WordPress is a very popular platform these days (around 8.5% of all the world's websites are powered by WordPress!). As it is open source, everybody has access to its source code and can experiment with new cracking/hacking methods easily. Don't get me wrong, WordPress is a secure piece of software.
With a little effort you can protect your WordPress site by following these few easy steps to harden your WordPress installation.
1. Don’t use ‘admin’ username
As of version 3.0, WordPress lets you pick the administrator's username during installation instead of forcing 'admin', and I encourage you to do so. On an existing site, create a new administrator account, log in as that user and delete the old 'admin' account (reassigning its posts to the new user). Anybody who tries to get into your WordPress admin section will try 'admin' as the username first; if you change it, an attacker has to guess both the username and the password. Bear in mind that usernames are not truly secret: author archive URLs such as /?author=1 redirect to the user's slug, so treat this as removing the easiest guess rather than as a second password.
2. Install Login LockDown Plugin
An attacker will try to break your username/password combination with a brute-force or dictionary attack against your WordPress login screen. The Login LockDown plugin limits how many attempts they get.
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery.
Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel, and administrators can release locked-out IP ranges manually from the panel. A lock keyed on an IP range also affects everyone who shares that range, and an attack spread over many addresses can stay under the threshold, so combine this with a strong password (tip 9) rather than relying on it alone.
You can download the Login LockDown plugin from here.
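The lockout logic described above, written as a minimal WordPress plugin. This is an added example and not Login LockDown's own code: the wp_login_failed action, the authenticate filter and the transient functions are real WordPress APIs, while the plugin header, the sll_ function names and the thresholds are my own choices.

```php
<?php
/*
Plugin Name: Simple Login Lockout (added example, not Login LockDown)
Description: Locks a /24 IP range for 1 hour after 3 failed logins within 5 minutes.
*/

// Thresholds matching Login LockDown's documented defaults.
define( 'SLL_MAX_FAILURES', 3 );
define( 'SLL_WINDOW_SECONDS', 5 * 60 );
define( 'SLL_LOCK_SECONDS', 60 * 60 );

// Transient key for the client's /24 range. REMOTE_ADDR is the only address the
// web server itself vouches for; behind a reverse proxy you would have to take
// the forwarded header here, and only when the request really came from your proxy.
function sll_range_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 ) ) {
        $octets = explode( '.', $ip );
        return 'sll_' . implode( '_', array_slice( $octets, 0, 3 ) );
    }
    // IPv6 or anything unexpected: lock the single address instead of a range.
    return 'sll_' . md5( $ip );
}

function sll_is_locked() {
    return false !== get_transient( sll_range_key() . '_lock' );
}

// Runs on every failed login; wp-login.php and XML-RPC both pass through
// wp_authenticate(), so both paths are counted.
function sll_record_failure( $username ) {
    if ( sll_is_locked() ) {
        return; // already locked; do not let continued hammering extend the lock
    }
    $key = sll_range_key();
    $now = time();
    $failures = get_transient( $key . '_fail' );
    if ( ! is_array( $failures ) ) {
        $failures = array();
    }
    // Keep only the failures inside the window, then add this one.
    $failures = array_filter( $failures, function ( $t ) use ( $now ) {
        return $t > $now - SLL_WINDOW_SECONDS;
    } );
    $failures[] = $now;

    if ( count( $failures ) >= SLL_MAX_FAILURES ) {
        set_transient( $key . '_lock', $now, SLL_LOCK_SECONDS );
        delete_transient( $key . '_fail' );
        return;
    }
    // The transient expires with the window, so stale lists clean themselves up.
    set_transient( $key . '_fail', array_values( $failures ), SLL_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Reject authentication while the range is locked. A late priority runs after
// WordPress's own username/password check (priority 20); an error returned
// earlier would be overwritten when the credentials are correct, which would
// defeat the lockout.
function sll_check_lock( $user, $username, $password ) {
    if ( sll_is_locked() ) {
        return new WP_Error( 'sll_locked', 'Too many failed login attempts from your network. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_check_lock', 99, 3 );
```

Save it as its own file under wp-content/plugins/ and activate it. The lock happens inside PHP, so each blocked request still costs a WordPress bootstrap; for a sustained attack, block the range at the web server or firewall as well.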
3. Install Secure WordPress plugin
There are many places where a WordPress site tells a potential attacker which version of WordPress it runs, along with other information that makes an attack easier.
Secure WordPress beefs up the security of your installation by removing error information on the login page, adding an empty index file to the plugin directory, hiding the WordPress version and more:
- Removes error information on the login page
- Adds a virtual index.php to the plugin directory (so its contents cannot be listed)
- Removes the WordPress version, except in the admin area
- Removes the Really Simple Discovery link
- Removes the Windows Live Writer manifest link
- Removes core update information for non-admins
- Removes plugin update information for non-admins
- Removes theme update information for non-admins (WP 2.8 and higher only)
- Hides the WordPress version in the dashboard for non-admins
- Removes the version from script and stylesheet URLs, on the frontend only
- Blocks request patterns known to be malicious (a bad-query blocker)
You can download this plugin from here.
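Several of the items above implemented directly with WordPress hooks, as an added example; this is not the Secure WordPress plugin's code. The hooks and core functions used (wp_head, the_generator, rsd_link, wlwmanifest_link, script_loader_src, style_loader_src, login_errors, update_nag) are real WordPress APIs; the hw_ function names are mine.

```php
<?php
// Added example: drop into a theme's functions.php or a small plugin.

// Remove the generator meta tag (which carries the WordPress version) from the
// frontend <head>, and blank the generator element in RSS/Atom feeds as well.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Remove the Really Simple Discovery and Windows Live Writer manifest links.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// Strip the ?ver=... query string from enqueued scripts and styles, but only on
// the frontend: the admin area relies on it for cache busting after updates.
function hw_strip_asset_version( $src ) {
    if ( is_admin() ) {
        return $src;
    }
    return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', 'hw_strip_asset_version' );
add_filter( 'style_loader_src', 'hw_strip_asset_version' );

// Replace WordPress's specific login errors ("Invalid username" versus "The
// password you entered for the username X is incorrect") with one generic
// message, so the login form no longer confirms which usernames exist.
function hw_generic_login_error( $error ) {
    return 'Login failed. Check your username and password.';
}
add_filter( 'login_errors', 'hw_generic_login_error' );

// Hide the "WordPress X.Y is available" notice (which names the new version)
// from users who cannot run the update anyway. update_nag is registered on
// admin_notices at priority 3, and remove_action() only finds it at that
// same priority.
function hw_hide_update_nag_for_non_admins() {
    if ( ! current_user_can( 'update_core' ) ) {
        remove_action( 'admin_notices', 'update_nag', 3 );
    }
}
add_action( 'admin_init', 'hw_hide_update_nag_for_non_admins' );
```

Hiding the version reduces noise from scanners, nothing more: the readme.html in the WordPress root still states the version unless you delete it, and the contents of core script and style files identify a release regardless of the URL. Keeping WordPress updated (tip 7) is what actually closes the holes.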
4. Move your wp-config.php file
Your wp-config.php holds the database credentials and other data that nobody else should be able to read. Since WordPress 2.6 you can move this file out of the WordPress root folder.
To do this, move wp-config.php one directory up from your WordPress root. WordPress looks for the file in the parent directory automatically if it cannot find it in the root (it skips that fallback if the parent directory also contains a wp-settings.php, i.e. looks like another WordPress installation). The move only helps if the parent directory is outside the directory your web server serves: if WordPress lives in a subfolder of your document root, one level up is still web-accessible and you gain little.
This way, nobody without FTP or SSH access to the server can read the file, even if a misconfiguration of PHP or the web server ever serves .php files as plain text.
5. Change database table prefixes
By default the WordPress table prefix is wp_. Because WordPress is open source, if you leave the prefix unchanged everybody knows the exact names of your database tables, which makes canned SQL injection payloads easier to write. Be realistic about the gain: an attacker with working SQL injection can usually read the real table names from information_schema, so treat this as friction, not as a fix for injectable code.
You can set the prefix during installation, or by editing the $table_prefix line in wp-config.php before running the installer. Changing it on an existing site means renaming every table and also updating the rows that embed the prefix in their names (the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys), otherwise every user loses their role; the WP Secure Scan plugin automates this.
6. Change default secret keys
When you open your wp-config.php file, you will see 4 secret keys (newer versions also ship 4 matching salts, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT, right below them):
define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');
I am amazed how many people, even experienced ones, do not change these keys. They are not used to hash your password; they are the secrets WordPress uses to sign the login cookies and the nonces that protect its forms, so anyone who knows them can forge a valid cookie for any user without knowing a password. If they are left empty, WordPress generates random values and stores them in the database instead, which means anyone who can read the database gets them too.
Simply visit https://api.wordpress.org/secret-key/1.1 (the 4 keys) or https://api.wordpress.org/secret-key/1.1/salt/ (all 8 keys and salts) and paste the generated lines over the placeholders in your wp-config.php file. It's that simple. Change them again whenever you suspect the file has been read by someone else; note that new keys invalidate every existing login cookie, so all users, including you, will have to log in again.
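An added example, not WordPress project code, for doing the same without a network round trip: it generates all eight values locally from the operating system's CSPRNG and audits a wp-config.php for keys that were never set. The function names, the minimum length and the constructed sample config are my own choices.

```php
<?php
// Added example: generate wp-config.php keys and salts locally, and audit a
// config file for the weak states this section warns about.

$WP_KEY_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

// Emit define() lines ready to paste into wp-config.php. random_bytes() throws
// instead of silently falling back to a weak source when no CSPRNG is available.
function wp_keys_generate( array $names, $bytes = 32 ) {
    $lines = array();
    foreach ( $names as $name ) {
        $lines[] = sprintf( "define( '%s', '%s' );", $name, bin2hex( random_bytes( $bytes ) ) );
    }
    return implode( "\n", $lines ) . "\n";
}

// Return name => reason for every key that is missing, empty, still the installer
// placeholder, or too short to be a real secret. Minimum length is my choice.
function wp_keys_audit( $config_source, array $names, $min_length = 32 ) {
    $weak = array();
    foreach ( $names as $name ) {
        $pattern = "/define\s*\(\s*['\"]" . $name . "['\"]\s*,\s*['\"](.*?)['\"]\s*\)/";
        if ( ! preg_match( $pattern, $config_source, $m ) ) {
            $weak[ $name ] = 'not defined';
        } elseif ( $m[1] === '' ) {
            $weak[ $name ] = 'empty';
        } elseif ( $m[1] === 'put your unique phrase here' ) {
            $weak[ $name ] = 'placeholder';
        } elseif ( strlen( $m[1] ) < $min_length ) {
            $weak[ $name ] = 'too short';
        }
    }
    return $weak;
}

// Constructed sample config showing the states the audit catches.
$sample_config = "<?php\n"
    . "define( 'AUTH_KEY',        '' );\n"
    . "define( 'SECURE_AUTH_KEY', 'put your unique phrase here' );\n"
    . "define( 'LOGGED_IN_KEY',   'abc' );\n";

// Expected: AUTH_KEY => empty, SECURE_AUTH_KEY => placeholder,
// LOGGED_IN_KEY => too short, the other five => not defined.
print_r( wp_keys_audit( $sample_config, $WP_KEY_NAMES ) );

// Fresh values to paste into wp-config.php in place of the old defines.
echo wp_keys_generate( $WP_KEY_NAMES );
```

Run it with the PHP CLI on the server (php generate-keys.php) and replace the old define lines with the output; then remove the script so the generated values are not left lying around in a second file.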
7. Keep WordPress, plugins and themes up to date
Always update to the latest version of WordPress: security fixes ship in the newest release, and each release's changelog tells attackers exactly which bugs older versions still have. Don't forget to update your plugins and themes too; they are at least as often the way in.
Updating your WordPress installation, plugins and themes is really easy to do from your admin area, so do it as soon as an update is available. WordPress is a terrific piece of software, and updating will rarely, if ever, break site functionality; take a backup first anyway (tip 10).
8. Protect your wp-admin
The AskApache Password Protect plugin adds serious password protection to your WordPress blog by putting Apache HTTP authentication (.htaccess and htpasswd rules) in front of it. Not only does it protect your wp-admin directory, but also wp-includes, wp-content, the plugins directory and so on. One caveat that applies to any way of password-protecting wp-admin: wp-admin/admin-ajax.php is called from the frontend by many themes and plugins, so exempt that file from the protection or those features will break for ordinary visitors.
9. Use strong password
This is the most basic thing you can do to protect your WordPress installation, yet many people still use weak passwords that modern brute-force tools break in minutes.
There are many tips on how to make a strong password; I personally like this Strong Password Generator. Read the tips over there to help you understand what a strong password is.
10. Backup your data regularly
This is not strictly a security tip, but it is related: if someone hacks your site and you don't have a backup, it will be very difficult to return the site to its previous state.
Regular backups are a must. Store them somewhere other than the web server itself (a compromised server usually means compromised on-server backups) and test a restore at least once. There is a great list of WordPress backup plugins available here.
A few more general tips for securing WordPress installation:
- Remove unused users from WordPress.
- Remove unused WordPress themes.
- Remove all unused WordPress plugins.
If you don't have time to follow all of the tips above, please follow at least two of them. It will help you protect the effort you have invested in your WordPress site.