The Ultimate Wordpress Security Guide

by Thomas Frank 4 replies
Hi Warriors,

I just joined the Warrior Forum and already I've gained a ton of great information. One thing I noticed in a few searches is that some people are worried about the security of their Wordpress sites. To help you all out, here's all my accumulated knowledge about Wordpress security.

As with any good CMS, Wordpress has some security features built into its core. However, the default installation is still vulnerable to certain attacks. Fortunately, there are several easy steps you can take to harden Wordpress against these attacks.

Common Wordpress Attacks

Here is a listing of the most common types of Wordpress attacks:
  • Brute-force login attempts - This is an attack where a bot or script continuously tries to login to your Wordpress Dashboard as the admin in order to gain Administrator access to your blog.
  • SQL injection attacks - Attacks like these use input boxes on your site (login forms, comment forms, etc) to try to inject malicious SQL code into your Wordpress database.
  • Spam comments - Many bots simply come to your website and post spam comments to build backlinks to their owners' spam sites. Most of these comments are obviously spam, but some can be surprisingly legit-looking. Usually, though, you can tell spam comments apart from others by their very general nature and suspicious-looking username, even if the spelling is good.
  • Attacks against old versions of Wordpress - As Wordpress is open-source, its code is available for anyone to view. One downside of this is that hackers can easily exploit bugs in the code. The result of this situation is that old versions of Wordpress are constantly under attack by scripts design to exploit bugs or flaws.
  • Attacks against vulnerabilities in plugins - Even if your Wordpress installation is up to date, plugins can be a security issue as well. Many Wordpress attacks are crafted specifically to exploit bugs or known vulnerabilities in plugins, so having a lot of plugins can potentially open up your site.

Protecting Wordpress

Fortunately, protecting Wordpress against these attacks isn't terribly difficult. Here is a listing of things you should do:

Keep Wordpress and related files updated

Keep your Wordpress installations updated to the latest version. As of right now (3/1/2011), the latest version is 3.1. 3.2 is set to release sometime this year.

Make sure to update plugins as well. As noted above, out-of-date plugins can pose security risks. If you have a bunch of plugins that are deactivated or unused, it's best to delete them. Each plugin you have can pose a security risk if there is a flaw in it. If you have a plugin you plan on using later, store it outside of your Wordpress installation until you need it.

Create security through obscurity

This security concept is based around the fact that most automated attacks will target default Wordpress parameters. Therefore, make sure your installation doesn't have these default parameters.

Delete the user 'admin'. Brute force attacks will almost ALWAYS try to login with this username.
  • If you're just setting up your Wordpress installation, you should be able to change this name from the get-go when going through the configuration process.
  • If you already have an established installation, you can simply change the admin username via the command line. Find your installation's database and enter the following SQL statement:

Code:
// Note that you should replace 'prefix' with your table prefix and 'newusername' with your desired admin username.
update table prefix_users set user_login='newusername' where user_login='admin';
Do not use the "wp_" table prefix for the tables in your MySQL database.
  • The database linked to your Wordpress installation has a number of tables that drive the installation's functions. For continuity's sake, all the tables have the same prefix; some examples under the default prefix are wp_posts and wp_comments.
  • You should change the prefix to something other than "wp_" when first installing Wordpress. Almost all SQL injection scripts out there will attempt to access tables with this prefix, so you're unfathomably more well-protected by doing this.
  • Access your associated MySQL database (always good to make a backup first), and start renaming all the tables. If you haven't installed Wordpress yet and are on first time setup, you can skip this step. Example:

Rename table wp_comments to wangchung_comments;
  • You'll also need to change the table prefix in wp-config.php, as shown here:

Code:
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
 */
  = 'wangchung_';
You may notice that doing this locks you out of you Administrator account. No worries! There's just a couple more commands to issue at the MySQL command prompt:
  • UPDATE newPrefix_options SET option_name = REPLACE (option_name, ‘oldPrefix_’, ‘newPrefix_’);
  • UPDATE newPreifix_usermeta SET meta_key = REPLACE(meta_key, ‘oldPrefix_’, ‘newPrefix_’);

Blocking access to unneeded information

Wordpress can give away too much information. Here's a couple ways to prevent it from doing that:

Prevent Wordpress from giving specific error messages upon unsuccessful login attempts.
  • Wordpress, by default, will tell you when you've entered a wrong username or password. If someone is trying to guess these things, these error messages can sure help them narrow down their choices! It's best to make Wordpress throw a generic error instead. Open up the functions.php file, which is in wp-content/themes/yourtheme and add this line to it (somewhere outside of a function):

Code:
// code to hide feedback upon unsuccessful logins
add_filter('login_errors',create_function('', "return 'Please try again.';"));
Move wp-config.php up one directory

Moving this file out of your public folder makes it less accessible. Wordpress is built to check for this file one directory up if it can't find it in the default location.

