How to Harden Your WordPress Blog Security
WordPress is the world’s most popular platform for self-hosted blogs.
Unfortunately, that popularity also makes it the most widely attacked: spammers, malware distributors and identity thieves run automated scans for known weaknesses in outdated installs, plugins and themes, so an unpatched blog is found quickly whether or not anyone is interested in it personally.
The official WordPress documentation has a thorough guide to ‘hardening’ WordPress – in other words, making it more difficult to hack. In this article, we’ll look at some easier routes and alternative methods.
Is Your Server Software Up to Date?
Shared hosting customers, and those on a managed server, don’t need to patch the server software themselves: the host maintains the operating system, web server, PHP and MySQL. It is still worth checking that the host offers a supported PHP version, since WordPress runs on whatever PHP the account is given.
Unmanaged hosting (a VPS or dedicated server) puts that job on you. Apply operating-system and application updates promptly, because most compromises exploit vulnerabilities for which a patch already exists.
What About WordPress and Your Plugins?
WordPress itself should be updated as soon as a release appears, as should every plugin and theme you have installed, including inactive ones: a disabled plugin’s files are still on the server and still reachable over the web. Most of the time, updating is a single click in the admin area and a few seconds’ wait. Take a backup first so a broken update can be rolled back, and delete plugins and themes you no longer use rather than leaving them disabled.
If something’s out of date, you’ll be notified in the WordPress admin area.
Password and Account Etiquette
Make sure the passwords you use for WordPress are strong: long, unique to this site, and ideally generated and stored by a password manager rather than assembled by hand from a mix of letters, numbers and upper/lower case. The same goes for the database password in wp-config.php and for your hosting, FTP and cPanel logins, since any one of those hands an attacker the whole site.
For an extra layer of security, create a second administrator account (on a multisite network, a Super Admin), log in as it, and delete the account with the ‘admin’ username, reassigning its posts to the new account when WordPress asks. This blunts the bots that hammer wp-login.php with ‘admin’ and a password list, but don’t count on the new username staying secret: WordPress reveals login names through author archive URLs and, since version 4.7, through the REST API, so the password is what actually protects the account.
Block the wp-admin Directory
If you use cPanel, its directory password protection puts HTTP basic authentication in front of the wp-admin folder (it writes the .htaccess and .htpasswd files for you). Alternatively, use the AskApache Password Protect plugin. Either way, exempt wp-admin/admin-ajax.php: themes and plugins call it from public pages, and protecting it prompts every visitor for a password or silently breaks those features. Remember too that the login form itself, wp-login.php, sits in the site root rather than in wp-admin, so it needs its own rule.
If you need more robust protection, limit access to the folder by IP address instead of (or as well as) a password. Note: this is restrictive if you administer WordPress from different connections or locations, and it is only as reliable as your address is static.
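As an added example (not from the original article, and not a cPanel feature), here is a small POSIX shell function that writes the Apache rules for the IP-restriction approach described above, keeping admin-ajax.php public and covering wp-login.php as well. It assumes Apache 2.4 with .htaccess overrides enabled; the document root and the addresses are placeholders.

```shell
#!/bin/sh
# Write Apache 2.4 rules that limit wp-admin and wp-login.php to an IP allowlist.
# Assumptions (this is an added example, not part of the original article):
#   - Apache 2.4 with mod_authz_core ("Require ip") and AllowOverride enabled
#   - the first argument is the WordPress document root, the rest are IPs/CIDRs
# Usage: restrict_wp_admin /var/www/html 203.0.113.10 198.51.100.0/24
restrict_wp_admin() {
    docroot=$1
    shift
    if [ $# -lt 1 ]; then
        echo "restrict_wp_admin: need at least one IP address or CIDR" >&2
        return 1
    fi
    allow=$*

    # wp-admin/.htaccess. admin-ajax.php must stay reachable by everyone
    # because themes and plugins call it from public pages. Apache merges
    # <Files> after the directory-level Require, and with the default
    # AuthMerging Off the later "Require all granted" replaces the IP rule
    # for that single file.
    cat > "$docroot/wp-admin/.htaccess" <<EOF
# Generated by restrict_wp_admin
<Files admin-ajax.php>
    Require all granted
</Files>
Require ip $allow
EOF

    # wp-login.php lives in the site root, outside wp-admin, so the
    # directory rule above never sees it; append a per-file rule there.
    cat >> "$docroot/.htaccess" <<EOF

# Generated by restrict_wp_admin: login form only from admin addresses
<Files wp-login.php>
    Require ip $allow
</Files>
EOF
}

# Demo against a throwaway directory tree (constructed here, not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/wp-admin"
restrict_wp_admin "$demo" 203.0.113.10 198.51.100.0/24
cat "$demo/wp-admin/.htaccess" "$demo/.htaccess"
rm -r "$demo"
```

The same <Files> pattern can be applied to xmlrpc.php, which also accepts username and password and is a favourite of brute-force bots. If your server still runs Apache 2.2, the equivalent is the older Order/Deny/Allow syntax, which the function above does not emit.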
Move Your Config File
The wp-config.php file, which holds your database credentials and secret keys, can be moved to the directory directly above the WordPress install. WordPress looks there automatically if the file is not in its own directory, so nothing else needs to change. The point is that a misconfigured server which starts serving PHP files as plain text can no longer hand the file to anyone who asks for it. This only helps if the parent directory is itself outside the web root; for a blog installed in a subdirectory of a public site, moving the file one level up gains nothing.
However, some plugins and tools that write to wp-config.php (caching plugins, for example) assume it lives in the install directory, so you may find yourself moving the file back and forth for plugin changes and updates. Weigh up the potential inconvenience.
Change Your Folder Permissions
Check your permissions using the CHMOD dialog in your FTP application, or look at the file list, where many clients display them.
All folder permissions for WordPress should be 755 and all files 644. The built-in theme and plugin editor only works if the web server process can write to those files; rather than loosening them to 666, which lets every other account on a shared server edit your code, disable the editor by setting DISALLOW_FILE_EDIT to true in wp-config.php and edit files over SFTP instead.
Permissions that are too loose let an attacker who compromises any other site on the same server, or any stray script, modify your files.
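The permission reset above, as an added example rather than code from the article, in POSIX shell: it applies 755/644 across a WordPress tree, tightens wp-config.php, and lists anything still world-writable so it can be investigated. The document root in the usage line is a placeholder, and the demo tree is constructed on the spot.

```shell
#!/bin/sh
# Reset a WordPress tree to the conventional permissions and report anything
# still world-writable. Added example, not from the original article; the path
# in the usage line is a placeholder.
# Usage: fix_wp_permissions /var/www/html
fix_wp_permissions() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "fix_wp_permissions: not a directory: $root" >&2
        return 1
    fi
    # 755: owner may write, everyone may list/traverse. 644: owner may write,
    # everyone may read. Run as the owner of the files (or with sudo).
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database password, so nobody but the owner
    # needs to read it when PHP runs as the file owner (suPHP, FPM pools).
    # If PHP runs as a separate web server user, use 640 with that user as
    # the group instead of reopening the file to everyone.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Anything writable by "other" (666, 777, ...) can be modified by any other
# account on a shared server. List it rather than silently fixing it, because
# an unexpected entry is worth investigating as a possible compromise.
find_world_writable() {
    find "$1" ! -type l -perm -0002
}

# Portable octal mode (GNU stat first, then BSD/macOS stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Demo on a constructed throwaway tree with deliberately wrong permissions.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/example"
printf '<?php\n' > "$demo/wp-content/plugins/example/example.php"
printf '<?php\n' > "$demo/wp-config.php"
chmod 777 "$demo/wp-content" "$demo/wp-content/plugins/example"
chmod 666 "$demo/wp-content/plugins/example/example.php"
echo "world-writable before:"; find_world_writable "$demo"
fix_wp_permissions "$demo"
echo "world-writable after:"; find_world_writable "$demo"
echo "wp-config.php mode: $(mode_of "$demo/wp-config.php")"
rm -r "$demo"
```

Run it once after an install or a migration, and again whenever a plugin asks you to "make this folder writable": if the request turns out to need 777, the plugin is working around a hosting setup that should be fixed at the PHP-handler level, not with permissions.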
Change Your Table Prefix
In phpMyAdmin, you’ll notice WordPress uses a prefix of wp_ for all its tables. You can change the prefix to something else so that injection payloads and scripts hard-coded to wp_users or wp_options miss, but treat this as a small gain: the prefix is easy to discover from error messages, exposed backups or any SQL injection that lets an attacker list tables, so it is no substitute for keeping plugins patched.
Note: this isn’t an easy change. On an existing site you must rename every table, update $table_prefix in wp-config.php, and also rename the rows in the options and usermeta tables whose keys carry the prefix (wp_user_roles, wp_capabilities, wp_user_level); miss those and every account loses its role. It is far simpler to choose a non-default prefix at install time.
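To show what the change actually involves, here is an added example (not from the article) in POSIX shell that turns a list of table names into the SQL for a prefix change, including the often-forgotten key rewrites in the options and usermeta tables. The new prefix b7k2q_ and the table list in the demo are made up; a real run would pipe the output of SHOW TABLES into it.

```shell
#!/bin/sh
# Emit the SQL for changing a WordPress table prefix (e.g. wp_ -> b7k2q_).
# Added example, not from the original article. Table names are read from
# stdin, one per line, as produced by:
#   mysql -N -e "SHOW TABLES LIKE 'wp\_%'" your_database | prefix_change_sql wp_ b7k2q_
# Renaming the tables is the obvious part. The rows in the options and
# usermeta tables whose *keys* carry the prefix (wp_user_roles,
# wp_capabilities, wp_user_level, wp_user-settings ...) must be renamed too,
# or every account loses its role once $table_prefix changes.
prefix_change_sql() {
    old=$1
    new=$2
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "usage: prefix_change_sql OLD_PREFIX NEW_PREFIX < tables.txt" >&2
        return 1
    fi
    # LIKE treats _ and % as wildcards, so escape them in the old prefix.
    like_old=$(printf '%s' "$old" | sed 's/[_%]/\\&/g')
    # SUBSTRING is 1-based: drop the old prefix and keep the rest of the key.
    keep_from=$(( ${#old} + 1 ))

    while IFS= read -r table; do
        [ -n "$table" ] || continue
        case $table in
            "$old"*)
                printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$table" "$new" "${table#"$old"}" ;;
            *)
                # A table without the prefix belongs to something else (or to a
                # second install sharing the database); leave it alone.
                printf -- '-- skipped %s: does not start with %s\n' "$table" "$old" ;;
        esac
    done

    # Fix the prefixed keys. Both statements target the *new* table names
    # because the RENAMEs above run first.
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %s)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$keep_from" "$like_old"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %s)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$keep_from" "$like_old"
    printf -- "-- finally set \$table_prefix = '%s'; in wp-config.php\n" "$new"
}

# Demo with a constructed table list (a real run would pipe SHOW TABLES here).
printf 'wp_options\nwp_posts\nwp_usermeta\nwp_users\nother_table\n' | prefix_change_sql wp_ b7k2q_
```

Take a full database backup before running the generated statements, put the site in maintenance mode while you do, and afterwards confirm that the wp_user_roles option and your account’s capabilities row now carry the new prefix before changing $table_prefix in wp-config.php.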
Add Security Plugins
The easiest way to review how well you have done is with a scanner plugin, which checks for the kinds of misconfiguration described above.
- WP Security Scan runs several checks and alerts you to potential problems.
- Secure WordPress checks for flaws (many of them minor).
Both are free and worth a try, but a security plugin is still code running on your site: check that it is actively maintained before installing it, and keep it updated like everything else.
Is it Worth Hardening WordPress?
Yes, yes, yes! Every WordPress blog is a target, whatever its size, because attackers scan indiscriminately. The more precautions you take, the less likely it is that you’ll be affected. Beyond the above DIY tips, here are some commercial WP-specific services:
Managed WordPress hosts – See our guide and comparison of premium WordPress services. These hosts take care of hardening and keep your site up and running so you never have to touch a wp-config.php file again. Another option is to look at hosts that focus on security, or at third-party hack monitoring and clean-up services such as Sucuri.
Remember: no website is ever entirely safe, so always back up your content. Keep the backups somewhere other than the server itself, since an attacker who can deface the site can usually delete backups stored next to it, and test a restore before you need one.