WordPress has often been seen as the unofficial scapegoat to blame various security breaches on. Like many other popular web applications, WordPress is an attractive target for attack. Obviously, the security in WordPress, as with any application, needs to be put into context. Luckily, WordPress benefits from a wide variety of security configuration options and third party plugins to help satisfy those who are looking to increase their overall security.
In this article, I’m going to add to Tim Carr’s 10 Tips to Secure WordPress with even more ways you can help secure your site, starting prior to the WordPress installation.
Clean Your Computer
Before starting the WordPress installation, be sure that your computer is malware/virus free. It might sound obvious, but it’s critical that your system is free of malware and in a trusted state.
If your computer is infected, every security related measure of yours could be futile. It is suggested to protect your systems with antivirus, to keep all the malware and viruses at bay.
Install WordPress in Another Directory
The WordPress core files can happily exist in another location, other than the root directory. This technique is often debated, so your mileage may vary. Scanners and attackers can still find out where WordPress lives, however we thought it’s worth mentioning since the topic does come up often.
Even if this doesn’t directly provide additional security, it will definitely help keep your server organized which is also very important.
For example, if your site has the domain www.example.com, it would be preferable to install WordPress in something like www.example.com/directory.
The next step is to copy the
.htaccess files to the root directory. If the
.htaccess file is invisible, you have to make hidden files visible in your FTP/SFTP/SCP software or in your cPanel File Manager.
Don’t worry about the error you’ll now get if you browse to your site. Go to
index.php and modify following:
Now your login URL will be www.example.com/directoy/wp-admin.
After installation, you should go to your WordPress settings in the admin panel and change the WordPress URL, so that it points at www.example.com/directory and blog URL www.example.com.
Change the Database Prefix
By default, WordPress creates the database with tables prefixed in
wp_. The thinking is that spammers and hackers that are using automated tools know your database structure. Having a default database prefix makes their life much easier. This is another topic of debate, however as with installing WordPress in another directory, it’s a question that comes up frequently.
wp-config.php configuration in the installation process, change the table prefix to something random and unique like wp_Df3R_.
To organize your tables in a more efficient way, start the prefix with
wp_ and end it with
_. You may use numbers, letters, and underscores.
As the most important file in WordPress, it stores valuable information like database, username, password and authentication keys, nobody should have direct access to
As mentioned above, we can store
wp-config.php outside of the root folder. Now we’ll add an additional layer of security to it.
To deny access to this file, you should add the code below at the top of the
<files wp-config.php> order allow,deny deny from all </files>
This file shouldn’t be modifiable or writable by others. To prevent other users from reading it, the file permission should be 440 or 400, however you should consult your host to check this.
Remove the WordPress Version Number
Sometimes leaving the WordPress version number can be a security risk, especially if WordPress isn’t updated regularly. Of course, we strongly recommend regular updates, as with performing other regular WordPress maintenance tasks.
The code that generates the WordPress version is in
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
To remove the WordPress version number, you should add the following line to your active theme’s
<?php remove_action('wp_head', 'wp_generator'); ?>
Use Secret Keys
Using Secret Keys plays a role in WordPress security. These security keys help encrypt the data stored in the cookies WordPress uses. Without knowing these keys, attackers will have a harder time entering your WordPress site.
WordPress creates these for you at the time of installation, however these values might not exist with older sites or if the
wp-config.php file has been manually replaced.
By default Secret Keys are listed listed in wp-config.php, like the following:
define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here');
If you ever need to regenerate these keys, you can visit the official generator provided by WordPress.org at https://api.wordpress.org/secret-key/1.1/salt/.
If an attacker has the security keys, they can regain access to the site even if the passwords have been changed. So if your site is compromised, don’t forget to change your secret keys – not just your passwords!
Disable Directory Browsing
WordPress allows users to browse the web directories, if they know where to look. Obviously, this is something we want to avoid. Directory browsing can be used by attackers to find your most vulnerable files. It’s not uncommon for developers or webmasters to leave backup files or archives in odd places.
Ensuring that no one can view the contents of directories can be done by adding a single line in
Secure Multiple Installations
If you have more than one instance of WordPress on the same host, you should use different user credentials for each database. The database username and password should be unique in the wp-config.php files for each of your websites. This will ensure the isolation of every single site, in case one of them gets hacked.
It’s a simple tip, but reusing the same credentials is something people do all the time.
WordPress Security Plugins
If you don’t feel comfortable making the above mentioned changes, there are several plugins that help you maintain the security of your WordPress installation, or even to help you recover quickly if you fall victim to a malicious attack.
Here’s a list of the most popular security plugins:
Charles Costa has previously explored the topic of WordPress Security Plugins, that is well worth reading.
With a large percentage of websites being powered by WordPress it’s no big surprise WordPress security is a popular topic. If you’re serious about your website and your website security, you should definitely explore your options and take the extra time to lock your site down.
To recap, we’ve previously covered 10 Tips to Secure WordPress, in this article, we covered even more tips to help you better manage your website security. If you’re keen about learning more, I’d also recommend reading the official WordPress.org documentation “Hardening WordPress“.
Please let us know in the comments below if you have any of your own extra tips for increasing WordPress security.
Elio is a open source designer and founder of Ura Design. He coordinates community initiatives at SitePoint as well. Further, as a board member at Open Labs Hackerspace, he promotes free software and open source locally and regionally. Elio founded the Open Design team at Mozilla and is a Creative Lead at Glucosio and Visual Designer at The Tor Project. He co-organizes OSCAL and gives talks as a Mozilla Tech Speaker at various conferences. When he doesn’t write for SitePoint, he scribbles his musings on his personal blog.