WordPress installations the world over are under constant risk of being compromised by malicious script kiddies, would-be website thieves, insidious spammers, and bored (but technically proficient) douchebags. This succinct guide to securing WordPress will help you to reduce the potential of hacked-site heartache.
For the sake of brevity, in this guide, we’ve decided against listing every available security plugin and service known to man. The WordPress commercial market (and open source community) is thriving, and one could spend days humming and hawing over the pros and cons of competing security products. Rest assured, our recommendations are sound, and this guide is less interested in providing an exhaustive list of options to fuss over than it is in getting the job done.
If you’re a beginner, remember to back up your site before making any changes. We don’t want anyone to end up locked out. It happens.
1. Prevent break-ins and discourage hijackers with strong passwords, two-step authentication, and good ol’ common sense
Brute force attacks are the most common attack you’ll face. On a daily basis, any WordPress site with a bit of presence will have at least one script hammering away at wp-login.php, trying to gain access to your site.
Choosing a strong password is the single most important thing you can do. And when we say strong, we don’t mean the name of your favorite movie with your year of birth tacked to the end. We’re talking a mixture of numbers and letters, a combination of uppercase and lowercase, and maybe some special characters thrown in for good measure. You can’t go wrong using strongpasswordgenerator.com. Yes, it will spit out a string that’s difficult to remember. Write it down on paper and hide it if you have to, but try to memorize it. If you really want to be safe, you should even consider changing the password periodically. Don’t use the same password you use for all of your unimportant banking, credit card, and PayPal accounts.
If you’re the proud owner of a smartphone, our next recommendation is to implement two-step authentication, using Google Authenticator and its associated WordPress plugin. How does this work? It’s pretty nifty: you install the Google Authenticator app on your Android device or iPhone. You install the Google Authenticator WordPress plugin, which adds a third field to the user login form. The smartphone authenticator app will generate a temporary password that’s updated every sixty seconds or so. Now when you log in to your site, you’ll need to enter this temporary password along with your usual login credentials.
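As an added example (not code from the original article or from the Google Authenticator plugin), here is how that temporary password is computed and checked on the server side: a TOTP per RFC 6238, HMAC-SHA1 over a 30-second time-step counter, which is the scheme Google Authenticator implements. The secret used below is the RFC’s reference key, base32-encoded the way an app receives it from a provisioning QR code.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed: the RFC 6238 reference secret, base32-encoded as an authenticator app
# would receive it from a provisioning QR code. A real site generates one per user.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                      # which 30-second step we are in
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter (RFC 4226)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret_b32, submitted, unix_time, step=30, window=1):
    """Server-side check of a submitted code. Accepts the current step plus `window`
    steps either side to tolerate clock drift, and compares in constant time so
    response timing leaks nothing about which digits were right."""
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET_B32, now)
    print("code for this step:", code)
    print("verifies:", verify_totp(RFC6238_SECRET_B32, code, now))
```

A production check should additionally remember the last accepted time step per user and refuse a second code from that same step, so an intercepted code cannot be replayed within its lifetime.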
It’s also important that you don’t make things too easy for malevolent internet forces. If your username for the administrator account is the ubiquitous ‘admin’, this will give hackers an advantage and head start. You can change the name using a plugin like Admin Renamer Extended. Alternatively, you can create a new user account, with a difficult name to guess, grant it administrator privileges, and then delete the old one.
Using one of the many fabulous WordPress security plugins available, you can also limit login attempts, blacklist repeat offenders, and block users trying to log in with usernames that don’t exist. More on that in a minute.
2. Update WordPress, update plugins, and update themes
It doesn’t matter if your password is 150 characters long and consists of nothing but dollar signs, ampersands and exclamation points: out-of-date WordPress installations, plugins, and themes leave you open to unimaginable security horrors.
A recent example: over the 2014 holidays, a vulnerability in the popular Slider Revolution plugin, bundled with many premium ThemeForest products, left thousands of websites compromised and thousands more open to attack. The exploit gave hackers access to wp-config.php and, subsequently, the ability to inject malware directly into the vulnerable sites. The infection spread like wildfire: even our own logs revealed scripts searching for the problem plugin.
But guess what? The developers had identified the hole in the plugin’s security and closed it up months earlier. All of it could have been prevented simply by site owners updating the plugin. Attacks like this happen all the time, and developers find and fix security holes in their plugins and themes all the time. Check for updates regularly, and try not to put them off.
3. Secure and protect wp-config.php and /wp-includes/
Prevent the world from being able to reach wp-config.php by adding the following bit to your .htaccess file:
# Deny all web requests for wp-config.php (Apache 2.2 syntax; Apache 2.4 uses "Require all denied")
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Include this outside of the # BEGIN WordPress and # END tags. Otherwise you risk having it overwritten during future WordPress updates (and by plugins like W3 Total Cache). If you can’t find .htaccess, make sure that your FTP client or file manager allows you to view invisible files.
Some users like to move wp-config.php outside of the root directory entirely. There’s debate about the effectiveness of this technique. Our opinion: not essential, but couldn’t hurt. You can find more information about it here.
There’s also no reason to give the public access to your /wp-includes/ directory. To control access and prevent unwanted tampering, add the following to .htaccess:
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
4. Set the correct file permissions
You don’t want to give the public write permissions on your server. Setting every file to 777 and making everything writable to everybody might prove convenient sometimes, but it’s an insane thing to do, so don’t do it. Instead, follow these guidelines:
Set all directories to 755
Set all files to 644
Set /wp-content/themes/ to 766 if you want to be able to edit the theme via the provided Dashboard editor (not really recommended, if you can live without it)
Set wp-config.php to 600 because we say so
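An added example (not from the original article) that checks an installation against the first, second and last guidelines above, reporting every directory that is not 755, file that is not 644, and a wp-config.php that is not 600. The demo tree it builds is constructed in a temporary directory with two deliberate mistakes; point audit_permissions() at your own document root to audit a real site.

```python
import os
import stat
import tempfile

# Target modes from the guidelines above: directories 755, files 644, wp-config.php 600.
EXPECTED = {"dir": 0o755, "file": 0o644, "wp-config.php": 0o600}

def audit_permissions(root):
    """Walk a WordPress tree and return (relative path, actual mode, expected mode)
    for every directory or file that deviates from the guidelines."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a symlink's own mode is meaningless; its target is audited where it lives
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if name in dirnames:
                want = EXPECTED["dir"]
            elif name == "wp-config.php" and dirpath == root:
                want = EXPECTED["wp-config.php"]
            else:
                want = EXPECTED["file"]
            if mode != want:
                findings.append((os.path.relpath(full, root), mode, want))
    return sorted(findings)

def demo():
    """Build a small constructed tree with two deliberate mistakes (a world-writable
    uploads directory and a group/world-readable wp-config.php) and report them
    as 'path: actual -> expected'."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)   # mistake: 777
    for rel, mode in [("index.php", 0o644), ("wp-config.php", 0o644)]:  # config should be 600
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return [f"{p}: {m:o} -> {w:o}" for p, m, w in audit_permissions(root)]

if __name__ == "__main__":
    for line in demo():
        print(line)
```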
5. Disable XML-RPC (Pingbacks)
WordPress’s XML-RPC functionality exists for trackbacks and pingbacks (when enabled, it’s the reason you’re alerted if someone links to one of your posts).
Unfortunately, it can be abused in distributed denial of service (DDoS) attacks, and it’s not unusual to come across bots in your logs that are pounding away at your xmlrpc.php file.
You can disable it entirely, but the better option is to use a plugin like Disable XML-RPC Pingback, to prevent breaking plugins that use the feature (like Jetpack).
6. Install a comprehensive, all-in-one security plugin for WordPress
Let’s keep things simple. If you don’t already have a preference, and can’t decide between the options available, settle on iThemes Security (formerly Better WP Security). It has thousands of satisfied users, it’s incredibly well supported, and it’s got everything you need in the free version. If you want to make things even tighter, there’s a Pro version available.
Some highlights include the ability to limit login attempts: IP addresses that enter an incorrect password too many times can be automatically blocked. Likewise, users trying to log in with a username that doesn’t exist (or the username ‘admin’) can be automatically blocked.
The plugin provides a malware scanner, for checking up on your installation, scanning plugins and themes, and making sure there’s no evil code hiding anywhere that’s conducting nefarious business without your knowledge. With iThemes Security, you can schedule database backups, so you can restore your site following a worst-case-scenario situation.
It’s a big plugin – unpacking it all would require an article of its own – so we recommend installing it, digging in, and investigating the various features and settings yourself.
7. Identify and block abusive IP addresses
If your hosting account includes cPanel, you can download and examine the raw access logs (under the Logs section). It won’t take you long to identify which IP addresses are banging away at wp-login.php, trolling for vulnerable plugins, or just generally being a nuisance. Security plugins like iThemes Security can also help you to identify suspicious IPs.
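An added example (not from the original article) of doing that identification over a raw access log: it counts, per address, POSTs to wp-login.php and 404s under /wp-content/plugins/ (a scanner probing for plugins you do not have), flags addresses over a threshold, and emits the deny lines for .htaccess. The log lines are constructed in Apache combined format, the format cPanel’s raw access logs use, with RFC 5737 documentation addresses; the thresholds are assumed starting points.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" format, the format of cPanel's raw access
# logs; the addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jan/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jan/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jan/2015:10:01:10 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.5"
198.51.100.23 - - [03/Jan/2015:10:01:11 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.5"
198.51.100.23 - - [03/Jan/2015:10:01:12 +0000] "GET /wp-content/plugins/plugin-c/ HTTP/1.1" 404 209 "-" "python-requests/2.5"
192.0.2.44 - - [03/Jan/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.44 - - [03/Jan/2015:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize(log_text):
    """Per-IP counts of POSTs to wp-login.php and of 404s under /wp-content/plugins/
    (the signature of a scanner probing for plugins you do not have installed)."""
    stats = defaultdict(lambda: {"login_posts": 0, "plugin_404s": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the whole scan
        ip, method, path, status = m.group("ip", "method", "path", "status")
        path = path.split("?", 1)[0]
        if method == "POST" and path.endswith("/wp-login.php"):
            stats[ip]["login_posts"] += 1
        if status == "404" and path.startswith("/wp-content/plugins/"):
            stats[ip]["plugin_404s"] += 1
    return dict(stats)

def abusive_ips(log_text, max_login_posts=3, max_plugin_404s=2):
    """Addresses over either threshold. The thresholds are assumed starting points;
    a real user retries a login a few times, a bot does it hundreds of times."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["login_posts"] > max_login_posts or s["plugin_404s"] > max_plugin_404s)

def htaccess_deny_lines(ips):
    """One 'deny from' line per offender, ready to paste into .htaccess."""
    return "\n".join(f"deny from {ip}" for ip in ips)
```

Run it over a real log with `summarize(open("access_log").read())`; the user at 192.0.2.44, who loaded the form once and logged in with a single POST, stays below the threshold while the two bots are listed.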
Once you’ve identified an IP you want to block, you’ve got a few options. Commonly, site owners will deny access using .htaccess by adding the following (replacing the example IP address with the harassing IP):
# Apache 2.2 syntax: let everyone in except the listed address
order allow,deny
allow from all
deny from 22.214.171.124
If you need to add to it later on, which you undoubtedly will, just give each offending IP its own line:
order allow,deny
allow from all
# example addresses; replace with the offending IPs
deny from 126.96.36.199
deny from 203.0.113.5
This will work pretty well, returning a 403 error, but there’s one problem. Repeated brute force attacks can be taxing, eating up resources and dragging down the performance of your website. It’s even better if they never get the chance to make a request to the server.
We use the firewall features provided by Cloudflare. They’re better known as a CDN, and we’d be using them regardless for the performance boost they provide, but their Threat Control service is icing on the cake. Using Cloudflare, you can block individual IPs, network ranges, or entire countries. It’s especially effective against persistent brute force attacks.
8. Backups, dude
Backups. Do backups. Maybe you don’t need to back up your entire website every day, but you should, at the very least, back up your database often, because there are all sorts of terrible things that can happen at absolutely any time. Heed our warning: the universe has a remarkable way of introducing random chaos into the lives of well-meaning, happy people who have done nothing to deserve it.
You can use a free plugin, like BackWPup Free, to schedule complete backups (which can be automatically uploaded to Dropbox, Amazon S3 or plain ol’ FTP). Alternatively, you can use a premium service, like BackupBuddy (by iThemes) or VaultPress, if paying for things helps you to sleep better at night.
Other junk to consider
Tackling the above points will bring you closer to running a secure, safe WordPress site. But there will always be vulnerabilities. Recently, we wrote about having our site cloned in its entirety. That sucked. Fortunately, there are ways to discourage scrubs from scraping your content, like adding this handy list of bad bots to .htaccess.
There are also security issues introduced simply by using your home computer or laptop. Installing antivirus software and regularly scanning your system for backdoors, keyloggers and other malware will reduce the chances of a third party seeing and stealing your passwords.
And you know what? Connecting willy-nilly to public WiFi can also be compromising, and leaves your online activities open to packet sniffers and eavesdroppers. To add an extra layer of security, you might consider using an encrypted VPN service, like the one provided by PrivateInternetAccess.
We’ll be updating this article regularly to keep the information relevant. Outdated security advice is bad security advice. If you think we’ve forgotten something vital, or got something totally wrong, feel free to let us know in the comments.