WordPress is an open source (read: free) CMS that is easy to use and maintain and is now the choice of many. Because everybody is jumping onto the WP bandwagon, the platform is an ideal target for attacks and data theft. The problem is compounded by a lack of awareness on the part of many DIY'ers who take the plunge without realizing the security risks of setting up a WP site.
There are many posts with detailed and excellent information on securing WordPress, but they tend to overwhelm most users with the technicalities involved.
Fortunately, we have a simple and straightforward guide that makes it fairly easy to secure your WordPress installation, and most of it can be done within 15 minutes.
The guide is divided into two parts:
- Auditing Your Security (bare essentials required to secure WordPress)
- Start Fortifying (suggested steps to bolster WordPress security)
1. Auditing Your Security
Once you set up a new WordPress install, do not proceed with even an iota of work until you have run through and secured the following audit items:
- Create a new administrator user with a new login name. Delete the default “admin” user.
- Use random passwords of at least 12 characters. Here’s a helpful random password generator.
- Install and activate the Login Lockdown plugin.
- Install, activate, and run the Secure WordPress plugin.
- Install, activate, and run the WP Security Scan plugin. Run its File Permissions check, and change your folder permissions accordingly.
- Install, activate, and run the Maintenance Mode plugin to create a landing page and “cloak” the work in progress.
Following the above steps will provide a certain minimum level of security and protection to your WordPress setup.
2. Start Fortifying
Once you are through the basic auditing, you may proceed through the following steps to start securing your WordPress site.
1) Encrypt your login
Whenever you log in to your website, your password is sent unencrypted. This is a big security threat when operating on a public network. We suggest that you encrypt your login with the Chap Secure Login plugin.
2) Protect your wp-admin folder
The wp-admin folder of WordPress contains critical functionality and it is the last place you want to give others access to. Use AskApache Password Protect to password-protect the directory and grant access only to authorized personnel.
3) Remove WordPress version info
If you are using a WordPress version prior to 2.6, a potential threat that is often overlooked is that a large number of WordPress themes include the WordPress version in a meta tag. Crackers can easily get hold of this information, and it helps them plan specific attacks targeting the security vulnerabilities of a particular version.
To remove the WordPress version info, log in to your WordPress dashboard.
Go to Design->Theme Editor. On the right, click on the Header file. In the code on the left, look for a line that looks like
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Delete it and press Update File.
In WP2.6 and above you can simply install the WP-Security Scan plugin as specified in the auditing guide above.
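As an alternative to hand-editing header.php (which is lost on the next theme update), the same result can be achieved from code. This is an added example, not part of the original post or of any plugin it mentions; the function names prefixed hv_ are our own, and it assumes the file is placed in wp-content/mu-plugins/ or appended to the active theme's functions.php. It also goes a little beyond the meta tag: WordPress prints the version in feeds and as a ?ver= query string on core scripts and styles, so those are stripped too.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example, not a real plugin)
 *
 * Removes the WordPress version from the places core prints it. This only
 * reduces easy fingerprinting; keeping WordPress, themes and plugins
 * up to date (step 6) is what actually closes version-specific holes.
 */

// 1. wp_generator() is hooked to wp_head and prints
//    <meta name="generator" content="WordPress x.y.z" /> in <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. RSS/Atom/RDF feeds carry a <generator> element built via the
//    'the_generator' filter; return an empty string so feeds stay silent.
function hv_empty_generator( $generator ) {
    return '';
}
add_filter( 'the_generator', 'hv_empty_generator' );

// 3. Core scripts/styles are enqueued as e.g. /wp-includes/js/foo.js?ver=x.y.z
//    where x.y.z is $wp_version. Drop the 'ver' query argument from the URL.
function hv_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_version_query', 15 );
add_filter( 'style_loader_src',  'hv_strip_version_query', 15 );
```

After activating, view the page source of your home page and your feed URL and confirm that no "generator" string or ?ver= parameter remains.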
4) Hide your plugins folder
If you navigate to http://yourwebsite.com/wp-content/plugins, you will be able to see a list of all the plugins that you are using for your blog. You can easily hide this listing by uploading an empty index.html to the plugins directory.
Open your text editor. Save the blank document as index.html.
Using an ftp program, upload the index.html to the /wp-content/plugins folder.
5) Change your login name
It is common knowledge that the default WordPress username is admin. You can make it harder for a cracker to guess your login credentials by changing your login name.
In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role. Log out and log in again with the new user account.
Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select "Attribute all posts and links to:" and pick your new username from the dropdown. This will transfer all the posts to your new user account. Press Confirm Deletion.
6) Upgrade to the latest version of WordPress and plugins
The single biggest exploitable entry point on any WordPress install is outdated versions of WordPress, themes and plugins.
The Update Notifier Plugin helps solve this problem by checking the official repository on a regular schedule and sending you an email when it’s time to upgrade.
The latest version is WP 2.9.2 (as of this post). You can download it here.
9) Backup! Backup! Backup!
No matter how secure your site/blog is, common sense asks you to prepare for the worst-case scenario. Install the wp-database-backup plugin and schedule it to back up your database daily.
10) Define user privileges
If there is more than one author for your blog, you might want to install the role-manager plugin to define the capabilities for each user group. This will give you, the blog owner, the ability to control what users can and cannot do in the blog.
11) Use Captcha whenever possible