WordPress is the most popular self-hosted blogging platform (and is often used as a CMS) on the internet, used by thousands of sites. Because of its popularity, it is also a favourite target for attackers. When a blog is compromised (through methods such as password brute force or SQL injection), the content the attacker adds is often malicious, which can even get a site banned and removed from Google and other search engines; this has actually happened to many sites.
“A stitch in time saves nine.” It is better to spend some time securing your blog before disaster strikes. You never know what could happen. The following steps can help make your WordPress blog more secure and discourage attackers, though unfortunately there is no way to stop them completely, only to make their job much harder.
1. Upgrade Your WordPress Installation
This is one of the easiest and most effective security steps. Upgrade! Upgrading not only fixes bugs and adds new features; most importantly, it fixes security issues, and every release announcement tells attackers exactly which holes the previous version still has. To upgrade your installation, go to your Dashboard –> Tools –> Upgrade. You can choose to Upgrade Automatically (which is faster and recommended) or download the latest version and upload it through FTP yourself. Take a backup first (see step 4), since an interrupted upgrade can leave a half-updated site. It only takes a few minutes and can save your whole blog.
2. Hide Your WordPress Version Number
By default, most themes include a line in the <head> section that looks similar to the following:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->
Anyone who views the page source can easily see the WordPress version you are running. Attackers can quickly tell whether you are running an outdated installation and use the known holes in that version to exploit your blog. For security, remove the PHP call <?php bloginfo('version'); ?> or, better yet, remove the whole line. Note that the meta tag is only one indicator: WordPress also ships a readme.html in the web root that states the version, and it appends ?ver=<version> to the URLs of the core scripts and stylesheets it loads, so hiding the version is a mild obstacle rather than real protection. Keeping the installation upgraded (step 1) is what actually closes the holes.
3. Prevent Viewing of Your Plugins Directory
One of WordPress’s excellent features is the ability to upload plugins. However, if the server lists directory contents, anyone can find out which plugins you are running, and therefore whether any of them is outdated with known security holes, simply by browsing to the /wp-content/plugins directory.
Blank Index file
To prevent this, disable directory indexing completely, or add a blank index.php or index.html file to the directory. By default, WordPress ships the plugins directory with an index.php file that contains only the following (which does nothing, so the server shows a blank page instead of a listing):
<?php // Silence is golden. ?>
Disable Indexing
Alternatively, for broader protection, you can disable directory listings for your whole site by adding the following line to the .htaccess file in your web root (Apache servers):
Options All -Indexes
(Options -Indexes on its own is enough; the All is not required.) If your web host uses cPanel, you can do the same by going to Index Manager under the Advanced box in cPanel. Choose Web Root and click on public_html. On the next page, choose No Indexing and click Save. This option simply writes the line above into your root .htaccess file for you. Be aware that some hosts do not permit the Options directive in .htaccess; in that case the whole site returns a 500 Internal Server Error until you remove the line, and you should fall back to the blank index file.

Indexing Manager for public_html in cPanel. Choose No Indexing to disable all indexes.
To test whether this worked, browse to /wp-content/plugins/ and check whether you still see a listing of your plugin folders. If you get a blank page (from the index file), a 403 Forbidden (from -Indexes) or a 404 error instead, it worked.
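The checks from steps 2 and 3, as an added example that is not code from the original post: a small shell script that scans a fetched home page for the version strings WordPress leaks (the generator meta tag and the ?ver= query strings on core scripts and stylesheets) and tests whether the plugins directory still comes back as an Apache directory index. In real use you would feed it the output of curl; the two sample bodies embedded in the script are constructed for the demo, not captured from a real site.

```shell
#!/bin/sh
# Added example, not code from the original post: checks whether a site still leaks
# its WordPress version (steps 2 and 3 above) and whether /wp-content/plugins/ still
# returns a directory listing. In real use feed it fetched bodies, e.g.
#   check_site "$(curl -s http://example.com/)" "$(curl -s http://example.com/wp-content/plugins/)"
# The SAMPLE_* bodies below are constructed for the demo, not captured from a real site.

# Print every version string a page body reveals, one per line, tagged by source.
# Besides the generator meta tag, WordPress appends ?ver=<version> to the core
# scripts and stylesheets it loads, which fingerprints the release just as well.
version_leaks() {
    printf '%s\n' "$1" \
      | grep -oE 'content="WordPress [0-9.]+"|[?&]ver=[0-9][0-9.]*' \
      | sed 's/.*WordPress \([0-9.]*\)"/generator:\1/; s/^[?&]ver=/query-string:/' \
      | sort -u
}

# Succeed (exit 0) when a body is an Apache auto-generated directory index.
is_directory_listing() {
    printf '%s\n' "$1" | grep -q '<title>Index of /'
}

# Combine both checks into a PASS/FAIL report; returns 1 if anything failed.
check_site() {
    status=0
    leaks=$(version_leaks "$1")
    if [ -n "$leaks" ]; then
        printf 'FAIL version leaks:\n%s\n' "$leaks"; status=1
    else
        printf 'PASS no version string found in the home page\n'
    fi
    if is_directory_listing "$2"; then
        printf 'FAIL /wp-content/plugins/ is listable\n'; status=1
    else
        printf 'PASS /wp-content/plugins/ is not listable\n'
    fi
    return $status
}

# Constructed samples: a stock theme header, an Apache listing of the plugins
# directory, and a page with nothing to report.
SAMPLE_HOME='<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<link rel="stylesheet" href="/wp-content/themes/x/style.css?ver=2.8.4" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.3.2"></script>
</head><body>hello</body></html>'
SAMPLE_PLUGINS='<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><a href="akismet/">akismet/</a></body></html>'
SAMPLE_CLEAN='<html><head><title>My blog</title></head><body>hello</body></html>'

# Demo run: prints two FAIL lines for the leaky sample.
check_site "$SAMPLE_HOME" "$SAMPLE_PLUGINS" || true
```

The jQuery ?ver=1.3.2 string is the bundled library's version rather than WordPress's own, but since each WordPress release ships a fixed set of bundled versions it identifies the release just as reliably, which is why the script reports it too.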
4. Make Regular Database and File Backups
If disaster does strike, whether it’s a server failure or a hacking incident, it’s always important to have both a database backup and a file backup of your blog and site. If you don’t, and an attacker destroys your database, you may have lost your whole blog. Backing up is simple and only takes a few minutes.
Database Backups
The MySQL database contains almost your entire blog: all your posts, comments, trackbacks, users and settings. If you lose your database without a backup, you have lost almost everything. So backing up your database frequently and regularly is extremely important.
Do it Manually
For those of you who prefer to do things manually rather than with plugins, you can export your SQL database to your computer. The following applies to phpMyAdmin. If your server/host uses a different database management tool, the instructions may differ.
- Browse to your WordPress database (or database containing WordPress)
- Click on the Export tab at the top.
- Select the tables you want to back up (preferably all of them). I recommend you leave
- Check Save as File (towards the bottom) and click Go. You can choose to compress it first, which makes the file significantly smaller.
- It also wouldn’t hurt to back up your posts to an XML file through Tools –> Export in the WP Dashboard.
Plugin Backups
WP-DB-Backup is a simple plugin which allows you to download a copy of your database without having to go into phpMyAdmin (or your SQL Control Panel).
File Backups
Some web hosts automatically back up your files on a schedule, but it is still important to keep a copy on your own system (or on an external drive or flash drive). Simply download your entire public_html folder through FTP. Remember that this copy includes wp-config.php and therefore your database credentials, so store backups somewhere as well protected as the server itself.
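The database and file backups above, done from the shell instead of phpMyAdmin and FTP, as an added example that is not code from the original post. The script reads the database credentials out of wp-config.php so nothing is retyped or stored twice, dumps the database with mysqldump, archives the web root with tar, and prunes old copies. It assumes the MySQL client tools, tar and gzip are installed and that the site's wp-config.php uses the normal define('DB_NAME', '...') lines; the sample wp-config.php it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: a cron-friendly backup script that
# does from the shell what the phpMyAdmin and FTP steps above do by hand.
# Assumptions: MySQL client tools, tar and gzip are installed; the account running
# the script can read the WordPress root; wp-config.php uses the usual define() lines.

# Print the value of define('KEY', 'value') from wp-config.php ($1 = file, $2 = KEY).
# Accepts single or double quotes and ignores commented-out lines.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" \
      | head -n 1
}

# Print the value of $table_prefix = 'wp_'; from wp-config.php ($1 = file).
wp_table_prefix() {
    sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" \
      | head -n 1
}

# Backup file name that sorts chronologically: <label>-<kind>-<YYYYmmdd-HHMMSS>.
backup_name() {
    printf '%s-%s-%s' "$1" "$2" "$3"
}

# Dump the database and the files into $2, keeping 14 days of history. $1 = WP root.
run_backup() {
    root=$1; dest=$2; cfg=$root/wp-config.php
    stamp=$(date +%Y%m%d-%H%M%S)
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    umask 077            # the archives contain wp-config.php and the dump: owner-only
    mkdir -p "$dest"
    # MYSQL_PWD keeps the password out of the process list, where -p"$pass" would show it.
    MYSQL_PWD=$pass mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
        | gzip > "$dest/$(backup_name "$db" db "$stamp").sql.gz"
    tar -czf "$dest/$(backup_name "$db" files "$stamp").tar.gz" \
        -C "$(dirname "$root")" "$(basename "$root")"
    find "$dest" -name "$db-*" -mtime +14 -delete
}

# Constructed sample wp-config.php for the demo; prints the path of the temp file.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
// define('DB_NAME', 'old_db');   // commented out: must be ignored
define('DB_NAME', 'blog_db');
define("DB_USER", "blog_user");
define('DB_PASSWORD', 'c0rrect horse');
define('DB_HOST', 'localhost');
$table_prefix  = 'wp_';
EOF
    printf '%s' "$f"
}

# Usage: ./wp-backup.sh /var/www/example.com /var/backups/wp   (run daily from cron)
if [ $# -eq 2 ]; then run_backup "$1" "$2"; fi
```

The umask and the MYSQL_PWD environment variable matter as much as the dump itself: a world-readable archive or a password visible in ps gives away the same credentials that step 7 below tries to protect.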
5. Change the WordPress Admin Username
By default, the username of the WordPress administrator account is ‘admin’. Attackers trying to brute force the admin account therefore already have half of the credentials. There is no way to change your username from within the User Profile, but you can change it with a plugin or by editing the database directly (the user_login column of the users table). Learn more about how to do this here.
6. Protect your wp-admin directory
Attackers know where your wp-admin directory is, so they often use brute-force attacks, simply guessing your admin password until the correct one comes up and logs them in. There are several methods available to prevent this.
Limit Access to the directory by IP
If you log into WordPress from only one or two locations (and have a static IP), limiting access to wp-admin by IP address is an effective measure. Learn more here. Bear in mind that the login form itself is /wp-login.php in the site root, not inside wp-admin, so restrict that file as well or the brute force continues unhindered; and wp-admin/admin-ajax.php is used by some plugins for ordinary visitors, so test the front end after adding the restriction.
Add a Secondary Password
You can add a second layer by password-protecting the wp-admin folder with HTTP authentication; AskApache can help with this. Of course, a sufficiently determined attacker could brute force this password too, but it does discourage them and slow them down, and every guess now has to get past the web server before it even reaches WordPress. AskApache has numerous other security functions as well.
Login Lockdown
I’ve covered Login Lockdown before. It locks out an IP address for a set period after a certain number of failed logins within a given window, which is very effective against brute force, unless of course the attacker gets the password within the first few tries. If that is the case, your password is far too easy to guess.
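The same failed-login counting that Login Lockdown does inside WordPress, done from the web server's access log instead, as an added example that is not code from the original post or from the plugin. It is useful when no plugin is installed, or as a check on what the plugin has been blocking. The script assumes Apache's combined log format; the log lines embedded in it are constructed for the demo, not taken from a real server.

```shell
#!/bin/sh
# Added example, not code from the original post: finds wp-login.php brute forcing
# in an Apache combined-format access log, i.e. the same thing Login Lockdown counts
# inside WordPress, seen from the web server side. A failed login is a POST to
# /wp-login.php answered with 200 (WordPress re-renders the form); a successful one
# is answered with a 302 redirect into wp-admin. Assumption: combined log format,
# where field 1 is the client IP, 4 the timestamp, 6-7 method and path, 9 the status.
# The log lines below are constructed for the demo, not taken from a real server.

# Read a log on stdin; print "IP minute" once for every IP that reaches $1 failed
# POSTs to /wp-login.php within one clock minute.
brute_force_ips() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 {
            minute = substr($4, 2, 17)        # [12/Mar/2009:10:15:01 -> 12/Mar/2009:10:15
            key = $1 SUBSEP minute
            if (++n[key] == limit) print $1, minute
        }'
}

# Constructed sample: one attacker hammering the form, one real user who mistypes
# once and then logs in (302), plus the wp-admin page load that follows.
SAMPLE_LOG='203.0.113.7 - - [12/Mar/2009:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:16:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2009:10:15:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2009:10:15:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2009:10:15:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2009:10:15:22 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'

# Demo: the attacker trips a limit of 5; the real user does not.
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 5
# To turn the report into .htaccess lines:
#   brute_force_ips 5 < access.log | awk '{print "deny from", $1}' | sort -u
```

Bucketing by clock minute keeps the script to a single pass over the log; a sliding window would need the timestamps parsed, which awk can do but which is rarely worth it for a first alert.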
7. Protect your wp-config.php File
Don’t let your database username and password fall into the wrong hands. Because wp-config.php is a PHP file, the server executes it rather than serving its source, so normal visitors cannot read it; however, a misconfiguration that stops PHP from running, or a stray copy (an editor backup such as wp-config.php~ or wp-config.php.bak) left in the web root, can expose it as plain text. As defence in depth, edit your blog’s root .htaccess file and add the following lines, which tell Apache to refuse every direct request for the file:
# Protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
On Apache 2.4 the order/deny pair is replaced by the single directive Require all denied. Note that the <Files> block matches only that exact filename, so it does nothing for backup copies such as wp-config.php.bak; never leave such copies in the web root. Also, wp-config.php does not have to live in the web root at all: WordPress also looks for it one directory above the installation directory, which keeps it outside the web server’s document root entirely.
8. Set proper File Permissions
Files on a server carry permissions (set with chmod). Permissions that are too loose (such as 777, writable by everyone) let other accounts on a shared server, or any compromised script, modify your files, while permissions that are too tight stop functions such as uploading media and editing themes from working. The usual baseline is 755 for directories, 644 for files, and 600 (or 640, if PHP runs as a different user in your group) for wp-config.php, with write access limited to the directories that genuinely need it, such as wp-content/uploads. A plugin called WP Security Scan can report which files have unsafe permissions. Permissions can be set through an FTP client.
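Applying that baseline and then auditing the result, as an added example that is not code from the original post or from WP Security Scan. The script assumes the files are owned by the account it runs as and that PHP runs as that same account (otherwise wp-config.php needs 640 rather than 600 and uploads must stay writable by the PHP user); the sample tree it builds, with the classic mistakes in it, is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: applies the usual WordPress
# permission baseline (755 directories, 644 files, 600 wp-config.php) and then
# audits the tree for anything another account could still write to. Assumptions:
# the files are owned by the account you run this as, and PHP runs as that same
# account (if PHP runs as a separate user that shares your group, wp-config.php
# needs 640 instead of 600, and wp-content/uploads must stay writable by it).

# Apply the baseline to the WordPress root given as $1.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# List every file or directory under $1 that is group- or world-writable
# (octal 020 = group write bit, 002 = other write bit).
find_group_or_world_writable() {
    find "$1" \( -perm -020 -o -perm -002 \)
}

# Number of entries the audit above reports (0 means clean).
count_writable() {
    find_group_or_world_writable "$1" | wc -l | tr -d ' '
}

# Permission string as ls shows it, e.g. -rw------- (portable across GNU and BSD).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample tree with the classic mistakes; prints the temp directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/akismet"
    printf '<?php\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-content/plugins/akismet/akismet.php"
    printf 'jpeg' > "$d/wp-content/uploads/image.jpg"
    chmod 777 "$d/wp-content/uploads"                      # "just make uploads work"
    chmod 666 "$d/wp-config.php"                           # credentials writable by everyone
    chmod 664 "$d/wp-content/plugins/akismet/akismet.php"  # group-writable plugin code
    printf '%s' "$d"
}

# Demo run: show the offenders, fix them, confirm the tree is clean.
demo() {
    root=$(make_sample_tree)
    printf 'before:\n'; find_group_or_world_writable "$root"
    harden_perms "$root"
    printf 'after: %s writable entries\n' "$(count_writable "$root")"
    rm -rf "$root"
}
demo
```

Run the audit function on its own from cron: a file that turns group- or world-writable after the baseline was applied is usually a plugin install, a careless FTP client, or a compromise, and all three are worth a look.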
9. Change Your Database Prefix from the Default wp_
By default, the WordPress table prefix is wp_, so attackers writing SQL injection payloads assume table names such as wp_users. Changing the prefix makes canned or blind injection payloads fail, though it does not fix the underlying injection bug, so treat it as one extra hurdle rather than a cure. WP Security Scan can perform this change for you. If you prefer to do it yourself, these instructions apply to phpMyAdmin (your site will be down during this process and will probably show the ‘Welcome to the famous 5-minute WordPress installation’ page while the tables are missing):
- Browse to your WordPress database (or database containing WordPress).
- Click on the Export tab at the top.
- Select the tables you want to back up (preferably all of them). I recommend you leave
- Check Save as File (towards the bottom) and Go. You can choose to compress it first which allows the file size to be significantly smaller.
- Important: Save a second copy of the file under another name as a backup just in case something goes wrong.
- Open the SQL file with a text editor that has Find and Replace (not a word processor) like Notepad++.
- Use Find and Replace to change every occurrence of your current prefix (wp_ by default) to a new one made of letters, digits and underscores, ending in an underscore (for example a random prefix such as x7k_). This global replacement is also what renames the prefixed rows WordPress keeps inside the data (the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys); without those, nobody, including you, would keep their role after the change. Be aware that the same replacement also hits any wp_ that happens to appear inside post content or serialized settings, so check the dump for unrelated matches before importing.
- Return to phpMyAdmin and the WordPress database.
- Select all the tables and click the X (Drop) icon to drop them.
- Go to the Import tab and upload the edited SQL file.
- Download your wp-config.php file, edit the $table_prefix line to reflect your change, and upload it back.
If you don’t know what you’re doing or aren’t comfortable with this, please use a plugin instead. Always back up your database before performing these tasks, and keep the original dump until you have confirmed that the site works and that you can still log in with your roles intact.
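The same prefix change done on the live database rather than by editing a dump, as an added example that is not code from the original post or from WP Security Scan. The script emits the SQL: one RENAME TABLE statement that moves every table atomically, followed by the two UPDATEs that rewrite the rows WordPress keys by prefix inside the data (the user_roles option and the capabilities and user_level user meta keys). It assumes MySQL or MariaDB and that you pass it the table list from SHOW TABLES; the table names in the demo call are constructed, and the x7k_ prefix is just an illustrative value.

```shell
#!/bin/sh
# Added example, not code from the original post: generates the SQL for switching
# the table prefix on a live database, as an alternative to the dump/edit/re-import
# steps above. One RENAME TABLE statement moves every table atomically, and the
# two UPDATEs rewrite the rows WordPress keys by prefix inside the data:
# <prefix>user_roles in the options table and <prefix>capabilities / <prefix>user_level
# in usermeta. Without those updates every account, yours included, loses its role.
# Assumptions: MySQL or MariaDB; the table list comes from `mysql -N -e 'SHOW TABLES' db`
# (passed here as arguments); run the output inside a maintenance window with a fresh
# backup, then set $table_prefix in wp-config.php to the new value.

# Usage: gen_prefix_sql OLD_PREFIX NEW_PREFIX table ...   -> SQL on stdout
gen_prefix_sql() {
    old=$1; new=$2; shift 2
    case $new in
        ''|*[!A-Za-z0-9_]*)   # only identifier characters are safe to splice into SQL
            printf 'refusing prefix %s: use letters, digits and underscores only\n' "$new" >&2
            return 1 ;;
    esac
    pairs=''
    for t in "$@"; do
        case $t in
            "$old"*)
                suffix=${t#"$old"}
                pair=$(printf '`%s` TO `%s%s`' "$t" "$new" "$suffix")
                pairs="${pairs:+$pairs, }$pair" ;;
            *)
                printf '%s\n' "-- skipped $t: does not start with $old" ;;
        esac
    done
    if [ -n "$pairs" ]; then printf 'RENAME TABLE %s;\n' "$pairs"; fi
    len=${#old}; from=$((len + 1))
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE LEFT(option_name, %d) = '%s';\n" \
        "$new" "$new" "$from" "$len" "$old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE LEFT(meta_key, %d) = '%s';\n" \
        "$new" "$new" "$from" "$len" "$old"
}

# Demo with a constructed table list (a real run would use SHOW TABLES):
#   gen_prefix_sql wp_ x7k_ $(mysql -N -e 'SHOW TABLES' blog_db) | mysql blog_db
gen_prefix_sql wp_ x7k_ wp_posts wp_options wp_usermeta wp_users
```

The two UPDATEs use LEFT() rather than LIKE 'wp_%' on purpose: in a LIKE pattern the underscore is a single-character wildcard, so 'wp_%' would also match option names that merely start with wp followed by any character.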
10. Use a Strong Password
As always, use a strong password. Don’t worry about forgetting it, since you can reset it via your email address. Use a password manager such as KeePass or LastPass, both of which also include a password generator.
Additional Tips
There are many more plugins that can help with WordPress security, such as AntiVirus, which scans your database and theme templates daily for suspicious code (including the so-called permalink backdoor) and sends an email if it suspects something. Always keep anti-spam protection switched on, such as Akismet, which is created by Automattic and ships with WordPress. These tips will greatly improve your WordPress installation’s security, but there is no perfect solution. Always upgrade to the latest version as soon as possible. Spend a while hardening your blog now, before disaster strikes. Happy Blogging!