WordPress is the most popular used blogging/CMS software which is why I guess it is used by millions of websites around the world. Unfortunately, there are some very bad people out there that will try their hardest to exploit any weaknesses in your blog. If you look through your logs you can guarantee that someone, or something, like bots, for example, has tried to gain access to your site by attempting to access your login page, registration page or even your forgotten password page. Of course, you can never completely eradicate the bad boys but with a good knowledge of WordPress security can help you protect your site as much as possible.
Basic WordPress Security
We will start off with some WordPress Security basics that should be adhered to by default or wherever possible, in some cases.
Keep updated! Make sure that your WordPress, themes and plugins are up-to-date. Bots will exploit vulnerabilities with older versions of files.
Usernames and Passwords – Never use admin as your username and always use a strong password as this is your first line of security.
Remove WP version info – Here is a tutorial on WP beginner to remove the version info of your WP installation. You can also rename or remove the readme.html file in the root of your installation.
Database Prefix – Change the default database prefix to something random. If you are using WP for the first time you can easily change it in the file wp-config.php. If WordPress is already installed then follow the tutorial How to Change the WordPress Database Prefix to Improve Security, but always make a backup first.
Check your file and folder permissions – Files should usually be set at 644 and folders should be 755. If you are unsure the plugin File Permissions & Size Check will be able to help you out.
More information can be found on the WordPress Codex – Changing File Permissions.
If you have SSL with your hosting then you can force login or the entire admin area to use it, this will encrypt any sensitive data. Yoast have covered this in the tutorial WordPress SSL setup tips & tricks
Wordfence – WordPress Plugin
Wordfence is a firewall and site blocker plugin. You can set it to email you when someone tries to access your login, forgotten password and registration pages and block access to those for a given time.
You can also block these IP addresses permanently, although bear in mind dynamic IP addresses change periodically so it’s not a permanent solution but can be used effectively to block multiple attacks. The firewall option allows you to throttle (limit) web traffic. There is also a live traffic view which is now compatible with the popular caching plugin Total Cache.
5G Firewall – Htaccess Hack
Have you heard of .htaccess? The 5G firewall isn’t a WordPress plugin but a snippet that you place into your .htaccess file in the root of your WordPress installation.
It blocks and redirects malicious URL requests that are used to attempt to gain access to your site. It is designed for WordPress users in mind and has been tested out with lots of plugins. It’s also worth checking out the WordPress Addon that will work along the 5G firewall which will protect your site from bad URL requests.
Harden WP – WordPress Plugin
Harden WP is a relatively new plugin that changes certain pages of your site like wp-login.php and wp-admin which are normally targeted by hackers. It also adds a list of bad bots to your .htaccess to block access.
CloudFlare – Service
Using CloudFlare DNS servers help protect your site from cross site scripting, SQL injection, comment spam, excessive bot crawling, email harvesters. Not only that it accelerates the speed and preserves bandwidth. Unfortunately, CloudFlare isn’t compatible with every web host but if it is something that you are interested in then check to see if your web host supports it.
Google Authenticator – WordPress Plugin
Two-factor authentication is a very popular method of logging in. Typically a normal login will consist of a username or email and a password combination. With this extra feature, you still have these features but there will be an extra field where you enter a code or some plugins will even send you a text message. Website such as Google, Dropbox, Yahoo has an option to enable it.
Here is a good tutorial on how to get google authenticator up and running. To make it simpler use 2 browsers, if available, stay signed in on 1 and use another to make sure it works.
Conclusion
You have probably got more chance of winning the lotto jackpot than you have of totally eliminating your blog from being attacked in some way, but by making small changes and installing a couple of plugins you can make it a lot more difficult! Please feel free to add more tips in the comments section below.
Further Useful Reading
- Ongoing WordPress Security Attacks, The Details and Solutions
- How to Password Protect WordPress Admin (or Any) Apache Directory
- Hardening WordPress
- The Bloggers Guide to WordPress Security