This is a continuation of the previous article – WordPress Security Tips – Part 1. This article explains some ways to keep WordPress secure while improving the overall security of your WordPress-powered site.
Don’t Hack the Core
Plain and simple: do not hack any WordPress core files. Doing so on production sites is a recipe for disaster. Same is true for plugins and themes — do not modify their core files. Instead, if you want to change default functionality, do so via prescribed channels, such as:
- Modify or customize core functionality via plugin
- Modify or customize theme appearance or functionality via child theme
- Make changes to your theme via functions.php
Also important to good security: when making changes via any of these methods make sure to use the WP API whenever possible.
Ensure Proper File Permissions
If your server is configured correctly, all WordPress files and folders should be created with proper permissions. The general rule is that the permission level of files should be set at 644 and folders at 755. Of course, it’s not always that simple; various configurations are possible. If upon examination you discover that file and folder permissions are not correct (or don’t look quite right), consult the WP Codex and ask your web host for help.
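A quick check of the 644/755 rule, added here as an example and not taken from the article: the first function lists anything under a WordPress root that deviates from the rule, the second resets it. It assumes the root path is passed as the argument and skips wp-config.php, so that a deliberately stricter mode on that file is neither reported nor reset.

```shell
#!/bin/sh
# Added example, not part of the article. Audits and fixes the general rule
# from the text: files 644, directories 755. wp-config.php is skipped so that
# a deliberately stricter mode on it is neither reported nor reset.

# Print one offending path per line; print nothing when everything conforms.
wp_perm_audit() {
  root="$1"
  find "$root" -type f ! -name wp-config.php ! -perm 644 -print
  find "$root" -type d ! -perm 755 -print
}

# Apply the rule in place. Run wp_perm_audit first and review its output.
wp_perm_fix() {
  root="$1"
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  find "$root" -type d -exec chmod 755 {} +
}

# Usage: sh wp-perms.sh /path/to/wordpress   (audit only)
if [ -n "$1" ]; then
  wp_perm_audit "$1"
fi
```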
Disable Error Display
During development, displaying errors on the front-end of your site is perfectly fine. But during production, when your site is live online, displaying information about errors is a bad idea. Doing so could reveal sensitive information about your server configuration, PHP setup, and any potential vulnerabilities. Broadcasting that kind of information for the entire world to see is just not a good move. Why risk it?
Instead, once development is complete and you’re ready to go live, take a moment to disable error display on your site. WordPress errors are easy to disable by opening wp-config.php and adding the following line:
If a similar line already exists with a value of true, just change it to false and you’re good to go. Likewise, you want to make sure that display of PHP-generated errors is disabled. Here are some articles that explain how to do so:
- Advanced PHP Error Handling via PHP
- Advanced PHP Error Handling via htaccess
- How to Enable PHP Error Logging via htaccess
If in doubt about PHP errors, ask your developer or web host for more info.
Keep Spammers at Bay
One thing you don’t want is a bunch of spammers leaving comments on your posts. Spam comments send a signal that your site may be of poor quality, neglected, and possibly insecure. SEO implications aside, such signals tend to repel legitimate visitors and attract malicious behavior. To help control spam, you can install a plugin (there are many), or just use WordPress’ built-in spam-control features. Eliminating spam helps improve your site’s reputation, ranking, value, and security.
Run a Clean Machine
Another critical security step is to make sure that your local machine and devices are free of spyware, viruses, and any other malware. Even if your server and site are squeaky clean and super secure, it’s all for nothing if you’re working from an infected machine. As stated at the WordPress Codex:
No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.
A complete discussion on this topic is beyond the scope of this article, but there is much information available online. Hopefully you already are familiar with the importance of running a clean machine; if not, take the time to read up and protect your computers and devices from security vulnerabilities. This includes doing things such as:
- Connecting to the Web via secure router
- Running behind a trusted, reliable firewall
- Staying current with all software and updates
- Not allowing access to untrusted networks or devices
- Staying away from shady sites, pirated warez, and so forth
Of course, there is much more to the art of securing your personal work environment (computer and devices). Unless you’re already savvy, do the research and take proper steps to secure your work setup.
Monitoring and Logging
Logging and monitoring are your best friends when it comes to troubleshooting errors and investigating security issues. Most servers record detailed access and error logs that contain a wealth of information about every request and error, including valuable data such as date/time, IP address, requested URI, response codes, and much more. Examining access and error logs may be a little overwhelming for the uninitiated, but once you’re familiar with the basic syntax of your log files, you can use them to help resolve all sorts of issues. If you’re not sure how to access these files, ask your web host.
Up to this point, we’ve covered steps that most anyone can do to help keep WordPress secure. Most of the techniques we’ve seen so far require little to no modification to any files or code. Going much further with security typically requires making changes to your site, its files, code, and so forth.
For security techniques that require making changes to your site, it is important to consider the return on investment. A good example is the practice of protecting the /wp-admin/ directory with .htaccess. Sure, it sounds like a good idea, and may even provide some extra bit of security, but the potential for problems with plugins and themes makes it something that you may want to avoid. The headaches just aren’t worth it, IMO.
There are many examples like this, where the promised security benefit simply is not worth the potential risk. So my best advice is to stick with techniques that:
- Are easy to implement
- Are not overly invasive
- Introduce no additional risk
With these things in mind, here are some additional security techniques that are aimed at providing additional layers of security with minimal risk, minimal effort, and minimal amount of changes required to your site.
Inside of the WordPress wp-config.php file, make sure to add some strong, random security keys to the section, “Authentication Unique Keys and Salts”. Adding these authentication keys helps to improve the security of WordPress login routines and is highly recommended.
Note that you can add, change, or edit these keys at any time with no harm done other than invalidating any existing cookies. So basically the worst that can happen if/when you change the keys is that any logged-in users will have to log in again. No biggie.
To generate a strong, random set of salts, visit the official page at https://api.wordpress.org/secret-key/1.1/salt/. Then copy and paste into your configuration file, upload to the server, and done.
Disable Directory Views
Directory views are what happen when no index file exists in a directory. In such cases, it is possible to view all files in sort of a generic list display. In some cases directory views can be useful (like when sharing photos or videos), but in general they should be disabled.
By default, WordPress includes blank index.php files in various directories throughout the WP core, and some plugins and themes include them as well. That’s a good start to disable directory views, but there may be some plugins or themes that do not include any index file. And that may leave your files exposed and potentially vulnerable.
On a properly configured server, directory views already should be disabled, but if not or if you just want to make double-sure, you can include the following line in your site’s root .htaccess file:
For more information, check out this in-depth article on disabling and customizing directory views over at Perishable Press.
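A check for the situation just described, added as an example and not part of the article: it lists every directory under the install that has no index file, and confirms that the root .htaccess carries the Options -Indexes directive that turns listings off. The path is assumed to be the WordPress root.

```shell
#!/bin/sh
# Added example, not part of the article. Lists directories under a WordPress
# install that have no index file (a server that allows listings would show
# their contents) and checks that the root .htaccess turns listings off with
# "Options -Indexes". One finding per line; no output means all clear.

wp_dirview_audit() {
  root="$1"
  # A directory is covered if it holds index.php or index.html.
  find "$root" -type d \
    ! -exec sh -c 'test -e "$1/index.php" || test -e "$1/index.html"' sh {} \; \
    -print | sed 's/$/: no index file/'
  # The directive that disables listings ("Options -Indexes" or
  # "Options All -Indexes"); a missing .htaccess counts as not set.
  if ! grep -Eqs '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess"; then
    echo "$root/.htaccess: Options -Indexes not set"
  fi
}

# Usage: sh wp-dirviews.sh /path/to/wordpress
if [ -n "$1" ]; then
  wp_dirview_audit "$1"
fi
```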
Change the Default Database Prefix
When you install WordPress, it sets up the database tables using the default prefix, wp_. This value is set in the wp-config.php file, and may easily be customized before installing WordPress. Doing so after WordPress has been installed is possible, but requires some extra fiddling that you may find tedious and not worth the effort.
Changing the database prefix to anything other than the default adds another thin layer of protection against SQL-related attacks, which typically target the database via the default prefix, wp_. Thus by changing that value to anything else, even something as simple as wp__ (adding another underscore), you’ll thwart 99.9% of attacks that target the default prefix value.
So for any future WordPress installs, crack open wp-config.php and locate the variable, $table_prefix. Then change it to something different and random, like _wp_ or whatever works for you. For more information and some useful tips, check out Change Your Database Prefix to Improve Security here at DigWP.com.
Protect the Login Page
Out of the box, the WordPress Login Page enables anyone with access to enter credentials and attempt to log in. This openness is great for legit users, but it also invites the inevitable brute-force login attack. As discussed previously, if you and all registered users have chosen strong passwords, then there is no reason to worry about anything. But if you’re not 100% sure about all of the passwords used on your site, you may want to take some steps to protect the Login Page from future attacks. There are numerous strategies for doing so:
- Use a plugin to protect the login page
- Implement two-factor authentication
- Implement HTTP authentication
- Whitelist IP addresses (see below)
Any of these techniques will help to protect your WordPress Login Page, so do some research and find the best solution for your needs. Personally, for sites at which I am the only author, I like to add a slice of .htaccess to lock things down:
    <Files wp-login.php>
        Order Deny,Allow
        Deny from all
        # replace 123.456.789 with your own IP address
        Allow from 123.456.789
    </Files>
That simple code snippet will allow you to access the Login Page while denying access to everyone else. You can whitelist additional IP addresses by repeating the Allow from line as many times as needed. The key to using this snippet is that it must be added to the .htaccess file that’s located in the same directory as wp-login.php (i.e., the root WordPress directory). That’s either gonna be located in the root of your site, or in a subdirectory that contains all of your WordPress files.
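Since the access log is where the Monitoring and Logging section above and this login-page discussion meet, here is an added example (not from the article) that flags addresses repeatedly failing to log in: in a stock WordPress install a failed login is a POST to wp-login.php answered with a 200 (the form is redisplayed), while a successful one gets a 302 redirect. The log lines and the threshold are constructed for the demo, and the format assumed is Apache’s combined log.

```shell
#!/bin/sh
# Added example, not part of the article. Flags source addresses that keep
# failing to log in, using only the access log. In a standard WordPress
# install a failed login is a POST to wp-login.php answered with 200 (the form
# is shown again), while a successful one is answered with a 302 redirect.

# $1 = access log in Apache combined format, $2 = failed POSTs per IP that
# trigger a report. Output: "<ip> <count>" per flagged address, sorted.
wp_login_failures() {
  awk -v limit="$2" '
    # Field layout: $1 ip, $6 "METHOD, $7 path, $9 status.
    $6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
  ' "$1" | sort
}

# Constructed sample lines (documentation addresses, not real traffic).
sample_access_log() {
  cat <<'EOF'
203.0.113.7 - - [12/Mar/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2015:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2015:10:03:00 +0000] "GET /2015/03/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
EOF
}

# Usage: sh wp-login-failures.sh /var/log/apache2/access.log [limit]
if [ -n "$1" ]; then
  wp_login_failures "$1" "${2:-10}"
else
  tmp=$(mktemp); sample_access_log > "$tmp"
  wp_login_failures "$tmp" 3     # prints: 203.0.113.7 4
  rm -f "$tmp"
fi
```

The one successful login from 198.51.100.4 is not counted, so a legitimate user who logs in once does not trip the report.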
One of the most sensitive files included in your WordPress installation is wp-config.php. That’s because the config file contains your database connection credentials, which would enable an attacker literally to own and/or destroy your entire site. On a properly configured server, the wp-config.php file should already be inaccessible to any outside access.
But if you are not sure, or just want to add another layer of protection to be extra safe, here is a quick .htaccess snippet that will protect your configuration file from all external access:
    <Files wp-config.php>
        Order Allow,Deny
        Deny from all
    </Files>
As a bonus, I also like to lock down the xmlrpc.php file:
    <Files xmlrpc.php>
        Order Allow,Deny
        Deny from all
    </Files>
Either of these code snippets should be placed in the .htaccess file that is located in the root WordPress directory (i.e., the same directory that contains the xmlrpc.php file). You may also want to check out our tutorial on xmlrpc.php and site security for more info on securing xmlrpc.php. Note: while it is fine for all sites to protect the wp-config.php file, you should only protect the xmlrpc.php file if you are sure that you’re not using it for anything.
Disable File Editing
By default, WordPress enables admin-level users to edit plugin and theme files from within the WP Admin Area (under Appearance > Editor). I like to disable this functionality to help contain any security breach, and also because I never use it. To disable file editing from within the Admin Area, add this line to your site’s wp-config.php:
Placing this line in wp-config.php is equivalent to removing the edit_files capabilities for all users.
Remember to make a backup of your wp-config.php before editing 🙂
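Several wp-config.php settings from this article can be checked in one pass. Added as an example (not from the article), the function below inspects a config for the four items covered above: WP_DEBUG left on, DISALLOW_FILE_EDIT missing, the default wp_ table prefix, and salts still at the sample file’s placeholder text; the two sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the article. Reports wp-config.php settings that
# the article recommends changing. One finding per line; no output means the
# four checks all pass.

wp_config_audit() {
  cfg="$1"
  # Error display: WP_DEBUG must not be true on a live site.
  if grep -Eq 'define\([[:space:]]*.WP_DEBUG.[[:space:]]*,[[:space:]]*true' "$cfg"; then
    echo "WP_DEBUG is true (error display on)"
  fi
  # File editing: the Appearance > Editor is only disabled by this constant.
  if ! grep -Eq 'define\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true' "$cfg"; then
    echo "DISALLOW_FILE_EDIT not set (theme/plugin editor enabled)"
  fi
  # Table prefix: the default is what attacks aimed at wp_ assume.
  if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' "$cfg"; then
    echo "\$table_prefix is the default wp_"
  fi
  # Salts: the stock sample file ships every key with this placeholder.
  if grep -q 'put your unique phrase here' "$cfg"; then
    echo "authentication keys and salts still use the placeholder"
  fi
}

# Constructed before/after samples (trimmed to the lines that matter).
sample_weak_config() {
  cat <<'EOF'
<?php
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
EOF
}
sample_hardened_config() {
  cat <<'EOF'
<?php
define('AUTH_KEY',        'EXAMPLE-ONLY-replace-with-a-generated-salt');
define('SECURE_AUTH_KEY', 'EXAMPLE-ONLY-replace-with-a-generated-salt');
$table_prefix = 'wp__';
define('WP_DEBUG', false);
define('DISALLOW_FILE_EDIT', true);
EOF
}

# Usage: sh wp-config-audit.sh /path/to/wp-config.php
if [ -n "$1" ]; then wp_config_audit "$1"; fi
```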
Add a Strong Firewall
In case you can’t tell, one of my passions is web security. I wrote a plugin called Block Bad Queries (BBQ) that is 100% free and used by over 50,000 users to help protect their WordPress sites. The free BBQ plugin is powerful and dead-simple, but there is no UI to make changes and fine-tune things. So I developed BBQ Pro, which features advanced protection and is fully customizable. BBQ Pro is lightweight, flexible, and fast.
Of course, I am biased as this is my own plugin, but it’s worth mentioning here because it fits in perfectly with the sort of holistic security strategy advocated in this article.
Even More Security
If you’ve made it this far, congratulations. We’ve covered many awesome security techniques to help keep your WordPress site secure. Going further I would recommend checking out some choice .htaccess techniques. .htaccess techniques are great because they operate at the server level without requiring PHP or MySQL, so you can add specific layers of security while maintaining an optimal level of performance.
To learn more about using .htaccess to secure and optimize your website, check out my book .htaccess made easy. There you’ll find a complete guide to .htaccess and a treasure trove of awesome .htaccess techniques.
And for even more in-depth tutorials on WordPress security techniques, check out my video screencast series over at Lynda.com on Securing WordPress Sites.