WordPress Security Tips

As of 2011, WordPress is still the most popular blogging software for websites. Because of its large user base and popularity, it is also the most attacked blogging platform, and you hear a lot about “hacked” WordPress websites on the Internet. Many WordPress security guidelines have been published. This article examines some basic, standard tips that can still be applied today. If you are a WordPress user and a webmaster, this guide will definitely be helpful to you.

Tip 1: Secure Your Admin Directory

This is an old tip, but it’s surprising how many WordPress blogs — even the popular ones — do not secure their admin directory. Bear in mind that an unprotected admin directory is exposed to any form of public attack. These include brute-force login attempts, cross-site scripting attacks, and any other vulnerability that hackers may discover.

This is very important. If access to your admin directory is restricted, it is protected even when something else fails: a hacker may find a SQL injection vulnerability in WordPress and use it to extract your admin username and password, but even then the hacker will not be able to log in to your admin directory.

The following are the important steps you need to take to secure your admin directory.

1. Go to http://www.whatismyip.com/ and take note of your IP address.

2. Open a text editor (e.g. notepad).

3. Copy and paste the code below into the text editor:

# Deny everyone except the addresses listed in Allow lines
Order allow,deny
Allow from xxx.xxx.xxx.xxx

4. Replace xxx.xxx.xxx.xxx with your IP address.

5. Save it as .htaccess

Note: The filename begins with a dot.

6. Upload the .htaccess to wp-admin directory.

7. Check that the wp-admin directory now returns a 403 Forbidden error. You can use an external server status checker such as http://gsitecrawler.com/tools/Server-Status.aspx

Enter your wp-admin URL, for example http://www.example.com/wp-admin
Because the checker connects from an address that is not on your allow list, it should receive a 403 Forbidden error.

If your website has more than one contributor, you will need to ask for their IP addresses and add them to the .htaccess file as additional Allow lines. For example:

Order allow,deny
Allow from xxx.xxx.xxx.xxx
Allow from yyy.yyy.yyy.yyy
Allow from zzz.zzz.zzz.zzz

Where yyy.yyy.yyy.yyy and zzz.zzz.zzz.zzz are the IP addresses of the other admin panel users.
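
The allow list above can be generated and sanity-checked before it is uploaded. The following Python script is an added example, not code from the original article: it validates a list of addresses or CIDR ranges, renders the .htaccess text in the Apache 2.2 Order/Allow form the article uses (and in the Require ip form that Apache 2.4 replaced it with), and simulates which client addresses the server would admit. The addresses in it are constructed documentation ranges (RFC 5737), not real ones.

```python
"""Added example (not from the original article): generate the wp-admin
.htaccess allowlist from a list of addresses and simulate which clients it
admits.  The article's directives are Apache 2.2 syntax; Apache 2.4 replaced
Order/Allow with Require ip, and both forms are rendered here.  The
addresses are constructed documentation ranges (RFC 5737), not real ones."""
import ipaddress

# Constructed allowlist: one home address plus an office range.
ALLOWLIST = ["203.0.113.7", "198.51.100.0/24"]


def parse_allowlist(entries):
    """Validate each entry; a bare host becomes a /32 (or /128) network."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad allowlist entry {entry!r}: {exc}") from exc
    return nets


def _fmt(net):
    """Render a single host without the /32 suffix, a range with its prefix."""
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def render_htaccess(entries, apache24=False):
    """Return the .htaccess text: the article's Order/Allow form by default,
    or the Apache 2.4 Require ip form when apache24=True."""
    nets = parse_allowlist(entries)
    lines = ["# wp-admin IP allowlist: every address not listed gets 403 Forbidden"]
    if apache24:
        lines += [f"Require ip {_fmt(n)}" for n in nets]
    else:
        lines += ["Order allow,deny"] + [f"Allow from {_fmt(n)}" for n in nets]
    return "\n".join(lines) + "\n"


def is_allowed(client_ip, entries):
    """Simulate the server's decision: True if the client matches any entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_allowlist(entries))


if __name__ == "__main__":
    print(render_htaccess(ALLOWLIST))
    for ip in ("203.0.113.7", "198.51.100.44", "192.0.2.1"):
        print(ip, "allowed" if is_allowed(ip, ALLOWLIST) else "403 Forbidden")
```

Two caveats worth checking on your own site: the login form itself, wp-login.php, lives in the site root rather than under wp-admin, so this file does not restrict it; and wp-admin/admin-ajax.php is called by the front end of some themes and plugins, which an allow list on the whole directory will also block. If your ISP assigns you a changing address, you will need to update the list when it changes.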

Tip 2: Never Edit the WordPress Core Files!

It is surprising how many tips can still be found on the Internet that suggest tweaking the WordPress core files. This is not recommended; it will only be a security risk in the long run. If you are new to WordPress and do not yet know which files are the core files, the following list will tell you.

  1. All files inside the wp-includes directory.

  2. All files inside the wp-content directory.

  3. All wp- files in the root directory of your website (e.g. wp-rss.php).

One of the biggest disadvantages of editing the WordPress core files is that your changes are overwritten when you update WordPress. Once you have updated, those “tweaks” no longer work, and you will need to make the edits all over again.

Therefore, if you need to add some special functionality to your WordPress website, try doing one of three things instead. First, try to see if you can edit your theme files to produce that functionality without resorting to editing the WordPress core files.

Second, if editing the theme files to produce that functionality seems impossible, do some research to find a WordPress plugin that produces the desired result. There are many released and stable WordPress plugins, so it is smarter to search for the appropriate plugin and use it than to edit the core files. You can start searching for plugins here: http://wordpress.org/extend/plugins/

Third, if you cannot find the plugins you need, it is time to ask for professional help from the WordPress community. Below you’ll find some good links to places online where you can ask for help:

WordPress support: http://wordpress.org/support/

WordPress ideas: http://wordpress.org/extend/ideas/

Tip 3: Use the SSH protocol for downloading and uploading files

To protect your hosting server username and password, you should consider using SSH. File transfer over SSH (SFTP) works much like FTP, but the communication between you and the server is entirely encrypted. Encryption means that the communication cannot be compromised by the eavesdropping techniques hackers use to extract sensitive information.

Most paid hosting accounts already include SSH as part of the package. So make sure you enable it in your hosting account. If you have problems enabling it, consult your hosting support.

Once you have enabled SSH, you can use an SFTP client to connect to the server that hosts your WordPress website. The most recommended is FileZilla (http://filezilla-project.org/download.php), because it is GUI-based and works much like an FTP client.

There are a couple of things to keep in mind when using FileZilla. First, do not set the logon type to “Normal,” as this saves your hosting password in plain text on your computer’s hard drive. Instead, use “Ask for password.” Second, under “Server Type,” make sure it is set to SFTP - SSH File Transfer Protocol.

Tip 4: Encrypt Your WordPress Login

The standard way of encrypting logins is to serve the site over HTTPS. However, this can be both expensive and technical for beginning webmasters to set up. The simplest way to still encrypt the WordPress login is to use the “Semisecure Login Reimagined” plugin: http://wordpress.org/extend/plugins/semisecure-login-reimagined/

Why do you need to encrypt your WordPress logins? When you log in, your browser sends the data to the server in plain text. This means that your username and password information travels over the Internet in a plain text format that anyone can understand — and anyone can snatch it using network packet sniffing tools. These usernames and passwords can then be used by those with malicious intent to exploit your website.

Below are the steps you need to take to install and configure the “Semisecure Login Reimagined” plugin.

  1. Download the plugin here: http://wordpress.org/extend/plugins/semisecure-login-reimagined/ 

  2. Once downloaded, right click on the package and click “Extract here.”

  3. This will extract the folder named semisecure-login-reimagined.

  4. Upload this folder to the wp-content/plugins directory of your WordPress website.

  5. Log in to your WordPress admin panel and then go to the “Plugins” section.

  6. Activate the Semisecure Login Reimagined plugin.

  7. Under “Settings” click the “Semisecure Login” link.

  8. You need to generate a strong key. Under the “number of bits,” change “2048 bits” to “3072 bits,” and then click “Generate Key.”

  9. Once it’s completed, change your WordPress admin password by going to “Your Profile” under “Users.”

  10. Log out from the WordPress admin panel and clear your browser cache and entire history.

  11. Try logging in with your new WordPress admin password. This time, this password is encrypted on its way to your WordPress website server.

Tip 5: Back Up WordPress and Update Core Files

This is very important. Once you see a warning in your WordPress admin dashboard telling you to update because a new WordPress version has been released, you need to update your core files immediately — provided you have completed backups of your WordPress database and theme files.

Read this important guide pertaining to the technical procedure on how to back up WordPress files and its database: http://codex.wordpress.org/WordPress_Backups

It is advisable to install WordPress on a local web server, such as XAMPP, on your own computer and restore your backup database and files there. The objective is to test that you have a fully working WordPress backup.

You can also read this guide on how to back up your WordPress website and database without using a commercial solution; it also shows you how to test the backups on a local server: http://www.devshed.com/c/a/Administration/How-to-Back-Up-WordPress-Files-and-Databases/
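
The backup procedure in the guides linked above can be scripted. The script below is an added example written for this article, not code from the article or from the WordPress Codex: it reads the database settings out of wp-config.php, builds the mysqldump command for the database half of the backup, archives the file half (wp-config.php and wp-content), and then verifies the archive, which is the “test your backup” step described above. The site tree it works on is constructed in a temporary directory with placeholder credentials, and the mysqldump command is built but not executed.

```python
"""Added example (not part of the article or of the WordPress Codex guide it
links to): a small backup helper for Tip 5.  It reads the database settings
out of wp-config.php, builds the mysqldump command for the database half of
the backup, archives the file half (wp-config.php and wp-content) and then
verifies the archive, which is the "test your backup" step the article asks
for.  The site tree below is constructed in a temporary directory with
placeholder credentials; the mysqldump command is built but not executed."""
import hashlib
import os
import re
import tarfile
import tempfile
import time

# Constructed wp-config.php fragment (placeholder values, not real credentials).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wp_example');
define("DB_USER", 'wp_user');
define('DB_PASSWORD', 'placeholder-not-a-real-password');
define('DB_HOST', 'localhost');
"""

# Matches define('DB_XXX', 'value') with either quote style.
_DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def read_db_settings(wp_config_path):
    """Return the DB_* constants from wp-config.php as a dict."""
    with open(wp_config_path, encoding="utf-8") as fh:
        return dict(_DEFINE_RE.findall(fh.read()))


def mysqldump_argv(settings, dump_path):
    """Build the mysqldump command.  The password is deliberately left out of
    the argument list (it would be visible in the process list); the caller
    supplies it through the MYSQL_PWD environment variable or a ~/.my.cnf."""
    return ["mysqldump", "--single-transaction",
            f"--host={settings['DB_HOST']}", f"--user={settings['DB_USER']}",
            f"--result-file={dump_path}", settings["DB_NAME"]]


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def archive_site(site_root, out_dir):
    """Tar wp-config.php and wp-content; return (archive path, sha256 hex)."""
    archive = os.path.join(out_dir, time.strftime("wp-files-%Y%m%d-%H%M%S.tar.gz"))
    with tarfile.open(archive, "w:gz") as tar:
        for name in ("wp-config.php", "wp-content"):
            tar.add(os.path.join(site_root, name), arcname=name)
    os.chmod(archive, 0o600)  # the archive holds the DB credentials
    return archive, sha256_of(archive)


def verify_archive(archive, expected_sha256):
    """Return the member names if the hash matches and every file member
    decompresses cleanly; raise ValueError otherwise."""
    if sha256_of(archive) != expected_sha256:
        raise ValueError("archive hash mismatch: backup is corrupt or was modified")
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                tar.extractfile(member).read()  # forces the gzip CRC check
        return tar.getnames()


def build_sample_site():
    """Construct a tiny WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_WP_CONFIG)
    with open(os.path.join(theme, "style.css"), "w", encoding="utf-8") as fh:
        fh.write("/* Theme Name: demo */\n")
    return root


def run_demo():
    """Run the whole flow on the constructed site; return the pieces for inspection."""
    site = build_sample_site()
    settings = read_db_settings(os.path.join(site, "wp-config.php"))
    argv = mysqldump_argv(settings, os.path.join(site, "db.sql"))
    archive, digest = archive_site(site, tempfile.mkdtemp(prefix="wp-backup-"))
    return {"settings": settings, "argv": argv, "archive": archive,
            "sha256": digest, "members": verify_archive(archive, digest)}


if __name__ == "__main__":
    result = run_demo()
    print("mysqldump:", " ".join(result["argv"]))
    print("archive:", result["archive"], result["sha256"])
    print("verified members:", result["members"])
```

Keep the recorded SHA-256 separately from the archive (for example in the log of the backup job); a later mismatch tells you the copy you are about to restore is not the one you made. The archive is given mode 0600 because wp-config.php inside it carries the database password, which is exactly the kind of file Tip 6 warns against leaving readable.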

Tip 6: Take Care of Your WordPress Admin Logins

Despite your efforts to provide encryption and security to your admin directory, things can still go wrong if you fail to take care of your WordPress admin logins.

Below are some important guidelines on how to protect your WordPress admin logins inside and outside of your computer:

1. Never upload a text file or any document file (such as an MS Office document) containing a password to your server or anywhere else on the Internet.

This is very risky, because search engines like Google are known to index obscure locations on your server, and malicious users can then mine your password from the Google index. Even in 2011, you can still find many WordPress websites whose administrators are not aware that their passwords are published online in a document file.

2. Never share admin login credentials with the other members of your team. The best rule of thumb is that only the team leader has the admin logins. This will minimize the occurrence of password leakage on the part of your team.

3. Put your admin password in a safe place. The most recommended safe place is KeePass (http://keepass.info/), which stores the password in an encrypted database.

4. Change your admin password once every three months. This is a good security practice that is even applied by most online banks.
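
Point 1 above can be enforced with a simple pre-deployment check. The script below is an added example, not code from the article: it walks a web root and flags files that should never sit on a public server (notes, office documents, database dumps and leftover copies) as well as plain-text files that contain a password-like setting. wp-config.php is exempt because it is the one file that legitimately holds the database password, and PHP files are not grepped because their code mentions passwords for legitimate reasons. The sample tree and its placeholder secrets are constructed in a temporary directory.

```python
"""Added example (not from the article): a pre-deploy scan of a WordPress
web root that flags files which should never be on a public server:
document and dump files (.txt, .docx, .sql, .bak, ...) and plain-text files
containing a password-like setting.  wp-config.php is exempt because it is
the one file that legitimately holds DB_PASSWORD.  The sample tree and its
placeholder secrets are constructed in a temporary directory."""
import os
import re
import tempfile

# Extensions that indicate a note, office document, dump or leftover copy.
RISKY_SUFFIXES = {".txt", ".doc", ".docx", ".xls", ".xlsx", ".sql", ".bak", ".old", ".zip"}
# Plain-text types worth grepping (PHP is skipped: its code mentions passwords legitimately).
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".log", ".ini", ".conf", ".sql", ".bak", ".old", ".env"}
# A credential assignment such as "password: x", "pwd=x" or "DB_PASSWORD = x".
SECRET_RE = re.compile(r"(?i)\b(?:pass(?:word)?|pwd|db_password)\b\s*[:=]\s*\S+")
# Files WordPress ships that match the suffix rule but are expected to be public.
EXPECTED_PUBLIC = {"robots.txt", "license.txt", "readme.html", "wp-config-sample.php"}
MAX_READ = 1 << 20  # grep at most 1 MiB per file


def scan_webroot(root):
    """Return sorted (relative path, reason) pairs for everything that looks risky."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in EXPECTED_PUBLIC or name == "wp-config.php":
                continue
            suffix = os.path.splitext(name)[1].lower()
            if suffix in RISKY_SUFFIXES:
                findings.append((rel, f"{suffix} file should not be in the web root"))
            if suffix in TEXT_SUFFIXES:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    if SECRET_RE.search(fh.read(MAX_READ)):
                        findings.append((rel, "contains a password-like setting"))
    return sorted(findings)


def build_sample_tree():
    """Construct a small web root with two mistakes and three legitimate files."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    files = {  # constructed contents; the secrets are placeholders
        "wp-config.php": "<?php define('DB_PASSWORD', 'placeholder-not-real');\n",
        "robots.txt": "User-agent: *\n",
        "wp-content/themes/demo/style.css": "/* Theme Name: demo */\n",
        "wp-content/uploads/notes/logins.txt": "admin password: placeholder-not-real\n",
        "wp-content/uploads/site-backup.sql": "-- constructed dump, no real data\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def run_demo():
    """Scan the constructed tree and return its findings."""
    return scan_webroot(build_sample_tree())


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Run it against a copy of the site before uploading, and again after each restore from backup, since a backup archive dropped into the web root is one of the commonest ways a database dump ends up reachable by a search engine.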

Tip 7: Read the Final Advice on WordPress Security

WordPress has indeed written a very useful guide on hardening WordPress here: http://codex.wordpress.org/Hardening_WordPress

If you are a beginner or interested in further securing your website beyond those tips, it is highly recommended that you read the guide and implement it on your WordPress website.

There are also great security plugins, such as BulletProof Security (http://wordpress.org/extend/plugins/bulletproof-security/), but it is recommended that you understand the basic security concepts before diving in and relying entirely on plugin-based solutions.
