10 Steps to WordPress Security Protection

by Ken Dawes 7 Comments

Websites and blogs built on WordPress are becoming more and more common, and as such they are ever more tempting targets for hackers and vandals. An attack might be as simple as a picture planted on your site that says “phhpttttt!!! I was here!” Or it might go as far as taking over your site, locking you out of it and then holding it for ransom. Malicious code placed on your site can infect your visitors’ computers and, not the least of your worries, get you banned by the search engines.

WordPress.org does a great job of closing potential entryways into the WordPress code with frequent updates. However, it is open-source code developed by hundreds if not thousands of people (especially when you consider the myriad themes and plugins available), and hackers work just as hard to find ways to exploit WordPress any way they can.

What can you do?

I have compiled a number of things you can do proactively to help keep your WordPress site secure. Note that I said “help” keep your site secure: when it comes to websites and hackers, there is no guarantee that your site can’t be successfully attacked. But you can make your site a much less appealing target and much harder to break into.

Warning! The security measures below range from quick and easy to those demanding some “chops” in coding. It is possible to implement some of these steps incorrectly and lock yourself out of your site with no way to correct your mistake. You could even damage your site yourself. Before the file-editing steps (#7 onward), make sure you have FTP or control-panel access to your files so you can undo a change that breaks the site. I can take no responsibility for any problems you might have from applying these security measures.

That being said, we’ll start with the basic ones and get more complicated as we go. Or you can have me install my Web Mechanic’s WordPress Security Package.

  1. Always use the latest version of WordPress. As I mentioned, software security is an ongoing struggle, and WordPress.org does a great job of addressing the latest threats. If you have concerns about being an early adopter of new versions, wait a few days or a week before updating. Be aware that updating may cause problems with your plugins or themes, so back up your WordPress files and database before updating. See wordpress.org for details.

  2. Don’t use a simple, easy password. Did you know that the most commonly used passwords are “password” and “1234567”? Is that you? As reported by PCmag.com, here are the 10 Most Common Passwords. You should use a strong password that incorporates numbers, upper and lower case letters and “special” characters like ! ” ? $ % ^ & ). I know, I know, it’s going to be hard to remember. Write it down somewhere safe, or let your browser or a password manager remember it. It’s better than giving carte blanche to your site! WordPress can generate a random strong password for you. In your Dashboard go to “Users”, select your account name (for most people it’s probably “admin”) and make sure that your email address is correct. Log out of WordPress and then, instead of logging in again, click “Lost Your Password?” WordPress will email you a new, strong, randomly generated password.

  3. Now that we have talked about your “admin” user account… get rid of it! Well, not totally. Most people leave the main username as “admin”, and attackers know this: brute-force scripts try that username first. WordPress will not let you rename a user, so instead add a new user with full administrator privileges, using a not totally obvious username and a strong password. Log out of WordPress and log back in with the new username and password. Now go to the “Users” area and edit the “admin” user, changing its role from “administrator” to “subscriber”. Save the change. Now if a hacker does guess the password of the standard “admin” account, they will have no privileges to change anything.
    Note! If you installed your WordPress site using Fantastico, you were probably already prompted to enter your own username and password during setup. Change your password to a strong one if you did not do so originally.

  4. In the Dashboard navigate to Settings-General. Make sure that the “Membership-Anyone can register” checkbox is unchecked. Be sure that the “New User Default Role” is set to subscriber, so that even if registration is ever turned on, new accounts can do nothing but read.

  5. This is a good time to add some login protection. Hackers often try to brute-force their way into a site by trying thousands of passwords in the hope of hitting the right one. The “Login Lockdown” plugin will, upon activation, deny login access for 60 minutes to any IP address that tries 3 wrong passwords within 5 minutes. If you want to adjust these settings, you can modify them on the Login Lockdown configuration page.

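To show what a lockout like the one in step 5 actually does under the hood, here is a small plugin written for this post as an added example. It is not the Login Lockdown plugin’s own code; it uses the same defaults the step quotes (3 failures in 5 minutes, 60-minute lockout), stores counters in WordPress transients, and assumes the site is not behind a reverse proxy (if it is, REMOTE_ADDR is the proxy’s address and you must read the header your proxy sets instead).

```php
<?php
/*
Plugin Name: Example Login Lockout
Description: Added example for step 5 (not the Login Lockdown plugin's code).
             3 failed logins from one IP within 5 minutes lock that IP out
             for 60 minutes, even if it then sends the correct password.
*/

// Thresholds match the defaults the post quotes for Login Lockdown.
define('ELL_MAX_FAILURES', 3);
define('ELL_WINDOW',  5 * 60);   // seconds in which failures are counted
define('ELL_LOCKOUT', 60 * 60);  // seconds the lockout lasts

// Assumption: no reverse proxy, so REMOTE_ADDR is the real client address.
function ell_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names are derived from the client IP.
function ell_key($prefix) {
    return $prefix . md5(ell_client_ip());
}

// Count a failure; on the 3rd within the window, start the lockout.
// The window slides: each failure re-arms the 5-minute expiry.
function ell_record_failure($username) {
    if (get_transient(ell_key('ell_lock_')) !== false) {
        return;   // already locked out; do not extend the lockout
    }
    $failures = (int) get_transient(ell_key('ell_fail_')) + 1;
    if ($failures >= ELL_MAX_FAILURES) {
        set_transient(ell_key('ell_lock_'), time() + ELL_LOCKOUT, ELL_LOCKOUT);
        delete_transient(ell_key('ell_fail_'));
    } else {
        set_transient(ell_key('ell_fail_'), $failures, ELL_WINDOW);
    }
}
add_action('wp_login_failed', 'ell_record_failure');

// Priority 30 runs after WordPress's own username/password check (20).
// Returning a WP_Error makes wp-login.php refuse the login outright.
function ell_check_lockout($user, $username, $password) {
    $until = get_transient(ell_key('ell_lock_'));
    if ($until !== false) {
        $minutes = max(1, (int) ceil(($until - time()) / 60));
        return new WP_Error('ell_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', $minutes));
    }
    return $user;
}
add_filter('authenticate', 'ell_check_lockout', 30, 3);

// A successful login clears the failure counter for this IP.
function ell_clear_failures($user_login, $user) {
    delete_transient(ell_key('ell_fail_'));
}
add_action('wp_login', 'ell_clear_failures', 10, 2);
```

Save it as a single .php file in wp-content/plugins/ and activate it. Two cautions: the lockout is by IP address, so three typos from your own office lock out everyone sharing that address for an hour (keep FTP access so you can delete the file if you lock yourself out), and a per-IP counter does nothing against an attacker who spreads the guesses across many addresses, which is why the strong password in step 2 still matters.
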
  6. Here’s another plugin that can help keep the wolves at bay: the WordPress Firewall 2 plugin. This plugin does a lot! It monitors requests to your WordPress site for attack patterns, protects your plugins, and is a Swiss Army Knife of protection. It is an updated version of the original WordPress Firewall plugin by SEOEgghead. You can read about its features on the original plugin’s homepage.

  7. Now this is where we start getting more geeky. In the root of your WordPress installation is a file called .htaccess. It controls a lot of things on your website, more than I can go into in this post. For now, add the following line to the .htaccess file using a plain text editor (not a word processor).
    [field name=prevent-dir-browse]

    Normally, when a folder has no index file, the web server will list its contents to anyone who asks, so visitors can see and even download the files inside. To prevent this, website designers put an empty index.html file into each folder. WordPress has many, many folders, too many for that to be practical. This one addition to .htaccess turns off directory listings for the whole site, keeping browsers (and people) out of folders they have no need to see.

  8. In the WordPress root there is a file named wp-config.php. It’s quite an important file, and you don’t want someone to “accidentally” gain access to it, as it contains the username and password for your MySQL database connection. Apache normally runs a PHP file rather than showing it, but if PHP is ever misconfigured or a backup copy of the file is left lying around, its raw contents could be served to anyone. We can deny all web access to it by adding a few more lines to the same .htaccess file that we mentioned in #7.
    [field name=protect-wpconfig]

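Here, as an added example and not the post’s own snippets for #7 and #8, is what those two .htaccess additions look like together. It assumes Apache with .htaccess overrides enabled (the usual shared-hosting setup) and covers both the older Apache 2.2 access syntax and the Apache 2.4 one, since the two are not interchangeable:

```apache
# Added example for steps 7 and 8 (not the post's own code).
# Goes in the .htaccess file in the WordPress root.

# Step 7: never list the contents of a folder that has no index file.
Options -Indexes

# Step 8: refuse every web request for wp-config.php, regardless of method.
<Files wp-config.php>
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 and earlier
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
```

Check it from outside with `curl -I https://yoursite.example/wp-config.php`, which should now answer 403, and then load your home page. If the whole site instead returns a 500 error, the host does not allow `Options` in .htaccess (or there is a typo); remove the `Options -Indexes` line over FTP and ask the host to turn listings off for you. A mistake here takes the entire site down, which is exactly what the warning at the top of the post is about.
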
  9. This next tip I found is from Jeff Starr at the Perishable Press website. Many recent attacks on WordPress have used very long request strings, much longer than any legitimate request would be, to stuff injected code into the URL. The code below can be copied into a PHP file placed in your WP plugins folder. Further explanation may be found in his blog post “Protect WordPress Against Malicious URL Requests”.
    [field name=bad-query-code]

    UPDATE: Instead of copying and pasting the above to make your own plugin, Jeff has uploaded it as a downloadable plugin on WordPress.org: the Block Bad Queries (BBQ) plugin.

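To make the idea in step 9 concrete, here is a plugin in the same spirit, written for this post as an added example. It is not Jeff Starr’s code and not the BBQ plugin; the length limits and the list of suspicious substrings are assumptions for the example, and the check runs the moment the plugin file loads, before any theme or other plugin sees the request:

```php
<?php
/*
Plugin Name: Example Long Request Blocker
Description: Added example for step 9 (not Jeff Starr's Block Bad Queries).
             Rejects requests whose URL or query string is abnormally long or
             carries well-known injection markers.
*/

// Legitimate WordPress URLs rarely come near these sizes. The values are an
// assumption for this example; tune them against your own access logs.
define('ELRB_MAX_URI',   255);
define('ELRB_MAX_QUERY', 255);

// Substrings that almost never occur in a legitimate request to a blog but
// are routine in injection and file-inclusion probes (assumed list).
function elrb_bad_markers() {
    return array('eval(', 'base64_', 'union select', '<script', '../',
                 'php://', '/etc/passwd', '%00');
}

// Returns a reason string if the request should be blocked, or null.
function elrb_block_reason($uri, $query) {
    if (strlen($uri) > ELRB_MAX_URI) {
        return 'request uri too long';
    }
    if (strlen($query) > ELRB_MAX_QUERY) {
        return 'query string too long';
    }
    // Judge both the raw request and its decoded form, so %2e%2e%2f and
    // union+select are caught, while %00 is still visible in the raw text.
    $raw      = $uri . '?' . $query;
    $haystack = strtolower($raw . ' ' . urldecode($raw));
    foreach (elrb_bad_markers() as $marker) {
        if (strpos($haystack, $marker) !== false) {
            return 'suspicious pattern: ' . $marker;
        }
    }
    return null;
}

// Runs as soon as WordPress includes this file, before any theme or other
// plugin handles the request.
function elrb_enforce() {
    $uri    = isset($_SERVER['REQUEST_URI'])  ? $_SERVER['REQUEST_URI']  : '';
    $query  = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
    $reason = elrb_block_reason($uri, $query);
    if ($reason !== null) {
        header('HTTP/1.1 403 Forbidden');
        header('Connection: close');
        exit('Forbidden');
    }
}
elrb_enforce();
```

The trade-off is false positives: a search for the phrase “base64_decode” from your own site’s search box would be refused too. Keep the marker list short and specific, and watch your server log for 403s after installing it. Note that this only inspects the URL and query string; anything posted in a form body is not checked.
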
  10. WordPress.org suggests replacing the “Secret Keys” in your wp-config.php file with your own secret ones. If you go to the WordPress Secret Key Generator, a random set will be generated similar to the ones below (don’t use these; they wouldn’t be very secret!)
    define('AUTH_KEY',        'N!3MZ9+>l-5)=K&+_j7mM+}ZK5UFvZQ E{=*Vzp0Eae+i^oXY]!)B@vFj?x;&y=c');
    define('SECURE_AUTH_KEY', 'OeX>dl;tuRc$w+ehD{2]k%k{3uhH|L|8DNQu[/Np8_&qz_ rp7v+z6YODdjz9%~s');
    define('LOGGED_IN_KEY',   'oOO1smvP?

    Just copy and paste the new secret keys over the ones in your wp-config.php file. Don’t worry about having to remember them: WordPress uses them to sign and salt its login cookies, so nobody can forge a cookie without knowing the keys. Changing them logs every user out, which is also the quickest way to kill any cookies a hacker may have already stolen.

    UPDATE: I have found an easier way to do this with a downloadable plugin, the WordPress.org Update Unique Keys plugin. With this plugin you can periodically change and update your “Unique Keys” from within your WordPress Dashboard. Easy!

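If you would rather not fetch secrets from a web page at all, the keys can be generated offline. The script below is an added example for step 10, not WordPress.org’s generator or the Update Unique Keys plugin. It draws from the same character set the wordpress.org service uses (which is why the sample keys above contain symbols and spaces), uses PHP 7’s random_int so the keys come from a cryptographic random source, and also checks an existing wp-config.php for the stock “put your unique phrase here” placeholders; the 32-character minimum it enforces is an assumption for the example.

```php
<?php
// Added example for step 10 (not WordPress.org's generator). Requires PHP 7+.
// Usage from the command line:  php gen-keys.php /path/to/wp-config.php

// The eight constants current WordPress versions define; the post's example
// shows the first of them.
const WP_KEY_NAMES = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

// Character set the api.wordpress.org generator draws from: letters, digits
// and printable symbols, but no single quote or backslash, so the value can
// sit inside a single-quoted PHP string unchanged.
const WP_KEY_CHARS = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
                   . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';

// One 64-character key from a cryptographic random source.
function keygen_secret($length = 64) {
    $max = strlen(WP_KEY_CHARS) - 1;
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= WP_KEY_CHARS[random_int(0, $max)];
    }
    return $key;
}

// The block of define() lines to paste over the old ones in wp-config.php.
function keygen_block() {
    $lines = array();
    foreach (WP_KEY_NAMES as $name) {
        $lines[] = sprintf("define(%-20s'%s');", "'$name',", keygen_secret());
    }
    return implode("\n", $lines) . "\n";
}

// Names of constants that are missing from the config source, still hold
// the stock placeholder, or are shorter than 32 characters (assumed floor).
function keygen_weak_keys($config_source) {
    $weak = array();
    foreach (WP_KEY_NAMES as $name) {
        $pattern = "/define\(\s*'" . $name . "'\s*,\s*'([^']*)'\s*\)/";
        if (!preg_match($pattern, $config_source, $m)
            || $m[1] === 'put your unique phrase here'
            || strlen($m[1]) < 32) {
            $weak[] = $name;
        }
    }
    return $weak;
}

if (PHP_SAPI === 'cli' && isset($argv[1]) && is_readable($argv[1])) {
    $weak = keygen_weak_keys(file_get_contents($argv[1]));
    echo $weak ? 'Replace these: ' . implode(', ', $weak) . "\n"
               : "All eight keys look set.\n";
    echo keygen_block();
}
```

Run it on a copy of your wp-config.php; it reports which constants still need attention and prints a fresh set to paste in. Remember that the moment the new keys are saved, every logged-in user (you included) is signed out, and that wp-config.php with its keys and database password should never be committed to a public repository or left as a .bak copy in the web root.
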
Filed Under: WordPress Security Tagged With: Wordpress, WordPress Assistance, wordpress question, WordPress Security

Comments

  1. timani says

    March 10, 2010 at 12:12 pm

    Solid wordpress security tips worth a retweet!

  2. Brian says

    March 13, 2010 at 12:14 pm

    For #10, the Secret Keys, I have published a plugin to help update the wp-config.php file. It’s hosted on WordPress titled Update Unique Keys

  3. ken says

    March 13, 2010 at 1:06 pm

    Hi Brian,
    Great! Thanks! That makes it much more convenient for folks to update their Secret Keys.
    People should note that if they install some of the security plug-ins mentioned above they should be deactivated before activating “Update New Keys” as they will think that a modification to the wp-config.php is an attack. Be sure to reactivate your security plugins afterwards!

    Ken

  4. Morgan says

    April 30, 2010 at 7:01 am

    I just tried #8 and it blocked me from being able to browse my site. Is there a step I’m missing in there?

  5. ken says

    July 10, 2010 at 12:56 pm

    Sorry I hadn’t noticed your comment earlier, Morgan! I’m not sure, but I think my site was displaying the code incorrectly when you looked… I have it fixed now… Please try again!
    Ken

  6. Melinda says

    September 17, 2010 at 8:23 pm

    Thanks for the great tips, I used several of them since I recently got hacked. I had some security in place but not enough apparently!

  7. Penny says

    September 23, 2010 at 5:22 am

    Thank you SO MUCH for tweeting me this article. It has been super helpful!!!

