Steps To Securing a WordPress Site – Basics
WordPress is a brilliant content management system, but due to its popularity it has become one of the most targeted platforms on the internet. WordPress core files and folders are structured to give users as much flexibility as possible, but flexibility brings a few security trade-offs. That is why we’re going to give you a few tips and tricks to secure your WordPress website further, starting with the basics. We’ve also created an “Advanced Security” section for users who are comfortable editing configuration files and adding snippets of code. Even if you are new to WordPress and configuration files, take a look at the “Advanced Security” section to see what more you can do to protect your valuable WordPress website.
So you have installed, or want to install, WordPress on your server; where do you start? First, identify your own restrictions on the server, as you may not have the permissions required to perform some actions. If you don’t have access to certain functions on your server, you can always ask your hosting company or server administrator to do the things you can’t.
- Take regular backups of your website and database. Good hosts provide daily backups and one-click re-install procedures. If your host doesn’t offer this, use a plugin like “BackupBuddy” to create a full backup on the day your website goes live, as well as at any other time you think a backup is vital. Remember, the most important parts of any backup are the Uploads folder and your database. Everything else, such as plugins, can be reinstalled and reactivated.
- Use VERY strong passwords, and NEVER reuse a password. Using the same password for the database and the WordPress admin account is VERY risky, especially if the database username is also the username you log into WordPress with.
- Use two-factor authentication. If you’re the only one who controls the back end and content of your website, then two-factor authentication is ideal for you. It’s easy to set up, and even if someone gets hold of your login password, they won’t get past the second step without your phone, since the authentication code is only valid for those 30 seconds.
- Limit login attempts. You can use a plugin, or set this up on the server itself if you have the knowledge. Using WPMUDEV Defender works just as well.
- Keep plugins, themes and WordPress core files up to date. This can be done server side (e.g. through Plesk) or by using the Easy Updates Manager plugin.
If you can do everything on this list, then you are well on your way to keeping your website safe and secure. Maintaining automatic daily or weekly backups is crucial; there is literally no excuse not to do this. Keeping plugins and themes up to date reduces your risk significantly, and using a good security scanning/defending plugin is key. We cannot recommend Defender highly enough, as it really is powerful and offers a mountain of configuration options to suit your specific needs.
Steps To Securing a WordPress Site – Advanced
Use a custom table prefix when you install WordPress for the first time. By default, WordPress adds wp_ to the start of every database table name, which makes it much easier for anyone who gets into your database through dubious means to cause harm. I usually create obscure database names for our websites using both numbers and letters, and prefix all tables with similarly obscure prefixes. An example would be:
- Database name: DB62857_data_3
- Database User: data3admin
- Database Password: 90$KGTQ9@5NUA9j
- WordPress Prefix: db6HW_wp_
Restrict PHP execution within certain folders of your WordPress install. There is absolutely no reason PHP should execute inside the uploads folder, which is a hotspot for hackers to target. One way to stop malicious code from running in the uploads folder is to create a .htaccess file with the following contents and put it in your uploads folder:
<Files *.php>
deny from all
</Files>
Disable the theme and plugin editors. If a person can edit any file through the wp-admin section using the default WordPress file editor, then that person can compromise the site from within and gain access to more of your system. You can remove the editing permission by pasting this into your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
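A quick way to verify the three settings above (custom table prefix, no PHP execution in uploads, editors disabled) is to audit the files on disk rather than trust memory. The following is an added Python example, not part of the original article or of WordPress itself. It reads wp-config.php for the table prefix and the DISALLOW_FILE_EDIT constant, and checks that wp-content/uploads/.htaccess contains a <Files *.php> block that denies everything; it accepts both the Apache 2.2 form shown above (deny from all) and the Apache 2.4 equivalent (Require all denied). The directory layout and the weak and hardened configuration texts are constructed in a temporary directory for the demonstration.

```python
import os
import re
import tempfile

def check_wp_config(text):
    """Return findings for the contents of wp-config.php: the default table
    prefix still in use, and DISALLOW_FILE_EDIT missing or not true."""
    findings = []
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if not m:
        findings.append("$table_prefix not found in wp-config.php")
    elif m.group(1) == "wp_":
        findings.append("default table prefix wp_ is in use")
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text):
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    return findings

def uploads_blocks_php(htaccess_text):
    """True if a <Files *.php> block denies all access, in Apache 2.2 syntax
    (deny from all) or Apache 2.4 syntax (Require all denied)."""
    m = re.search(r"<Files\s+\*\.php\s*>(.*?)</Files>", htaccess_text, re.S | re.I)
    if not m:
        return False
    body = " ".join(m.group(1).lower().split())   # normalise whitespace
    return "deny from all" in body or "require all denied" in body

def audit_site(root):
    """Audit a WordPress install rooted at `root` and return a list of findings
    (an empty list means all three checks passed)."""
    findings = []
    cfg = os.path.join(root, "wp-config.php")
    if os.path.isfile(cfg):
        with open(cfg) as fh:
            findings.extend(check_wp_config(fh.read()))
    else:
        findings.append("wp-config.php not found")
    ht = os.path.join(root, "wp-content", "uploads", ".htaccess")
    text = ""
    if os.path.isfile(ht):
        with open(ht) as fh:
            text = fh.read()
    if not uploads_blocks_php(text):
        findings.append("wp-content/uploads/.htaccess does not block PHP execution")
    return findings

# Constructed configuration texts: one with the defaults left in place, one hardened.
WEAK_CONFIG = "<?php\n$table_prefix = 'wp_';\n"
HARDENED_CONFIG = ("<?php\n$table_prefix = 'db6HW_wp_';\n"
                   "define( 'DISALLOW_FILE_EDIT', true );\n")
UPLOADS_HTACCESS = "<Files *.php>\ndeny from all\n</Files>\n"

def build_site(config_text, uploads_htaccess=None):
    """Create a minimal constructed install in a temporary directory and return its path."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(config_text)
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    if uploads_htaccess is not None:
        with open(os.path.join(uploads, ".htaccess"), "w") as fh:
            fh.write(uploads_htaccess)
    return root

if __name__ == "__main__":
    print(audit_site(build_site(WEAK_CONFIG)))                         # three findings
    print(audit_site(build_site(HARDENED_CONFIG, UPLOADS_HTACCESS)))   # []
```

Point audit_site at a real installation root to run the same checks there; it only reads files and never modifies the site.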
Password protect the wp-admin directory and wp-login.php. You can either set up password protection on the server (requires a little server knowledge) or do it manually (requires a little coding). Alternatively, you could use WPMUDEV Defender to solve this.
- Create a .htpasswds file. You can use a .htpasswd generator, which lets you enter the username and the hashed password that will grant access to whatever this file protects.
- Place this new .htpasswds file OUTSIDE of the public directory. An example would be: “/home/user/.htpasswds/public_html/wp-admin/passwd”
- Create a .htaccess file, place it in your wp-admin directory, and add the following to it:
AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
- Remember to update the username to whatever you chose in the generator in the first step, and the path to match your own installation.
- Place the following in your MAIN .htaccess file, before the WordPress rules start:
ErrorDocument 401 default
Open the .htaccess file inside the wp-admin folder (this is NOT the default .htaccess file in the main WordPress folder) and paste in the following:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
This keeps admin-ajax.php reachable without a password, which plugins and themes rely on for front-end requests, and fixes the Admin Ajax errors you may otherwise see.
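The most common mistakes with this setup are leaving the password file inside the public directory, naming a user in require user that is not in the file, and forgetting the admin-ajax.php exception. The following is an added Python example, not part of the original article or of Apache, that parses a wp-admin/.htaccess and checks those points: AuthType basic is present, AuthUserFile exists and resolves to a path outside the document root, the user named in require user appears in that file, and a <Files admin-ajax.php> block is present. The directory layout, the placeholder password hash and the two .htaccess texts are constructed in a temporary directory for the demonstration.

```python
import os
import tempfile

def parse_directives(text):
    """Collect top-level directives (those outside <Files ...> blocks) as
    {name_lower: [arguments]}; a later occurrence overwrites an earlier one."""
    directives = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            name, _, rest = line.partition(" ")
            directives[name.lower()] = rest.split()
    return directives

def check_admin_auth(htaccess_text, docroot):
    """Audit a wp-admin/.htaccess against the rules above and return a list of
    findings (an empty list means everything checked out)."""
    findings = []
    d = parse_directives(htaccess_text)
    if [a.lower() for a in d.get("authtype", [])] != ["basic"]:
        findings.append("AuthType basic is missing")
    user_file = d.get("authuserfile", [None])[0]
    users = []
    if user_file is None:
        findings.append("AuthUserFile is missing")
    else:
        real_file = os.path.realpath(user_file)
        real_root = os.path.realpath(docroot)
        if real_file == real_root or real_file.startswith(real_root + os.sep):
            findings.append("AuthUserFile is inside the public directory")
        if os.path.isfile(real_file):
            with open(real_file) as fh:
                users = [ln.split(":", 1)[0] for ln in fh if ":" in ln]
        else:
            findings.append("AuthUserFile does not exist")
    req = d.get("require", [])
    if len(req) < 2 or req[0].lower() != "user":
        findings.append("'require user <name>' is missing")
    elif users and req[1] not in users:
        findings.append(f"user {req[1]} is not present in AuthUserFile")
    if "admin-ajax.php" not in htaccess_text:
        findings.append("no <Files admin-ajax.php> exception; front-end AJAX will be challenged")
    return findings

ADMIN_AJAX_BLOCK = "<Files admin-ajax.php>\nOrder allow,deny\nAllow from all\nSatisfy any\n</Files>\n"

def demo():
    """Build a constructed layout in a temp dir and audit a good and a bad .htaccess."""
    base = tempfile.mkdtemp()
    docroot = os.path.join(base, "public_html")
    os.makedirs(os.path.join(docroot, "wp-admin"))
    outside_dir = os.path.join(base, ".htpasswds", "public_html", "wp-admin")
    os.makedirs(outside_dir)
    # PLACEHOLDER_HASH is not a real digest; a generator or htpasswd produces the real value.
    passwd_line = "alice:$apr1$PLACEHOLDER_HASH\n"
    outside = os.path.join(outside_dir, "passwd")
    inside = os.path.join(docroot, "passwd")
    for path in (outside, inside):
        with open(path, "w") as fh:
            fh.write(passwd_line)
    good = ('AuthName "Admins Only"\n' f"AuthUserFile {outside}\n" "AuthGroupFile /dev/null\n"
            "AuthType basic\nrequire user alice\n" + ADMIN_AJAX_BLOCK)
    bad = f"AuthUserFile {inside}\nAuthType basic\nrequire user bob\n"
    return check_admin_auth(good, docroot), check_admin_auth(bad, docroot)

if __name__ == "__main__":
    good_findings, bad_findings = demo()
    print("good:", good_findings)   # []
    print("bad:", bad_findings)     # three findings
```

The docroot comparison uses realpath on both sides so a symlinked public_html cannot make a file that is physically inside the web root look as if it were outside it.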
Some would argue that if there is such a plethora of “security” fixes, why should anyone use WordPress at all? The short answer is that it makes no difference whether you use Joomla, Drupal, Concrete5 or any other CMS on the market; you’re going to have the same problems. The difference is that WordPress is the most used CMS with the largest support community of all of them, which means more people are finding new ways to make the system safe, as well as finding exploits. WordPress has an enormous community and marketplace, so there’s pretty much everything for anything. If you can follow the basics and maintain a proactive approach to your security, then WordPress will NEVER let you down.
A .htaccess file is a very powerful tool in your arsenal for protecting your WordPress website. Whatever folder within your WordPress installation you want to protect, or create access rules for, a .htaccess file can literally make or break someone’s attempt to get in. Knowing when to use them and where to put them will save you a lot of time in the future. They’re dead simple to create and implement, so there’s absolutely no reason you shouldn’t be using them, or at the very least inserting rules in your main public directory to limit access to certain files or folders.