You see the results of sites being hacked all the time. It may have even happened to you before. It's not fun to deal with and can be really stressful and frustrating. If your site is your main source of income (perhaps you run an online shop), it can be very costly too.
Site hacking can occur in many forms, from complete takeovers to hidden code being injected via iframe elements. If your site is found to be serving malicious content, Google can discourage users from visiting it with warning messages and even remove your website from their results completely.

There are, however, preventative measures that can be taken to help ensure the security of your WordPress website; hopefully you will find them useful.
1) Secure your wp-config file
The wp-config file is the main configuration file for your WordPress blog. It contains key information such as the database access details and table prefix, details which can greatly help a malicious user take control of your website.
WordPress allows you to move the wp-config file out of the default directory, up one level in the file hierarchy, that is, out of the public_html folder (depending on the server configuration it may be named differently).
This option depends on the level of access you have to the server as some may not allow you to access the directory above the root.
It is also a good idea to change the file permissions on wp-config.php so that the file can only be read (on Linux servers, chmod 444 the file) and to prevent the web server from serving it, using a .htaccess file (Linux/Apache) or a web.config file (Windows/IIS); that way a malicious user cannot force the server to serve the file and reveal its contents.
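As an added example (not from the original post), here is an Apache .htaccess fragment that stops the web server from serving wp-config.php. The directives are standard Apache ones; both the 2.4 and the 2.2 syntax are included so the same file works on either version:

```apache
# Added example: refuse to serve wp-config.php over the web.
# Place this in the .htaccess that sits in the same directory as wp-config.php.
<Files wp-config.php>
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (mod_authz_host)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

A quick check after uploading: requesting http://www.yoursite.com/wp-config.php should now return 403 Forbidden. Without the rule the request normally returns a blank page, because PHP executes the file and outputs nothing; the danger is the moment PHP handling is misconfigured and the raw source gets served instead. If you have moved the file above public_html as described, that copy is not reachable from the web anyway, but the rule does no harm.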
2) Keep WordPress core and plugins updated
It is vital that the WordPress installation is kept up to date with the latest version. Not only do you get the new features, but almost every update includes security fixes that close vulnerabilities and prevent attacks on your site.
This is important because WordPress is an open source platform, which means anyone can sit and read the full code behind the site and look for ways to exploit vulnerabilities. A WordPress update only takes a few minutes (usually it is just a click of an update button), so there is no excuse! Just be sure to keep a backup of your site and database in case something does go wrong (not all plugins and custom features may be compatible with the new version).
The same applies to plugins, so keep them up to date as well to prevent attacks which target their vulnerabilities.
3) Only use plugins from authors you can trust
This may seem pretty obvious, but only install plugins provided by an author you can trust. There are literally thousands of websites offering WordPress plugins, and all it takes is one dodgy plugin and the door is wide open for a hacker to access your site.
Unless you know the plugin author to be a trusted source, try to stick with plugins that are hosted on the official WordPress plugin repository, as these have been vetted before being accepted.
Remember, if you're ever unsure of a plugin's source, look for a different one; there are very often other plugins that do the same thing.
4) Choose unique usernames
During the installation of WordPress you are prompted to choose an admin username, and it is very tempting to just use admin, or administrator. Don’t!
Using easy-to-guess usernames is just asking for trouble, as it's usually the first thing a hacker would try, followed by your site name and email address. Try to keep them unusual and treat them like a password.
If you have already chosen admin (or something else easy) you should consider changing it. The only way to change a username is to access the database records and update it there. Simply access your database through phpMyAdmin (or another database interface), locate your user ID in the users table, then update the user_login field to your desired username.

5) Change the default table prefix
Another commonly used (but not recommended) default is the table prefix, the characters prepended to your WordPress table names. By default it is wp_, and the majority of users leave it as it is, which makes it easier for a malicious user to guess table names in an SQL injection and cause havoc.
Changing the table prefix is not as easy as changing the default user login (sadly). It will break your site completely if done incorrectly, and your website will be down during the change; if in doubt, skip this one!
To update your database prefix, first take a backup of your site, then update your wp-config file with the new prefix. It will be located around about line 62 in the file and will read $table_prefix = 'wp_'; simply change it to something different, e.g. $table_prefix = 'gji0h3_'; (mashing the keyboard is optional!). Hold off on uploading this file until the very end.
Next log into your database administration software (PhpMyAdmin or similar) and carry out the following:
- Rename all of the tables, changing the prefix for your new one
- Search the usermeta table for any meta_keys which contain the old prefix and update them to the new one
- Search the options table for any option_names which contain the old prefix and update them with the new one
The SQL query UPDATE `yourtablename` SET `column` = REPLACE(`column`, 'findtext', 'replacetext'); will help greatly in finding and replacing the prefix.
Some plugins may also store information based on the table prefix, and these would need to be updated too.
Finally upload your wp-config file to complete the changes.
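The three database steps above, carried out by a one-off command-line script, as an added example that is not part of the original post. The database credentials and the two prefixes are placeholders; mysqli is PHP's own MySQL extension. The script renames every table carrying the old prefix and then re-prefixes usermeta.meta_key and options.option_name, replacing only the leading prefix rather than every occurrence of the string. Run it with --dry-run first to see what it would do:

```php
<?php
// Added example (not from the original post): change the WordPress table prefix.
// Take a full backup before running without --dry-run.
$host   = 'localhost';   // placeholder
$dbName = 'wordpress';   // placeholder database name
$user   = 'dbuser';      // placeholder
$pass   = 'dbpass';      // placeholder
$old    = 'wp_';
$new    = 'gji0h3_';
$dryRun = in_array('--dry-run', $argv ?? [], true);

// Prefixes are spliced into SQL identifiers, so allow only safe identifier characters.
foreach ([$old, $new] as $p) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $p)) {
        fwrite(STDERR, "Refusing unsafe prefix: $p\n");
        exit(1);
    }
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any MySQL error
$dbh = new mysqli($host, $user, $pass, $dbName);

// Step 1: rename every table whose name starts with the old prefix.
$tables = [];
$res = $dbh->query('SHOW TABLES');
while ($row = $res->fetch_row()) {
    if (strncmp($row[0], $old, strlen($old)) === 0) {
        $tables[] = $row[0];
    }
}
foreach ($tables as $table) {
    $renamed = $new . substr($table, strlen($old));
    echo "RENAME TABLE `$table` TO `$renamed`\n";
    if (!$dryRun) {
        $dbh->query("RENAME TABLE `$table` TO `$renamed`");
    }
}

// Steps 2 and 3: re-prefix keys such as wp_capabilities / wp_user_level (usermeta)
// and wp_user_roles (options). CONCAT(new, SUBSTRING(key, offset)) swaps only the
// leading prefix; LIKE wildcards in the old prefix are escaped so '_' matches literally.
$likeOld = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $old) . '%';
$offset  = strlen($old) + 1; // SUBSTRING() positions are 1-based
foreach (["{$new}usermeta" => 'meta_key', "{$new}options" => 'option_name'] as $table => $col) {
    $sql = "UPDATE `$table` SET `$col` = CONCAT(?, SUBSTRING(`$col`, ?)) WHERE `$col` LIKE ?";
    echo "$sql  [$new, $offset, $likeOld]\n";
    if (!$dryRun) {
        $stmt = $dbh->prepare($sql);
        $stmt->bind_param('sis', $new, $offset, $likeOld);
        $stmt->execute();
        echo "  rows updated: {$stmt->affected_rows}\n";
        $stmt->close();
    }
}
$dbh->close();
echo $dryRun ? "Dry run only; nothing changed.\n"
             : "Done. Now upload wp-config.php with \$table_prefix = '$new';\n";
```

RENAME TABLE is a DDL statement and commits implicitly in MySQL, so the script cannot be wrapped in a single transaction; that is why the backup, and the dry run, matter. Plugins that store their own prefixed option or meta names are covered by the two UPDATE statements, but a plugin that caches the prefix elsewhere (for example in its own file) still needs checking by hand.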
6) Remove the readme and install files
Located in the site root (http://www.yoursite.com/readme.html), the readme file reveals which version of WordPress you are using, telling a hacker exactly what they are dealing with and making their job easier. It's not needed anymore anyway, so just bin it.
Remember that readme.html is restored after every WordPress update, so you will need to go through and delete it again.
Also, if you are not planning on re-installing your site, delete the install.php file located at wp-admin/install.php and close off another opportunity.
7) Show less error information on failed login
By default, WordPress tells you what you entered wrong when trying to log in: if it's a wrong username it will say that the username doesn't exist, and if it's a wrong password it will tell you the password is incorrect. Not good. This lets a hacker discover the usernames used to access the site and then start guessing passwords. Instead, add the following code to your theme's functions.php file to show one generic error message for both cases:
add_filter( 'login_errors', 'GenericLoginMessage' );
function GenericLoginMessage( $error ) {
    // Return the same message whether the username or the password was wrong.
    return '<strong>Login Failed</strong><br />Incorrect details provided.';
}

8) Turn off the admin area file editor
By default, WordPress allows theme and plugin files to be edited from within the admin area, so in the event that a malicious user gains access to your administrative area, they can edit all your plugin and theme data and do whatever takes their fancy, which is never a good idea.
You can disable the file editor, though, by adding the following line to your wp-config file, near the debug mode definition: define('DISALLOW_FILE_EDIT', true);
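Building on the login-error filter from step 7, here is an added example (not code from the original post) that pairs the generic message with a log line for every failed login, so that repeated attempts against one account or from one address can be spotted in the web server's error log. The hooks login_errors and wp_login_failed are real WordPress hooks; the lh_ function names are our own. Save it into wp-content/mu-plugins/ to have it load automatically:

```php
<?php
/*
Plugin Name: Login Hardening (added example)
Description: Generic login error message plus a log entry for each failed login attempt.
*/
// Added example, not from the original post. Assumes wp-content/mu-plugins/ is in use.

defined( 'ABSPATH' ) || exit;

// Step 7: never reveal whether the username or the password was the wrong part.
add_filter( 'login_errors', 'lh_generic_login_message' );
function lh_generic_login_message( $error ) {
    return '<strong>Login Failed</strong><br />Incorrect details provided.';
}

// Detection: WordPress fires wp_login_failed with the attempted username. Record it with
// the client address so that a run of failures against one account stands out in the log.
add_action( 'wp_login_failed', 'lh_log_failed_login' );
function lh_log_failed_login( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Replace anything outside printable ASCII so a crafted username cannot forge extra
    // log lines, and cap the length so the log stays readable.
    $safe_user = substr( preg_replace( '/[^\x20-\x7E]/', '?', (string) $username ), 0, 60 );
    error_log( sprintf( 'wp_login_failed user="%s" ip=%s', $safe_user, $ip ) );
}
```

Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address rather than the visitor's; only substitute a forwarded-for header if your proxy is known to set it and strips any client-supplied copy. The entries land wherever PHP's error_log is configured, so point that at a file you actually review.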
9) Remove the WordPress version from the generator
Following on from the removal of the readme file, some themes (including twentyten and twentyeleven) output an additional meta tag in the head section that reveals the WordPress version for everybody, and anybody, to see, so a malicious user knows exactly which version they are attacking.
To prevent this, simply add the following to your theme's functions.php file:
add_filter( 'the_generator', 'remove_generator' );
function remove_generator() {
    // Return an empty string so no generator meta tag (and no version) is output.
    return '';
}

10) Block malicious queries
We didn’t come up with this one, but still it is a good one to note.
One method attackers use to steal or destroy key information is SQL injection: submitting crafted input through forms, or altering the GET variables in the URL so that a query does something it should not.
The following code looks for specific strings in the url and blocks the page load if they are found!
Simply save the code as “blockbadqueries.php” and upload it to your WordPress plugins directory and activate it on your site:
<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/
// strpos() returns the match offset, which can be 0, so compare against false explicitly.
if (strpos($_SERVER['REQUEST_URI'], "eval(") !== false ||
    strpos($_SERVER['REQUEST_URI'], "CONCAT") !== false ||
    strpos($_SERVER['REQUEST_URI'], "UNION+SELECT") !== false ||
    strpos($_SERVER['REQUEST_URI'], "base64") !== false)
{
    @header("HTTP/1.1 400 Bad Request");
    @header("Status: 400 Bad Request");
    @header("Connection: Close");
    @exit;
}
?>
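The plugin above matches the raw request URI exactly as received, so it only catches the literal spellings it lists. As an added example (our own code, not the Perishable Press plugin), here is a variant that percent-decodes and lower-cases the URI before checking, keeps the decision in a side-effect-free function so it can be unit-tested, and logs what it blocked. The bbq_ function names are our own:

```php
<?php
/*
Plugin Name: Block Bad Queries (hardened variant, added example)
Description: Same idea as the Perishable Press plugin, checked on the decoded URI.
*/
// Added example, not the original plugin's code.

defined( 'ABSPATH' ) || exit;

/**
 * Return the first suspicious fragment found in $uri, or null if there is none.
 * '+' is turned into a space and the URI is percent-decoded and lower-cased first,
 * so "UNION+SELECT", "union%20select" and "Union Select" are all treated alike.
 */
function bbq_find_bad_fragment( $uri ) {
    $needles = array( 'eval(', 'concat', 'union select', 'base64' );
    $decoded = strtolower( rawurldecode( str_replace( '+', ' ', (string) $uri ) ) );
    foreach ( $needles as $needle ) {
        if ( strpos( $decoded, $needle ) !== false ) { // !== false: offset 0 counts as a hit
            return $needle;
        }
    }
    return null;
}

/** Log the attempt, answer 400 and stop. Kept apart so the decision above stays pure. */
function bbq_block_request( $fragment ) {
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? (string) $_SERVER['REQUEST_URI'] : '';
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Printable ASCII only, and truncated, so the log line itself cannot be abused.
    $safe_uri = substr( preg_replace( '/[^\x20-\x7E]/', '?', $uri ), 0, 200 );
    error_log( sprintf( 'bbq blocked uri="%s" fragment="%s" ip=%s', $safe_uri, $fragment, $ip ) );
    if ( ! headers_sent() ) {
        header( 'HTTP/1.1 400 Bad Request' );
        header( 'Connection: Close' );
    }
    exit;
}

$bbq_hit = bbq_find_bad_fragment( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '' );
if ( $bbq_hit !== null ) {
    bbq_block_request( $bbq_hit );
}
```

Treat this as a blunt instrument: "concat" or "base64" can legitimately appear in a post slug or a query string, so try it on a staging copy first and watch the log for false positives. It is a backstop for the real fix, which is keeping core and plugins patched and using prepared statements ($wpdb->prepare() in WordPress) for any database access your own code performs.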
11) Choose your host well
On-site security is not the only thing that needs to be maintained. It is vital to choose a reputable web host who keeps their servers secure, as vulnerabilities in the server can carry down and put your website at risk.
Try to avoid shared servers if your site's security is crucial: they pose more of a threat than a virtual private server, since one compromised server can give access to every website hosted on it, which can sometimes be hundreds!
Another key thing to remember with hosting is that you get what you pay for. You may end up having more issues with budget hosting on a shared server than you would by paying a little extra per month for a VPS. Try to find other customers' reviews before choosing a host, too; they are not all the same in the level of server quality, security and support they offer, so shop around.
12) Backup … Often!
Yeah, it may seem obvious, but the key one is to keep recent backups of your files and database, just in case something catastrophic does happen and you need to get your site back online as soon as possible. There are a range of automatic backup plugins available (just make sure you choose a trusted one!), or backups can be carried out manually by downloading your site's files over FTP and taking an export of your database. That way you are protected if something does happen.
By implementing these steps, you can significantly reduce the risk of attacks on your site, and the effect they have, allowing you to spend more time on developing your site further and keep traffic flowing to your website.
Do you have any more suggestions on improving WordPress site security?
James Agate
Roger Green