Hardening WordPress: A Beginner's Guide To WordPress Security
Have you ever had your website hacked?
If so you already understand the importance of the conversation we are going to have today.
If not, count your blessings and make sure you have everything in place so it does not happen.
It amazes me how many businesses have a WordPress site and no hacking countermeasures in place at all, leaving their site, their business, their livelihood open to shady internet goons.
Yep, like this guy right here.
This fly-by-the-seat-of-your-pants mentality about your website security is nothing short of stupidity.
Or is it?
What do you think is the major reason people don't have any security in place for their WordPress website?
Amazingly it comes down to three things.
- It is confusing and I don’t know what to do.
- WordPress is safe out of the box. Right?
- My site is small no one is trying to hack my site.
Unfortunately, these are all false. Let’s chat about why.
Hackers do not care about the size of your site. Most attacks are automated: bots scan the whole internet for any site running a vulnerable plugin or theme, and a small site is just as useful as a big one for hosting spam, phishing pages, or malware. Yes, there is money in hacking websites, and a lot of it.
WordPress core is reasonably safe out of the box as long as it is kept updated, but like anything else it can be hacked. Then add in that spiffy plugin or theme you needed, and if you were not careful, your site is less secure than it was five minutes ago.
And last but not least.
It is nerdy and confusing so let me stick my head in the sand and act like it doesn’t exist.
That is where I lived for many years. Until I actually started educating myself on what you need to do and found out how easy some of these steps to securing your website could be.
How Do WordPress Sites Get Hacked
Before we talk about some of the basic nerdy WordPress security items, let’s chat about why most sites get hacked. There are three major culprits.
WordPress Core: Update To The latest Version
The first one is not updating WordPress core. When a new version comes out, the release notes explain which bugs and security holes were fixed. That is great for you, but it also hands any self-respecting hacker a road map to every site still running the outdated version.
If you keep your core updated you are less vulnerable to attacks.
WordPress Themes: Update & Delete
That is right, you need to update your theme as new versions come out. Themes are not a set-it-and-forget-it item. If you let too many versions go by, updating without breaking your site gets much harder. So keep on this.
Also, please, by all that is holy, make sure your site is using a child theme. Any edits you make directly to a theme's files are wiped out the next time it updates, which is exactly why people stop updating their themes. A child theme keeps your added functionality and styles in their own files so the parent theme can update freely.
If you have additional themes in your WordPress themes area, delete them. You really only need your parent theme and its child. WordPress ships with a default theme or two, and less code means fewer places for a hacker to get in. WordPress does suggest keeping one default theme around as a fallback in case your theme breaks; if you keep one, keep it updated, because an inactive theme with a known hole can still be reached by anyone who knows the path.
WordPress Plugins: Less Is More
Just because you can add 100 plugins to your site does not mean you need to.
Each and every plugin you add is something you need to keep updated or else you could find yourself with huge hackable holes in your WordPress site.
As you pick out plugins to use, make sure they are making it past the sniff test.
Here are a couple things to look at when searching for WordPress Plugins.
- Make sure they are from the WordPress plugin directory
- Make sure they have a great description, screenshots, and support section
- Pay attention to the amount of downloads
- Look at the rating and reviews of the plugin
- See when the plugin was last updated
- Make sure it is compatible with your version of WordPress
Below is an example of what a great plugin looks like.
And below, well, a not so good example of a plugin I would never download.
The Basics: WordPress Security Does Not Have To Be Nerdy
In an effort to help make the web a more secure place, and to keep you from becoming a victim of website hackers, I have tried to take what seems hard and nerdy and turn it into a beginner's guide to WordPress security.
To start, I am going to go through the basics, the really easy items you can take care of.
Don’t Use Admin Ever
That's right: when you first set up your WordPress site, do not use admin as the username. If you look in your Users panel right now and see a user named admin, replace it. Create a new Administrator account with a different name first, log in as that user, then delete admin and, when WordPress asks, attribute its posts to the new account. Bots hammer wp-login.php with the username admin and a list of common passwords all day long, so dropping that name takes you off the easiest list. One caveat: WordPress usernames are not really secret (author pages and the REST API give them away), so this buys you a little, and the strong password coming up next is what actually keeps the door shut.
That’s Your Password
Really? Password123 or 123456 or even your own name? That is like opening your door and saying, "Hey Hacker, come on in. Please go ahead and mess up my entire site and make me spend way too much money to put all the pieces back together again." You need a strong password: long, with capital letters, symbols, and numbers, and not one you use anywhere else, because password lists leaked from other sites get replayed against WordPress logins. In a perfect world, even you would not know your password. A password manager like 1Password can keep track of your heavy-duty passwords for you.
Don’t want to do that?
Then start using passphrases vs passwords.
What do I mean? Use something like ILike54Bigredtrucks or Run2theStor4Bread. They are easy to remember but long enough that an automated bot will not guess them in any useful amount of time. Two caveats: do not pick a phrase that already exists on the internet (song lyrics, movie quotes), and a bot does not give up on its own, so pair the passphrase with something that limits failed login attempts (most WordPress security plugins do this).
Don’t Use Your Name
A couple of sentences ago I said don't use admin as a username. I am going to take it one step further: do not use your own name as a username either. If I am a savvy hacker, I will go to your blog, look at the author names on your posts, then head over to yourwebsite.com/wp-admin and start taking cracks at those first names with a list of simple passwords. Guess what happens most times? You get hacked. (Your display name is a separate setting from your login name, so Fred can still show up as Fred on his posts, although the author archive URL is built from the login name, which is why usernames are never really secret.) You can thank Fred for using:
Good job Fred!
Don't feel bad if you are reading this and realize, wait, I used my name. You're not the only one.
Just go create yourself a new user account with the Administrator role (so you can delete the old one afterwards and hand its posts over), and this time you will be a little bit smarter about it.
Be cool and come up with a super secret code name for yourself like Maverick, Goose, or Iceman.
See what I did there?
Then use that as your username.
Just don’t make your password TopGun if you do.
The Intermediate: WordPress Security Can Get A Little Nerdy
The next couple items we are going to chat about get a little nerdy, but I will do my best to explain them along the way. Hang in there, it is important for you to have a secure WordPress website.
Hide Your Wp-Config File
Some of you right now are like, what the crap is a wp-config file? Well, at its simplest, your wp-config file is the heart of your WordPress site. It holds your database name, username and password, your unique keys & salts, and other sensitive settings.
Let's turn to our friends over at WP Learning Labs to explain how to use your .htaccess file to block requests for wp-config.php and why it matters. Normally PHP executes wp-config.php rather than showing its contents, but a broken PHP handler, a misconfigured host, or a leftover editor backup like wp-config.php.bak can serve the file as plain text, and then your database password is public.
One thing our friends at WP Learning Labs forgot to mention is that your .htaccess file is probably already there and hidden: files whose names start with a dot do not show up in most file managers until you turn on hidden files in the file manager settings. Do that before you create a new one, or you will overwrite the rules WordPress wrote for your permalinks.
Then add the block below to your .htaccess. This is the Apache 2.2 syntax; on Apache 2.4 replace the two inner lines with Require all denied. If your host runs nginx instead of Apache, .htaccess does nothing at all and the equivalent rule has to go in the nginx config.
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
What Are Unique Keys & Salts
In an effort to pay attention to nerd terms and help you understand them, here is what the unique keys and salts in your wp-config.php actually do. They are eight long secret strings that WordPress mixes into the hashes behind your login cookies and form nonces. If someone knows them, they can forge a logged-in cookie without ever learning your password.
The major thing you should know is that the web installer fills these in for you, but if you created wp-config.php by hand from wp-config-sample.php, all eight still say put your unique phrase here, which is the same as having no secret at all. Generate your own set with WordPress' own generator at https://api.wordpress.org/secret-key/1.1/salt/ and paste the lines in. You can change them any time; the only effect is that everyone gets logged out, which also makes them a handy reset button after a break-in.
In a couple seconds, you will be able to watch a video that explains how to add or change these keys & salts. But before we do that, let's talk about a second wp-config file change you can make.
What Is A Table Prefix
Simply put, a table prefix is the text at the start of every table name in your SQL database. By default WordPress uses wp_, so your tables are wp_posts, wp_users and so on.
One of the terms you might hear from me a couple times, as well as from others who talk about hardening WordPress, is security by obscurity.
If an attacker knows to look for wp_, their canned SQL injection payloads work without any guesswork. Change the prefix to something else and the lazy scripts break. Be honest with yourself about what that buys you, though: a real SQL injection hole lets the attacker ask the database for the table names, so a custom prefix is a speed bump, not a wall. And on an existing site you cannot just edit the line in wp-config.php; every table has to be renamed in the database, and the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys carry the prefix in their names too, or you will lock yourself out.
For those of you that enjoy the more technical side of this, google defines a WordPress table prefix as the following.
Database Table Prefix. In the wp-config.php file, a WordPress site owner can define a database table prefix. By default, the prefix is “wp_”, but you’ll need to check on the actual value and use it to define your database table name.
Let’s help you implement both of these security measures. To do this, we are turning to our friends at WP Learning Lab once again.
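Both wp-config.php changes can be checked and made from a script. The Python below is an added example written for this guide, not code from WP Learning Lab or the WordPress project: it audits a constructed wp-config.php for placeholder salts and the wp_ prefix, generates replacement salts locally from the operating system's random source (the same idea as the api.wordpress.org generator, without the network call), and prints the SQL you would still need to rename the tables on an existing site. The sample config text, the k7x_ prefix and the table list are made up for the demo.

```python
import re
import secrets
import string

# Constructed sample of a hand-made wp-config.php with the two problems
# discussed above: placeholder salts and the default wp_ prefix.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'change-me' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Printable ASCII minus quote, backslash and dollar, so the value can never
# break out of a single-quoted PHP string.
SAFE_CHARS = string.ascii_letters + string.digits + "!@#%^&*()-_=+[]{}<>?,.:;~|"

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def audit(config_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    defined = dict(DEFINE_RE.findall(config_text))
    for name in KEY_NAMES:
        value = defined.get(name)
        if value is None:
            findings.append(f"{name} is not defined")
        elif value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{name} is the placeholder or too short")
    match = PREFIX_RE.search(config_text)
    if match and match.group(1) == "wp_":
        findings.append("table prefix is the default wp_")
    return findings


def generate_salts(length=64):
    """Fresh define() lines from the OS CSPRNG. 64 symbols from this alphabet
    is far more than the 256 bits of secret anyone needs here."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(SAFE_CHARS) for _ in range(length))
        lines.append(f"define( '{name}', '{value}' );")
    return "\n".join(lines)


def harden(config_text, new_prefix):
    """Swap in new salts and a new prefix line. The caller writes the result
    back to wp-config.php (keep a backup, and plan the table renames below)."""
    text = config_text
    for line in generate_salts().splitlines():
        name = DEFINE_RE.match(line).group(1)
        pattern = r"define\(\s*'" + name + r"'\s*,\s*'[^']*'\s*\);"
        text = re.sub(pattern, lambda _m, repl=line: repl, text)
    return PREFIX_RE.sub(lambda _m: f"$table_prefix = '{new_prefix}'", text)


def prefix_rename_sql(tables, old, new):
    """SQL to move an existing site from prefix `old` to `new`: rename each
    table, then fix the row values that also embed the prefix (the user_roles
    option and the capabilities / user_level meta keys)."""
    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;"
             for t in tables if t.startswith(old)]
    like_old = old.replace("_", "\\_")  # `_` is a wildcard in MySQL LIKE
    stmts.append(f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
                 f"WHERE option_name = '{old}user_roles';")
    stmts.append(f"UPDATE `{new}usermeta` "
                 f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
                 f"WHERE meta_key LIKE '{like_old}%';")
    return stmts


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG):
        print("FAIL:", finding)
    hardened = harden(SAMPLE_WP_CONFIG, "k7x_")
    print("after hardening:", audit(hardened) or "clean")
    for stmt in prefix_rename_sql(["wp_options", "wp_usermeta", "wp_posts"], "wp_", "k7x_"):
        print(stmt)
```

To use it on your own site, feed `open('wp-config.php').read()` to `audit` and `harden` after backing the file up, and try the generated SQL on a copy of the database first: renaming the tables without the two UPDATE statements locks every administrator out, because WordPress looks up roles and capabilities under the new prefix.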
If you have implemented these first several WordPress security items, you can sleep better tonight. However, we are just getting started on hardening your WordPress website.
Permissions Are Important
This one is simple. Have you, or someone who has access to your file permissions, made any files or folders 777?
Okay, let’s back up and explain that there is something called CHMOD and it allows you to set different read & write permissions for your website files and folders.
What is chmod?
In Unix-like operating systems, chmod is the command and system call which may change the access permissions to file system objects (files and directories). It may also alter special mode flags. The request is filtered by the umask. The name is an abbreviation of change mode.
What does this mean to you and what do you need to do? It's simple but could be time-consuming.
Make sure your folders are set to 755 and your files to 644, and go one step tighter on wp-config.php (640, or 600 if PHP runs as the user that owns the file) so other accounts on a shared server cannot read your database password. Never 777: that lets every user and process on the server write to the file. One caveat: on hosts where PHP runs as the same user that owns the files, PHP can write to them whatever the numbers say, so these settings protect you from other tenants and sloppy scripts, not from a vulnerable plugin. Keeping plugins updated is still the real fix.
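Here is an added example, not from the original post, that does the permissions check in Python so you can see what "could be time-consuming" looks like automated: it walks a site folder, reports everything that is not 755 for folders and 644 for files (640 for wp-config.php), and can apply the fix. The sample tree it builds in a temporary folder is constructed for the demo, with a 777 uploads folder, a world-writable file and a wp-config.php that everyone can read.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o640   # tighter target for the file holding the database password


def wanted_mode(path, is_dir):
    """The mode this post recommends for a given entry."""
    if is_dir:
        return DIR_MODE
    if os.path.basename(path) == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def audit_permissions(root):
    """Walk the tree and return (relative path, actual mode, wanted mode) for
    every entry that is not at its target. 777 entries show up here first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # never chmod through a symlink
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            wanted = wanted_mode(path, is_dir)
            if actual != wanted:
                findings.append((os.path.relpath(path, root), actual, wanted))
    return findings


def fix_permissions(root):
    """Apply the wanted modes; returns how many entries were changed."""
    findings = audit_permissions(root)
    for rel, _actual, wanted in findings:
        os.chmod(os.path.join(root, rel), wanted)
    return len(findings)


def build_sample_site(root):
    """Constructed tree with the mistakes this post warns about."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)                      # the classic "make it work" mistake
    for rel, mode in (("index.php", 0o644),
                      ("wp-config.php", 0o644),  # readable by every account on the box
                      ("wp-content/uploads/photo.jpg", 0o666)):
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)


def demo():
    """Build the sample, audit it, fix it, audit again; returns both reports."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        before = audit_permissions(root)
        fix_permissions(root)
        after = audit_permissions(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, actual, wanted in before:
        print(f"{rel}: {oct(actual)} -> should be {oct(wanted)}")
    print("after fixing:", after or "all good")
```

On a real site, call `audit_permissions('/var/www/html')` first and read the report before calling `fix_permissions`; it skips symlinks and changes only modes, never ownership, and the 640 target for wp-config.php assumes the web server user is in the file's group (use 600 only if PHP runs as the file's owner).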
Prevent Directory Listings
You do not want anyone to be able to browse to yourwebsite.com/wp-content/plugins/ and get a neat list of every folder and file. That, my friends, is just asking for trouble, because the folder names tell a scanner exactly which plugins you run. So how can we keep this from happening?
Once again, one would think that this is super nerdy, but not really. You just need to add one line to your .htaccess file, the Options -Indexes directive, and Apache stops generating those listing pages. (If that line gives you a 500 error, your host does not allow Options in .htaccess; ask them to turn off directory indexes for you.) Leave robots.txt out of it: it is a polite request to search engines, not a security control, and any path you list there is a tip-off to anyone who reads it.
This stops the casual look around, but be aware that a scanner can still request wp-content/plugins/some-plugin/readme.txt directly to check whether you have a known-vulnerable version installed, so updating is what actually closes those holes. WP Learning Labs did another great video tutorial on this, so let's take a look at how you can prevent directory listings on your website.
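To tie the wp-config.php block and the directory-listing fix together, here is an added example (mine, not WP Learning Lab's or WordPress's) in Python: a small checker that reads an .htaccess file and reports which of the two hardening rules from this post are missing, plus a helper that recognises an Apache listing page so you can test a URL with curl before and after. The default and hardened .htaccess texts and the listing HTML are constructed samples.

```python
import re

# Constructed: the .htaccess WordPress writes for pretty permalinks, nothing more.
DEFAULT_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# The same file with the two additions from this post appended.
HARDENED_HTACCESS = DEFAULT_HTACCESS + r"""
# Block direct requests for the config file (Apache 2.4 syntax).
<Files wp-config.php>
    Require all denied
</Files>

# No automatic "Index of /wp-content/plugins/" pages.
Options -Indexes
"""

# Constructed snippet of what Apache's autoindex page looks like.
SAMPLE_LISTING_HTML = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<a href="akismet/">akismet/</a><a href="hello.php">hello.php</a></body></html>
"""

INDEXES_RE = re.compile(r"^\s*Options\b[^\n]*-Indexes", re.I | re.M)
# A <Files> or <FilesMatch> block whose target mentions wp-config; group 1 is the body.
FILES_BLOCK_RE = re.compile(
    r"<Files(?:Match)?\s+[^>]*wp-config[^>]*>(.*?)</Files(?:Match)?>", re.I | re.S)
# Accept both the Apache 2.4 and the older 2.2 deny syntax.
DENY_RE = re.compile(r"Require\s+all\s+denied|Deny\s+from\s+all", re.I)
LISTING_RE = re.compile(r"<title>\s*Index of /", re.I)


def audit_htaccess(text):
    """Return the hardening rules from this post that are missing from text."""
    findings = []
    if not INDEXES_RE.search(text):
        findings.append("directory listings are on: add 'Options -Indexes'")
    blocks = FILES_BLOCK_RE.findall(text)
    if not any(DENY_RE.search(block) for block in blocks):
        findings.append("wp-config.php is not blocked: add a <Files wp-config.php> "
                        "block containing 'Require all denied'")
    return findings


def looks_like_listing(html):
    """True if an HTTP response body is an Apache directory index page, e.g.
    the output of: curl -s https://yourwebsite.com/wp-content/plugins/"""
    return bool(LISTING_RE.search(html))


if __name__ == "__main__":
    print("default .htaccess:", audit_htaccess(DEFAULT_HTACCESS))
    print("hardened .htaccess:", audit_htaccess(HARDENED_HTACCESS))
    print("listing page detected:", looks_like_listing(SAMPLE_LISTING_HTML))
```

Point `audit_htaccess` at `open('.htaccess').read()` from your site root to check your own file. A clean report does not prove the server honours the rules (AllowOverride on the host decides that), so finish by fetching wp-config.php and a plugins folder URL with curl: the first should return 403 and the second should no longer be recognised by `looks_like_listing`.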
Have you completed all the security tweaks in this post? If not, now is the time to go implement them for your own site.
I will be creating a few more articles on the topic of hardening your WordPress website in the near future. Unfortunately, this beginner's guide to WordPress security has just scratched the surface. But hey, you have to start somewhere.
Keep your eyes and ears open for future hardening WordPress interviews and articles in the coming weeks. One of the most exciting articles I will be writing is about some awesome plugins that help you be a WordPress security ninja.
If you have any security tips, tricks or questions, let me know in the comments below.
Latest posts by George Thomas (see all)