, sending spam email, street cred or should that be web cred. Still dont believe me then check out the scary stats over at WP White Security.

Anyway this post isnt about why people want to hack your site. It’s about facing the fact that its undoubtedly going to happen at some point and what you can do to help prevent it. Lets get to it.

1. Keep it updated!
This may seem really obvious but if you look at the stats on WP White Security you will see that of the sites survey there were 74 WordPress versions found. 74! Now one of the reasons WP is so great is that it’s open source with a lot of people developing it. When these security issues are found (and they normally are fairly quickly) a security release is never far behind. Why aren’t people updating (Mmm sounds like another post)? As my friend Nike says; Just Do It. This applies to themes and plugins too of course, out of date plugins and themes are the cause of the majority of hacks.

As of WP 3.7 minor updates are applied automatically, you can of course apply major or core updates automatically to by adding the following to your wp-config.php file:

2. Server, server on the wall, who’s the best Host of them all
Choose your web host wisely. There are a lot of “specialised” WordPress hosting companies springing up and a lot of existing companies advertising WordPress tailored packages. For the serious WP user where their website is core to business this may well prove to be a good option. I’m not entirely sure how these specialised packages or servers run WordPress any better than other non-specialised hosts but I guess there are som intricacies involved. Here is an interesting article that says that most hosts will offer security but its tiered. Another words don’t think you are getting super duper protection for £1 a month, you most likely are not and should consider purchasing a security add-on.

I think if you are just starting out or your website isn’t core to your survival and budget is tight then any decent host should do the job. Just make sure they support the latest versions of PHP and MySQL, has firewalls and malware scanners (even if they are add-ons). It also helps if their support staff have knowledge of WordPress, they really should since it powers a reported quarter of the websites online.

Remember that if you are on shared hosting that other websites hosted on that server have the potential to affect yours. An infected website on the same server as you could grind it to a halt making your website inaccessible. Ask your host what precautions they have for this and the processes in place if it happens. You could go down the dedicated server route and this would eliminate this risk but if you are budget restricted this probably isn’t an option.

3. Installation Seasoning
Your password is important, dont make it easy to crack, use letters, numbers and special characters. Also make sure and scan your computer regularly as if there is a key logger on there you may as well not have a password. Get salty and add keys to your wp-config.php. These eight keys and salts can be generated here and help to protect your password.

Another good tip is to change the default database prefix. A standard install will always have “wp_” before every table in the DB, change this to something else and make the hackers life a little bit harder. The harder you make it the less likely your site will get hacked. Hackers are always looking for easy access. If you have already installed WP and didn’t do this you still can via a plugin or PhpMyAdmin.

Turn off PHP error reporting in your wp-config.php file:

File permissions 777. Nooooooooo don’t do it! All directories should be 755 or 750, files should be 644 or 640 and wp-config.php should be 600.

4. Themes and Plugins
As already mentioned it is essential to keep these up to date but what about choosing secure themes and plugins. Well that’s pretty difficult to be fair.

Some of the biggest plugins have been found to be vulnerable recently, perhaps this is partly due to their complexity and what they try and achieve but some will just have plain bad coding. So how do you choose. Well I suppose a good barometer is popularity and trusted names, but that link says Jetpack is vulnerable I hear you cry. OK fair point its popular and made by Automattic but because of this its updated regularly to counter these issues and because so many use it there is pressure to keep it secure.

What about themes, well again popularity is your friend because hopefully issues with security, bad coding and functionality are found by other users and corrected.

Themes and plugins on the WordPress repository and other trusted websites like WPMU Dev or ThemeForest should be free of malicious code but be careful where you attain your themes and plugins from. If its from a dodgy website or the website gives you the option to download a plugin from them rather than say the repository, then I’d keep clear.

You can of course use a multitude of plugins to aid your site security. Sucuri is a good start, this free plugin offers some great features and you can also scan your website from theirs: https://sitecheck.sucuri.net/.

There are plenty lists about the best security plugins, here is a pretty good list.

5. Backup, backup, backup
All this talk of plugins brings me to perhaps the most essential bit of kit in your WordPress security arsenal; the backup plugin. Of course you dont really need a plugin to do it, It can all be done manually but if you get a plugin to do the job you can schedule it and can save your entire site to your favourite cloud storage. Personally I use Snapshot by WPMU Dev, it’s great, saves your files and the database and of course it’s backed up by their amazing support (You will hear me bigging WPMU Dev up a lot, I really like them :).

It’s important to have something like Snapshot working away in the background. Even the most security concious WordPress user could still get hacked. If the worst does happen and your website suddenly vanishes in a puff of ones and zeros then your OK as Snapshot has your back(up). If you site hasn’t completely disappeared but something’s wrong then you can use the one click restore function. Sweet.

6. .htNOaccess
The .htaccess file is also useful for hardening your WP install. Don’t know what an htaccess file is then find out. Copy and paste the following code outside the # BEGIN WordPress and # END WordPress tags:

7. What’s in a name
We have already mentioned strong login passwords but your username is important too. Don’t choose “admin”! Make it something else and make sure you display name on the front end is different too. This will hopefully make brute force login attacks harder. If you find you are experiencing a lot of failed login attempt (the Sucuri plugin will tell you this via email) then you should probably install a plugin that limits login attempts like Login Lockdown. I know some hosting has an extra captcha security layer before the login page.

You can of course hide your login page altogether, well from brute force scripts anyway as they will target wp-login.php. A plugin like WPS Hide Login should do the trick.

8. Visualising versions
Well as stated earlier you should be running the latest version but it doesnt do any harm to keep this a secret. A good little tip is to hide your WP version with the following code:

In conclusion
There is a lot of common sense involved in securing your WordPress install. Dont get complacent and look into all your options. Following the steps above is a good start but perhaps you feel like an all in one plugin solution is better for you. Maybe paying a company like us to do it for you is your ideal solution. Whatever it is do a bit of reading on the subject and keep up to date with it. Check these links out for further reading:

Always make sure and checkout the WPMU Blog, they have a great security post series:

  1. WordPress Security Essentials: Say Goodbye to Hackers
  2. WordPress Security Essentials : Four Points Of Vulnerability
  3. WordPress Security Essentials: Password and Username Safety
  4. WordPress Security Essentials : Building A Layered Defense
  5. WordPress Security Essentials: Obscurity Tactics and Backups
Click on a tab to select how you'd like to leave your comment

Leave a Reply

Your email address will not be published. Required fields are marked *