WordPress is one of the most dangerous pieces of web software you can install on your server. A hacker can cause real havoc accessing your WordPress administrator account. Believe me, I know from firsthand experience!While hackers or spammers can maliciously delete or change content, the worst ones won’t. They’re more likely to sneak a few links into your content, or place phishing sites deep within your file structure. You’ll only know your site’s been compromised when Google, PayPal, or a bank contacts you.Changing your password isn’t enough, either. The first thing a hacker will do is install a file-browsing plugin. This will enable them to upload systems that could create additional WordPress administrator accounts or place further phishing pages on your site.
Installing for the first time?
If you’re embarking on a new WordPress installation, there are several steps you can take that provide additional security from day one.1. Use strong MySQL database namesI’d recommend using a new database for every WordPress installation. Just because WordPress can install tables within an existing database, doesn’t mean you should!Strong IDs and passwords are essential: avoid naming your database “wordpress” with a user ID of “user” and a password of “password.” You’re only likely to set these once, so they can be as complex as you like. If you forget them, you can check the details in
wp-config.php.Finally, remember to back up your database regularly. Automate the process so it’s impossible to forget.2. Set a custom table prefixBy default, WordPress uses a table prefix of
wp_users, and so on. Change the prefix so that it becomes more difficult to run SQL injection queries and similar attacks.
You can add further security walls following a successful installation.3. Lock down
wp-config.php contains vital information about your installation and only you should have access. The following entry in your root’s
.htaccess file should prevent unauthorized copying:
<files wp-config.php> order deny,allow deny from all</files>
4. Avoid using the default “admin” IDPrior to version 3, WordPress set the ID of the first administrator account to “admin.” The version 3 installer gives you the option to change it, but I suspect many who updated from earlier editions never did.If a hacker knows your ID is “admin,” all they have to do is guess the password. It’s easy to define a new administrator account and then delete “admin” from the Users section. Remember to use a strong password too.5. Restrict access to your IP addressIf you only have a few WordPress users accessing the administration panels, you can restrict access to those IP addresses. If you’re using Apache, create an
.htaccess file in
wp-admin with the following code:
order deny, allowallow from 188.8.131.52 # user 1 IPallow from 184.108.40.206 # user 2 IP, etcdeny from all
Similar conditions can be configured for IIS.Note that you can’t use this method if you have a dynamic IP address; however, you could implement an extra level of basic server password authentication if necessary.6. Remove WordPress references from your themeA hacker will only try to hack WordPress if they know you’re using it. You can remove all references to the CMS and its version number within the theme files; for example, most
header.php files contain code such as:
<meta name="generator" content="WordPress" />
Removing these references will fail to stop a hardened hacker, but it will make it less obvious to script kiddies.7. Update regularlyIf you’re still using WordPress 1.5, perhaps it’s time for an upgrade. Newer versions fix many of the publicized exploits and, by using the latest edition, you know hackers have had less time to hone their skills.8. Install good security plugins …The WordPress site has a collection of security plugins with useful descriptions and reviews from other users. The WP Security Scan plugin scans your WordPress installation for vulnerabilities and suggests security fixes.9. … but be careful what you installThe Web is awash with great and not-so-great free WordPress plugins and themes. Any of them could contain malicious code, handing over the driving keys to your installation. Be careful and, where possible, test code locally before deploying it to your live server.
10. I’ve been hacked! What do I do?
If you’ve received an email alerting you to phishing content on your site, I’d recommend the following course of action:
- Change all your site passwords, such as FTP, cPanel, SSH, and so on.
- If you have no recent database backup, export your articles to a WordPress XML file. Double-check it for any PHP code or unexpected content.
- Make a note of any plugins or settings you’re using.
- If absolutely necessary, download resource files such as images or videos, but check each one to ensure it’s what you expect.
- Wipe your files and database from your website. That’s all of them—not just the WordPress folders.
- Return to the top of this page and do a fresh reinstallation.
I bet you wish you’d secured WordPress earlier!Do you have any tips for improving WordPress security? Do you have any hacker scare stories?
If you want to read more from Craig, subscribe to our weekly tech geek newsletter, Tech Times.