Wordpress is by far the most popular content management system on the Web – but it is far from the most secure. While the most recent attack has forced many administrators of Wordpress sites to seriously consider their use of the software, taking even a few basic steps can reduce vulnerabilities and make sure your Wordpress-powered website keeps humming along.
If you’ve simply had it with Wordpress and no longer wish to use it, there are plenty of other open-source fish in the sea. Joomla and Drupal specifically are two of the more robust (and popular) solutions, but many others exist – some of which may be accessible directly from your web hosting provider.
Many of the suggestions you'll find below for securing your Wordpress installation focus on obscuring file names so as to make them unrecognizable to attackers. Keep in mind that changing database names, file names and folders (as well as usernames and IDs) can cause problems (such as broken links or sections of the site becoming inaccessible), so always back up the WP site before making any of these security-related changes so you can restore it if necessary.
The suggestions below should also act as encouragement to make decisions based on common sense when it comes to security. For example, it doesn’t make sense to let users edit themes and plugins from within the Wordpress backend, but many sites are vulnerable in this way. Whenever there is an opportunity to prevent users from reading, writing or executing a file – do it (but carefully).
Here are several other Wordpress Security Tips to reduce vulnerabilities and protect your business and its users.
- Start by changing the Administrator username. By default, WP uses 'admin' as the username, which from the get-go reduces the complexity of the login by 50 percent, since an attacker already knows half of the credential pair. Another suggestion is to change the admin User ID from '1' (the typical user ID for an admin) to something else.
- Consider the use of a bot blacklist, which bans hosts and user agents from a site using groups of IP addresses and user-agent strings. Better WP Security (one of the security plugins linked to below) suggests using the blacklist developed by Jim Walker of HackRepair.com.
- What WP admins quickly find out is that having a "soup-to-nuts" backup of your installation proves immensely helpful in securing a website. While it's not a foolproof method, reinstalling or restoring from a backup replaces the files and database with copies that have not been corrupted. Create backups regularly (consider scheduled backups if necessary) at an interval that won't cause too much loss. Also, make sure to store backups in email in addition to on the server.
- Change database prefixes (carefully) and start obscuring the fact that you're using Wordpress at all. Wordpress uses the prefix “wp_” on its database tables for content, users and objects (like plugins and their image folders). Making these changes further reduces the chance your WP site is the subject of an attack. Take it a step further and hide the URLs that reveal the backend at all (e.g. login, register, admin).
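The two database changes above (renaming the 'admin' login and moving the tables off the “wp_” prefix) are where sites most often break, because the prefix is also embedded in a handful of option and usermeta keys. The script below is an added example, not code from the article or from any plugin it mentions: it prints the SQL statements for both changes and rewrites the `$table_prefix` line of a wp-config.php copy, without connecting to MySQL itself. The table list and the demo wp-config.php contents are constructed; the new prefix `k7x_` and login `siteowner` are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Generates the SQL and the
# wp-config.php edit needed to rename the default 'admin' login and to move
# the core tables off the 'wp_' prefix. Nothing here talks to MySQL: review
# the printed statements, take a backup, then run them yourself.

# WordPress core tables that carry the prefix (constructed list for the
# WordPress 3.x layout of the period; add any plugin tables your site has).
WP_CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# Statement that renames the default administrator login.
# Usage: admin_rename_sql <table prefix> <new login name>
admin_rename_sql() {
  printf "UPDATE %susers SET user_login = '%s' WHERE user_login = 'admin';\n" "$1" "$2"
}

# Statements for a prefix change. RENAME TABLE alone is not enough: the role
# and capability keys stored *inside* options and usermeta also embed the
# prefix (wp_user_roles, wp_capabilities, wp_user_level), and leaving them
# behind locks every account out with "insufficient permissions".
# Usage: prefix_change_sql <old prefix> <new prefix>
prefix_change_sql() {
  old=$1; new=$2
  for t in $WP_CORE_TABLES; do
    printf "RENAME TABLE %s%s TO %s%s;\n" "$old" "$t" "$new" "$t"
  done
  # '_' is a LIKE wildcard, so escape it to match the literal prefix only;
  # SUBSTRING from position len(old)+1 swaps exactly the leading prefix.
  esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
  pos=$(( ${#old} + 1 ))
  printf "UPDATE %soptions SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
    "$new" "$new" "$pos" "$esc"
  printf "UPDATE %susermeta SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$pos" "$esc"
}

# Rewrite the $table_prefix line of a wp-config.php file in place (a .bak copy
# is kept) and echo the resulting line. Usage: set_table_prefix <file> <new prefix>
set_table_prefix() {
  sed -i.bak "s/^\(.table_prefix *= *\)'[^']*';/\1'$2';/" "$1"
  grep -F '$table_prefix =' "$1"
}

# Demo against a throwaway wp-config.php (constructed).
demo_cfg=$(mktemp)
printf '%s\n' "<?php" "\$table_prefix = 'wp_';" > "$demo_cfg"
admin_rename_sql wp_ siteowner
prefix_change_sql wp_ k7x_
set_table_prefix "$demo_cfg" k7x_
rm -f "$demo_cfg" "$demo_cfg.bak"
```

Run the RENAME TABLE statements first, then the two UPDATEs against the renamed tables, and only then change wp-config.php; a site that still has the old prefix in wp-config.php while the tables carry the new one shows the install screen, which is the symptom to look for if a step was missed.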
- Setting up file change detection enables a WP installation to report changes to files and directories to administrators - useful for quickly understanding whether the system has been compromised. Consider adding excludes for folders that will (and should) always change, like the cache. Another method of detection is 404 detection. An alert of this nature can show if a user is hitting non-existent pages within a short period of time, which suggests that the user may be scanning for vulnerabilities.
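File change detection is simple enough to do without a plugin: hash every file once, exclude the directories that are supposed to churn, and diff a later snapshot against the baseline. The script below is an added example, not code from the article or from any plugin it mentions; it assumes GNU coreutils (`sha256sum`) and does not handle paths containing spaces. The exclude list and the throwaway document root in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. A minimal file change
# detector for a WordPress document root: take a baseline of SHA-256 sums
# for every file except the excluded (legitimately churning) directories,
# then compare a later snapshot and report added, removed and modified paths.
# Needs GNU coreutils sha256sum; paths containing spaces are not handled.

# Directories whose contents change all the time and would only produce noise
# (constructed list; adjust for your caching plugin).
WP_EXCLUDES="wp-content/cache wp-content/uploads/tmp"

# Write "hash  ./relative/path" lines for every file under $1 into $2, sorted by path.
# Usage: wp_snapshot <docroot> <snapshot file>
wp_snapshot() {
  root=$1; out=$2
  set --                                   # build find's prune list
  for d in $WP_EXCLUDES; do set -- "$@" -path "./$d" -prune -o; done
  ( cd "$root" && find . "$@" -type f -exec sha256sum {} + ) | sort -k2 > "$out"
}

# Compare a baseline with a current snapshot. Prints one "added|removed|modified <path>"
# line per difference and returns 1 if anything changed, 0 if identical, so
# it can drive an alert from cron. Usage: wp_compare <baseline> <current>
wp_compare() {
  diffs=$(awk '
    FILENAME == ARGV[1] { base[$2] = $1; next }   # baseline: path -> hash
    { cur[$2] = $1 }                               # current snapshot
    END {
      for (p in cur)  if (!(p in base)) print "added " p
      for (p in base) if (!(p in cur))  print "removed " p
      for (p in base) if ((p in cur) && base[p] != cur[p]) print "modified " p
    }' "$1" "$2" | sort)
  [ -z "$diffs" ] && return 0
  printf '%s\n' "$diffs"
  return 1
}

# Demo on a throwaway tree (constructed): cache churn is ignored, a changed
# core file and a new PHP file are reported.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/cache" "$root/wp-includes"
  printf 'config\n' > "$root/wp-config.php"
  printf 'lib\n'    > "$root/wp-includes/functions.php"
  wp_snapshot "$root" "$root.baseline"
  printf 'cached page\n'  > "$root/wp-content/cache/page.html"   # normal churn
  printf 'lib tampered\n' > "$root/wp-includes/functions.php"    # modified core file
  printf '<?php\n'        > "$root/wp-includes/extra.php"        # dropped-in file
  wp_snapshot "$root" "$root.current"
  wp_compare "$root.baseline" "$root.current" || echo "ALERT: unexpected file changes"
  rm -rf "$root" "$root.baseline" "$root.current"
}
demo
```

Keep the baseline file outside the document root (and ideally off the server), otherwise whoever modifies the site can also refresh the baseline; re-take it deliberately after every legitimate core, theme or plugin update.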
- Consider limiting the number of login attempts per host in a given time period. Excessive login attempts can be a sign that a WP site is under attack. Plugins like Better WP Security even enable WP admins to add repeat offenders to a blacklist.
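Both the 404-detection idea from the previous item and the login-attempt limit here reduce to the same question: which client produced more than N events of one kind within one minute? The script below is an added example, not code from the article or from any plugin it mentions. It reads an Apache/nginx "combined" format access log, buckets matching requests per client and minute, and prints the buckets over a threshold; the log lines in `write_sample_log` are constructed, using documentation IP ranges, and the thresholds are placeholders to tune for your traffic.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article. Pick out clients that hit
# an unusual number of 404s, or POST to wp-login.php unusually often, within
# a single minute, from a "combined" format access log. Combined format:
#   ip - - [day/mon/year:HH:MM:SS zone] "METHOD path proto" status bytes ...
# so $1 is the client, $4 the timestamp, $6 the quoted method, $7 the path
# and $9 the status code.

# Read already-filtered log lines on stdin; print "ip minute count" for every
# (client, minute) bucket whose count exceeds $1.
over_limit() {
  awk -v limit="$1" '
    { key = $1 " " substr($4, 2, 17); n[key]++ }    # "10/Apr/2013:09:15"
    END { for (k in n) if (n[k] > limit) print k, n[k] }' | sort
}

# Clients producing more than $2 "404" responses in one minute (scanner noise).
# Usage: scan_404s <access log> <threshold>
scan_404s() { awk '$9 == "404"' "$1" | over_limit "$2"; }

# Clients posting to wp-login.php more than $2 times in one minute.
# Usage: login_bursts <access log> <threshold>
login_bursts() { awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/' "$1" | over_limit "$2"; }

# Constructed sample log: one client with six 404s in a minute, one with five
# login POSTs in a minute, and a normal visitor who does one of each.
write_sample_log() {
  {
    i=1
    while [ $i -le 6 ]; do
      printf '203.0.113.7 - - [10/Apr/2013:09:15:%02d +0000] "GET /old-site-%d/ HTTP/1.1" 404 213 "-" "Mozilla/5.0"\n' "$i" "$i"
      i=$((i + 1))
    done
    printf '198.51.100.2 - - [10/Apr/2013:09:15:30 +0000] "GET /missing.html HTTP/1.1" 404 213 "-" "Mozilla/5.0"\n'
    i=1
    while [ $i -le 5 ]; do
      printf '192.0.2.9 - - [10/Apr/2013:09:16:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3520 "-" "curl/7.29"\n' "$i"
      i=$((i + 1))
    done
    printf '198.51.100.2 - - [10/Apr/2013:09:16:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
  } > "$1"
}

demo() {
  log=$(mktemp)
  write_sample_log "$log"
  echo "clients with more than 3 404s in a minute:";        scan_404s "$log" 3
  echo "clients with more than 3 login POSTs in a minute:"; login_bursts "$log" 3
  rm -f "$log"
}
demo
```

A successful WordPress login answers with a 302 redirect and a failed one re-renders the form with a 200, so in real logs the `200` responses to `POST /wp-login.php` are the failed attempts; feeding the flagged addresses to the plugin's blacklist or to a firewall rule is the limiting step the item describes.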
- Numerous other adjustments can also be made to protect a Wordpress installation, including preventing public access to files such as wp-config.php or .htaccess. Removing the write permissions from these files prevents bots, scripts and malicious users from being able to modify them.
Most of the suggested changes and security modifications included here could be instituted rather quickly by a qualified IT person, but numerous plugins exist which make quick work of at least the most glaring vulnerabilities. Below is a list of the most popular Wordpress security plugins.