Securing Wordpress

**tombiz** · Dec 5, 2008, 21:09

When you Google "how to secure wordpress" you get a plenty of results. However, what are the most important things that I can do to secure my blog?

Thanks.

**Mittineague** · Dec 5, 2008, 21:38

I'd say the single most important thing is to always keep your blog updated to the latest version.

Being open-source, vulnerabilities, once known, can be easily found by the skiddies. Stay a step ahead of them and the odds are in your favor.

**tombiz** · Dec 5, 2008, 21:45

I am already on top of that. Anything else? Based on the reading that I've done, its recommended securing of the .htaccess file.

**Mittineague** · Dec 5, 2008, 22:17

Having sercure permission settings is important, and yes, the htaccess file shouldn't be HTTP accessible. Another thing you could do is NOT use the default "wp" prefix.

**tombiz** · Dec 5, 2008, 22:27

How do I make sure that "the .htaccess file is not HTTP accessible" ?

**Dan Schulz** · Dec 5, 2008, 23:07

The best way to do it would be to put a two letter combination other than wp into the config.php file before you install WordPress. That way it will set up the database using that prefix instead of the default wp. I've got a few links that show how to secure WordPress laying around. I'll see if I can find them for you.

**tombiz** · Dec 5, 2008, 23:46

Is it possible to change the prefix once the blog is already live? Like mine.

**Dan Schulz** · Dec 6, 2008, 00:26

I think so. You'd have to update your config.php file afteword though.

**felgall** · Dec 6, 2008, 00:32

Rename all the tables in the database and change the value in the config.php file. The first of these would be most easily done via phpMyAdmin selecting each table in turn then going to the operations tab, type the new prefix in place of wp_ in the "rename to" field and press the Go button, then repeat for the next table.

Alternatively you need to type in to the SQL tab (substituting your chosen prefix for each spot where I have put blog_)

Code:

RENAME TABLE wp_comments TO blog_comments;
RENAME TABLE wp_links TO blog_links;
RENAME TABLE wp_options TO blog_options;
RENAME TABLE wp_postmeta TO blog_postmeta;
RENAME TABLE wp_posts TO blog_posts;
RENAME TABLE wp_terms TO blog_terms;
RENAME TABLE wp_term_relationships TO blog_term_relationships;
RENAME TABLE wp_term_taxonomy TO blog_term_taxonomy;
RENAME TABLE wp_usermeta TO blog_usermeta;
RENAME TABLE wp_users TO blog_users;

**tombiz** · Dec 6, 2008, 00:34

I have the WP Security Scan plugin installed. It allows me to change the prefix. If I use the plugin's option to change the prefix, will I still need to update the config.php file?

**Dan Schulz** · Dec 6, 2008, 00:39

I'm pretty sure you would, yes.

**tombiz** · Dec 6, 2008, 00:47

I tried using the WP Security Scan plugin to change the prefix but I get the following message when I enter the new prefix and click the START RENAMING button.

Your User which is used to access your Wordpress Tables/Database, hasn't enough rights( is missing ALTER-right) to alter your Tablestructure. Please visit the plugin documentation for more information. If you believe you have alter rights, please contact the plugin author for assistance.

What do I need to change? I am the admin.

**felgall** · Dec 6, 2008, 01:18

You will need to use a user login that has alter rights to be able to run that option. You may want to give the user that WordPress uses alter rights temporarily in order to run that command and then remove the alter rights again as that user would not normally need alter rights except to make that change.

**tombiz** · Dec 6, 2008, 01:42

Can I create a second user account for myself with admin rights to accomplish this?

**Dan Schulz** · Dec 6, 2008, 01:58

Yes, you can. In fact, I'd also make that user the administrator and leave it - then delete the admin account name afterword (assigning everything to the new user).

**tombiz** · Dec 6, 2008, 02:09

Dan,

What else do you recommend to secure a wordpress blog? There are many options that come up on Google, but which are the top 3?

**Dan Schulz** · Dec 6, 2008, 10:33

Still going through my bookmarks. I've got hundreds of them on WordPress alone, so it's taking some time - despite being organized better than the Dewey decimal system.

**Mittineague** · Dec 6, 2008, 11:18

Regarding the htaccess file check to see that it has

RewriteEngine on
Options +FollowSymlinks

and

Code:

RewriteRule ^\.htaccess$ - [F]

it's also a good idea to have

Code:

Options -Indexes

The "on" is needed for the "rules" to work.
The "symlinks" is for rewritten URL links.
The "[F]" flags HTTP requests for ".htaccess" as Forbidden.
Although folders can have a "dummy index" file so that HTTP requests like
.../wp-content/plugins/
won't show Apache's default directory content list, the "-Indexes" works for folders without one.

Also, you can remove the readme.html file. It contains the WordPress version number. Of course the version also shows other places too, and it's not that important if you keep the blog up to date, but I have had HTTP requests for it in my logs.

I realize some measures are "security by obscurity" which really isn't security at all. But the more difficult you make things for the skiddies the more likely they'll go elsewhere.