Useful Security Modifications for WordPress

WordPress is pretty secure, especially when compared to other content management systems.  We’ve put together this handy infographic on WordPress security issues.  This post is an update with some tweaks and plugins that can help tighten security on your WordPress site and (hopefully) prevent it from being hacked.

1. Keep WordPress Updated!

This is not a hack or a plugin, just common sense.  The WordPress team is constantly working on updates that address security vulnerabilities first.  Everything else comes second.  So updating WordPress with every stable release is critical.

2. Deny Access to wp-content directories

Most of the critical files are kept in these directories, and an attacker who can reach them directly may be able to execute harmful code.  Lock them down by adding an .htaccess file within the wp-content directory that denies everything except the static files browsers must still be able to fetch (extend the list if your theme serves other static file types, such as web fonts).  In the file, include:

# Deny direct requests to wp-content, except for static assets
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

3. Remove the WordPress version from your meta description

This makes it slightly harder for someone to work out which known vulnerabilities apply to your site from the WordPress version it advertises.  Of course, since you followed tip #1, you have the latest version anyway.
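The post does not show how to strip the version string, so here is an added example (not code from the original post or from WordPress itself) written as a small must-use plugin: save it as a file in wp-content/mu-plugins/ and WordPress loads it automatically.  It removes the generator meta tag from the page head and from feeds and, going one step beyond the tip, also strips the core version from the ?ver= query string WordPress appends to its own scripts and stylesheets.  The file name and the example_ function name are placeholders.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (example)
 * Description: Removes the generator tag and core version query strings.
 * Location: wp-content/mu-plugins/hide-wp-version.php (placeholder name)
 */

// Remove <meta name="generator" content="WordPress x.y.z"> from the <head>.
remove_action( 'wp_head', 'wp_generator' );

// The generator string is also emitted in RSS/Atom feeds; blank it everywhere.
add_filter( 'the_generator', '__return_empty_string' );

// Core appends ?ver=<WordPress version> to scripts and styles it enqueues
// without their own version, which leaks the same information. Strip the
// parameter only when it equals the core version, so theme and plugin
// assets keep their own cache-busting versions.
function example_strip_core_version_query( $src ) {
    if ( false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    $ver   = null;
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $params );
        $ver = isset( $params['ver'] ) ? $params['ver'] : null;
    }
    if ( $ver === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version_query', 15 );
add_filter( 'style_loader_src', 'example_strip_core_version_query', 15 );
```

After enabling it, view the source of a page and a feed: the generator line should be gone and core assets such as wp-includes/js/jquery/jquery.js should load without a ?ver= parameter.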

4. Change your database prefix

The default prefix is wp_ but you can choose anything during install.  This is a trickier process after install.  Change your database prefix to something only you know.  If you’ve already installed WordPress, and you most likely already have, check out this comprehensive tutorial on changing the wp_ database prefix over at WPBeginner.

5. Prevent all directory browsing

The WordPress file structure is so well known that it can be predicted and browsed, and a directory listing reveals exactly which files, plugins and themes are present.  Add this to your .htaccess file:

# directory browsing
Options All -Indexes

6. Deny access to the wp-admin directory

You need access to this directory, but nobody else does.  Limit who can reach it by IP address with an .htaccess file in the wp-admin directory.  If you have a dynamic IP, this is not a permanent fix.  Note that some themes and plugins call wp-admin/admin-ajax.php from the public site, so allow that file explicitly if front-end features stop working.  Remember to always back up your .htaccess file before making any changes!

Order deny,allow
Allow from [enter your ip]
Deny from all

7. Password protect the wp-admin directory

As an alternative, or complementary, step, you can password protect this directory through your hosting control panel.  If using cPanel, under the “Security” category, choose “Password Protect Directories” and follow the instructions from there.

8. Change your admin username

The default is admin.  For obvious reasons, it is more secure to set a new and secure username and password.  Choose something nobody would guess (not like mydomainadmin).  Along the same lines, choose a super-secure password, something randomly generated.

9. Prevent brute force attacks

Install the Login Security Solution WordPress plugin, compatible with WordPress 3.3 and above.  This plugin has a number of features that make it more difficult (but not impossible) to hack WordPress.  Most notably, the plugin slows down the login response time if it appears someone is maliciously trying to log in.  It also adds a great deal of features related to password quality, including an option to require a new password every xx days.  Nice.

10. Move the wp-admin directory altogether

The easiest way to do this is with the Better WP Security plugin.  This plugin comes with all sorts of other security-related features, but it also lets you quickly change the login URL.  Why change it?  Two main reasons.  First, people can navigate to yourdomain.com/wp-login and get instant verification that you’re using WordPress.  And, because of #8, they may even have your username.  If you didn’t set up a strong password, you’ve essentially invited someone to break in.  The plugin also changes the wp-admin and other dashboard links so someone with basic WordPress knowledge can’t stroll right in.

What have you done to protect your site?  Let us know in the comments or send us a message through our Facebook page.
