20+ Ways to Harden and Secure Your WordPress Blog

htd_wordpress_jail

htd_wordpress_jailRecently, some high-profile blogs that are running WordPress have been hacked or hijacked by malicious users (e.g., TechCrunch). The worst thing is having to try to recover from such an event, you not only have to repair your site, but also your reputation. So, spending a little bit of time trying to prevent or at least make it a bit more difficult for a hacker to take over your WordPress blog is time worth investing.

I have had my fair share of my blogs (both work and personal) getting attacked (denial of service attack, hidden iFrames in my code, SQL injections and my server repeatedly being hit with brute force SSH login attempts from overseas). I have learned a lot from over 5 years of blogging, however I am by far no expert in the security field. But, what I can do is provide a growing list of tricks and tips as well as plugs that you can use to make your WordPress blog a bit more secure. This is not an exhaustive list nor have I personally implemented everything that is on here. I simply wanted to provide a list of items that you can do that may make your blog a bit more difficult to crack. Some security is better than no security, in my opinion. If a bot or hacker spends too much time trying to get in, they will hopefully move on to find something different and easier.

A Word of Warning: Do note, having many plugins running will degrade the performance of your WordPress blog. Some of the plugins run only on demand while others are present and running all of the time, so your mileage may vary. Also, some of these plugins might not work well together. Lastly, a few of the items below require you to have SSH access to your WordPress environment or server. You may have restrictions in place by your hosting provider as well.

The List of WordPress Blog Security Measures

  1. Do Regular Backups – back up not only your database regularly but also be sure to take a full copy of your entire WordPress directory. A great WP Database backup plugin is “WP-DBManager“. What I do is run a DB backup and then do a complete file backup since the DB backup is within your WP directory and will be copied when you download.
  2. Scan Your Files for Oddities – I wrote a post on how you can scan a local copy of your WordPress files to find code injections or iFrame. There are also some plugins that can help with that like “WordPress Exploit Scanner” or “AntiVirus“.
  3. Change Your Password – make it something difficult to figure out. Don’t use numbers in place of letters because everybody does that. Use special characters.
  4. Rename Your Admin User – there are a couple of ways to do this. You can do some MySQL commands to do it or you can use a plugin to do it for you. Either go into a MySQL manager like phpMyAdmin and rename the user “admin” to something else, or run a command like:
    [sourcecode language=”sql”]update tableprefix_users set user_login=’newuser’ where user_login=’admin’;[/sourcecode]

    where the “newuser” name is the name that you want your old admin user to be. I personally used “Admin Renamer Extended” which worked great. Basically since all blogs come with an “admin” user, the bot or hacker will start testing against that.

  5. Keep WordPress Current – this is a lot easier to do now with their built-in automatic upgrading utility. There are other plugins that help as well including “WordPress Automatic Upgrade“.
  6. Keep Plugins Current – 3rd party developers frequently update their plugins to fix holes or bugs. Be sure to stay on top of those.
  7. Eliminate Unnecessary Plugins – plugins are security holes in themselves. You best bet is to minimize your risk by not having a bunch installed, or, at minimum, keep the ones you don’t really need disabled.
  8. Rename your WordPress Database Tables – I actually did this with the use of a plugin called “WP Security Scan” (which has a bunch of other great functions built into it like permission checking, version hiding and WP admin protection). NOTE: be sure that you back up your DB. Also, before you do this, be sure that you have access to your MySQL db as while the plugin got most things, I had to actually go into the “wp_usermeta” table and manually make some changes there. I had been locked out of my WP Admin section because of some user role issues. Another plugin (which I haven’t tried) is SEOEgghead’s “WordPress Table Prefix Rename Plugin“. There are some manual steps available as well.
  9. Use SSH instead of FTP – or use SFTP if you like having a GUI for your file management. SSH is a bit more secure (another topic completely) and will let you shut down the FTP service and port (something you should do).
  10. Hide the Contents of your Plugins Folder – There are a few ways you can do this. The easiest is to create a blank document called “index.html” within your plugins directory.
  11. Don’t Let Search Engines Index your WordPress Folders – Create a “robots.txt” file and include the following line: Disallow: /wp-*
  12. Protect Your Login Page – there are some plugins that let you move the location of your WP-Admin section. However, you can also protect the actual login page against “brute-force” attacks where an automated bot will try a variety of usernames and password in an attempt to log in. “Login Lockdown” allows you to configure how many attempts can be made and then can block repeated attempts. You can also “encrypt” your password when you are logging in by using “Chap Secure Login“.
  13. Move Your WP-Config.php File Up a Level – you can safely move your WP-Config.php file to the directory above your WordPress directory. This allows you to make it just a bit harder to discover your MySQL information that is contained in that file.
  14. Make your Directories Not Browsable – if when you go to a directory like /wp-content/uploads/, do you see a listing of files and directories? If you do, you want to probably turn off indexing. To do that, simply add “Options –Indexes” or “Options All –Indexes” to your .htaccess file in your site’s root directory.
  15. Monitor Changes to Files within your Blog – there is a cool plugin called “WordPress File Monitor” that will take a snapshot (either of creation dates/times or MD5 hashes) of your current blog’s files & directories. Then, if these files change, you can receive an email notification and an admin dashboard notification when files have changed (be sure to exclude your cache & upload directories for starters)
  16. Check Your Permissions – unfortunately, this is a tricky topic and varies from server to server. Generally, you want to really restrict who has access to your files on your server. For shared hosting, these are already configured for you. For others, you should probably restrict items to 755 or 644. You can start looking as some permission recommendations right on WordPress.
  17. Install a WordPress Firewall – I tested this plugin a while ago and it produced some interesting results (some false positives, for example). But, it looks like a pretty useful plugin: WordPress Firewall Plugin from SEOEgghead.
  18. Lock Down phpMyAdmin – if you have self installed phpMyAdmin (a popular web-based MySQL management tool), be sure that you keep it current and secure it. One of my blogs was hacked because of an old install of phpMyAdmin that wasn’t secured.
  19. Hide Your WordPress Version – if the version of your WordPress blog is out in the open, a hacker can use that information to know what exploits or vulnerabilities exist for that particular version. You can manually hide this information yourself by searching in your theme’s header file for this line and delete it:
    [sourcecode language=”php”]<meta name="generator" content="WordPress <?php bloginfo(‘version’); ?>" /> <!– leave this for stats –>[/sourcecode]

