With each passing day, strong security becomes more important. This article explains some ways to keep WordPress secure while improving the overall security of your WordPress-powered site. Most of the tips provided here are practice-based security steps that require no plugins or hacks. The idea here is that you don't need to make changes to any code, or modify WordPress in any way in order to maintain strong security. These are security steps that most any WordPress user can use to help protect their site and keep WordPress safe and secure.
Table of Contents
- Do Nothing
- Use SFTP not FTP
- Use SSL/HTTPS
- Secure Hosting
- Strong Passwords
- Stay Current
- Clean Up Rogue Files
- Keep Good Backups
- Stick with Trusted Sources
- Use Quality Plugins
- Know what You're Doing
- Know where You're Doing It
- Don't Hack the Core
- Ensure Proper File Permissions
- Disable Error Display
- Keep Spammers at Bay
- Run a Clean Machine
- Monitoring and Logging
- Going further
- Even More Security
The motivation for this article is the idea that WordPress itself is secure. When vulnerabilities are discovered, the WordPress team fixes them up and pushes out a new version asap. In my experience, most security issues are introduced by external factors, such as user inexperience, insecure servers, and badly coded 3rd-party plugins and themes. Much of the advice given in this article is aimed at reducing risk by controlling these and other external factors.
Keep in mind that security is not a set-it-and-forget it kind of thing. There is no such thing as a perfectly secured site. If your site is online, there is risk. Thus, good security is not about trying to eliminate risk, but rather results from reducing risk as much as possible. As stated in the WordPress Codex1:
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain.
Risk elimination is not a one-size-fits-all, click-a-button-and-done type of affair. Rather, risk reduction happens in layers. Everything counts. From server software to form validation and everything in between, every layer of protection works together toward a site's overall level of security.
So with that in mind, here are some tips that will help you to keep your WordPress-powered site as secure as possible.
If you're running WordPress on a well-secured server, and you are 100% sure about any themes and plugins that you're using, then you're pretty much good to go security-wise. I have sites hosted on VPS servers for which I take zero additional security steps outside of common best practices.
But good security also depends on how you're using WordPress, which is what most of this article is about.
Use SFTP not FTP
If you're still using regular ’ol FTP, you should switch to SFTP as soon as possible. In a nutshell, FTP sends your credentials and data in clear text, which means your password and connection information is not encrypted2. If you are transferring your files via FTP, anyone listening on the network can grab your data and use it to exploit your site. Using SFTP is just like using FTP, but with SFTP all of your credentials and data are encrypted, which protects them from would-be attackers.
Ask your web host if you are unsure about SFTP support — they should be more than happy to help. Likewise with your current FTP setup, check the documentation to see how to change things over to use SFTP as your file-transfer protocol.
This is the same basic idea as using SFTP instead of FTP. If your site is using the HTTP protocol, all transmitted information is sent without encryption. So all comments, logins, purchases, and other transactions are sent and received unencrypted over the network.
This means that an attacker could intercept passwords and other sensitive data in order to exploit your site and its users. This is one reason why Google and other big players are pushing hard for everyone to switch over to HTTPS. With HTTPS, all transmitted data is encrypted, which helps to protect against interception and exploitation.
Of course, switching from HTTP to HTTPS requires more effort than switching from FTP to SFTP. To set up HTTPS for your site, you need an SSL certificate, which must be implemented properly on your server (which can be easier said than done). If you do decide to upgrade to SSL/HTTPS, make sure to do so for all pages on your site, otherwise known as "always-on" SSL.
Perhaps the most important of all security tips is to host your sites on a secure server. The server is the foundation of your website, so make sure that your web host is reputable and provides stable, secure servers.
Especially with web hosting, you get what you pay for, so avoid "cheap" hosting at all costs. If you can afford it, get anything better than "shared" hosting. Shared hosting means that you are sharing the server space with other users. So if another site on the server is hacked, then all sites on the server may be compromised. Like living in a bad part of town.
