10 Steps to a Secure WordPress Website

It is the platform chosen by CNN and the NYTimes; it powers 22 percent of the new sites born in the US and 64 percent of the top 1 million sites on earth. WordPress is no stranger to internet users. Because it is open source, anyone is free to do whatever they want with the WordPress code, which has been a significant factor in its rapid development in a short time.

Steps to secure WordPress blog

Having the right to completely control the software sounds amazing; however, it is not always the sweetest thing in the world. Being both popular and open source, WordPress is bound to attract intruders. You, as a publisher, should be vigilant about the security of your website. The following guide will help you secure your site against attackers and potential threats.

Use Secure Passwords

Choosing a secure password for your WordPress site is critical for its security. Length, complexity, variation of characters, and using a password unique to your WordPress site all matter when selecting a good password. Avoid words found in dictionaries, since they can be cracked in no time with a dictionary attack. Words spelled backwards, common abbreviations, and sequential keyboard characters such as ‘qwert’ are discouraged as well. A secure password may in fact be a passphrase mixing upper-case and lower-case letters with numbers, symbols and punctuation. This protects your WordPress site from brute-force attacks on the password. WordPress has a password strength meter to measure the strength of your chosen password, so use this feature to select a secure one.

Minimize Vulnerabilities in WordPress, Web server, Network connection

Always update to the latest stable version of WordPress. Running an older version of the software is an open invitation to attackers, because WordPress does not provide security updates for older versions. Once a security hole has been exploited, the news spreads through public channels faster than you would think, greatly increasing the chance of your site being attacked. Automatic updates have been available in WordPress since version 2.7, making it easier for you to stay up to date with the latest security fixes. If you manage more than one WordPress installation, using Subversion, the source code version control system used by WordPress itself, is recommended.

Shared servers carry more security risk than dedicated ones; therefore it is always best to keep all sensitive data, including session data, securely stored in a database, if you use one. Using a trusted web host is also very important. The network connection you use should be encrypted and trusted. Remember to keep the firewall protecting your network up to date, because passwords and other sensitive data can be stolen through security holes in network connections.

Use SFTP encryption when connecting to your server

FTP (File Transfer Protocol) has several security weaknesses: user names and passwords are sent in clear text over the network, and the data transferred can be captured and read by unauthorized third parties. Secure FTP, abbreviated SFTP, uses SSH to transfer files, encrypting passwords and sensitive data before they cross the network. Using an SFTP connection is a safe way to transmit data and minimizes the probability of interception.

Manage the file permissions

WordPress typically allows write access to your files to support certain features; however, this poses a potential threat, especially on a shared host. Locking down your file permissions wherever possible, and creating specific, less restricted folders for uploads and the like, is good practice security-wise.

/wp-admin/ – files should be writable only by your user account. It is also best to lock down this directory for an additional layer of protection, which we discuss later in the post. /wp-includes/ contains the WordPress application logic; only your user account should have write access to this directory. Blocking scripts that a user does not normally access, using mod_rewrite rules in the .htaccess file, adds a second layer of protection for your files.
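The permission lockdown described above, as an added example that is not code from the original post: it builds a small constructed WordPress tree, applies the usual modes (755 for directories, 644 for files, 400 for wp-config.php, 775 for the uploads directory), and then verifies that nothing in the tree is world-writable. The directory names are WordPress's own; the chosen modes, the sample tree and the GNU `stat -c` call are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: lock down the permissions of a
# WordPress tree and verify the result. The directory names are WordPress's
# own; the sample tree, the modes chosen (755/644, 400 for wp-config.php,
# 775 for uploads) and the GNU stat invocation are this example's assumptions.
set -e

# Build a small constructed WordPress tree so the script runs offline.
wp_make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-admin" "$root/wp-includes" \
             "$root/wp-content/uploads" "$root/wp-content/plugins"
    for f in "$root/index.php" "$root/wp-config.php" "$root/wp-admin/admin.php" \
             "$root/wp-includes/functions.php" "$root/wp-content/plugins/demo.php"; do
        printf '<?php // constructed sample file\n' > "$f"
    done
    chmod -R 777 "$root"    # deliberately far too open, as many installs are
}

# Hardening pass: directories 755, files 644, wp-config.php 400 (owner read
# only), uploads writable by the web server's group (775).
wp_lock_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 400 "$root/wp-config.php"
    chmod 775 "$root/wp-content/uploads"
}

# Octal mode of a path (GNU coreutils stat; BSD/macOS would need stat -f %Lp).
wp_mode() { stat -c '%a' "$1"; }

# Verify the lockdown: prints "ok" and returns 0 only when every rule holds.
wp_check_permissions() {
    root="$1"
    if [ "$(wp_mode "$root/wp-config.php")" != "400" ]; then
        echo "wp-config.php mode is $(wp_mode "$root/wp-config.php"), expected 400"; return 1
    fi
    if [ "$(wp_mode "$root/wp-content/uploads")" != "775" ]; then
        echo "uploads directory is not 775"; return 1
    fi
    # Nothing in the tree may be world-writable (-perm -002 is POSIX find).
    if [ -n "$(find "$root" -perm -002 -print | head -n 1)" ]; then
        echo "world-writable path found under $root"; return 1
    fi
    echo ok
}

main() {
    tmp="$(mktemp -d)"
    wp_make_sample_tree "$tmp/site"
    wp_lock_permissions "$tmp/site"
    wp_check_permissions "$tmp/site"
    rm -rf "$tmp"
}
main
```

On a real install you would run `wp_lock_permissions` against the document root and then `wp_check_permissions` from a cron job, so that a plugin or a careless `chmod 777` that reopens the tree is reported rather than silently left in place.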

Database Security Matters

Once a database has been compromised, all your valuable data is in the attacker's hands, so it is very important to take the necessary steps to secure it. If you manage multiple blogs, keeping them on different servers rather than in one place reduces the risk of all your data being exposed by a single attack.

Regulating access to the information contained in tables, using role-based authentication when granting database access (typically for the administrator, user, programmer and operator roles), and encrypting data both at rest and in transit are general best practices for database security. If you administer MySQL yourself, you can apply some further configuration changes: disable TCP networking if the database only needs to be accessed locally, not remotely; disable the use of symlinks; and restrict the number of connections allowed for a single user.
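The three MySQL settings just listed, as an added example that is not code from the original post: a small audit script that reads a my.cnf, keeps only its `[mysqld]` section and reports which of the hardening directives is missing. The option names (`skip-networking`, `bind-address`, `symbolic-links`, `max_user_connections`) are real MySQL server options; the two configuration files it compares are constructed for the demo and the paths in them are placeholders.

```shell
#!/bin/sh
# Added example, not code from the article: audit a my.cnf for the three
# [mysqld] hardening settings mentioned above. The option names
# (skip-networking, bind-address, symbolic-links, max_user_connections) are
# real MySQL server options; the two configuration files are constructed
# for the demo and the file paths are placeholders.
set -e

# Print one "missing: ..." line for each hardening directive absent from the
# [mysqld] section of the file given as $1; return the number missing.
mysql_cnf_audit() {
    # Keep only the [mysqld] section, minus comments and blank lines.
    section="$(awk '
        /^\[/ { in_mysqld = ($0 == "[mysqld]"); next }
        in_mysqld && !/^[[:space:]]*#/ && NF
    ' "$1")"
    missing=0
    # 1. No TCP listener at all, or a listener bound to loopback only.
    if ! printf '%s\n' "$section" | grep -Eq '^skip[-_]networking|^bind[-_]address[[:space:]]*=[[:space:]]*127\.0\.0\.1$'; then
        echo "missing: skip-networking (or bind-address = 127.0.0.1)"; missing=$((missing + 1))
    fi
    # 2. Symlinks to tables outside the data directory disabled.
    if ! printf '%s\n' "$section" | grep -Eq '^symbolic[-_]links[[:space:]]*=[[:space:]]*0$'; then
        echo "missing: symbolic-links = 0"; missing=$((missing + 1))
    fi
    # 3. A per-account cap on simultaneous connections.
    if ! printf '%s\n' "$section" | grep -Eq '^max_user_connections[[:space:]]*=[[:space:]]*[1-9][0-9]*$'; then
        echo "missing: max_user_connections = <limit>"; missing=$((missing + 1))
    fi
    return "$missing"
}

# A typical default-ish config: listens on all interfaces, symlinks allowed.
write_weak_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
bind-address = 0.0.0.0
symbolic-links = 1

[client]
port = 3306
EOF
}

# The same server hardened for a WordPress install living on the same host.
write_hardened_cnf() {
    cat > "$1" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
# WordPress runs on this host, so MySQL needs no TCP listener at all.
skip-networking
symbolic-links = 0
max_user_connections = 20
EOF
}

main() {
    tmp="$(mktemp -d)"
    write_weak_cnf "$tmp/weak.cnf"
    write_hardened_cnf "$tmp/hardened.cnf"
    for f in weak hardened; do
        echo "== $f.cnf"
        mysql_cnf_audit "$tmp/$f.cnf" || echo "$? setting(s) missing"
    done
    rm -rf "$tmp"
}
main
```

The weak file reports all three settings missing; the hardened one reports none. `skip-networking` is the right choice only when PHP and MySQL share a host, which is the case the article describes; if the database is on a separate server, the loopback `bind-address` check will not apply and you would restrict the listener with a firewall instead.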

Secure the wp-admin Directory

Although the wp-admin directory is already password protected, it is important to add a second, server-side layer of password protection to it, since that forces an attacker to break through this additional layer before reaching your actual data. Specially crafted HTTP requests sent to your server to target specific vulnerabilities (outdated plugins, for example) and brute-force attacks on your passwords are the most common attacks on a typical WordPress blog. Note that many WordPress attacks are carried out by automated bots. Preventing Google's crawlers and other bots that honour robots.txt from indexing anything other than your actual content also reduces your exposure to hackers.

Secure the wp-config.php File

The wp-config.php file contains your database details and many configuration parameters for your site. Changing the database table prefix, disabling editing of themes and plugins, changing the security keys, and moving wp-config.php to the directory above your WordPress installation, outside the web root, are some precautions you can take before an attack. Note, however, that moving wp-config.php may introduce serious problems if it is not done correctly.

Changing the file's permissions so that only you and the web server can read it (typically 400 or 440) is important as well. Permissions can be changed using FTP or cPanel. Modifying the .htaccess file also prevents wp-config.php from being accessed by unauthorized parties.
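The .htaccess protection mentioned here, together with the mod_rewrite blocking of wp-includes scripts from the file permissions section, as an added example that is not code from the original post: a script that writes the fragment and then checks that both protections are present. It assumes Apache 2.4 (`Require all denied` syntax) with mod_rewrite enabled and `AllowOverride` permitting these directives; the rewrite rules are the long-standing ones from the WordPress hardening documentation, and the target path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the article: write an .htaccess fragment that
# refuses direct HTTP requests for wp-config.php and for the wp-includes
# scripts a browser never needs, then check the written file. Assumes
# Apache 2.4 (Require syntax) with mod_rewrite enabled and AllowOverride
# permitting these directives; the target path is whatever you pass in.
set -e

wp_write_htaccess() {
    cat > "$1" <<'EOF'
# Refuse direct requests for wp-config.php, even if a server misconfiguration
# ever stops PHP from processing it and serves it as text.
<Files wp-config.php>
    Require all denied
</Files>

# Block direct access to PHP files under wp-includes. The S=3 skips the three
# following rules for any request that is not for wp-includes.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
EOF
}

# Prints "ok" and returns 0 only if the file carries both protections.
wp_check_htaccess() {
    grep -qF '<Files wp-config.php>' "$1" || return 1
    grep -qF 'Require all denied' "$1" || return 1
    grep -qF 'RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]' "$1" || return 1
    echo ok
}

main() {
    if [ $# -ge 1 ]; then
        # Real use: ./script.sh /var/www/html/.htaccess (path is a placeholder)
        wp_write_htaccess "$1" && wp_check_htaccess "$1" && echo "wrote $1"
    else
        # Demo: write to a temp file, show it, clean up.
        tmp="$(mktemp)"
        wp_write_htaccess "$tmp"
        wp_check_htaccess "$tmp"
        cat "$tmp"
        rm -f "$tmp"
    fi
}
main "$@"
```

After deploying, confirm the effect from outside with a plain request for `/wp-config.php`: a 403 means the `<Files>` block is active, a 200 with PHP source means `AllowOverride` is not letting the file take effect.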

Be Careful When Using Plug-ins

A recent study showed that 8 of the top 10 Google results for ‘free WordPress themes’ contained malware in their code. It is always best to get your themes and plugins from the official WordPress repository. Keeping your plugins updated, and removing any plugin you no longer use from the system, keeps you out of trouble. When you use plugins that need write access to your WordPress files and directories, read the code carefully to make sure there are no suspicious lines embedded in it. If you cannot read code, have someone trustworthy examine it for you. Better yet, avoid such plugins unless they are absolutely necessary for your website. Code-execution plugins that allow arbitrary PHP code to be run from database entries magnify the potential damage if your site is compromised.
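A starting point for the "read the code" advice above, as an added example that is not code from the original post: a grep-based triage of a theme or plugin directory that lists lines using the PHP constructs most often seen in injected code. A hit is a reason to read that line, not proof of malware, and a clean result does not prove the code safe. The sample plugin is constructed for the demo; its "payload" string decodes to a harmless `echo` statement.

```shell
#!/bin/sh
# Added example, not code from the article: a first-pass triage of a theme
# or plugin directory before you install it. It lists lines using the PHP
# constructs most often found in injected code (eval, base64_decode,
# gzinflate, str_rot13, create_function, preg_replace with the /e modifier,
# runs of hex-escaped characters). A hit is a reason to read that line, not
# proof of malware. The sample plugin is constructed for the demo; its
# "payload" decodes to a harmless echo statement.
set -e

SUSPICIOUS='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|create_function[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e[^a-zA-Z0-9]|(\\x[0-9a-fA-F]{2}){4}'

# Print "file:line:text" for every suspicious line under $1 (nothing if clean).
wp_scan_plugin_dir() {
    grep -rnE --include='*.php' "$SUSPICIOUS" "$1" || true
}

# Number of suspicious lines under $1, for scripting.
wp_scan_plugin_count() {
    wp_scan_plugin_dir "$1" | grep -c . || true
}

write_sample_plugin() {
    mkdir -p "$1"
    cat > "$1/widget.php" <<'EOF'
<?php
/* Plugin Name: Demo Widget (constructed for this example) */
function demo_widget_text() {
    return esc_html('hello');
}
// The next two lines imitate the shape of code found in repackaged themes:
// an obfuscated string handed to a PHP evaluation call.
$p = "ZWNobyAnaGknOw==";
eval(base64_decode($p));
EOF
}

main() {
    tmp="$(mktemp -d)"
    write_sample_plugin "$tmp/demo-widget"
    echo "suspicious lines: $(wp_scan_plugin_count "$tmp/demo-widget")"
    wp_scan_plugin_dir "$tmp/demo-widget"
    rm -rf "$tmp"
}
main
```

Run `wp_scan_plugin_dir` over the unpacked archive before it ever touches the live site; anything it flags in a plugin from outside the official repository deserves a line-by-line read, and a plugin that needs such constructs for legitimate reasons is rare.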

Backup Data Regularly

Backing up your data, including the MySQL database, is an essential strategy for safeguarding your WordPress site. Encrypting backups and storing them on read-only media reduces the risk of unauthorized access to your data. Backups can be made using cPanel X, phpMyAdmin, plain MySQL commands, or the WordPress Database Backup plugin; advanced tutorials on these methods can be found online. Keeping regular backups makes it possible to restore your site easily if an attacker brings it down.

Monitor Your Site’s Behavior

Following security measures is important, but it is not enough. Closely monitoring your site's activity is essential for keeping it secure. Reviewing your logs for password-guessing attempts and other web attacks gives you a bigger picture of your site's security. With an open source host-based intrusion detection system such as OSSEC you get real-time alerts on intrusions and can block them quite easily. An attack usually leaves traces in the logs or in the file system; OSSEC checks file integrity and notifies you when any file, directory or registry entry changes. Apart from OSSEC, a web-based integrity monitoring service can also detect changes to your site, including any malware injected into it.
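The two kinds of monitoring described above, as an added example that is not code from the original post and not part of OSSEC: `wp_login_guessers` counts, per source address, the `wp-login.php` POSTs in an Apache combined-format access log that came back with HTTP 200 (a failed WordPress login re-renders the form with 200, a successful one redirects with 302, which is the heuristic this relies on) and flags addresses over a threshold; `wp_baseline` and `wp_verify` take a SHA-256 manifest of the site tree and report files that changed since, the same idea as OSSEC's file-integrity check, done with coreutils `sha256sum`. The log lines and file tree are constructed for the demo; the addresses come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the article: two checks for the monitoring
# step. wp_login_guessers counts wp-login.php POSTs that came back with
# HTTP 200 per source address in an Apache combined-format access log (a
# failed WordPress login re-renders the form with 200, a successful one
# redirects with 302) and flags sources over a threshold. wp_baseline and
# wp_verify take a SHA-256 manifest of a WordPress tree and report files
# that changed since, the idea behind OSSEC's file-integrity check, done
# with coreutils. The log lines and file tree are constructed for the demo;
# the addresses come from the RFC 5737 documentation ranges.
set -e

write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [19/Dec/2012:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2012:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2012:10:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2012:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2012:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Dec/2012:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Dec/2012:10:01:30 +0000] "GET /2012/12/hello-world/ HTTP/1.1" 200 10342 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2012:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2893 "-" "Mozilla/5.0"
EOF
}

# Usage: wp_login_guessers ACCESS_LOG THRESHOLD  -> lines of "ip count"
wp_login_guessers() {
    awk -v thr="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= thr) printf "%s %d\n", ip, n[ip] }
    ' "$1" | sort
}

# Usage: wp_baseline SITE_DIR MANIFEST  (MANIFEST must be an absolute path)
wp_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2) > "$2"
}

# Usage: wp_verify SITE_DIR MANIFEST  -> one changed or missing path per line
wp_verify() {
    (cd "$1" && sha256sum -c --quiet "$2") 2>&1 | sed -n 's/: FAILED.*//p'
}

main() {
    tmp="$(mktemp -d)"
    write_sample_log "$tmp/access.log"
    echo "addresses with 5 or more failed logins:"
    wp_login_guessers "$tmp/access.log" 5

    mkdir -p "$tmp/site/wp-includes"
    printf '<?php // index\n' > "$tmp/site/index.php"
    printf '<?php // functions\n' > "$tmp/site/wp-includes/functions.php"
    wp_baseline "$tmp/site" "$tmp/baseline.sha256"
    printf '<?php // modified after the baseline\n' > "$tmp/site/index.php"
    echo "files changed since baseline:"
    wp_verify "$tmp/site" "$tmp/baseline.sha256"
    rm -rf "$tmp"
}
main
```

Keep the manifest outside the web root (and ideally on a different host), regenerate it after every legitimate update, and treat any path `wp_verify` reports that you did not change yourself as the trace the article says an attack leaves in the file system.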

This guest post is by Tim Edmonds, a freelance technical writer. Tim currently writes for Bosch power tools.


Tim Edmonds is a software developer and a technical writer with over a decade of successful professional experience. Currently Tim writes for Bosch service center located in Ukraine.

3 Responses to “10 Steps to a Secure WordPress Website”

  1. John

    Dec 19. 2012

    I am really frustrated by those viruses on my WordPress website. It really irritates me. I hope I can fix it from this. :/

    • Avinash

      Dec 29. 2012

      Hi John, thanks for commenting. Are you sure you really have viruses on your WordPress blog? I think it's some JavaScript doing additional functionality. Just use an online tool to check and analyze your public WordPress website.

  2. Scot Famt

    Dec 20. 2012

    Good and easy tips for a secure WordPress blog. Thanks for the review.
