Securing WordPress 101

There is no debating by now that the ten-year-old open source blogging platform, WordPress, is the most popular: seventeen percent of the world's top one million websites use the Content Management System (CMS) to run their sites.

That popularity means it has also become a target for malicious hackers and hacktivists, the most recent such attack being against Forbes.com, which had over one million of its user database records (including e-mail addresses and passwords) published online by the Syrian Electronic Army.

With this in mind, it is imperative that anyone using WordPress for their website or blog tightens its security so as to avoid the embarrassment (at the least) of a hacked WordPress site.

Below are some tips to consider in hardening the security of your WordPress (self hosted) site or blog.

1. Delete the default Admin username

Why?
This is the first thing any brute force attack tries: it uses the default Admin username and runs through a variety of passwords against it until it is successfully logged in.

How?
1. Create a new Admin user account with full access and control. NB: Don't name it anything involving Admin.

2. Log in with the new user and delete the original default Admin account.
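The two steps above can also be done in one go from the command line. The following is an added example, not code from the original post: a one-off PHP script meant to be run inside WordPress (for instance with WP-CLI's `wp eval-file`), using only standard WordPress functions. The new login prefix, the e-mail address and the file name are placeholders, and a single (non-multisite) installation is assumed.

```php
<?php
// Added example (not from the original post). Run once inside WordPress,
// e.g. with WP-CLI: wp eval-file replace-default-admin.php
// Placeholders: the new login prefix and the e-mail address.
// Assumes a single-site installation (wp_delete_user() behaves differently on multisite).

require_once ABSPATH . 'wp-admin/includes/user.php'; // provides wp_delete_user()

$old = get_user_by( 'login', 'admin' );
if ( ! $old ) {
    echo "No user named 'admin' exists; nothing to do.\n";
    return;
}

// 1. Create the replacement administrator with a name that does not contain
//    "admin" and a long random password (printed once; change it after first login).
$new_login = 'siteowner' . wp_rand( 1000, 9999 );
$new_pass  = wp_generate_password( 24, true, true );
$new_id    = wp_create_user( $new_login, $new_pass, 'owner@example.com' );
if ( is_wp_error( $new_id ) ) {
    echo 'Could not create user: ' . $new_id->get_error_message() . "\n";
    return;
}
$new_user = new WP_User( $new_id );
$new_user->set_role( 'administrator' );

// 2. Delete the default account, reassigning its posts and links to the new
//    user so that no content is lost with it.
wp_delete_user( $old->ID, $new_id );

echo "Created administrator '{$new_login}' with password: {$new_pass}\n";
echo "Deleted user 'admin' (ID {$old->ID}); its content now belongs to user ID {$new_id}.\n";
```

Note that the new account's user_nicename defaults to its login, which is exactly what tip 8 below addresses; apply that tip to the new account as well.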

2. Hide WordPress Version

Why?
If a potential attacker knows the version of WordPress you are running, then they know all the security flaws related to that version. Hiding it doesn't prevent an attack, but it makes the attacker's job that little bit harder.

How?
1. Insert the following code in your functions.php file:

// hide wordpress version
function hide_wp_version() {
return '';
}
add_filter('the_generator', 'hide_wp_version');
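The the_generator filter above only blanks the generator tag in the page head and the feeds. As an added example (not code from the original post), here is a fuller version for functions.php that also removes the ?ver= query string WordPress appends to the URLs of the scripts and stylesheets it enqueues, which reveals the core version just as plainly. The function names are hypothetical; the_generator, style_loader_src, script_loader_src and remove_query_arg() are standard WordPress APIs.

```php
<?php
// Added example for a theme's functions.php (not the original post's code).
// Function names are hypothetical; the hooks are standard WordPress filters.

// 1. Blank the generator string used by wp_head() and by the RSS/Atom feeds.
function example_hide_generator() {
    return '';
}
add_filter( 'the_generator', 'example_hide_generator' );

// 2. Strip ?ver=<core version> from enqueued assets. Only the default core
//    version is removed: a plugin that sets its own version keeps it, so
//    cache busting for plugin assets is unaffected.
function example_strip_core_version( $src ) {
    global $wp_version;
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'style_loader_src', 'example_strip_core_version' );
add_filter( 'script_loader_src', 'example_strip_core_version' );
```

This is obscurity, not a fix: the version is still recoverable from other files (see tip 10), and the protection that actually counts is keeping WordPress updated (tip 7).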

3. Disable Dashboard File Editing

Why?
By default, WordPress allows you to edit the theme files whilst logged into the dashboard by going to Appearance > Editor. This then allows a malicious hacker who manages to gain access to your Admin credentials to execute whatever code they want through your blog / website and potentially do so without raising an alarm.

How?
1. Insert the following code in your wp-config.php file:

// disable file editing through dashboard
define( 'DISALLOW_FILE_EDIT', true );

4. Disable User Registration

Why?
This tip applies only if you don't require visitors to register before commenting on your site / blog, i.e. you run a blog where only certain people need access to the dashboard.

In that case, disable registration of new users completely.

How?
1. Log in to your WordPress dashboard.
2. Go to General Settings
3. Un-tick the box Membership: Anyone can register

5. Protect wp-config.php

Why?
The wp-config.php file contains some of the most important details about your WordPress installation, so it is key to protect it by all means.

How?
1. Insert the following code in your .htaccess file on your server:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

6. Protect .htaccess

Why?
The .htaccess file is typically used to control access to the web server folder it is placed in, amongst many other uses, so it is also important to protect it from being compromised.

How?
1. Insert the following code in your .htaccess file on your server:

<Files .htaccess>
order allow,deny
deny from all
</Files>

7. Update to latest WordPress Version

Why?
This is a no-brainer: apart from containing all the new features, the latest version of WordPress also contains patches to known security flaws in previous versions.

How?
1. Log in to your Dashboard regularly.
2. Go to the Plugins section; you will see a notification if a new version of WordPress is available for updating.

8. Hide usernames in the URL

Why?
The default configuration of WordPress displays the username on the author archive page, e.g. http://myURL.com/author/username . WordPress uses the user_nicename field in its database to create this URL for the author archive page, and by default user_nicename is set to the same value as the username field.

This gives anyone intending to gain access to your WordPress site the ability to run brute force attacks against all the usernames they know exist on your system; if successful, they gain access to your WordPress dashboard.

How?
1. You require admin access to the SQL database that WordPress uses (useful tool: phpMyAdmin).
2. Log in to the database with the admin credentials.
3. Now, for every user registered on WordPress, change user_nicename to something different from their actual username.
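The manual database edit above can be scripted through WordPress's own API instead of editing rows directly. This is an added example, not code from the original post: run once inside WordPress (e.g. with WP-CLI's `wp eval-file`), it gives every user whose user_nicename still equals their login a new nicename based on their display name, checked for uniqueness against existing nicenames. The file name is a placeholder; get_users(), sanitize_title(), get_user_by() and wp_update_user() are standard WordPress functions.

```php
<?php
// Added example (not from the original post). Run once inside WordPress,
// e.g. with WP-CLI: wp eval-file decouple-nicenames.php
// Assumes a single site. Changing a nicename changes that author's archive
// URL, so any old /author/<username>/ links stop working.

foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
    if ( $user->user_nicename !== $user->user_login ) {
        continue; // already different from the login name
    }

    // Prefer a slug built from the display name; if that is empty or still
    // equal to the login, fall back to a random slug.
    $base = sanitize_title( $user->display_name );
    if ( $base === '' || $base === $user->user_login ) {
        $base = sanitize_title( 'author-' . wp_generate_password( 8, false ) );
    }

    // Make the slug unique among existing nicenames ('slug' looks up user_nicename).
    $nicename = $base;
    $suffix   = 2;
    while ( get_user_by( 'slug', $nicename ) ) {
        $nicename = $base . '-' . $suffix++;
    }

    $result = wp_update_user( array( 'ID' => $user->ID, 'user_nicename' => $nicename ) );
    if ( is_wp_error( $result ) ) {
        echo "User {$user->user_login}: " . $result->get_error_message() . "\n";
    } else {
        echo "User {$user->user_login}: nicename is now '{$nicename}'\n";
    }
}
```

Take a database backup (tip 9) before running it, and re-run it whenever a new user is created, since new accounts get a nicename equal to their login again.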

9. Backup Regularly

Why?
Unforeseen things happen all the time and nothing could be worse for your WordPress website than losing all content.

Protect yourself against anything unforeseen by backing up on a regular basis.

How?
1. WordPress documents many recommended backup methods; choose one that suits your needs.

10. Delete readme.html (and other unnecessary files)

Why?
WordPress's readme.html contains version information and, as discussed above, it is best that a potential attacker doesn't know this. Other files that come with WordPress and some themes are of no functional use either and can be used for fingerprinting and snooping.

How?
1. Log in to your server and open the folder where WordPress is installed.
2. Delete readme.html and any other files you can find that are of no functional use. (NB: Be careful though; double check that you are not deleting files required for the functioning of your theme or WordPress installation.)

This is by no means a comprehensive list of what you need to do to safeguard your WordPress installation, but these tips should provide you with the basic protection necessary.

Image credit: Nikolay Bachiyski
