Increasing Your WordPress Security
October 2, 2015



There isn’t a piece of software on the face of the planet that is 100% secure. After spending the last week increasing the security on the 200+ WordPress sites we run, I decided I should share what I learned about WordPress security. WordPress is one of the largest Content Management Systems (CMS) used on the web, which makes it an ideal target for hackers: one working exploit gives them a potential way into over 60 million sites (source: wordpress.org). With this in mind, there are a number of easy changes, additions and practices you can use to make your WordPress site infinitely more secure.

Username and Passwords

Usernames and passwords are the easiest things to secure on your website – but many people still have very weak usernames and passwords. When making a username, be sure not to use the default admin. This will be the first username every single hacker will try when attempting to break into your site. If you already have your username as admin then simply make a new username with a different email (which can be changed later back to your original email) and then delete the old user. You can then attribute all the content from the previous user to the user you just created.


Ever since WordPress 4.3 your WordPress install will by default give you a very strong randomly generated password. This was not always the case however, so many users still have weak passwords. If you go to update your password now WordPress will automatically give you a very strong password. If you want a strong password that is slightly more memorable, use my password generator which combines an adjective with an animal and then replaces letters with numbers and characters. I made this before WordPress created their own password generator and most of our sites still use passwords generated from it with no problems.

Once you have your strong password you can save it to your computer so long as your computer is secure. Software like LastPass, iCloud Keychain and 1Password will all save your password to your computer with some additional security if you’re worried about it.

Use a secure password and then save it to your computer!

If you are extra worried about attackers it’s also a really good idea to enable 2-factor authentication via plugins such as iThemes Security or Clef. iThemes Security is part of a larger plugin that contains many security features (although it is not my favorite security plugin), whereas Clef is a plugin used only for 2-factor authentication.

For those who don’t know, 2-factor authentication is set up so that when you log in with your username and password, you also have to enter a one-time password or code. This code is sent to an authorized phone or email address so that only you have access to it. Hence the 2-factor (2 layers of security) authentication: first your regular password, then your one-time password or code.

File Permissions

File permissions are probably the second largest problem for WordPress owners. Setting your file permissions incorrectly can result in disaster. The most important thing to note is that no folder in your WordPress install should have 777 file permissions. Some plugins will ask for 777 file permissions but I would steer clear of those if at all possible.

Unless absolutely necessary, don't have any 777 file permissions!

A 777 permission means that anyone on the server (the owner, the group and everyone else) can read, write and execute that file, or create and delete entries in that directory. This means that files can be rewritten with malicious code, or malicious scripts can be placed in folders and then executed.

The All In One WP Security & Firewall plugin (spoiler alert this is my favorite security plugin and I recommend you use it as well) will tell you if your file permissions are properly set or not. It will also tell you what they should be so that either you or your system administrator can change them.


Here is an overview from the WordPress Codex about what file permissions should be set as:

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server; if your hosting setup requires it, that may mean those files need to be group-owned by the user account used by the web server process.

/
The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/
The WordPress administration area: all files should be writable only by your user account.

/wp-includes/
The bulk of WordPress application logic: all files should be writable only by your user account.

/wp-content/
User-supplied content: intended to be writable by your user account and the web server process.

Within /wp-content/ you will find:

/wp-content/themes/
Theme files. If you want to use the built-in theme editor, all files need to be writable by the web server process. If you do not want to use the built-in theme editor, all files can be writable only by your user account.

/wp-content/plugins/
Plugin files: all files should be writable only by your user account.

Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.

Changing File Permissions

If you have shell access to your server, you can change file permissions recursively with the following commands:

Directories:

Files:

Before we move on I just want to go over one common problem that a lot of people run into. If you have changed file permissions and either your theme manager or your media manager stops working, then you probably have the ownership of those directories set incorrectly. For most installs all files need to be writable by the web server process. On our server this means the ownership is set to apache:apache with 755 permissions. A lot of people set the permissions, find that things no longer work, and go straight back to 777. Now you know how to avoid that, so you won’t do that, RIGHT?!
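As an added example that is not from the original post, here is a small POSIX shell script that audits a WordPress tree for world-writable entries (the 777/666 problem) and resets it to the 755-for-directories, 644-for-files scheme described above. The install path is a placeholder; ownership is only reported, because changing it (chown) needs root.

```shell
#!/bin/sh
# Added example, not from the original post: audit a WordPress tree for
# world-writable entries and reset it to 755 (directories) / 644 (files).
# Ownership (apache:apache on the author's server) needs root to change,
# so this script reports it but never alters it.

# list_world_writable DIR: print every file or directory that "others"
# can write to. Returns 0 if the tree is clean, 1 if anything was found.
list_world_writable() {
  hits=$(find "$1" -perm -002 \( -type f -o -type d \) -print)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# reset_permissions DIR: directories to 755, files to 644, recursively.
# Run this as the account that owns the files; if the theme or media
# manager still cannot write afterwards, ownership is the next thing to fix.
reset_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# report_owner PATH: print owner:group so a mismatch with the web server
# account is visible (ls is used because stat's flags differ between OSes).
report_owner() {
  ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

# perm_is PATH MODE: true when PATH has exactly the octal MODE given.
perm_is() {
  [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Usage on a real install (placeholder path):
#   list_world_writable /var/www/html || reset_permissions /var/www/html
#   report_owner /var/www/html/wp-content/uploads
```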

Backup Often

Let’s say the worst happens and you get hacked. If you have a lot of backups ready to go then no problem – granted you’ll have to put in some work to recreate your site but at least all your content and data is safe. Without backups this becomes one of the worst nightmares you can possibly imagine. If you’re worried that you may end up with a huge backlog of backups – remember that online storage is super cheap now and it’s better to have a huge backlog as opposed to losing your website. With a little management you can also trim down the backlog as well.

Most good web hosts will provide you with backups for both your databases and your physical files, so be sure to set those up if you have to. If you’re looking for a plugin to help with your backing up, UpdraftPlus Backup and Restoration is by far the highest rated and has the most installs. Its description reads, “Backup and restoration made easy. Complete backups; manual or scheduled (backup to S3, Dropbox, Google Drive, Rackspace, FTP, SFTP, email + others)”.

Keep WordPress Updated

This sounds like a simple one, but lots of people fail to realize how important it is to keep your WordPress install updated. If an exploit is found and you don’t update your install, you have no defense against it. All updates should be applied as soon as possible to ensure the best possible security for your install.

The core isn’t the only thing that has exploits on your install either – the same goes for plugins. Many plugins will be updated for security reasons so be sure to use the latest versions of everything. WordPress is an extremely complicated piece of software so exploits are bound to be found – make sure you’re up to date to combat attackers.

Update! Update! Update!

Extra Things You Can Do

The following are some small tips and tricks that will increase your overall security. While not as huge as what’s listed above, these will definitely help secure your site and should be read over.

Database Precautions

If you run multiple WordPress installations on the same server, make sure you have a different database with a different database user for each installation. If all of them share one database and one user, then a hacker who cracks the database for one installation has access to every other installation’s data as well.

Securing wp-includes

Since no script in wp-includes should ever be requested directly by a user, we can lock the directory down using mod_rewrite in the .htaccess file. You can see the code that should be added to the .htaccess file below:

Don't use the above code on Multisite - it will cause errors

To ensure the code above is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags so keep it outside of them!

Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files, via the Editor under Appearance. This is often the first tool an attacker will use if they manage to log in after a brute force attack (remember to use those secure usernames and passwords). Luckily, WordPress has a constant to disable editing from the Dashboard. Placing the following line in wp-config.php removes the Editor so it cannot be used for harm:

This will not prevent an attacker from uploading malicious files to your site
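As an added example that is not from the original post, and that covers both the wp-includes lockdown above and the Dashboard editor constant, the POSIX shell functions below insert the rewrite block above the # BEGIN WordPress marker (so the section WordPress regenerates never overwrites it) and add DISALLOW_FILE_EDIT to wp-config.php. The rewrite rules are assumed to be the block from the WordPress Codex “Hardening WordPress” page (single-site only, as the post warns), and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Two idempotent helpers:
#  - harden_htaccess: prepend the wp-includes lockdown block so it sits
#    ABOVE "# BEGIN WordPress", the section WordPress rewrites at will.
#  - disable_file_editor: define DISALLOW_FILE_EDIT in wp-config.php
#    before the "stop editing" line, i.e. before wp-settings.php loads.
# The rewrite rules are assumed to be the WordPress Codex hardening block.

WP_INCLUDES_RULES='# BEGIN wp-includes lockdown (kept outside WordPress markers)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END wp-includes lockdown'

# harden_htaccess FILE: prepend the rules unless they are already there.
# Writing back through "cat >" keeps the file's owner and mode intact.
harden_htaccess() {
  [ -f "$1" ] || : > "$1"
  grep -q '^# BEGIN wp-includes lockdown' "$1" && return 0
  tmp="$1.tmp.$$"
  { printf '%s\n\n' "$WP_INCLUDES_RULES"; cat "$1"; } > "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"
}

# disable_file_editor WP_CONFIG: insert the define before the
# "stop editing" comment, or append it if that comment is missing.
disable_file_editor() {
  grep -q 'DISALLOW_FILE_EDIT' "$1" && return 0
  tmp="$1.tmp.$$"
  awk 'BEGIN { line = "define(\047DISALLOW_FILE_EDIT\047, true);" }
       /stop editing/ && !done { print line; done = 1 }
       { print }
       END { if (!done) print line }' "$1" > "$tmp"
  cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage on a real install (placeholder paths):
#   harden_htaccess /var/www/html/.htaccess
#   disable_file_editor /var/www/html/wp-config.php
```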

Locking Down Your Login Page

Before going into the different options for security plugins I want to go over something that most of the security plugins will provide you with: login timeouts. If a hacker tries to brute force your website they will obviously have to make numerous login attempts. What most of the security plugins do is lock out an IP address that fails to log in numerous times in a row. This is one of the best preventative measures against attacks on your site.

My favorite All In One WP Security & Firewall plugin will provide this functionality.

Security Plugins

Now that we’ve covered the basics of securing your WordPress install, I’ll answer the question you’ve all been begging to ask. In classic WordPress fashion – yes there is a plugin for that. There are a huge number of security plugins available for WordPress. Check out the list below of some of the highest rated (with the most installs) plugins on the official repository:

As mentioned earlier in the article, All In One WP Security & Firewall is my personal choice for a security plugin. It has everything I need along with a very nice user interface that lets you know exactly what’s going on. With this plugin you can check username and password strength, lock down your login page, check and change your file permissions, disable XML-RPC pingbacks (a commonly abused feature) assuming you aren’t using the WordPress app which requires it, rename your login page and so much more.

The plugin gives you a great visual breakdown of your security flaws and how you can improve them. It also comes with a built-in WHOIS lookup so you can see who’s messing with you (although they are most likely behind a proxy) and a blacklist manager so you can blacklist IP addresses yourself (the login lockdown will automatically blacklist IPs for you as well).

Summary

If you take only one thing away from reading everything here it should be this: although security can be a scary thing, it can be easily maintained and managed. Get ahead of the game and follow these steps to ensure your site is safe and secure:

  • Use strong usernames and passwords
  • Ensure proper file permissions
  • Backup often
  • Keep everything up to date
  • Perform extra precautions if necessary
  • Get a security plugin that meets your needs

If you do all that then your WordPress install will be safe. There are always new attacks and exploits, but there is an entire team of developers behind WordPress working together with you to ensure you have a secure CMS.

As always thank you for reading and please share it around as much as you can! I would like to hear what security plugin is everyone’s favorite so sound off in the comments below! Please feel free to put any suggestions or ideas for future tutorials in the comments section below as well.