Contrast that scenario with dedicated hosting, where the entire server is dedicated to your sites. That enables you to be as secure as you want to be, without worrying about what your neighbors are doing (or not doing). Likewise with VPS hosting, the security of your sites is not dependent on the security of your neighbors.
Some things to look for in a good web host:
- Solid reputation as secure, reliable, supportive, responsive, etc.
- Provides a properly configured server
- Provides current versions of software (Apache/Nginx, PHP, MySQL, etc.)
- Provides reliable methods for backing up and restoring your data
- Happy to discuss all details regarding service, security, features, et al
Unfortunately finding a good web host these days is easier said than done, but it is of critical importance nonetheless. Taking the time to do your own research and find the best possible web host is one of the best security investments that you can make for your site.
Everyone on the Web should be using strong passwords. Unfortunately, there are many folks who have yet discover the joys of getting hacked. Seriously, people. Tell your friends. Spread the word. Strong passwords are mission-critical. You've got to use strong passwords and change them regularly.
One of my pastimes is watching network traffic. One thing I see more of every day is brute-force hacking attempts. And 99% of it is aimed right at your site's login page. They want in. They want to exploit your site. Fortunately it's trivial to deny them access: use ultra-strong passwords for everything. That includes not only your WordPress password, but also credentials for things like email, database connections, SFTP, and anything else that requires authentication. As stated in the WP Codex1:
Hackers thrive on predictability. They predict that many peoples passwords are in fact ‘password’, or that their username is probably their real name or some default value such as ‘admin’. Be unpredictable.
As a complete bonus, WordPress now features a built-in password-strength meter on every user's Profile screen. This makes strong passwords a no-brainer for all of your users. Here are some additional tips for rocking strong passwords:
- Keep it long, random, and alphanumeric
- Never share your password with anyone
- If you do let others use your passwords for tech support or whatever, change the passwords afterward
- Use an online password generator to generate strong passwords
And if you want to super-secure the WordPress login page, you can implement two-factor authentication.
This also should be drilled into everyone's skull at this point: stay current with the latest version of WordPress. Doing so is made dead-simple, with features like one-click and auto-updates — there really is no excuse for lagging behind on the updates. This goes not only for the WordPress core files, but also for all plugins and themes that are installed on your site (whether active or not, it's always best practice to keep ’em updated).
In addition to keeping all of the software up-to-date, it's wise to keep an eye on the latest WP development news for important heads up on general security, zero-day threats, and other breaking issues.
Clean Up Rogue Files
Good security involves limiting liability as much as possible. Keeping loose, unused files on your server unnecessarily increases the liability of your site. Take a few moments to examine your directory structure and remove any files that are not required. To give you a better idea, you should remove things like:
- Development-only files (like for testing, version control, etc.)
- Unused (inactive) themes
- Unused (inactive) plugins
- Unused PHP scripts
- Sensitive information and/or notes
- Any other loose files that are not required
If you must keep such files on the server, you should protect them against unwanted access. Here are two alternate .htaccess techniques for securing any file on the server:
RewriteRule /filename\.ext - [F,L]
RedirectMatch 403 /filename\.ext
To use either of these techniques, change the
filename to match the name of your file, and
ext to match the file extension. Then add to your site's root .htaccess file and upload to your server. Test by requesting the file in your browser. Using either method should return a “403 - Forbidden” error.
Keep Good Backups
This is another no-brainer for most people, but there are some who have yet to suffer catastrophic data-loss and learn the lesson on their own. Keeping good backups of your site is essential to avoid losing critical data and getting back up to speed if and when something bad happens. And there is a lot of bad that can happen these days. Having a current set of tested, working backups enables you to get back on track without losing any precious data. And always keep multiple copies of your backup files. Remember, good backups are:
- Kept secure
Further, understand that you need to back up not just your database, but your files as well. Basically you need to keep backups that will enable you to reconstruct your entire site to its current state at a moments notice. If that sounds like you, then you're good to go in this department. If not, then you may want to check out some of the useful backup plugins available in the WordPress Plugin Directory.
