StylizedWeb is a web design, Wordpress and tutorials blog, maintained by Ross Johnson who also runs a web design company and design blog.

The Ultimate Wordpress Security Guide


There are plenty of good posts and resources online that discuss how to secure Wordpress. However, they all tend to mention different things and techniques, so if you really want to lock your installation down you have to sort through 10 - 15 posts to cover all of your bases. There really doesn't seem to be an all-inclusive list.

I have had to go the extra mile on a few projects in regards to security and Wordpress, and after a client's website got hacked it made sense to compile all the methods of securing Wordpress into one single document. Since Wordpress is open source, I figure I might as well make the document open source as well.

You can download the PDF version of the document here, or simply read through it below.

Server Level Security

1. Disallow bots from scanning the important Wordpress directories

It is always a good idea to use the robots.txt file to keep crawlers out of the wp-content, wp-admin and similar directories. Note that robots.txt is only honoured by well-behaved crawlers, so treat this as a way to keep these paths out of search engines rather than as access control. This can be done by adding the following lines (a Disallow rule only takes effect under a User-agent line):

User-agent: *
Disallow: /wp-*

2. Turn off directory browsing.

Many servers by default allow you to browse the listing of files within a given directory. You may have come across this before when a page is missing or there is no index file in a directory: the server outputs a listing of the files in the directory instead. This is particularly important in regards to plugins. If someone can see which plugins you have on your site they might be able to see which ones are vulnerable.

This can be done through your .htaccess by using the code below:

Options All -Indexes

3. Protect your wp-admin folder

The wp-admin folder is a critical security point within Wordpress. Denying access to this folder (as well as the wp-config.php file) goes a long way to ensuring that your Wordpress site is secure.

This can be done in several ways and you may want to do all of them.

3.1 Limit access to your wp-admin folder by IP Address

If you know that you are on an IP address that doesn't change, you can keep intruders out by blocking every IP but your own. The drawback here is that if you are traveling, are off site, or are trying to update the site from a location that is not your typical one, you will be denied access as well.

This can be done through an .htaccess file in the wp-admin folder by using the example code below (Apache 2.2 syntax; replace the example addresses with your own):

# Deny everyone, then allow only the listed addresses.
# The rules are deliberately not wrapped in <Limit GET POST PUT>: a <Limit>
# block only restricts the methods it names and leaves every other HTTP
# method unrestricted, so without it the allow-list applies to all requests.
order deny,allow
deny from all
allow from 192.0.2.10
allow from 198.51.100.25

3.2 Limit access to your wp-admin folder through password protection

While not as secure as the IP address method, it can be extremely effective to simply password protect the folder at the server level. This can also build upon the security enhancement of 3.1: for example, if someone is able to spoof your IP address they would still need to obtain your password to break in.

The easiest way to setup password protection is through the Wordpress htaccess Password Protect Plugin.

3.3 Limit access to your wp-admin folder by hiding it

There is no reason that your wp-admin folder has to be called wp-admin. Hackers look for the administration folder at this location. One easy way to stop automated attacks from finding your administration area is simply to rename the folder to something else. Simple enough?

4. Protect your wp-config.php file

The password to your database is stored in plain, readable text in your configuration file (wp-config.php). Access to your database gives hackers control over your complete site, so to say you need to protect it is an understatement. The first and most obvious step is to ensure the permissions are set correctly.

Some servers set the wrong permissions by default, which gives anyone who wants it the ability to read the contents of that file.

The permissions should be set to 640 using SSH or through an FTP client. Note that 640 leaves the file readable only by its owner and the owner's group, so the web server process must be the owner or a member of that group, otherwise Wordpress will no longer be able to read its configuration:

# owner: read and write; group: read; everyone else: no access
chmod 640 wp-config.php

Additionally, you can actually move wp-config.php one level above the main Wordpress directory and still have everything function properly. This way hackers don't know where to look for the file. For example, if your wp-config.php is located at /public_html/blog/wp-config.php you could move it to /public_html.

5. Install the 3G Blacklist

A lot of Wordpress installations are hosted on an Apache server. If your site is on an Apache server then you can improve the security of the whole site (not just of Wordpress) by installing the 3G Blacklist. The 3G Blacklist is:

“a concise, lightweight security strategy for Apache-powered websites...the 3G Blacklist serves as an extremely effective security strategy for preventing a vast majority of common exploits. The list consists of four distinct parts, providing multiple layers of protection while synergizing into a comprehensive defense mechanism.”

Find instructions and usage information on the 3G Blacklist here.

Wordpress Level Security

1. Remove the Wordpress version number from the META tags

Some hackers target specific versions of Wordpress because of known, unpatched vulnerabilities. An easy way to prevent your site from coming up as a target is to simply remove any indicators of the software version.

In older versions of Wordpress your theme's header.php would have the following code, which generates a simple tag that outputs the current version:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

You can prevent this from being an issue by simply deleting that line of code.

Newer versions of Wordpress output the version automatically through the wp_head(); function. You can remove these by installing the Secure Wordpress plugin.

2. Disable the “Admin” account

By default Wordpress creates an “admin” account every time you install it. While the passwords are generated randomly, it is never a good idea to let people know the login name of your most powerful account, and because all Wordpress installations share the same username for the master account you are doing just that.

Simply changing the username from admin to something less obvious will improve the security of your site.

This will have to be done through the database as Wordpress won’t let you change or remove the account through the administration interface. The account is located in the wp_users table, and you can simply change the account name, display name, etc... to that of your choosing.

3. Change the Wordpress table prefix

All installations of Wordpress use the same names for all of the tables in the database. The problem with this is that if a hacker is able to use a SQL injection exploit they know exactly which tables to change data in. If you use an alternative prefix when you install the software this is prevented.

Already have a Wordpress installation? The WP Security Scan plugin can help you switch.

4. Use secure connections when connecting to the ADMIN pages

To prevent data being intercepted between your computer and the server hosting your website, you can force a secure connection to all of the administration panels. This requires that you first purchase and install an SSL certificate through your host, but once you have done this you can add the following line to your wp-config.php file to activate secure administration:

define('FORCE_SSL_ADMIN', true);

5. Use Security Keys

Wordpress doesn’t require that you take advantage of its “security key” tool, which better encrypts cookies, thereby better protecting your passwords. Using security keys is a simple process: you generate a set of keys and make some simple modifications to the wp-config.php file.

You can generate Wordpress security keys on this website.
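As an added example (not from the original post and not Wordpress's own code), the following Python script audits a wp-config.php for the eight key and salt constants Wordpress reads, flags values that are still the shipped placeholder, too short or missing, and regenerates them with a CSPRNG. The wp-config.php fragment is constructed for the demonstration and the 32-character minimum is an assumption.

```python
import re
import secrets
import string

# The eight key/salt constants Wordpress reads from wp-config.php.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # default shipped in wp-config-sample.php
MIN_LENGTH = 32                              # assumed minimum acceptable key length
# Printable ASCII without quote/backslash (special in PHP single-quoted strings) or '$'.
ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\\$")
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")

def generate_key(length=64):
    """Return a random key of the given length drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def audit_keys(config_text):
    """Map each weak key name to its problem: 'missing', 'placeholder' or 'too short'."""
    found = {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}
    problems = {}
    for name in KEY_NAMES:
        if name not in found:
            problems[name] = "missing"
        elif found[name] == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(found[name]) < MIN_LENGTH:
            problems[name] = "too short"
    return problems

def fix_keys(config_text):
    """Replace every weak key in place and append missing ones; other defines are untouched."""
    problems = audit_keys(config_text)
    def replace(m):
        name = m.group("name")
        if name in problems:
            return "define('%s', '%s');" % (name, generate_key())
        return m.group(0)
    fixed = DEFINE_RE.sub(replace, config_text)
    for name in [n for n in KEY_NAMES if problems.get(n) == "missing"]:
        fixed += "define('%s', '%s');\n" % (name, generate_key())
    return fixed

# Constructed wp-config.php fragment: two placeholders, one short key, NONCE_SALT missing.
SAMPLE_CONFIG = """\
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'short');
define('NONCE_KEY',        'k8Vx^2pLq9!mZr4wT7yB1nC3dF5gH6jK0sA2eU4iO6pQ8rS0tV');
define('AUTH_SALT',        'aB3$dE5fG7hI9jK1lM3nO5pQ7rS9tU1vW3xY5zA7bC9dE1fG3h');
define('SECURE_AUTH_SALT', 'zY9xW7vU5tS3rQ1pO9nM7lK5jI3hG1fE9dC7bA5zY3xW1vU9tS');
define('LOGGED_IN_SALT',   'qW2eR4tY6uI8oP0aS1dF3gH5jK7lZ9xC1vB3nM5qW7eR9tY1uI');
define('DB_NAME', 'wordpress');
"""
```

Running `audit_keys(SAMPLE_CONFIG)` reports the four weak entries, and `fix_keys` returns a fragment that passes the audit with the unrelated DB_NAME line untouched.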

Wordpress Security Plugins

1. Login Lockdown Plugin

This simple plugin records the IP address of every failed login attempt. If there are too many failed attempts from one IP address, the login function is disabled for that IP range. This helps prevent brute-force password break-ins.

You can download the plugin here.
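To show the kind of logic the plugin is described as performing, here is an added Python example (not the plugin's code and not from the original post) that replays constructed Apache access-log lines, counts failed POSTs to wp-login.php per IP inside a sliding window and reports when an IP should be locked out. It assumes that a rejected login re-renders the form with HTTP 200 while a successful login answers with a 302 redirect, and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format; only the fields needed here are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

MAX_FAILURES = 3               # assumed: failures allowed per IP ...
WINDOW = timedelta(minutes=5)  # ... inside this sliding window
LOCKOUT = timedelta(hours=1)   # assumed lockout duration

class LoginLockdown:
    """Counts failed wp-login.php POSTs per IP and decides when an IP is locked out."""
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> datetime the lockout expires

    def is_locked(self, ip, now):
        return ip in self.locked_until and now < self.locked_until[ip]

    def observe(self, line):
        """Feed one log line; returns (ip, 'locked') when a new lockout starts, else None."""
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or not m.group("path").startswith("/wp-login.php"):
            return None
        # Assumption: a rejected login re-renders the form with HTTP 200, a successful one
        # answers with a 302 redirect to wp-admin, so only 200 responses count as failures.
        if m.group("status") != "200":
            return None
        ip, now = m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT)
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES and not self.is_locked(ip, now):
            self.locked_until[ip] = now + LOCKOUT
            recent.clear()
            return (ip, "locked")
        return None

def find_lockouts(lines):
    """Replay log lines; returns (lockout events, the tracker with its final state)."""
    tracker = LoginLockdown()
    events = [e for e in map(tracker.observe, lines) if e]
    return events, tracker

# Constructed sample: 203.0.113.7 fails three times inside two minutes (the GET is the form
# being loaded, not an attempt); 198.51.100.2 logs in successfully once.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2010:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Apr/2010:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [19/Apr/2010:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Apr/2010:10:00:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Apr/2010:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Apr/2010:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
]
```

`find_lockouts(SAMPLE_LOG)` yields a single lockout for 203.0.113.7 starting at the third failure; the successful login from 198.51.100.2 and the GET of the form are ignored.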

2. Invisible Defender Plugin

This plugin protects registration, login and comment forms from spambots by adding two extra fields hidden by CSS. The idea behind Invisible Defender is simple: SPAMBOTs either fill every form field they find (generic spambots) or fill WordPress-specific fields only (spambots which will recognise WP or are targeting WP only).

You can download the plugin here.

3. Maximum Security

You can identify and fix a lot of the problems outlined in this document automatically through this full-featured and robust plugin. It can identify permission issues and has an intrusion protection system.

You can download the plugin here.

4. Secure Wordpress

A little help to secure your WordPress installation: it removes error information from the login page, adds an index.html to the plugin directory, and removes the WP version from everywhere except the admin area.

You can download the plugin here.

5. Secure Admin

Secures Login and Admin pages using Private or Shared SSL.

You can download the plugin here.

Security Best Practices

There are plenty of good security practices that you should follow that are not specific to Wordpress.

1. Pick your passwords wisely

The first step to being secure is to ensure your passwords are well formed. A strong password contains upper and lowercase letters, numbers and punctuation marks, and is not a common dictionary word. This applies to every account connected to your website: your SFTP / FTP account, your database password and your user accounts.

You can test your passwords using this handy website.

2. Only use secure connections

Most website owners and developers use FTP connections to access the files on their server. This is all good and fine except that the transmission is unencrypted, so your credentials and files can be intercepted in transit. Instead, set up an SFTP account, which encrypts your connection and prevents information from being stolen.

3. Keep your software up-to-date

Any software should be updated as frequently as possible. Updates often fix security holes among other things (performance enhancements, new functionality, etc...). This certainly is the case with Wordpress. Now that the system has automatic upgrades there is no excuse to have out-of-date software.

This is not limited to the Wordpress core software either, you should also upgrade your plugins as often as possible as well.

4. Backup often

While it is not going to directly improve the security of your site, the only thing worse than getting your site hacked is getting it hacked with no way of restoring it. You should back up not only the actual files of the site but the database as well.

With the WP-DB-Backup plugin you can automate this process and even have it e-mail a copy of the backup to you on a regular schedule.

You can download the plugin here.

Have a heavily used, business-critical Wordpress site? You can even back up the important parts of your Wordpress installation to Amazon S3 servers through the WP S3 Backups plugin.

You can download the plugin here.

5. Secure your MySQL Database

Not specific to Wordpress, but you can make a lot of progress toward improving the security of your MySQL database server. I won’t go into the specific details in this document, but you can get more than enough information from this detailed website.

Anything Else?

Did I miss something? Have any better ways to perform any of the security items I mentioned? Feel free to leave them in the comments and I will update the post!

75 Responses so far

By harly
on August 14, 2010

You have provided security tips that you can easily implement on your WordPress blog. Please share one or more life-savers you use permanently to help protect yourself from WordPress security issues.

By Law firm marketing
on August 12, 2010

Thanks, this is important information. I am new to wordpress and am always cautious about matters like security. This is very helpful, thank you.

By murat uzanal
on July 13, 2010

thanks a million for nice

By Fashion Guide
on July 6, 2010

It appears that visual merchandisers also have fun on the brain, as evidenced by the bright wigs, lighthearted prints, and bold accessories they’re putting on display.

Fashion Guide
*************
Christina

By SEO Nottingham
on May 10, 2010

I’m only 1 year old to wordpress and have found many security problems in that time, but I recently found 3G Blacklist (as recommended above) and I’ve got to say it's a great bit of kit.

By hakre
on May 2, 2010

How about deactivating eval? http://wp.me/pLEEp-f1

By Mike
on April 26, 2010

This is a really nice post which is one in all, instead of checking all security posts till now…

I applied all the others, but these are new steps for me:

Remove the Wordpress version number from the META tags
Install the 3G Blacklist
Change the Wordpress table prefix
Use Security Keys

I am still checking how the WP version in meta tags can affect security, but 3G is also new for me.

Thanks for this nice security update post

By cleawalford
on April 24, 2010

thanks a million for nice article!

By 3pointross
on April 23, 2010

Sometimes being a bit over the top with headlines can make an article more alluring… but valid point =)

By rami
on April 23, 2010

Bad title.
Security + “Ultimate” = the author doesn’t take IT security seriously…

Apart from that: nice article.

By Leona
on April 22, 2010

Thank you for this guide, though I think a little care needed to be taken to test that all of these solutions are actually feasible or actually work.

A number of these didn’t seem to work. As pointed out, changing the wp-admin dir just broke the install; shame that wasn’t checked.
Also, if I change permissions of wp-config.php to 640 as described, that then throws an error saying that the required file can not be found, so that doesn’t work either.
Sadly the Askapache plugin isn’t compatible with the server I use; I don’t know what needs to be changed to make this work.
I like the idea of changing the wp-content dir name, will give that one a try.
Anything to lock this down and stop the bad people hacking it, is all good! :)

By Ozh
on April 20, 2010

Renaming ‘wp-admin’ is not feasible. It will break a lot of stuff like logout / login, internal admin URLs, etc…

Plus, most of the vulnerabilities would come from poor plugins, not core stuff in admin. Much more effective then to move the wp-content directory and define its new location in wp-config.php than renaming wp-admin.

You can also move wp-config.php out of the server document root.

By Jordan Walker
on April 20, 2010

Thank you so much, that is a definite need to know!

By Angel
on April 20, 2010

waoo nice

By Jeff Mackey
on April 19, 2010

I came across this nifty plugin from the guys down under at SitePoint: http://wordpress.org/extend/plugins/wordpress-file-monitor/

It essentially watches your files and notifies you if anyone other than you modified something.
