Hardening WordPress

By Jonathan on May 24th, 2010 in Tutorials, Wordpress

WordPress is far and away the most popular platform for self-hosted blogs and, as such, frequently comes under attack from a variety of sources: malware authors looking for an easy way to distribute viruses, spammers wanting to insert garbage links, and identity thieves wanting to place tracking tools on your visitors’ computers.

That says nothing of the hackers who simply want to delete your data or wreck your site for no reason, or of the viruses that are regularly unleashed on the Web for the sole purpose of infecting and defacing as many sites and servers as possible.

Given that WordPress is such a huge target, and essentially a program running on a publicly-accessible computer, it is worthwhile to take a moment and make sure that you’ve taken all the right steps to protect it against intrusion.

On that front, Automattic has a great guide on the basics of hardening WordPress but it might be a bit intimidating for average users and omits a few good options.

With that in mind, here are some tips for hardening your WordPress installation against attack.

Step 1: Ensure Server Software is Current

If you are on a shared host, a managed VPS/grid host or any other managed solution, this responsibility actually falls to your Web host. However, if you are on an unmanaged solution, you need to make sure that your operating system, Web server, PHP, MySQL and other server components are up to date.

Ensuring that this “lowest layer” of software is secure is critical to avoiding hacks on your server. These elements are the most dangerous if breached and the most common elements used on the Web in general, making them even more popular targets for hacking than WordPress.

Step 2: Update WordPress and Plugins

Make sure that your WordPress and its plugins are up-to-date. Every recent version of WordPress has the ability to automatically update plugins and core files from within the WordPress backend. In fact, you should get clear notifications if either is out of date (core notifications are displayed at the top of every page in the backend and plugin updates are highlighted by a number next to the plugins menu).

You can upgrade either by going to Tools -> Upgrade and choosing whether to update your plugins or your main install. You can also update plugins one at a time using the Plugins menu.

Staying on top of WordPress and plugin updates will keep your site free of known security flaws and help prevent intrusions.

Step 3: Use Good Passwords and Delete “Admin” Account

Next, make sure that the password for the administration area of your site is solid, containing letters, numbers, special characters and a mix of capitalization. If you want, you can use a password generator to help you out.

Also, make sure that you’ve deleted the default “admin” account and given your administrator a different username. Even though your password is your main line of defense, a difficult-to-guess username adds another hurdle.

Step 4: Restrict Access to wp-admin

If you use cPanel, you can password-protect the wp-admin folder at the server level, adding an extra layer of protection. Anyone wanting to reach the administration area of your site then has to know BOTH the server login for the folder AND the WordPress login.

You can also use the AskApache Password Protect plugin for this purpose.

As another alternative, if you only access your site from one computer or a small number of machines and IP addresses, you can also limit access to the folder by IP address, ensuring that only you can access it. However, this will require updating every time your IP address changes.
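An added example (not from the original post) of the IP-address alternative: a small shell function that writes an Apache 2.2 style .htaccess for wp-admin allowing only the addresses you pass in. The function name and sample addresses are mine, and it assumes your host honours .htaccess overrides; it also keeps admin-ajax.php reachable, because themes and plugins call that file for logged-out visitors.

```shell
# Added example, not from the original post: emit an .htaccess that limits
# wp-admin to an allowlist of addresses (Apache 2.2 directives, current in 2010).
# Assumes AllowOverride permits Order/Allow/Deny; names and addresses are mine.
# Usage: write_wp_admin_htaccess /path/to/wp-admin 203.0.113.5 198.51.100.0/24
write_wp_admin_htaccess() {
    dir="$1"
    shift
    {
        echo '# Only the listed addresses may reach the admin area.'
        echo '# With "deny,allow" an Allow line overrides the Deny.'
        echo 'Order deny,allow'
        echo 'Deny from all'
        for ip in "$@"; do
            echo "Allow from $ip"
        done
        echo ''
        echo '# admin-ajax.php is called from the public front end by themes'
        echo '# and plugins, so it must stay reachable for everyone.'
        echo '<Files admin-ajax.php>'
        echo '    Order allow,deny'
        echo '    Allow from all'
        echo '    Satisfy any'
        echo '</Files>'
    } > "$dir/.htaccess"
}

# Command-line use: sh wp-admin-htaccess.sh /var/www/html/wp-admin 203.0.113.5
if [ "$#" -ge 2 ]; then
    write_wp_admin_htaccess "$@"
fi
```

Remember that every time your own address changes you have to regenerate the file, which is exactly the maintenance cost the post mentions.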

Step 5: Move Your Config File

It’s a little-known fact that your wp-config.php file can be moved to the directory above your WordPress install, keeping it outside the web-accessible tree so that it is not viewable or accessible to anyone but you and your server.

This may prevent plugins and other tools from editing the file automatically, but you can always move it back into place temporarily while those changes are made and then move it out again when done.

Considering this file houses your database username and password, it’s probably a good idea to take every precaution possible.

Step 6: Check Folder Permissions

In theory, all WordPress folders should be set to 0755 and all files to 0644, unless you wish to use the built-in theme or plugin editors, in which case the relevant files need to be 0666.

However, for various reasons, those permissions often get changed or set incorrectly. As such, it pays to take a moment and go through the permissions and make sure that everything is set correctly.
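Here is an added shell example (not from the original post) that lists every directory not set to 0755 and every file not set to 0644 under a WordPress install, plus a companion function that resets them; the function names are mine and it assumes a POSIX shell and find.

```shell
# Added example, not from the original post: audit (and optionally reset) the
# permissions recommended above, 0755 for directories and 0644 for files.
# Assumes a POSIX shell and find; the function names are my own.

# Print one line per path whose mode is not the recommended one.
audit_wp_perms() {
    root="$1"
    # Directories whose mode is not exactly 0755 (the install root included)
    find "$root" -type d ! -perm 0755 \
        -exec sh -c 'printf "DIR  wants 0755: %s\n" "$1"' _ {} \;
    # Files whose mode is not exactly 0644. Files you edit through the theme or
    # plugin editor may legitimately be 0666; they are listed so you can decide.
    find "$root" -type f ! -perm 0644 \
        -exec sh -c 'printf "FILE wants 0644: %s\n" "$1"' _ {} \;
}

# Number of offending paths, handy for a cron job that mails you when non-zero.
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Reset everything to the recommended modes. Run audit_wp_perms first, and
# re-grant write access afterwards where the web server needs it (uploads).
fix_wp_perms() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Command-line use: sh wp-perms.sh /var/www/html
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

Directories the web server must write to, such as wp-content/uploads, will show up in the report; review those by hand rather than blindly running the fix.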

Step 7: Change Your Table Prefix

WordPress, by default, uses a prefix of wp_ when setting up a new table. While this is fine and makes it possible to host multiple blogs in the same database, it can also make it easier to attack the site.

Thus, it is a good idea to change the prefix to something else, just to make it more difficult to execute an attack against your database. The process can be a bit complicated, but is usually well worth the time and effort.
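The complicated part of the prefix change is that the prefix is embedded not only in table names but also in a handful of option and user-meta keys; as an added example (not from the original post), this shell function generates the SQL for both, assuming the core table list of WordPress 3.x (current in 2010) and a MySQL backend. The function name and the sample prefixes are my own.

```shell
# Added example, not from the original post: generate the SQL for changing the
# table prefix. Assumes the WordPress 3.x core tables and MySQL; the function
# name and the sample prefixes (wp_, x7k_) are my own.
wp_prefix_sql() {
    old="$1"
    new="$2"
    # 1. Rename every core table.
    for t in commentmeta comments links options postmeta posts \
             term_relationships term_taxonomy terms usermeta users; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    # 2. Rows whose *key* embeds the prefix. Without these updates every user,
    #    including the administrator, loses its role after the rename.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    for k in capabilities user_level user-settings user-settings-time; do
        printf "UPDATE \`%susermeta\` SET meta_key = '%s%s' WHERE meta_key = '%s%s';\n" \
            "$new" "$new" "$k" "$old" "$k"
    done
    # Named keys are used on purpose: a blanket REPLACE(meta_key, 'wp_', ...)
    # would also rewrite unrelated keys that merely happen to start with wp_.
}

# Command-line use: sh wp-prefix.sql.sh wp_ x7k_ > change-prefix.sql
if [ "$#" -eq 2 ]; then
    wp_prefix_sql "$1" "$2"
fi
```

Back up the database first, run the generated file through the mysql client, and only then set `$table_prefix = 'x7k_';` in wp-config.php before loading the site again.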

Step 8: Consider Plugins

Finally, there are several plugins that offer to handle much of the security for you. One example is WP Security Scan, which runs several checks against your site and alerts you to potential problems, including table prefix issues, and helps you correct them.

Another is Secure WordPress, which actually checks for some 20+ different things, some of which are very minor, and can also submit your site for a scan at free SiteSecurityMonitor.com.

Either of these plugins can help alert you to potential problems and make hardening your installation much easier. Considering that they are both free, they are well worth the time and energy to install.

Bottom Line

In the end, security is not about being secure or insecure, but about being more or less so. There is no such thing as complete security and, even if you take every step in this guide or every other WordPress hardening guide, you can still be hacked, especially by a determined attacker.

However, taking these steps makes it much more difficult and that, in turn, ratchets up the skill, luck and determination required to hack a site. No site is impervious, but some are definitely harder targets than others.

So while it may not make your site invincible, it certainly makes it less likely to get hit.

(Thanks to fazong for the image).
