The easiest way to secure WordPress
Because of WordPress’ popularity, the number of malware and other types of attacks is greater than on other platforms. There are five best practices that can reduce the risk, but site owners often don’t find out about them until well after they have an established website. Unfortunately, implementing some of these changes on a live site is difficult and, if done incorrectly, can crash the site.
The easiest way to secure WordPress is during the initial installation period and by not using a 1-click installer. Many webhosts have fast, convenient, “1-click” installers for WordPress, but they usually violate at least two of the recommended security measures, which creates extra work to change them later.
Prepping WordPress for installation
In your web host’s control panel for your site, you probably have all the tools you need to do your own installation of WordPress. It may be intimidating at first, but if your web host’s support is any good, they can help you through it (although they may recommend using the 1-click installer if they have one).
The following example is based on using cPanel, a common web host backend management system.
Create the database
To start, create a new MySQL database using either phpMyAdmin or, in cPanel, the “MySQL Databases” section. Your host probably has a predefined string that ties the database to your account. For example, Hostgator uses “username_” while Mediatemple uses “db12345_”. Other hosts may vary.
Choose a name for the database that is easy to associate with your site. Often the auto-installers will assign names like “wps1”. That’s especially useless if you’re on a multiple-domain account with several WordPress installations. After your initial installation, trying to remember which of your ten databases — all named as “wps1”, “wps2”, etc. — is associated with the site you want to make changes to is a waste of time. Choose a database name that is associated with the website.
Create a unique user for the database
Next, create a unique user for the database you just created. Be sure that the user is unique, especially if you’re on a multi-domain hosting package with multiple databases. If someone hacked into one database, and if you had the same user credentials for all of your sites, your entire network of websites could be compromised. For the same reason, use a strong, auto-generated password, not your dog’s name.
Similar to the default database name mentioned above, 1-click WordPress installs will often use a formulaic username like “wps1”. Again, if you’re on a multi-site hosting package with several sites, the generic username is little help in identifying what website and database it’s associated with.
Transfer the WordPress files to your server
Using your FTP client, copy an uncompressed version of the WordPress files into the folder of the domain that you’re installing for. This is the longest part of the process, especially compared to a 1-click install that only takes a couple minutes. On an average internet connection, the file transfer will take about 15 minutes.
Securing the database
Edit wp-config.php
The wp-config.php file is the file that WordPress needs to connect to the MySQL database. In the unzipped WordPress files, there will be a file called “wp-config-sample.php”. Rename it to “wp-config.php” and open it up in your favorite text editor.
Inside wp-config.php, scroll down until you find the following four variables:
/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');
/** MySQL database username */
define('DB_USER', 'username_here');
/** MySQL database password */
define('DB_PASSWORD', 'password_here');
/** MySQL hostname */
define('DB_HOST', 'localhost');
Change “database_name_here”, “username_here” and “password_here” to the credentials you just created in the steps above. You probably won’t have to change the “localhost” variable, but check with your web host to be sure. (You can leave it as “localhost” with Hostgator.)
Add some secret salts
No, this is not a cooking thing. To quote Brad Williams from StrangeWork, “A secret key is a hashing salt that is used against your password to make it even stronger.”
First, go to the WordPress salt generator. Copy everything that’s on the screen.
Second, go back to your wp-config.php file and find the following:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Highlight the above code in your wp-config.php file, and paste the WordPress-generated salts over top. The names of the variables should be the same as above, but now you’ll have the hashing salts alongside them.
Change the table prefix
When WordPress creates its database tables, it does so with a generic “wp_” prefix. This is well-known and some attacks on WordPress sites are done with automated scripts that assume that the prefix is “wp”. If you change the prefix, it reduces the chances that these attacks will be successful.
Scroll further down in the wp-config.php file until you find:
$table_prefix = 'wp_';
Change the prefix to something other than “wp”. Note that you can only use letters, numbers and underscores.
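The three wp-config.php edits above (database credentials, the eight keys and salts, and the table prefix) as one script. This is an added example, not code from the article: SAMPLE_CONFIG is a constructed stand-in for the relevant lines of wp-config-sample.php, and the salts are generated locally from `secrets` instead of being copied from the WordPress salt generator, so they use letters and digits only and need no escaping. The script refuses the default `wp_` prefix and any prefix with characters WordPress does not accept.

```python
import re
import secrets
import string

# Constructed stand-in for the lines of wp-config-sample.php that the article edits.
SAMPLE_CONFIG = """define('DB_NAME', 'database_name_here');
define('DB_USER', 'username_here');
define('DB_PASSWORD', 'password_here');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")  # the only characters WordPress accepts
ALNUM = string.ascii_letters + string.digits

def random_salt(length=64):
    # Letters and digits only, so the value is safe inside a single-quoted PHP string.
    return "".join(secrets.choice(ALNUM) for _ in range(length))
def php_quote(value):
    # Escape backslashes and quotes for a single-quoted PHP literal.
    return value.replace("\\", "\\\\").replace("'", "\\'")
def harden_config(sample, db_name, db_user, db_password, prefix=None, db_host="localhost"):
    # No prefix given: pick something like 'k7x2q_' instead of the well-known 'wp_'.
    prefix = prefix or "".join(secrets.choice(ALNUM).lower() for _ in range(5)) + "_"
    if not PREFIX_RE.match(prefix):
        raise ValueError("table prefix may contain only letters, digits and underscores")
    if prefix == "wp_":
        raise ValueError("refusing the well-known default prefix 'wp_'")
    values = {"DB_NAME": db_name, "DB_USER": db_user, "DB_PASSWORD": db_password, "DB_HOST": db_host}
    values.update({name: random_salt() for name in KEY_NAMES})  # eight fresh, distinct salts
    out = sample
    for name, value in values.items():
        line = "define('%s', '%s');" % (name, php_quote(value))
        out, n = re.subn(r"define\(\s*'%s'\s*,\s*'[^']*'\s*\);" % name, lambda m: line, out)
        if n != 1:  # missing or duplicated define: the template is not what we expect
            raise ValueError("expected one definition of %s, found %d" % (name, n))
    out, n = re.subn(r"\$table_prefix\s*=\s*'[^']*';", lambda m: "$table_prefix = '%s';" % prefix, out)
    if n != 1:
        raise ValueError("table_prefix assignment not found")
    return out
```

Write the returned text to wp-config.php; on a real install, point `sample` at the contents of wp-config-sample.php instead of the stand-in.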
Securely installing WordPress
Run the install script
Navigate to http://yourdomain.com/wp-admin/install.php. The WordPress install screen should appear.
Change the default username
When you see the install screen, you’ll notice that WordPress has auto-populated the username field with “admin”. Similar to the table prefix, this default is well-known, so if you’re using the admin account for your WordPress installation, it’s one less credential that someone needs to figure out in order to gain access to the CMS for your site. To make this more difficult, change the username from “admin” to something more personal. And always use a strong password.
Once you fill in all the fields on the install screen, click “Install WordPress”. Within a few seconds, your site will be ready to go with the default WordPress theme.
Isn’t the 1-click install easier than this?
Yes and no. It’s faster in the beginning, but then trying to change these security elements afterward is a pain. Trying to change these variables after installation, especially the table prefixes, involves messing around inside the database and has its own hazards to be wary of, including the possibility of crashing your site.
Modifying these WordPress elements before installation is much easier, smoother and, with practice, faster.
The last pieces of the puzzle
The last two best practices for securing WordPress are quick and simple and don’t necessarily need to be done during the initial install. They are:
- Moving your wp-config.php file out of the root directory; and
- Restricting access to your wp-admin folder to certain IP addresses.
Moving your wp-config.php file
WordPress is designed to look for your wp-config file in the root folder where you installed WordPress. If it doesn’t find it in the root folder, it’ll look for it one directory level up. Move your wp-config.php file up to the parent folder of where you have WordPress installed. So, for example, if you have WordPress installed in /yourdomain.com/blog/, move your wp-config file up one level and into the /yourdomain.com/ directory.
Note: If you’re on a multi-domain hosting plan where yourdomain1.com, yourdomain2.com, yourdomain3.com, etc. are all hosted at the same directory level, then moving all of those wp-config files up one level probably won’t work, because you can’t have multiple files with the same name in the same directory. There may be a way around this, but to be honest, I don’t know what it is…
Restricting access to /wp-admin/
Using your FTP client, create a file in the wp-admin directory called “.htaccess”. Copy and paste the following code into the file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from xxx.xxx.xxx.xxx
Where it says “allow from xxx.xxx.xxx.xxx”, replace the x’s with the IP address(es) from which you usually access your WordPress site. Create a new “allow from” line for each IP address. If you don’t know what your IP address is, next time you’re accessing your WordPress site, open a new tab and visit www.ipchicken.com. The IP address that appears on the screen is yours.
Note: if you’re on a dynamic IP (common for most ISPs), your IP address may change from time to time. If you ever try to access your WordPress control panel from the usual location and get a 404 not-found error, chances are your IP address has changed. Open up the .htaccess file you created in your wp-admin directory, visit IP Chicken again and update your “allow from” lines as required.
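Generating the wp-admin/.htaccess allowlist above from a list of addresses, and checking which client addresses it would let in, as an added example (not the article’s code). The header lines are the article’s snippet; `is_allowed` replays the `order deny,allow` evaluation that the snippet relies on (deny rules first, allow rules last, a matching allow wins), which is how you can confirm in advance that a changed home IP would be shut out. The addresses used are constructed documentation addresses (RFC 5737), not real ones.

```python
import ipaddress

# Header lines copied from the article's wp-admin/.htaccess snippet; the allow lines are generated.
HEADER = ['AuthUserFile /dev/null', 'AuthGroupFile /dev/null', 'AuthName "Access Control"',
          'AuthType Basic', 'order deny,allow', 'deny from all', '#IP address to Whitelist']

def build_wp_admin_htaccess(allowed):
    """Build the .htaccess text from a list of IP addresses or CIDR ranges (strings).

    A range lets you cover an ISP's address block when your home IP changes;
    anything that does not parse raises instead of being written to the file.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allowed]
    if not networks:
        raise ValueError("empty allowlist would lock everyone out of /wp-admin/")
    rules = ["allow from %s" % (n.with_prefixlen if n.num_addresses > 1 else n.network_address)
             for n in networks]
    return "\n".join(HEADER + rules) + "\n"

def _matches(target, client):
    # 'all' matches everyone; otherwise compare against an address or CIDR range.
    return target == "all" or client in ipaddress.ip_network(target, strict=False)

def is_allowed(htaccess_text, client_ip):
    """Replay Apache's 'order deny,allow' evaluation for one client address.

    Deny directives are checked first, allow directives last, and a matching
    allow wins; a client matching neither is allowed, which is why the file
    needs 'deny from all' before the allow lines.
    """
    client = ipaddress.ip_address(client_ip)
    denied = allowed = False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith("deny from "):
            denied = denied or _matches(line[len("deny from "):], client)
        elif line.startswith("allow from "):
            allowed = allowed or _matches(line[len("allow from "):], client)
    return allowed or not denied
```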
