With so many publishers large and small running on the WordPress platform it is a natural target for hackers. The overall security of your site depends on a lot of factors, including the security protocol your hosting company implements at the server level. Some hosts are more secure than others. You should investigate your host for yourself.
Don't take their "we take the security of your site very seriously" corporate nonsense at face value. If lots of people complain about their sites being hacked and the common denominator is their host, well - that pretty much speaks for itself.
That said, there's a lot you can do to help to protect your site from hacking attempts by malicious douchebags. Here are a handful of things I believe anyone running WordPress should do to help better secure a site and reduce the chances of it being hacked (or, at the very least, make it more difficult to hack).
Installing WordPress
If at all possible DO NOT use a tool like Fantastico or Softaculous (both of which are often provided by your hosting service to streamline the installation process).
While those tools make installation SUPER easy, their cookie-cutter installation settings can also make WordPress installations more vulnerable.
The software is easy to install manually by following the simple installation instructions in the WordPress Codex.
If you can't follow those simple instructions you probably should not be doing any of this on your own to begin with.
Always Create a New Database
If your host provides cPanel access creating a new database is very easy. Use a little common sense when naming your database (e.g. don't name it "wordpress", "wrdp", etc.). Create a name you will remember as belonging to that particular website, but one a hacker or automated attack program wouldn't easily associate with a specific domain. For example, the database name for www.domain.com should not be "domain". You can use both letters and numbers in the database name. And I suggest you do.
Once your new database has been created you will need to assign a database user to it. You should always create a new user for each database. Using the same user for every database is asking for trouble. In the event that someone gains access to your hosting space they could potentially gain access to every database that exists there using the same user information. That would be bad. As with naming the database, use some common sense. The username shouldn't match your domain or your database name. Again, you can use both letters and numbers. And again, I suggest you do.
You will also have to assign a password to your new database user. I use the password generator from Strong Password Generator. The tool offers two recommended password lengths, 7 and 14. Never use recommended password lengths. Why? Because most people do. And when it comes to securing your WordPress installation, the last thing you want to do is what most people do. Choose another password length. The longer, the better. The database user password can contain letters, numbers and symbols. For the best security, make sure it contains all three.
Editing Your wp-config.php file
Now that you've created your new database and database user (I sure hope you kept copies of the names and password, because you'll need them now), it's time to make some changes to your wp-config.php file. NOTE: when you upload WordPress the name of that file will be wp-config-sample.php. Follow the instructions for making the necessary changes to the file in the "WordPress Famous 5-minute Install" and don't forget to delete the "-sample" part of the file name once you're done.
There are also more detailed instructions for editing the wp-config.php file, but you will likely never need them. If too much information makes your head hurt, I suggest you not even look at the more detailed instructions. I've done LOTS of WordPress installations and never needed to do anything more than what is explained in the 5-minute install.
Before saving your shiny new wp-config.php file, you'll want to do one more thing: change the $table_prefix value. By default the value is "wp_". For some extra protection against hacking attempts, change it to something less generic. You can change the values that come before and/or after the underscore (e.g. "wp_e8x1am4p5le", "e9x_a31pl7e", etc.). Once you've properly configured your wp-config.php file, you're ready to actually install WordPress by heading to https://www.domain.com/wp-admin/install.php - obviously you need to replace "domain" with YOUR domain information, but if you didn't know that already you should stop reading now and never attempt to install or secure a WordPress site yourself. Seriously.
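The wp-config.php steps above (per-site database name, user and password, plus a non-default $table_prefix), as an added example that is not from the post: a POSIX shell script that fills the placeholders in wp-config-sample.php, picks a random prefix and checks the result before you open install.php. It assumes the placeholder strings of the stock sample file (database_name_here, username_here, password_here and 'wp_'); confirm them in your own copy, since older releases used different ones.

```shell
#!/bin/sh
# Added example, not from the post: prepare wp-config.php from
# wp-config-sample.php with a per-site database name, user and password
# and a randomised $table_prefix, then verify nothing was left at default.
# Assumes the stock placeholders: database_name_here, username_here,
# password_here and 'wp_' (confirm them in your own sample file).

# Escape /, & and \ so a password full of symbols cannot break sed.
sed_escape() { printf '%s' "$1" | sed 's#[/&\\]#\\&#g'; }

# Prefix such as "k7q3z1a_": a letter, seven random letters/digits, then the
# underscore. WordPress only accepts [a-z0-9_] in a table prefix.
random_prefix() {
    first=$(LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c 1)
    rest=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 7)
    printf '%s%s_' "$first" "$rest"
}

# write_config SAMPLE OUT DBNAME DBUSER DBPASS PREFIX
# Copies SAMPLE to OUT with the four placeholders replaced and makes the
# result readable by the owner only, since it now holds the DB password.
write_config() {
    sample=$1 out=$2 prefix=$6
    dbname=$(sed_escape "$3") dbuser=$(sed_escape "$4") dbpass=$(sed_escape "$5")
    sed -e "s/database_name_here/$dbname/" \
        -e "s/username_here/$dbuser/" \
        -e "s/password_here/$dbpass/" \
        -e "s/^\$table_prefix *= *'wp_';/\$table_prefix = '$prefix';/" \
        "$sample" > "$out"
    chmod 600 "$out"
}

# check_config FILE: succeeds only if no placeholder survived and the prefix
# is no longer "wp_"; run this before opening /wp-admin/install.php.
check_config() {
    ! grep -q -e database_name_here -e username_here -e password_here "$1" &&
    ! grep -q "^\$table_prefix *= *'wp_';" "$1"
}

# Constructed stand-in for the relevant lines of wp-config-sample.php, so the
# functions can be tried without a WordPress download.
sample_fixture() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
EOF
}
```

Typical use: `write_config wp-config-sample.php wp-config.php blog42db blog42usr 'S3cr3t!/&x' "$(random_prefix)" && check_config wp-config.php`.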
Upon visiting the www.domain.com/wp-admin/install.php URL, you'll be greeted by a WordPress setup page. In WordPress releases prior to 3.0 the "admin" account was created by default during the installation process. Thankfully that's no longer the case. You will be prompted to enter the name of your site, a brief description and - most importantly - the username and password for the initial administrator user account.
You don't have to input your own password. If you don't, WordPress will generate one for you. I don't recommend allowing it to do that. Head back over to Strong Password Generator and create your own password. Remember not to use recommended lengths. Do I really need to remind you of that? I didn't think so. WRITE DOWN OR COPY/PASTE YOUR PASSWORD INTO A FILE! The "New WordPress Site" e-mail will not include your password if you do not allow WordPress to generate one for you.
WordPress Security Plugins
There are several plugins I install on every new WordPress site I build. No single plugin covers all the bases, but combined they offer about as much security for a WordPress installation as is possible.
- WP Security Scan - this plugin will help to bring to your attention some basic security vulnerabilities like the use of auto-generated passwords, file permission issues and the existence of an "admin" user account. Very basic, but very useful. While the information in the plugin directory states the plugin is compatible up to version 2.8.4, I continue to use it on my sites without any problems.
- Secure WordPress - Secure WordPress takes what WP Security Scan began and runs with it. It removes the version information from the site's header, as well as eliminating core, plugin and theme update information for all non-admin users. It also offers an optional free malware and vulnerability scan through sitesecuritymonitor.com.
- Exploit Scanner - it is important to note that this plugin does not actually remove any hacked or suspicious files. That is left for the user to take care of. It can also throw up false positives from time to time, but your site's security is definitely a better safe than sorry proposition. Exploit Scanner notifications are split into 3 categories: severe, warning and note, which helps you to prioritize what needs to be checked NOW and what might be able to wait until you have some free time.
- Limit Login Attempts or Login LockDown - both Limit Login Attempts and Login LockDown offer similar functionality. Essentially they limit the number of login attempts from a given IP address and lock out any IP address that exceeds the limit for a specified period of time. You can configure both the number of attempts and the length of the lockout with each plugin. Limit Login Attempts states it is compatible up to WordPress version 3.0.1 while Login LockDown claims to be compatible up to only version 2.8.4, though I should note that I am still using Login LockDown on several sites without issue.
- WordPress Firewall - one of the most useful features of this plugin is the ability to have an e-mail sent if there has been a suspected attack. Not only are you alerted via e-mail, but that e-mail includes information about the specific file that was accessed and the IP address of the offender. A particularly noteworthy feature is that when an attack is suspected the offending IP address is redirected either to the site's home page or a 404 page (your choice). You can also whitelist specific IP addresses (like, I don't know - YOURS) so you are still able to make changes to the files associated with your theme or plugins via WordPress without triggering the plugin. Again, the plugin documentation claims the plugin is only compatible up to WordPress version 2.8, but I continue to use it and haven't had any problems with it thus far.
Keep Your WordPress Software Up-To-Date
ALWAYS keep your WordPress core software updated to the latest version. While WordPress often makes significant changes to the functionality and usability of the software with major releases, incremental upgrades are often released to plug identified security vulnerabilities and resolve reported issues. You're tempting fate by keeping older versions up & running. You have been warned.
An Added Layer of Security
Donna Fontenot (a.k.a. "DazzlinDonna") has developed a great tool called "MonitorHackdFiles". It's a cron script that will help to alert you to files that are changed or new files that are added. It won't stop such an attack, but it will alert you via e-mail if it happens so you can immediately take action. Learn more about how to install and use Donna's indispensable tool.
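The cron-script idea above, as an added example that is not Donna's MonitorHackdFiles: a small POSIX shell file-integrity monitor that takes a SHA-256 baseline of the web root and, on each later run, reports new, changed and missing files so the report can be mailed by cron. It needs GNU coreutils; the web-root and baseline paths in the case block at the end are assumptions.

```shell
#!/bin/sh
# Added example, not Donna Fontenot's MonitorHackdFiles: a minimal cron-style
# file-integrity check in the same spirit. It records SHA-256 hashes for every
# file under a web root and later reports files that are new, changed or
# missing, so a tampered wp-config.php or a dropped PHP file shows up on the
# next run. Assumes GNU coreutils (sha256sum, comm, sort).
export LC_ALL=C   # one collation for sort and comm, or comm rejects the input

# baseline ROOT FILE: hash every regular file under ROOT into FILE, one
# "<hash>  ./relative/path" line each, sorted by path.
baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# The path part of a sha256sum line: 64 hex chars and two spaces precede it.
paths_of() { awk '{ print substr($0, 67) }' "$1" | sort; }

# compare ROOT BASELINE: print "new: path", "missing: path" or "changed: path"
# for each difference and return 1 if there was any (0 means the tree still
# matches). Run from cron, its output is what gets mailed to you.
compare() {
    root=$1 old=$2 tmp=$(mktemp -d)
    baseline "$root" "$tmp/new"
    paths_of "$old" > "$tmp/old_paths"
    paths_of "$tmp/new" > "$tmp/new_paths"
    sort "$old" > "$tmp/old_lines"
    sort "$tmp/new" > "$tmp/new_lines"
    {
        comm -13 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/new: /'
        comm -23 "$tmp/old_paths" "$tmp/new_paths" | sed 's/^/missing: /'
        # a hash line that is new, for a path the baseline already knew
        comm -13 "$tmp/old_lines" "$tmp/new_lines" | awk '{ print substr($0, 67) }' |
            sort | comm -12 - "$tmp/old_paths" | sed 's/^/changed: /'
    } > "$tmp/report"
    cat "$tmp/report"
    count=$(wc -l < "$tmp/report")
    rm -rf "$tmp"
    [ "$count" -eq 0 ]
}

# Assumed deployment: saved as /usr/local/bin/wpmon.sh, baseline taken once
# with "wpmon.sh baseline", then checked every 15 minutes from cron:
#   */15 * * * * /usr/local/bin/wpmon.sh compare
case "$1" in
    baseline) baseline /var/www/html /var/lib/wpmon/baseline ;;
    compare)  compare  /var/www/html /var/lib/wpmon/baseline ;;
esac
```

Re-run `baseline` after every legitimate core, plugin or theme update, otherwise the next `compare` reports the update as a change.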
BACKUP, BACKUP, BACKUP!
There's no way to secure your site 100%. If you fall victim to a hacker, you damn well better have a backup of your site. Having access to regular backups of your site can not only prevent catastrophe, but make reverting back to a "clean" version of your database quick and virtually incident-free. There are several WordPress plugins available to help you backup your data and protect yourself against data loss in the event of an attack. Here are three you should take a closer look at:
Better Safe Than Sorry
Seem like a lot of effort? Trust me when I tell you that protecting your site is much less time consuming and infuriating than trying to figure out what the hell to do after your site has been attacked. Not to mention the fact that you usually don't even know your site has been hacked until it is kicked out of Google. That is NOT a lesson you want to learn the hard way. BELIEVE ME!
Do everything you can to prevent an attack to begin with and you'll never have to experience first hand what it's like to cross into that whole new realm of monumentally screwed. 🙂
As someone who has recently rescued a hacked site and put many security fixes in (that should have been there before) I thought I knew everything there was to know about WordPress security, but your excellent easy to follow article shows I didn’t! Thanks so much Alysson.
Hi, Sue. Thanks for taking the time to comment.
As with anything, there’s always more to learn and I’m sure there’s something important that I’ve left out of this post, but I certainly hope one or more of my tips helps you better secure WordPress sites in the future.
.-= Alysson recently posted: The Dangers of Oversimplifying Niche SEO =-.
Thank you, I also recommend to have a hosting to provide at least one backup of your full website every week.
🙂
Good tip, William. Thanks for taking time to comment. Having a complete backup of your database is always a good idea. The cPanel I’ve mentioned previously gives you easy access to be able to generate complete database backups and most hosts these days use the cPanel interface.
.-= Alysson recently posted: The Dangers of Oversimplifying Niche SEO =-.
Hi Alysson,
Your post is a good checklist for anyone setting up WordPress sites.
I will retain your advice “Do things differently to most”. Don’t use Fantastico, install WordPress the hardcore way like a pro.
Your list of security plugins is now on my list of essential plugins. Then back up regularly – of course.
However, I would suggest waiting a few weeks before upgrading when there is a major upgrade.
My site crashed when I upgraded to WordPress 3.0. I made the mistake of trusting that everything will go well. I was wrong.
When doing a major upgrade, remember to deactivate all plugins first.
Thanks for such a great post.
.-= Ben Wan recently posted: How to Get Free Traffic to your Website =-.
Definitely a good tip, Ben. Though infrequent, upgrading can sometimes throw you a curve ball and screw something up. Yet another instance in which having a clean and up-to-date backup is a life saver! 🙂
.-= Alysson recently posted: The Dangers of Oversimplifying Niche SEO =-.
Alysson, great tips and I’ve got another one to add — only allowing access to your /wp-admin/ folder from specific IP addresses using an .htaccess file.
If you don’t have one in your /wp-admin/ folder already, just create it with the following:
# Apache 2.2-style access control for the /wp-admin/ directory. The Auth*
# lines are common boilerplate; with no Require directive they do nothing,
# and the deny/allow rules below do the actual work.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Deny rules are evaluated first, then Allow rules override them for the
# listed addresses, so only these IPs reach /wp-admin/
order deny,allow
deny from all
# allow home IP address
allow from 11.111.111.111
# allow work IP address
allow from 22.222.222.222
You just need to edit the ‘allow from XXX’ lines to include your IP addresses. Anyone who tries to access the /wp-admin/ folder from a different IP address will see a ‘404 Page Not Found’ error.
Much obliged for the advice, Lord Vader. For those who access their blogs from a handful of different places and are comfortable editing their .htaccess files, it’s yet another layer of security to consider adding.
.-= Alysson recently posted: 2010-08-28 TweetWeek Wrap-up… =-.
Great article, another backup option for WordPress that works great is VaultPress. I have been using it for my websites for a few months now and it works great with a constant backup plus security running. The plugin is from the makers of WordPress. It adds another layer of security but I still do manual backups every couple days.
.-= Brennan recently posted: Best Places To Book Luxury Hotel Rooms Online =-.
VaultPress is a solid solution for those looking for a premium, paid security option. Unlike the other security precautions listed here, VaultPress is a paid subscription service with monthly recurring fees for as long as you continue to use the service.
It is important to mention that VaultPress is a solution only for WordPress versions 2.9.2 and above, so before considering signing up and begin the clock ticking on the recurring monthly fees, make sure your blog is already running WordPress version 2.9.2 or higher.
.-= Alysson recently posted: The Dangers of Oversimplifying Niche SEO =-.
Must reply here:
Find it quite remarkable that VaultPress hasn't – after a long time – implemented FTP backup to your own webhost account… (as I understand it)
(like BackupBuddy)
What is the upside for businesses to put all of their critical content on some other company's server?
Security/integrity is getting more important each and every day!
Seems almost to be some kind of secret business plan here – but I don't know.
It's a no-brainer for me at least – BackupBuddy rules! (as for now)
It's gonna be interesting to follow the development of this kind of backup service though – as I can easily imagine – many spinoffs…
😉
M
Hi Alysson,
Thanks for the informative article.
My web host backs up my site every weekend, and that has proved a life saver. I once inadvertently made my site inaccessible when I inserted some php code for customization, but got the whole thing back online (and averted a developing heart attack) by quickly messaging my host and asking for a restore.
I am nevertheless going to install some of the plug-ins you listed.
Thanks again —
Lucky Balaraman
.-= Lucky Balaraman recently posted: Find Happiness 23- Wealth Is Important- but Should It Be Your Main Focus =-.
It’s happened to the best of us, Lucky. 🙂 Backups are a life saver in a variety of situations, not just as a precaution against being hacked.
.-= Alysson recently posted: 2010-08-28 TweetWeek Wrap-up… =-.
For those that find setting up MonitorHackdFiles too intimidating, I suggest a similar plugin that runs under WordPress: WordPress File Monitor. Available via WP, this plugin works great on WP3.01.
.-= Sandy Allen recently posted: Boy- oh BOY! =-.
Thanks for sharing that plugin, Sandy. I’ll definitely check it out. As for MonitorHackdFiles, it’s a great option even for those not running WordPress. Because it is a cron script that runs at the root directory level, it will help to monitor changes to any files that exist at the server level…whether you’re running WordPress, Joomla, Drupal or any other software – including, I would assume, popular e-commerce software (though it’s important to note that I have not tested or used MonitorHackdFiles on any e-comm enabled sites, so this is conjecture on my part).
.-= Alysson recently posted: The Dangers of Oversimplifying Niche SEO =-.
Nice article. I have applied most of those tricks to my blog and I will be sure to apply the rest of them to it later.
.-= Julius recently posted: Glimpses on Understanding Life =-.
Thanks for stopping by, Julius. I’m glad you found some info in the post useful.
.-= Alysson recently posted: 2010-08-28 TweetWeek Wrap-up… =-.
Great article. It’s rare to find such an in depth piece on wordpress security that is as practical as this. I’ll be passing this onto my clients and using it myself. thanks.
.-= Gareth Rees recently posted: =-.
Hi Alysson,
I enjoyed the article, and it came just at the right time. I’m working on setting up two WordPress sites over the next couple of weeks.
I have a question about the potential security threat of Plugins and Themes. It seems that a malicious developer could easily insert spyware or a virus into any plugin or theme that you install and compromise your WordPress security. I’m always a little hesitant installing anything on my site, so I check for positive reviews before doing so and stick to well known extensions.
Is there any sort of inherent security built into WordPress to protect against that? Or is there any good way to verify they are safe?
Regards
Hi Alysson,
Great article. We’ve been using WordPress since the beginning and have built a secure, managed, WordPress hosting company called Page.ly. We’re backed by FireHost and our setup for complete WordPress install with popular plugins plus more is under two minutes. It’s a complete package including updates and nightly backups. Although it’s not free, free/cheap hosting is problematic for most. I’d love to have you take a look at it. http://page.ly
All the best. =)
.-= Sally Strebel recently posted: New Pagely Vertical Platform – Managed WordPress Hosting =-.
Most WordPress systems indeed get hacked due to insecure hosting accounts; WordPress, like most other web systems, uses the same protection and encryption. But yes, there are people trying to decode WordPress in n ways, trying to exploit it, and your protection layers are surely a great way to start taking measures.
.-= Catalin recently posted: Web developer essential tools =-.