The Ultimate Wordpress Security Guide
Hi Warriors,
I just joined the Warrior Forum and already I've gained a ton of great information. One thing I noticed in a few searches is that some people are worried about the security of their Wordpress sites. To help you all out, here's all my accumulated knowledge about Wordpress security.
As with any good CMS, Wordpress has some security features built into its core. However, the default installation is still vulnerable to certain attacks. Fortunately, there are several easy steps you can take to harden Wordpress against these attacks.
Common Wordpress Attacks
Here is a listing of the most common types of Wordpress attacks:
Protecting Wordpress
Fortunately, protecting Wordpress against these attacks isn't terribly difficult. Here is a listing of things you should do:
Keep Wordpress and related files updated
Keep your Wordpress installations updated to the latest version. As of right now (3/1/2011), the latest version is 3.1. 3.2 is set to release sometime this year.
Make sure to update plugins as well. As noted above, out-of-date plugins can pose security risks. If you have a bunch of plugins that are deactivated or unused, it's best to delete them. Each plugin you have can pose a security risk if there is a flaw in it. If you have a plugin you plan on using later, store it outside of your Wordpress installation until you need it.
Create security through obscurity
This security concept is based around the fact that most automated attacks will target default Wordpress parameters. Therefore, make sure your installation doesn't have these default parameters.
Delete the user 'admin'. Brute force attacks will almost ALWAYS try to login with this username.
Do not use the "wp_" table prefix for the tables in your MySQL database.
Rename table wp_comments to wangchung_comments;
You may notice that doing this locks you out of you Administrator account. No worries! There's just a couple more commands to issue at the MySQL command prompt:
Blocking access to unneeded information
Wordpress can give away too much information. Here's a couple ways to prevent it from doing that:
Prevent Wordpress from giving specific error messages upon unsuccessful login attempts.
Move wp-config.php up one directory
Moving this file out of your public folder makes it less accessible. Wordpress is built to check for this file one directory up if it can't find it in the default location.
Prevent malicious modification of the GlOBALS and $_REQUEST variables
Many attacks will attempt to inject malicious scripts into your database. Prevent this by adding the following code to your .htaccess file:
Backup, backup, backup
Regularly back up both your Wordpress files and your database. The more you post content to your site, the more you should back up. This is not only to protect you from the bad guys, but also from yourself when you try new things
Essential security plugins
That's all I have for now. I'll continue to update this thread as I learn more!
I just joined the Warrior Forum and already I've gained a ton of great information. One thing I noticed in a few searches is that some people are worried about the security of their Wordpress sites. To help you all out, here's all my accumulated knowledge about Wordpress security.
As with any good CMS, Wordpress has some security features built into its core. However, the default installation is still vulnerable to certain attacks. Fortunately, there are several easy steps you can take to harden Wordpress against these attacks.
Common Wordpress Attacks
Here is a listing of the most common types of Wordpress attacks:
- Brute-force login attempts - This is an attack where a bot or script continuously tries to login to your Wordpress Dashboard as the admin in order to gain Administrator access to your blog.
- SQL injection attacks - Attacks like these use input boxes on your site (login forms, comment forms, etc) to try to inject malicious SQL code into your Wordpress database.
- Spam comments - Many bots simply come to your website and post spam comments to build backlinks to their owners' spam sites. Most of these comments are obviously spam, but some can be surprisingly legit-looking. Usually, though, you can tell spam comments apart from others by their very general nature and suspicious-looking username, even if the spelling is good.
- Attacks against old versions of Wordpress - As Wordpress is open-source, its code is available for anyone to view. One downside of this is that hackers can easily exploit bugs in the code. The result of this situation is that old versions of Wordpress are constantly under attack by scripts design to exploit bugs or flaws.
- Attacks against vulnerabilities in plugins - Even if your Wordpress installation is up to date, plugins can be a security issue as well. Many Wordpress attacks are crafted specifically to exploit bugs or known vulnerabilities in plugins, so having a lot of plugins can potentially open up your site.
Protecting Wordpress
Fortunately, protecting Wordpress against these attacks isn't terribly difficult. Here is a listing of things you should do:
Keep Wordpress and related files updated
Keep your Wordpress installations updated to the latest version. As of right now (3/1/2011), the latest version is 3.1. 3.2 is set to release sometime this year.
Make sure to update plugins as well. As noted above, out-of-date plugins can pose security risks. If you have a bunch of plugins that are deactivated or unused, it's best to delete them. Each plugin you have can pose a security risk if there is a flaw in it. If you have a plugin you plan on using later, store it outside of your Wordpress installation until you need it.
