Being the most popular CMS on the block comes at a price. Unfortunately, WordPress sites are the most sought after by hackers, for a few reasons. First, it's the most used CMS and powers millions of popular sites. Secondly, these sites are usually ranked high and generate a good amount of traffic. Let's take your site and lock it down.
1. Use SFTP or SSH
SFTP, or Secure File Transfer Protocol, runs over SSH on port 22 instead of the usual FTP port 21. If you are using plain FTP on port 21, your login and your files are transferred across the internet in plain text, and anyone on the path can intercept a file and have a look. If your hosting server supports SFTP (most do), by all means use it.
SFTP provides a few security features that are important:
- FTP Password is encrypted
- Your file transfer is encrypted
The information you transfer to your hosting server will now be encrypted, meaning only your computer and the hosting server can read and understand the scrambled data. It's like a secret code that only those two computers understand.
Almost all FTP programs support SFTP. Personally, I use FileZilla, which is free and does a great job.
2. Change the admin account name
Before WordPress 3.0 came around, users were stuck with the default account username of admin. Changing it required going into the database using phpMyAdmin and editing the name by hand.
Now a fresh install of WordPress 3.0 lets you choose the administrator name during setup. Change this to something other than admin. Please!!
How do we fix this on an existing install?
- Log in to phpMyAdmin
- Find the wp_users table (or, if you chose a different table prefix, the table ending in _users)
- Edit the user_login field of the admin row to whatever you want the new administrator username to be
3. Pick a secure password
When you choose your password during installation, or after installation, make sure it is secure. I like to use a random password generator to ensure that database and user account passwords cannot be cracked. A mix of uppercase letters, lowercase letters, numbers, and symbols would take someone a lifetime to crack. Make sure it is over 8 characters long.
4. Create a random cookie hash salt
WordPress uses these keys and salts to sign the login cookies it sets in your browser. If they are left at the placeholder values from the sample config, those cookies are far easier to forge. How do we fix this?
- Go to the WordPress secret key salt generator site, and copy the generated code
- Open your wp-config.php file and find the 4 define( ) lines, starting with the one that begins define('AUTH_KEY'
- Remove the old code, and paste your new code into the wp-config.php file
- Save the file on your server
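The two sides of this step, as an added example that is not part of the original post: a scan of a wp-config.php that flags salts still set to the sample placeholder, too short, or missing, and a local generator that produces fresh define( ) lines from Python's secrets module in place of the web generator. The post counts 4 lines; the KEY and SALT constant names used here are the eight that current WordPress defines, and the 32-character minimum is this example's threshold, not a WordPress rule. The sample config text is constructed for the example.

```python
import re
import secrets
import string

# The eight key/salt constants WordPress reads from wp-config.php (the post
# counts 4 lines; current WordPress defines all of these).
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Value shipped in wp-config-sample.php; leaving it in place is the weakness.
PLACEHOLDER = "put your unique phrase here"
MIN_LENGTH = 32  # this example's threshold, not a WordPress requirement

# Letters, digits and punctuation; quotes and backslash are left out so the
# value can sit inside a PHP single-quoted string without escaping.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"

# Matches define('NAME', 'value') with single-quoted arguments.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def random_salt(length: int = 64) -> str:
    """Cryptographically random salt drawn with the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_salt_defines(length: int = 64) -> list:
    """One define('KEY', '...'); line per constant, ready to paste into wp-config.php."""
    return [f"define('{key}', '{random_salt(length)}');" for key in WP_SALT_KEYS]


def find_weak_salts(config_text: str) -> dict:
    """Map each problematic key to a reason: 'missing', 'placeholder' or 'too short'."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}
    problems = {}
    for key in WP_SALT_KEYS:
        if key not in found:
            problems[key] = "missing"
        elif found[key].strip() == PLACEHOLDER:
            problems[key] = "placeholder"
        elif len(found[key]) < MIN_LENGTH:
            problems[key] = "too short"
    return problems


# Constructed sample of a wp-config.php that was never updated after install.
SAMPLE_CONFIG = (
    "define('DB_NAME', 'wordpress');\n"
    "define('AUTH_KEY',         'put your unique phrase here');\n"
    "define('SECURE_AUTH_KEY',  'put your unique phrase here');\n"
    "define('LOGGED_IN_KEY',    'short');\n"
    "define('NONCE_KEY',        '" + "k" * 64 + "');\n"
    "define('AUTH_SALT',        '" + "s" * 64 + "');\n"
    "define('NONCE_SALT',       '" + "n" * 64 + "');\n"
)

if __name__ == "__main__":
    # Run against a real file with: find_weak_salts(open("wp-config.php").read())
    for key, reason in find_weak_salts(SAMPLE_CONFIG).items():
        print(f"{key}: {reason}")
    print("\n".join(generate_salt_defines()))
```

Paste the generated lines over the old block exactly as the post describes; because the alphabet excludes quotes and backslashes, the values drop into the single-quoted PHP strings without further escaping.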
5. Remove the WordPress version generator meta reference
If you open your website and view the source, you will find a tell-all of which version of WordPress you are using. This is an easy way for hackers and bots to quickly match your site against known vulnerabilities for that version and exploit them to gain access.
How do we fix this?
- Log in to your administration area.
- Click on the Appearance heading, and then click on Editor
- Open the functions.php file
- Add the line remove_action('wp_head', 'wp_generator'); somewhere in the file, and click Save.
Now when you view your homepage, you will not see the generator tag. An even easier option is to install the Secure WordPress plugin which will remove this for you without any code editing.
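A check for the "view the source" step above, as an added example that is not part of the original post: it parses a page's HTML and reports the WordPress version advertised by a generator meta tag, returning None once the tag is gone. The two page heads are constructed for the example and the version number in them is made up; on a live site you would feed it the homepage HTML instead.

```python
import re
from html.parser import HTMLParser
from typing import Optional


class GeneratorTagFinder(HTMLParser):
    """Collect the content attribute of every <meta name="generator"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        if attr.get("name", "").lower() == "generator":
            self.generators.append(attr.get("content", ""))


def wordpress_version_leak(html: str) -> Optional[str]:
    """Return the WordPress version advertised by a generator tag, or None if no
    such tag is present (what you should see after the remove_action fix)."""
    finder = GeneratorTagFinder()
    finder.feed(html)
    for content in finder.generators:
        m = re.match(r"\s*WordPress\s+([\d.]+)", content, re.IGNORECASE)
        if m:
            return m.group(1)
    return None


# Constructed page heads; the version number is made up for the example.
BEFORE_FIX = """<html><head>
<title>My Blog</title>
<meta name="generator" content="WordPress 3.0" />
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css" />
</head><body></body></html>"""

AFTER_FIX = """<html><head>
<title>My Blog</title>
<link rel="stylesheet" href="/wp-content/themes/mytheme/style.css" />
</head><body></body></html>"""

if __name__ == "__main__":
    # On a live site: html = urllib.request.urlopen("https://your-site.example/").read().decode()
    for label, page in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, wordpress_version_leak(page))
```

The parser matches on the meta tag's name attribute rather than on the string "WordPress" anywhere in the page, so theme credits or post text that mention WordPress do not produce false positives.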
6. Keep up to date
Make sure your WordPress version is up to date, and all of the plugins are up to date as well.
Beginning in WordPress 2.7, a notification shows in the administration area if your version is not up to date. For WordPress itself, this warning appears in the header once you log in. The plugins warning shows next to the Plugins menu heading as a count of the plugins with updates available. Be sure to do a complete backup (files and database) before you do any upgrades!!
7. Correct wp-config
The wp-config file is what stores your database information such as login, password, table prefix, and the secret cookie salts we generated above. This would be the holy grail for hackers looking to take over your site. Let's get you protected.
The first thing we will do is correct the permissions. The WordPress.org Codex suggests a 750 file permission so that users outside the file's owner and group cannot read it.
The second thing we will do is add a rule to our .htaccess file so that wp-config.php cannot be requested directly from the web.
You can edit the .htaccess by adding the following…
<files wp-config.php>
Order deny,allow
deny from all
</files>
If you don't already have an .htaccess file, now is the time to create one. Simply create a file and name it htaccess.txt. Edit the file with the above code, place it in your root directory, and rename it to .htaccess once it is on the server. Bam!
One last thing we can do is move the wp-config.php file out of our root directory. WordPress allows us to move this file up one directory and into our "private" directory. That is, if your root is /sites/useracct/domainname/, we can move it to /sites/useracct/ and we don't have to make any changes, because WordPress looks one directory above the root for it automatically. This is a much more secure practice. Go ahead and move it out of the root directory.
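The three wp-config fixes from this section (permissions, the .htaccess deny block, and moving the file up one level) as an added audit-and-harden script that is not part of the original post. It builds a throwaway directory layout, reports the weak state, applies the fixes, and reports again; the layout and the config contents are constructed for the example. Two caveats the script builds in: the Order/deny directives quoted in the post are Apache 2.2 syntax, and Apache 2.4 expresses the same rule as Require all denied, so the audit accepts either spelling; and 750 only protects the file if the web server process runs as the owner or in the owner's group, otherwise the site cannot read its own config. WordPress only falls back to the parent directory when that parent does not hold a second WordPress install, which the demo layout satisfies.

```python
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# The .htaccess block from the post (Apache 2.2 syntax). Apache 2.4 writes the
# same rule as "Require all denied"; the audit below accepts either form.
HTACCESS_BLOCK = "<files wp-config.php>\nOrder deny,allow\ndeny from all\n</files>\n"
DENY_RE = re.compile(
    r"<files\s+wp-config\.php\s*>.*?(deny from all|require all denied).*?</files>",
    re.IGNORECASE | re.DOTALL,
)
TARGET_MODE = 0o750  # the Codex recommendation quoted in the post


def audit_wp_config(docroot: str) -> dict:
    """Report where wp-config.php lives, its mode bits, and whether .htaccess blocks it."""
    root = Path(docroot)
    report = {}
    candidates = [
        (root / "wp-config.php", "in web root"),
        (root.parent / "wp-config.php", "one level above web root"),
    ]
    cfg = None
    for path, where in candidates:
        if path.is_file():
            cfg, report["location"] = path, where
            break
    if cfg is None:
        report["location"] = "not found"
        return report
    mode = stat.S_IMODE(cfg.stat().st_mode)
    report["mode"] = oct(mode)
    report["world_readable"] = bool(mode & stat.S_IROTH)
    htaccess = root / ".htaccess"
    text = htaccess.read_text() if htaccess.is_file() else ""
    report["htaccess_blocks_config"] = DENY_RE.search(text) is not None
    return report


def harden_wp_config(docroot: str, move_up: bool = False) -> None:
    """Apply the post's fixes: chmod 750, the .htaccess deny block, and optionally
    relocate the file one directory above the web root."""
    root = Path(docroot)
    cfg = root / "wp-config.php"
    os.chmod(cfg, TARGET_MODE)
    htaccess = root / ".htaccess"
    existing = htaccess.read_text() if htaccess.is_file() else ""
    if not DENY_RE.search(existing):
        htaccess.write_text(existing + HTACCESS_BLOCK)  # keep any rules already there
    if move_up:
        shutil.move(str(cfg), str(root.parent / "wp-config.php"))


def demo() -> tuple:
    """Build a constructed layout, audit it, harden it, audit again, then clean up."""
    base = Path(tempfile.mkdtemp())          # stands in for /sites/useracct/
    docroot = base / "domainname"            # stands in for the web root
    docroot.mkdir()
    cfg = docroot / "wp-config.php"
    cfg.write_text("<?php define('DB_PASSWORD', 'constructed-example');\n")
    os.chmod(cfg, 0o644)                     # the typical, too open, mode after upload
    before = audit_wp_config(str(docroot))
    harden_wp_config(str(docroot))
    after = audit_wp_config(str(docroot))
    harden_wp_config(str(docroot), move_up=True)
    moved = audit_wp_config(str(docroot))
    shutil.rmtree(base)
    return before, after, moved


if __name__ == "__main__":
    for label, report in zip(("before", "after", "moved"), demo()):
        print(label, report)
```

To use it on a real site, call audit_wp_config with your actual web root and read the report before running harden_wp_config; the audit never changes anything, so it is safe to run on its own first.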
That is enough WordPress security to keep you busy for today. I have more to come, so check back for Part 2 of this series, and let me know what you think so far…