How to make sure your WordPress site is secure

Brute force attack on WordPress powered sites
Keeping your WordPress site secure is an ongoing process; here are some steps you can take to protect your WordPress site.
There is a very real, very large on-going attack against WordPress sites. It has been going on for a while now, but it severely escalated last month.
Whilst there is the clear risk of having your WordPress site compromised, the more immediate threat here is a denial of service: the volume of login attempts will make your sites slow and, in some cases, completely exhaust the resources available to your services, causing a system crash. This is a global attack against a wide range of web hosts on the Internet, coming from a large number of IP addresses, i.e. from a botnet.
There are a few things you can do immediately to reduce the risk of being affected, but please be aware that these are all intended as temporary fixes to what is likely to be a temporary problem.
How to make sure your WordPress site is secure.
Here are 9 tips you can implement straight away to make sure your WordPress site is secure.
1 Improve your password
It is strongly recommended that your password is a combination of lower and uppercase characters and numbers; WordPress also allows some special characters such as: !"?$%^). You can create a secure but memorable password by using a lengthy mnemonic-based pass phrase with upper/lower/number/special characters: take the first character of each word and substitute some characters with numbers.
e.g. “I Really Love My Web Site Long May It Last” transforms to ir1mw51mi1. To make it more secure you can encapsulate it with a set of characters, e.g. XBir1mw51mi1BX.
2 Change admin username
The default username for the administrator is just that: admin. Leaving it as it is leaves the front door half open, because any hacker exploiting this already has the username and only needs to guess the password. Changing the username alone is not enough: admin is the first user created and so also has User ID 1, so an experienced hacker can skip the username and go for User ID=1 instead. To get around this, log in as admin, create a new user with administrator privileges, then log in as the new user. Then delete the user admin and you have effectively closed this open door.
3 Change database table prefix.
The default prefix used by WordPress is “wp_”. It is easy to change the prefix to another term that is difficult to guess. The same technique as for the password can be used here: a mnemonic-based prefix, but shorter (the prefix does not need to be long; 3-5 characters is enough).
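Renaming the tables is only half of the prefix change: WordPress also stores the prefix inside some row keys (the wp_user_roles option, and the wp_capabilities and wp_user_level user meta keys), and if those are not rewritten every account loses its role and the administrator is locked out. The following added example (not code from the original post) generates the full set of SQL statements and rewrites the $table_prefix line of wp-config.php; the prefix "k7q_" and the sample config line are constructed values, and the script only prints the statements rather than running them, so they can be reviewed first.

```python
import re

# The prefix is interpolated into SQL identifiers and string literals below,
# so restrict it to the characters WordPress itself accepts for $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Constructed sample: the core WordPress table names without their prefix.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms",
    "usermeta", "users",
]


def _like_escape(prefix):
    # '_' is a single-character wildcard in LIKE; escape it so that
    # 'wp_' does not also match keys starting with 'wpx'.
    return prefix.replace("_", r"\_")


def rename_prefix_sql(old, new, tables=CORE_TABLES):
    """Return the SQL statements that move a WordPress database from table
    prefix `old` to prefix `new`: one RENAME TABLE per table, then the two
    UPDATEs that fix the rows whose key embeds the prefix."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"invalid prefix {p!r}: letters, digits and underscore only")
    if old == new:
        raise ValueError("old and new prefix are identical")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    drop = len(old) + 1  # SUBSTRING() is 1-based: first character after the old prefix
    stmts.append(
        f"UPDATE `{new}options` SET option_name = CONCAT('{new}', SUBSTRING(option_name, {drop})) "
        f"WHERE option_name LIKE '{_like_escape(old)}%';"
    )
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {drop})) "
        f"WHERE meta_key LIKE '{_like_escape(old)}%';"
    )
    return stmts


# Matches the assignment line in wp-config.php, e.g.  $table_prefix = 'wp_';
CONFIG_RE = re.compile(r"(\$table_prefix\s*=\s*)(['\"])([A-Za-z0-9_]+)\2(\s*;)")


def update_config(wp_config_text, new):
    """Return the wp-config.php text with $table_prefix pointed at `new`.
    Refuses to guess if the assignment is missing or appears more than once."""
    if not PREFIX_RE.match(new):
        raise ValueError(f"invalid prefix {new!r}")
    updated, count = CONFIG_RE.subn(
        lambda m: f"{m.group(1)}{m.group(2)}{new}{m.group(2)}{m.group(4)}", wp_config_text
    )
    if count != 1:
        raise ValueError(f"expected exactly one $table_prefix assignment, found {count}")
    return updated


if __name__ == "__main__":
    # Review the output, take a database backup, then run it in one transaction.
    for stmt in rename_prefix_sql("wp_", "k7q_"):
        print(stmt)
    print(update_config("$table_prefix = 'wp_';", "k7q_"))
```

Plugins that create their own tables need adding to the table list, and any plugin that stores the prefix in its own option values will need its own fix-up; the two UPDATE statements only cover the keys WordPress core uses.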
4 Protect your wp-config.php file
The wp-config file contains all the database access details and should be hidden from public view in all circumstances.
In your .htaccess file put in these lines:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
You can also move this file to the directory below the WordPress installation. You will probably have to ask your web developer or hosting company to do this for you.
5 Hide your WP-Content
This directory holds all the files you have uploaded (images etc.), together with your themes and plugins.
You can create a blank index.php file here, or create an .htaccess file in this folder with the content:
Options All -Indexes
WordPress has an index.php file in all of its core directories, but some plugins may not ship one.
6 Backup your site
Backing up your WordPress files is essential, although many people do not do it. Things go wrong every day: servers go down and human error causes mistakes. In the event of a site crash or breakdown, a backup is essential to restore your site. Besides the default tables created by WordPress, you should also back up any tables created by plugins.
7 Update plugins and WordPress to latest versions
Most updates are issued to fix bugs and add features, but sometimes an update is issued to close security holes. These are the updates you should look out for. Remember to take a backup of your database and files prior to any update: an update can sometimes conflict with other plugins and stop them from working, or in the worst case take the site down.
8 Keep your site ‘clean’
Delete any unused themes or plugins. Even though you have disabled them, they are still physically on your site and therefore still reachable by an attacker. Inactive themes and plugins just take up space on your server and are a ‘welcome in’ for hackers. If you do decide not to delete these files, it is equally important to keep them up to date.
9 File Permissions
Make sure you give only the necessary level of access to your files. This is done by setting file and directory permissions, and it is particularly important for special files and download areas. By setting permissions you determine who can read, write and/or execute a file. If you leave access wide open you may allow visitors to read files containing sensitive information, or even modify them.
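The following added example (not code from the original post) is a small permission audit you can run against a WordPress document root: it walks the tree and reports every directory looser than 755, every regular file looser than 644, and a wp-config.php that is world-readable (the 640 bound for that file is an assumed target; some hosts need 600 or 644 depending on which user runs PHP). The demo() function builds a constructed sample tree in a temporary directory so the script runs offline.

```python
import os
import stat
import tempfile

# Upper bounds: any permission bit set outside these masks is reported.
MAX_DIR = 0o755      # rwxr-xr-x
MAX_FILE = 0o644     # rw-r--r--
MAX_CONFIG = 0o640   # rw-r----- for wp-config.php (assumed target; adjust to your host)


def audit_permissions(root):
    """Walk a WordPress tree and return a sorted list of
    (path relative to root, mode, reason) for every entry that is more
    permissive than the bounds above."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & ~MAX_DIR:
                findings.append((os.path.relpath(full, root), f"{mode:04o}",
                                 f"directory exceeds {MAX_DIR:04o}"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and specials are out of scope for this check
            mode = stat.S_IMODE(st.st_mode)
            limit = MAX_CONFIG if name == "wp-config.php" else MAX_FILE
            if mode & ~limit:
                findings.append((os.path.relpath(full, root), f"{mode:04o}",
                                 f"file exceeds {limit:04o}"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree with two good and three bad entries
    and return the audit result for it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    files = {
        "index.php": 0o644,                          # fine
        "wp-config.php": 0o644,                      # world-readable credentials
        "wp-content/uploads/stale.php": 0o666,       # world-writable file
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o777)  # world-writable directory
    os.chmod(uploads, 0o755)                           # fine
    return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print(f"{mode} {rel}: {reason}")
```

Point audit_permissions() at the real document root to use it for a production check; it only reads metadata and never changes anything, so the fixes remain a deliberate chmod by you.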
Advanced techniques to protect your WordPress site
Here are two advanced techniques you can use to make sure your WordPress site is secure.
Protect against script injections
These are attempts by a hacker to execute script or SQL through a request, for example within a comment, in order to gain access. To prevent this you need to add the following to your .htaccess file.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Using the .htaccess file’s rewrite features, we can inspect each request. The lines above check whether the query string contains a <script> tag (plain or URL-encoded) and whether it tries to set the PHP GLOBALS or _REQUEST variables. If any of these conditions is met, the request is blocked and a 403 error is returned to the client’s browser.
Source: Protect Your WordPress Blog Using .htaccess
Block for content scrapers
If your site or blog is known to the outside world (it does not have to be well known), your content can be used or linked to from other websites without your permission. The biggest problem here is other sites embedding images hosted on your server, stealing your server’s bandwidth. To protect against this, place these lines in your .htaccess file.
RewriteEngine On
# Replace mysite.com with your blog's domain
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Don't rewrite the replacement image itself, or the request for it would be caught by the same rule
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with your "don't hotlink" image URL
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
Only your own website will be able to embed your images; any other website that links to them will display the ‘nohotlink.jpg’ image instead of the one it hoped to show.
Source: How to Protect Your Blog from Content Thieves
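Before putting either of the two .htaccess rule sets above on a live site it is worth seeing exactly which requests they catch, including the benign ones. The following added example (not code from the original post or from the linked sources) re-implements the script-injection conditions and the hot-link conditions in Python with the same regular expressions, so you can run sample query strings and Referer headers through them offline; mysite.com and the sample requests are constructed values.

```python
import re

# Script-injection conditions, copied from the RewriteCond lines.
# Apache's RewriteCond uses PCRE-style patterns, so they carry over
# unchanged; the [NC] flag becomes re.IGNORECASE.
SCRIPT_TAG = re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)
GLOBALS_OVERRIDE = re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")
REQUEST_OVERRIDE = re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")


def query_string_blocked(query):
    """True if the rule set would answer 403 for this raw (still URL-encoded)
    query string. The conditions are OR-ed, exactly as in the .htaccess."""
    return bool(SCRIPT_TAG.search(query)
                or GLOBALS_OVERRIDE.search(query)
                or REQUEST_OVERRIDE.search(query))


# Hot-link conditions. SITE_HOST is the placeholder from the snippet.
SITE_HOST = "mysite.com"
OWN_SITE = re.compile(r"^http://(.+\.)?" + re.escape(SITE_HOST) + "/", re.IGNORECASE)
IMAGE_PATH = re.compile(r".*\.(jpe?g|gif|bmp|png)$")


def hotlink_blocked(path, referer):
    """True if the request would be rewritten to the 'nohotlink' image:
    the path is an image, the Referer is present, and it is not our site.
    An empty Referer passes (direct visits, privacy proxies), as in the rule."""
    if not IMAGE_PATH.match(path):
        return False
    if referer == "":
        return False
    return OWN_SITE.match(referer) is None


if __name__ == "__main__":
    samples = [
        "s=%3Cscript%3Ealert(1)%3C/script%3E",  # encoded <script>: blocked
        "s=hello+world",                         # ordinary search: allowed
        "GLOBALS[x]=1",                          # attempt to set $GLOBALS: blocked
        "q=<b>description</b>",                  # harmless HTML, but 'description'
                                                 # contains 'script' between < and >: blocked
    ]
    for q in samples:
        print("403" if query_string_blocked(q) else "200", q)
    for path, ref in [("/wp-content/uploads/logo.png", "http://other.example/page"),
                      ("/wp-content/uploads/logo.png", "http://www.mysite.com/post"),
                      ("/wp-content/uploads/logo.png", ""),
                      ("/images/nohotlink.jpg", "http://other.example/page")]:
        print("rewrite" if hotlink_blocked(path, ref) else "serve", path, repr(ref))
```

Two things the sample run makes visible: the `.*script.*` pattern is coarse and will also reject a legitimate query such as a search for `<b>description</b>`, so watch your 403s after deploying it; and the replacement image's own path matches the image rule, so the hot-link set needs a condition that excludes /images/nohotlink.jpg or the fallback image itself gets rewritten. Note also that the Referer pattern only matches http://; if your site is served over https, extend it to https?://, and remember that the Referer is a client-supplied header, so this is a bandwidth measure rather than an access control.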
The above information should be enough for you to create a secure WordPress blog. If you have not yet applied any of these, I would recommend that you do so now.
If you know of any other methods you use to secure your WordPress blog, please mention them in a comment.
If in doubt – Call in a Specialist
If you find yourself daunted by these tasks, why not deal with what you know best, which is your business, and let us deal with what we know best? Would you try to fight that court battle without a lawyer? Then why try to maintain your own website if you’re not the web professional? By securing a qualified web professional to update and maintain your site properly you are actually saving potential lost sales and visitors.
If you’re interested in securing a maintenance contract for your website for your peace of mind, please look at one of our WordPress Care Plans that we have in place. We’d be happy to set this up for you or contact us to learn how we can protect and keep your site in good working order.
One Comment
I don’t know whether it’s just me or if perhaps everybody else is experiencing issues with your blog. It appears like some of the text within your posts is running off the screen. Can somebody else please provide feedback and let me know if this is happening to them as well? This could be an issue with my browser because I’ve had this happen before. Appreciate it