Stick with Trusted Sources
This one’s easy. Install only reputable themes and plugins from trusted sources, and stay away from "shared" or "pirated" versions of themes and plugins. It's just too easy for evildoers to slip bad code into their pirated warez. Sure, on the surface everything may look fine, and the plugin or theme may otherwise function normally. But beneath the hood, malicious code can do bad things without your knowledge. Don't be a victim. Always get your plugins, themes, and scripts from trusted sources.
Use Quality Plugins
As discussed in our recent poll, it's not so much the number of plugins as it is the quality of plugins that you run on your site. When looking for plugins, look for signs of quality, such as:
- Current with latest WordPress
- Positive ratings and feedback
- Signs of active support
- Number of other users
- Updated recently
And so forth. Keeping an eye out for signals of quality and reliability will help you choose the best possible themes and plugins for your site. And that will help keep your site secure.
Know what You're Doing
This goes not just for using WordPress, but for any online work in general. There's a lot involved, a lot of moving parts, a lot that can happen. It's important to educate yourself as much as possible to gain an understanding about how things work, what they do and so forth.
Likewise with WordPress, it's key to understand how to use and get the most out of the software. Doing so will help you make educated decisions and get the most out of WordPress with the least amount of effort. And of course, understanding is a precursor to good security.
Know where You're Doing It
I am amazed at how cavalier some people are about working online via any wi-fi connection they can find. They just walk into any shop, connect to the local free wi-fi and get to work. Why is this a bad idea? Because you never know who is lurking on the same unencrypted network looking for victims.
Never log in, make purchases, or do anything other than browse when working off an unknown or insecure wi-fi signal. Otherwise it's just too easy for attackers to hijack the signal and steal your information. And you would have no idea until it was too late. Unless you've taken explicit steps to secure your connection, stick to trusted networks for all work and business related activity.
Don't Hack the Core
Plain and simple: do not hack any WordPress core files. Doing so on production sites is a recipe for disaster. Same is true for plugins and themes — do not modify their core files. Instead, if you want to change default functionality, do so via prescribed channels, such as:
- Modify or customize core functionality via plugin
- Modify or customize theme appearance or functionality via child theme
- Make changes to your theme via functions.php
Also important to good security: when making changes via any of these methods make sure to use the WP API whenever possible.
Ensure Proper File Permissions
If your server is configured correctly, all WordPress files and folders should be created with proper permissions. The general rule is that the permission level of files should be set at
644 and folders set at
755. Of course, it's not always that simple, various configurations are possible3. If upon examination you discover that file and folder permissions are not correct (or don't look quite right), consult the WP Codex and ask your web host for help.
Disable Error Display
During development, displaying errors on the front-end of your site is perectly fine. But during production, when your site is live online, displaying information about errors is a bad idea. Doing so could reveal sensitive information about your server configuration, PHP setup, and any potential vulnerabilities. Broadcasting that kind of information for the entire world to see is just not a good move. Why risk it?
Instead, once development is complete and you're ready to go live, take a moment to disable error display on your site. WordPress errors are easy to disable by opening
wp-config.php and adding the following line:
If a similar line already exists with a value of
true, just change it to
false and you're good to go. Likewise you want to make sure that display of PHP-generated errors is disabled. Here are some articles that explain how to do so:
- Advanced PHP Error Handling via PHP
- Advanced PHP Error Handling via htaccess
- How to Enable PHP Error Logging via htaccess
If in doubt about PHP errors, ask your developer or web host for more infos.
Keep Spammers at Bay
One thing you don't want is a bunch of spammers leaving comments on your posts. Spam comments send a signal that your site may be of poor quality, neglected, and possibly insecure. SEO implications aside, such signals tend to repel legitimate visitors and attract malicious behavior. To help control spam, you can install a plugin (there are many), or just use WordPress’ built-in spam-control features. Eliminating spam helps improve your site's reputation, ranking, value, and security.
Run a Clean Machine
Another critical security step is to make sure that your local machine and devices are free of spyware, viruses, and any other malware. Even if your server and site are squeaky clean and super secure, it's all for nothing if you're working from an infected machine. As stated at the WordPress Codex1:
No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.
