WordPress
Article

More Tips to Further Secure WordPress

By Elio Qoshi

WordPress has often been seen as the unofficial scapegoat to blame various security breaches on. Like many other popular web applications, WordPress is an attractive target for attack. Obviously, the security in WordPress, as with any application, needs to be put into context. Luckily, WordPress benefits from a wide variety of security configuration options and third party plugins to help satisfy those who are looking to increase their overall security.

In this article, I’m going to add to Tim Carr’s 10 Tips to Secure WordPress with even more ways you can help secure your site, starting prior to the WordPress installation.

WordPress Security

Clean Your Computer

Before starting the WordPress installation, be sure that your computer is malware/virus free. It might sound obvious, but it’s critical that your system is free of malware and in a trusted state.

If your computer is infected, every security related measure of yours could be futile. It is suggested to protect your systems with antivirus, to keep all the malware and viruses at bay.

Install WordPress in Another Directory

The WordPress core files can happily exist in another location, other than the root directory. This technique is often debated, so your mileage may vary. Scanners and attackers can still find out where WordPress lives, however we thought it’s worth mentioning since the topic does come up often.

Even if this doesn’t directly provide additional security, it will definitely help keep your server organized which is also very important.

For example, if your site has the domain www.example.com, it would be preferable to install WordPress in something like www.example.com/directory.

The next step is to copy the index.php and .htaccess files to the root directory. If the .htaccess file is invisible, you have to make hidden files visible in your FTP/SFTP/SCP software or in your cPanel File Manager.

Don’t worry about the error you’ll now get if you browse to your site. Go to index.php and modify following:

require(‘/wp-blog-header.php’);
to
require(‘/directory/wp-blog-header.php’);

Now your login URL will be www.example.com/directoy/wp-admin.

After installation, you should go to your WordPress settings in the admin panel and change the WordPress URL, so that it points at www.example.com/directory and blog URL www.example.com.

Change the Database Prefix

By default, WordPress creates the database with tables prefixed in wp_. The thinking is that spammers and hackers that are using automated tools know your database structure. Having a default database prefix makes their life much easier. This is another topic of debate, however as with installing WordPress in another directory, it’s a question that comes up frequently.

During wp-config.php configuration in the installation process, change the table prefix to something random and unique like wp_Df3R_.

To organize your tables in a more efficient way, start the prefix with wp_ and end it with _. You may use numbers, letters, and underscores.

Secure wp-config.php

As the most important file in WordPress, it stores valuable information like database, username, password and authentication keys, nobody should have direct access to wp-config.php.

As mentioned above, we can store wp-config.php outside of the root folder. Now we’ll add an additional layer of security to it.

To deny access to this file, you should add the code below at the top of the .htaccess file:

<files wp-config.php>
    order allow,deny
    deny from all
    </files>

This file shouldn’t be modifiable or writable by others. To prevent other users from reading it, the file permission should be 440 or 400, however you should consult your host to check this.

Remove the WordPress Version Number

Sometimes leaving the WordPress version number can be a security risk, especially if WordPress isn’t updated regularly. Of course, we strongly recommend regular updates, as with performing other regular WordPress maintenance tasks.

The code that generates the WordPress version is in header.php:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

To remove the WordPress version number, you should add the following line to your active theme’s functions.php file:

<?php remove_action('wp_head', 'wp_generator'); ?>

Use Secret Keys

Using Secret Keys plays a role in WordPress security. These security keys help encrypt the data stored in the cookies WordPress uses. Without knowing these keys, attackers will have a harder time entering your WordPress site.

WordPress creates these for you at the time of installation, however these values might not exist with older sites or if the wp-config.php file has been manually replaced.

By default Secret Keys are listed listed in wp-config.php, like the following:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

If you ever need to regenerate these keys, you can visit the official generator provided by WordPress.org at https://api.wordpress.org/secret-key/1.1/salt/.

If an attacker has the security keys, they can regain access to the site even if the passwords have been changed. So if your site is compromised, don’t forget to change your secret keys – not just your passwords!

Disable Directory Browsing

WordPress allows users to browse the web directories, if they know where to look. Obviously, this is something we want to avoid. Directory browsing can be used by attackers to find your most vulnerable files. It’s not uncommon for developers or webmasters to leave backup files or archives in odd places.

Disable Directory Browsing

Ensuring that no one can view the contents of directories can be done by adding a single line in .htaccess

Options –Indexes

Secure Multiple Installations

If you have more than one instance of WordPress on the same host, you should use different user credentials for each database. The database username and password should be unique in the wp-config.php files for each of your websites. This will ensure the isolation of every single site, in case one of them gets hacked.

