WordPress is rapidly gaining popularity… even more than before.
Fact 1: 14.7 percent of the top million websites in the world use WordPress. (source: http://goo.gl/e1MRU)
Fact 2: 22 of every 100 active domains created in the U.S. are running WordPress. (source: http://goo.gl/XIZ7F)
Good and bad news…
So what does this mean? While more and more websites are powered by WordPress, more and more developers are contributing in one way or another to make WordPress secure and better. The bad news is that it makes a very attractive target for hackers.
Power to the people
Fortunately, there is a great community, we only need to look at the way the recent timthumb script vulnerability was handled.
That being said, if you haven’t yet checked your website for the timthumb vulnerability, I suggest you go grab the Timthumb vulnerability scanner plugin and run a scan.
More info here: http://wptheming.com/2011/08/cleaning-up-the-timthumb-hack/
Security good practices
There are several best practices that you should keep in mind in order to make your website less prone to vulnerability:
Themes and plugins downloads – only download themes from trusted sources, the official WordPress.org theme repository is the best place to go for free themes. Themes undergo a rigorous quality check before being released for download.
Unfortunately, the same cannot be said of plugins. Plugin code quality is overall very poor.
What to look out for when deciding about a plugin:
Plugin author: Is the plugin author a well respected contributor to WordPress? Big names in the WordPress community are usually a guarantee of coding best practices.
Is the plugin being actively developed? – check the Last Updated date, and Compatible up to version number. They should be recent. WordPress has recently instaured a new rule to delete all plugins that havent been updated in two years.
Average rating to download ratio: if the plugin has many downloads and still has a 4 or 5 star rating, it’s a good indicator of its reliabilty.
Forum discussions: all plugin pages link to related forum discussions. I suggest browsing these threads before installing the plugin.
Keep your local computer clean of viruses. Seriously, use a good antivirus and firewall, and you won’t be uploading malicious files to your website server unknowingly.
Use SFTP – SFTP is SSH over FTP. If you’re using filezilla, you can select SFTP instead of FTP in the connection settings. On hostgator, you’ll need to set the port to 2222 and set the server to Unix. This will encrypt your username and password, which will stop hackers from intercepting them.
Don’t use default admin user – you’ve heard this one before, but I still have to educate people about this. Just create a new user with administrator rights and either delete admin or change its rights to subscriber. If you’re afraid of forgetting what your username and password were, I suggest using a browser extension such as LastPass to manage your passwords.
Use a secure password. I mentioned LastPass, this extension also allows you to generate secure passwords which you wont have to remember. Change your password from time to time.
Check folder and file permissions best practice is 755 for folders and 644 for files. You can use the ServerBuddy plugin, BackupBuddy or Ultimate Security Checker for that.
Database prefix: you should not use the default “wp_” database prefix. This can be set during the installation process. It can also be changed on existing WordPress sites, but is a little trickier because it may involve replacing strings in serialized data. (plugin options and such).
Remove install.php from the wp-admin folder.
Remove readme file from the root folder.
If possible, move your wp-config up one level. For example, you can install WordPress in a subfolder of your public_html folder, and put the wp-config.php file directly under public_html.
change the secret keys: https://api.wordpress.org/secret-key/1.1/salt/, you can regenerate these periodically. This will have the effect of forcing all users to log in again.
disable admin plugin and theme editors:
Hide login errors: add this to your functions.php file:
add_filter('login_errors', create_function('\$a','return null;'));
Advanced security measures:
robots.txt: disallow sensitive folders to be crawled by robots: http://perishablepress.com/wordpress-robots-rules/
.htaccess file: you can use the htaccess file to control access to files and folders on your server. For example, you’ll want to protect the wp-config.php file, and you can even restrict access to the WordPress admin to IP addresses or ranges.
Use a dedicated server: on a dedicated server, you have total control over server configuration, which allows you to set much tighter security configurations than on a shared hosting solution.
Use an SSL certificate. You will have to purchase and install an SSL certificate.
WordPress security toolbox
Ultimate Security Checker: this plugin provides a quick way to assess your overall security and helps you quickly fix problems. I run it on all my installations until I get the highest score possible. One aspect that you may not have control over is the server configuration on shared hosting plans.
ServerBuddy: you can determine how well configured your hosting provider’s server is thanks to this plugin. It will scan for unsafe configurations so that you may either change them or contact your hosting provider. Another useful tool it provides is a directory size listing. This will allow you to quickly identify which files are taking up too much space.
WordPress File Monitor: if a hacker gains access to your website’s file system, he can do all sorts of bad things. Use this plugin to be alerted as soon as any changes are made to your WordPress files. A nice side effect is that if you install this on your clients’ sites, you can effectivley be warned if they are messing with files they shouldn’t, and if they break something the log files will give you a clue to what has been done. Which leads to the next plugin.
Backupbuddy: this plugin will cost you $75 for a 2 site license. But if you’re looking for a set it and forget it backup solution, this may be your ticket. That being said, I do have some reservations, as it has not been working that well for me on a couple of larger websites, so I can’t fully endorse it. I present another backup solution in the next section.
Secure WordPress: provides miscellaneous tweaks to make your WordPress installation more secure. If you install it, you won’t need the BBQ plugin. One thing it does is remove the update notifications for non-admin users.
Bad behavior: a plugin by core WordPress developers which helps protect your site against malicious activity such as denial of service, and it is also effective against spam.
Hotfix: provides fixes for WordPress bugs.
Bulletproof Security: The BulletProof Security WordPress Security plugin is designed to be a fast, simple and one click security plugin to add .htaccess website security protection for your WordPress website.
ManageWP: a recently new service by well respected developer Vladimir Prelovac, ManageWP provides you with an efficient way to manage multiple WordPress installations in one place. You can update WordPress and plugins across all your sites with one click of a button. You can also set up backup routines to Dropbox and Amazon S3 and migrate sites across servers. So if Backupbuddy isn’t for you, I suggest trying ManageWP.
Sucuri sitecheck: offers a free scanner that will check your WordPress site for malware.
Cloudflare: this service is like an extra security layer for your website. It integrates nicely with WordPress via a plugin and also with the W3 Total Cache plugin. It is not only a caching solution, but it also protects your website against attacks. It isn’t too difficult to setup, but I recommend asking a professional if you are not familiar with DNS, nameservers and domain management. I also advise against using the Hostgator Cpanel cloudflare tool, as it will break your site. Install it directly through the Cloudflare website. A nice feature is that it will filter bots from your analytics.
VaultPress: created by the founders of WordPress, VaultPress is an extensive backup and security solution for serious WordPress users. It starts at $15 per month.
WordPress security resources
WordPress official documentation
WordPress security news
WordPress security presentations
Even implementing a few of these tips will help keep hackers at bay. It can be very expensive and detrimental to your website to get hacked, so if you haven’t yet, I suggest at least installing the plugins.
Did I miss anything or get something wrong? Have an awesome tip to secure WordPress? share in the comments!