There’s no disputing the popularity of WordPress, which powers more than 74.6m sites around the world, with 48% of Technorati’s top 100 blogs being managed by the platform. Online, though, anything that’s popular is more exposed to attack, and WordPress is no exception. However, the types of attack that tend to hit WordPress sites – unless you’re a big brand – are generally carried out by people without a huge amount of technical know-how. These are often referred to as ‘script kiddies’, as they rely on common code, techniques and kits to hack target sites.
The good news is that such attacks can often be dealt with quickly and easily. Better still, you need never get to the stage where an attack does damage, as most can be prevented in the first place. So today we’ll be looking at how you can secure your installation and avoid common hacks.
Start with the Server
Before you think about securing your site itself, start from the ground up: make sure that the server hosting it is secure in the first place. Starting with the basics, choose a host based on security and reputation, not on price. Whilst I’m sure there are some decent cheap hosts out there, for the most part hosting that costs you $2 per month is not going to cut the mustard.
Most of the managed WordPress hosting services have a reputation for secure hosting. They don’t all allow some performance-related plugins though, so you should check first to see exactly what access and level of control you have.
Applying an automatic update in WordPress is evil. Let’s say that I build a site for a customer with a specific plugin (usually we use more than 5 plugins). The next time that WordPress updates, it could break the functionality of some (or all) plugins. That is without counting the template of the site.
Hey @ProfesorJorge. Thanks for the response! Given the nature of this post (high security), I disagree that it’s evil. However, in terms of making sure functionality doesn’t break (especially when using multiple third-party plugins that you don’t control), applying an automatic update is evil.
Everything requires balance though, and every person’s case is different. There may be some scenarios where applying an automatic update is an effective - even enforced - security measure.
You can also put your wp-config.php file one level above the root directory. It will be accessible to WordPress itself but not to others, unless WordPress is installed in a sub-directory.
Avoid using the wp_ prefix for WordPress tables, and avoid using the admin username, just as this article says.
There is a plugin, “All In One WP Security & Firewall”, that can do many of these things for you. But be cautious about using it. If you know what you are doing, you can tighten your security further with this plugin.
I just translated the slides from my WordCamp talk into English (it is the first version of the translation, so there may be many grammar mistakes). You can find many security tips there.
@picwellwisher12pk I don’t like to move wp-config up. This action prevents information disclosure when the server stops interpreting PHP code and shows the source code instead. There was a bug in Plesk years ago that allowed the source code to be shown; this is the origin of this technique. If you move wp-config up, you need to allow scripts to access directories outside the web root. It may pose a greater risk.
Changing the wp_ prefix is good advice, but it only protects against simple bots and script kiddies. If SQL injection is possible, you can get the correct prefix easily. Good practice is to block queries containing “union” and other suspicious SQL commands.
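To illustrate the point made above about table prefixes, here is an added example (not code from the article or from the commenter): a toy WordPress-style schema with a non-default prefix, one query built by string concatenation, and the same query with a bound parameter. sqlite3 stands in for MySQL, so the catalog table is sqlite_master where MySQL would use information_schema.tables; the prefix value, the table layout and the looks_like_sqli keyword filter are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed demo: sqlite3 stands in for MySQL. sqlite_master plays the role
# that information_schema.tables plays in MySQL. The prefix below stands in for
# a site owner's randomised replacement of the default wp_.
PREFIX = "x9f3a1c_"


def make_db(prefix: str) -> sqlite3.Connection:
    """Build an in-memory schema shaped like a WordPress install (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {prefix}posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute(f"CREATE TABLE {prefix}users (id INTEGER PRIMARY KEY, user_login TEXT)")
    conn.execute(f"INSERT INTO {prefix}posts VALUES (1, 'Hello world')")
    conn.execute(f"INSERT INTO {prefix}users VALUES (1, 'admin')")
    conn.commit()
    return conn


def post_title_vulnerable(conn: sqlite3.Connection, prefix: str, post_id: str) -> list:
    """Request input is pasted into the SQL text: classic injection."""
    sql = f"SELECT title FROM {prefix}posts WHERE id = {post_id}"
    return [row[0] for row in conn.execute(sql)]


def post_title_safe(conn: sqlite3.Connection, prefix: str, post_id: str) -> list:
    """The prefix comes from configuration, never from the request; the id is a bound parameter."""
    sql = f"SELECT title FROM {prefix}posts WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (post_id,))]


# Payload that asks the database catalog for the real users table, whatever
# the prefix is. In MySQL the equivalent reads information_schema.tables.
PREFIX_DISCOVERY = (
    "0 UNION SELECT name FROM sqlite_master "
    "WHERE type = 'table' AND name LIKE '%users'"
)

# The keyword check the comment suggests, as a case-insensitive heuristic.
SUSPICIOUS_SQL = re.compile(
    r"\b(union|select|information_schema|sqlite_master)\b", re.IGNORECASE
)


def looks_like_sqli(value: str) -> bool:
    """True when a request value contains an SQL keyword that has no business in a post id."""
    return SUSPICIOUS_SQL.search(value) is not None


def demo() -> tuple:
    """Run the same payload against both query styles and return (leaked, blocked)."""
    conn = make_db(PREFIX)
    leaked = post_title_vulnerable(conn, PREFIX, PREFIX_DISCOVERY)
    blocked = post_title_safe(conn, PREFIX, PREFIX_DISCOVERY)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("concatenated query leaked:", leaked)        # ['x9f3a1c_users']
    print("parameterised query returned:", blocked)    # []
    print("payload flagged by keyword filter:", looks_like_sqli(PREFIX_DISCOVERY))  # True
```

The concatenated query returns the real users table name no matter what the prefix is, which is why renaming tables only stops tooling that assumes wp_. With the bound parameter the payload never becomes SQL, so the same input simply matches no row. The keyword filter is the kind of check the comment suggests; it is a heuristic that belongs in a WAF layer in front of the application, not a substitute for parameterised queries.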
Awesome advice @smitka. And thanks for translating your presentation and sharing it here. There’s a lot of good WP security advice in it. I really love slides 13 and 15 and how you point out the misordering of priorities in relation to business impacts.
Hi, the tutorial on wpbeginner looks very good. Pay attention to the “Admin Ajax Issue” section to allow admin-ajax.php. Some plugins also use the admin-post.php file.
There are three very good plugins:
WordFence
iThemes Security
All in one WP security and firewall
My favourite one is WordFence. It has some interesting features:
Limiting (not blocking) some traffic
Notification when plugins/themes update available
File change detection with possibility to roll back changes
On the other hand, iThemes provides pretty good URL filtering and has the ability to change the wp-admin slug.
I really like the combination of WordFence + some .htaccess rules generated from iThemes Security + rules to block queries containing “wp-config.php” and to block harvesting of user names.
I usually don’t use security plugins on my own servers - I block login and scanning attempts with fail2ban and use a WAF (naxsi) to enhance overall security (but it is quite hard to maintain the rules).
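As an added example (not the commenter’s fail2ban or naxsi configuration, and not code from the article), the script below applies the same ideas to a handful of constructed access-log lines: repeated failed logins to wp-login.php from one address, an ?author=N user-enumeration probe, and a request for a wp-config.php backup. The combined log format, the thresholds, and the assumption that WordPress answers a failed login with a 200 and a successful one with a 302 redirect are assumptions of this example; the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format. Assumption of this example; adjust the
# regex if your server logs a different layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_THRESHOLD = 5                   # this many failed logins ...
LOGIN_WINDOW = timedelta(minutes=10)  # ... inside this window trips the rule

# Constructed sample traffic (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3576 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3576 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3576 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3576 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3576 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2015:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.5"
198.51.100.23 - - [10/Mar/2015:10:01:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 210 "-" "python-requests/2.5"
192.0.2.44 - - [10/Mar/2015:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2015:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2015:10:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 54 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Split one combined-format line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def classify(req: dict):
    """Tag a single request as suspicious, or return None for ordinary traffic."""
    url = urlsplit(req["path"])
    qs = parse_qs(url.query)
    if "wp-config.php" in url.path:
        # Nobody fetches wp-config.php (or a .bak / ~ copy) legitimately over HTTP.
        return "wp-config-probe"
    if url.path in ("", "/") and "author" in qs:
        # /?author=N redirects to /author/<login>/ and so leaks user names.
        return "user-enumeration"
    if url.path.startswith("/wp-json/wp/v2/users"):
        return "user-enumeration"
    if url.path.endswith("/wp-login.php") and req["method"] == "POST" and req["status"] == 200:
        # Assumption: WordPress re-renders the form (200) on a failed login and
        # redirects (302) on success.
        return "failed-login"
    return None


def analyze(lines):
    """Return {ip: [tags]} for clients that tripped a rule; single failed logins alone do not."""
    findings = defaultdict(set)
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        tag = classify(req)
        if tag is None:
            continue
        if tag == "failed-login":
            window = recent_failures[req["ip"]]
            window.append(req["ts"])
            while window and req["ts"] - window[0] > LOGIN_WINDOW:
                window.popleft()          # sliding window, like fail2ban's findtime
            if len(window) >= LOGIN_THRESHOLD:
                findings[req["ip"]].add("login-bruteforce")
        else:
            findings[req["ip"]].add(tag)
    return {ip: sorted(tags) for ip, tags in findings.items()}


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, tags)
```

The third client, which logs in successfully and then calls admin-ajax.php, is not flagged: as noted earlier in the thread, admin-ajax.php (and admin-post.php) must stay reachable for plugins to work, so blocking rules should key on behaviour such as repeated failures or requests no legitimate visitor makes, rather than on paths that normal traffic uses. In production the same logic lives in a fail2ban filter plus jail, or in WAF rules, rather than in a script run after the fact.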
Hi @AmitMojumder – security is a very broad topic. If there’s ever anything in particular you’d like to see on the WordPress channel, let me know and I’ll feed it back to the authors
@mginop thanks for the heads up, I’ve fixed the smart quotes!