WordPress Security: How to Protect Your Site

by on November 25th, 2010 3 comments

To finish up WordPress week I thought I would go over how to secure your WordPress site to prevent those with malicious intent from hacking you. People put a lot of time building their site and don’t bother with any type of security. This is the equivalent of building a house and not putting doors on it. While some of you may enjoy this lifestyle those of you who don’t will definitely benefit from this guide.

It is now time to get your WordPress site locked down.

Avoid Using “Admin” as the Admin Username

If someone with malicious intent knows your username it makes it that much easier for them to use a brute force attack to crack your password. Prior to WordPress 3.0 the admin username defaulted to “Admin”.

With WordPress 3.0 the default admin username has been removed and you can now choose any name you like when installing WordPress. Doing so will make it much harder to guess your login information as the hacker will now need to crack both your username and password.

If by chance you have not updated to WordPress 3.0 you can run the following SQL command to change the default username:

UPDATE wp_users SET user_login = ‘Your New Username’ WHERE user_login = ‘Admin’;

Now let’s talk about passwords.

Use Hard to Guess Passwords

Many people select one or two passwords and use them over and over again. This is okay for sites you trust like Amazon or eBay but not for those sites you sign up to and login one time and forget about it. You have no idea who is seeing your password or what they may try to do with it. To make it easier to manage your strong passwords I recommend using a great utility called LastPass (this application was also recommend by security expert Steve Gibson of grc.com).

Here are some things to remember when choosing a password:

• Use a random mix of special characters, numbers, upper, and lowercase letters
• Do not use dictionary words, names, or birthdates
• Use a minimum of eight characters.

Just to expand on this a bit, I want to stress that you need to make sure your password is as random as possible. Resist the urge to use “leet speak”such as c0mput3r or rac3car. While these are a mix of letters and numbers they are common enough hackers have added them to their dictionary file so it is like using a regular word.

Personally I prefer to use a 10 character password with a mix of numbers, uppercase, and lowercase letters without special characters. The reason I do this is I haven’t found a website that did not accept this where you could run into issues with special characters or a longer password on some sites.

Keep WordPress Updated

Every couple of months WordPress gets updated as features are added, bugs are found and fixed and security holes are patched. It is important to keep your WordPress installation up to date to ensure that any known security issues are fixed.

WordPress is very easy to update. All you have to do is login to your admin panel, click on “Updates” under “Dashboard” in the right hand menu and click the “Upgrade Automatically” button. You should see “WordPressu pdated successfully” when it is finished.

Avoid Displaying Unnecessary Information

When you try to login to the WordPress admin area but fail a helpful error message is displayed telling you what went wrong.

This is nice for you but it is also nice for someone who may want to hack into your site. To prevent these message from being displayed you will need to add a line of code to your theme’s fuctions.php file. Remember to back-up the file you are going to update before you make any modifications.
Add the following line of code to your theme’s functions.php file which can be found in /wp-content/themes/your theme

add_filter(‘login_errors’,create_function(‘$a’, “return null;”));

Remember that if you change your theme you will have to add this line to the new theme’s functions.php file.

Remove Your WordPress Version Number

We have established that you need to keep WordPress updated to make sure any known security flaws are patched. In addition to that it is also a great idea to hide the version number that WordPress likes to insert in the header of the site. To do this we will need to update the theme’s functions.php. So backup the file and add the following line of code to it:

remove_action(‘wp_head’, ‘wp_generator’);

You can now check your site’s page source to make sure the version number has been removed.

Force SSL Usage

If you are concerned about someone viewing your data when you login to WordPress then you should definitely force SSL. SSL stands for Secure Socket Layer and is a cryptographic protocol that provides security for communications over a network.

The first thing you should do is contact your webhost to confirm that you will be able to do this with your hosting account. To make this change you will need to update the wp-config.php file located in the root directory of your WordPress installation. Back-up wp-config.php and add the following line to it:

(‘FORCE_SSL_ADMIN’, true);

You can how go to https://yoursite.com/wp-admin to securely login to your WordPress admin panel.

Use .htaccess To Protect The wp-config.php File

The wp-config.php file is a very important file as it contains information like the username and password for your WordPress database. We will secure this file with the .htaccess file found in your WordPress root directory. As always, backup your .htaccess file and add the following to it:

<files wp-config.php>
order allow,deny
deny from all
</files>

The ever important wp-config.php file should now be protected.

Blacklist Undesired Users and Bots

You will be surprised to see how easy it is to block annoying spammers and bots from visiting your site. We will use the IP blacklist from Perishable Press to do this. Once again, back-up your .htaccess file and add the following to it:

<Limit GET POST PUT>
order allow,deny
allow from all
deny from 123.456.789
</LIMIT>

Replace 123.456.789 with the list found here.

Guard Against Script Injections

We can protect against script injections by doing a check to see if the request contains a <script> and if it has tried to modify PHP GLOBALS or _REQUEST variables. This can be accomplished by following these steps through the .htaccess file. Back-up your .htaccess file and add the following:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Stop Image Hotlinking

Prevent people from using your content without your consent and stealing your bandwidth by stopping image hotlinking. What the code for this does is check and see if the referrer matches your blog title, if it doesn’t and the file being linked is an image it will display your “no hotlinking” image instead.
All you have to do is add the following to your .htaccess file:
RewriteEngine On
#Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your “stop hotlinking” image URL
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
Technically it is still possible to hotlink images but it makes it a major pain to do so and isn’t worth the hassle.

Prevent Directory Browsing

You don’t want everybody browsing your directories and possibly using an exploit to hack your site. To prevent this all you have to do is add the following line to your (backed-up) .htaccess file:
Options -Indexes

Backup Your WordPress Database Regularly

With all the new exploits and possible security holes being found you can never guarantee you won’t get hacked. In the unfortunate chance that your site is compromised you want to make sure your WordPress database has a back-up.

There are several WordPress plug-ins that can help you do this.  The one I recommend is WP-DBManager. You can use this plugin to automatically back-up your database as well as optimize, repair, restore your database.

The plugin I am recommending here will only back-up the WordPress database. There are some plugins that will let you back-up everything including the themes and plugins directory but I have never used one because I prefer to back these up manually.

This guide went into detail the steps you can take to secure your WordPress site. As I mentioned in the beginning you work way too hard on your site to have someone come along and destroy your hard work. Protect against this by following the steps in this guide and don’t forget to back-up your WordPress database regularly. Please share your WordPress tips with us in the comments.