WordPress security tips

Many people avoid using WordPress because they believe it has weak security. This is true, as it’s hard to be the most popular and most used CMS without being targeted by hackers. In this post I’ll write about plugins that can enhance your web site’s security, wp-config tricks and other configurations.


1. Semisecure Login Reimagined /plugin/

“Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in.” The plugin hasn’t been updated for the past 3 years, but it still keeps its high rating. The last WordPress version it was tested on was 3.1.4. It doesn’t work on servers using PHP 5.4, but there is a fix for that. Read this post by Chad Warner, where he writes about an alternative plugin that is up to date.


2. Block Bad Queries (BBQ) /plugin/

“BBQ checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI. These sorts of nefarious requests were implicated in the September 2009 WordPress attacks.” In short, this plugin will protect you from SQL injection-type attacks. There are no settings to touch; you just install it and it works out of the box.
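The three rules quoted above can also be run over an existing access log to see which requests they would match, including harmless ones. This is an added example, not the plugin's own code: the function names, the log format (common/combined) and the sample lines are assumptions made for illustration, as is the choice to match case-insensitively on the raw and percent-decoded URI.

```python
import re
from urllib.parse import unquote

MAX_URI_LENGTH = 255                      # length limit from the plugin description
BLOCKED_SUBSTRINGS = ("eval(", "base64")  # strings from the plugin description

# Pulls the request URI out of a common/combined-format access-log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')


def check_uri(request_uri):
    """Return the reasons this URI matches the BBQ-style rules ([] = no match)."""
    reasons = []
    if len(request_uri) > MAX_URI_LENGTH:
        reasons.append("too_long")
    # Assumption: compare case-insensitively, on the raw and the
    # percent-decoded form, so both spellings of a string are treated alike.
    forms = (request_uri.lower(), unquote(request_uri).lower())
    for needle in BLOCKED_SUBSTRINGS:
        if any(needle in form for form in forms):
            reasons.append("contains:" + needle)
    return reasons


def scan_log(lines):
    """Return (line_number, reasons) for every log line whose URI matches."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            reasons = check_uri(match.group(1))
            if reasons:
                findings.append((number, reasons))
    return findings


# Constructed sample lines (documentation IP range, made-up paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /?p=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?x=eval(foo) HTTP/1.1" 403 312',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /?data=BASE64_abc HTTP/1.1" 403 312',
    '203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /?q=' + "a" * 300 + ' HTTP/1.1" 403 312',
    # A harmless article slug still matches the substring rule:
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /blog/what-is-base64/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, reasons in scan_log(SAMPLE_LOG):
        print(number, reasons)
```

The last sample line shows the trade-off of plain substring rules: a legitimate URL that happens to contain “base64” is matched as well.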


3. Obfuscate E-mail /plugin/

You can do many things to protect your e-mail addresses from being harvested by spam bots. Some solutions rely on images, CSS tricks and so on, which might decrease your site’s usability. Yet the perfect solution, according to me and many other people, is Obfuscate E-mail. It gives you a high degree of control over how exactly to protect the e-mail address. It does everything automatically, with no need for shortcodes around email addresses like [email]youremail@mail.com[/email]. The e-mail address can still be copied and read without problems by real users.


4. Protect folder listing

Some hosts allow listing of folders. This means that if you type websiteurl.com/wp-content/uploads/ in the browser, you can see all the files in there, the same way you see them in Windows. Clever hosts protect your folders by responding with “Forbidden. You don’t have permission to access folderName on this server”. However, you can do something simple if your hosting doesn’t protect you by default. Having an empty index.html or index.php file in each folder solves the problem. Uninvited visitors to those folders will stumble on the empty index files instead of a list of folders and files. This is already implemented in WordPress, but it’s no pain to double-check for it.
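One way to do that double check, as an added example that is not part of the original post: walk a folder tree, report every directory that has neither index.php nor index.html, and create an empty index.php where one is missing. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import tempfile

INDEX_NAMES = ("index.php", "index.html")   # the two file names the tip mentions


def dirs_without_index(root):
    """Return paths (relative to root) of every directory lacking an index file."""
    missing = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not any(name in filenames for name in INDEX_NAMES):
            missing.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return sorted(missing)


def add_empty_index(root, relative_dirs, name="index.php"):
    """Create an empty index file in each listed directory; return how many were made."""
    created = 0
    for rel in relative_dirs:
        path = os.path.join(root, rel, name)
        if not os.path.exists(path):
            open(path, "w").close()
            created += 1
    return created


def demo():
    """Build a constructed wp-content tree, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as root:
        content = os.path.join(root, "wp-content")
        for rel in ("plugins", "uploads/2024/01"):
            os.makedirs(os.path.join(content, rel))
        # Constructed state: index files exist at the top levels only.
        for rel in ("", "plugins"):
            open(os.path.join(content, rel, "index.php"), "w").close()
        open(os.path.join(content, "uploads/2024/01/photo.jpg"), "w").close()
        before = dirs_without_index(content)
        add_empty_index(content, before)
        after = dirs_without_index(content)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("missing before:", before)
    print("missing after: ", after)
```

In the constructed tree the nested upload folders are the ones without an index file, which is why the check is worth repeating after new folders appear.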


5. Admin user

Never use the default username admin for your user. That’s gonna be the first user I’ll look for, if I’m a hacker and I want to break into your site. It’s not just the name, but also the userID. The first user in the database always has a userID of 1. You can do a few things to close those security holes. Use a different user name for your admin user; create a new user and make him admin, then delete the first one or edit the userID through phpMyAdmin; don’t use your admin user as the author of posts. How about we fool the hackers?! Create a user named admin, but change its privileges to subscriber. In addition, use a password generator and go for 16+ symbols. Now the hackers will see that there is a user named admin, but won’t know that dealing with it is going to be a huge waste of their time (credit goes to @disastacre from Shtrak.eu).


6. Wp-config.php Secret Keys

Your wp-config.php file should have a section defining Secret Keys. Sometimes after an install those keys are missing and you need to add them manually. Look for the following lines:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');

If you see “put your unique phrase here”, then visit http://api.wordpress.org/secret-key/1.1/ and get some.
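The same check can be scripted so it covers every key and not only the two lines shown. This is an added example, not code from WordPress or from the original post: the function name and the sample config are constructed, and the list of eight key and salt names is the one found in WordPress’s sample config file (the post shows only the first two).

```python
import re

REQUIRED = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Matches define('NAME', 'value'); with a single- or double-quoted name.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'([^']*)'\s*\)\s*;""")


def audit_secret_keys(config_text):
    """Map each problematic key name to 'missing', 'placeholder' or 'duplicate'."""
    defined = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue                      # a commented-out define does not count
        for name, value in DEFINE_RE.findall(line):
            defined[name] = value
    problems, seen = {}, set()
    for name in REQUIRED:
        value = defined.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif value in seen:
            problems[name] = "duplicate"  # same secret reused for two keys
        else:
            seen.add(value)
    return problems


# Constructed sample; the values are labels, not real keys.
SAMPLE_CONFIG = """\
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-sample-value-A');
define('LOGGED_IN_KEY',    'constructed-sample-value-A');
// define('NONCE_KEY',     'constructed-sample-value-B');
define('AUTH_SALT',        'constructed-sample-value-C');
define('SECURE_AUTH_SALT', 'constructed-sample-value-D');
define('LOGGED_IN_SALT',   'constructed-sample-value-E');
"""

if __name__ == "__main__":
    for name, problem in audit_secret_keys(SAMPLE_CONFIG).items():
        print(name, problem)
```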


7. Version of WordPress

Each WordPress version has security holes which are known to hackers. Displaying which version your WP install is running seems like unnecessary exposure. You just need one line of code in your functions.php file to hide that meta tag.

remove_action('wp_head', 'wp_generator');

Don't forget to re-add it if you change themes!

8. Proudly powered by…

This poses the same security risk as the previous point, but the solution is different. This text is generated by code in your footer.php – go and delete it. You can help the WordPress community by creating a free theme or plugin if your conscience starts torturing you.


9. Hide WordPress install directory

Typing /wp-admin after the domain name of a web site can show whether it uses WordPress, by displaying the login page. Let’s say you want to change this. It’s very simple:

  • Create the new folder where you want to move your WordPress install (let’s call it secure).
  • Go to Settings -> General and change WordPress address (URL) to point to the new folder. Save changes.
  • Move all files to the new folder except for index.php and .htaccess. If you don’t see .htaccess, you need to find the option in your FTP client for displaying hidden files (if you are using FileZilla, navigate to Server -> Force showing hidden files).
  • Open and edit index.php. Where it says require('./wp-blog-header.php'); change it to require('./secure/wp-blog-header.php');
  • Some people advise updating Permalinks from Settings.
  • Now all links to images will be broken. We need to fix this. But this is also the point where you can change the default wp-content/uploads folder to something else. Create a folder called something on the same level as wp-content, wp-admin, wp-includes.
  • Go to Settings -> Media -> Store uploads in this folder and write the name of the newly created folder.
  • Grab all your previous files from uploads and move them to the new folder.
  • You are almost there. Things here don’t happen automatically just by changing the folder name in Settings. You need to change every instance where you point to an image.
  • Install Velvet Blues Update URLs. Go to Settings -> Update URLs and write the old and new URLs. The update happens very fast. Example of old and new URL: old (example.com/wp-content/uploads) to new (example.com/something).
  • That’s it!

Now you have a WordPress install in one folder, and the actual website shows in another (the root). Cool, isn’t it?! Note: Do some localhost testing of the switches and changes before rushing into such changes on your online site. It’s also good to disable all plugins before moving things to the new folder.

  • Moving WordPress within your web site – wp codex
  • Giving WordPress its own directory – wp codex


10. Passwords

Write long passwords which don’t make any sense. Include symbols like !~%^&&**, numbers and capital letters. This might sound pointless to mention, but some people still use short passwords that are easy to guess by brute force.


11. Limit Login Attempts /plugin/

This plugin is perfection! You can lock out a user who reaches a customized number of attempts to log in. The default settings are 4 attempts, followed by a lockout of 20 minutes. Limit Login Attempts protects against brute-force breaking of passwords. You can read more about it on the WordPress plugin page: Limit Login Attempts


12. Wrong password error message

When you try to log in and you type a wrong username, you get the error message “Invalid username.”. But if you write a correct username and a wrong password, the error message will say “The password you entered for the username is incorrect”. You don’t want to let hackers know that they’ve guessed an existing username. Those error messages need to be changed. And what a surprise – Limit Login Attempts does exactly this for you. Instead of showing “Wrong password for username” it always displays “Incorrect username or password”. If you want to write a different message, just open limit-login-attempts.php from the plugin folder of Limit Login Attempts, look for the error message and change it to whatever you like.

Sources

  1. The idea of admin username with subscriber rights is from Vladimir /Shtrak.eu/
  2. Smashing WordPress beyond the blog – a good place to read about WordPress security tips and more

There might be many more ways of making your WordPress install more secure. I’d be glad if you can share some of your preferences and favorite plugins in the comments area, so we can make this post a useful place for WordPress beginners. Have a safe WordPressing!