Create security through obscurity
This security concept is based around the fact that most automated attacks will target default Wordpress parameters. Therefore, make sure your installation doesn't have these default parameters.
Delete the user 'admin'. Brute force attacks will almost ALWAYS try to login with this username.
- If you're just setting up your Wordpress installation, you should be able to change this name from the get-go when going through the configuration process.
- If you already have an established installation, you can simply change the admin username via the command line. Find your installation's database and enter the following SQL statement:
Code:
// Note that you should replace 'prefix' with your table prefix and 'newusername' with your desired admin username. update table prefix_users set user_login='newusername' where user_login='admin';
- The database linked to your Wordpress installation has a number of tables that drive the installation's functions. For continuity's sake, all the tables have the same prefix; some examples under the default prefix are wp_posts and wp_comments.
- You should change the prefix to something other than "wp_" when first installing Wordpress. Almost all SQL injection scripts out there will attempt to access tables with this prefix, so you're unfathomably more well-protected by doing this.
- Access your associated MySQL database (always good to make a backup first), and start renaming all the tables. If you haven't installed Wordpress yet and are on first time setup, you can skip this step. Example:
Rename table wp_comments to wangchung_comments;
- You'll also need to change the table prefix in wp-config.php, as shown here:
Code:
/** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ = 'wangchung_';
- UPDATE newPrefix_options SET option_name = REPLACE (option_name, ‘oldPrefix_’, ‘newPrefix_’);
- UPDATE newPreifix_usermeta SET meta_key = REPLACE(meta_key, ‘oldPrefix_’, ‘newPrefix_’);
Blocking access to unneeded information
Wordpress can give away too much information. Here's a couple ways to prevent it from doing that:
Prevent Wordpress from giving specific error messages upon unsuccessful login attempts.
- Wordpress, by default, will tell you when you've entered a wrong username or password. If someone is trying to guess these things, these error messages can sure help them narrow down their choices! It's best to make Wordpress throw a generic error instead. Open up the functions.php file, which is in wp-content/themes/yourtheme and add this line to it (somewhere outside of a function):
Code:
// code to hide feedback upon unsuccessful logins
add_filter('login_errors',create_function('', "return 'Please try again.';")); Moving this file out of your public folder makes it less accessible. Wordpress is built to check for this file one directory up if it can't find it in the default location.
Prevent malicious modification of the GlOBALS and $_REQUEST variables
Many attacks will attempt to inject malicious scripts into your database. Prevent this by adding the following code to your .htaccess file:
Code:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L] Regularly back up both your Wordpress files and your database. The more you post content to your site, the more you should back up. This is not only to protect you from the bad guys, but also from yourself when you try new things
- You can use an FTP program such as FileZilla to back up your files to your local computer.
- Refer to the plugin list below for a great plugin that will help you regularly back up your database.
Essential security plugins
- Akismet - Comes pre-installed with Wordpress, although you'll need to apply for an API key to use it. You can do this through Akismet's options panel in the Dashboard.
- AntiVirus - keeps your blog protected from spam and malicious scripts.
- Capability Manager - Allows you to fine-tune the capabilities of each user role. For example, you could give Contributors the ability to publish posts.
- IP Ban - Allows you to ban IPs from seeing your site. This can be useful, but I don't recommend simply banning every IP that tries to log in as admin. Most of these are spoofed, and DHCP will make them change anyway.
- Limit Login Attempts - limits the amount of times an IP can try to log in before locking it out for a specified amount of time. You can also configure it to lock out that IP for a much, much longer time upon a certain number of lockouts.
- SI CAPTCHA Anti-Spam - places a CAPTCHA on your login page. This, coupled with Limit Login Attempts, should keep out brute force bots forever.
- WP-DBManager - part of good security is having backups, and this plugin does backups really well. It'll back up your database upon schedule intervals, and you can even set it to email you the resulting .sql file.
- WP Security Scan - scans your Wordpress installation for vulnerabilities and alerts you to them. It can, in some cases, even fix them. I DO NOT recommend using this plugin to change your table prefix, however. That's something you should do manually.
That's all I have for now. I'll continue to update this thread as I learn more!
-
Dr Jan Simpson -
Thanks
{{ DiscussionBoard.errors[3455121].message }} -
-
Thomas Frank -
Thanks
{{ DiscussionBoard.errors[3455157].message }} -
-
Abledragon -
Thanks
SignatureWealthyDragon - Earning My Living Online{{ DiscussionBoard.errors[3455695].message }} -
-
WorkitSmart -
Thanks
{{ DiscussionBoard.errors[3895042].message }} -