Recently, some high-profile blogs running WordPress have been hacked or hijacked by malicious users (e.g., TechCrunch). The worst part is having to recover from such an event: you not only have to repair your site, but also your reputation. So, spending a little time trying to prevent a takeover, or at least making it more difficult for a hacker to take over your WordPress blog, is time worth investing.
I have had my fair share of my blogs (both work and personal) getting attacked (denial of service attack, hidden iFrames in my code, SQL injections and my server repeatedly being hit with brute force SSH login attempts from overseas). I have learned a lot from over 5 years of blogging, however I am by far no expert in the security field. But, what I can do is provide a growing list of tricks and tips as well as plugs that you can use to make your WordPress blog a bit more secure. This is not an exhaustive list nor have I personally implemented everything that is on here. I simply wanted to provide a list of items that you can do that may make your blog a bit more difficult to crack. Some security is better than no security, in my opinion. If a bot or hacker spends too much time trying to get in, they will hopefully move on to find something different and easier.
A Word of Warning: Do note, having many plugins running will degrade the performance of your WordPress blog. Some of the plugins run only on demand while others are present and running all of the time, so your mileage may vary. Also, some of these plugins might not work well together. Lastly, a few of the items below require you to have SSH access to your WordPress environment or server. You may have restrictions in place by your hosting provider as well.
The List of WordPress Blog Security Measures
- Do Regular Backups – back up not only your database regularly, but also be sure to take a full copy of your entire WordPress directory. A great WP database backup plugin is “WP-DBManager”. What I do is run a DB backup and then do a complete file backup; since the DB backup is stored inside your WP directory, it gets copied along when you download the files.
- Scan Your Files for Oddities – I wrote a post on how you can scan a local copy of your WordPress files to find code injections or iFrames. There are also some plugins that can help with that, like “WordPress Exploit Scanner” or “AntiVirus”.
- Change Your Password – make it something difficult to figure out. Don’t use numbers in place of letters because everybody does that. Use special characters.
- Rename Your Admin User – there are a couple of ways to do this. You can run some MySQL commands, or you can use a plugin to do it for you. Either go into a MySQL manager like phpMyAdmin and rename the user “admin” to something else, or run a command like:
[sourcecode language="sql"]update tableprefix_users set user_login='newuser' where user_login='admin';[/sourcecode]
where “newuser” is the new name for your old admin user and “tableprefix_” is your table prefix (“wp_” by default). I personally used “Admin Renamer Extended”, which worked great. Basically, since all blogs come with an “admin” user, a bot or hacker will start testing against that name.
- Keep WordPress Current – this is a lot easier to do now with the built-in automatic upgrading utility. There are other plugins that help as well, including “WordPress Automatic Upgrade”.
- Keep Plugins Current – 3rd party developers frequently update their plugins to fix holes or bugs. Be sure to stay on top of those.
- Eliminate Unnecessary Plugins – plugins are security holes in themselves. Your best bet is to minimize your risk by not having a bunch installed, or, at minimum, keeping the ones you don’t really need disabled.
- Rename your WordPress Database Tables – I actually did this with the use of a plugin called “WP Security Scan” (which has a bunch of other great functions built into it, like permission checking, version hiding and WP admin protection). NOTE: be sure that you back up your DB. Also, before you do this, be sure that you have access to your MySQL db, because, while the plugin got most things, I had to go into the “wp_usermeta” table and manually make some changes there. I had been locked out of my WP Admin section because of some user role issues. Another plugin (which I haven’t tried) is SEOEgghead’s “WordPress Table Prefix Rename Plugin”. There are some manual steps available as well.
- Use SSH instead of FTP – or use SFTP if you like having a GUI for your file management. SSH is a bit more secure (another topic completely) and will let you shut down the FTP service and port (something you should do).
- Hide the Contents of your Plugins Folder – There are a few ways you can do this. The easiest is to create a blank document called “index.html” within your plugins directory.
- Don’t Let Search Engines Index your WordPress Folders – Create a “robots.txt” file and include the following line: Disallow: /wp-*
- Protect Your Login Page – there are some plugins that let you move the location of your WP-Admin section. However, you can also protect the actual login page against “brute-force” attacks, where an automated bot tries a variety of usernames and passwords in an attempt to log in. “Login Lockdown” allows you to configure how many attempts can be made and then blocks repeated attempts from that address. You can also “encrypt” your password when you are logging in by using “Chap Secure Login”.
- Move Your wp-config.php File Up a Level – you can safely move your wp-config.php file to the directory above your WordPress directory. This makes it just a bit harder to discover the MySQL credentials contained in that file.
- Make your Directories Not Browsable – when you go to a directory like /wp-content/uploads/, do you see a listing of files and directories? If you do, you should turn off indexing. To do that, simply add “Options -Indexes” or “Options All -Indexes” to the .htaccess file in your site’s root directory.
- Monitor Changes to Files within your Blog – there is a cool plugin called “WordPress File Monitor” that takes a snapshot (either of creation dates/times or of MD5 hashes) of your blog’s current files & directories. Then, if these files change, you can receive an email notification and an admin dashboard notification (be sure to exclude your cache & upload directories for starters).
- Check Your Permissions – unfortunately, this is a tricky topic and varies from server to server. Generally, you want to really restrict who has access to your files on your server. For shared hosting, these are already configured for you. For others, you should probably restrict items to 755 (directories) or 644 (files). You can start by looking at some permission recommendations right on WordPress.org.
- Install a WordPress Firewall – I tested this plugin a while ago and it produced some interesting results (some false positives, for example). But, it looks like a pretty useful plugin: WordPress Firewall Plugin from SEOEgghead.
- Lock Down phpMyAdmin – if you have self installed phpMyAdmin (a popular web-based MySQL management tool), be sure that you keep it current and secure it. One of my blogs was hacked because of an old install of phpMyAdmin that wasn’t secured.
- Hide Your WordPress Version – if the version of your WordPress blog is out in the open, a hacker can use that information to know what exploits or vulnerabilities exist for that particular version. You can manually hide this information yourself by searching your theme’s header file for this line and deleting it:
[sourcecode language="php"]<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /> <!-- leave this for stats -->[/sourcecode]
or use the plugin “Secure WordPress” (which has a lot of good features) to disable that.
- Scan Your WordPress Blog for Vulnerabilities – using the “WP-Scanner” plugin, you can scan your WordPress blog for vulnerabilities. (Note: as of this writing, the scanner was offline.)
- BONUS: Perishable Press 4G Blacklist – I just recently discovered this “firewall” that supposedly protects your server against various malicious activity. You can read up on it here. It looks fairly interesting and I’m testing it.
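The file-change monitoring and the permission check from the list above can both be done from an SSH shell without a plugin. The script below is an added example, not code from the original post or from any of the plugins it names; it assumes a Linux host with `find`, `md5sum` and `diff`, and the WordPress directory and baseline file paths you pass to it are your own.

```shell
#!/bin/sh
# Added example: MD5 snapshot of a WordPress tree plus a permission audit.
# Assumes GNU/Linux userland (find, md5sum, diff, mktemp); paths are yours.

# Hash every file under $1, skipping the cache and uploads trees (the two
# directories the post says to exclude first), as sorted "hash  path" lines.
wp_snapshot() {
    ( cd "$1" && find . -type f \
        ! -path './wp-content/cache/*' \
        ! -path './wp-content/uploads/*' \
        -exec md5sum {} + | sort -k2 )
}

# Compare the live tree ($1) against a saved baseline ($2).
# Returns 0 when nothing differs, 1 otherwise, printing the differing paths:
# "<" lines are baseline entries (removed or old hash), ">" are live entries.
wp_check() {
    dir=$1; baseline=$2
    current=$(mktemp)
    wp_snapshot "$dir" > "$current"
    if diff "$baseline" "$current" > /dev/null; then
        status=0
    else
        status=1
        echo "Files changed since baseline:"
        diff "$baseline" "$current" | grep '^[<>]' | awk '{print $1, $3}'
    fi
    rm -f "$current"
    return "$status"
}

# List anything that is not 644 (files) or 755 (directories) under $1.
wp_perm_audit() {
    find "$1" -type f ! -perm 644 -print
    find "$1" -type d ! -perm 755 -print
}

# Typical use: "wp_snapshot /var/www/blog > baseline.md5" once, then
# "wp_check /var/www/blog baseline.md5" and "wp_perm_audit /var/www/blog"
# from cron, mailing the output to yourself when it is non-empty.
```

Regenerate the baseline after every deliberate WordPress, plugin or theme update, otherwise the next check will report all of the upgraded files.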
List of Useful Plugins
Below is a list of the plugins mentioned in the items above. These are direct links to their pages on WordPress.org, or to their own site if they are not hosted on WP.
- Admin Renamer Extended
- WordPress Automatic Upgrade
- WP Security Scan
- Login Lockdown
- Chap Secure Login
- WordPress Exploit Scanner
- WordPress File Monitor
- WordPress Table Prefix Rename Plugin
- WordPress Firewall Plugin
- Secure WordPress
Other Resources & Ideas
Of course, many people have written about how to harden or secure your WordPress installation or the server where it resides. Some things you might want to read or consider are:
- WordPress.org – WordPress actually has a (vague) article on hardening your WordPress install. There are some good points, but the simple fact that they admit there are things you should do to make it more secure is a bit scary.
- SSH Login Lockouts – take a look at SSHGuard or Fail2Ban, which watch for repeated unauthorized SSH login attempts on your server and ban the offending addresses in your firewall.
- SSH Key Authentication – instead of using passwords to login to your server, do it with Keys.
- Set Up Monitoring – be sure that you monitor your server for uptime. You might be able to see a hack in process (strange activity or increased traffic) and stop it from completing.
- Knockd – you can set up a sort of cool “knock knock” pattern (a sequence of connection attempts to particular ports, e.g. via telnet) that signals your server to open up your SSH port. Great idea, and you can get more info here.
I’m sure that everyone has their own tips and tricks to make their blog a bit more secure. I would love to hear about them (and possibly implement). Over time, WordPress will get more secure as will plugins (hopefully). The best thing to do is to keep everything current and pay close attention to what the blogosphere is saying.
Note: I can provide answers to questions about the items mentioned above, but I am by far no expert. You should try to contact the authors of the plugins for questions specific to those items.
Have I left anything out? If you have a great security plugin or security technique designed to harden a WordPress server, please let me know.
HTD says: Leave a comment if you have been hacked or have some suggestions to add to this list.