WordPress has become one of the most popular content management systems for new websites. It is used by over 14.7% of Alexa Internet’s “top 1 million” websites, and it is reported that 22% of all new websites are built with it. Not only is it easy to use, it also comes with a huge catalogue of plugins and themes to choose from, making it extremely customizable.
However, like all other popular platforms, it is a prime target for hackers who try to exploit vulnerabilities on a daily basis.
What’s crazy is that as I was writing this tutorial, one of my clients’ sites was hacked. The type of hack that hit them could have been completely avoided if they had followed the tips outlined in this tutorial.
The best approach to security is to start with prevention. It’s much faster and cheaper than having to deal with a hacked website. While you can never secure your site completely, you can prevent the majority of attacks with a relatively small amount of effort.
For those who are not sure how to beef up your WordPress security, here is a checklist for you to follow to keep your site safe.
Remove WordPress Version
By default WordPress prints the version it is running in the page source, as a generator meta tag in the head of every page.
The problem is that once a vulnerability is published for a particular version, anyone can search for sites that advertise that version and attack them, with no fingerprinting effort at all.
Most other tutorials will tell you to remove the ‘wp_generator’ action from ‘wp_head’. The problem with that method is that it only covers the HTML head: the version is still in your RSS and Atom feeds, and attackers know to look there.
To remove the version number from the page source and from the feeds at the same time, add the following line to your theme’s functions.php file:
add_filter( 'the_generator', '__return_null' );
You can edit your theme’s functions.php by logging in as an administrator, going to Appearance > Editor and selecting “Theme Functions” (functions.php) from the right-hand side. Be careful with that editor, though: a single syntax error takes the whole site down, including the editor you would need to fix it, so editing the file over SFTP is safer, and many hardening guides disable the built-in editor altogether by setting DISALLOW_FILE_EDIT in wp-config.php.
Add the code before the closing ?> tag, if the file has one (many themes leave it off, in which case the line simply goes at the end). Keep in mind that a theme update overwrites functions.php, so if you are not using a child theme, a small must-use plugin in wp-content/mu-plugins is a more durable home for lines like this.
This goes hand-in-hand with the previous tip. Delete the readme.html file from your WordPress installation directory, as it also advertises your version to the world. Core updates put it back, so re-check it after every update. Bear in mind that all of this is obscurity: scripts and styles still carry ?ver= query strings that default to the core version, so a determined attacker can work it out anyway. Hiding the version stops casual scanners; the only thing that actually fixes a vulnerable version is the update itself (see below).
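As an added example (not code from the original post), here is a small shell script that checks whether the fix actually took, by looking in the three places the version shows up: the generator meta tag in the page head, the generator element in the feed, and the “Version x.y.z” line in readme.html. Pipe a curl of each URL into it; example.com and the script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the version leak is
# really closed. Pipe the body of the front page, the feed and readme.html
# through wp_version_leak; it prints every version string it recognises and
# returns 0 (something leaked) or 1 (clean). example.com is a placeholder.
#
#   curl -s https://example.com/            | wp_version_leak
#   curl -s https://example.com/feed/       | wp_version_leak
#   curl -s https://example.com/readme.html | wp_version_leak

wp_version_leak() {
    # The three places the post talks about, in the markup WordPress emits:
    #   head:   <meta name="generator" content="WordPress 3.5.1" />
    #   feed:   <generator>http://wordpress.org/?v=3.5.1</generator>
    #   readme: <br /> Version 3.5.1
    # Asset URLs such as script.js?ver=3.5.1 can leak it too, but a ?ver=
    # value is only the core version when the asset has no version of its own,
    # so they are not flagged here.
    found=$(sed -n \
        -e 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/head:\1/p' \
        -e 's/.*<generator>[^<]*?v=\([0-9][0-9.]*\)<\/generator>.*/feed:\1/p' \
        -e 's/.*<br \/> *Version \([0-9][0-9.]*\).*/readme:\1/p')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# When run with URLs as arguments, fetch and check each one.
for url in "$@"; do
    if curl -sS "$url" | wp_version_leak; then
        echo "LEAK: $url"
    else
        echo "clean: $url"
    fi
done
```

Run it against the front page, the feed and readme.html after applying the changes above; a clean site prints nothing for all three. Keep the check in your deploy or update routine, since a core update restores readme.html.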
Update the Authentication Unique Keys and Salts
These keys and salts are what WordPress uses to sign and encrypt the cookies that keep you logged in (they are not involved in the stored password hashes, which have their own per-password salts). The practical benefit of changing them is that every existing cookie becomes invalid at once: if someone is logged into your site without your knowledge, they are logged out immediately, and so are you and your other users.
Use the generator at https://api.wordpress.org/secret-key/1.1/salt/ to produce a fresh set of eight values (four keys and four salts). Open the wp-config.php file inside the WordPress directory and overwrite the default define lines with the new ones. Do this whenever you suspect a compromise or after anyone with admin access leaves the project, not just once at install time.
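Added example, not from the original post: the same rotation from the command line, which is handy when you manage several sites or want to do it from a deploy script. It generates the eight values locally from /dev/urandom instead of fetching them from the wordpress.org API, keeps a .bak copy, and replaces only the eight define lines. The file path and script name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: rotate the eight keys and salts
# in wp-config.php from the command line, generating the values locally
# instead of fetching them from api.wordpress.org. The old file is kept as
# wp-config.php.bak. The path is a placeholder:
#   ./rotate-salts.sh /var/www/html/wp-config.php

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from a printable set that contains neither a single
# quote nor a backslash, so the value can sit in a single-quoted PHP string.
wp_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=,.;:/?|<>~{}-' </dev/urandom | head -c 64
}

# Print the current value of one key: salt_for AUTH_KEY wp-config.php
salt_for() {
    sed -n "s/^define('$1', '\(.*\)');\$/\1/p" "$2"
}

# Replace the define() line of each key with a freshly generated one. Lines
# that are not one of the eight defines pass through untouched; a warning is
# printed for any key that has no define() line.
rotate_salts() {
    cfg=$1
    tmp=$(mktemp) || return 1
    for k in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(wp_salt)"
    done >"$tmp"
    cp "$cfg" "$cfg.bak" || { rm -f "$tmp"; return 1; }
    awk -v q="'" '
        # first file: fresh defines, keyed by constant name (second quoted field)
        FNR == NR { split($0, f, q); fresh[f[2]] = $0; next }
        # second file: wp-config.php; swap the eight define() lines in place
        $0 ~ /^[ \t]*define[ \t]*\(/ && split($0, g, q) >= 2 && (g[2] in fresh) {
            print fresh[g[2]]; replaced[g[2]] = 1; next
        }
        { print }
        END {
            for (k in fresh) if (!(k in replaced))
                print "WARNING: no define() line for " k > "/dev/stderr"
        }
    ' "$tmp" "$cfg" >"$cfg.new" && mv "$cfg.new" "$cfg"
    status=$?
    rm -f "$tmp"
    return $status
}

# Command-line entry point.
if [ $# -eq 1 ]; then
    rotate_salts "$1"
fi
```

The character set deliberately matches what a single-quoted PHP string can hold unescaped; the script never touches the $table_prefix or database lines, and it warns rather than silently doing nothing if one of the eight defines is missing from the file.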
Don’t Use Your Administrator Account to Post Content
Your goal should be to give an attacker as little to work with as possible. Removing the version of WordPress is the first step, but there are lots of ways that hackers get into sites by relying on the predictable habits of their owners.
Predictability is not your friend, and posting content under an administrator account is predictable. The author name displayed on your posts, and the slug in your /author/ URLs, are by default the same as the login name. A password-guessing attack needs a username and a password; publishing the username hands half of the work to the attacker on a silver platter.
Instead reserve your administrator level account for backend work ONLY.
Create a new user account just for posting. Set the access level for that account to Contributor.
You can still make posts while logged in as your administrator account, just make sure that you set the author to your contributor account before you make it live.
If you’ve already created a bunch of content under the admin account, use the bulk editor to change the author for every post/page to your contributor account.
- Select all of the posts you want to edit
- Select “edit” from the bulk actions dropdown.
- Finally, choose the author that you want to use for the posts and click on the update button
NEVER Use “admin” as Your Administrator Account Username
By default WordPress creates the “admin” username and assigns it the administrator role. This is obviously predictable: automated login attacks try that name first, so leaving it in place hands the attacker the username half of the login.
If you are creating a new site with WordPress, you can set the administrator username at the time of install.
If you already have a site set up and the administrator username is “admin”, create a new administrator account, log in as that account, and delete the “admin” account. When WordPress asks what to do with the deleted user’s content, attribute it to another user rather than deleting it, or the posts disappear along with the account.
Block Directory Browsing
Usually, if you browse to a directory that has no index file, the web server lists every file in that folder, much like browsing through files and folders on your own computer. That tells an attacker exactly which plugins and uploads you have, version strings included.
To stop Apache from listing the files in a directory you need to add one line to your .htaccess file.
Open the .htaccess file in the root of your site (the directory that holds wp-config.php) and add the following line, Apache’s directive that turns off automatic indexes:
Options -Indexes
This only works on Apache (and only where AllowOverride permits it); nginx ignores .htaccess files entirely, but has directory listings off by default.
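Added example, not part of the original post: a script that makes the .htaccess change without duplicating the line on re-runs, finds the directories under the install that have no index file (the ones a misconfigured server would list), and checks a fetched response body for an index page. Paths and example.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Three helpers around directory
# listings on a WordPress install:
#   disable_indexes ROOT     appends "Options -Indexes" to ROOT/.htaccess once
#   dirs_without_index ROOT  lists directories that have no index.php/index.html
#   is_listing               reads a response body on stdin; true if it is an index page
# Typical use (paths and example.com are placeholders):
#   disable_indexes /var/www/html
#   dirs_without_index /var/www/html/wp-content
#   curl -s https://example.com/wp-content/uploads/ | is_listing && echo "still listing!"
# .htaccess is only honoured by Apache with AllowOverride enabled; nginx ignores
# it and has autoindex off by default.

disable_indexes() {
    ht="$1/.htaccess"
    # Idempotent: re-running must not append a second copy of the line.
    if [ -f "$ht" ] && grep -qi '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"; then
        return 0
    fi
    printf 'Options -Indexes\n' >>"$ht"
}

dirs_without_index() {
    # WordPress ships an empty index.php in wp-content/, plugins/ and themes/;
    # uploads/ and most plugin sub-folders do not have one, so those are what
    # a server with indexes enabled would list.
    find "$1" -type d \
        ! -exec sh -c 'test -e "$1/index.php" || test -e "$1/index.html"' sh {} \; \
        -print
}

is_listing() {
    # Both Apache mod_autoindex and nginx autoindex title the page "Index of /<path>".
    grep -qi '<title>Index of '
}
```

The is_listing check is worth running against wp-content/uploads/ and a plugin folder after the change, since a host that sets AllowOverride None will silently ignore the .htaccess line; in that case the directive has to go into the server configuration instead.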
Change the Database Tables Prefix
Most WordPress database attacks come through SQL injection vulnerabilities, usually in plugins. Renaming the database table prefix is a small extra hurdle for the automated scripts that exploit them.
By default, all WordPress database table names start with the prefix “wp_”.
If a hacker finds a SQL injection vulnerability in WordPress or a plugin (which does happen from time to time), the exploit scripts that circulate for it hardcode the default table names, so against a site with the default prefix they work straight out of the box.
Renaming the prefix breaks those canned scripts. Be clear about what it does not do, though: an attacker who can run their own queries can read the real table names from information_schema, or simply try the most common prefixes, so this is a speed bump, not a fix. The fix for an injection bug is the update that patches it.
New WordPress Install
If you are doing a new WordPress installation this is easily done when you set up the wp-config.php file with your database connection info. See the Change Table Prefix in wp-config.php section below for more details on how to do this.
Updating Existing WordPress Sites
If your existing site is using the default ‘wp_’ database table prefix, you can change that by following these steps.
For the love of all things holy, make sure that you backup your site before you perform anything suggested in this tutorial.
Change Table Prefix in wp-config.php
Open your wp-config.php file, which is located in your WordPress root directory. Change the table prefix line from wp_ to something else, for example anything_ (where anything_ stands for whatever value you choose).
So the line would look like this:
$table_prefix = 'anything_';
Note: the prefix may only contain numbers, letters, and underscores. Use a mix of uppercase and lowercase letters and numbers, and keep it short, since it becomes part of every table name.
Change All Database Table Names
You need to access your database (most likely through phpMyAdmin) and rename the tables to match the prefix we specified in wp-config.php. You can typically find the phpMyAdmin link in your web hosting cPanel.
- Backup your WordPress database to a sql file. You can do so by using the phpMyAdmin export function.
- Make a copy of the WordPress database backup file (.sql) in case you would need to restore the database.
- Open the WordPress database file (*.sql) using a text editor. ( I like to use Notepad++)
- Find and replace all “wp_” prefixes with “anything_” (whatever you set the prefix to in wp-config.php). Be aware that a blind find-and-replace over the whole dump also hits any “wp_” that occurs inside post content or serialized option values, and changing the length of a string inside serialized PHP data corrupts it, so look at the matches that are not table names before you replace.
- Drop all database tables of your WordPress database through phpMyAdmin. Make sure that the tables ONLY are dropped and not the whole database.
- Import the modified WordPress database backup file (*.sql) using PHPMyAdmin or MySQL commands.
Some plugins and widgets may be deactivated after this procedure; reactivate them manually. If instead every account, including yours, has suddenly lost its role (“You do not have sufficient permissions”), the rows that store the prefix as data were missed: the wp_user_roles option and the wp_capabilities / wp_user_level usermeta keys must carry the new prefix as well.
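As an added alternative to the dump-and-replace procedure above (not from the original post), the script below generates the SQL for a prefix change: one RENAME TABLE statement for every table that carries the old prefix, the two UPDATEs for the rows that hold the prefix as data, and a SELECT to review what is left. Feed it the output of SHOW TABLES from the mysql client; dbname is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: change the table prefix with
# RENAME TABLE instead of dump / search-and-replace / import. A blind textual
# replace of "wp_" in a dump also touches post content and serialized option
# values that happen to contain the string; renaming the tables and then
# fixing the places WordPress stores the prefix *as data* is targeted.
# Usage (after taking a backup and setting $table_prefix in wp-config.php;
# dbname is a placeholder):
#   mysql -N -e "SHOW TABLES LIKE 'wp\_%'" dbname \
#       | prefix_change_sql wp_ anything_ \
#       | mysql dbname

prefix_change_sql() {
    old=$1
    new=$2
    # LIKE treats _ and % as wildcards, so escape them in the old prefix.
    like=$(printf '%s' "$old" | sed 's/[_%]/\\&/g')

    # One RENAME TABLE for every table on stdin that carries the old prefix.
    # MySQL renames all of them atomically, so there is no half-renamed state.
    list=$(while IFS= read -r t; do
        case $t in
            "$old"*) printf '  `%s` TO `%s%s`,\n' "$t" "$new" "${t#"$old"}" ;;
        esac
    done)
    if [ -z "$list" ]; then
        echo "prefix_change_sql: no tables starting with '$old' on stdin" >&2
        return 1
    fi
    printf 'RENAME TABLE\n%s;\n' "${list%,}"

    # The prefix also lives in row data. Without these two updates nobody has
    # a role after the rename. The options row is renamed exactly; in usermeta
    # a key starting with the prefix is prefix-derived by convention (core uses
    # it for capabilities, user_level, user-settings; plugins that follow the
    # convention do the same), so every such key is rewritten.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" $(( ${#old} + 1 )) "$like"
    # Anything left over is a plugin option that also used the old prefix;
    # review those by hand rather than renaming them blindly.
    printf "SELECT option_name FROM \`%soptions\` WHERE option_name LIKE '%s%%';\n" \
        "$new" "$like"
}
```

Look at the generated SQL before piping it into mysql. The final SELECT is the practical check: if it returns rows, a plugin stored options under the old prefix and you decide per row whether they should follow the rename.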
Update WordPress and Plugins Regularly
New security vulnerabilities and hacks are being found all the time. That’s why it’s important that you keep your site updated with the latest versions of WordPress itself as well as for all of the plugins that you are using.
If you manage more than a handful of WordPress sites, keeping up with all of the updates on all of them can be quite a chore. That’s why I would recommend using a WordPress management system.
I just started using MainWP and have been really happy with it so far. I’m able to keep all of my sites up to date from one convenient location, and it doesn’t require a monthly subscription fee like some other WordPress Management systems do.
Delete Unused Themes/Plugins
All of your theme and plugin files can be requested directly by anyone who knows (or guesses) their URL. If one of them has a security vulnerability, a hacker can exploit it even if the plugin or theme is not activated, because many plugin files execute when requested directly.
If you have unused plugins or themes on your site, delete them. This will not only help secure your site even more, but it can actually help speed up your site in some cases.
Back Up Your Site Regularly
If you ever become the victim of a hacker, having a backup to restore the site from makes it easy to recover from the hack. As easy as 1-click in most cases.
There are a bunch of paid plugins to backup your WordPress site, but all that you need is a free plugin called BackWPup.
It will backup your entire site, from the database to every file, all in one zip file.
It then automatically uploads the zip file to a FTP server, Dropbox, Amazon S3, and a bunch of other services as well.
I currently upload my backups to my Amazon S3 account, but I used Dropbox before getting my S3 account.
You can even set it up to send the backup zip file to an email address.
What I like to do is set up a free Gmail account dedicated just to the backups. This is a great secondary place to store them. Wherever you keep them, keep them off the web server itself: an attacker who owns the site also owns any backup stored under it. And a backup is only worth something if you have actually tried restoring from it once.
When was the last time you backed up your site? If it hasn’t been at least once in the past week, you need to do it immediately.
Like Right Now!
Remember: The most expensive backup is the one you never did!
Use a WordPress Security Plugin
Many of the steps outlined in this tutorial can be easily done with a WordPress security plugin. I personally like to keep my sites as light as possible when it comes to plugins, so I tend to do all of these steps manually. However, I understand that not everyone will feel comfortable making changes to their database, so that’s where plugins can come in handy.
I highly suggest using the Better WP Security plugin (later renamed iThemes Security) if you are going to use a security plugin. Here’s what it does:
- Removes the WordPress version
- Changes the URLs of the login and dashboard pages
- Renames the default admin account
- Changes the WordPress database table prefix
- Removes login error messages
- Protects your sites from hacks
- Scans your site for vulnerabilities
- Automatically bans bots and hackers
- Improves server security
If you decide to go down the plugin route, it’s still a good idea to know how to do these steps yourself. There have been occasions where some of the changes that these security plugins make have made sites unusable. By knowing how to do these steps manually, you will be able to get your site back up and running in no time.
How To Monitor Your Site
There are a few free services that you can use to monitor your site for downtime and for any changes to your site that may have come from hacks.
First up is Pingdom. This service will check to see if your site is up and running every minute from a variety of locations and will alert you if your site goes down.
You can get downtime alerts sent to you via email, sms, Twitter, iOS or Android.
The Change Detection service is very simple, but an awesome tool to use.
All that it does is check your site to see if anything changed and if so, it will send you an email letting you know.
The Sucuri SiteCheck scanner will check your site for a variety of threats.
It covers everything from malware to seeing if your site is blacklisted anywhere.
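The services above watch the site from the outside. As an added example (not from the original post), here is a server-side counterpart that goes a step beyond the page’s hosted tools: a file-integrity baseline of the WordPress tree that a cron job can compare against, reporting every modified, added or removed file. Paths are placeholders and it assumes Linux coreutils for sha256sum.

```shell
#!/bin/sh
# Added example, not from the original post: a server-side complement to the
# hosted change-detection services above. Record a SHA-256 manifest of the
# WordPress tree while it is known-clean, then compare on a schedule (cron)
# and alert on any modified, added or removed file. Assumes GNU or busybox
# coreutils (sha256sum). Usage (paths are placeholders):
#   ./integrity.sh baseline /var/www/html > /var/lib/wp-baseline.sha256
#   ./integrity.sh check    /var/www/html < /var/lib/wp-baseline.sha256
# Keep the manifest outside the web root, or an intruder can simply update it.

# Hash every file under ROOT except uploads/ (changes legitimately) and the
# cache, as "hash  ./relative/path" lines sorted by path.
baseline() {
    (cd "$1" && find . -type f \
        ! -path './wp-content/uploads/*' \
        ! -path './wp-content/cache/*' \
        -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

# Compare ROOT against a manifest on stdin. Prints one line per difference
# and returns 1 if there is any, 0 if the tree matches the manifest.
check() {
    tmpd=$(mktemp -d) || return 1
    cat >"$tmpd/old"
    baseline "$1" >"$tmpd/new"
    # sha256sum lines are 64 hex digits, two spaces, then the path; taking the
    # path by offset keeps paths containing spaces intact.
    awk '
        BEGIN { bad = 0 }
        FNR == NR { old[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in old))       { print "added    " p; bad = 1 }
            else if (old[p] != $1) { print "modified " p; bad = 1 }
            seen[p] = 1
        }
        END {
            for (p in old) if (!(p in seen)) { print "removed  " p; bad = 1 }
            exit bad
        }' "$tmpd/old" "$tmpd/new"
    rc=$?
    rm -rf "$tmpd"
    return $rc
}

# Command-line entry point: integrity.sh baseline|check ROOT
case $1 in
    baseline) baseline "$2" ;;
    check)    check "$2" ;;
esac
```

Re-run baseline after every legitimate core, plugin or theme update, otherwise the next check reports the update as a change. A PHP file appearing in wp-content/uploads is the classic sign of a compromise; that directory is excluded from the hash set here because it changes with every upload, so watch it separately (for example by listing any .php file under it).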
What Have You Done to Improve Your WordPress Security?
The security of your blogs is a serious issue, and if you don’t treat it as such, you are destined to have problems down the road.
It really doesn’t take much effort to beef up the security of your site, and you’ll be thankful when you do. So, what are you waiting for?
Take Action NOW or you will regret it later.
Let me know what you have done to improve the security of your WordPress sites by leaving a comment below. If you think that I’ve left anything out, let me know that as well.