A complete discussion on this topic is beyond the scope of this article, but there is much information available online. Hopefully you already are familiar with the importance of running a clean machine; if not, take the time to read up and protect your computers and devices from security vulnerabilities. This includes doing things such as:
- Connecting to the Web via secure router
- Running behind a trusted, reliable firewall
- Staying current with all software and updates
- Don't allow access to untrusted networks or devices
- Stay aways from shady sites, pirated warez and so forth
Of course, there is much more to the art of securing your personal work environment (computer and devices). Unless you're already savvy, do the research and take proper steps to secure your work setup.
Monitoring and Logging
Logging and monitoring are your best friends when it comes to troubleshooting errors and investigating security issues. Most servers record detailed access and error logs that contain a wealth of information about every request and error, including valuable data such as date/time, IP address, requested URI, response codes, and much more. Examining access and error logs may be a little overwhelming for the uninitiated, but once you're familiar with the basic syntax of your log files, you can use them to help resolve all sorts of issues. If you're not sure how to access these files, ask your web host.
Up to this point, we've covered steps that most anyone can do to help keep WordPress secure. Most of the techniques we've seen so far require little to no modification to any files or code. Going much further with security typically requires making changes to your site, its files, code, and so forth.
For security techniques that require making changes to your site, it is important to consider the return on investment. A good example is the practice of protecting the
/wp-admin/ directory with .htaccess. Sure it sounds like a good idea, and may even provide some extra bit of security, but the potential for problems with plugins and themes makes it something that you may want to avoid. The headaches just aren't worth it, IMO.
There are many examples like this, where the promised security benefit simply is not worth the potential risk. So my best advice is to stick with techniques that:
- Are easy to implement
- Are not overly invasive
- Introduce no additional risk
With these things in mind, here are some additional security techniques that are aimed at providing additional layers of security with minimal risk, minimal effort, and minimal amount of changes required to your site.
Inside of the WordPress wp-config.php file, make sure to add some strong, random security keys to the section, "Authentication Unique Keys and Salts". Adding these authentication keys helps to improve the security of WordPress login routines and is highly recommended.
Note that you can add, change, or edit these keys at any time with no harm done other than invalidating any existing cookies. So basically the worst that can happen if/when you change the keys is that any logged-in users will have to log in again. No biggie.
To generate a strong, random set of salts, visit the official page at https://api.wordpress.org/secret-key/1.1/salt/. Then copy and paste into your configuration file, upload to the server, and done.
Disable Directory Views
Directory views are what happen when no index file exists in a directory. In such cases, it is possible to view all files in sort of a generic list display. In some cases directory views can be useful (like when sharing photos or videos), but in general they should be disabled.
By default, WordPress includes blank
index.php files in various directories throughout the WP core, and some plugin and themes include them as well. That's a good start to disable directory views, but there may be some plugins or themes that do not include any index file. And that may leave your files exposed and potentially vulnerable.
On a properly configured server, directory views already should be disabled, but if not or if you just want to make double-sure, you can include the following line in your site's root .htaccess file:
For more information, check out this in-depth article on disabling and customizing directory views over at Perishable Press.
Change the Default Database Prefix
When you install WordPress, it sets up the database tables using the default prefix,
wp_. This value is set in the
wp-config.php file, and easily may be customized before installing WordPress. Doing so after WordPress has been installed is possible, but requires some extra fiddling that you may find tedious and not worth the effort.
Changing the database prefix to anything other than the default adds another thin layer of protection against SQL-related attacks, which typically target the database via the default prefix,
wp_. Thus by changing that value to anything else, even something as simple as
wp__ (adding another underscore), you'll thwart 99.9% of attacks that are targeting via the default prefix value.
So for any future WordPress installs, crack open
wp-config.php and locate the variable,
$table_prefix. Then change it to something different, random, like
_wp_ or whatever works for you. For more information and some useful tips, check out Change Your Database Prefix to Improve Security here at DigWP.com.
