Just last week a friend's WordPress site got hacked.
With WordPress powering roughly 8.5% of all websites, it is no surprise that it is a favourite target for attackers.
That got me wondering what WordPress users can do to secure their sites and minimise the risk of being hacked.
After a fair amount of research I have come up with 7 security tune-up tips and 4 recommended WordPress plugins that every WordPress user should look at.
[Off topic: did you know that the Google Custom Search WordPress plugin gives better search results than the standard WordPress search? It is free and available here.]
Tune up Tips
1) Secure wp-config.php file
Why is this important?
This is probably the most important file in your WordPress install. It holds the database username and password, the authentication keys and salts, and the other settings needed to reach the database where all your content and configuration live. Anyone who can read it can read or rewrite your whole site.
Tune up instructions
Add the following lines to the .htaccess file in your WordPress root directory. This only works on Apache, and only if AllowOverride permits .htaccess files in that directory; nginx ignores .htaccess entirely, so there you must add an equivalent deny rule to the server configuration. WordPress also lets you move wp-config.php one directory above the web root, which keeps it out of the web-served tree altogether.
<Files wp-config.php>
# Apache 2.2 syntax (still honoured on 2.4 when mod_access_compat is loaded)
order allow,deny
deny from all
# On Apache 2.4 without mod_access_compat use this single line instead:
# Require all denied
</Files>
2) Hide login error information
Why is this important?
When a login fails, WordPress tells you exactly what went wrong: whether the username does not exist or the password was wrong. That is useful information for an attacker trying to confirm a valid username before starting to guess passwords.
Tune up instructions
Add the following line to your theme's functions.php file. The original snippet used create_function(), which was removed in PHP 8, so an anonymous function is used instead; it returns an empty string so no error detail is shown at all.
add_filter('login_errors', function () { return ''; });
3) Change your wordpress login location
Why is this important?
Everyone knows where the default WordPress login page is (wp-login.php), which makes it easy to confirm that a site runs WordPress and to aim password guessing at it. Moving the login page makes casual scans miss it. Treat this as obscurity rather than a real control, though: xmlrpc.php, the /wp-json/ REST API and the wp-content/ paths still give WordPress away, and credentials can still be guessed through XML-RPC, so keep the password, lockout and update measures in place as well.
Tune up instructions
There is a really good plugin which does this, called Stealth Login (http://wordpress.org/extend/plugins/stealth-login/)
4) Pick a good password
Why is this important?
A good password is far harder to guess or brute-force, and the login page is reachable by anyone on the internet.
Tune up instructions
Choose a password that is not a dictionary word or a name. It should be long (length matters more than anything else) and mix upper and lower case, digits and symbols; a password manager will generate and remember one for you. Change it immediately if you suspect it has been exposed, for example after a breach of another site where you reused it.
5) Change your admin username
Why is this important?
The default WordPress administrator account is called admin, so that is the first username an attacker will try. Changing it means they have to find the real username before they can start guessing passwords.
Tune up instructions
Create a new user with the Administrator role, log in as that user and delete the old admin user. Don't worry, WordPress will offer to attribute the old user's posts to the new user. Be aware that usernames are not really secret in WordPress: the author archive (reached via ?author=1) and the REST API user listing (/wp-json/wp/v2/users) can reveal them, so this tip buys less than a strong password and a login lockout do.
6) Hide your wordpress version
Why is this important?
Newer WordPress versions contain security fixes. If an attacker can read your version, they can look up the known flaws in that version and go straight for a working exploit.
Tune up instructions
Add the following line to the functions.php file. It removes the generator meta tag from the page head, but the version also leaks through the generator element in the RSS and Atom feeds, the ?ver= query string on core scripts and stylesheets, and the readme.html file in the site root, so deal with those as well.
remove_action('wp_head', 'wp_generator');
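The two functions.php snippets from tune-ups 2 and 6 together, plus the other places the version string shows up, as one added example. This is not code from the original post; it uses only WordPress core hooks and functions, and the file name and the prefix on the helper function are my own choices.

```php
<?php
/**
 * Added example (not from the original post): information-hiding tweaks for
 * WordPress covering tune-ups 2 and 6. Save it as
 * wp-content/mu-plugins/hide-details.php (an assumed name) so it keeps working
 * when the theme changes. All hooks and functions used are WordPress core.
 */

// Tune-up 2: replace the specific login error ("unknown username" versus
// "wrong password") with one generic message. create_function() is gone in
// PHP 8, so a closure is used. Returning '' would hide the message entirely.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Check your username and password.';
} );

// Tune-up 6: drop the <meta name="generator"> tag from the HTML head...
remove_action( 'wp_head', 'wp_generator' );

// ...and the <generator> element from RSS and Atom feeds, which carries the
// same version string.
add_filter( 'the_generator', '__return_empty_string' );

// The version also rides along as ?ver=X.Y.Z on core scripts and styles.
// Strip the argument only when it equals the core version, so cache-busting
// version strings on plugin and theme assets keep working.
function example_strip_core_version( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );

// readme.html in the site root also states the version; that is a file, not
// a hook, so delete it or deny it in the web server configuration.
```

Removing the version string is only worth doing alongside tune-up 7: an attacker who cannot read the version will simply try the known exploits anyway, and an up-to-date install is what actually stops them.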
7) Update wordpress
Why is this important?
For the same reason as the previous tip: newer WordPress versions fix the security flaws found in older ones, so staying current means running the most secure version available. The same applies to plugins and themes, which are at least as common an entry point as core; remove any you no longer use rather than leaving them installed but inactive.
Tune up instructions
This is easy: when you log into the WordPress dashboard as an administrator you are told when a newer version is available, and updating is a single click. WordPress also installs minor (security) releases automatically by default; check that this has not been switched off.
Recommended WordPress Security Plugins
There are lots of wordpress security plugins out there. Below are the four which I find to be very useful.
Login Lockdown
http://www.bad-neighborhood.com/login-lockdown.html
Helps protect against brute-force password guessing by locking the login functionality after a certain number of failed attempts. It does not lock the user account itself; it blocks login access for the address that made the failed attempts. Because the block is per IP address, an attacker spreading attempts across many addresses can still make them, and users behind a shared NAT can lock each other out, so pair it with strong passwords rather than relying on it alone.
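To show what a per-address lockout of the kind described above actually does, here is an added example implemented with WordPress core hooks. It is my own code, not the Login Lockdown plugin's; the thresholds, the transient key prefix and the error message are assumptions chosen for the example.

```php
<?php
/**
 * Added example (not the Login Lockdown plugin's code): a minimal per-IP
 * login lockout using WordPress core hooks and transients. Thresholds and
 * key names are assumptions for this example.
 */

const EXAMPLE_LOCKOUT_MAX_FAILURES = 5;    // failures allowed per window
const EXAMPLE_LOCKOUT_WINDOW       = 600;  // seconds over which failures are counted
const EXAMPLE_LOCKOUT_DURATION     = 1800; // seconds a block lasts

// Client address. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy, so
// every visitor would share one counter; only in that deployment should you
// read the proxy's forwarded header, because otherwise it is attacker-controlled.
function example_lockout_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names must be short and simple, so hash the address into the key.
function example_lockout_key( $suffix ) {
    return 'example_lockout_' . $suffix . '_' . md5( example_lockout_client_ip() );
}

// Count each failed login for this address; at the threshold, set a block marker.
// Attempts made while blocked still fire this hook, so a persistent attacker
// keeps re-arming their own block.
add_action( 'wp_login_failed', function ( $username ) {
    $fail_key = example_lockout_key( 'fails' );
    $failures = (int) get_transient( $fail_key ) + 1;
    set_transient( $fail_key, $failures, EXAMPLE_LOCKOUT_WINDOW );

    if ( $failures >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
        set_transient( example_lockout_key( 'blocked' ), time(), EXAMPLE_LOCKOUT_DURATION );
        delete_transient( $fail_key );
    }
} );

// Refuse authentication while the block marker exists. Priority 50 runs after
// core's username/password checks (priority 20), so the block overrides even a
// correct password; otherwise a lucky guess during the block would succeed.
// wp_authenticate() is also used by xmlrpc.php, so this covers that path too,
// unlike simply moving wp-login.php.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( get_transient( example_lockout_key( 'blocked' ) ) ) {
        return new WP_Error(
            'example_locked_out',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 50, 3 );

// A successful login clears the failure counter for this address.
add_action( 'wp_login', function () {
    delete_transient( example_lockout_key( 'fails' ) );
}, 10, 0 );
```

Transients live in the options table (or the object cache when one is configured), so the counters are shared across all PHP workers. The error returned while blocked is deliberately the same whether or not the password was right, so the lockout does not itself become a password oracle.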
Stealth Login
http://wordpress.org/extend/plugins/stealth-login
Allows creation of custom URLs for logging in, logging out, administration and registering for your WordPress site. This hides the login page behind a URL of your choosing instead of the well-known default wp-login.php location.
Admin SSL
http://www.kerrins.co.uk/blog/admin-ssl
Forces the administrative area and the login page to be served over HTTPS (SSL, today TLS), so the password and the logged-in cookie are not sent in clear text where anyone on the network path could read them. Recent WordPress versions can do this without a plugin by defining FORCE_SSL_ADMIN as true in wp-config.php.
WP Security Scan
http://wordpress.org/extend/plugins/wp-security-scan
Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
Do you have a WordPress security tune-up tip or plugin to share? Tell everyone about it in the comments!
Nice post.
One thing also worth looking into is securing your site’s text input fields from injection attacks (javascript and/or SQL).
Also, it always pays to have a regular backup strategy.