If you work in online marketing, the chances are good that you've worked on, are working on, or will at some point work on a WordPress site. If you work with wordpress.org in any capacity, this post is for you (much of this post doesn't apply to *.wordpress.com hosted sites).
Script kiddies suck
In hacker lingo, a script kiddie is the lowliest form of hacker (using the term hacker loosely), and relies on common tools and scripts to find and take advantage of the weakest and most common security vulnerabilities: crappy passwords, use of public WiFi without a VPN, outdated plugins, low-security hosting, phishing attacks, and other things of this nature. Sadly, these issues alone grant access to a shocking number of sites.
Unless you're in charge of a WordPress site for a major brand, the majority of the security issues you're likely to face will be the result of script kiddies.
The good news is this: If you follow this guide, your site should be as close to invulnerable as you can reasonably get. (To be fair, nothing is truly invulnerable, but this will get you pretty close.) Abracadabra, vault-like security is yours.
Without further ado, let's dive in. I personally take a four-tiered approach to WordPress security:
Hosting and server level security
When it comes to securing WordPress, it's best to start from the ground up. When you host your website with a hosting company that isn't sufficiently security-conscious, if any site on a server is hacked, there's a chance that any other site on that same server could be vulnerable.
After a ton of research, I've determined that the most secure option for hosting WordPress is WPEngine.com (and, conveniently, Moz has a PRO perk for them, 4 months of free hosting).
The effort they put into security is re-freaking-diculous (seriously). I'm in the process of moving all of my WordPress sites over to them as we speak. They aren't cheap, but you get quite a lot for what you pay. They even have a partnership with Sucuri Security, so if your site ever gets hacked, they'll fix it for free.
That said, they might not be a perfect fit for everyone. For example, there are quite a few plugins they don't allow (many for performance issues, not security issues). There are alternates to most plugins though, so hopefully that isn't a deal breaker.
If you HAVE to use another host for whatever reason, or need to host on your own servers, there are a few things to keep in mind (WP Engine does most, if not all, of this):
- Run secure, stable versions of your web server and any software on that server.
- Have a server-level firewall.
- Keep your server under lock and key. Only your IT team should have access.
- Never, ever access your server from an unsecure network.
- If you need to FTP in, use SFTP via a reputable program (I like FileZilla).
- Make sure your MySQL installation is as secure as possible.
- Always create a unique database for each blog installation, and make sure your database table prefix is NOT the default wp_.
- Back up your database and other files as often as possible, especially right before you make a change (there are plenty of options for this, such as CodeGuard and VaultPress).
- And, of course, make sure your passwords are both complex and not used elsewhere.
There's more to this, but those are the biggies. If you want a lot more detail, go here and here.
The next step in this process involves configuring some server rules. If you have access to the main server configuration file, it's best to do these things at that level, but not everyone is going to have that access. For that reason, I'm going to cover how to do this via the .htaccess file by walking you through a real .htaccess file (Note: edit your .htaccess file AFTER you install WP. It's server-centric though, so I'm covering it here).
BIG FAT WARNING: Be very, very careful when making changes to your .htaccess file. If you aren't extremely comfortable with code, it's best to let your developer do this. I've personally used all of this code, exactly as is, but I've seen bits work on some sites and break things on others (it totally depends on your server configuration, plugins installed, etc.). To be safe, get your developer to do this for you.
WordPress auto-creates a section in the .htaccess file. Don't put anything inside of the WordPress section of the .htaccess, as it will be overwritten. Some things will need to go before the WordPress .htaccess section, and some things after, to avoid breaking things. If you don't know what should go where, you probably shouldn't be editing your .htaccess file.
OK, here goes...
This first bit of code helps to prevent errors on some Apache servers, and activates the rewrite engine (which many of these commands require to function):
## Include this at the start of your .htaccess file ##
Options +FollowSymlinks
RewriteEngine On
This next bit turns off the server signature. This is a "security by obscurity" trick, as the less info a hacker has about your system, the harder it is to get in. The more they know, the easier it is to go out and hunt for known exploits:
## Disable the Server Signature ##
ServerSignature Off
Sometimes spammers will append their own crappy query strings to the end of a URL, attempting to do all kinds of nasty things, and this next bit of code can negate it by 301 redirecting certain query strings back to the canonical URL.
Just edit the enter|separated|query|strings|here bit to include the query strings you're having issues with, separated by pipes (a pipe is the "or" separator in RegEx). This next bit of code also has uses beyond blocking spammers, and can sort out issues with ?replytocom and other common junk query strings:
## Remove Spammy Query Strings ##
<IfModule mod_rewrite.c>
# List the query-string fragments to strip, separated by pipes
RewriteCond %{QUERY_STRING} enter|separated|query|strings|here [NC]
# The pattern captures the path so $1 is defined; the trailing "?" drops the query string
# (the original used https://www.%{HTTP_HOST}, which doubles "www." when the host already has it)
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1? [R=301,L]
</IfModule>
While not hacker-specific (though it certainly could be), this next bit of code blocks comment-form submissions (POSTs to wp-comments-post.php) that arrive with no user agent or from a referrer other than your own site, which is how most automated comment spam shows up. Just change out yourwebsite.com with your actual domain before placing this in your .htaccess:
## Protect from spam bots ##
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .*wp-comments-post\.php.*
# Replace yourwebsite.com with your own domain (keep the backslash before the dot)
RewriteCond %{HTTP_REFERER} !.*yourwebsite\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the bot back to its own address instead of processing the comment
# (the original target "^https://%{REMOTE_ADDR}/$" carried literal ^ and $ characters into the URL)
RewriteRule .* https://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>
A common hacking tactic is SQL injection, and this bit of code can block the vast majority of scripted attempts by refusing requests whose query strings contain the patterns those attempts rely on (SQL keywords, ../, base64 payloads, quote and bracket characters). Two caveats: it is a pattern filter at the web-server layer, not a fix for the plugin or theme code that builds the query, so it complements keeping things patched rather than replacing it; and it is deliberately aggressive, so a legitimate search for a word like "select" or a query string containing non-ASCII characters will also get a 403. Logged-in users are exempted by the last condition, so test it while logged out:
## SQL Injection Block ##
<IfModule mod_rewrite.c>
RewriteBase /
# Refuse request methods a blog never needs (note: HEAD is included, and some uptime monitors use HEAD)
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
RewriteRule ^(.*)$ - [F,L]
# Each condition below is joined to the next by OR; a match on any one of them is enough
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
# The next two lines as originally published contained empty alternatives ("||"), which match
# every query string, even an empty one, and so returned 403 for every visitor who was not
# logged in. The empty alternatives and a stray "ê" are removed here; the pipe and braces on the
# second line are an assumption about the characters the original "\|{||" was meant to list.
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|"|;|\?|\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\||\{|\}).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
# Logged-in users (WordPress auth cookie present) are exempt from the query-string checks
RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]
</IfModule>
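As an added check that is not part of the original post, the following Python script transcribes four of the conditions from the SQL Injection Block above into Python regular expressions and runs constructed sample query strings through both the published form and a corrected form. It shows why the published block returned 403 for every request (the empty alternatives in "||" match any string, including an empty one) and that even the corrected rules reject harmless query strings such as a search for the word "select". The pattern list is a subset of the block, the sample query strings are made up, and the pipe-and-braces reading of "\|{||" is an assumption.

```python
import re

# Constructed transcription of four conditions from the .htaccess block above.
# Apache mod_rewrite evaluates RewriteCond with PCRE and [NC] means case-insensitive,
# so these particular patterns behave the same under Python's re with re.IGNORECASE.
AS_PUBLISHED = [
    r"\.\./",                                       # directory traversal
    r"base64_encode.*\(.*\)",                       # eval-style PHP payloads
    r"^.*(\"|'|<|>|\|{||).*",                       # NOTE: "||" = two empty alternatives
    r"^.*(request|select|insert|union|declare).*",  # SQL keywords anywhere in the string
]

# Same list with the empty alternatives removed. The pipe and braces are an
# assumption about which characters the original author meant by "\|{||".
CORRECTED = [
    r"\.\./",
    r"base64_encode.*\(.*\)",
    r"^.*(\"|'|<|>|\||\{|\}).*",
    r"^.*(request|select|insert|union|declare).*",
]


def matching_rule(query_string, rules):
    """Return the first rule that matches, or None (None means the request passes)."""
    for pattern in rules:
        if re.search(pattern, query_string, re.IGNORECASE):
            return pattern
    return None


def would_block(query_string, rules):
    """True if the OR-chained RewriteCond list would fire, i.e. the visitor gets a 403."""
    return matching_rule(query_string, rules) is not None


# Constructed query strings: two ordinary visits, two obvious probes, one false positive.
SAMPLES = {
    "": "front page, no query string",
    "p=123": "ordinary post link",
    "id=1%20UNION%20SELECT%201,2": "URL-encoded union-based probe",
    "file=../../etc/passwd": "traversal probe",
    "s=select+committee": "legitimate search for the word 'select'",
}

if __name__ == "__main__":
    for qs, description in SAMPLES.items():
        print(f"{description:42s} published={would_block(qs, AS_PUBLISHED)!s:5} "
              f"corrected={would_block(qs, CORRECTED)!s:5} rule={matching_rule(qs, CORRECTED)}")
```

Run it and the "published" column is True for every row, including the empty query string, which is exactly the "Forbidden" symptom several commenters hit; the "corrected" column passes ordinary visits but still flags the search for "select", so whitelist what your own site legitimately sends before deploying.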
Now, there are plugins that can limit the number of login attempts from any one IP address, but that doesn't prevent hackers from using large blocks of IPs to brute-force your site (a la public proxy lists). I've experienced this first hand numerous times, so the following bit of code has been a lifesaver as it only allows my login pages to be reached from IP addresses I specify, and blocks access to those pages from all other IPs.
Just adjust the allow from lines to reflect your actual IP addresses (you can get your IP addresses by going to Google from each place you connect to the internet and searching "What is my IP"). If needed, change the login filenames as well (wp-login.php is default, and login is not, but my site uses both because of a plugin I use).
Or, to make it easier on yourself, go to ProxyBonanza and pay $10/mo for one exclusive proxy IP of your own, and then allow that IP and use that IP whenever you want to access your sites. (ProxyBonanza has plugins for Firefox and Chrome, which make this step really easy.) Just swap out the fake IPs below with your actual IPs. If your IP changes, you can always go in and fix this via FTP later.
## Restrict WordPress Login Pages to Your Own IPs ##
<Files wp-login.php>
order deny,allow
deny from all
allow from 192.168.1.1
allow from 192.168.1.2
</Files>
<Files login>
order deny,allow
deny from all
allow from 192.168.1.1
allow from 192.168.1.2
</Files>
There are a number of files that nobody but you should ever be accessing, and this bit of code will block them from being accessed via a browser:
## Block Sensitive Files ##
Options All -Indexes
<files .htaccess>
Order allow,deny
Deny from all
</files>
<files readme.html>
Order allow,deny
Deny from all
</files>
<files license.txt>
Order allow,deny
Deny from all
</files>
<files install.php>
Order allow,deny
Deny from all
</files>
<files wp-config.php>
Order allow,deny
Deny from all
</files>
<files error_log>
Order allow,deny
Deny from all
</files>
<files fantastico_fileslist.txt>
Order allow,deny
Deny from all
</files>
<files fantversion.php>
Order allow,deny
Deny from all
</files>
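Once the block above is in place, it is worth confirming from the outside that each file really does answer 403. The script below is an added example, not code from the original post: it requests each of the files named in that block from a site URL you supply and lists any that answer with something other than 403 (blocked) or 404 (not present). The fetch function is injectable so the logic can be exercised offline with a stand-in; the example.com URL and the stand-in statuses are constructed.

```python
import urllib.error
import urllib.request

# The files the .htaccess "Block Sensitive Files" section denies. <files install.php>
# matches by file name in any directory, so the WordPress copy under wp-admin is checked.
SENSITIVE_FILES = [
    ".htaccess",
    "readme.html",
    "license.txt",
    "wp-admin/install.php",
    "wp-config.php",
    "error_log",
    "fantastico_fileslist.txt",
    "fantversion.php",
]


def http_status(url):
    """GET the URL and return the HTTP status code, including 4xx/5xx answers."""
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_sensitive_files(base_url, fetch=http_status):
    """Return {relative path: status} for every file in SENSITIVE_FILES.

    `fetch` is a callable taking a URL and returning a status code; pass a stand-in
    to run the check without network access.
    """
    base = base_url.rstrip("/") + "/"
    return {path: fetch(base + path) for path in SENSITIVE_FILES}


def exposed_files(results):
    """Paths that answered with something other than 403 (blocked) or 404 (absent)."""
    return sorted(path for path, status in results.items() if status not in (403, 404))


if __name__ == "__main__":
    # Constructed stand-in: pretend only readme.html slipped through the block.
    def fake_fetch(url):
        return 200 if url.endswith("/readme.html") else 403

    results = check_sensitive_files("https://example.com/", fetch=fake_fetch)
    for path, status in results.items():
        print(f"{status}  {path}")
    print("exposed:", exposed_files(results))
    # To test a real site, call check_sensitive_files("https://your-site.example/") without fetch=.
```

Run it against your own site (while logged out, since the SQL Injection Block exempts logged-in users) after every .htaccess change; a 200 on readme.html, for instance, means your exact WordPress version is readable by anyone.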
If you find your site being hit repeatedly with attack attempts from certain IP addresses, you can manually block certain IPs with the following bit of code. Just edit the deny from bit to include the offending IP, with one IP per line as follows:
## Malicious IP Blocking ##
order allow,deny
deny from 1.1.1.1
deny from 2.2.2.2
allow from all
If you have people hitting you really often from the same IP or IP block, you can redirect that IP/IP block to a nice rickroll video (just change the IP below to reflect the one that's hitting you). :) I've done this on my sites for a few repeat offenders:
## Redirect Recurring Spammer IPs to a Rickroll Video ##
RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.1$
RewriteRule .* https://www.youtube.com/watch?v=oHg5SJYRHA0 [R=302,L]
If you have certain websites that are hitting you with referral traffic you don't want (it can happen for various reasons), you can block those referring domains with this code:
## Block Certain Referring Domains ##
RewriteCond %{HTTP_REFERER} digg\.com [NC]
# The substitution must be a plain hyphen (the published version had an en dash, which Apache treats as a URL)
RewriteRule .* - [F]
You can also use your .htaccess file to secure wp-includes (this can cause real issues, especially with Multisite, so I'll have you go here for the specifics). You can also do some other pretty advanced things, like blocking certain countries and browser languages, if you so choose.
With all of that in place, your .htaccess file is just about as hardened as it can get. An .htaccess file can exist for each directory on a site, and is applied to everything in and under that directory. I've compiled this list from a number of different articles, with a few bits of my own sprinkled in. For further reading on these and other similar points, check out these five links.
The last step is to lock down your file permissions so that only those who should have access to certain files have that access. You can read how to change file permissions here (be careful with this one too, as it can break things, particularly plugins.) This is something you should test very carefully as you implement it, ideally in a sandbox or dev environment.
And that's it for WordPress server-level security (not really — you could fill a book with this stuff — but this should be sufficient for your needs). Next up, WordPress itself!
Your WordPress installation
Once you have your hosting and server security sorted out, it's time to get WordPress installed, along with the necessary security plugins. Even if you already have an existing WordPress site, don't skip this section!
You'll want to download the WordPress install files directly from wordpress.org, and go through the install process via secure FTP (SFTP). Many hosts offer a one-touch WP install, which is also fine. As you do this, make sure you pick secure passwords (outlined in the Personal security section below), and don't use the same password for more than one site/thing (separate passwords for your database, FTP, WordPress admin, etc.)
With WordPress installed, the next step will be to pick a theme — and not just any theme will do. As any black-hat SEO knows, themes and plugins have long been a great way to get links, albeit in a shady and unethical way (remember MozCon 2011, when Richard Baxter gave a live demonstration of pointing millions of links with anchor text of his choice from a set of WordPress sites running a theme/plugin he'd created? Yeah.)
Because a lot of potentially dangerous things can be hidden inside of themes, it's a good idea to use or buy a secure, clean theme. The themes that come with wordpress.org by default are pretty safe, but here are a few other options for clean themes: Option 1 and Option 2. To get a better feel for why this is so important, there's a great video here.
If you already have a theme installed, you might want to run a security scan, or have a security-minded developer look through the theme code. Ditto for any plugins you might have.
After you've selected your theme, the next step is to start picking plugins. When it comes to plugins, you need to be just as careful as you were with picking a theme. Even popular plugins can contain vulnerabilities, and developers can sometimes be slow to fix them (or perhaps put them there themselves). For that reason, I recommend using as few plugins as possible to get the job done. That said, from a security perspective, here are the plugins I highly recommend:
- Better WP Security - This is sort of an all-in-one security option. It handles a variety of tactics covered in this post. Can overlap with other plugins, so be careful. Free.
- Limit Login Attempts - Exactly what it says, and a phenomenal way to deter brute-force hacking attempts on a site. Free.
- Akismet - Great way to filter out a lot of crap before it ever touches your site. If your site is easy to spam, it might also be easy to hack, so make it a hardened target on all fronts. Paid.
- Sucuri Security - When you pay for this service, you get a plugin to install on your site that helps with the monitoring and hardening process. It has overlap with other plugins though, such as Limit Login Attempts and Better WP Security, so you don't want to use all of them at once. Paid.
- CodeGuard - Great backup service that lets you easily roll back if you ever do get hacked. Also, people don't back things up nearly as often as they should, so doing it automatically is handy. Paid.
- CloudFlare - CloudFlare is a CDN, but also so much more. It has some great security features built in, and comes in both free and paid versions.
- Google Authenticator - Enables two-factor authentication on WordPress, which is awesome. I use two-factor wherever it's offered, because it rocks. Free.
- Stealth Login Page - You can't crack what you can't find. This plugin hides your login page without needing to edit .htaccess files. Free.
- WordPress SEO by Yoast - Not only does this have great SEO benefits, but it allows you to easily edit your .htaccess file from within the WordPress admin, which is very handy. Free.
If you opt to use WP-Engine for your hosting, be aware that they are very strict on what plugins they do and don't permit. I find this pretty annoying, and while I understand their reasons, I really like some of the plugins they don't permit.
If you have unused themes or plugins installed, I'd recommend deleting them. Just having them installed on your site, even if they aren't active, can potentially pose problems. You should also make sure that you keep WordPress, your plugins and your themes up-to-date. Updates often fix known security issues, and one of the first things a smart hacker looks for is out-of-date plugins and themes they can exploit.
As you build out your site, you should also pay very close attention to what is and isn't reachable by crawlers, and how your site handles things like login info, passwords, lost passwords/password resets, security questions, etc. There's an entire sub-set of hacking called Google hacking, dedicated to surfacing information Google has found and indexed that it probably shouldn't have (great article here). Making effective use of your robots.txt file to block things that should be blocked is highly recommended.
While site security is never finished, this will sort out the vast majority of problems you're likely to encounter. Remember, nothing is unhackable, so the goal is simply to make your site way more trouble than it's worth to the majority of hackers.
Personal security
As any half-decent hacker knows, the human element of security is usually the weakest link in the chain. The most security-conscious web admin or host can be foiled by a common password (Love, Sex, Secret, God, Hack the Planet!).
The human brain likes routines, patterns, and comfort zones; and hackers exploit that with glee! If you want a fascinating yet frightening read on this topic, check out Kevin Mitnick's book The Art of Deception.
Here are my seven personal best practices for locking down the human element:
- Never access a WiFi hotspot through anything other than a secure VPN. I personally use Cloak as my VPN (iOS and Mac only at this point), but there are lots of options. You'd be shocked at what can be found with simple packet sniffing (Firesheep is a great example, and will probably make you quite uncomfortable). When you use a WiFi network, secured or unsecured, anyone else on that network can get access to your traffic (if all your traffic is encrypted, you're MUCH safer, which is why you should use a secure VPN on any shared network, even if it's a "secure" shared network). If you have WiFi at home or work, make the password a strong one, use WPA2, and set your router to NOT display the SSID (this is a "security by obscurity" tactic).
- Get a firewall. A good firewall is an excellent defensive tool. In a perfect world, I'd recommend having both a software and a hardware firewall, but that may not be feasible for everyone. At the very least, you need a software firewall (Comodo, ZoneAlarm, etc.). It can be a bit intrusive, depending on your settings, but it's easy to customize and does a very good job. You should have a firewall on every desktop/laptop/server.
- Get an antivirus program. Viruses and malware are a dime a dozen, and the chances are REALLY good that you've got at least one on your machine already. If a hacker has access to your computer, no amount of security anywhere else can protect your WordPress installation (not to mention your email, bank account, etc.) I've tried quite a few over the years, and I'm partial to Avast. It's one of the least resource-intensive AV programs on the market (won't bog down your machine), but it's also extremely thorough (there's a free version, but I pay for the full suite for a variety of reasons).
- Keep your hardware physically secure. If someone can get to your machine, it's a cinch to hook up a keylogger. If you don't password protect your machine, there are all kinds of other quick and dirty things they could do as well. If you use a desktop in particular, and it's in a common area at work, periodically check your USB ports and all cords running into the machine for anything unusual. It's uncommon, but it happens. Seriously, you should see the type of security Google has at its server farms!
- Use really good passwords, and don't ever reuse passwords on multiple sites. Here's where the lazy human element really comes into play. We're not really good at remembering obscure passwords, so we tend to stick with things we'll remember (asdf, 12345678, qwerty12345, etc.). This is bad, because common passwords make things REALLY easy for hackers, especially if you use the same password for multiple sites (don't do that, ever).
Operating system passwords are notoriously easy to crack with rainbow tables, so make sure your OS password is long (at least 15 characters) and complex (uppercase and lowercase letters, numbers and symbols, avoiding common substitutions like @ for A or 8 for B, etc.). Here's a cool article that explains why complex passwords make things SO much harder for hackers.
Thanks to some pretty serious security blunders over the years, it's easy to find massive lists of passwords used on pretty major sites (RockYou is a great example, with 32 million passwords leaked). With a list like that, you can just pick a WordPress site and try random passwords at will until you get a hit. While far from efficient, script kiddies in particular love this brute-force approach.
I've found the easiest way to have virtually unbreakable passwords is to use a tool like LastPass, 1Password or Roboform. They allow you to generate a random, long, extremely complex password for each site, and then encrypt and store them all with one master password. There are desktop and mobile apps available (some of which even contain a secure browsing environment), so you can easily login from your various devices, and all you have to remember is one password to access them all (for the love of all that is holy, at least make that one password complex).
Don't write down, print, or store your passwords in plain text on your computer. Just don't.
- Protect your email accounts with two-factor authentication (and then protect your phone too). If a hacker can't get into your site via the password, their next trick is usually trying to crack your email account so they can just do a reset. If your email provider offers two-factor authentication, USE IT.
If you do this, make sure you lock your phone (use a real password, not the 4 digit variety) and try really hard not to lose it, since that is now the key to your accounts (and, in a perfect world, don't put that phone number up online, just to be safe. If a website ever needs a phone number, get a Google Voice number that you use just for that.) You should probably also set your phone to wipe after a certain number of failed tries, and configure a remote wipe option as well, if possible, as your phone is now the key to your accounts.
If your account provider asks you for security questions, use a mnemonic to come up with a totally separate answer (for example: for the question "What was your high school mascot?", I might think, I really hated my CS teacher in high school, and then use that teacher's name as the answer.) This will effectively neutralize attempts to mine your social profiles for data hackers can use to guess your security questions.
- Learn to recognize and avoid phishing attacks. Whether by email or website, phishing attacks are one of the most common causes of security breaches (you might have heard about the hacked AP Twitter account fiasco that caused a massive stock drop — yeah, that was due to a phishing attack).
When it comes to avoiding these sorts of attacks, I live by three rules:
If I have to log in to a site, I only navigate to that site through my password manager (this prevents me from accidentally falling for a misspelled-URL phishing attack, like if I were to type Facebool.com instead of Facebook.com).
Never, ever click on a link in an email and then log in to whatever page pops up (see the last rule). In fact, I don't click on links in email anymore. I right-click, copy the link location, and then paste it into Google, just to be safe. If it doesn't look right, or the results include spammy stuff, I stop there.
Never, ever open an attachment from someone you don't know and trust (and even if you know and trust them, drop it in a folder and run a virus check on it before opening it, or open it in a sandbox program first just to be safe). If someone who has you in their contact list gets their email hacked, the hackers start by blasting out emails to that person's contact list to expand their phishing pond.
Last but not least, exercise constant diligence
When it comes to WordPress security, you can't just set it and forget it.
If you put all of this in place, and then fail to monitor and update and change things as time goes by, you'll be in just as bad of shape as if you'd never done any of this to begin with.
To make sure that all of your hard work doesn't go to waste, I recommend a seven-step checklist to maintain constant vigilance for your WordPress sites:
- Keep WordPress updated. I'm in my sites daily, so I keep an eye on this daily. WordPress doesn't update the core too terribly often, so I'd recommend checking this at least monthly to be safe. You might want to have your dev team do this, as updates sometimes break things.
- Keep your plugins updated. Plugins are one of the most vulnerable parts of WordPress, not only to external hackers, but to malicious or greedy programmers. While we already covered only using reputable plugins, also make sure you keep these plugins updated, just in case a vulnerability is being addressed in the update. Again, you might want to have your dev team do this, as updates can sometimes break things.
- Monitor your server log files. This might be overkill for most folks, unless you've spotted something suspicious. Your server logs will give you the details of everything that has hit your site, human or bot, and when and from what IP address. You can find some awesome stuff in here, so keep an eye on it from time to time. (AWStats is a good free tool for this.)
- Monitor WP access. You can use a plugin like Simple Login Log to monitor the details of logins to your site. DO THIS.
- Monitor for file changes. A plugin like CodeGuard will send you emails whenever your WordPress files are changed. This can be an early-warning system for a hack, and is worth the investment. It also allows you to roll back changes if needed.
- Change your password periodically. I'd recommend every 3-6 months, but once per year is probably sufficient if you're using a sufficiently complex and unique password.
- Keep your firewall and antivirus software updated. New threats are discovered constantly, so it's important to keep everything updated. Out-of-date security software is a vulnerability.
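For the "Monitor your server log files" and "Monitor WP access" items, here is an added example (not code from the original post or from any of the plugins named) of the kind of thing to look for in a raw Apache access log: a Python script that parses combined-format lines, counts failed wp-login.php submissions per IP, flags addresses over a threshold, and tallies the 403s the .htaccess rules above are handing out. The log lines are constructed; the one WordPress-specific fact it relies on is that a failed login at wp-login.php is answered with 200 (the form is re-rendered with an error) while a successful one is answered with a 302 redirect.

```python
import re
from collections import Counter

# Constructed lines in Apache "combined" log format (not real traffic). 203.0.113.7
# hammers the login form, 198.51.100.2 logs in once, 192.0.2.9 trips the .htaccess rules.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2013:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2013:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Jun/2013:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Jun/2013:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2013:10:03:00 +0000] "GET /?id=1%20UNION%20SELECT%201 HTTP/1.1" 403 199 "-" "-"
192.0.2.9 - - [12/Jun/2013:10:03:01 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "-"
"""

# One combined-format line: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per well-formed combined-log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def failed_logins_by_ip(records):
    """Count POSTs to wp-login.php answered with 200 per IP.

    WordPress answers bad credentials by re-rendering the form (200); a successful
    login is a 302 redirect into wp-admin, so it is not counted here.
    """
    counts = Counter()
    for r in records:
        path = r["path"].split("?")[0]
        if r["method"] == "POST" and path.endswith("/wp-login.php") and r["status"] == 200:
            counts[r["ip"]] += 1
    return counts


def brute_force_suspects(records, threshold=5):
    """IPs with at least `threshold` failed logins, worst offender first."""
    counts = failed_logins_by_ip(records)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def blocked_requests_by_ip(records):
    """Requests the web server refused (403), i.e. what the .htaccess rules are catching."""
    return Counter(r["ip"] for r in records if r["status"] == 403)


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    print("failed logins per IP:", dict(failed_logins_by_ip(records)))
    print("brute-force suspects:", brute_force_suspects(records))
    print("403s per IP:", dict(blocked_requests_by_ip(records)))
```

Point parse_log at your real access log (read the file and pass its contents) and run it from cron; an IP that shows up in brute_force_suspects is a candidate for the manual IP block earlier in the post, and a sudden flood of 403s from your own address usually means one of the .htaccess rules is matching something it shouldn't.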
Awesome guide! I've known some of these things but I'm definitely going to be implementing some I'd never heard or thought of, you can never have too many layers of security!
Just a couple of cautionary points... I would not recommend limiting your log-in page to your IP addresses UNLESS you have a static IP. Many businesses do but the average residential consumer gets constantly updated IPs from their ISP, and it may get updated frequently enough to be too annoying to keep changing the file. Of course, YMMV.
Secondly, while it's cool to know how to completely deny specific IPs, I would caution against it for the same reason; it's hard to ensure that the IP isn't going to eventually be handed to a legitimate user who now can't visit your website. The (simple and excellent!) "Limit Login Attempts" plug-in should handle all of that, anyway.
Finally, while you link to resources that mention this, I just want to highlight a "security through obscurity" database tip that I think is just as important as avoiding wp_ prefixes - renaming the administrator account from the default "admin" to something else. Guessing the password to your account is one thing (especially if you're limiting login attempts), but if they don't even know the username, it's going to be exponentially harder.
All excellent points! I can't believe I left out the admin bit :) Definitely don't use admin as your username, and if it already exists, create a different account with admin rights and delete the old Admin login. One cool thing with the Limit Login Attempts plugin is it shows you what username someone attempted to use, and 99% of the time it's Admin.
Nice and useful post. Thanks a lot!
Maybe avoiding "administrator" username is a good idea. I saw many people renaming default "admin" to "administrator".
Another thing I would suggest is avoiding passwords like "p@$$w0rd". They're very common among users and hackers are familiar with them.
Ditto on avoiding the admin password, as this is a biggie. I am surprised it was not highlighted a bit more in this article.
Very informative post! Choosing the right themes and plugins is very important when going with WordPress because most of them can create a security disaster. This article on SEW is also a very interesting read https://searchenginewatch.com/article/2277422/How-to-Choose-Trustworthy-WordPress-Themes-Plugins
Recently I read a report published by checkmarx.com on the security of the top 50 general WordPress plugins and the top 10 eCommerce WordPress plugins.
I strongly recommend checking this report, as we used to think that the plugins are secure, especially the popular ones, but it is not true! More than 70% of top plugins are vulnerable to web attacks.
The most important part of WordPress security is to check the third-party tools and plugins we have installed. They can provide a back door to hackers.
Here's that report, if anyone is still interested: https://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins3.pdf
Nice! There are some pretty good tips here that you cannot easily find elsewhere.
Good job.
Sam - you are seriously the man. This is an excellent guide and I think too many times we get too excited about site speed/performance that we overlook this.
If you've been around long enough, you've probably had a site compromised. This is not fun and can put a huge damper on organic SEO as well as any other type of marketing you are doing.
Definitely going to share this and keep it handy as a resource. Thank you so much for the solid contribution!
Thanks! It was a fun one to write :)
I'd planned to do this post as an infographic as there was no complete guide anywhere. Oh well! Good post.
Yeah, we use WPEngine - it's awesome. We get a lot of traffic, so it's pricey, but worth it for US-based support and just that it's awesome. You couldn't ask for more.
What about securing file uploads? Sure it is nice to just leave that off forever, but not always possible. For instance, how about turning the php_flag off in the file uploads?
@bickerstoff, turning file_uploads off will make creating new posts hell for you. Image uploads etc. won't work. You can instead ask your hosting provider to enable upload-time scanning. Here's something to pass on to them:
https://bobcares.com/blog/how-to-secure-wordpress-a-definitive-checklist-for-webmasters-and-wordpress-hosting-providers/#securing-wordpress-hosting-environment
WP PRO HOST is super secure with FireHost back end secure servers optimized for WordPress. All installs are only accessible through (SSH) Secure SHell.... if you have had your sites hacked on all other hosting providers give WP PRO HOST a try....
After adding the ## SQL Injection Block ## code I receive the following error:
Forbidden
You don't have permission to access / on this server.
****
What am I missing here?
Thanks for this brilliant, concise article Sam.
I'm having this same issue (it's a 403 Forbidden error) after adding the ## SQL Injection Block ##.
Is there something in the code we're supposed to edit?
I am having the same problem, but only when the site is directed to *www.website.com*, it's connecting fine to *website.com* - I isolated it to the SQL Injection block code, although not sure which line. Any ideas?
Great Post.
Definitely one of the most comprehensive lists I've ever seen for WP.
I want to suggest adding "modify xmlrpc.php", to prevent Pingback DDoS exploits.
https://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos
Also, it's worth pointing out that most WP attacks target small or medium sites and are actually automated (executed by bots, originating from malicious software). Before paying for any security service, your readers might consider combining your excellent code and .htaccess modification suggestions with a free bot filtering solution.
Finally, I would argue that hardening and monitoring is not as good as actual proactive protection which will block the threat, not only track back its origin. As I see it, many code modifications are out of reach for the average WP user (myself included) and others can be time consuming and costly.
In my mind WAF (Web Application Firewall) provides a better solution... I think that Sucuri recognized this and this is why they recently introduced their own version of WAF, which joins the rank of Incapsula, Mod_Security, Barracuda, etc.
Good points! I hadn't heard about the xmlrpc.php issue, so good to know. I know WPEngine partners with Sucuri, so you get the best of both worlds, so I'll be interested to see how they really pan out after I've had my sites hosted there for a while.
My WP sites were hacked soon after going live. I then installed Better WP Security, changed the standard username and chose a really good password. Since then I never had any issues again.
I have had great success with Better WP Security. Very easy to use.
Awesome. We had a site get exploited a few weeks back we have recommended the changes to our clients.
I make use of computer generated passwords, like 'fhbg67sfdbsdhgv'. Impossible to guess. Safe till now. :)
Very informative post on WordPress security. A lot of the .htaccess tips you shared are very nice. You can add those .htaccess rules just by checking some checkboxes using the following free WordPress plugin:
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
Secure hosting is cheap, unless $3 a month is too expensive for you. Near instant WP support and free daily malware scanning, and super fast SSD drives, tvc dot net. At least worth checking out if you are getting tired of the forty buck a month managed hosting pitches.
PLEASE Feel free to delete if this is not appropriate.
Wonderful article. This type of knowledge is very vital. For the basic/new type of user, however, we are hosting a free webinar covering the seven steps you can take to improve your website security right now (covers Joomla, WordPress, Drupal), on Sept 17, 2013.
I won't post the link - if you're interested please PM me for the link.
Woww!! Amazing guide to wordpress security!! Thanks for sharing... Really good tips for security..
A comprehensive must do list and I always say it is not if you will be hacked, it is when. You have provided all of us with great tools and I have incorporated many but need to step it up a notch! Excellent share!
I've read a lot about WP security; this is definitely one of the most well-thought-out pieces. Thanks Sam!
Really good article - probably the best I've read on the subject. Couple of Q's
When adding the ## SQL Injection Block ## - my site just goes 10 times slower (running on hostgator btw). Anyone else experiencing this?
Also regarding ## Remove Spammy Query Strings ## does anyone have a list of the most common spammy strings?
And to throw my 2 cents' worth in - there's a free plugin called 'Anti Malware' which checks for malware in plugins. But possibly when it's too late. Their site is https://gotmls.net/ - would be good to get an 'expert' opinion on it.
I haven't experienced the site slowing deal with the SQL Injection Block...my business site consistently loads in under 1 second, and I have that on there.
The spammy query strings bit I tend to fill out by looking at log files. If someone has attempted to point links to your site with spammy query strings appended to the URLs, you can see it in the log file and then block accordingly.
I haven't heard of that plugin before, but Sucuri Security does basically the same thing, as does WP Engine if you host on there.
Sam thx for the great WP security write-up :o)
I've got a very simple question that's been bugging me for a while. You mention to make sure that the database table does NOT begin with wp_. I've always changed it to, e.g. wp_1yKcGjbhMa_. Is this less secure than 1yKcGjbhMa_ ?
Could you also give a short explanation why that is the case.
(My first post didn't make it live - so second time lucky?)
Awesome post - the best I've read on the subject. Quick question regarding the .htaccess file. When adding ## SQL Injection Block ## to a WP site it slows the site down (my host is hostgator). Just wondering if anyone else experienced something similar?
Secondly, in the ## Remove Spammy Query Strings ## part would there be generic query strings??
Thanks Sam,
Thank you for the article. It is frustrating when you discover WordPress security issues the hard way.
Great work, Sam! Very impressive!
I had no idea you could edit the .htaccess file within Yoast's SEO plugin. I have it installed on my blog but made changes to the .htaccess file directly in FTP. However Yoast's 'version' doesn't coincide. Should they be syncing, or is it a case that one replaces and/or takes precedence over the other (e.g. even though I've edited the one via FTP, Yoast's version is in charge)? If you happen to know and can shed some light then that'd be awesome. Thanks!
I'm not sure exactly how Yoast's editor is handling it, but mine syncs perfectly. I see the same thing via FTP that I see via the Wordpress SEO interface.
Technically each directory can have its own htaccess file...are you sure you're editing the same one?
There are just so many things it could be, server settings, Wordpress version, plugin version, other plugins installed, etc. Debugging Wordpress plugin related strangeness can be tricky :)
Great article and definitely some more stuff for me to add to my Wordpress Security Hardening Arsenal. I wrote a blog post about the latest Wordpress security issues aimed largely at customers and what they need to do or make sure their web developer does to help make their website less likely to be hacked: https://www.areoff.com/insurance-and-financial-wordpress-websites-are-under-attack/
Awesome post Sam..!! Lots of things in the post which I didn't know and must know..
I just put into practice some tips from the article, which is a vote in favor. As often as possible, I prefer to perform manual actions rather than using plugins. The problem is that they give access to the root directory through the WordPress admin interface.
One intrusion is enough to read wp-config, learn your password or perform all the actions that plugins are allowed to (a greater risk for multi-user websites). I always prefer that my database, wp-config, .htaccess or even robots.txt are not editable from the WordPress dashboard. The intermediate solution is to uninstall these plugins just after maintenance. Paranoid? As someone said, "even paranoids have enemies".
Thank you for your article! I just use a web proxy like this https://whoer.net/ru from time to time. But now I'm thinking about other options.
Can I use 2 security plugins like iThemes and Wordfence, or Wordfence and All In One Security, at the same time on the same WP site?
If I do, what problems will I face?
Awesome info. Helpful.
Impressive. I am using Google two-way authentication. It's the best way to prevent hacking. All things got locked.
Thanks for this helpful article. All of the above ideas are useful. You helped me a lot.
Amazing guide Sam! Thanks for explaining the htaccess tricks, we're going to play around with those.
Thank you for this informative Guide.
First is to change "admin" to something else. Also good is to have firewall on Your server for complete security.
Agreed. These are both mentioned either in the post, or in several comments.
WordPress security is so important, we can't have it drilled into our heads enough. :)
We included this in our Monthly Resource Round-up
https://blog.nexcess.net/2014/01/03/the-yearly-round-up-2013s-best-expressionengine-wordpress-and-magento-content/
Cheers! Great article!
Regarding the htaccess file: You mentioned that some of your additions need to go above or below the section that WordPress creates. I wonder if anyone has, or knows of, an example htaccess that has those additions.
All of my sites can be logged in with ADMIN :(
Have to change all of them now :P
Thank you
I'm really behind on my WP security, but the closest I know of to having a break-in was constant user registrations. I ended up changing my default username from admin to something a bit less lazy as well. Not much to add here, but thank you. Do you have any experience with Hostgator at all? They're my host and I really like them, but I'd be curious to hear if there's anything specific I can do to safeguard my sites on their shared hosting.
I haven't used Hostgator, so I'm not sure what their server set-up is like. Most major hosts though adhere to at least the basics of server security, so if you take care of the parts that are in your control, you should be OK.
After a really long frustration I've decided to move my website from Joomla to WordPress,
so I found this post right on time.
Thanks for this thorough and profound information.
Truly fantastic post. The information here is so valuable, I can't thank you enough really, and I will definitely be implementing the recommendations you have listed. In my experience the most common attack is via outdated plugins, and I have been hit by that type of attack before, but hopefully after putting your recommendations in place and keeping everything updated my WordPress installation will be safe. Thank you.
This is the most complete and useful free guide to WordPress security on the Internet. I guarantee it.
Thanks!
Good writeup, Sam. I have a question though.
Avast and Comodo. Which versions do you use so that they're compatible with one another, but still effective protection? Do you use the basic versions of both?
Basic version of Comodo, and the paid version of Avast with the firewall portion disabled.
Cheers, Sam. Avast have two paid versions, Premier and Internet Security. Are you talking about the former or latter?
First of all, I'd like to thank you for sharing this post Sam, as I am currently handling a lot of WordPress-based sites, from WP installation/setup to plugins to WP template customization & SEO. I really found your post useful!
Regarding the hosting, are you aware of any HongKong or China based hosting services that are secure enough to host WP based sites? I have done some research on hosting services in China & HK but never found anything definitive. So in case you have anything that can help me move in the right direction, please share.
Unfortunately I don't know of any China or HK based hosting providers that are super secure. That said, the location of your hosting isn't terribly important if you make use of a good global CDN, so I'd consider options outside of those locations.
I really enjoyed this piece! I recently spent a few hours auditing a handful of sites that were having issues, and the culprit each time was out-of-date WordPress plugins and poor security that led to malware. This is a veritable bible of WordPress security, and a great, well-written blog! Thanks!
Thanks!
Great article and one that needs to be widely spread so people understand the importance of the issues here. The challenge is often educating clients as well as to the issues and importance of security. I wrote a security and hacking blog article which has been useful for clients to understand about script kiddies and why their sites get targeted, often they think it is personal which is rarely the case. Using reputable and well supported plugins is an absolute must and as developers we have a duty to understand and implement proper security to keep client websites as safe as possible.
https://www.flowinteractive.com.au/security-hacking-and-your-website-your-questions-answered
This is a great security resource! I'm definitely bookmarking for later reference. I only recently started using WordPress, so this is all great to keep in mind.
Great tips for ensuring the security of your WordPress site! Your timing is great after the recent checkmarx report on WordPress Plugins and their vulnerabilities.
https://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
Good tips thanks. Most of the sites I see that are hacked, especially in really spammy spaces such as Payday Loans, are generally running WP and have no idea they have even been hacked.
Nice info, thanks for the post, i'll be checking my blogs against this list....
Thanks, and you're welcome :)
Very thorough Sam. I've read a lot of blogs about WP security, but it's nice to see Moz publish one.
While it's not really a security tip, I'd like to suggest adding BackWPup to your arsenal (just in case).
A great way to create a strong password that you can remember is to change all vowels to numbers & special chars. Ex: Str0ngP@ssw0rd
Stay awesome!
While it's helpful for remembering passwords, it's generally best to avoid basic number/character substitutions like Str0ngP@ssw0rd. Most password crackers and brute force tools account for common substitutions like that. The only exception to this rule would be if your password begins and ends with odd sequences.
!@Str0ngP@ssw0rd#$ would be better, because you can't use a standard dictionary attack with character substitutions to crack it. Each additional random character you add to the beginning or end increases the difficulty of cracking the password exponentially.
Thank you for the article, timely for me. As I'm managing the website of a fast growing company, security is starting to become more and more of an issue that I would like to learn about before something bad happens.
I have CloudFlare setup on our site and wondering if you know how that plays into having a more secure site. From what I understand it creates a layer between your site server and someone trying to gain access or information.
In my opinion the biggest security benefit to CloudFlare is that it detects and stops DDoS attacks. Here's their detailed list of security features: https://www.cloudflare.com/features-security
Thanks for this outstanding post. I guess the problem with WP is that it is designed to put fancy coding into everyone's hands and make everyone feel like a super cool webmaster. Unfortunately, one click away, we trust a "plugin" coming from somewhere we know nothing about...
Yup, you trade security for convenience. I love WP, but it's exceptionally NOT secure out of the box. And considering WP powers many millions of websites...well, it's a field ripe for plucking. I hope this guide helps to curb some of that.
Damn good post here, SamAntics! We've been developing in WP for years and, yes, have been susceptible to hacks and malware uploads, so this post and the detailed information will help us become more secure and, like you said, aware of what is out there and what could happen, if left unprotected. Many thanks from our team to you!
You're welcome!
Wow, a very exhaustive list. Though some parts are a bit complex for a non techie like me, but I think the second half of the post that gives simple steps are very useful for any body serious about their website.
Mind... BLOWN!!!
Thanks for making me stay up late tonight Sam
You're welcome Greg! Are you going to be at MozCon this year?
Recently, malware hit my site and I don't understand why malware hit me. Then I reviewed my webmaster tools, and there Google was also showing a similar error. At last I removed all my plugins, and then the malware went away. What does that mean?
It's possible for a plugin to contain malware, and it's also possible for a plugin to behave in a way that can be seen as malware even if it isn't. This is just one reason why you need to be very careful when picking which plugins you're going to install. Only use reputable plugins, and use the fewest possible plugins to get the functionality you need.
Great round-up Sam, thanks, I will definitely be adding a few of those steps & plugins to my standard install procedure from now on.
This is an excellent and thorough guide to WordPress security.
In my experience, it's the obvious things that catch a lot of webmasters. Leaving the admin account with the default username "admin", not changing the password from time to time, not updating WordPress or plugins when new versions are released, and so on. These are all great tips, but let's not also forget the basics!
Very useful article - some great htaccess tips there.
Some users might also consider using htaccess to password protect the wp-admin directory and wp-login.php file. There's some instructions on doing this here: https://www.primaryimage.com/2013/07/protecting-wp-admin-via-htaccess/
Interesting points about firewalls, but I've seen many organisations not understand how to use them. Most firewalls aren't too complicated and only block traffic, so there are a few good practice tips that you could undertake:
· Always set your firewall to automatically deny all traffic without a rule
· Disable any unused ports
· Close ports when they are no longer needed
· Where possible, try to use an external firewall and host public facing servers in a DMZ which is controlled by the firewall
· Try to permit and initiate console connections (e.g. RDP) over a VPN only
· Try to avoid using insecure protocols for the transfer of sensitive data (e.g. FTP)
· Always back up your firewall rule base to file whenever it's changed (and don't leave a copy of this file in the DMZ)
· Ensure your firewalls cannot be remotely administered from their internet interfaces
· Turn on firewall logging (if your device supports it)
· If you can afford it, use different brands of firewall between the internet and the DMZ and DMZ and internal network.
· If possible host your SQL content database servers in a different DMZ
· Block any unneeded outbound internet access from the web servers
· Use strong passwords on the firewall interfaces and VPN.
On the web servers themselves, make sure there are no unencrypted database connection strings that are used by systems like Wordpress.
Excellent list :) If only all admins were that security conscious, we'd have fewer issues.
"outdated plugins" for me it is a big problem for Wordpress. Thanks for the nice article
Hi,
Thank you for the advice, but this sounds like it is for advanced users. Do you recommend any article that provides guides for beginner-average users?
Preventing hackers from hacking your WP site isn't really basic. I mean, you could host your site on WPEngine and they'd sort most of this out for you. That would probably be my recommendation for those who aren't technical enough to implement all of the above recommendations.
To directly answer your question though, I don't know of a basic, beginner-centric guide to this.
Great to do list. Especially the last 7 points. I've got a few changes to do and a few habits I need to adopt. Many thanks
That's the key :) Security really comes down to habits.
4 months later and I can safely say I've adopted all the security you've recommended (and some). Thanks again.
@Sam
The last 7 points mentioned are very effective; I even realized where I am lacking, and the 7 points helped me to find out the loopholes. Better WP Security is one of the most effective plugins in WordPress from a security point of view; I have also installed it and it is working up to the mark.
Malware attacks and hacking are very common. Sam, thanks for bringing the plugin to all of us.
In regards to hosting with WPEngine, apart from security (in which it sounds like they excel), how have you found their reliability and site speed?
I'm just in the process of moving sites over to them, so I don't yet have data on reliability. Speed-wise though, I've heard they are excellent. I'll soon see :)
Great post, lots to consider to secure WP sites even further. Have you had any experience with Wordfence? It's quite feature rich, and free. You can check it out here: https://wordpress.org/plugins/wordfence/
I've not tried Wordfence, but I'll check it out!
I am always surprised Wordfence is not mentioned in posts like this, maybe because it is still very recent. But this is my main go-to security plugin. Reading this, at least check it out; it's free!
I think you are right about hosting being the first line of defence. I installed Better WP Security on one of my WP websites and again it is being hacked. Besides that, I have a problem with this plugin, because some other plugins stopped working since I installed this one.
I read some articles which claim that just hiding the WP version is a lot of help, since robots know which exploit to use for different versions of WordPress.
Yup, good example of security by obscurity. You can think of WP security kind of like surviving a zombie horde...you don't need to be faster than the zombies, you just need to be able to outrun someone else in your group :) Because it's impossible to make a site 100% secure, your goal should be to make your site more trouble than it's worth, and security by obscurity tricks are the first step in accomplishing that.
Wordpress is a great content management system to host a website and/or blog but for sure, the classic tradeoff of convenience versus security cannot be ignored without consequences. Excellent post with great advice for anyone with a websites or clients with a website on Wordpress. It never ceases to amaze me the number of attempts to hack into a Wordpress site on any given day. Several dozen attacks per day is common based on my experience. Backup up often, change admin username, strong passwords, stay away from public networks, keep Wordpress and plugins up to date at a minimum is what I currently tell clients with Wordpress installations. How important do you think SSL is for at least admin? Otherwise, I assume username/password gets transported over the Internet encrypted assuming that you are accessing from outside a VPN. Thanks for sharing.
Using SSL for the admin panel is a good idea, and there are plugins that make that pretty easy to implement.
Great post Sam. Lots in here I'm going to look at, but I wonder how long it'll be before much of this comes within the WordPress core? Surely they can remove/block the wp_ prefix from tables, block 'admin' as a username, remove the generator meta tag (or is that already done in the latest version?), limit login attempts, etc. That wouldn't be huge work and it would add some extra protection for the people who never come anywhere near sites like Moz.com or venture out to find WordPress security tips.
It would be really nice to see Automattic actually do that, fix a few of those core things that make WP such an easy target. Fingers crossed!
More cheerleading for WPEngine? And W3 Total Cache is not allowed on their servers? So Chris Pearson, CopyBlogger, and Mashable use this exemplary solution, but WPEngine knows better. Hmmn..."We're from WPEngine and we're here to help you."
If I understand correctly, WPEngine disallows the use of W3 Total Cache not for security reasons, but because it conflicts with functionality that WPEngine provides. That said, W3 Total Cache did have a big security issue recently, and while promptly fixed, it goes to show that you have to be careful even with well supported plugins.
I've been hearing a lot of good things about WPEngine recently, however, their list of disallowed plugins is concerning as there are a bunch I rely on for optimisation/marketing, including: W3 Total Cache, WPSmush it (awesome), Pippity, Similar Posts, etc.
WPE & all the other managed WordPress solutions other than Synthesis offer a proprietary caching layer. For instance:
Pantheon offers Redis, Varnish, MongoDB
Pagely offers HHVM, Redis, Varnish, its faster AWS database
Kinsta offers HHVM, Redis, the latest Nginx
WP Engine offers everything from shared hosting, which is very fast, to a new HHVM stack
The list goes on; Presslabs rocks as well
Web Synthesis is unfortunately running a caching plug-in. I'm not knocking it; they just have not built their own caching. Things like fragment caching, which are offered through the pro W3 Total Cache or free with Synthesis, simply exist on the other hosting companies named above already. The reason Copyblogger/Synthesis uses W3TC is to save money, and I know that's the case. It's not rocket science here: they took an existing plug-in, modified it with their settings, and it works very well.
Why do you think New Rainmaker, their new platform that they hope everyone migrates to, essentially has a proprietary caching layer?
Why would you want to have a caching layer on top of a caching layer?
Full disclosure: I run a combination of the companies listed above in addition to primarily running FireHost / now armor.com
Security is a flaming nightmare with WP especially when people in general are so Slack-Alice about it. I was surprised not to see Bullet Proof Security not mentioned. Unless I missed it with post midnight eyes. Are there issues that people have found?
Tony Treacy's Secure WordPress plugin is looking promising here (this is an aff link - but I am still a pauper and it's easy to knock the offensive bit off if you like.)
https://www.wordpresssecuritylab.com
The hosting issue really is a big one. I lost virtually everything last September when my little US hosting company fell apart and began feuding (or so I am led to believe). Here it was a case of thank God for backups. So important as part of the plan. I've been very impressed by Backup Buddy, but I haven't tried the suggestions you offer "Sam".
I have found a brilliant hosting company here in the UK who are incredibly proactive and helpful and seem to be very conscious of the issues. Freethought are worth a look if you are UK based. They have helped me solve some very difficult recovery problems since September.
Passwords! Currently I have over 200 online password protected accounts to manage and I am just a very small fish. I find Roboform to be an absolute godsend. Remembering 1 nasty horrible password lets me put a nasty horrible password on all the accounts I open. I'm knackered if anyone ever manages to hack Robbo! But the amount of extra security that provides compared with the half dozen passwords I used to use for everything is well worth the modest cost.
Please forgive or truncate the aff link above, but I think Tony's plugin is really worth a look. It carries out a scan which seems to be at the same level of intensity as Sucuri, automates some fixes, sets up for manual fixes and offers guidance on the rest.
Thanks for the article Sam, it's getting a post on my FB Page.