Hardening Your WordPress Installation


We say hardening rather than securing because it is impossible to completely secure any site. Hardening is about taking all possible steps that make it harder for others to corrupt or steal from your site.

Before going much further: reading this may give you the idea that WordPress is not secure. Most of what is discussed below is basic server security. The rest is pretty much what you need to be aware of for any software product you use. There is nothing here that implies WordPress is less secure than any similar product. In fact, it may be more secure than many.


Do not name folders for the version of WordPress you have installed.

Knowing the version number gives WordPress hackers (or hackers for any software product you may be using) information about what break-in techniques they might try.

Consider using a plugin like Replace WP-Version to remove version information from your installation.

Change the prefix you use for database files.

The default prefix for WordPress table names is "wp-". When installing WordPress, you are given the option to specify another prefix. Choose one that will not be easy to guess.

Change the name of the Administrative user

The default administrative user account for WordPress is admin. Change it to something longer and not easily guessed.

This also applies to the accounts for the database management system, since WordPress will be storing your site information in the database.

Use a Strong Password On All Accounts

· Password crackers are plentiful and strong. Don't make it easy for them.

· Monitor your logs for password guessing attempts.

· Consider plugins like Login Lockdown to monitor login attempts and lock out repeated failed login attempts from the same IP address.

Adjust File Permissions as Needed

· Make sure your file and folder permissions for your WordPress installation match those recommended by WordPress.

· Consider using a plug-in like WP Security Scan or Secure WordPress to test your installation for any installation and configuration items you may have overlooked.
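A permission check of this kind can also be run by hand. The script below is an added example, not part of the original article or of any plugin named here; it assumes the commonly documented baseline of 755 for directories and 644 for files, so it reports anything group- or world-writable, plus a wp-config.php that every local user can read.

```python
import os
import stat
import sys

def audit_permissions(root):
    """Return sorted (relative_path, octal_mode, reason) findings under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            # Assumed baseline: dirs 755, files 644, so no group/other write bit.
            if mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
            elif mode & stat.S_IWGRP:
                findings.append((rel, oct(mode), "group-writable"))
            # wp-config.php holds the database credentials; other local
            # users on a shared host should not be able to read it.
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, oct(mode), "wp-config.php readable by all users"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_permissions.py /path/to/wordpress
    for rel, mode, reason in audit_permissions(sys.argv[1]):
        print(f"{mode:>7}  {reason:<36} {rel}")
```

Some hosts run PHP under a group that legitimately needs write access, so treat group-writable findings as items to review rather than automatic failures.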

Select Plugins and Themes Carefully

· Make sure any plugin you select is updated regularly and has the active support of its author. If you get a plugin from the WordPress site that has not been updated recently, you may see a message warning you that the support for the plugin may be suspect.

"This plugin hasn't been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress."

· Themes and Plugins from the WordPress site are the safest, but there are many more available from other sites. You should understand that you could be installing code that will let others into your site or programs that will steal your data. Investigate carefully.

· Consider installing a plugin like TAC (Theme Authenticity Checker) to check for malicious code in themes.

Keeping Up-to-date

· Keep your software up to date. This applies to more than just WordPress. It includes your Server's operating system, your web server software, PHP, and your database software as well. It also includes your plug-ins and Themes. Keep a checklist and schedule for checking for available updates.

· If you are using a hosting provider, you may not be able to control the Operating System, PHP, and database upgrades. But you should not hinder them either. If your provider is able to move on to a better version of software that requires that you make small coding changes, do it. Don't put it off.

· For WordPress, follow the upgrade instructions on the WordPress site.

· Take upgrades to any free or purchased themes when they are offered and compatible with your other software. If you have written your own theme, periodically look for coding statements or function calls that WordPress, PHP, or your database vendor have deprecated for security reasons. That means you will have to read the release notes for those products. As with any software, if you don't keep your theme code up to date, you may be exposed.

Backup Your Database, files, and logs frequently

· Understand what kind of backup support your hosting provider supplies for your database and files. Don't assume that they will be able to restore your files to any point in time you specify. Sometimes it is just the ability to restore to the previous night's state. If you were hacked a few days ago, this won't help.

· Keeping copies of the source code for your theme is not sufficient. WordPress stores user accounts and the data from your pages in the database. If you cannot restore your database, you may end up setting your site back in time to the day you first installed your theme.

· Date your backup files. Do not overwrite old ones for a while, just in case there is a problem you have not noticed.

· Keep copies someplace else other than your server. Don't use server copies if you think you have been hacked.

· Verify the backups are occurring. Put it on your checklist and schedule.

· Consider installing a plugin that performs a full WordPress backup and possibly one that e-mails you the results. But remember, if your site is hacked, these backup schedules may be modified or deleted, so pay attention.

Monitor your files and logs

· Look for unexpected changes in files.

· Consider products that detect changes to files that should not be changing. Tripwire is one well-established example, but there are other products as well.

· Monitor logs for password guessing attempts.

· Consider a plugin like Login Lockdown to monitor login attempts and lock out repeated failed login attempts from the same IP address.

Use a Security Plugin for your version of WordPress.

Start by looking at multi-purpose plugins, and then fill in any gaps with more specific products.

Try plugins like:

· BulletProof Security

· WordPress Firewall

· BlogSecurity's WPIDS plugin

Manage Commenters

· You may allow comments on your blog posts, but always approve at least the first post by a new user. It is better to approve all posts, since spammers are often wise to this technique.

· Never follow links any commenter has posted in a comment.

· Delete any links from the comments before you allow the comment to appear on your site.

· Consider using an anti-spam plugin like Akismet

· Consider using a Captcha-like plugin at login such as Captcha or Sweet Captcha. A Captcha-like feature requires that the user enter a third pass phrase that is randomly selected and displayed on the screen in an obscured manner that automated software applications cannot read. This is helpful and eliminates spambots. However, there are organizations that pay people by the hour to enter captcha phrases for the spambot, so it is not total protection.

· Consider a honeypot like Blackhole that attempts to lure bots into a false comment area, records their information, and then blacklists them on your site.

There are many more plugins available to help you manage your WordPress site, with new products in development now. Older products sometimes fade away. So go to the WordPress site and do your research.