
WordPress Security 101

By Tim Trott, Tuesday 10th April 2012, in Security & Privacy, WordPress

Out of the box, WordPress is a pretty secure platform, but there are several things you can do to harden WordPress security and protect your website.

One of the most vital steps you must take for WordPress security is to keep your WordPress installation up to date. If a new security vulnerability is found in WordPress, it is usually fixed pretty quickly and a new version released. In addition to this, there are several other steps you can take to improve WordPress security.

Database Table Prefix

When installing WordPress you have the option to specify a database table prefix. By default this is 'wp_', which is an easy guess for would-be attackers. Changing it to something only you know makes life harder for attacks that assume the default table names, and so hardens the database.

Keep the wp-admin Directory Protected

Although you need to enter a username and password to reach the WordPress administration pages, there are still resources within the wp-admin folder that an attacker could use to gain control of your website. You should enable server-level password protection on this folder, which gives you an extra layer of protection over all the administration content. The following tutorial shows you how to do it in 7 easy steps.

Keep Backups of your Database and Files

Keeping a backup of your WordPress database and files is as important as keeping the site safe from hackers. If the latter fails, at least you still have clean backup files to revert to. Many hosting companies provide options to back up the database and files, or there are a few plugins for WordPress that will back up your database and email it to you.

Disable XML-RPC

If you do not publish posts from an external application, you should disable XML-RPC, the interface used for remotely logging in and publishing from desktop or mobile applications such as Windows Live Writer.
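The following is an added example, not code from the original post or from WordPress itself: a must-use plugin that turns XML-RPC off in code and stops the site advertising the endpoint. It assumes WordPress 3.5 or later, where the xmlrpc_enabled filter replaced the old Settings > Writing > Remote Publishing checkbox, and PHP 5.3 or later for the closures; the file name and the response message are my own choices.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC
 * Description: Added example, not part of the original post. Save as
 *              wp-content/mu-plugins/disable-xmlrpc.php so it always loads.
 *              Assumes WordPress 3.5+ (xmlrpc_enabled filter) and PHP 5.3+.
 */

// Refuse every XML-RPC request. This filter took over from the old
// Settings > Writing > "Remote Publishing" checkbox in WordPress 3.5.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Defence in depth: if another plugin switches XML-RPC back on, at least the
// pingback methods, which have a long history of abuse, stay unavailable.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header ...
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and the Really Simple Discovery <link> that desktop clients use to find it.
remove_action( 'wp_head', 'rsd_link' );

// Answer direct hits on xmlrpc.php with a plain 403 rather than an XML fault,
// so nothing about the server is revealed. XMLRPC_REQUEST is defined by
// xmlrpc.php before WordPress loads, so it is already set when 'init' fires.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        nocache_headers();
        exit( 'XML-RPC is disabled on this site.' );
    }
}, 0 );
```

Putting the file in mu-plugins rather than plugins means it cannot be deactivated from the dashboard, which is what you want for a hardening control. After deploying it, request /xmlrpc.php on your own site and confirm you get the 403 and that page source no longer contains the RSD link.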

Disable or Remove Unused Plugins and Themes

If you have downloaded a few plugins or themes and decided not to use them, did you deactivate them? Did you delete the files? There is always a possibility that a vulnerability will be found in a plugin, or in code that the plugin or theme uses, and the files of a deactivated plugin are still on the server. It's always best to remove any unused plugins or themes you have installed.

Remove or Rename the Admin User Account

A typical installation of WordPress comes with a default user account with the login name admin. If that's what you are using to access your site, then you have just made a hacker's job 50% easier. Now all he has to do is guess the password...

Here is how to change the admin login name:

  1. Log in to the WordPress admin panel
  2. Go to Users -> Add New
  3. Add a new user with the Administrator role; make sure you use a strong password.
  4. Log out of WordPress and log back in with your new admin user.
  5. Go to Users
  6. Remove the "admin" user
  7. If "admin" has written posts or pages, remember to attribute all posts and links to the new user.
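As an added example that is not part of the original post, here is the same seven-step procedure carried out in code with WordPress's own user functions, so it can be run once from WP-CLI (`wp eval-file replace-admin.php`) rather than clicked through. It assumes a single-site installation with WordPress already loaded; the new login name `site-owner` and the file name are example values.

```php
<?php
/**
 * replace-admin.php: create a replacement administrator, then delete the
 * default "admin" account and hand its content to the new user.
 * Added example, not from the original post. Assumes WordPress is already
 * loaded (run via `wp eval-file replace-admin.php`) on a single-site install.
 */

// wp_delete_user() is only loaded for admin screens, so pull it in explicitly.
require_once ABSPATH . 'wp-admin/includes/user.php';

/**
 * Returns an array describing what happened, or a WP_Error. Nothing is
 * deleted until the replacement administrator verifiably exists.
 */
function replace_default_admin( $new_login, $new_password = null, $old_login = 'admin' ) {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        return new WP_Error( 'no_old_user', "No user '$old_login' exists; nothing to do." );
    }
    if ( username_exists( $new_login ) ) {
        return new WP_Error( 'login_taken', "The login '$new_login' is already in use." );
    }
    if ( null === $new_password ) {
        // Step 3: a strong password, 24 characters including symbols.
        $new_password = wp_generate_password( 24, true, true );
    }

    // Steps 2-3: the new administrator. The e-mail address is set later,
    // because WordPress refuses an address that is still attached to "admin".
    $new_id = wp_insert_user( array(
        'user_login' => $new_login,
        'user_pass'  => $new_password,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        return $new_id;
    }

    // Verify before destroying anything.
    $new = get_user_by( 'id', $new_id );
    if ( ! $new || ! user_can( $new, 'administrator' ) ) {
        wp_delete_user( $new_id );
        return new WP_Error( 'role_missing', 'The new user did not get the administrator role.' );
    }

    // Steps 6-7: delete "admin" and reassign its posts, pages and links to the new user.
    wp_delete_user( $old->ID, $new_id );

    // Now that the old address is free, move it over so notifications still arrive.
    wp_update_user( array( 'ID' => $new_id, 'user_email' => $old->user_email ) );

    return array(
        'created'  => $new_login,
        'deleted'  => $old_login,
        'password' => $new_password,
    );
}

$result = replace_default_admin( 'site-owner' ); // example login name
if ( is_wp_error( $result ) ) {
    echo 'Failed: ' . $result->get_error_message() . "\n";
} else {
    echo "Created administrator '{$result['created']}' and removed '{$result['deleted']}'.\n";
    echo "Password (store it in a password manager now): {$result['password']}\n";
}
```

Delete the script once it has run, and take a database backup first (see the section above): wp_delete_user() is not reversible, and the reassignment argument is the only thing keeping the old account's posts from being deleted along with it.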

Use a Strong Password

A strong password is one that you can remember easily enough, but that is very difficult for somebody else to guess. It should also be as long as you can make it. You should also try to avoid using common letter replacements in standard words, such as changing an o to a 0, an a to an @, and so on.

Good passwords are often made up from phrases: for example, think of a common phrase and use the first letter of each word. "The Quick Brown Fox Jumps Over The Lazy Dog" becomes 'tqbfjotld', which seems like a good password, but would only take the average desktop computer about 22 minutes to crack. You should also add numbers as well as symbols to a password, again something which you can remember, but not something anybody else would know. And not your PIN either. A simple change to '1tqbfjotld!' (adding a ! and the number 1) takes the cracking time to 48 years. Adding another number to the end, '1tqbfjotld!4462', should take the cracking time to several hundred million years.

You can check how strong your current password is with howsecureismypassword.net.

Bad Password Examples
Easily guessed words, and numbers that are still guessable.

april1
1223334444
admin
password

Better Password Examples
Random letter generators are secure, but can you remember these? Chances are you would have to write them down somewhere. Random strings are also crackable using a brute-force technique.

usuengoidlnpwxean
g1sJOj1Oo3bp3cyvLr63

Best Password Examples
Combinations of letters, numbers and symbols.

n[4[(x%I0RC|
MRPeSF;{MAYm
Y5^-x]njQh3Qk32
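An added example, not from the original post or from howsecureismypassword.net, that turns the advice above into a checker: it flags short passwords, too few character classes and dictionary words hidden behind 0/@/3-style substitutions, and estimates the brute-force keyspace in bits. The word list, the 12-character threshold and the 32-symbol alphabet are constructed assumptions, and it reports bits rather than cracking time because the minutes and years quoted above depend on the guess rate the checking site assumes.

```php
<?php
// Added example, not code from the original post. Constructed word list and
// thresholds; run with `php password-check.php`.

// Tiny constructed dictionary. A real check would use a large common-password list.
$common_words = array( 'password', 'admin', 'april', 'welcome', 'letmein', 'qwerty' );

// Undo the usual letter-for-symbol swaps so 'p@ssw0rd' is compared as 'password'.
function undo_substitutions( $password ) {
    $map = array( '0' => 'o', '@' => 'a', '$' => 's', '5' => 's',
                  '3' => 'e', '1' => 'l', '!' => 'i', '7' => 't' );
    return strtr( strtolower( $password ), $map );
}

// Which character classes appear, and the alphabet size each implies for a
// brute-force search (32 is an assumed count of printable ASCII symbols).
function character_classes( $password ) {
    $classes = array();
    if ( preg_match( '/[a-z]/', $password ) )        { $classes['lower']  = 26; }
    if ( preg_match( '/[A-Z]/', $password ) )        { $classes['upper']  = 26; }
    if ( preg_match( '/[0-9]/', $password ) )        { $classes['digit']  = 10; }
    if ( preg_match( '/[^a-zA-Z0-9]/', $password ) ) { $classes['symbol'] = 32; }
    return $classes;
}

function assess_password( $password, array $common_words, $min_length = 12 ) {
    $problems = array();
    $length   = strlen( $password );
    $classes  = character_classes( $password );

    if ( $length < $min_length ) {
        $problems[] = "only $length characters; aim for $min_length or more";
    }
    if ( count( $classes ) < 3 ) {
        $problems[] = 'mixes fewer than three of: lower case, upper case, digits, symbols';
    }
    $plain = undo_substitutions( $password );
    foreach ( $common_words as $word ) {
        if ( strpos( $plain, $word ) !== false ) {
            $problems[] = "contains the common word '$word' once substitutions are undone";
            break;
        }
    }

    // Brute-force keyspace = alphabet^length, reported as bits. This is an
    // upper bound: dictionary and rule-based attacks get there much faster.
    $bits = $length > 0 ? $length * log( array_sum( $classes ), 2 ) : 0;

    return array( 'bits' => round( $bits, 1 ), 'problems' => $problems );
}

// The passwords discussed above, plus one from the "best" list.
$samples = array( 'april1', 'password', 'tqbfjotld', '1tqbfjotld!',
                  '1tqbfjotld!4462', 'n[4[(x%I0RC|' );
foreach ( $samples as $pw ) {
    $r = assess_password( $pw, $common_words );
    printf( "%-16s %5.1f bits  %s\n", $pw, $r['bits'],
            $r['problems'] ? implode( '; ', $r['problems'] ) : 'no problems found' );
}
```

Going from 'tqbfjotld' (one class, 9 characters) to '1tqbfjotld!4462' (three classes, 15 characters) roughly doubles the bits, which is why the page's cracking estimate jumps by so many orders of magnitude: every extra bit doubles the search. Note that 'april1' still fails even though it contains a digit, because the word survives once the substitution is undone.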

Plugins to help improve security

Akismet

Akismet checks your comments against the Akismet web service to see whether they look like spam. If a comment looks like spam it is automatically moved to the junk folder. Spam comments may contain scripts or other code that can compromise your WordPress security.

Better WP Security

Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin, ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing something on your site.

My website and its content are free to use without the clutter of adverts, tracking cookies, marketing messages or anything else like that. If you enjoyed reading this article, or it helped you in some way, all I ask in return is you leave a comment below or share this page with your friends. Thank you.

About the Author

Tim Trott

Tim is a professional software engineer, designer, photographer and astronomer from the United Kingdom. You can follow him on Twitter to get the latest updates.