Yet Another WordPress Security Post – Part Two

We deal with hacked sites on a daily basis, and one of the most common questions we get is how to avoid getting hacked again. The simple answer is to minimize your risk online as best you can.

To help you better approach risk mitigation, and to celebrate the public launch of our WordPress security plugin, we’ve put together part two of our Yet Another WordPress Security Post series.

WordPress Security Tips

Without further ado, here are some tips to help you secure your WordPress-driven website:

  1. Update WordPress (often). This applies to almost every software package, but it is especially important for an application like WordPress, which is internet-facing and an easy target.
  2. Use strong passwords. Again, simple advice, but very important if you want to withstand brute force attacks.
  3. Protect your wp-admin. Ordinary visitors have no reason to reach the wp-admin directory, so restrict it with a second set of passwords or filter it by IP address. The following .htaccess changes add an extra HTTP Basic password. Create the password file with htpasswd -c /full/path/to/.htpasswd mysecretuser and give AuthUserFile its absolute path (Apache does not expand ~). If a plugin or theme calls wp-admin/admin-ajax.php for logged-out visitors, add an exception for that file, or those features will break.

    Add this inside your main .htaccess:

    <Files wp-login.php>
    AuthUserFile /full/path/to/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require user mysecretuser
    </Files>

    Add this inside wp-admin/.htaccess:

    <Files *.php>
    AuthUserFile /full/path/to/.htpasswd
    AuthName "Private access"
    AuthType Basic
    Require user mysecretuser
    </Files>

  4. Back up your files and the database. This is very important: if there is ever a hosting problem, a hack or even an accidental mistake, you will not lose your data. Our WordPress Security plugin does daily backups automatically for you.
  5. Check your permissions. If you can, set all your files to read-only (chmod 440) and all your directories to chmod 550, so that the web server process cannot modify them. If that does not work in your hosting environment (for example because PHP runs as a user that is neither the owner nor in the group), use the least permissive modes that do work, typically 644 for files and 755 for directories.
  6. Do not display errors. On a live site, PHP errors should not be shown to your end users, since they leak file paths and other internals. If you can edit your php.ini, disable error display there; if you cannot, ask your host:

    display_errors = Off

  7. Do not display your PHP version to the public. This removes the X-Powered-By header and can be disabled by setting the following in php.ini:

    expose_php = Off

  8. Remove your WordPress version from the generator meta tag. (This is obscurity: an attacker who wants the version has other ways to get it. The idea is to reduce risk, not to solve everything.)
  9. Remove your readme.html file. (The same applies here: it states the installed version, and if the file serves no purpose once the site is in production, why keep it?)
  10. Restrict access to your uploads directory and do not allow PHP execution in it. It is the one directory the web server must be able to write to, which makes it the usual drop point for uploaded web shells.
  11. Move your configuration file (wp-config.php) out of its default location if possible. WordPress also looks for it one directory above the installation root, which puts it outside the web root when WordPress is installed in the document root.
  12. Monitor your files for changes, so that a compromise is detected quickly rather than months later. We recommend our WordPress Security plugin to do so.
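
The permission, readme.html and uploads tips above (5, 9 and 10) as one shell script, added here as an example; it is not code from the original post or from the Sucuri plugin. The install root, the 644/755 fallback modes and the contents of the generated .htaccess are assumptions; the 440/550 modes are the ones the post recommends.

```shell
#!/bin/sh
# Added example, not code from the post or the Sucuri plugin: applies tips 5, 9
# and 10 to a WordPress install root. The 440/550 modes come from the post;
# the 644/755 fallback and all paths are assumptions to adapt to your host.
set -eu

# Tip 5: make files and directories read-only. Pass fallback modes (e.g.
# 644 755) when PHP runs as a user that is neither the owner nor in the group.
harden_permissions() {
  root=$1; fmode=${2:-440}; dmode=${3:-550}
  find "$root" -type d -exec chmod "$dmode" {} +
  find "$root" -type f -exec chmod "$fmode" {} +
}

# Tip 9: readme.html is only useful before installation and reveals the version.
remove_readme() {
  if [ -e "$1/readme.html" ]; then
    rm -f "$1/readme.html"
    echo "removed $1/readme.html"
  fi
}

# Tip 10: uploads is the one tree the web server must write to, so deny
# direct requests to anything PHP-like dropped there (Apache 2.4 syntax; on
# Apache 2.2 use "Order deny,allow" and "Deny from all" instead).
block_php_in_uploads() {
  uploads=$1/wp-content/uploads
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
# Assumed content: deny direct requests to PHP files anywhere under uploads.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Audit helper: list PHP files already sitting in uploads (typical web shells).
list_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null
}
```

Run it as block_php_in_uploads /var/www/wp && remove_readme /var/www/wp && harden_permissions /var/www/wp, writing the .htaccess before locking permissions so the web server can still read it. The .htaccess only takes effect on Apache with AllowOverride enabled; on nginx the equivalent is a location block that returns 403 for PHP under wp-content/uploads. Run list_php_in_uploads first: a PHP file already sitting in uploads is a sign the site has already been compromised, and blocking execution is then cleanup, not prevention.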
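
For tip 12, a minimal file-change monitor in POSIX shell, added here as an example and not the code of the Sucuri plugin. It takes a SHA-256 baseline of the tree while the site is known-clean and reports added, modified and removed files on later runs; the paths and the place the baseline is kept are assumptions.

```shell
#!/bin/sh
# Added example, not the Sucuri plugin's code: a minimal file-change monitor
# for a WordPress tree (tip 12). A baseline of SHA-256 hashes is taken while
# the site is known-clean; later runs report what was added, removed or
# modified. Paths, the baseline location and the cron schedule are assumptions.
set -eu

# Hash every regular file under $1 as "<sha256>  ./relative/path", sorted so
# that two snapshots of an unchanged tree are byte-identical. Handles spaces
# in names (not newlines, which never occur in a sane WordPress install).
fim_snapshot() {
  ( cd "$1" && find . -type f | LC_ALL=C sort |
      while IFS= read -r f; do sha256sum "$f"; done )
}

# Record the baseline. Keep it outside the web root: an attacker who can
# write to the site could otherwise re-baseline their own changes.
fim_baseline() {
  fim_snapshot "$1" > "$2"
}

# Compare the live tree against the baseline. Prints one line per change and
# returns 1 if anything changed, 0 if the tree matches.
fim_check() {
  root=$1; baseline=$2
  current=$(mktemp)
  fim_snapshot "$root" > "$current"
  # sha256sum lines are "<64 hex>  <path>", so the path starts at column 67.
  report=$(awk '
    FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
    {
      p = substr($0, 67)
      if (!(p in base))        print "ADDED " p
      else if (base[p] != $1)  print "MODIFIED " p
      delete base[p]
    }
    END { for (p in base) print "REMOVED " p }' "$baseline" "$current")
  rm -f "$current"
  [ -n "$report" ] || return 0
  printf '%s\n' "$report"
  return 1
}
```

Run fim_baseline /var/www/wp /root/wp-baseline.sha256 once after a clean install or update, then fim_check /var/www/wp /root/wp-baseline.sha256 from cron and mail the output whenever it exits non-zero. Re-take the baseline after every legitimate update; anything reported under wp-content/uploads, or in core files you did not change, is worth investigating. This catches changes on disk only, not content injected into the database. sha256sum is GNU coreutils; on macOS substitute shasum -a 256.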

Recently, Sucuri co-founder Dre Armeda gave a talk with Brad Williams about "End User Security" at WordCamp Phoenix. The discussion covers a lot of the tips included here and adds some useful context.

Did we miss some tips? We'd love to hear what you're doing to protect your WordPress websites. WordPress itself is a very secure platform, but due to its great popularity it is heavily targeted. Typically the issues that make a site vulnerable are not in WordPress itself but in its surroundings: shared hosting environments, bad permissions, weak passwords, and desktop infections that steal FTP logins.

Stay secure, and Protect Your Interwebs!

6 comments
    1. I do agree on this. For example, people are using a plugin to show the featured post or popular post.
      You can do that with a few lines of code. And also, if we are using many plugins, it's our job to make sure that they have an index.php or index.html file inside the root for security reasons.