Protect the Login Page
Out of the box, the WordPress Login Page enables anyone with access to enter credentials and attempt to log in. This openness is great for legit users, but it also invites the inevitable brute-force login attack4. As discussed previously, if you and all registered users have chosen strong passwords, then there is no reason to worry about anything. But if you're not 100% sure about all of the passwords used on your site, you may want to take some steps to protect the Login Page from future attacks. There are numerous strategies for doing so:
- Use a plugin to protect the login page
- Implement two-factor authentication
- Implement HTTP authentication
- Whitelist IP addresses (see below)
Any of these techniques will help to protect your WordPress Login Page, so do some research and find the best solution for your needs. Personally, for sites at which I am the only author, I like to add a slice of .htaccess to lock things down:
<Files wp-login.php> Order Deny,Allow Deny from all Allow from 123.456.789 </Files>
That simple code snippet will allow you to access the Login Page while denying access to everyone else. You can whitelist additional IP addresses by repeating the
Allow from line as many times as needed. The key to using this snippet is that it must be added to the .htaccess file that's located in the same directory as
wp-login.php (i.e., the root WordPress directory). That's either gonna be located in the root of your site, or in a subdirectory that contains all of your WordPress files.
One of the most sensitive files included in your WordPress installation is
wp-config.php. That's because the config file contains your database connection credentials, which would enable an attacker literally to own and/or destroy your entire site. On a properly configured server, the
wp-config.php file should already be inaccessible to any outside access.
But if you are not sure, or just want to add another layer of protection to be extra safe, here is a quick .htaccess snippet that will protect your configuration file from all external access:
<Files wp-config.php> Order Allow,Deny Deny from all </Files>
As a bonus, I like to also like to lock down the xmlrpc.php file:
<Files xmlrpc.php> Order Allow,Deny Deny from all </Files>
Either of these code snippets should be placed in the .htaccess file that is located in the root WordPress directory (i.e., the same directory that contains the
xmlrpc.php files). You may also want to check out our tutorial on xmlrpc.php and site security for more info on securing xmlrpc.php.
Disable File Editing
By default, WordPress enables admin-level users to edit plugin and theme files from within the WP Admin Area (under Appearance > Editor). I like to disable this functionality to help contain any security breach, and also because I never use it. To disable file editing from within the Admin Area, add this line to your site's
Placing this line in
wp-config.php is equivalent to removing the
edit_files capabilities for all users.
For more great wp-config.php tricks, check out these fine articles at DigWP.com and WP-Mix.com:
- Pimp your wp-config.php
- Optimize WordPress Performance with the wp-config.php File
- WordPress Configuration Tricks
- WordPress wp-config.php tricks
Remember to make a backup of your
wp-config.php before editing :)
Add a Strong Firewall
In case you can't tell, one of my passions is web security. I wrote a plugin called Block Bad Queries (BBQ) that is 100% free and used by over 50,000 users to help protect their WordPress site. The free BBQ plugin is powerful and dead-simple, but it there is no UI to make changes and fine-tune things. So I developed BBQ Pro, which features advanced protection and is fully customizable. BBQ Pro is lightweight, flexible, and fast.
Of course, I am biased as this is my own plugin, but it's worth mentioning here because it fits in perfectly with the sort of holistic security strategy advocated in this article.
Even More Security
If you've made it this far, congratulations. We've covered many awesome security techniques to help keep your WordPress site secure. Going further I would recommend checking out some choice .htaccess techniques. .htaccess techniques are great because they operate at the server level without requiring PHP or MySQL, so you can add specific layers of security while maintaining an optimal level of performance.
To learn more about using .htaccess to secure and optimize your website, check out my book .htaccess made easy. There you'll find a complete guide to .htaccess and a treasure trove of awesome .htaccess techniques.
And for even more in-depth tutorials on WordPress security techniques, check out my video screencast series over at Lynda.com on Securing WordPress Sites.
- WP Codex: Hardening WordPress
- Why You Need To Stop Using FTP
- WP Codex: File Permissions
- WP Codex: Brute Force Attacks