Secure WordPress on your site

by Mike on July 27, 2010

After getting bent out of shape by all the sites recommending you CHMOD files or directories to 777, I went off on a bit of a rant. After having collected my composure again, I decided it might be a good idea to point out some tips to help you secure your WordPress site.

File Permissions

Please check the permission settings on your WordPress installation. Nothing should have permissions set to 777. Nothing! Directories should be at 755 and individual files should be at 644, without exception. You lose the ability to edit core files from the WordPress Dashboard, but if your site has ever been cracked you will understand how simple it is to sacrifice convenience for security. So grab your favorite FTP program and start locking things down.
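An added example (not from the original post) for doing that check and the lock-down in one go over SSH instead of one entry at a time in an FTP client. It assumes POSIX find/chmod and that the account running it owns the files; the path you pass in is your WordPress root.

```shell
# Audit a WordPress tree against the policy in this post: directories 755,
# files 644, nothing world-writable. Assumes POSIX find/chmod.

# List world-writable entries first: these are the 777-style mistakes.
wp_world_writable() {
  find "$1" -perm -002 \( -type d -o -type f \)
}

# List every directory not exactly 755 and every file not exactly 644
# (so 775 and 664 are flagged as well, not just 777).
wp_perm_offenders() {
  find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# Number of offenders; 0 means the tree matches the policy.
wp_perm_count() {
  wp_perm_offenders "$1" | wc -l | tr -d ' '
}

# Apply the policy: directories 755, files 644.
wp_perm_fix() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Stand-alone usage: wp_perm_audit /var/www/html/wordpress   (path is an example)
wp_perm_audit() {
  root="$1"
  echo "World-writable entries under $root:"
  wp_world_writable "$root"
  echo "Entries deviating from 755/644:"
  wp_perm_offenders "$root"
  if [ "$(wp_perm_count "$root")" = "0" ]; then
    echo "OK: permissions match policy"
    return 0
  fi
  echo "Run: wp_perm_fix $root"
  return 1
}
```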

Using .htaccess

Here is a very simple .htaccess file you can install in your wp-admin directory, which will only allow the IP addresses you specify to access your WordPress Dashboard.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 123.456.789.012

Obviously, you will want to insert your own IP address in that last line. I generally add another line that will also allow me to access my Dashboard from my workplace IP address. And remember, this file goes in your wp-admin directory and not the root .htaccess file.

Here's another .htaccess trick everyone should be using on any Web site. Disable directory browsing, which will prevent people from viewing your directories to see what files are installed in each. One line, added to the bottom of your root .htaccess file, will put an end to people viewing your directories.

Options All -Indexes

Another bit you can install in the root .htaccess file will block all web access to your wp-config.php file, so that only the server itself can read it. Another powerful security measure.

<files wp-config.php>
order allow,deny
deny from all
</files>

Now, before we leave .htaccess behind, verify the permission settings on that file are set at 644.

wp-config Security

WordPress will always check the standard WordPress directory for the wp-config.php file. But were you aware you can also move this file up one directory? WordPress will also check that directory for wp-config.php.

Now it's time to open up your wp-config.php file. Yes, I know, you thought defining your database information was all you needed to do with this file. But now it's time to increase the security of your site a bit further. Locate these lines in your file -

/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

/**#@-*/

Have you bothered to put your unique phrases there, as instructed? Why are you shaking your head from side to side? You ignored this, didn't you? Before you do anything else, visit the WordPress.org secret-key service linked in that comment block (https://api.wordpress.org/secret-key/1.1/salt/) and get a unique set of keys, which will look like this -

define('AUTH_KEY', 'y#;58(m*D7uv+6Z~U*pBCYU0|`[EU^+5@!+W3p,2 w nb[+gkV<2Fn1C)r%0Vze');
define('SECURE_AUTH_KEY', 'cM#|}W1c~$ aZ=ae_C1l87YF=K-!mi2CCQ=*NnSzne%iW_;07C0-_2SPhvC%-|?w');
define('LOGGED_IN_KEY', '[+FZP;UOcGMH_)2B}f~]6:kr%1*h%szo{,K-nG5Rs JugB4eg5,*:U0I@!LQXzpW');
define('NONCE_KEY', 'Z@+?3wIILDq0#{L/O~

NO, don't use those keys, visit the link I provided for you. Copy the keys on that page and paste them into your wp-config.php file and your passwords just became much more secure.
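If you would rather not fetch the keys over the web, here is an added example (not from the original post) that produces the same eight define lines locally. It assumes /dev/urandom and POSIX tr/head are available.

```shell
# Generate the wp-config.php key/salt block offline. Assumes /dev/urandom.

# One 64-character phrase drawn from /dev/urandom. The character set leaves out
# the single quote and backslash so the value is always a valid PHP string
# literal; LC_ALL=C keeps tr byte-oriented on every platform.
wp_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&()_+=<>?{}~-' < /dev/urandom | head -c 64
}

# Emit the full block in the same form WordPress expects in wp-config.php.
wp_salts_block() {
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$key" "$(wp_salt)"
  done
}

# Stand-alone usage: run wp_salts_block and paste the output over the
# placeholder block in wp-config.php.
```

Re-running it later and pasting fresh values invalidates every existing login cookie, exactly as the comment in wp-config.php describes.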

Now, here's another trick, if you're setting up a new WordPress installation. Change the WordPress table prefix to something unique. By default, WordPress database tables have the prefix set at wp_. Use your imagination and put something unique there, like wp8319_. Now you have an additional layer of security.

General Security Tips

If you manually installed WordPress, dollars to doughnuts says your username is - admin

Which means a cracker already has half the information necessary to crack your WordPress install. Now all it takes is a brute force attack on your password and they are in.

WordPress says your username cannot be changed, but I am going to show you how to do it. Come back here after you are sure you have a current MySQL back-up in hand. Do not proceed without a back-up!

Access your database with phpMyAdmin. Now look for the wp_users table (or whatever prefix you've changed wp_ to) and click on the Browse icon. Locate the admin account and click on the Edit icon. Now, in the user_login field, change admin to whatever you like. Then click Go and your log-in username is changed and known only to you.

Here's a little tip to help you reduce the size of your database, whilst you are still in phpMyAdmin. Up at the top, click on Query and enter the following SQL query -

DELETE FROM wp_posts WHERE post_type = 'revision';

and click on Submit Query and then Yes. You just removed a ton of post revisions entries and rows from your database. And you didn't even know they were there, did you? If you recorded the number in the Records column of the wp_posts table before running the query and checked it again after, you were doubtless surprised to see so much data being dropped. Keep that one in your WordPress toolbox, with my compliments.

Be sure to back up your WordPress database on a regular basis.

Be sure all of your themes and plugins are up to date, along with your WordPress installation.

If you have uninstalled a theme, then delete it and do the same with deactivated plugins. Get them off your site.

Change your password on a regular basis and do not use passwords common to your server account or other sites you frequent. And using your name spelled backwards, your birthdate or your telephone number does not constitute a strong password. Nearly 1% of all passwords contain the word 'password', if you can imagine. Use a string of letters, numbers and characters that others cannot easily sort.

Spend a bit of time looking over the WordPress Extend security-related plugins and you will see several that can help you lock down your site.

Hopefully, we have just added some security to your WordPress blog. What are your favorite security measures?


Big Dan July 28, 2010 at 4:31 pm

Great tips Mike! :) First thing I always do is add a new account and delete the admin account. I haven’t bothered to .htaccess protect wp-admin yet but it’s probably something I’ll wind up doing.

My blog has been moved so many times that the file permissions are probably all wonky. I really should do a double check and chmod everything properly. Someday when I get a few spare minutes. :)

Never realized that wp-config can be placed above public_html that’s a good idea :)
