As many users are probably aware, WordPress is one of the premier open source blog software available on the internet. It has gone far beyond the standard weblog and is now an excellent foundation for just about any type of website. However, the internet itself is fraught with inherent dangers which leave users open to attack by unscrupulous hackers.
It must be understood that it is impossible to prevent every attack, but there are many steps that can be taken to protect WordPress users and their websites. WordPress users have found the program to be highly configurable with an excellent support community available. Because of these features, users can expect considerable levels of security by adhering to the following recommendations outlined below.
How Your WordPress Blog is Affected
In the past, the goal of web hackers was simply to disable websites. These criminals, however, discovered that taking a website down did not produce any benefits. Today, their new mode of attack is to hijack websites for their own gain. WordPress hackers accomplish this primarily through link injection. They hack into the user's web files and insert lines of code that attach unwanted links to practically every web page. The two primary negative effects of link injection are:
- Time and resources involved in cleaning up the attack
- Decrease of search engine page rank
WordPress users invest a significant amount of time, energy, and financial resources to set-up and maintain their blog. A blog may be used to generate substantial income for the WordPress user. Page rank is affected when search engines notice excessive links and flag a website. When search engine page rank is adversely impacted by an unwanted link injection, a user may face lost web traffic and, in turn, income.
How to Protect Your WordPress Blog
The goal of protecting a WordPress blog is to prevent outsiders from accessing a user's web files. By taking the following measures, users can be proactive in the fight against hackers.
Standard Blog Maintenance
An essential component of proper blog maintenance is to make certain that plugins and themes come from a trusted source. The best way to ensure this is to choose only those found in the WordPress.org plugins and themes directories.
Additionally, regular updates of plugins, themes, and the WordPress installation are also necessary for effective blog maintenance. These updates repair bugs and security vulnerabilities that have been discovered in the programs. It is best to update plugins and themes before updating the installation as compatibility issues may arise otherwise.
WordPress users should be aware that it is extremely important to backup the entire installation on a regular basis. Users should make themselves familiar with the process of restoring backup data in order to minimize down time if a problem occurs. The ideal backup system will be off the primary server and include redundancy.
A strong password is one of the first lines of defense against hacker attacks. A strong password may be defined as a password that is not easily guessed and contains both numbers and letters. The most secure passwords are random strings of letters and numbers, which may require the WordPress user to store this password in a secure location. There are internet sites that generate these random strong passwords at no charge.
To further maximize password security, WordPress has included the option of using secret keys. A secret key is a hashing salt that adds random elements to the user's password. To initiate the use of secret keys, go to WordPress API. Copy the information found at this website, and replace the appropriate portion of the user's
wp-config.php file. For existing installations, this will invalidate cookies already stored on the computer and force users that are already logged in to log in again.
Creating a Secure User Name
The default administrator account for WordPress installations is given the user name “admin.” Most hackers are aware of this, and as a result, have half of the information necessary to access a user's data. The only other piece of information hackers need is the user's password. To protect a user's account, this username should be changed to something unique. This can be accomplished in one of two ways depending on the user's familiarity with MySQL.
Those familiar with MySQL can use a frontend program like phpMyAdmin or the following command:
UPDATE wp_user_login='new user' WHERE user_login='admin'.
For those that are unfamiliar with MySQL, the following steps should be taken:
- Create a new user with a unique username
- Assign an account to admin role
- Log out and then log back in using the new user account
- Delete the admin account
Recommended Security Plugins
There are several plugins available to WordPress users that can assist with blog security. The following are recommended security plugins for WordPress users:
WP Security Scan
This plugin searches the user's installation for weaknesses that enable hackers to gain access to the user's files. It also suggests the actions that will correct these weaknesses. The WP Security Scan may be initiated occasionally and need not be active at all times.
WordPress Exploit Scanner
By scanning a user's files for evidence of a hacker intrusion, WordPress Exploit Scanner can alert the user to problem areas. Similar to the WP Security Scan, this plugin may be initiated occasionally and does not need to be active at all times.
WordPress File Monitor
This plugin constantly monitors a user's files and alerts the user to any changes that are made. The user should be able to easily identify changes that are the result of attacks by hackers. To work effectively, WordPress File Monitor should remain activated at all times.
Limiting the number of times a login may be attempted, this plugin prevents hackers from guessing a user's password through multiple efforts. The lockdown time can be set to the user's personal preference. The Login Lockdown feature should be activated at all times.
Another method by which hacker attacks can be thwarted is to make sure the user's folder permissions are set properly. Many blog hosts allow folder permissions to be set through the control panel. If not, stand alone ftp programs offer users the ability to change these permissions. A good rule of thumb for folder permissions is to set files at 644 and folder at 755. This should provide most plugins and themes the access they require. If the user finds that there are folder access problems, permissions may be increased as needed.
Change WordPress Table Prefix
The default installation of WordPress sets the database tables with the prefix
wp_. This is another bit of information that hackers know well. Database files may be hidden by making the table prefix unique. This is accomplished by changing the
wp-config.php file. Prior to installing WordPress on the user's server, the
wp-config.php should be changed. Changing existing tables can be quite complicated if these adjustments do not occur before WordPress installation.
Move wp-config.php File
With the release of WordPress 2.6, users now have the option of moving the
wp-config.php file. The ability to move the wp-config.php file prevents hackers from finding the file and making unwanted changes. The file can only be moved to the parent directory of the WordPress installation. For example, if the file is installed in:
it may be moved to:
It must be noted, however, that WordPress is programmed to only search the parent directory. If the configuration file is moved anywhere else, an error message will result.
While this method of security can become somewhat tricky, it is very effective at preventing a hacker attack. The goal is to specify the IP address or range of IP addresses that can access the administration section of WordPress. To do this, create a .htaccess file in the wp-admin directory on the user's wordpress web hosting account. The file should contain the following information:
AuthUserFile/dev/null AuthGroupFile/dev/null AuthName “Access Control” AuthType Basic order deny, allow deny from all #IP address to Whitelist allow from xxx.xxx.xxx.xxx
Users may specify as many IP addresses as they like, and change the IP addresses easily. There is a drawback to this type of security measure, however. If there are many computers accessing the administration portion of WordPress, there will be many IP addresses to coordinate. For some users, this could present a substantial difficulty.
Force SSL Encryption
WordPress users can force their installation to use SSL encryption at the login or administration pages. This can be accomplished by modifying the
wp-config.php file. In the file, add the following lines:
- For the login in page –
- For the administration page –
In order to use this security function, users must ensure that their server is set-up and configured for SSL encryption.
You Can Protect Yourself From Attack
The threats of hacker attacks on a WordPress blog are real, but there are ways to prevent nuisances such as these. With diligent maintenance and judicious preventative steps, a user can head off all but the most virulent hacks. Following the aforementioned recommendations will provide a high level of security for any WordPress user.