Prevent malicious modification of the GlOBALS and $_REQUEST variables

Many attacks will attempt to inject malicious scripts into your database. Prevent this by adding the following code to your .htaccess file:

Code:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Backup, backup, backup

Regularly back up both your Wordpress files and your database. The more you post content to your site, the more you should back up. This is not only to protect you from the bad guys, but also from yourself when you try new things
  • You can use an FTP program such as FileZilla to back up your files to your local computer.
  • Refer to the plugin list below for a great plugin that will help you regularly back up your database.

Essential security plugins
  • Akismet - Comes pre-installed with Wordpress, although you'll need to apply for an API key to use it. You can do this through Akismet's options panel in the Dashboard.
  • AntiVirus - keeps your blog protected from spam and malicious scripts.
  • Capability Manager - Allows you to fine-tune the capabilities of each user role. For example, you could give Contributors the ability to publish posts.
  • IP Ban - Allows you to ban IPs from seeing your site. This can be useful, but I don't recommend simply banning every IP that tries to log in as admin. Most of these are spoofed, and DHCP will make them change anyway.
  • Limit Login Attempts - limits the amount of times an IP can try to log in before locking it out for a specified amount of time. You can also configure it to lock out that IP for a much, much longer time upon a certain number of lockouts.
  • SI CAPTCHA Anti-Spam - places a CAPTCHA on your login page. This, coupled with Limit Login Attempts, should keep out brute force bots forever.
  • WP-DBManager - part of good security is having backups, and this plugin does backups really well. It'll back up your database upon schedule intervals, and you can even set it to email you the resulting .sql file.
  • WP Security Scan - scans your Wordpress installation for vulnerabilities and alerts you to them. It can, in some cases, even fix them. I DO NOT recommend using this plugin to change your table prefix, however. That's something you should do manually.

That's all I have for now. I'll continue to update this thread as I learn more!
#website design #guide #security #ultimate #wordpress
Avatar of Unregistered
  • Profile picture of the author Dr Jan Simpson
    Hello Thomas,

    Welcome to the WF. I too am a new member and have gained so much valuable knowledge. Since you obviously know WP well, can you please recommend some way for me to learn this program. I'm more than happy to purchase a tutorial program, or whatever. It all seems overwhelming and that's why I was leaning towards Xsite Pro 2.5

    Any thoughts?

    Thanks so much,
    Jan
    {{ DiscussionBoard.errors[3455121].message }}
  • Profile picture of the author Thomas Frank
    Wordpress is a fantastic platform to use as a CMS because users of all skill levels can get functionality out of it. What exactly are your goals with Wordpress?

    If you're just diving in, but want to become an expert, I'd recommend a stepladder of three books:

    1: Wordpress 24-Hour Trainer - this is a great book to get you familiar with how Wordpress works.

    2: Smashing Wordpress - a designer/developer's book on Wordpress. It shows you how to design themes and create plugins, among other things

    3: Professional Wordpress - more in depth on how Wordpress works, IMO. It teaches some of the same things that the second book does, but it gets deeper into the Core, Loop, and other things

    After you've gone through those, you should have the knowledge to start using the Codex efficiently, as well as gaining knowledge by reading Core code directly.

    In the meantime, there are plenty of great blogs on Wordpress out there. WPCookbook is a good one.

    Still, the best way to get to know Wordpress is to play with it! This is, by far, the best way that I learned
    {{ DiscussionBoard.errors[3455157].message }}
  • Profile picture of the author Abledragon
    Thomas, hi,

    Excellent round-up - many thanks!

    Cheers,

    Martin.
    Signature
    How to Start Your Own Business Online - a Free eBook from WealthyDragon
    {{ DiscussionBoard.errors[3455695].message }}
  • Profile picture of the author WorkitSmart
    Wow! Good info.

    My question may be a tad off subject but this thread is as close as I can find.

    I want my virtual assistant to have access to parts of WP but not all. Ideally only to the Pending Posts. I really don't like anyone (aside from my programmer) to have complete control over my livelihood.

    To date, I've managed to outsource practically everything except getting my posts 'live'. I just realized today as I've done everything except get my posts out, that I don't like that part.

    thanks for any input. dee
    {{ DiscussionBoard.errors[3895042].message }}
Avatar of Unregistered

Trending Topics