It’s a simple tip, but reusing the same credentials is something people do all the time.

WordPress Security Plugins

If you don’t feel comfortable making the above mentioned changes, there are several plugins that help you maintain the security of your WordPress installation, or even to help you recover quickly if you fall victim to a malicious attack.

Here’s a list of the most popular security plugins:

Charles Costa has previously explored the topic of WordPress Security Plugins, that is well worth reading.

Conclusion

With a large percentage of websites being powered by WordPress it’s no big surprise WordPress security is a popular topic. If you’re serious about your website and your website security, you should definitely explore your options and take the extra time to lock your site down.

To recap, we’ve previously covered 10 Tips to Secure WordPress, in this article, we covered even more tips to help you better manage your website security. If you’re keen about learning more, I’d also recommend reading the official WordPress.org documentation “Hardening WordPress“.

Please let us know in the comments below if you have any of your own extra tips for increasing WordPress security.

  • Mark Voyer

    Greeeeeeeeeeat

  • pino

    So obscurity is the way to go for WordPress? Changing the db prefix, moving wp corefiles in a subdirectory of the PUBLIC www root, not showing the version number add 0% security. The real fix should be: keep your version up to date.

    Instead of just securing the wp-config. You should secure ALL files. Don’t try and come up with a security measure of your own. Drupal for instance uses the following:

    Order allow,deny

    The one WordPress uses (taken from https://codex.wordpress.org/htaccess):

    Order deny,allow
    Deny from all

    The Use secret keys is a no brainer. So yeah.

    The directoery traversal, if your host allows this, look for another one imho. Most hoster who allow this, don’t even allow you to set the Options -Indexes.

    Sorry, but this was just a very poor list that will simply add no real extra security.

  • https://beakerstudio.com Evan

    Assuming patches are being installed as they are made available, none of the following will actually make your WordPress site more secure:
    – Changing the database prefix. Anyone with access to your DB is going to be able to see the tables with “SHOW TABLES”.
    – Obscuring the version. Why would you need to do this if you are installing patches?
    – Disabling public directory browsing. Being able to see your public file tree shouldn’t open you to exploits. If there’s a file in your public file tree that shouldn’t be accessible, remove it, or if it’s a script add a conditional to the top which halts direct execution.

    The three best ways (that I know of) to harden WordPress security are:
    1. As previously mentioned, install those patches. Not just for WordPress, but plugins as well.
    2. Use bcrypt instead of MD5 for password hashing. There is a plugin titled “wp-bcrypt” that does this. It’s very small and simple.
    3. Avoid using tons of plugins, especially ones with poor security track records. Poorly written plugins are probably the most common source of WordPress exploits.

    And of course have a database backup strategy for just in case things go wrong.

  • Tim

    Will never use iThemes Security again. Tried it on a couple different sites and it locked me out of them several times. Had to go into the database using phpmyadmin and delete the plugin tables for it to get access back. Not to mention their own website got hacked before, so how secure is the plugin? Not sure why it gets so many good reviews? BulletProof Security is better, IMO.

  • Tobias Redmann

    I also created a little plugin to hide some version info: https://wordpress.org/plugins/zorro/

  • Web Niche

    Nice article with some great tips, thank you.

    After moving my WP installation to a sub directory and copied (not moved) index.php &.htaccess file to the root, which version of .htaccess do I update with the below code, root/.htaccess or root/subdir/.htacces? and should both .htaccess files permissions be set to 440/400 ?

    order allow,deny
    deny from all

    Thanks in advance

  • http://www.cygnet-infotech.com/ Hemang Rindani

    Insightful article. Website is an important source of information that acts as a bridge between business and clients. It is important to ensure that the information flow and storage is flawless. WordPress is a great web content management system (CMS) that allows a developer to have complete control over website effortlessly. However, because of its popularity, WP has been often exploited to security threats which worries the users. To tackle this, it is important for the developers to understand the possible types of attacks and search for the right tools and techniques to counter them. WordPress has amazing tools to
    enhance website security. All in one security plugin acts as a firewall and secures the database from external threats. It protects website from every dimension by providing features related to user account and login security, user registration, database security, protecting file system, backup and restore, blacklist and firewall, brute force login prevention and comment spam security.
    Apart from using such tools, I would strongly recommend to keep the system and plugins updated. This includes patches and improves security.

Recommended

Learn Coding Online
Learn Web Development

Start learning web development and design for free with SitePoint Premium!

Instant Website Review

Use Woorank to analyze and optimize your website to improve your website to improve your ranking!

Run a review to see how your site can improve across 70+ metrics!

Get the latest in WordPress, once a week, for free.