    or use the plugin “Secure WordPress” (which has a lot of good features) to disable that.

  20. Scan Your WordPress Blog for Vulnerabilities – using the “WP-Scanner” plugin, you can scan your WordPress blog for vulnerabilities. (Note: as of this writing, the scanner was offline.)
  21. BONUS: Perishable Press 4G Blacklist – I just recently discovered this “firewall” that supposedly protects your server against various malicious activity. You can read up on it here. It looks fairly interesting and I’m testing it.

List of Useful Plugins

Below is a list of plugins that are mentioned in the items above. These are direct links to their existence within WordPress.org or their site if not on WP.

Other Resources & Ideas

Of course, many people have written about how to harden or secure your WordPress installation or the server where it resides. Some things you might want to read or consider are:

  • WordPress.org – WordPress actually as a (vague) article on strengthening your WordPress install. There are some good points but simply them admitting that there are things you should do to make it more secure is a bit scary.
  • SSH Login Lockouts – take a look at SSHGuard or Fail2Ban which prevent unauthorized SSH login attempts on your server and banning them in your firewall.
  • SSH Key Authentication – instead of using passwords to login to your server, do it with Keys.
  • Set Up Monitoring – be sure that you monitor your server for uptime. You might be able to see a hack in process (strange activity or increased traffic) and stop it from completing.
  • Knockd – you can set up sort of a cool “knock knock” pattern via telnet on particular ports that signals your server to open up your SSH port. Great idea and you can get more info here.

I’m sure that everyone has their own tips and tricks to make their blog a bit more secure. I would love to hear about them (and possibly implement). Over time, WordPress will get more secure as will plugins (hopefully). The best thing to do is to keep everything current and pay close attention to what the blogosphere is saying.

Did you find this solution useful? If so: [paypal-donation reference=”WP Security”]

Note: I can provide answers to questions about the items mentioned above, but I am by far no expert. You should try to contact the authors of the plugins for questions specific to those items.

Have I left anything out? If you have a great security plugin or security technique designed to harden a WordPress server, please let me know.

HTD says: Leave a comment if you have been hacked or have some suggestions to add to this list.

8 Responses

  1. Cool… I just tried most of the above – the wp-scanner found something up with my search form. Fixed!

  2. Hi love your post, what has your testing show in regards to the Perishable Press 4G Blacklist. i am very interested in using it for my own sites. i ran it through my favorite htaccess syntax checker an it came up with 16 errors. you can find the link to the checker in the link to my name

  3. Mike  What does this mean “Move Your WP-Config.php File Up a Level – you can
    safely move your WP-Config.php file to the directory above your
    WordPress directory. This allows you to make it just a bit harder to
    discover your MySQL information that is contained in that file.”

  4. Let’s say that your site is set up like this:

    WWW
    – BLOG (under the WWW directory)
    -wp-config.php (under the BLOG directory)

    You can actually move your wp-config.php up a level so instead of it being under the BLOG directory, it can be under the WWW directory.

  5. I really love your post, I think these 21 security tips is the best but I think they are making slow performance and might not working altogether. what do you think the important of these securities should have, can work altogether and good performance?
    Thank you in advance to reply me back.

  6. [URL=http://www.kema-ryiadh.com/%d8%b4%d8%b1%d9%83%d8%a7%d8%aa-%d9%86%d9%82%d9%84-%d8%a7%d8%ab%d8%a7%d8%ab/]?????
    ??? ???? ???????[/URL]

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Other articles of interest

Global Product Review Disclosure

Disclosure: This is a global disclosure for product review articles on HighTechDad. It does not apply to Automobile reviews and there are other exceptions. Therefore, it may or may not be applicable to this particular article. I may have a material connection because I may have received a sample of a product for consideration in preparing to review the product and write this or other content. I was/am not expected to return the item after my review period. All opinions within this and other articles are my own and are typically not subject to the editorial review from any 3rd party. Also, some of the links in the post above may be “affiliate” or “advertising” links. These may be automatically created or placed by me manually. This means if you click on the link and purchase the item (sometimes but not necessarily the product or service being reviewed), I will receive a small affiliate or advertising commission. More information can be found on my About page.

About HighTechDad

Michael Sheehan (“HighTechDad”) is an avid technologist, writer, journalist, content marketer, blogger, tech influencer, social media pundit, loving husband and father of 3 beautiful girls living in the San Francisco Bay Area. This site covers technology, consumer electronics, Parent Tech, SmartHomes, cloud computing, gadgets, software, hardware, parenting “hacks,” and other tips & tricks.

Recent Articles

Explore Categories