Make Your WordPress Site More Secure


WordPress is the most popular CMS platform in the world. It is an open source system used primarily for small to medium websites and, quite literally, powers millions of sites. If you thought hacking attacks were typically aimed at government agencies and pharmaceutical companies, think again: in 2013, 61% of security attacks targeted small to medium websites. Hackers like WordPress sites because, if not set up correctly, they can be easy targets. A site can be breached through various routes: an outdated version of WordPress, insecure code in a plugin or theme, or the server itself if the hosting provider has not followed best practices in securing it.

Below are a few simple tips on how to secure your WordPress site. Please make sure you back up your website before making any changes and, if possible, try these changes on a staging site beforehand.

1. Keep WordPress Updated

I cannot stress enough how important this is. WordPress is open source, so for every security update it publishes release notes describing what was fixed. Anyone, including hackers, can therefore see how an old version of WordPress can be exploited! If your site is out of date, the chance of it being attacked increases drastically.

WordPress 3.7 introduced ‘automatic updates’. If enabled, your site will update itself automatically after WordPress releases a new version, the next time a visitor triggers the background update check.

To allow all updates, including major versions (e.g. 3.9 to 4.0), add the following line to the bottom of your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

If you want WordPress to install only minor releases and not major ones (e.g. 3.8.1 to 3.8.2), add the following line instead:

define( 'WP_AUTO_UPDATE_CORE', 'minor' );

Finally, if you prefer to update manually because you are worried your site might break, or because it is under version control, add the following line instead to prevent all automatic updates:

define( 'WP_AUTO_UPDATE_CORE', false );

You will also need to keep your plugins updated, as plugin developers release security updates from time to time.

2. Change The Login URL And Protect The Login Page

Changing the login URL and protecting the login page is vital. Most WordPress attacks are ‘brute force login attacks’, which means the wp-login.php file is hit with common usernames and passwords in the hope that one of them will work. Your login page could be hit a thousand times within a short period.

One frustrating thing from a developer's point of view is that you can't rename the wp-login.php file or change it through a WordPress setting.

So, to get some much-needed protection, we can use the iThemes Security plugin. This allows you to change the login URL (along with a lot of other features which we won't get into right now).

To change the login URL once the plugin is enabled, go to Security -> Settings -> Hide Login Area and change the login slug. The plugin will then show a 404 page for wp-login.php.


The next item on the checklist is to limit the login attempts for the login page. When you are hit with a brute force login attack there could be hundreds or thousands of login attempts. As WordPress does not automatically lock the user out after ‘x’ failed login attempts, it's important to set this up.

The iThemes Security plugin mentioned earlier has this feature, or alternatively you can use Limit Login Attempts. Once installed, go to Security -> Settings -> Brute Force Login Attempts and click enable. You can then set the maximum number of login attempts and the length of the lockout that follows ‘x’ failed attempts. This will stop brute force login attempts in their tracks!
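As an added example (not code from the article, iThemes Security or Limit Login Attempts), the same lockout behaviour can be built from WordPress core hooks and transients; the file name, the sf49_ function names and the limits are assumptions:

```php
<?php
/*
 * Example mu-plugin (save as wp-content/mu-plugins/login-lockout.php) that locks an
 * address out after repeated failed logins using only core WordPress hooks and
 * transients. Added for this article, not code from any plugin. Assumed limits:
 * 5 failures within 15 minutes earn a 30 minute lockout.
 */
define( 'SF49_MAX_ATTEMPTS', 5 );
define( 'SF49_WINDOW',       15 * MINUTE_IN_SECONDS );
define( 'SF49_LOCKOUT',      30 * MINUTE_IN_SECONDS );
// Key on REMOTE_ADDR only: X-Forwarded-For can be forged unless a trusted proxy sets it.
function sf49_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}
function sf49_key( $suffix ) {
    return 'sf49_' . $suffix . '_' . md5( sf49_client_ip() );
}
// Count each failure; when the limit is reached, start the lockout timer.
function sf49_record_failed_login( $username ) {
    if ( false !== get_transient( sf49_key( 'locked' ) ) ) {
        return; // already locked out, do not keep counting
    }
    $attempts = (int) get_transient( sf49_key( 'fails' ) ) + 1;
    set_transient( sf49_key( 'fails' ), $attempts, SF49_WINDOW );
    if ( $attempts >= SF49_MAX_ATTEMPTS ) {
        set_transient( sf49_key( 'locked' ), time(), SF49_LOCKOUT );
        delete_transient( sf49_key( 'fails' ) );
        // Leave a trail in the PHP error log so lockouts can be monitored.
        error_log( sprintf( 'WP login lockout: %s after %d failures (last username %s)',
            sf49_client_ip(), $attempts, sanitize_user( $username ) ) );
    }
}
add_action( 'wp_login_failed', 'sf49_record_failed_login' );
// Priority 30 runs after the core password checks (priority 20), so a locked-out
// address is refused even with the right password. Covers wp-login.php and XML-RPC.
function sf49_block_locked_out( $user, $username, $password ) {
    if ( false !== get_transient( sf49_key( 'locked' ) ) ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'sf49_block_locked_out', 30, 3 );
// A successful login clears the failure counter for that address.
function sf49_clear_failures( $user_login, $user ) {
    delete_transient( sf49_key( 'fails' ) );
}
add_action( 'wp_login', 'sf49_clear_failures', 10, 2 );
```

Because the counter is stored in the options table, this works without a persistent object cache but is per-site, not per-server; a plugin with a shared log is the better choice for larger installs.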

3. Change The ‘Admin’ Username

The username ‘admin’ is the most commonly used name and is therefore the name hackers try most when attempting to log in to your site.

To change the username admin you should either:

  • create a new user, log in as the new user, transfer any posts from admin to the new user and delete the ‘admin’ user or
  • run the following SQL query, changing wp_ to the table prefix of your website
UPDATE wp_users SET user_login = 'my_new_username' WHERE user_login = 'admin';
-- Note: user_nicename (shown in author archive URLs) and display_name are not changed by this and may still read 'admin'.

4. Delete User ID 1

Along similar lines to the username ‘admin’, User ID 1 is another predictable value that attackers target. To change it you simply need to create a new user, transfer any existing posts from User ID 1 to the new user, then delete the user with ID 1.

5. Hide WordPress Version Number

Your WordPress version number is, in itself, potentially dangerous information. It allows a hacker to search the web for sites running a particular version that he or she knows how to exploit or, even worse, tells the hacker that you are on an outdated version of WordPress.

The WordPress version number appears as a meta tag in the head of your site and also in the RSS feed. To remove the meta tag, add the following line to your theme's functions.php file:

remove_action('wp_head', 'wp_generator');

Then, to remove the version number from the RSS feeds, add the following code to functions.php as well:

// Return an empty string so the <generator> element in feeds carries no version.
function wp_remove_version_number()
{
    return '';
}
add_filter('the_generator', 'wp_remove_version_number');

6. Change The Table Prefix

Ideally, when you install a fresh WordPress site you would change the database table prefix to something other than the default ‘wp_’.

The reason for this is that there are malicious scripts which try to run queries against your database using the default table names. If you leave the table prefix as ‘wp_’ those queries will work; if your prefix is something else, it is harder for any script to get information out of your database.

If your table prefix is currently wp_ then you need to do the following:

  1. Open up the wp-config.php and change the variable $table_prefix to the new table prefix.
  2. Run the following SQL queries in your database:
RENAME TABLE `wp_commentmeta` TO `new_prefix_commentmeta`;
RENAME TABLE `wp_comments` TO `new_prefix_comments`;
RENAME TABLE `wp_links` TO `new_prefix_links`;
RENAME TABLE `wp_options` TO `new_prefix_options`;
RENAME TABLE `wp_postmeta` TO `new_prefix_postmeta`;
RENAME TABLE `wp_posts` TO `new_prefix_posts`;
RENAME TABLE `wp_terms` TO `new_prefix_terms`;
RENAME TABLE `wp_term_relationships` TO `new_prefix_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `new_prefix_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `new_prefix_usermeta`;
RENAME TABLE `wp_users` TO `new_prefix_users`;
-- Some rows are keyed on the prefix too (wp_user_roles in options, wp_capabilities and
-- wp_user_level in usermeta). List them and rename them to the new prefix as well,
-- otherwise no user will have a role after the change. The underscore is escaped
-- because it is a single-character wildcard in LIKE.
SELECT * FROM `new_prefix_options` WHERE `option_name` LIKE '%wp\_%';
SELECT * FROM `new_prefix_usermeta` WHERE `meta_key` LIKE '%wp\_%';

7. Plugin Moderation

Plugins can be a major cause of site vulnerabilities. Some plugins are insecure and introduce large holes for a hacker to exploit.

There are many excellent plugins for WordPress such as WordPress SEO, Posts 2 Posts and W3 Total Cache, but how do you determine if a plugin is likely to be secure?

Firstly, check the plugin information. There are a few telling signs:

  • Check the number of times the plugin has been downloaded. If it has only been downloaded a few hundred times then it may not be the greatest, but if it's been downloaded a few hundred thousand times then it will probably be more secure; if 100,000 users have used the plugin there is a far higher chance that bugs will have been found and fixed.
  • Look at the rating and author. They can help you gauge the quality of the plugin. I usually find that plugins with a 4.5 star rating or above are pretty good, but do also check how many star ratings have been submitted.
  • Most importantly, check the support forums to see if there are any common bugs and whether they have been resolved. If there are bugs that were not fixed then you probably should not install the plugin.

There should also be a warning on the plugin page if it has not been updated in a while. If you see one, I strongly suggest not installing the plugin, as the author has probably stopped working on it.

8. Go Easy On The Plugins

One of the problems with open source is that it's free. Any plugin on WordPress.org is written voluntarily, and the author has no contract obliging them to fix issues or make sure the plugin is secure.

At StudioForty9 we tend to install only a handful of selected plugins that we have reviewed and know to be secure. They are also mainly written by WordPress core developers who know what they are doing.

Limiting the number of plugins on your site is definitely the best approach for keeping it secure.

Finally

Like any CMS, WordPress can be fragile and can have security vulnerabilities. However, the above steps will certainly harden your WordPress website and make it harder for anyone to hack.

If you have any other suggestions for improving the security of your WordPress site, please do leave a comment below.

Colin Murphy