WordPress developers take security very seriously, and many security experts evaluate WordPress’s code for flaws. Security updates are made frequently to keep users safe. However, there are some extra steps you can take to make a fresh installation of WordPress more secure and protect against future attacks. Remember, no system can ever be completely secure, but taking preventative measures can be helpful. Much of this guide is based on the advice from the WordPress Codex article on hardening WordPress, but it is aimed at the WordPress beginner. In future articles, I’ll cover advanced security measures, hardening existing WordPress installs, and recovering hacked WordPress sites.
This guide should be relevant for both WordPress 2.92 (the most recent stable release as of this writing) as well as WordPress 3.0.
Overview:
-Preliminary steps for securing your WordPress install
-Changing defaults in WordPress to implement “security by obscurity”
-Choosing strong passwords
-Installing and configuring the Secure WordPress plugin
-Keeping WordPress updated and backed up
-And we’ll take a first look at some advanced security measures
Preliminary steps:
1. Secure your computer
As the WordPress codex says: “None of the following makes the slightest difference if there is a keylogger on your PC.” Make sure you are running anti-virus and anti-spyware software, and make sure said software is up to date. If you’re on Windows and don’t have any antivirus installed, I recommend AVG Free and Windows Defender.
2. Make sure you’re installing the latest stable version from WordPress.org.
3. If you already have another installation of WordPress or other database-backed software on your server, and your host allows it, create a completely new database and a brand new database user that only has access to the new database. This insulates your other sites in case someone compromises this installation of WordPress.
Installation:
We’ll follow the basic steps of the famed 10 minute install, but we’ll make a few changes to the default settings along the way.
1. First we’ll change the default table prefix (You won’t be able to change this if you’re installing using Fantastico):
If you’re installing manually you’ll see a screen that looks like this:
Change the “Table Prefix” field to something else. Be sure to leave the underscore (_). You should have something that looks like this:
2. Next we’ll change the administrator’s username. The default is “admin.” Change this to something secret. You’ll have the option later to set a “nickname” – that’s what your readers will see.
Be sure to use a strong password. Notice how WordPress lets you know whether your password is weak or strong.
Some tips for creating a strong password:
-You shouldn’t use any part of your name, username, or the site name in the password.
-It should be at least 8 characters long.
-It should include numbers and symbols in addition to letters.
-Your child’s first name and date of birth may be easy to remember, but they are easy for anyone who knows anything about you to guess.
Here’s a strong password generator to help you out.
If you’re using Fantastico you’ll change the administrator username when you set up the new installation. Fantastico doesn’t help you create strong passwords, so you’ll be on your own. Follow the advice above and you should be OK.
3. Finish installing WordPress and log in.
4. Next we’ll want to stop WordPress from displaying its version number anywhere on the site. I use the plugin Secure WordPress. It also provides some other security features we’ll look at in a moment.
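The password rules listed above, turned into a small checker you can run before you pick a password. This is an added example, not part of the original post or of WordPress; the names, username and site name in the demo are constructed.

```python
import re
import string

MIN_LENGTH = 8  # the "at least 8 characters" rule from the tips above


def _personal_parts(personal_info):
    """Split names, usernames, site names, birth dates etc. into lowercase parts of 3+ chars."""
    parts = set()
    for value in personal_info:
        for part in re.split(r"[^a-z0-9]+", value.lower()):
            if len(part) >= 3:
                parts.add(part)
    return parts


def check_password(password, personal_info=()):
    """Return a list of rule violations; an empty list means every rule passed.

    personal_info holds strings that must not appear in the password: your name,
    username, site name, and anything else easy to guess (a child's name, a birth date).
    """
    problems = []
    lowered = password.lower()
    for part in sorted(_personal_parts(personal_info)):
        if part in lowered:
            problems.append(f"contains '{part}' from your personal information")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("has no letters")
    if not any(c.isdigit() for c in password):
        problems.append("has no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("has no symbols")
    return problems


def is_strong(password, personal_info=()):
    return not check_password(password, personal_info)


if __name__ == "__main__":
    # Constructed sample: owner Jane Doe, username jdoe_editor, site "Jane's Blog", child born 2004.
    info = ["Jane Doe", "jdoe_editor", "Jane's Blog", "Tommy 2004"]
    for candidate in ["janeblog2010", "Doe!2010", "x7#Qp9!mLw2r"]:
        print(candidate, "->", check_password(candidate, info) or "OK")
```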
On the dashboard, mouse over Plugins and click the arrow
Click Add New
In the search field, type “Secure WordPress” and click “Search Plugins”
Find Secure WordPress. To make sure you have the right plugin, verify that it is the one by Frank Bültge.
Click “Install Now” and then click “OK.” On the next screen click “Activate Plugin.”
5. On the next screen, click “Settings” under “Secure WordPress”
You can leave all these settings alone, but if you’re not planning on using Windows Live Writer you should check “Remove Windows Live Writer link in wp_head of the frontend” and then click “Save Changes.”
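After activating the plugin it is worth confirming that the version really is gone. This added script (not from the post or the plugin) checks a saved copy of your home page and feed for the places a stock install discloses its version: the generator meta tag, the feed's generator element, the ?ver= query string WordPress appends to scripts and styles, and the Windows Live Writer manifest link. The sample pages are constructed, not fetched.

```python
import re

# Each check is a pattern for one version-disclosure location on a stock WordPress page.
CHECKS = {
    "meta generator tag": re.compile(
        r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress[^"\']*["\']', re.I),
    "feed generator element": re.compile(
        r"<generator>[^<]*wordpress[^<]*</generator>", re.I),
    "?ver= on script/style URL": re.compile(
        r'<(?:script|link)\b[^>]*\b(?:src|href)=["\'][^"\']*\?ver=\d+\.\d', re.I),
    "Windows Live Writer manifest link": re.compile(
        r'<link\b[^>]*rel=["\']wlwmanifest["\']', re.I),
}


def find_version_leaks(page: str) -> list:
    """Return the names of the checks that matched, in the order defined above."""
    return [name for name, pattern in CHECKS.items() if pattern.search(page)]


def extract_version(page: str):
    """Return the WordPress version from a generator tag/element, or None if absent."""
    m = re.search(r'content=["\']WordPress\s+([\d.]+)', page, re.I)
    if not m:
        m = re.search(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", page, re.I)
    return m.group(1) if m else None


# Constructed samples: the head of a page before and after the plugin, and an RSS feed.
BEFORE = """<head>
<meta name="generator" content="WordPress 2.9.2" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css?ver=2.9.2" type="text/css" />
</head>"""
AFTER = """<head>
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css" type="text/css" />
</head>"""
FEED = "<rss><channel><generator>http://wordpress.org/?v=2.9.2</generator></channel></rss>"

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER), ("feed", FEED)):
        print(label, "->", find_version_leaks(page) or "no leaks", extract_version(page))
```

On a live site, save the HTML with your browser or a download tool and pass the file contents to find_version_leaks().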
Congratulations! You’re now ahead of the curve in terms of WordPress security.
Keep WordPress up-to-date, keep plugins up-to-date
The most important thing you can do now is keep WordPress up-to-date. When new versions of WordPress are available you’ll see a notice on the dashboard when you log in:
Click the “Please update now” link to see your update choices. The easiest way is to just click “Upgrade Automatically.” If for whatever reason you can’t upgrade automatically, you can download the newest version and follow the included upgrade instructions.
You’ll also want to keep your plugins updated. You should frequently click on the Plugins link on the dashboard and check for notifications that look like this:
Again, upgrading automatically is the easiest method. If you can’t upgrade automatically, follow each plugin’s upgrade instructions.
Backup often
Finally, you’ll want to back up your WordPress database frequently in case anything should ever happen to your WordPress install. WordPress Database Backup makes this a snap. We’ll cover database backups in a future article.
Advanced security
If you want to get your hands dirty with advanced security measures, you can lock down your wp-admin folder. We’ll look into the specifics of doing this in the future, but if you want to get started now check out the AskApache Password Protect plugin.
And for bonus paranoid points, you can use Open Source Tripwire to monitor your WordPress files for unexpected changes. In the comments, David pointed out that Open Source Tripwire is no longer maintained, and suggested some alternatives. But here’s a plugin specifically designed for monitoring your WordPress files. Works right out of the box!
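To show what Tripwire-style file monitoring does, here is an added example (not from the post, Tripwire, or the plugin) that records a SHA-256 baseline of every file under a WordPress install and later reports files that were added, removed or modified. The demo builds a throwaway mini install; keep the real baseline file outside the web root so an intruder cannot simply rewrite it.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each file path (relative to root, '/' separated) to the SHA-256 of its contents."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def save_baseline(root: str, baseline_path: str) -> None:
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(root), fh, indent=2, sort_keys=True)


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def check(root: str, baseline_path: str) -> dict:
    with open(baseline_path) as fh:
        return compare(json.load(fh), snapshot(root))


def demo() -> dict:
    """Constructed mini install: baseline it, then tamper with it and report the differences."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, text):
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(text)
        write("wp-config.php", "<?php $table_prefix = 'wp_';\n")
        write("license.txt", "GPL\n")
        write("wp-includes/version.php", "<?php $wp_version = '2.9.2';\n")
        baseline_path = os.path.join(store, "baseline.json")  # stored outside the install
        save_baseline(root, baseline_path)
        write("wp-includes/version.php", "<?php $wp_version = '2.9.2'; // changed\n")
        write("wp-content/uploads/unexpected.php", "<?php // should not be here\n")
        os.remove(os.path.join(root, "license.txt"))
        return check(root, baseline_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run save_baseline() right after a clean install or upgrade, and run check() from cron; every line in the report is something you did not change yourself.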