I have a new WordPress ... now what?
WordPress is notorious for two things:
1. Being very easy to use with tons of plugins and themes
2. Every now and then a new exploit is found that affects millions of users
The latter happens (primarily) because people assume the guys who created WordPress take every possible scenario into account. However, it does not work that way: the installation needs some care after the initial install to make sure you cover all bases. WordPress security is kinda like bicycle locks – it is not gonna stop a good thief, but it will be enough to force him to move his effort to the next bike instead of yours.
I am not a security expert, but I know a few things about how to harden your WordPress installation.
0. Do not use wp_ as prefix for tables.
That is number 0 because it has to be done during the installation process. WordPress is an Open Source platform and everybody knows its database structure. It is very easy for someone to target an exact table name like wp_posts or wp_options to obtain valuable information. That is why it is best to change your table prefix from wp_ to something else like “starwars_” or “drupal_” 🙂
1. Remove admin user
WordPress comes by default with only one user, “admin”, and it has full administrative privileges. That means that by default everyone will try to attack this user. Create a new administrative account and delete the “admin” one as soon as you log in for the first time.
2. Change “wp-admin”
Pretty much the same as the point before. /wp-admin or /wp-login.php has long been the entry point to your WordPress admin area. Everybody knows that. A potential hacker needs three things to get in: a) a place to start, b) a username, c) a password. Usually with WordPress installations a hacker knows a) and b) right from the start and only has to focus on getting your password. So why give him all three? We already removed the “admin” account in point 1, now we need to remove the entry point. You can use a plugin like WPS Hide Login to change your /wp-admin to something only you would know. Be creative. Log in from /i-know-bretney-spears or /taccos-are_great. Just don’t use “wp-admin” anymore.
3. Limit login attempts
Unless your potential hacker knows your password, he has to make several (or hundreds of) attempts before figuring it out. If you set a limit on how many attempts a person can make before his IP address is banned, then you have got yourself yet another tool against hackers. Use a plugin like WP Limit Login Attempt.
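To see whether a login limit is needed, or whether the one you installed is doing its job, you can count failed logins per IP address in the web server access log. The script below is an added example, not part of the original article or of any plugin; the log lines are constructed, and it assumes default WordPress behaviour where a failed login answers with 200 and a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (documentation IPs, not real traffic).
SAMPLE_LOG = """\
192.0.2.55 - - [10/Mar/2024:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
198.51.100.20 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
192.0.2.55 - - [10/Mar/2024:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
192.0.2.55 - - [10/Mar/2024:10:14:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4630
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) per failed login. Assumes default WordPress behaviour:
    a rejected POST to wp-login.php re-renders the form (200), success is a 302."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_to_block(lines, max_attempts=3, window=timedelta(minutes=5)):
    """Return IPs with more than max_attempts failures inside one time window.
    Lines must be in chronological order, as they are in a log file."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts in failed_logins(lines):
        attempts = recent[ip]
        attempts.append(ts)
        while ts - attempts[0] > window:   # drop failures older than the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG.splitlines()))
```

If the site sits behind a proxy or CDN, the first field is the proxy's address, so the real client IP has to be logged for this count to mean anything.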
4. Install security plugin
Another thing you can do to harden your WordPress installation is to install a broad-scale security plugin like Wordfence Security. Wordfence protects your site in several ways: it will scan your files and compare them against the official ones to make sure they have not been altered, and it will share information between all sites that have it installed, so if one of them is under attack, the plugin will block that IP for everyone.
5. Hide WordPress altogether
It would be great if the hacker did not know you use WordPress in the first place. That way they will not have a clue where to start at all (well .. some hackers are pretty well educated so they will find out eventually). There is a great premium plugin called “Hide My WP – No one can know you use WordPress!” that will hide all possible clues that you might be using WordPress. Worth the investment.
6. Install and force SSL
You never know who is “listening”, and even with all the above options installed and configured, someone could “sniff” your network and get your plain password … just like that. If you buy and set up an SSL certificate and then force WordPress (WordPress Force HTTPS) to always use it (even in the admin area), all data between your browser and the server will be encrypted. You can buy RapidSSL or Comodo Essentials for as low as 15 EUR. Small price to pay if you are paranoid about your WordPress security.
7. Add/Change security keys
WordPress uses security keys to ensure your cookies/sessions are secure and no one can steal them and pose as you. If you are using a fairly new WordPress installation you already have them, but it won’t hurt to change them from time to time. You can use the official WordPress generator and replace them in your wp-config.php file.
8. Install Akismet
Spam is the most annoying thing in the world when it comes to managing a website. Nobody cares about enlargement pills or the Nigerian prince. Usually WordPress doesn’t care who posts on your blog, but that leaves a door wide open for spam bots. Fortunately there is a .. hold your breath … plugin for that. Akismet provides probably the best industry-level protection against spam. Although it has a free option, I’d recommend paying just a tiny little bit to make sure this great company keeps working.
9. Install captcha plugin
Although the previous points covered the entry point so that your attacker does not know where it is, it never hurts to add another level of protection to it. Just add a captcha to the standard username and password. Use a plugin like Captcha by BestWebSoft and you will make your WordPress login area as strong as concrete.
10. Disable file editing from WP
Sometimes the problem comes from within. Imagine you have everything covered, nobody can login to your WordPress installation – only you. Then you leave your computer for a brief moment and at that time somebody puts some nasty code within your files … because WordPress allows you to edit your source files from the editor. That’s not wise. You can disable it! You should disable it!
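Several of the points above (0, 6, 7 and 10) end up as settings in wp-config.php, so they can be checked in one pass. The script below is an added example, not code from the original article or from WordPress itself; the config excerpt is constructed, and DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN are the WordPress core constants for disabling the dashboard file editor and forcing HTTPS in the admin area, which the article does not name.

```python
import re

# Constructed wp-config.php excerpt for illustration; not from a real site.
SAMPLE_CONFIG = """<?php
$table_prefix = 'wp_';
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'constructed-sample-value-A' );
define( 'LOGGED_IN_KEY',   'constructed-sample-value-A' );
define( 'NONCE_KEY',       'constructed-sample-value-B' );
// define( 'FORCE_SSL_ADMIN', true );
define( 'DISALLOW_FILE_EDIT', false );
"""

KEY_NAMES = [f"{p}_{s}" for s in ("KEY", "SALT")
             for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
COMMENT_RE = re.compile(r"(?m)^\s*(?://|#).*$")

def audit_wp_config(text):
    """Return findings for the wp-config.php hardening points (0, 6, 7, 10)."""
    text = COMMENT_RE.sub("", text)          # ignore commented-out lines
    consts = {}
    for name, sq, dq, bare in DEFINE_RE.findall(text):
        consts[name] = bare.lower() if bare else (sq or dq)
    enabled = lambda name: consts.get(name) in ("true", "1")
    findings = []
    m = PREFIX_RE.search(text)
    if m and m.group(1) == "wp_":
        findings.append("table prefix is still the default wp_")
    values = [consts.get(k) for k in KEY_NAMES]
    for key, value in zip(KEY_NAMES, values):
        if not value or value == "put your unique phrase here":
            findings.append(f"{key} is missing or still the sample placeholder")
        elif values.count(value) > 1:
            findings.append(f"{key} reuses the value of another key")
    if not enabled("DISALLOW_FILE_EDIT"):
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard file editor is on")
    if not enabled("FORCE_SSL_ADMIN"):
        findings.append("FORCE_SSL_ADMIN is not true: admin area not forced to HTTPS")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE_CONFIG)))
```

The script only reads the text it is given, so it can be run against a copy of wp-config.php without touching the site.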
Security is all great when done right, but as I stated in the beginning of this article, all these tricks are good only up to a point. If you are the target of a skilful master hacker, chances are that he will win. After he finishes with your website, no matter what he did, you probably don’t want it. So it is worth having a backup to restore your data/files to a safe point. UpdraftPlus Backup and Restoration is a very popular and well-working plugin that will give you all kinds of options to back up your files, including using cloud storage (Dropbox, Google Drive, Microsoft Azure).
Gaining access to your blog is not always the target of your attackers. They just might want your site not available. They can launch a DoS/DDoS attack and keep you out of the picture. Although these kinds of attacks are hard to stop unless your hosting provider helps you, you can at least have your site cached so that it keeps working as much as possible. A typical WordPress installation can make up to 100 SQL queries per request. Multiply that by your number of visitors and your server has to deal with thousands of requests per second. That is not a problem. Servers are made to handle millions and billions of requests. However, if you have your pages cached as static pages your server will do 0 requests. This is hardly a bulletproof solution, but it will help. It will also make your site run smoother on normal days. Some great cache plugins are: W3 Total Cache and WP Super Cache.
13. Don’t post from the same account as the administrative one.
Even if you have deleted your default “admin” profile, it is not a good idea to post from your new one. That is an obvious way for your attackers to find out your account (remember they need 3 things). Always create one administrative account and another one for your posting purposes. Give the posting account the lowest role possible – editor or author. That way, even if someone gains access to that account, they will only be able to change that account’s posts and not harm anything else.
14. Install activity log plugin
Speaking of gaining access and changing stuff, you can install a tool to monitor that activity. That way you will know what was actually changed. If it is harmless, you can just reverse a post change or delete a simple file. Some good activity log plugins are: Activity Log.
15. Install login notifications – who tried to login and from where
If you really want to be paranoid about security, you should look from within as well. If you have more than one account, or if you give your only account’s login details to other people (which you shouldn’t do), you should have a way to see what they were doing – installed a new plugin, deleted a post, changed a setting …