I’m often asked by clients to perform security reviews and security hardening procedures on their WordPress sites. In this post I want to tell you what I think the key areas are that need to be addressed when securing your site.
WordPress security is an issue, I have fixed dozens of hacked sites, by following this guide (and the videos that acompany this post) you can make your site much less attractive to the would-be hacker.
Video Coaching
I have a free video coaching guide to show you how to make all of these changes I mention below, simply join my mailing list in the sidebar to the right for details of the coaching videos.
The processes are quite long and drawn out, so a video explains it in much more detail.
Before You Start
You are going to make fundamental changes to your site if you follow this guide, please take a backup and know how to restore before you start, you have been warned 🙂
Keep Your Site Up To Date
The first and most important step if to keep your core wordPress file and all plugins up to date. Many updates to WordPress are security patches, so whenever the banner pops up at the top of your dashboard, take action and update your site.
The only caveat I would add is to check that any critical plugins (e-commerce etc) are compatible with the latest update before you do that.
Change Default Table Prefix
By default the WordPress tables are called wp_, so a hacker knows that the users are held in wp_users table, they already have part of the puzzle if they try an SQL injection.
Change the default table prefix to wp_{somethinghardtoguess}_
Change Default Admin Name
On earlier versions of WordPress you were forced to accept admin as the default super user name, this had thankfully changed with newer installs, you can choose your admin user name.
If you are using admin as your super user, consider changing it for something more difficult to guess, the hacker already has half the puzzle if he know your admin login name, a brute force attempt to send thousands of passwords to yoru site is made much easier.
Security Keys
WordPress has the facility to encrpy a lot of the security information it holds in browser cookies to stop people gaining access to those credentials, but you need to add some encryption keys to wp-config to make this work.
Look for teh following section
define(‘AUTH_KEY’, ‘LONG STRING’);
define(‘SECURE_AUTH_KEY’, ‘LONG STRING);
define(‘LOGGED_IN_KEY’, ‘LONG STRING’);
define(‘NONCE_KEY’, ‘LONG STRING`’);
define( ‘AUTH_SALT’, ‘LONG STRINGl’ );
etc etc
Use the following tool to set random encrypted keys https://api.wordpress.org/secret-key/1.1/
Use Strong Passwords Throughout
Make sure you are using strong passwords over all of the important layers of your site. WordPress users have a password strength guide, but you may want to use this tool for the other layers http://www.pctools.com/guides/password/
The passwords you need to check are
- WordPress admin logins
- The WordPress database password (held in wp-config)
- FTP users
- The login to your hosting panel
Don’t use the same password on all layers, and consider changing hte password on a regular basis
Hide WordPress versions
If a hacker knows what version you are running, it makes it easier to find vulnerabilities. Hide the version of WordPress you are running. It can be found in two key areas
The file yourdomain.com/readme.html, delete this file. Note this will be re-isntalled with each new version installed, I like to set the file permissions to 000 on this file.
If you view source of your wordpress page you will see the version written into the source code, this is a good plugin to remove that loop hole http://wordpress.org/extend/plugins/replace-wp-version/
Access Backend via HTTPS
To ensure all access to your backend dashboard is encrypted, I like to do the following
Ensure I can access my site via https, check with your hosting company, you may need to buy an SSL certificate.
Enable the force ssl options,you can either force all logins to be encrypted or all backend activity to be encrypted by adding one of the following commands to yoru wp-config file.
- define(‘FORCE_SSL_ADMIN’, true);
- define(‘FORCE_SSL_LOGIN’, true);
For more details on SSL admin see http://codex.wordpress.org/Administration_Over_SSL
Only FTP To Your Site Using SFTP
Not really a WordPress security fucntion, but only upload and download files to yoru site using SFTp not FTP, your ftp password will be sent in the clear over the net if you use FTP.Check with your hosting company on how to configure SFTP.
For more details on using SFTP see this post https://wpdude.com/sftp-flip-sake
Security Plugins
There are a couple of additional security plugins I like to install
wp-malwatch, kind of an anti virus plugin for your site to spot malware
Login lockdown – stops incorrect logins after three attempts and locks the user ID
Want A Secure WordPress Install
If you want me to secure your site, get a quote for a security review from my WordPress technical support page
6 thoughts on “Case Study: Security Hardening WordPress”
Great post Neil!
I’m so glad I spoke with you and got you to give my website a security overhaul when I was hacked! You provide such a great service plus the amazing bonus of teaching the masses with step-by-step instruction on how to go about protecting their own WP websites. Thanks Neil!!
Nice article, Neil.
To get the full set of security keys for the wp-config.php file, you need to go to https://api.wordpress.org/secret-key/1.1/salt now. That version generates extra keys for making things even more secure.
Cheers nathan, I was looking for that URL but could not find it when writing this post
Good Article. I use the plugin “semisecure login reimagined” to encrypt passwords for my user logins on most of my sites. What do you think about it? I use VPN to remotely access the backend (I don’t have to do it very often), so I thought that this plugin would be ok for my normal users.
Also, how can I configure WordPress with a more strict password policy? It seems like 6 chars is the default policy, but this no good. I want to enforce longer, stronger passwords.
Thanks,
Mike.
HI Mike
Have you seen this article?
http://sltaylor.co.uk/blog/enforce-strong-wordpress-passwords/
Neil
Ah… thanks Neil. This should do the trick. I’m still very surprised that WordPress hasn’t make this into core functionality, or that a plugin isn’t available.
Mike.
Comments are closed.