WordPress is the most popular blogging and CMS system on the Internet which makes it a favorite target for hackers. Having a WordPress site means that you have to take some extra efforts in order to protect your and your visitors data. Here is a summary of the best practices for securing a WordPress, that will help you do that. It is important to mention that these measures don’t guarantee a 100% protection against hacking attempts, mostly because a 100% secure website doesn’t exist, but they will protect you against the majority of attacks.
Tips for your WordPress security:
- Keep your WordPress site and plugins up-to-date
- Protect your WordPress Admin Area
- Don’t use the “admin” username
- Use strong passwords
- Consider two-factor authentication
- Make sure your site is on a secured WordPress hosting
- Ensure your computer is free of viruses and malware
Keep your WordPress site and plugins up-to-date
It is really important to keep your core WordPress files and all of your plugins updated to their latest versions. Most of the new WordPress and plugin versions contain security patches. Even if those vulnerabilities cannot be easily exploited most of the times, it is important to have them fixed.
Protect your WordPress Admin Area
It is important to restrict the access to your WordPress admin area only to people that actually need access to it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get our home IP address (you can use a site like whatismyip.com for that) and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.
<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>
In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from xx.xxx.xxx.xxx statement on a new line.
If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks) restricting your admin area to a single IP address or to few IPs can be inconvenient. In such cases we recommend that you limit the number of incorrect login attempt to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password. For such purposes, you can use a nice little plugin called Limit login attempts.
Don’t use the “admin” username
Most of the attackers will assume that your admin username is “admin”. You can easily block a lot of brute-force and other attacks simply by naming your admin username differently. If you’re installing a new WordPress site, you will be asked for username during the WordPress installation process.
How to Change your WordPress Username
If you have an existing WordPress site and you want to change your username(to something different than “admin” for security reasons, for example), you can do this quite easily.
First, go to your cPanel and click on the phpMyAdmin icon in the Database section.
Next, locate your WordPress database from the list on the left.
If you’re not sure which one it is, you can check the wp-config.php file in the root folder of your WordPress installation and in particular the line below:
define(‘DB_NAME’, ‘user_wp448′);
Once you select your WordPress database, you will see a lit of its tables. Choose the _users table from the left menu.
You will see a list of all the registered users in your site. Locate the admin username and click on the Edit button on that line.
Now, you will see all the fields for this username. Locate the user_login field and replace its value from admin to your new preferred WordPress login name and hit the Go button at the bottom of the page.
That’s it, you can now login with your newly selected WordPress username!
Securing wp-includes
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+.php$ – [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
Disable File Editing
The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login, since it allows code execution. WordPress has a constant to disable editing from Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:
define('DISALLOW_FILE_EDIT', true);
This will not prevent an attacker from uploading malicious files to your site, but might stop some attacks.
Use strong passwords
You will be surprised to know that there are thousands of people that use phrases like “password” or “123456” for their admin login details. Needles to say, such passwords can be easily guessed and they are on the top of the list of any dictionary attack. A good tip is to use an entire sentence that makes sense to you and you can remember easily. Such passwords are much, much better than single phrase ones.
Consider two-factor authentication
Enabling two-factor authentication for your WordPress website will significantly improve the security of your website. One of the easiest ways to do this is to use Clef to authenticate using your mobile phone. For all SiteGround users, Clef authors have created an ad-free version of their plugin.
Ensure your computer is free of viruses and malware
If your computer is infected with virus or a malware software, a potential attacker can gain access yo your login details and make a valid login to your site bypassing all the measures you’ve taken before. This is why it is very important do have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress site on a high level.
Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities. If you are browsing untrusted sites, we also recommend using tools like no-script (or disabling javascript/flash/java) in your browser.
File Permissions
Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.
It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files.
Here is one possible permission scheme.
All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server, if your hosting set up requires it, that may mean those files need to be group-owned by the user account used by the web server process.
/
The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.
/wp-admin/
The WordPress administration area: all files should be writable only by your user account.
/wp-includes/
The bulk of WordPress application logic: all files should be writable only by your user account.
/wp-content/
User-supplied content: intended to be writable by your user account and the web server process.
Within /wp-content/ you will find:
/wp-content/themes/
Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
/wp-content/plugins/
Plugin files: all files should be writable only by your user account.
Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.
Changing file permissions
If you have shell access to your server, you can change file permissions recursively with the following command:
For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;
For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;
FTP
When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them.
Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.
