Six Steps Toward Securing WordPress

WordPress is a great publishing platform, but there a few steps that should be taken to make it more secure. Here are 6 of the best.

1. Delete the user “admin”

Every WordPress installation automatically generates a user account with the username admin. I’ll admit this is a logical username, but EVERY blog having the same username is not the best idea. Imagine someone trying to compromise your blog. What’s the first username they’re going to attack? That’s right, the admin. So, go to Users>Add New and create a new user for yourself. Make sure to set your role to administrator. Then log out and log back in as the user you just created. Now go back to the Users page and delete the admin account. Problem solved.

2. Use secret keys

According to wordpress.org,

In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random,  unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.

WordPress stores the secret keys in the wp-config.php file in your WordPress directory. You need to download a copy of your wp-config.php file in order to add your secret keys. Open the file and scroll down until you find something like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

Now, you can come up with your own unique phrases if you’d like, but I prefer to use the WordPress secret-key generating service. You won’t ever have to remember these keys so they can be long and complicated (actually, they should be long and complicated). To use the key generating service that WordPress provides, go to https://api.wordpress.org/secret-key/1.1/

You’ll see something that looks like this:

define('AUTH_KEY',        '|g_-s~>*qlxC|7x>~IYb180rU6u-r}D#dG>Q[GHCR~ql#l.7-noM5n6=E!.~SEDs');
define('SECURE_AUTH_KEY', ':kN}%tH6,O!fBpO|(u3o3~|ve/_q4:He|7Gm@)k(IIGGb}t`qAqD3-vV t/|I+85');
define('LOGGED_IN_KEY',   ' ,%4j5%9-v6hEa6THQN,+2CjPywX-HxhLj|vYSRb*7ra.Wl7RG%-Hoy4Ln0ZhTf^');
define('NONCE_KEY',       ']{nb6+C)8u&amp;amp;amp;?+e8necJSKzt)e0`x8L vQue!sV!o}d-F<v%DNhZKDv7fFLRH/9]L');

Copy the entire thing and use it to replace the section in wp-config.php that needed the secret keys. Save the file and upload it back to your website in place of the old file.

Please note: if you logged in to your WordPress administration panel before changing they keys, you’ll have to log back in.

3. Turn off directory browsing and protect the wp-config.php file

Don’t let people snoop around your site where they weren’t intended to be. Use an .htaccess file to protect the portions of your website that weren’t meant for public viewing. For example, WordPress has a directory where it stores its plugins. No one needs to look at what plugins you have installed (unless they’re looking for people who are using a plugin with a known vulnerability). So to protect yourself, create a new file and name it .htaccess (yes, it starts with a period) and place the following code in it:

# turn off directory browsing
Options All -Indexes

# protect wp-config.php
<files wp-config.php>
Order deny,allow
deny from all
</files>

Upload the file to the same directory as your wp-config.php file. This protects both your directories and the wp-config.php file that holds important database details.

4. Limit login attempts

No matter how strong a password is, it can be guessed with enough tries. The Limit Login Attempts plugin solves this problem nicely. To protect your site, download the Limit Login Attempts plugin (the download link is at the very bottom of the page), unzip it and upload it to your plugins directory (wp-content/plugins). Now log into WordPress and go to the Plugins page. Find Limit Login Attempts and click Activate (on the far right). You can change how many login attempts are allowed and make other changes by going to Settings>Limit Login Attempts.

5. Encrypt your logins

By default, WordPress login information (username and password) are transfered in plain text. You can use the Chap Secure Login plugin to encrypt your password for increased security. Plugin installations are pretty much all the same, so just follow the same steps as before (download, unzip, upload to plugins folder, activate from admin panel).

Please Note: The first time you try to login after installing this plugin, the login will fail. This is normal. After the first attempt, everything should go back to working properly. As a side note, this failed login will give you a change to see the Limited Login Attempts plugin in action (it should tell you how many tries you have left).

6. Don’t display what version of WordPress you’re using

If there is a known vulnerability with a certain version of WordPress, you don’t want to broadcast to the world that your site contains that vulnerability. WordPress automatically displays the version number as a comment in the header code, but we can change that quite easily. Just add this line to the functions.php file of your WordPress theme if you’re theme doesn’t suppress the version number already.

remove_action('wp_head', 'wp_generator');

Also, if you uploaded the readme.txt file that came with WordPress, you should delete it, since it also contains the version number.

Bonus: Scan you site for vulnerabilities

There is a WordPress plugin developed by the guys over at blogsecurity.net that will scan your site for known vulnerabilities. Do yourself a favor and check your blog.

That’s it for now. Do you have any other techniques that you use to secure your WordPress sites? Please post them in the comments. Thanks.

  • PublishedJune 8, 2009
  • Posted InSecurity