6 Tips for a More Secure WordPress Website

Google Chrome's this website is infected with malware message

WordPress powers nearly 73M (million!) websites around the World, making it the most popular CMS in existence right now. About 15% of the top one million sites on the web use WordPress, including business heavyweights like Honda, the New York Times, CNN, NASA, TechCrunch and others.

Those are some impressive stats for something that started off as a humble little blogging platform but has grown to become so much more. WordPress’ extensibility (the ability to add plug-ins for almost any functionality you can think of) and ease of setup and use have certainly contributed to its explosion in popularity. But unfortunately that ease of use and popularity are also what make WordPress sites an attractive target for hackers.

Most hosting providers now offer simple or “one-click” installs that make installing and setting up WordPress so easy that even non-techies can do it. Unfortunately, what makes those automated setups so simple is that they create your WordPress installation using the default settings and unless you make some effort to change some of those, would be hackers can make assumptions about your site that make exploiting it easier. For example, automated WordPress setups always create an account with the username admin, which incidentally has administrative privileges (meaning, permissions to do everything). Unless you change or disable the admin account, hackers can simply use a brute force program to crack that account’s password and they have total control of your site. Not good.

Google Chrome's this website is infected with malware message
Dont’ be that site. You don’t want your visitors getting a message like this.

While there are some general security practices (like using strong passwords and changing them often) that you should be following regularly, here are 6 steps I follow (and you should too) for every WordPress installation:

6 Steps to a More Secure WordPress Website

  1. Don’t use your hosting provider’s automated setup or the admin username. It’s a little more effort and requires a little more knowledge to manually install WordPress but the added security is well worth it. Hosting providers that offer “one-click” installs should also have a simple control panel for creating databases. Once you’ve done that, WordPress’ simple 5-minute installation process will do the rest. For the reason mentioned earlier, please change the admin username to something (almost anything) else during the install process.
  2. Change your database table prefixes. By default, WordPress starts all tables it creates with the prefix wp_. Since all WordPress sites use the same table names, unless you change the prefix during setup, would be hackers will know exactly what the name of those tables are. You can change the prefix by looking for the following line in the wp-config.php file:
    $table_prefix = 'wp_';
  3. Change the default secret keys. The secret keys defined in the wp-config.php file are used for additional password hashing and cookie security. Since you should already be in wp-config.php changing your table prefixes (step 2), the extra security provided by this step is too easy to pass up. This site, https://api.wordpress.org/secret-key/1.1, will automatically generate new keys for four of the secret keys, which you can just copy and paste to replace the following lines in wp-config.php:
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
  4. Move wp-config.php. The default location of wp-config.php is in the root of your WordPress website. Like the rest of the files in your site, this technically makes it accessible to the web. That’s not ideal since it contains all your database connection information. Once you’ve uploaded all the WordPress files to your website, move wp-config.php one directory up from the root of wherever WordPress is location. WordPress will automatically look for it there if it can’t find it in the root directory and this means that only those with FTP or SSH access to your server can view it.
  5. Secure your scripts. WordPress has lots of files that aren’t necessarily intended to be accessed by site visitors. We can protect those files in a number of ways:
    • First, the wp-config.php file really only needs to be read, so we can adjust its permissions accordingly. This usually means a 400 or 440 permission. Sometimes you can change permissions through your FTP program, otherwise you’ll need to use SSH. If your server uses .htaccess, you can add an additional layer of security to wp-config.php by adding the following lines to the very top of that file to prevent anyone from attempting to browse to it:
      <files wp-config.php>
      order allow,deny
      deny from all
      </files>
    • Other files and folders in the wp-admin and wp-includes directories aren’t meant for public consumption, so let’s block access to those as well by adding mod_rewrites to the .htaccess file as long as you’re still there. Add the following rules after the wp-config lines above and before #BEGIN WordPress:
      # Block the include-only files.
      RewriteEngine On RewriteBase /
      RewriteRule ^wp-admin/includes/ - [F,L]
      RewriteRule !^wp-includes/ - [S=3]
      RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
      
      #BEGIN WordPress
  6. Tighten up file permissions. Some interesting plug-in functionality is possible because certain files within WordPress are writeable by the server. Generally speaking however, making files writeable can be dangerous. It’s usually good practice to restrict file permissions as much as possible and only ease them when completely necessary. If you have shell access to your server, you can use the following commands to recursively lock down directories and files (respectively) in your WordPress installation:
    find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;
    find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;

Fear Not, Get Help

Some of the steps above may sound like gibberish to you or some terminology sounds familiar but you’re justifiably anxious about trying them on your site. Even if your WordPress website was set up years ago, it’s not too late to use some of these techniques to secure it.

I’m happy to help. Use the form below to get in touch for an honest assessment of your site’s security.

  • This field is for validation purposes and should be left unchanged.