04 Nov
Getting your site hacked is a major humiliation and can leave you feeling violated. There are several ways that you can help secure your Wordpress installation. I recommend that anyone running Wordpress follow these steps when possible to avoid potential security breaches against your blog.
WARNING: Before making any changes be sure to backup!
Thanks to Blog Security for most of these tips.
- Use captcha whenever possible:
I have yet to hunt down a captcha solution for the comments, but I do have captcha in place for logins with Raz-Captcha and my contact form with Contact Form 7. This keeps bots from spamming and trying to crack your login. If anyone knows of a captcha system for the comments, please let me know.
- Limit access to your wp-admin directory:
There are two ways you can achieve this: limiting access to your wp-admin directory by IP address (this may not be a good solution if you have a dynamic IP) and password protecting the wp-admin directory. Both methods are implemented with an .htaccess file.
- Protect wp-admin directory by IP address:
- Create a file within your wp-admin directory named “.htaccess” if there isn’t already one.
- Append the following contents where XXX.XXX.XXX.XXX = your outside IP address. Append multiple “Allow from” lines for multiple IPs:
Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX
- Password protect the wp-admin directory:
- Create a file within your wp-admin directory named “.htaccess” if there isn’t already one.
- Create a file ABOVE YOUR PUBLIC_HTML directory named “.htpasswd”. Make sure you put this outside the web accessible directory or someone could read your password! Usually this is the directory you land in when you first log in to your FTP.
- Append the following contents to the “.htpasswd” file where xxxx = your username and yyyy = your password:
xxxx:yyyy
Remember, the more complex the better. The password field should be the hash produced by Apache's htpasswd tool; Apache on Unix does not accept plain-text passwords in this file.
- Append the following to your “.htaccess” file inside of your wp-admin directory. Make sure you use the absolute path to the “.htpasswd” file. If you don’t know, ask your ISP. xxxx = the username that you entered in your “.htpasswd” file:
AuthUserFile /home/username/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user xxxx
- Restrict access to your wp-config.php:
I have seen cases on web servers where the PHP install gets broken and all PHP files become readable. This is bad because your wp-config.php file contains your database username and password.
- Create a file within your Wordpress root install directory named “.htaccess” if there isn’t already one.
- Append the following to the “.htaccess” file in the root of your Wordpress install:
<Files wp-config.php>
Order Deny,Allow
Deny from All
</Files>
- Restrict access to the wp-content and wp-includes directories:
- Create a file within your wp-content and wp-includes directory named “.htaccess” if there isn’t already one.
- Append the following to the “.htaccess” file. NOTE: you may have trouble with some plugins with this method:
Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
- Keep your Wordpress install and plugins up to date:
The newest versions of Wordpress automatically notify you if there is an update for your Wordpress and your plugins. Keeping these up to date will keep black hats from using known vulnerabilities to gain access where they shouldn’t be.
- Use the Wordpress online security scanner:
This plugin, along with a CGI script at Blog Security, will perform version checks, XSS checks on your template and look at your plugins for vulnerabilities.
- Change your Wordpress database table prefix:
- If you are installing you can just choose the option during installation.
- If you have already installed, follow these steps outlined here. There is also a plugin here.
- Change your ‘admin’ username:
All Wordpress installs have a default ‘admin’ account, which is a security risk. Basically this entails creating a new user with administrative privileges, logging in with that user, and then deleting the old ‘admin’ account. There should be an option to transfer all the posts to the new account automatically.
- Create an unprivileged user for posting:
Not only does this protect your Wordpress blog from black hats, it also protects it from you. It is the same idea as not logging in as root on your Linux box.
- Implement Mod Security:
Append the following to your “.htaccess” file within the root of your Wordpress install. This is not specific to Wordpress; these are general rules to prevent some malicious attacks on your site as a whole (you may have to do some reformatting because of word-wrap):
EDIT - SEE: BlogSecurity Wordpress Modsecurity White Paper
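To check that the three .htaccess access-control snippets above (wp-admin by IP, wp-config.php, and wp-content/wp-includes) do what you expect before deploying them, here is an added example (not part of the original post) that models Apache 2.2 mod_access semantics in Python and evaluates sample requests against them. It assumes the allowed admin IP 203.0.113.7 (a constructed value in place of XXX.XXX.XXX.XXX) and that a <Files> section replaces, rather than merges with, the directory-level Order/Allow/Deny directives.

```python
import ipaddress
import re

# Rules transcribed from the post's .htaccess snippets: (order, deny list, allow list).
# Host lists hold "all" or IP/CIDR strings. 203.0.113.7 is a constructed example IP.
WP_ADMIN = ("Deny,Allow", ["all"], ["203.0.113.7"])   # wp-admin/.htaccess
WP_CONFIG = ("Deny,Allow", ["all"], [])               # <Files wp-config.php>
WP_CONTENT_DIR = ("Allow,Deny", ["all"], [])          # wp-content directory default
WP_CONTENT_STATIC = ("Deny,Allow", [], ["all"])       # <Files ~ "\.(css|...)$">
STATIC_RE = re.compile(r"\.(css|jpe?g|png|gif|js)$")  # dot escaped, as in the fixed snippet


def _matches(client: str, hosts: list) -> bool:
    """True if the client IP matches "all" or any listed IP/network."""
    ip = ipaddress.ip_address(client)
    for h in hosts:
        if h == "all" or ip in ipaddress.ip_network(h, strict=False):
            return True
    return False


def allowed(client: str, rule: tuple) -> bool:
    """Evaluate one Order/Deny/Allow block the way Apache 2.2 mod_access does:
    Deny,Allow defaults to allow and an Allow match overrides a Deny match;
    Allow,Deny defaults to deny and a Deny match overrides an Allow match."""
    order, deny, allow = rule
    denied, permitted = _matches(client, deny), _matches(client, allow)
    if order == "Deny,Allow":
        return permitted or not denied
    return permitted and not denied


def decide(client: str, path: str) -> bool:
    """Pick the rule that applies to a request path and evaluate it.
    Assumption: a <Files> section replaces the directory-level rule outright."""
    name = path.rsplit("/", 1)[-1]
    if name == "wp-config.php":
        return allowed(client, WP_CONFIG)
    if path.startswith("/wp-admin/"):
        return allowed(client, WP_ADMIN)
    if path.startswith(("/wp-content/", "/wp-includes/")):
        rule = WP_CONTENT_STATIC if STATIC_RE.search(name) else WP_CONTENT_DIR
        return allowed(client, rule)
    return True  # no snippet covers the rest of the site


if __name__ == "__main__":
    for ip, path in [("203.0.113.7", "/wp-admin/index.php"),
                     ("198.51.100.9", "/wp-admin/index.php"),
                     ("198.51.100.9", "/wp-content/plugins/x/shell.php"),
                     ("198.51.100.9", "/wp-content/themes/x/style.css")]:
        print(ip, path, "ALLOW" if decide(ip, path) else "DENY")
```

On Apache 2.4 the Order/Allow/Deny directives only work with mod_access_compat loaded; the native equivalents are Require ip and Require all denied.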
I hope you enjoyed and implemented these security tips and maybe you can have some peace of mind knowing that you are more secure than before you read this article. If you have any more suggestions, please leave some in the comments.