In this article we will discuss WordPress security and give you 20 tips to enhance the security of your blog.
Tip 1: Consider Htaccess Authentication to Keep Hackers Away from the WordPress Login Page
I won’t get into specifics here because I have covered it before in an article but there is a way to prevent access to the WordPress login page (wp-login.php) with a few commands in the .htaccess file.
This video will go into some of the more advanced htaccess files using a FilesMatch directive
.htaccess is processed before any PHP files on the site, so it can behave as a firewall of sorts. You can simply tell it to authenticate a user any time they attempt to access a specific folder, set of files, or individual file. This offers double authentication when blocking the WordPress login page in this manner.
One of the lines in .htaccess will have a path to a plain text file that contains rows (or even just one row) of usernames and passwords. The passwords are encrypted so a tool must be used to generate them (unless you are a cyborg) from a plain text password. This prevention method can stop a casual hacker in their tracks.
Some WordPress users are hiding the login pages (and all WordPress admin files for that matter) from the public, and only authenticated users can view the files. This can be done in .htaccess as well. It can get tricky, don’t lock yourself out too.
There is one method being employed in the wild as well where a cookie has to be present on a given computer before the WordPress login page becomes accessible. In order to create the cookie, the root of the site has to be visted with a secret code in the querystring. Once .htaccess identifies that secret key as valid, the cookie is planted, and the WordPress login page is no longer hidden.
Tip 2: Avoid Brute Force Attacks, Avoid Auto Installs
WordPress in it’s default nature is prone to brute force attacks. What that means is a script and a collection of computers will attempt to login to a WordPress site by guessing the password against a set of known passwords, etc. until it sees success.
What does someone (or something) need to know, in general, to gain access to a password protected WordPress site? Well, there are 3 things.
1. The WordPress login URL. That’s easy, in general it is website-example.com/wp-login.php. It doesn’t take much poking around to determine that.
2. The username of one of the WordPress accounts. That’s easy too. Most of the time WordPress gets installed with a default “admin” account.
3. The password for the Admin account. This, in most cases, is the only variable missing for someone wanting to gain access to a password protected site. Fortunately for the hacker-to-be people often use weak passwords. Using a dictionary or common names for password guesses can often provide the hacker access. Fortunately (for them) a computer program can do these checks rapidly.
Things To Avoid
Now, my suggestion is to avoid automatic installs of WordPress. There are a few reasons for that. Most often (from my experience with them) they:
Don’t do this:
1. keep the default username as “admin” without prompting to change it
2. keep the default table prefix for the database as “wp_”
3. install an outdated version of WordPress (this one is only a sometimes, in fact it is rare but I have seen it done – the better ones will download the latest version on-the-fly)
Tip 3: Install WordPress Yourself, it is Simple
I can get a WordPress install done in minutes. It’s a very very simple process when you know what you are doing. It’s how I started and how I will always do it. I know I have demonstrated the use of the quick installs in video tutorials in the past but it’s only because some people want to go that route.
But here’s the quick process for installing manually (keeping security in mind along the way).
1. Create a new MySQL database and user, giving the user all priveleges.
2. Download the latest version of WordPress from WordPress.org.
3. Unzip the files onto your computer.
4. Rename wp-config-sample.php to wp-config.php.
5. Modify the wp-config.php file to reflect the database info, use a table prefix other than “wp_” and use random values from the WordPress Secret Key Generator for WordPress salts.
6. Upload the files.
7. Browse to the web site root and go through the install process.
8. Choose an admin user name other that “admin.”
9. Create a strong password. A strong password may consist of 15 or more characters. The characters can be a good mix of upper and lower case letters, number and symbols.
Video Demonstrating How to Secure WordPress During Installation
Tip 4: Use a Password Manager
If Random Strong Passwords are Too Difficult to Use for you, or Get a Good Password Management and Generation Tool
Many people find that it’s too difficult to work with such obscure passwords because they can’t memorize them. I suggest using a browser attachment password manager to memorize passwords for you. There are also password managers that work in the cloud, or on USB drives.
RoboForm is an example that has all three options available which also synchs passwords between all three methods. I have used them all but have recently removed my passwords from the cloud after the recent attacks on many big name web sites. That and RoboForm didn’t address my Tweet when I asked how they can make me feel comfortable holding onto my passwords in the cloud.
At any rate, if you don’t want to use a password manager, then perhaps use complete sentences for passwords. A sentence including spaces and punctuation can be used as a secure password. Make it a sentence that is simple to remember for you, but will still be difficult for a computer program to guess. Here’s an example:
I refuse to use a pa$$word Generation tool, so I am using A sentence INSTEAD so THERE!
For fun I entered “i love you so much!” into a password strength tool to see how long it would take (on average) for a dektop computer to “crack” the password. That particular password (i love you so much!) would take 36238251889588470 years to crack. I’d say that qualifies as secure. The previous example above would take 3.483806002044839e+148 years. Feel me? Sentences are secure.
We discussed ways in which WordPress is arguably insecure as a default install, especially when using the auto installs that many hosts provide. I explained how simple and straightforward it is to install WordPress the manual way, how to protect it with a .htaccess file and shot a video detailing some of the steps for securing during installation.
I closed out discussing strong passwords and how using a sentence with spaces and puctuation, even a short memorable sentence, as a password can be highly secure. Let’s close out with some examples of further security tweaks that can be performed to keep WordPress even more secure.
Best Practices: Miscellaneous Security Options for WordPress
In conclusion I will add several other security tweaks that can be performed to keep WordPress on lock down from unwanted guests.
- 5) Keep regular database backups.
- 6) Keep a backup of important files like .htaccess and wp-config.php.
- 7) Remove WP Generator meta info.
- 8) Change your WordPress nickname and display name to be different from your WordPress username.
- 9) Limit the number of login attempts an IP address can make before being locked out.
- 10) Log and get email alerts for failed login attempts.
- 11) Display non-revealing error messages.
- 12) Force a user to be logged out after a specific period of inactivity.
- 13) Be certain file permissions aren’t too permissable.
- 14) Ban IP addresses from the site for spamming or for hack attempts.
- 15) Keep WordPress up to date.
- 16) Keep themes up to date. Delete themes that aren’t being used (expect the default ones).
- 17) Keep plugins up to date and delete unused ones.
- 18) Ask the WordPress gods to keep your WordPress sites safe and secure before you lay your head down to sleep each night.
- 19) Consider doing research on gotroot and mod_security to make sure hackers cannot use XSS exploits
- 20) Consider doing research on CSF firewall, one of the most enhanced firewall solutions for Linux servers