DiggingIntoWordPress

by Chris Coyier & Jeff Starr

Tips to Keep WordPress Secure

With each passing day, strong security becomes more important. This article explains some ways to keep WordPress secure while improving the overall security of your WordPress-powered site. Most of the tips provided here are practice-based security steps that require no plugins or hacks. The idea here is that you don't need to make changes to any code, or modify WordPress in any way in order to maintain strong security. These are security steps that most any WordPress user can use to help protect their site and keep WordPress safe and secure.

Introduction

The motivation for this article is the idea that WordPress itself is secure. When vulnerabilities are discovered, the WordPress team fixes them up and pushes out a new version asap. In my experience, most security issues are introduced by external factors, such as user inexperience, insecure servers, and badly coded 3rd-party plugins and themes. Much of the advice given in this article is aimed at reducing risk by controlling these and other external factors.

Keep in mind that security is not a set-it-and-forget-it kind of thing. There is no such thing as a perfectly secured site. If your site is online, there is risk. Thus, good security is not about trying to eliminate risk, but rather results from reducing risk as much as possible. As stated in the WordPress Codex [1]:

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain.

Risk elimination is not a one-size-fits-all, click-a-button-and-done type of affair. Rather, risk reduction happens in layers. Everything counts. From server software to form validation and everything in between, every layer of protection works together toward a site's overall level of security. So with that in mind, here are some tips that will help you to keep your WordPress-powered site as secure as possible.

Do Nothing

If you're running WordPress on a well-secured server, and you are 100% sure about any themes and plugins that you're using, then you're pretty much good to go security-wise. I have sites hosted on VPS servers for which I take zero additional security steps outside of common best practices. But good security also depends on how you're using WordPress, which is what most of this article is about.

Use SFTP not FTP

If you're still using regular ’ol FTP, you should switch to SFTP as soon as possible. In a nutshell, FTP sends your credentials and data in clear text, which means your password and connection information is not encrypted [2]. If you are transferring your files via FTP, anyone listening on the network can grab your data and use it to exploit your site. Using SFTP is just like using FTP, but with SFTP all of your credentials and data are encrypted, which protects them from would-be attackers.

Ask your web host if you are unsure about SFTP support — they should be more than happy to help. Likewise with your current FTP setup, check the documentation to see how to change things over to use SFTP as your file-transfer protocol.

Use SSL/HTTPS

This is the same basic idea as using SFTP instead of FTP. If your site is using the HTTP protocol, all transmitted information is sent without encryption. So all comments, logins, purchases, and other transactions are sent and received unencrypted over the network. This means that an attacker could intercept passwords and other sensitive data in order to exploit your site and its users. This is one reason why Google and other big players are pushing hard for everyone to switch over to HTTPS. With HTTPS, all transmitted data is encrypted, which helps to protect against interception and exploitation.

Of course, switching from HTTP to HTTPS requires more effort than switching from FTP to SFTP. To set up HTTPS for your site, you need an SSL certificate, which must be implemented properly on your server (which can be easier said than done). If you do decide to upgrade to SSL/HTTPS, make sure to do so for all pages on your site, otherwise known as "always-on" SSL. For help making the transition, check out Chris Coyier's write up over at CSS-Tricks. After implementing SSL, test your pages for proper functionality and security using an online SSL checker.

Secure Hosting

Perhaps the most important of all security tips is to host your sites on a secure server. The server is the foundation of your website, so make sure that your web host is reputable and provides stable, secure servers.

Especially with web hosting, you get what you pay for, so avoid "cheap" hosting at all costs. If you can afford it, get anything better than "shared" hosting. Shared hosting means that you are sharing the server space with other users. So if another site on the server is hacked, then all sites on the server may be compromised.

Contrast that scenario with dedicated hosting, where the entire server is dedicated to your sites. That enables you to be as secure as you want to be, without worrying about what your neighbors are doing (or not doing). Likewise with VPS hosting, the security of your sites is not dependent on the security of your neighbors.

Some things to look for in a good web host:

  • Solid reputation as secure, reliable, supportive, responsive, etc.
  • Provides a properly configured server
  • Provides current versions of all software (Apache/Nginx, PHP, MySQL, etc.)
  • Provides reliable methods for backing up and restoring your data
  • Happy to discuss all details regarding service, security, features, et al

Unfortunately finding a good web host these days is easier said than done, but it is of critical importance nonetheless. Taking the time to do your own research and find the best possible web host is one of the best security moves you can make.

Strong Passwords

Everyone on the Web should be using strong passwords. Unfortunately, there are many folks who have yet to discover the joys of getting hacked. Seriously, people. Tell your friends. Spread the word. Strong passwords are mission-critical. You've got to use strong passwords and change them regularly.

One of my pastimes is watching network traffic. One thing I see more of every day is brute-force hacking attempts. And 99% of it is aimed right at your site's login page. They want in. They want to exploit your site. Fortunately it's trivial to deny them access: use ultra-strong passwords for everything. That includes not only your WordPress password, but also credentials for things like email, database connections, SFTP, and anything else that requires authentication. As stated in the WP Codex [1]:

Hackers thrive on predictability. They predict that many people's passwords are in fact ‘password’, or that their username is probably their real name or some default value such as ‘admin’. Be unpredictable.

As a complete bonus, WordPress now features a built-in password-strength meter on every user's Profile screen. This makes strong passwords a no-brainer for all of your users. Here are some additional tips for rocking strong passwords:

  • Keep it long, random, and alphanumeric
  • Never share your password with anyone
  • If you do let others use your passwords for tech support or whatever, change the passwords afterward
  • Use an online password generator to generate strong passwords

And if you want to super-secure the WordPress login page, you can implement two-factor authentication.

Stay Current

This also should be drilled into everyone's skull at this point: stay current with the latest version of WordPress. Doing so is made dead-simple, with features like one-click and auto-updates — there really is no excuse for lagging behind on the updates. This goes not only for the WordPress core files, but also for all plugins and themes that are installed on your site (whether active or not, keep ’em updated).

In addition to keeping all of the software up-to-date, it's wise to keep an eye on the latest WP development news for important heads up on security and other breaking issues.

Clean Up Rogue Files

Good security involves limiting liability as much as possible. Keeping loose, unused files on your server unnecessarily increases the liability of your site. Take a few moments to examine your directory structure and remove any files that are not required. To give you a better idea, you should remove things like:

  • Development-only files (like for testing, version control, etc.)
  • Unused (inactive) themes
  • Unused (inactive) plugins
  • Unused PHP scripts
  • Unused JavaScript files
  • Sensitive information and/or notes
  • Any other loose files that are not required

If you must keep such files on the server, you should protect them against unwanted access. Here are two alternate .htaccess techniques for securing any file on the server:

via mod_rewrite

RewriteEngine On
RewriteRule (^|/)filename\.ext$ - [F,L]

via mod_alias

RedirectMatch 403 /filename\.ext

To use either of these techniques, change the filename to match the name of your file, and ext to match the file extension. Then add to your site's root .htaccess file and upload to your server. Test by requesting the file in your browser. Using either method should return a “403 - Forbidden” error.

Keep Good Backups

This is another no-brainer for most people, but there are some who have yet to suffer catastrophic data-loss and learn the lesson on their own. Keeping good backups of your site is essential to avoid losing critical data and getting back up to speed if and when something bad happens. And there is a lot of bad that can happen these days. Having a current set of tested, working backups enables you to get back on track without losing any precious data. Remember, good backups are:

  • Kept secure
  • Well-tested
  • Current

Further, understand that you need to back up not just your database, but your files as well. Basically you need to keep backups that will enable you to reconstruct your entire site to its current state at a moment's notice. If that sounds like you, then you're good to go in this department. If not, then you may want to check out some of the useful backup plugins available in the WP Plugin Directory.

Stick with Trusted Sources

This one’s easy. Install only reputable themes and plugins from trusted sources, and stay away from "shared" or "pirated" versions of themes and plugins. It's just too easy for evildoers to slip bad code into their pirated warez. Sure, on the surface everything may look fine, and the plugin or theme may otherwise function normally. But beneath the hood, malicious code can do bad things without your knowledge. Don't be a victim. Always get your plugins, themes, and scripts from trusted sources.

Use Quality Plugins

As discussed in our recent poll, it's not so much the number of plugins as it is the quality of plugins that you run on your site. When looking for plugins, look for signs of quality, such as:

  • Current with latest WordPress
  • Positive ratings and feedback
  • Signs of active support
  • Number of other users
  • Updated recently

And so forth. Keeping an eye out for signals of quality and reliability will help you choose the best possible themes and plugins for your site. And that will help keep your site secure.

Know what You're Doing

This goes not just for using WordPress, but for any online work in general. There's a lot involved, a lot of moving parts, a lot that can happen. It's important to educate yourself as much as possible to gain an understanding about how things work, what they do and so forth.

Likewise with WordPress, it's key to understand how to use and get the most out of the software. Doing so will help you make educated decisions and get the most out of WordPress with the least amount of effort. And of course, understanding is a precursor to good security.

Know where You're Doing It

I am amazed at how cavalier some people are about working online via any wi-fi connection they can find. They just walk into any shop, connect to the local free wi-fi and get to work. Why is this a bad idea? Because you never know who is lurking on the same unencrypted network looking for victims.

Never log in, make purchases, or do anything other than browse when working off an unknown or insecure wi-fi signal. Otherwise it's just too easy for attackers to hijack the signal and steal your information. And you would have no idea until it was too late. Unless you've taken explicit steps to secure your connection, stick to trusted networks for all work and business related activity.

Don't Hack the Core

Plain and simple: do not hack any WordPress core files. Doing so on production sites is a recipe for disaster. Same is true for plugins and themes — do not modify their core files. Instead, if you want to change default functionality, do so via prescribed channels, such as:

  • Modify or customize core functionality via plugin
  • Modify or customize theme appearance or functionality via child theme
  • Make changes to your theme via functions.php

Also important to good security: when making changes via any of these methods make sure to use the WP API whenever possible.

Ensure Proper File Permissions

If your server is configured correctly, all WordPress files and folders should be created with proper permissions. The general rule is that the permission level of files should be set at 644 and folders set at 755. Of course, it's not always that simple, as various configurations are possible [3]. If upon examination you discover that file and folder permissions are not correct (or don't look quite right), consult the WP Codex and ask your web host for help.
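One way to examine a site against the 644/755 rule is sketched below. This is an added example, not part of the original article; the function name and output labels are made up for illustration. It only reports items that are looser than the baseline, so a deliberately tighter file (for example a 600 wp-config.php) is not flagged.

```shell
#!/bin/sh
# Added example, not from the original article.
# Reports files and folders that are MORE permissive than the 644 / 755
# baseline. Nothing is changed on disk; the script only lists findings.

audit_wp_perms() {
    wp_root=$1   # path to the WordPress directory (caller-supplied)

    # Worst case first: anything writable by every account on the server.
    find "$wp_root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'

    # Files: 644 is rw-r--r--. Flag any execute bit or group write.
    find "$wp_root" -type f ! -perm -0002 \
        \( -perm -0100 -o -perm -0010 -o -perm -0001 -o -perm -0020 \) \
        -print | sed 's/^/LOOSE-FILE /'

    # Folders: 755 is rwxr-xr-x. Flag group-writable folders.
    find "$wp_root" -type d ! -perm -0002 -perm -0020 -print |
        sed 's/^/LOOSE-DIR /'
}

# Usage: sh audit-perms.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

No output means nothing under the given directory is looser than 644/755.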

Disable Error Display

During development, displaying errors on the front-end of your site is perfectly fine. But during production, when your site is live online, displaying information about errors is a bad idea. Doing so could reveal sensitive information about your server configuration, PHP setup, and any potential vulnerabilities. Broadcasting that kind of information for the world to see is just not a good move.

Instead, once development is complete and you're ready to go live, take a moment to disable error display on your site. WordPress errors are easy to disable by opening wp-config.php and adding the following line:

define('WP_DEBUG', false);

If a similar line already exists with a value of true, just change it to false and you're good to go. Likewise you want to make sure that display of PHP-generated errors is disabled. Here are some articles that explain how to do so:

If in doubt about PHP errors, ask your developer or web host for more information.

Keep Spammers at Bay

One thing you don't want is a bunch of spammers leaving comments on your posts. Spam comments send a signal that your site may be of poor quality, neglected, and possibly insecure. SEO implications aside, such signals tend to repel legitimate visitors and attract malicious behavior. To help control spam, you can install a plugin (there are many), or just use WordPress’ built-in spam-control features. Eliminating spam helps your site's reputation, ranking, and security.

Run a Clean Machine

Another critical security step is to make sure that your local machine and devices are free of spyware, viruses, and any other malware. Even if your server and site are squeaky clean and super secure, it's all for nothing if you're working from an infected machine. As stated at the WordPress Codex [1]:

No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.

A complete discussion on this topic is beyond the scope of this article, but there is much information available online. Hopefully you already are familiar with the importance of running a clean machine; if not, take the time to read up and protect your computers and devices from security vulnerabilities. This includes doing things such as:

  • Connecting to the Web via secure router
  • Running behind a trusted, reliable firewall
  • Staying current with all software and updates
  • Not allowing access to untrusted networks or devices
  • Staying away from shady sites, pirated warez and so forth

Of course, there is much more to the art of securing your personal work environment (computer and devices). Unless you're already savvy, do the research and take proper steps to secure your work setup.

Monitoring and Logging

Logging and monitoring are your best friends when it comes to troubleshooting errors and investigating security issues. Most servers record detailed access and error logs that contain a wealth of information about every request and error, including valuable data such as date/time, IP address, requested URI, response codes, and much more. Examining access and error logs may be a little overwhelming for the uninitiated, but once you're familiar with the basic syntax of your log files, you can use them to help resolve all sorts of issues. If you're not sure how to access these files, ask your web host.
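As an illustration of what access logs can show, the script below counts POST requests to wp-login.php per client IP. It is an added example, not part of the original article; the log lines are constructed, the function names are hypothetical, and it assumes the common "combined" log format and that a 302 response to a login POST usually indicates a successful login on a default install.

```shell
#!/bin/sh
# Added example, not from the original article.

# Constructed sample in "combined" log format, using documentation IPs.
sample_access_log() {
    cat <<'EOF'
203.0.113.7 - - [29/Sep/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2801 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Sep/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Sep/2015:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Sep/2015:10:02:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.23 - - [29/Sep/2015:10:05:40 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Sep/2015:11:15:00 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.43"
192.0.2.44 - - [29/Sep/2015:11:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.43"
192.0.2.44 - - [29/Sep/2015:11:15:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.43"
EOF
}

# login_post_counts LOGFILE [MIN]
# Prints "IP POSTS REDIRECTS" for each client with at least MIN POSTs to
# wp-login.php, busiest first. REDIRECTS counts POSTs answered with 302,
# which is worth a closer look when the same IP also has many 200s.
login_post_counts() {
    awk -v min="${2:-5}" '
        # Fields: $1 = client IP, $6 = "METHOD, $7 = URI, $9 = status code
        $6 == "\"POST" {
            split($7, url, "?")              # ignore any query string
            if (url[1] ~ /\/wp-login\.php$/) {
                posts[$1]++
                if ($9 == 302) redirects[$1]++
            }
        }
        END {
            for (ip in posts)
                if (posts[ip] >= min)
                    print ip, posts[ip], redirects[ip] + 0
        }
    ' "$1" | sort -k2,2nr
}

# Usage: sh login-posts.sh /path/to/access.log 20
if [ "$#" -gt 0 ]; then
    login_post_counts "$@"
fi
```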

Going further

Up to this point, we've covered steps that most anyone can do to help keep WordPress secure. Most of the techniques we've seen so far require little to no modification to any files or code. Going much further with security typically requires making changes to your site, its files, code, and so forth.

For security techniques that require making changes to your site, it is important to consider the return on investment. A good example is the practice of protecting the /wp-admin/ directory with .htaccess. Sure it sounds like a good idea, and may even provide some extra bit of security, but the potential for problems with plugins and themes makes it something that you may want to avoid.

There are many examples like this, where the promised security benefit simply is not worth the potential risk. So my best advice is to stick with techniques that:

  • Are easy to implement
  • Are not overly invasive
  • Introduce no additional risk

With these things in mind, here are some additional security techniques that are aimed at providing additional layers of security with minimal risk, minimal effort, and minimal amount of changes required to your site.

Authentication Keys

Inside of the WordPress wp-config.php file, make sure to add some strong, random security keys to the section, "Authentication Unique Keys and Salts". Adding these authentication keys helps to improve the security of WordPress login routines and is highly recommended.

Note that you can add, change, or edit these keys at any time with no harm done other than invalidating any existing cookies. So basically the worst that can happen if/when you change the keys is that any logged-in users will have to log in again.

To generate a strong, random set of salts, visit the official page at https://api.wordpress.org/secret-key/1.1/salt/. Then copy and paste into your configuration file, upload to the server, and done.

Disable Directory Views

Directory views are what happen when no index file exists in a directory. In such cases, it is possible to view all files in sort of a generic list display. In some cases directory views can be useful (like when sharing photos or videos), but in general they should be disabled.

By default, WordPress includes blank index.php files in various directories throughout the WP core, and some plugin and themes include them as well. That's a good start to disable directory views, but there may be some plugins or themes that do not include any index file. And that may leave your files exposed and potentially vulnerable.

On a properly configured server, directory views already should be disabled, but if not or if you just want to make double-sure, you can include the following line in your site's root .htaccess file:

Options -Indexes 

For more information, check out this in-depth article on disabling and customizing directory views over at Perishable Press.

Change the Default Database Prefix

When you install WordPress, it sets up the database tables using the default prefix, wp_. This value is set in the wp-config.php file, and easily may be customized before installing WordPress. Doing so after WordPress has been installed is possible, but requires some extra fiddling that you may find tedious and not worth the effort.

Changing the database prefix to anything other than the default adds another thin layer of protection against SQL-related attacks, which typically target the database via the default prefix, wp_. Thus by changing that value to anything else, even something as simple as wp__ (adding another underscore), you'll thwart 99.9% of attacks that are targeting via the default prefix value.

So for any future WordPress installs, crack open wp-config.php and locate the variable, $table_prefix. Then change it to something different, random, like sitename_wp_ or _wp_ or whatever works for you. For more information and some useful tips, check out Change Your Database Prefix to Improve Security here at DigWP.com.

Protect the Login Page

Out of the box, the WordPress Login Page enables anyone with access to enter credentials and attempt to log in. This openness is great for legit users, but it also invites the inevitable brute-force login attack [4]. As discussed previously, if you and all registered users have chosen strong passwords, then there is no reason to worry about anything. But if you're not 100% sure about all of the passwords used on your site, you may want to take some steps to protect the Login Page from future attacks. There are numerous strategies for doing so:

Any of these techniques will help to protect your WordPress Login Page, so do some research and find the best solution for your needs. Personally, for sites at which I am the only author, I like to add a thin slice of .htaccess to lock things down:

<Files wp-login.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
</Files>

That simple code snippet will allow you to access the Login Page while denying access to everyone else. You can whitelist additional IP addresses by repeating the Allow from line as many times as needed. The key to using this snippet is that it must be added to the .htaccess file that's located in the same directory as wp-login.php (i.e., the root WordPress directory). That's either gonna be located in the root of your site, or in a subdirectory that contains all of your WordPress files.

Protect wp-config.php

One of the most sensitive files included in your WordPress installation is wp-config.php. That's because the config file contains your database connection credentials, which would enable an attacker literally to own and/or destroy your entire site. On a properly configured server, the wp-config.php file should already be inaccessible to any outside access. But if you are not sure, or just want to add another layer of protection to be extra safe, here is a quick .htaccess snippet that will protect your configuration file from all outside access:

<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

As a bonus, I also like to lock down the xmlrpc.php file:

<Files xmlrpc.php>
	Order Allow,Deny
	Deny from all
</Files>

Either of these code snippets should be placed in the .htaccess file that is located in the root WordPress directory (i.e., the same directory that contains the wp-config.php and xmlrpc.php files).

Note: while it is fine for all sites to protect the wp-config.php file, you should only protect the xmlrpc.php file if you are sure that you're not using it for anything.

Disable File Editing

By default, WordPress enables admin-level users to edit plugin and theme files from within the WP Admin Area (under Appearance > Editor). I like to disable this functionality to help contain any security breach, and also because I never use it. To disable file editing from within the Admin Area, add this line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Placing this line in wp-config.php is equivalent to removing the edit_themes, edit_plugins and edit_files capabilities for all users.

For more great wp-config.php tricks, check out these fine articles at DigWP.com and WP-Mix.com:

Remember to make a backup of your wp-config.php before editing :)
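The wp-config.php settings covered in this article (WP_DEBUG, the authentication keys and salts, $table_prefix, and DISALLOW_FILE_EDIT) can be checked in one pass. The script below is an added example, not part of the original article; the function name and finding labels are hypothetical, and it assumes each setting sits on its own line as in the stock wp-config.php.

```shell
#!/bin/sh
# Added example, not from the original article.
# Prints one finding per line; no output means all four checks passed.

audit_wp_config() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    q="['\"]"   # matches either PHP quote character
    ws='[[:space:]]*'
    # Drop comment-only lines so a commented-out define() is not counted.
    active=$(grep -Ev '^[[:space:]]*(//|#|/\*|\*)' "$cfg")

    # 1. Error display: WP_DEBUG should not be true on a live site.
    if printf '%s\n' "$active" |
        grep -Eq "define\(${ws}${q}WP_DEBUG${q}${ws},${ws}(true|TRUE)"; then
        echo "WP_DEBUG_ON"
    fi

    # 2. File editing: DISALLOW_FILE_EDIT should be defined as true.
    if ! printf '%s\n' "$active" |
        grep -Eq "define\(${ws}${q}DISALLOW_FILE_EDIT${q}${ws},${ws}(true|TRUE)"; then
        echo "FILE_EDIT_ALLOWED"
    fi

    # 3. Database prefix: still the default wp_ ?
    if printf '%s\n' "$active" |
        grep -Eq "[\$]table_prefix${ws}=${ws}${q}wp_${q}"; then
        echo "DEFAULT_PREFIX"
    fi

    # 4. Keys and salts: each must exist and must not be the placeholder
    #    text that ships in wp-config-sample.php.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(printf '%s\n' "$active" |
            grep -E "define\(${ws}${q}${key}${q}" || true)
        case $line in
            '') echo "MISSING_KEY $key" ;;
            *'put your unique phrase here'*) echo "PLACEHOLDER_KEY $key" ;;
        esac
    done
}

# Usage: sh audit-config.sh /path/to/wp-config.php
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
fi
```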

Add a Strong Firewall

In case you can't tell, one of my passions is web security. I wrote a plugin called Block Bad Queries (BBQ) that is 100% free and used by over 50,000 users to help protect their WordPress site. The free BBQ plugin is powerful and dead-simple, but there is no UI to make changes and fine-tune things. So I developed BBQ Pro, which features advanced protection and is fully customizable. BBQ Pro is lightweight, flexible, and fast.

Of course, I am biased as it's my own plugin, but it's worth mentioning here because it fits in perfectly with the sort of holistic security strategy advocated in this article.

Even More Security

If you've made it this far, congratulations. We've covered many awesome security techniques to help keep your WordPress site secure. Going further I would recommend checking out some choice .htaccess techniques. .htaccess techniques are great because they operate at the server level without requiring PHP or MySQL, so you can add specific layers of security with optimal performance.

To learn more about using .htaccess to secure and optimize your website, check out my book .htaccess made easy. There you'll find a complete guide to .htaccess and a treasure trove of awesome .htaccess techniques.

And for even more in-depth tutorials on WordPress security techniques, check out my video screencast series over at Lynda.com on Securing WordPress Sites.

References

  1. WP Codex: Hardening WordPress
  2. Why You Need To Stop Using FTP
  3. WP Codex: File Permissions
  4. WP Codex: Brute Force Attacks

5 Responses

  1. PressList September 29, 2015

    Thanks for this excellent article – we’ve featured it in the latest issue of PressList!

  2. Awesome… I'm still using FTP :| sometimes

  3. I am thinking about switching to HTTPS. Will it affect the SEO of my site?

    • Jeff Starr

      If done correctly it should help to improve the SEO of your site. Google is pushing hard for an “all-HTTPS” Web, so following suit seems to be advisable.
