In the past few weeks I have read about dozens of WordPress based sites that have come under some form of attack, while I feel sympathetic for the victims I hate to say that most of the ways WordPress based sites are attacked can be prevented by simple measures that any site owner can accomplish. I will start off, what will be a mufti-part series on how to secure your WordPress site now. While this is not the end all, be all of WordPress security, following these tips will be an effective start to thoroughly protecting your WordPress site and will make your site much more secure than most. If you really are serious about making money online, protect your business, it’s your responsibility.
- Keep your WordPress version up to date, they update the software for a reason, not out of boredom.
- Keep your plugins updated, same reasoning as above.
- Use a strong password with a combination of upper and lowercase letters, numbers and symbols.
- If your site is on a dedicated server, make sure you are running the latest versions of Apache/Nginx/PHP/ MySQL etc as these packages are updated frequently and, once again, for a reason.
- Harden your server configuration by setting proper file permissions, security settings and get rid of any processes that are not required for your application.
- If you are utilizing shared hosting, contact your hosting provider and ask them what they are using for security settings and ask them if there are any recommended settings they would be willing to implement for you.
- Set your database permissions for the user that has access to be as limited as possible, no need to allow a broader range of access to the database than WordPress needs. In case you are wondering, these should be “SELECT, INSERT, UPDATE, DELETE and CREATE, ALTER, DROP”
Change the name of your Admin account:
This should go without saying as its been said many many times before, but here goes again (with instructions on how to do it) Do not use the name admin for your login. Sounds simple right? well, apparently not because most owners of WordPress based sites are still using that account or have not removed the admin account. I have seen many tips about adding another account or changing permissions on the admin account, but honestly why would you want to leave a potential doorway into your home unsecured when you can very easily just get rid of it all together. When someone wants to gain access to your site, the easiest way is to attempt a brute force attack which will try to login over and over using different passwords, if your login name is admin, that’s one part of your login that they no longer have to guess. Here is the easy and effective way to remedy this issue:
- Log into your website control panel (Cpanel/Plesk etc)
- Find the section for database administration (phpMyAdmin etc) and log in
- locate your WordPress database in the left hand navigation area (in phpMyAdmin) and select it.
- As always, prior to piddling with your database make sure you have a backup.
- Click on the small square box to the left of the table that ends in _users
- In the main window, you will see lines with any users that are on your site, locate the line that has your admin account.
- Click the pencil icon to edit this record, DO NOT click the X as that will delete the line and you will be SOL.
- In the window that opens, you will see a line that is named user_login, this line and possibly the user_nicename lines are the ones you want to change. The rest should be left alone, especially the password section (it is not editable from this section, do not try to) You can set the login name to anything you want, I recommend setting it to something different than the nice name or your author name. Make it hard to guess.
- Click GO to save these changes to your database and then test by logging into your admin area, if it fails just change it back in phpMyAdmin or use the database backup if you really messed something up.
Don’t use the standard wp_ prefix for your database:
By default wordpress will prefix all your database tables with wp_ when you install it, and this is not good. The vast majority of attacks on a WordPress site are carried out in one of two ways> The attacker wull either attempt to guess your password or inject a piece of malicious code or gain access to your datbase in which case, knowing the table prefix just made that job a walk in the park. if you are doing a fresh install, fixing this is as simple as setting a different prefix at that time. To accomplish this at the time of install follow these steps.
- Immediately after you upload your files (before running the installer) open the file wp-config.php from your site root folder.
- Locate the line near the top that says $table_prefix = ‘wp_‘;
- Change the wp_ portion to something else, random such as aX19lp_ (dont actually use this example)
- Save the file, then run the installer as you normall would.
If you have a WordPress site that is already set up and you are already making money online using it, you obviously don’t want to start over from scratch, so I will teach you how to change your table prefix. There is the easy version that can be accomplished by installing a plugin that can be found here or if you want to do it the hard way, here are the instructions for that as well.
- As always, before messgin with your database make a backup.
- Edit your wp-config.php file to the prefix you want to use as instructied in the “fresh install” instructions and save that file.
- Open your phpMyAdmin again and look at your database for the site in question.
- You will notice all the tables begin with the prefix wp_
- one by one, we are going to change these to the prefix of our choice.
- In phpMyAdmin open your sites database again.
- Note each line in your database will be something like wp_links
- Click on Query at the top of phpMyAdmin to open the enter query screen.
- for the wp_linkls table in your database, paste in Rename table wp_links to yournewprefix_links (replace yournewprefix with your new prefix :-p
- Repeat this process for each table in the database, replacing the wp_links and yournewprefix_links sections with the appropriate content for each table (note your site will be inoperable during this process)
- Once you are done, double check that all tables have indeed been renamed.
The previous steps take care of the table prefixes, but there are also areas within some tables that will need to be edited to reflect your new table prefix name.
- In your database, locate the table that was previously named wp_options and open that table to view its contents.
- Click on the table name link and then click the “Browse” menu item.
- Look under the option_name header and change wp_user_roles to reflect your new table prefix. You can change it by clicking on the edit button for that record.
- In phpMyAdmin highlight yournewprefix_usermeta link and click browse menu.
- Change each value under the meta_key header, that starts with the old prefix wp_ to your new prefix, the number of these will vary by site.
Thats it, test your site to make sure everything is working, if something starts on fire or isn’t working just restore the backup that you created prior to trying this and use the plugin method I mentioned it in the first place to do it :-)
Securing your WordPress configuration file:
Sitting inside your WordPress directory sits a file, a very important file. This file contains your database login information, wouldn’t it be nice if you could secure this oh-so important file a bit more? Well, you can, the wp-config.php file can be moved up one directory out of your site root folder and into a folder thats not viewable from outside your server.
Add a second layer of protection to your admin area:
By adding password protection to your wp-admin directory you can add a second layer of security to your administration area, this can be accomplished in Cpanel by clicking the option that says “password protect directory” and following the onscreen instructions, or it can be done the old fashioned way by using your .htaccess and .htpassword files.
Secure your WordPress installation:
Additionally, there is a great plugin available here that addresses many more items that are very beneficial to your site:
- removes error-information on login-page (prevents tool-tips from alerting hackers the username isn’t admin)
- adds virtual index.html to plugin-directory (prevents directory browsing of your plugins folder)
- removes the wp-version, except in admin-area (removes the version information in your page source that attackers can use to target vulnerabilities in certain WordPress versions)
- And more, just check the link for full details. It really is a must have.
The items I have mentioned above are by no means the complete list of things one can do to secure your WordPress money maker, but it is a very good start that addresses the big points and the “must do” items that are the largest risk factors. I hope you find this useful, please feel free to share your opinions, additions, questions or concerns. This will be part 1 of 3 and should take care of the much needed foundation work to secure your site and protect your business, look for the next two installments over the next two weeks.