Security has always been a major issue on self-hosted Wordpress blogs. Attackers scan for vulnerable web sites that can be breached with little effort. With every new version, the core engine of Wordpress is getting more secure. Still, some extra steps are needed to harden its security as far as possible. There's no silver bullet that can guarantee complete protection from hackers, but we can make sure they get a tough time while attempting any intrusion.
There are three sub-systems that need your attention to secure them from potential threats, viz. the blogging CMS, the back-end database and the web server. Normally we have complete control over the blogging CMS and the database, while web server administration is handled by the hosting service provider unless you own a VPS (virtual private server) or have your own dedicated server. Remember, your Wordpress installation is only as secure as your web server. If there is any weak link in the server, all the security measures discussed below will be in vain.
Securing Wordpress Directory Tree
The basic strategy to make your installation secure is to restrict public access to sensitive files and directories. Whenever any CMS is installed, the directory tree is assigned certain access permissions that vary according to the importance, functionality and usage of each entry, to help protect it from unauthorized access. Following is the step-by-step method to protect your Wordpress files and directories.
Assigning directory permissions - Start with assigning correct permissions to your Wordpress installation tree. Here are some of the basic rules to follow.
1. No file or directory should have a permission of 777.
2. No file should have a permission of 666, except those theme files that are edited via built-in theme editor through Wordpress dashboard.
3. Ideally, all files should have permission of 644. Similarly, all directories should have permission of 755.
4. Some servers require permission of 'wp-content/uploads' folder to be 777.
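A script that checks a tree against rules 1 to 4 and resets it to the 644/755 baseline, added here as an example (it is not code from the original post). It assumes a POSIX shell with find and chmod, skips wp-content/uploads on both the audit and the fix because of rule 4, and builds its own throwaway sample tree to run against; point wp_find_world_writable and wp_fix_permissions at your real installation root instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Wordpress tree against the
# permission rules above and reset it to the 644/755 baseline.
# The sample tree built by wp_demo_tree is constructed for demonstration only.

# Print every file or directory under $1 that is world-writable (777, 666, ...).
# wp-content/uploads is skipped because some hosts require it to be 777 (rule 4).
wp_find_world_writable() {
    root=${1%/}
    find "$root" -path "$root/wp-content/uploads" -prune -o -perm -0002 -print
}

# Count the offenders so a cron job or deploy script can fail on a non-zero result.
wp_count_world_writable() {
    wp_find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset to the recommended baseline: directories 755, files 644 (rule 3).
# wp-content/uploads is left alone for the same reason as above.
wp_fix_permissions() {
    root=${1%/}
    find "$root" -path "$root/wp-content/uploads" -prune -o -type d -exec chmod 755 {} +
    find "$root" -path "$root/wp-content/uploads" -prune -o -type f -exec chmod 644 {} +
}

# Build a small constructed tree with deliberately bad modes, for demonstration.
wp_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-admin" "$t/wp-includes" "$t/wp-content/uploads"
    echo '<?php // placeholder' > "$t/wp-config.php"
    echo '<?php // placeholder' > "$t/wp-includes/functions.php"
    chmod 666 "$t/wp-config.php"          # violates rule 2
    chmod 777 "$t/wp-includes"            # violates rule 1
    chmod 777 "$t/wp-content/uploads"     # tolerated by rule 4
    echo "$t"
}

# Demonstration run against the constructed tree (assumed path from mktemp).
WP_ROOT=$(wp_demo_tree)
echo "World-writable entries before fix:"
wp_find_world_writable "$WP_ROOT"
wp_fix_permissions "$WP_ROOT"
echo "World-writable entries after fix: $(wp_count_world_writable "$WP_ROOT")"
rm -rf "$WP_ROOT"
```

Run the audit from cron and alert on a non-zero count: a file that quietly became 777 after a plugin install or a careless FTP upload is exactly the weak link the text warns about, and catching it before it is abused is far cheaper than cleaning up afterwards.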
Disabling public browsing of directory tree - Add the following code to your .htaccess file to prevent any kind of direct browsing activity. This ensures no one can view the contents of a directory simply by typing its path into a browser.
Options All -Indexes
Although the same effect can be achieved by placing blank index.html files in every directory, that is the most inefficient and least preferred way to disable directory browsing.
Securing the wp-admin, wp-content and wp-includes directories and wp-config.php - Apart from disabling direct browsing of the directory tree, some extra steps should be taken to restrict access to important directories and files.
Add the following lines to .htaccess to protect wp-config.php from unauthorized access. As the name implies, this file contains important Wordpress configuration settings needed to connect to your blog's database, including the MySQL username and password. The <files> wrapper limits the rule to that single file; a bare "deny from all" would block the whole directory.
<files wp-config.php>
order allow,deny
deny from all
</files>
Adding the following lines to the .htaccess file inside the wp-admin directory will protect your admin dashboard from intruders. Everyone is denied except the addresses listed with "allow from".
AuthName "Access Control"
order deny,allow
deny from all
allow from xx.xx.xx.xx
allow from xx.xx.xx.xx
Here xx.xx.xx.xx are the static IP addresses used by you or the other administrators/contributors of the blog. If you get a dynamic IP address each time you connect to the Internet, this method will not work at all. In that case, you can use the AskApache Password Protect plugin to protect wp-admin, wp-includes and wp-content without editing .htaccess yourself. This excellent plugin acts as a firewall and adds an extra layer of security, protecting your sensitive files from automated spam bots and hackers.
Hackers often target the Wordpress database to insert countless spam links within the posts. Whenever you install Wordpress, by default every table gets the prefix wp_ regardless of the table type. Intruders use this information to launch certain types of SQL injection attacks on the database. For better security, you must change this default prefix to something unpredictable. There are 3 methods to change this prefix.
Changing table prefix at the time of installation - This is one of the easiest methods of giving your Wordpress database tables a random table prefix.
At the time of installation, you get a chance to edit the table prefix. Choose a random and unpredictable table prefix that cannot be easily guessed.
Changing table prefix manually - This method can be painful for the technically challenged. It requires editing more than one .php file along with executing multiple SQL queries. However, if you are comfortable with basic (technical) blog maintenance skills, this excellent tutorial shows you how to change the table prefix in Wordpress through direct file editing.
Changing table prefix via plugin - Fortunately, Wordpress has a large repository of plugins available for almost every requirement. You can also use the WordPress Table Prefix Rename Plugin to achieve the same effect.
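For the manual method, the following script generates the SQL for the rename. It is added here as an example and is not part of the original post, nor of the tutorial or plugin mentioned above. It takes the old and new prefixes plus a list of table names (normally the output of SHOW TABLES; a constructed list stands in here) and emits RENAME TABLE statements for the matching tables, followed by the two UPDATE statements that fix the prefix stored inside the options and usermeta rows, which the rename alone does not touch. Changing $table_prefix in wp-config.php remains a separate manual step. Keep in mind that a renamed prefix only stops scripts that hard-code wp_; it does not fix an injectable plugin, so it complements the other measures rather than replacing them.

```shell
#!/bin/sh
# Added example (not from the original post): generate the SQL for a manual
# table-prefix change. Table names are read from stdin, one per line, as
# `SHOW TABLES` would print them; wp_sample_tables is a constructed stand-in.

# $1 = current prefix, $2 = new prefix, stdin = table names.
wp_prefix_rename_sql() {
    old="$1"
    new="$2"
    oldlen=${#old}
    while IFS= read -r table; do
        case "$table" in
            "$old"*)
                rest=${table#"$old"}
                printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "$rest"
                ;;
        esac
    done
    # Two tables store the prefix inside their *data*, not only in their names
    # (e.g. the wp_user_roles option and the wp_capabilities meta key). Miss
    # these and every account loses its role after the rename. Only the
    # leading prefix is replaced, so an unrelated key that merely contains
    # the old prefix further along is left alone.
    cat <<EOF
UPDATE \`${new}options\` SET option_name = CONCAT('${new}', SUBSTRING(option_name, $((oldlen + 1)))) WHERE LEFT(option_name, ${oldlen}) = '${old}';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, $((oldlen + 1)))) WHERE LEFT(meta_key, ${oldlen}) = '${old}';
EOF
}

# Constructed stand-in for `SHOW TABLES` on a default installation, plus one
# unrelated table that must be left alone.
wp_sample_tables() {
    printf '%s\n' wp_options wp_posts wp_usermeta wp_users other_app_data
}

# Demonstration: rename wp_ to the (assumed, constructed) prefix k7x2_.
wp_sample_tables | wp_prefix_rename_sql wp_ k7x2_
```

Review the generated statements before running them inside a transaction, and take the backup described in the next step first; the RENAME is quick to undo, but a half-applied UPDATE on usermeta is not.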
Regular database backups - Backups are lifesavers in the event of any catastrophe that may bring down your entire site. You can use the WP-DB-Backup plugin to back up the core tables as well as the additional ones (plugin and 3rd party script tables) of your blog's database. Make a habit of taking backups at least once a week, and keep more than one copy in two different locations.
Securing User IDs & Login Procedure
Almost every CMS has a built-in user access control mechanism that defines a hierarchy of user types, each with a different set of privileges. Wordpress is no different and supports a pretty good user access control mechanism. Hackers target this system to gain complete control of the CMS, leaving no chance to recover from the disaster. Here are some methods and safe practices that can help you strengthen the Wordpress access control mechanism.
Delete default administrator account - As soon as the Wordpress installation is completed, we get a default administrator account with the user id admin and a random, system-generated password. DO NOT use this account for maintaining your blog. Create a second account with administrative privileges and delete the default admin account.
Strengthen login procedure - With the help of these 2 plugins you can make your Wordpress logins more secure. Chap Secure Login encrypts your password to prevent anyone from stealing it while it is in transit to the web server. Login LockDown is an excellent plugin that helps prevent brute force attacks that try to guess your password. It disables the login function after a specified number of failed login attempts within a given time frame, blocking the IP range for a specified period of time.
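Whichever plugin you choose, the web server log shows the same pattern the plugin reacts to, and checking it is a useful cross-check. The script below is an added example (not part of the original post or of either plugin): it reads an Apache combined-format access log and lists clients with more than a threshold of failed POSTs to wp-login.php. It assumes the combined log format and relies on the fact that a failed login re-renders the form with status 200 while a successful one redirects with 302; the sample log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): find brute-force login attempts
# in an Apache combined-format access log, the same signal Login LockDown uses.

# Read log lines on stdin; print "ip count" for every client whose number of
# failed POSTs to /wp-login.php exceeds $1. Combined-format field positions:
# $1 client IP, $6 "METHOD, $7 request path, $9 status code.
# A failed login re-renders the form (200); a successful one redirects (302),
# so only 200 responses to a POST are counted as failures.
wp_login_flood_ips() {
    threshold="$1"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > t) print ip, hits[ip] }
    ' | sort
}

# Constructed sample log (documentation addresses, not real traffic).
wp_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [12/Mar/2009:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2009:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2009:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2009:10:02:15 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Demonstration: flag any client with more than 2 failed logins in the sample.
wp_sample_log | wp_login_flood_ips 2
```

On a real server, feed it a time window (for example the last hour of access_log) rather than the whole file, and compare the result with what the plugin has blocked; a client that shows up here but was never locked out is a sign that the plugin's thresholds or the log format need adjusting.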
Fine-tuning user access privileges - For multi-author Wordpress blogs, the Role Manager plugin is a boon. If you want to exercise greater control over user access permissions, this plugin can help you assign specific rights at a granular level.
Role Manager can create custom roles with tailor-made access privileges that can be assigned to any Wordpress user on your blog. You can even change and tweak the default roles provided by Wordpress, although this is not recommended and should be avoided.
Miscellaneous Steps To Harden The Security
Hide Wordpress version - Older versions of Wordpress have several loopholes that can be easily breached by seasoned hackers. It is always advisable to hide your Wordpress version to mask any vulnerabilities that may exist in the release you are using. The best way to hide this information is to place the following code in the functions.php file of your theme.
<?php remove_action('wp_head', 'wp_generator'); ?>
This removes the Wordpress version information from the HTML generated for the client side.
Keep search engines away from Wordpress folders - You'll never want your blog's entire directory tree to be indexed by search engines. This may expose the contents of sensitive directories, making it easy for hackers to analyze them and find potential loopholes. Add the following line to the robots.txt file, which is located in the root directory of your blog.
Adding this line ensures that none of the search engine bots are allowed to index the directory contents.
General Safety Precautions
1. Create strong passwords and change them frequently.
2. Keep your plugins and Wordpress release updated.
3. Regularly backup files and database.
4. Create a disaster recovery plan and simulate it on a test blog.
5. Avoid using plugins from unknown sources (they may include malicious code).
6. Use WP Security Scan plugin to find any vulnerabilities in your Wordpress installation.
7. If possible, avoid remote publishing via 3rd party publishing tools.
8. Use SSH or SFTP for secure editing of files and directories.
Image Credit: Peregrino Will Reign