WordPress Security Basics: now available in presentation form!
Each year thousands of websites are hacked. Sometimes it’s by way of a crafty social engineer (someone who tricks someone into giving up information without realizing it) conning some unsuspecting user out of his/her login. Other times it’s a backdoor in some code that grants a malcontent access to a site.
If your site is running on WordPress you can rest easy – WordPress core is considered to be a very secure application. The downside to WordPress core being secure is that if someone breaks into your site you likely have nobody but yourself to blame. Never fear: these tips will help keep your site safe and sound.
The easiest step you can take towards a more secure WordPress site is using strong, unique passwords. Database passwords should be different than your SSH and/or FTP passwords which should in turn be different than your user login credentials. With the number of good, secure password vaults out there (I prefer 1Password synced via Dropbox for my laptop and phone and we use LastPass at work) there’s no absolutely no good reason to re-use passwords. For generating user passwords in WordPress there’s WP Password Generator, a free plugin that will generate a strong password with one-click.
If you don’t want to deal with a password manager (though I highly recommend it) another approach is to use a number of disconnected words (example: “piano garden table labrador”). Obviously it’s important to use different words for each site, meaning your mileage with this technique may vary.
Keeping WordPress up to date
WordPress core development is led by a team of highly skilled developers with hundreds of other developers contributing code. Thousands of developers across the globe work with WordPress on a daily basis. Generally speaking, the WordPress point releases (for example, 3.5.2 is the second point release in the 3.5 release family) are security updates and considered safe to install (major releases, like the upcoming version 3.6, require more thoughtful upgrade as these are more likely to break existing code).
Unlike WordPress core third-party plugins do not go through stringent security audits. Often they’re released and maintained by a single or small team of developers, typically have little or no formal testing in place, and are more likely to break on upgrade. It’s important to research a new plugin before installing it and always test it in a staging environment before promoting it to production.
Remember that every plugin you install carries with it a certain level of technical debt. For every widget, slider, or photo gallery you introduce a greater risk of plugin conflicts and/or security holes. Backup your site before installing a new plugin, test it thoroughly before deploying, and stick to plugins from trusted developers. The WordPress.org forums offer users the ability to write reviews for and rate plugins; if you find a plugin that works well (or one that doesn’t), please take the time to write a quick review covering your experience with the plugin. It means the world to developers of good plugins and helps other site owners avoid broken, buggy, or insecure plugins.
If you have multiple users on your WordPress site it’s important to remember that your site is only as strong as its weakest user. Perhaps it’s the product manager who needs to update the product catalog but hands out his password to her subordinates. Maybe it’s the C.E.O. that keeps her password on a post-it note stuck to her monitor. It’s important that everyone with access to the site understands the importance of password security and never revealing login credentials to people who shouldn’t have access.
Your site is only as strong as its weakest user.
Avoid the “admin” username
Recently there has been a botnet (a network of hijacked computers) attack on WordPress sites attempting to brute-force access, typically using the default “admin” username. You can reduce your risk by changing the “admin” username (more advanced users can change the username directly in the database).
Avoiding the default username is an example of a practice referred to as “security through obscurity“; if your site isn’t doing what everyone else’s is that means more time/effort required by the attacker and a higher chance that they will move onto the next target.
Restrict user capabilities
Depending on your organizational structure you may want to read up on WordPress roles and capabilities. Rather than defaulting every user to administrator access you can limit the actions that can be taken by a specific user. Besides making it easier to moderate content before it’s published restricting user capabilities also reduces the pool of privileged user accounts that could be compromised. If any account were to compromised wouldn’t you rather it be one that can’t edit site settings, install plugins, or publish anything without editor approval?
Limit login attempts
If you took my advice and have started using a password manager then chances are you’re not having to actually type your WordPress password very often and, as a result, will be unlikely to mis-type your password (both of the password managers I mentioned earlier can fill in forms for you). You can help block botnets and other scripted attempts to brute-force your WordPress site by installing a plugin like Limit Login Attempts to lock-out an IP address after a number of failed login attempts. An enterprising hacker could still spoof his IP address in order to try again but the lock-out is just another hurdle to overcome in order to break in.
Hardening your wp-config.php
Your wp-config.php file should be treated as the most sensitive file in your WordPress installation. After all, it contains your database credentials (which, as we’ve already discussed, should be strong and unique). Beyond the database passwords there’s a section that looks like this:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
If your wp-config.php looks like this you should visit https://api.wordpress.org/secret-key/1.1/salt/ right away and replace the defaults in wp-config.php. These items are used in the encryption of cookies, passwords, and forms in your WordPress site. You can learn more about the keys and salts in the WordPress Codex.
Relocating WordPress directories (advanced)
A little known feature of WordPress is that it allows you to relocate the wp-content directory. While this isn’t enough in itself to consider your site secure it is another example of security by obscurity. By moving wp-content (which contains your theme, plugin, and uploads, among other items) out of the default WordPress location your site is less at-risk from “dumb” scripts probing for common vulnerabilities related to that directory. Opinions vary on whether or not this is an effective strategy but it may be worth evaluating for your site.
A final note on WordPress security
If a hacker is skilled, motivated, and has reason to target you then the steps above may not be enough. In most cases hacking a WordPress site is a crime of opportunity – somebody sees a vulnerability and exploits it. Anything you do to make it harder for an unauthorized user to access your site reduces your risk and makes it that more likely that the hacker/botnet will move on to the next, more vulnerable site.
- Hardening WordPress from the WordPress Codex
- The Definitive Guide to WordPress Security from Moz Blog (extensive and somewhat advanced)
- Three Tips to Fight WordPress Hacks from Van Patten Media
- How to Cope with a Hacked Site from WordPress core contributor Otto
Great minds think alike Steve! I came across your post AFTER I had written mine, which was written in light of a very stressful few days dealing with the aftermath. FOLKS – listen to this good man and take heed of his advice. And if you want to read one woman’s tale of what happens when you don’t, you can here: http://brightspark-consulting.com/how-to-keep-your-wordpress-site-secure/
Very thoughtful and useful information. You really helped answer a few questions that have been nagging me. Definitely one of the better blog posts about WordPress security and password use.