WordPress Security

Over the course of the past few weeks, I have watched a number of attempted attacks on some of my WordPress sites. Knowing that WordPress powers over 20% of new active websites in the U.S., I thought it appropriate to put together this post on adding some security. As a disclaimer – your mileage will vary. The items mentioned below are not meant to serve as an endorsement of any given approach or product. It is still possible that your site can be hacked even if you employ all these techniques. Think of this as locking your house when you leave it. That doesn’t mean a burglar won’t enter; it just means that you have made it a bit more difficult. Perhaps they will try the lock and decide to go elsewhere. Ok, enough weasel words. Here are my initial thoughts. I would appreciate comments as to other approaches that readers have found helpful in protecting their WordPress sites.

Since most WordPress sites run on the LAMP stack (Linux, Apache, MySQL, PHP), I am customizing my comments for that environment. If you are running on different technologies, adjust these comments accordingly. I recommend reading the hardening WordPress article as a good starting point. Items discussed below come from that article and other similar sites.

Backups – get in the habit of making regular backups of your entire site: the database and every file, including wp-config.php and wp-content/uploads. Copy the files to another server or store them on a local computer; a backup that lives only on the web server disappears with it. If all else fails, you will still be able to recover if you have a tested backup strategy. Keep in mind the operative word is tested. If you have never restored from a backup, you do not have a backup. Just my two cents. Take one of the backups you create and see if you can restore your site at another spot on your server (or in a local environment). If you can’t, modify your backup approach until you have confirmed that you have usable backup files.

Files and folders – protect where possible and only keep the files you actually need. For example, add an .htaccess file to the wp-admin folder and use the rewrite engine to refuse requests to the dashboard from any address but your own; leave admin-ajax.php reachable, since themes and plugins call it on behalf of ordinary visitors. If you need details, feel free to contact me. For most files in this section, make certain you have assigned a chmod of 644 (owner can read and write, all others can only read, no one can execute). Directories need 755 so the web server can traverse them, and wp-config.php, which holds the database password, should be tighter still (600, or 640 if PHP runs as a different user in the owner’s group). Also remove files that you don’t need once you have completed the installation (for example wp-admin/install.php). You can replace this with a fake version that displays a generic database error and sends you an email (or, less noisily, appends to a log file) with details of anyone attempting to run install.php, such as the IP address and user agent. Keep in mind that the address you record is often a proxy, VPN exit or compromised host rather than the attacker’s own machine, but it doesn’t hurt to track as much information as possible. Keep in mind also that every time you update WordPress core, install.php is recreated, so you have to get in the habit of replacing the new one with the fake one after each update.
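The three file-level steps above (permissions, a wp-admin/.htaccess built on the rewrite engine, and a decoy install.php) as one rerunnable script. This is an added example, not code from the original post or from WordPress; the paths, the log file and the allowed addresses are hypothetical arguments, and the decoy logs to a file rather than mailing every hit, because scanners would otherwise flood your inbox.

```sh
#!/bin/sh
# Added example, not from the original post: rerunnable hardening pass for a
# WordPress tree on Apache. All paths, the log file and the allowed IP
# addresses are hypothetical arguments supplied by the caller.
set -eu

# Directories 755, files 644 (owner rw, everyone else read-only, nothing
# executable), then tighten wp-config.php to 600 because it holds the database
# password. Use 640 instead if PHP runs as a different user in the owner's group.
set_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# wp-admin/.htaccess: mod_rewrite returns 403 for the dashboard unless the
# client address is one of the given IPs. admin-ajax.php stays reachable
# because themes and plugins call it for anonymous visitors. Needs
# AllowOverride FileInfo (or All) on the vhost. Refuses to write an empty
# allow-list, which would lock everyone out including you.
write_admin_htaccess() {
    root="$1"; shift
    [ "$#" -ge 1 ] || { echo "at least one allowed IP is required" >&2; return 1; }
    {
        printf '%s\n' 'RewriteEngine On'
        printf '%s\n' 'RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$'
        for ip in "$@"; do
            # Escape the dots so the address is matched literally, not as "any char".
            printf 'RewriteCond %%{REMOTE_ADDR} !^%s$\n' "$(printf '%s' "$ip" | sed 's/\./\\./g')"
        done
        printf '%s\n' 'RewriteRule .* - [F,L]'
    } > "$root/wp-admin/.htaccess"
}

# Replace wp-admin/install.php with a decoy that records the probe in a file
# the web server user can write to, and answers with a generic error. Core
# updates restore the real file, so run this again after every update.
write_decoy_install() {
    root="$1"; logfile="$2"
    cat > "$root/wp-admin/install.php" <<EOF
<?php
// Decoy install.php (hypothetical): record who asked, give nothing away.
\$line = date('c') . ' ' . (\$_SERVER['REMOTE_ADDR'] ?? '-') . ' '
      . (\$_SERVER['HTTP_USER_AGENT'] ?? '-') . "\n";
error_log(\$line, 3, '$logfile');
http_response_code(500);
header('Content-Type: text/plain; charset=utf-8');
echo 'Error establishing a database connection';
EOF
}

# Run all three steps. Usage: harden_wordpress <wp_root> <log_file> <ip> [ip ...]
harden_wordpress() {
    root="$1"; logfile="$2"; shift 2
    set_permissions "$root"
    write_admin_htaccess "$root" "$@"
    write_decoy_install "$root" "$logfile"
}

# Example invocation (hypothetical values):
#   sh harden.sh /var/www/html /var/log/wp-decoy.log 203.0.113.7
if [ "$#" -ge 3 ]; then
    harden_wordpress "$@"
fi
```

Run it once after installation and again after every core update; the permission pass is idempotent, and the .htaccess is rewritten from the addresses you pass in, so changing your home IP means rerunning it with the new one.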

Updates – keep your site up to date. Keep your plugins up to date. Keep your themes up to date. I think I see a trend forming here. Back up your site before you update, and delete plugins and themes you no longer use rather than leaving them installed but inactive; an inactive plugin’s files are still on disk and still reachable by URL.

Usernames – whatever you do, eliminate the admin username as soon as possible. Do this as soon as you have created another username and assigned that username administrator rights. Customize your admin names as much as possible. Since WordPress allows you to have a display name different from the actual username, consider making all usernames unique combinations of uppercase letters, lowercase letters, and numbers. If your environment allows it, include special characters. Make the usernames as long as possible. Bear in mind that a username is not really a secret: author archive pages and the REST API can reveal it, so treat an unusual username as one more layer rather than a substitute for a strong password. Make certain your passwords are long and complex – 12 characters minimum.

Plugins – there are a number which I find useful. I placed them in alphabetical order to make it easier to locate. I suspect I have overlooked a number of good ones. That is where your comments come into play. As long as your comments are not offensive, I will post them. Obviously I have to approve them first. I am selecting some example plugins as a point of discussion (you may want to include others – I do). Before installing and activating any of these or similar plugins, research them. Make certain they do what you want them to do. Make certain you understand them before you activate them.

  • Akismet (or similar) – this helps reduce the amount of weblog spam and related drivel one receives when comments are allowed. Obviously, change your settings so all comments must be approved. I am amazed at the amount of drivel which shows up (yes, I scan the spam from time to time). I realize these are mostly machine generated, but most are a complete waste of bandwidth as no sane individual would ever allow them on their site.
  • BackWPUP (there are many others) – back up your files, folders, databases. Do it now, do it frequently. Store the backups elsewhere. Restore a backup from time to time in another environment to verify all is working.
  • Login Lock (or similar) – these plugins allow a set number of login attempts, after which the IP address is blocked for a period of time (say an hour). Check that the plugin you choose also covers xmlrpc.php, which accepts the same credentials and is a favourite of automated guessing tools. If you can’t remember your password, keep it in some form of password vault (remember, your password should be complex). I have said this many times to students – passwords are like underwear – they should be changed frequently. Likewise, if you can remember your password, it is not secure.
  • WordPress File Monitor (or similar) – plugins of this ilk can be set to notify you of any changes to the files on your site. If all other defenses fall, you may still get a notification that files are being changed. A monitor that runs inside the site it is watching can itself be disabled once an attacker has write access, so I find it helpful to think in terms of layered security: file monitor programs are a last line of defense, and you should get a few notifications before the site is completely compromised.
  • WordPress Firewall (or similar) – yep, they do just what you think they should do. Install one. Research a bit to make certain you know which one is best for your site.
  • WP Security (or similar) – these are scanning plugins which will help identify possible configuration weaknesses (and correct them). For example, do not use wp_ as your database prefix (that is the default). Treat that one as a minor speed bump rather than a defense: an attacker with a working SQL injection can read the real prefix from the database, so a custom prefix mainly defeats lazy automated scripts.
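The backup advice above and the BackWPUP item are the same procedure seen twice: dump the database, bundle it with the files, get it off the host, and prove it restores. The script below is an added example (not the post’s own tooling and not a plugin) that does the first three and then performs the "tested" part automatically. WP_ROOT, BACKUP_DIR and DB_NAME are hypothetical defaults; MySQL credentials are assumed to live in ~/.my.cnf so they never appear on a command line.

```sh
#!/bin/sh
# Added example, not from the original post or any plugin: a backup that
# verifies itself. WP_ROOT, BACKUP_DIR and DB_NAME are hypothetical defaults;
# MySQL credentials are expected in ~/.my.cnf so they never appear on the
# command line. Keep BACKUP_DIR outside WP_ROOT, or each archive will swallow
# the previous ones.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
DB_NAME="${DB_NAME:-wordpress}"

# Dump the database to the given file. --single-transaction gives a
# consistent InnoDB snapshot without locking the site while it runs.
dump_db() {
    mysqldump --single-transaction --routines --triggers "$DB_NAME" > "$1"
}

# Bundle the site tree and the SQL dump into one timestamped archive.
# Usage: make_archive <site_dir> <dump_file> <out_dir>   (prints the archive path)
make_archive() {
    site="$1"; dump="$2"; out="$3"
    archive="$out/wp-backup-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    mkdir -p "$out"
    tar -czf "$archive" \
        -C "$(dirname "$site")" "$(basename "$site")" \
        -C "$(dirname "$dump")" "$(basename "$dump")"
    echo "$archive"
}

# The "tested" part, without touching MySQL: unpack into a scratch directory
# and check gzip integrity, that wp-config.php and the dump are present, and
# that the dump ends with the "-- Dump completed" line mysqldump writes only
# when it finished. A dump cut short by a full disk or a timeout fails here.
# Usage: verify_archive <archive> <dump_basename>   (exit 0 = usable)
verify_archive() {
    archive="$1"; dumpname="$2"
    scratch=$(mktemp -d)
    status=0
    if ! gzip -t "$archive" 2>/dev/null; then
        echo "corrupt archive: $archive"
        status=1
    else
        tar -xzf "$archive" -C "$scratch"
        dump="$scratch/$dumpname"
        if [ ! -f "$dump" ]; then
            echo "dump $dumpname missing from archive"; status=1
        elif ! tail -n 1 "$dump" | grep -q '^-- Dump completed'; then
            echo "dump is truncated: no 'Dump completed' marker"; status=1
        fi
        if ! find "$scratch" -type f -name wp-config.php | grep -q .; then
            echo "wp-config.php missing from archive"; status=1
        fi
    fi
    rm -rf "$scratch"
    return "$status"
}

# The real restore test, for a host with MySQL (not exercised offline): load
# the dump into a scratch database and report how many tables came back.
# Usage: restore_db_test <dump_file> [scratch_db]
restore_db_test() {
    dump="$1"; scratch_db="${2:-wp_restore_test}"
    mysql -e "DROP DATABASE IF EXISTS \`$scratch_db\`; CREATE DATABASE \`$scratch_db\`;"
    mysql "$scratch_db" < "$dump"
    mysql -N -e "SHOW TABLES" "$scratch_db" | wc -l
}

# Usage: sh wp-backup.sh backup | verify <archive> <dump_basename> | restore-test <dump>
case "${1:-}" in
    backup)
        work=$(mktemp -d)
        dump_db "$work/$DB_NAME.sql"
        archive=$(make_archive "$WP_ROOT" "$work/$DB_NAME.sql" "$BACKUP_DIR")
        rm -rf "$work"
        verify_archive "$archive" "$DB_NAME.sql"   # set -e: a bad backup stops here
        echo "OK: $archive (now copy it off this host)"
        ;;
    verify)       verify_archive "$2" "$3" ;;
    restore-test) restore_db_test "$2" ;;
esac
```

The archive check is deliberately separate from the database check: the first runs on any host in seconds and catches the common failure (a dump that stopped halfway), the second needs a MySQL server and is what you run on the other machine to prove the backup is really restorable.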

No, this list is not exhaustive. I don’t want potential hackers to know the exact details they are up against. Again, I want them to rattle the door knob and decide that it is simpler to try the house down the street than stand in plain sight trying to get into mine. Think of layers. Have solid backups. Check your site periodically. Ok, this is my short list. I look forward to your comments as to how you would secure your WordPress sites even further.
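"Check your site periodically" and the Login Lock item above meet in the web server log. The added example below (not from the post or any plugin) reads an Apache combined-format access log and lists the clients hammering wp-login.php or xmlrpc.php; the log path and threshold are hypothetical arguments, and the sample log in the usage is constructed.

```sh
#!/bin/sh
# Added example, not from the original post: spot password guessing against
# wp-login.php and xmlrpc.php in an Apache combined-format access log. The
# log path and threshold are hypothetical arguments.
set -eu

# A failed WordPress login re-renders the form with HTTP 200; a successful
# one answers 302 to the dashboard. So "POST to wp-login.php with status 200"
# is a failure. xmlrpc.php returns 200 for success and for an XML-RPC fault
# alike, so every POST there counts, which is what you want: guessing tools
# favour it because one system.multicall request can carry hundreds of tries.
# Usage: count_login_failures <access_log> <threshold>
# Prints "<ip> <failures>" for each client at or above the threshold, most first.
count_login_failures() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { fail[$1]++ }
        END { for (ip in fail) if (fail[ip] >= limit) print ip, fail[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Turn that list into an Apache 2.4 deny block for the site's .htaccess
# (mod_authz_core syntax). Reads "<ip> <count>" lines on stdin.
deny_block() {
    printf '%s\n' '<RequireAll>' '    Require all granted'
    while read -r ip _; do
        printf '    Require not ip %s\n' "$ip"
    done
    printf '%s\n' '</RequireAll>'
}

# Example: sh login-watch.sh /var/log/apache2/access.log 5 | deny_block
if [ "$#" -eq 2 ]; then
    count_login_failures "$1" "$2"
fi
```

Blocking by address is only a speed bump against a botnet that spreads its guesses over thousands of hosts, which is why the list is sorted by count: the top entries are the ones worth a deny rule, the long tail is the reason the real fix is strong passwords and a lockout plugin that also watches xmlrpc.php.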

6 thoughts on “WordPress Security”

  1. Would love to see this article re-visited. It seems a number of these plugins have either been removed or haven’t been updated in a while.
    Curious what the current recommendations are.

  2. Good point, Jon. It has been way too long. I will add this to my list and get to it as soon as possible. In the interim, focus on the need (for example to limit login attempts) and search for current plugins which accomplish that (and have a solid number of stars).
    Best always,
    Mark
