10 WordPress Security Tips

In line with our serious approach to security, our products are carefully optimized to be as secure as possible. There are, however, still a handful of potential security risks when running a website that we have no control over. You, the website owner, need to pay attention to these risks in order to keep your website safe.

With that in mind, here are 10 things you can do to improve your WordPress security.

1. Change the Database Prefix

A lot of the basic setup for WordPress is the same across many sites, especially if you use a one-step install wizard through your web host. This is super convenient, but as a result common setup values, like your database prefix, are known to hackers. If you don’t change the database prefix, the table names of your site’s database are easily known to anyone trying to hack your site.

2. Protect Your wp-config.php / .htaccess File

The wp-config.php file contains all the confidential details of your site, so it’s pretty important that you protect it at all costs. An easy way to protect this file is to simply place the following code in the .htaccess file on your server.

We can protect our wp-config.php file as mentioned above, but what about protecting the .htaccess file itself? Don’t worry, we can use the same .htaccess file to protect itself from being preyed upon. You just need to place the code below in your .htaccess file.

3. Strengthen up those passwords

According to this infographic, around 8% of hacked WordPress websites are down to weak passwords.

If your WordPress administrator password is anything like ‘letmein’, ‘abc123’, or ‘password’ (all way more common than you might think!), you need to change it to something secure as soon as possible.

For a password that’s easy to remember but very hard to crack, I recommend coming up with a good password recipe.

If you’re feeling lazy, you can also use a password manager like LastPass to remember all your passwords for you. If you use this method, make sure your master password is nice and strong.

4. Never use “admin” as your username

Earlier this year, there was a spate of brute-force attacks launched at WordPress websites across the web, consisting of repeated login attempts using the username ‘admin’, combined with a bunch of common passwords.

If you use “admin” as your username, and your password isn’t strong enough (see #3), then your site is very vulnerable to a malicious attack. It’s strongly recommended that you change your username to something less obvious.

Until version 3.0, installing WordPress automatically created a user with “admin” as the username. This was updated in version 3.0 so you can now choose your own username. Many people still use “admin” as it’s become the standard, and it’s easy to remember. Some web hosts also use auto-install scripts that still set up an ‘admin’ username by default.

Fixing this is simply a case of creating a new administrator account for yourself using a different username, logging in as that new user and deleting the original “admin” account.

If you have posts published by the “admin” account, when you delete it, you can assign all the existing posts to your new user account.

5. Hide your username from the author archive URL

Another way an attacker can potentially gain access to your username is via the author archive pages on your site.

By default WordPress displays your username in the URL of your author archive page. For example, if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs

This is less than ideal, for the same reasons explained above for the “admin” username, so it’s a good idea to hide this by changing the user_nicename entry in your database, as described here.

6. Limit Login Attempts

In the case of a hacker or a bot attempting a brute-force attack to crack your password, it can be useful to limit the number of failed login attempts from a single IP address.

Limit Login Attempts does just that, allowing you to specify how many retries will be allowed, and how long an IP will be locked out for after too many failed login attempts.

There are ways around this, as some attackers will use a large number of different IP addresses, but it’s still worth doing as an additional precaution.

7. Hide Your WordPress Version

Another good idea is to remove the WordPress generator meta tag. This tag shows the version of WordPress your site is running. If the version is visible, hackers know exactly which known security weaknesses apply to your website. If you absolutely can not update your WordPress version (tip #1), this is a good failsafe to at least hide the fact that you’re not on the most current version.

To do this you need to place the code below in the functions.php file of your active theme.

You can go one step further and additionally remove it from RSS feeds using this:

The trouble with the built-in theme and plugin editor is that if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:
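As an added example that is not part of the original post, the following must-use plugin collects the three changes above (generator tag removed from the head, generator string blanked in feeds, and the file editor disabled) in one file. It assumes you drop it into wp-content/mu-plugins/ rather than into the theme’s functions.php, so it survives a theme change; it also strips the core version from the `?ver=` query string on enqueued assets, which leaks the version just as reliably as the meta tag.

```php
<?php
/**
 * Plugin Name: Hide WP Version and Disable File Editor
 * Added example for this post, not code from the original article.
 * Place in wp-content/mu-plugins/ (must-use plugins load on every request
 * and do not depend on the active theme).
 */

// 1. Remove <meta name="generator" content="WordPress x.y.z"> from <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string everywhere WordPress emits it. The
//    'the_generator' filter also covers the RSS/Atom feeds, the comments
//    feed and export files, so this replaces the separate feed snippet.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Drop the "?ver=<core version>" query string from enqueued scripts and
//    styles. Only the core version string is removed, so plugin and theme
//    assets keep their own cache-busting parameter.
function hide_core_version_from_assets( $src ) {
    global $wp_version;
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hide_core_version_from_assets', 999 );
add_filter( 'style_loader_src', 'hide_core_version_from_assets', 999 );

// 4. Disable the built-in theme/plugin file editor. wp-config.php is the
//    usual home for this constant; defining it here has the same effect
//    because must-use plugins load before the admin menus are built.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

To confirm it works, view the page source and the /feed/ URL of your site and check that no "WordPress x.y.z" string remains, and that Appearance > Editor no longer appears in the admin menu.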

8. Try to avoid free themes

We’re confident in the quality and security of our free themes. As a general rule though, it’s better to avoid using free themes, if possible, especially if they aren’t built by a reputable developer.

The main reason for this is that free themes can often contain things like base64 encoding, which may be used to sneakily insert spam links into your site, or other malicious code that can cause all sorts of problems, as shown in this experiment, where 8 out of 10 sites reviewed offered free themes containing base64 code.

If you really need to use a free theme, you should only use those developed by trusted theme companies, or those available on the official WordPress.org theme repository.

Note: The same logic applies to plugins. Only use plugins that are listed on WordPress.org, or built by a well-established developer.

9. Keep a backup

I can’t overemphasize the importance of making regular backups of your website. This is something that many people put off until it’s too late.

Even with the best security measures at your disposal, you never know when something unexpected could happen that might leave your site open to an attack.

If that happens you want to make sure all of your content is safely backed up, so that you can easily restore your site to its former glory.

The WordPress Codex tells you exactly how to back up your site, and if that seems like too much hard work, you can use a plugin such as WordPress Backup to Dropbox to schedule regular automatic backups.

10. Create Custom Secret Keys for Your wp-config.php File

All of the confidential details for your WordPress site are stored in the wp-config.php file in your WordPress root directory. Secret keys are one of the bits of information stored in that file, so make sure you change the default secret keys to something else.

If you are not sure what to use in place of the default values, go to this link, and it will generate random keys for you.
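If you would rather generate the keys offline, here is an added example (not from the original post) that produces the eight `define()` lines using PHP’s CSPRNG; run it from the command line and paste the output over the default “put your unique phrase here” lines in wp-config.php. Note that changing these keys invalidates every existing login cookie, so all users will need to sign in again.

```php
<?php
// Added example: offline generator for the wp-config.php secret keys and salts.
// Run with: php generate-wp-salts.php

$names = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Returns a 64-character secret drawn uniformly from printable ASCII,
// matching the length the WordPress.org generator issues. random_int() is
// used per character so there is no modulo bias.
function generate_wp_secret( int $length = 64 ): string {
    $alphabet = implode( '', array_map( 'chr', range( 33, 126 ) ) ); // '!'..'~'
    // Exclude the single quote and backslash so the value is safe inside a
    // PHP single-quoted string without escaping.
    $alphabet = str_replace( [ "'", '\\' ], '', $alphabet );
    $max      = strlen( $alphabet ) - 1;
    $secret   = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $secret .= $alphabet[ random_int( 0, $max ) ];
    }
    return $secret;
}

foreach ( $names as $name ) {
    printf( "define( '%s', '%s' );\n", $name, generate_wp_secret() );
}
```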

Further Resources

To learn more about hardening your website’s security, please check out these two resources:

http://codex.wordpress.org/Hardening_WordPress

http://wp.tutsplus.com/tutorials/11-quick-tips-securing-your-wordpress-site

We also recommend Sucuri.net if you are unsure about this topic. Sucuri can help monitor your site, alert you of suspicious activity and even help clean up your site in the case of a malware attack.
