WordPress is not inherently insecure – what makes it insecure are the people who use it. There are upwards of a million WordPress blogs on the internet as we speak and a large percentage of them will have the default admin user account present, with a simple password. Out of the box, WordPress has no mechanism for preventing repeated password tries, allowing a hacker to use brute force techniques to run through all possible combinations in seconds. Put that together with the fact that many people use names or objects as their password, plus those that use obvious key sequences like ‘qwerty’ or ‘asdfg’, and many passwords will be cracked in milliseconds rather than seconds. We’ve scoured the web for the latest news and advice on WordPress security and here it is.
There are lots of simple steps that you can take to secure WordPress.
1. Prevent Malicious Login Attempts with a simple free plugin
The most common way for even casual hackers to attempt to get through your security is to use brute force. This simply means that they will set up an application which will repeatedly submit login details to your web site – the details they use will come from a dictionary of common names and words. The automated attempts will be made hundreds or thousands of times per second. If you have set your password to the name of your dog, for example, then my guess would be that your password will last no more than a second or two before being correctly ‘guessed’.
You can install a very easy to use plugin called ‘Limit Login Attempts’ – download it from wordpress.org here – it can be configured to lock the user out after 3 or 4 bad guesses, and it can send an email to the admin to let you know what’s going on. Without getting too complicated, it’s a really good bit of protection to put in place, even if you do nothing else. Here’s what the admin interface looks like …
[IMAGE OF LIMIT LOGINS ADMIN SCREEN]
Limit Login Attempts has not been updated since June 2012 and at first glance it looks like a plugin which should be avoided. However, it is compatible with WP 3.8.1 (the current release at the time of writing), probably because the parts of the WP core that it uses haven’t changed since it was last updated.
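To make the lockout behaviour concrete, here is an added example (not the plugin’s code, nor anything from the original post) of the counting logic a limit-logins plugin applies: after four failures from one address within ten minutes, that address is refused for twenty minutes, so even a correct guess inside that window is rejected. The thresholds, the client addresses and the password list are constructed for the example.

```python
import hmac
from collections import defaultdict


class LoginLimiter:
    """Lock an address out after max_attempts failures inside `window` seconds,
    for `lockout` seconds (4 / 10 min / 20 min are assumed defaults)."""

    def __init__(self, max_attempts=4, window=600, lockout=1200):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(list)  # ip -> timestamps of recent failures
        self._locked_until = {}             # ip -> time at which the lockout ends

    def _record_failure(self, ip, now):
        """Store a failure; return True if it pushes the address into lockout."""
        recent = [t for t in self._failures[ip] if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            self._failures[ip] = []        # counter restarts once the lockout ends
            return True
        self._failures[ip] = recent
        return False

    def attempt(self, ip, password_ok, now):
        """Return 'locked', 'ok', 'fail' or 'lockout' for one login attempt."""
        if now < self._locked_until.get(ip, 0):
            return "locked"                # refused before the password is checked
        if password_ok:
            self._failures.pop(ip, None)   # a good login clears the counter
            return "ok"
        return "lockout" if self._record_failure(ip, now) else "fail"


REAL_PASSWORD = "correct horse battery"   # constructed; WordPress stores a hash, not this
# Constructed sample: four dictionary guesses from one address in 0.3 s, then the
# right password from that same address, then the real owner from another address.
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", "password", 0.0), ("203.0.113.5", "qwerty", 0.1),
    ("203.0.113.5", "asdfg", 0.2), ("203.0.113.5", "rover", 0.3),
    ("203.0.113.5", REAL_PASSWORD, 0.4), ("198.51.100.9", REAL_PASSWORD, 30.0),
]


def simulate(attempts, real_password=REAL_PASSWORD, limiter=None):
    """Feed (ip, password, time) attempts through a limiter; return each outcome."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, hmac.compare_digest(pw, real_password), t)
            for ip, pw, t in attempts]
```

`simulate(SAMPLE_ATTEMPTS)` returns `['fail', 'fail', 'fail', 'lockout', 'locked', 'ok']`: the fifth attempt carries the right password but is refused because the address is already locked out, while the owner at a different address gets in.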
2. Start by Checking File Permissions
This might sound obvious, but there is no guarantee that your host has configured your web space correctly. At the end of the day, it is your responsibility to check. So, how do you do that? The easiest way is by using FileZilla, a free FTP client with an easy to use interface that lets you check and update your file and folder permissions. But first of all you need to know what they should be, right? Ideally, different permissions should be set on your .htaccess and wp-config.php files, different permissions again on the other files, and again on folders. Note that you may need different permissions on the wp-content folder, depending on the plugins that you have installed. It’s not straightforward because it may also vary from host to host if you use shared hosting (you might like to read our post on choosing WordPress hosting), but you can get the low-down from http://codex.wordpress.org/Changing_File_Permissions
Here’s the view in FileZilla …
[IMAGE OF FILEZILLA PERMISSIONS CHANGE]
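As an added example (not from the post, FileZilla or WordPress), the script below walks an install and reports every file or directory whose mode departs from a permissions policy; the policy values (755 for directories, 644 for files, 600/440/400 for wp-config.php, following the Codex page linked above), the sample tree and its deliberate mistakes are assumptions of the example.

```python
import os
import shutil
import stat
import tempfile

# Assumed policy, after the Codex page linked above: directories 755, files 644,
# wp-config.php tightened to 600 (or 440/400 where the host allows it).
DIR_MODES = {0o755}
FILE_MODES = {0o644}
SPECIAL_FILES = {"wp-config.php": {0o600, 0o440, 0o400}}


def audit_permissions(root):
    """Return (relative path, octal mode, expected modes) for every entry off-policy."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(n, True) for n in dirnames] + [(n, False) for n in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):       # the link target is judged where it lives
                continue
            allowed = DIR_MODES if is_dir else SPECIAL_FILES.get(name, FILE_MODES)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode not in allowed:
                expected = "/".join(f"{m:o}" for m in sorted(allowed))
                findings.append((os.path.relpath(full, root), f"{mode:o}", expected))
    return findings


def build_sample_tree():
    """Constructed install with three deliberate mistakes: a 644 wp-config.php,
    a 777 uploads directory and a 666 file inside it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel, mode in [("index.php", 0o644), (".htaccess", 0o644),
                      ("wp-config.php", 0o644), ("wp-content/uploads/a.jpg", 0o666)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


def audit_sample():
    """Build the sample tree, audit it and clean it up; return the findings."""
    root = build_sample_tree()
    try:
        return audit_permissions(root)
    finally:
        shutil.rmtree(root)
```

Point `audit_permissions()` at a real document root (over SSH, or a local copy downloaded with FileZilla) to get the same three-column report for your own site.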
3. Use htaccess Security
Unfortunately, WordPress has a very distinctive ‘footprint’. Anyone who has worked with WP just has to have a quick look at the page source in a browser and a WP installation is immediately recognizable. Another effective approach to WP security is to “hide stuff”. If hackers can’t find the files and folders they need in order to break in, they will go somewhere else. If you are an experienced Unix / Linux admin, you will be able to write .htaccess entries to do this. If you are not, then ‘Hide My WP’ is a good way to go. Available from CodeCanyon, it is a WP plugin which is easy to install and hides most things from prying eyes with a couple of mouse clicks.
4. Use an Online Malware Scanner to check your web site
Although not exactly a security improvement, it is always a good idea to check a site, especially a large one, for signs of malware or blacklisted mail domains. There are a number of websites which provide a remote scanning service. These sites will check your configuration passively for any basic errors in setup, by looking at your source code. I’m going to suggest the scanner provided by Sucuri, simply because they are a well established company. If you have a better suggestion, or one which is as good, then jump in on the comments and let me know.
5. Install a Proxy Firewall to filter out malicious requests
Sucuri sell their “Web Application Firewall (WAF) Intrusion Detection System (IDS) For Websites”, called CloudProxy. This is not an advert or an affiliate link, by the way – it’s just a good (in my experience) and very affordable service which is well worth looking at.
CloudProxy is a Web Application Firewall (WAF) and Intrusion Detection System (IDS) for websites. In short, it’s a cloud-based protective perimeter that any website owner can configure to stop hackers exploiting the various website vulnerabilities. The technology is platform agnostic: it will support any type of web site platform (e.g. WordPress, Joomla, vBulletin, Magento, custom HTML, etc.) and will work with any web server technology (e.g. Apache, Ruby, IIS, etc.). At a cost of $9.99 per month, it may give you a degree of peace of mind if you are running a ‘money site’ or other business critical web site which you depend on. It has a number of nice features, such as limiting access to named directories to fixed, white-listed IP addresses, for example.
There you have it: 5 simple steps you can take to make your WordPress installation just a bit more secure. Have a look at them, read these articles, watch the video below and put all that advice to good use.