WordPress has such a comprehensive installer that almost anybody can set it up. But the same simplicity makes it easy to skip some essential security steps, and a stock WordPress installation is not immune to attack. There is no need to panic; just take the time to read and understand this article.
In short, this article explains how to install WordPress, configure it, secure it and install the essential security plug-ins.
Follow these steps and you will not miss anything again.
Foreword about security
Before we start, keep in mind the three key points of securing a WordPress blog:
- Limiting access: make smart choices that reduce the entry points available to a malicious person.
- Containment: if a malicious person does find a weak point in your installation, your system should be configured so that the damage they can do once inside is as small as possible.
- Knowledge: keeping backups, checking the state of your WordPress installation at regular intervals and documenting your modifications all help you understand your installation, and notice when something changes that you did not change.
Part 1: Install WordPress
First download WordPress from WordPress.org. If you do not have an FTP program, try FileZilla: it is good, open-source and free, and it also speaks SFTP, which you will want later on (see Part 4). Some hosting companies let you install WordPress in one click with Fantastico. Personally I do not recommend it. We will assume that you know how to extract WordPress and upload it to your server.
Even though there are tons of tutorials on how to install WordPress, here is a quick one.
Download WordPress: http://wordpress.org/download/
Now visit wp-admin/install.php in your browser and follow the instructions; you should see something like the picture above. If you did not edit wp-config-sample.php yourself, WordPress will create wp-config.php for you from the values you enter next.
Now look up your database name, username and password (your host gave them to you when you created the database).
Enter the database name, username, password and table prefix. The table prefix should not be wp_! Pick something unique made of letters and numbers (the installer accepts only letters, digits and underscores). This does not fix any vulnerability, but it defeats automated attack scripts that hardcode the default wp_ table names.
Now let’s run the install!
Two very important points here:
- Username: avoid admin! Anything else is better, since attackers try admin first.
- Password: make a strong one! Do not use dictionary words; mix lower and upper case, digits and special symbols, and above all make it long. Where you put the symbols matters far less than the length, so a long random password from a password manager is the best choice.
Use a Gmail address or another email account that is not tied to your blog, and make sure its password is different from your blog password: whoever controls that mailbox can reset your WordPress password.
Confirmation that everything went fine, which is always good for the heart 😉 You should also receive an email with your login and password; if not, check your spam folder. Keep this email somewhere safe if you are unsure, or delete it for good if you want no trace of the password lying around.
Now just log in to your newly created blog.
Part 2: Configure WordPress
You installed it, now you remove it! Remove install.php
This takes a second or two 😉 Go to wp-admin/ and delete install.php. Easy one. Two caveats: once the tables exist WordPress refuses to run install.php again anyway, and a core update puts the file back, so repeat this step after each upgrade.
Generate the Authentication Keys
Remember the wp-config.php file (or the one the WordPress setup created for you)? We need to generate the authentication keys and salts that WordPress uses to sign its login cookies. It is very easy: visit https://api.wordpress.org/secret-key/1.1/salt/ and copy-paste the randomly generated defines into wp-config.php, replacing the placeholder lines. Changing them later simply logs every user out, which also makes them the quickest way to invalidate all sessions after an incident.
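As an added example (not part of the original article), here is a small POSIX shell script that produces the three secrets this part asks for locally, without the request to api.wordpress.org: a random table prefix made only of the characters the installer accepts, a long random admin password, and the eight key/salt defines for wp-config.php. It reads /dev/urandom and assumes tr and head are available; the lengths (6, 24 and 64 characters) and the symbol sets are my choices, not values from the article.

```shell
#!/bin/sh
# Added example: generate WordPress install secrets locally from /dev/urandom.
# Lengths and character sets are assumptions of this example, not article values.
set -eu

# Draw $1 random characters from the tr character set in $2.
# LC_ALL=C keeps tr byte-oriented so it does not choke on invalid UTF-8.
rand_chars() {
    LC_ALL=C tr -dc "$2" < /dev/urandom | head -c "$1"
}

# Table prefix: setup-config.php rejects anything but a-z, 0-9 and _.
# Starting with a letter is a choice of this example, to keep table names
# readable. Anything other than wp_ defeats scripts that hardcode the default.
wp_table_prefix() {
    printf '%s%s_\n' "$(rand_chars 1 'a-z')" "$(rand_chars 5 'a-z0-9')"
}

# Admin password: 24 characters from letters, digits and a few symbols.
# Length is what matters; a manager-generated password is just as good.
wp_admin_password() {
    rand_chars 24 'A-Za-z0-9!@#$%^&*+=?'
    printf '\n'
}

# The eight unique keys and salts wp-config.php expects. The character set
# deliberately omits the quote and the backslash so the values can be pasted
# into single-quoted PHP strings without any escaping.
wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" \
            "$(rand_chars 64 'A-Za-z0-9!@#$%^&*+=.,:;?')"
    done
}

# Stand-alone usage: "sh wp-secrets.sh show" prints everything so it can be
# pasted into the installer and into wp-config.php.
if [ "${1:-}" = "show" ]; then
    printf 'Table prefix:   %s\n' "$(wp_table_prefix)"
    printf 'Admin password: %s\n' "$(wp_admin_password)"
    wp_salts
fi
```

Paste the prefix and password into the installer screen, and the eight define lines over the placeholder ones in wp-config.php. Generate them on your own machine, not on the shared host, and do not leave the output in your shell history or a file inside the web root.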
Some WordPress configuration (optional)
Log in to the Dashboard, click your username in the top-right corner and complete your user profile. Also set your Timezone under Settings > General. Under Settings > Writing, disable remote publishing: unless you use an external blog editor, I recommend disabling both the Atom Publishing Protocol and XML-RPC. (In WordPress 3.5 and later this option no longer exists and XML-RPC is always on; if you do not need it, block xmlrpc.php at the web server instead.)
Change Permalink Structure
This is a hot topic, and the SEO gurus reading this blog may have a better permalink structure. As you may know, a default WordPress installation uses query-string permalinks such as http://www.myblog.com/?p=1 for each article. Not only is a link like this not search-engine friendly, it is even less human-friendly.
Here are two good choices:
- Change the permalink structure to contain the title of the post, using the custom structure /%postname%/
- Another possibility is to use the category and the title: /%category%/%postname%/
One more point: if your domain name already contains your main keyword, there is no need to repeat it in the URL. Domain name, directory name and URL would all carry the same keyword, which can look like over-optimization to Google.
Change your file permissions
For directories:
find /path/to/your/wordpress -type d -exec chmod 755 {} \;
For files:
find /path/to/your/wordpress -type f -exec chmod 644 {} \;
Run both commands over the whole installation, wp-includes included. Directories need 755 so the web server can enter them, files need 644 so it can read them, and nothing should be world-writable. wp-config.php holds the database password and the salts, so tighten it further (chmod 640, or 600 if your own account is the web server user). If uploads stop working afterwards, the web server runs as a different user than the file owner; give it write access to wp-content/uploads only, rather than reverting everything to 777.
In Apache
Preventing directory browsing is easy with Apache: add the following line to the .htaccess file in the root directory (the same place as wp-config.php). If your host does not allow Options All in .htaccess and the site starts returning a 500 error, use Options -Indexes on its own.
Options All -Indexes
Hide WordPress Version in the Header
Hiding the WordPress version from the page header is good practice: it keeps your site off the obvious list when attackers search for installs of a version with a known flaw. First check whether your theme's header.php prints the version meta tag itself; even if it does not, WordPress adds it through the wp_head hook.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
To be sure, add the following line to functions.php in your theme directory (if the file does not exist, create a blank PHP file with this name):
<?php remove_action('wp_head', 'wp_generator'); ?>
Note that readme.html in the web root also states the version, so delete or block that file too, and keep in mind that hiding the version is no substitute for updating.
Block the wp- folders from the search engines
Search engines such as Google or Bing do not need all of your WordPress files indexed, so block them in your robots.txt file (a User-agent: * line must precede the Disallow rule, or it applies to nothing). Keep in mind that robots.txt is a request that well-behaved crawlers honour, not an access control: it will not stop an attacker, and the wildcard below also hides wp-content, including your uploaded images, from search results. Add the following line to your robots.txt file:
Disallow: /wp-*
Use secured connections (SSL, i.e. https) to access the WordPress admin pages
You can log in to the WordPress admin panel over an encrypted SSL connection. Before you do, check whether your web host gives you access to an SSL certificate; in most cases you will have to pay a small amount.
Once you have SSL, run your admin sessions on https:// instead of http:// by forcing SSL on admin-related pages and functions. Open wp-config.php and add the following line above the /* That's all, stop editing! */ comment (the constant is read when wp-settings.php loads, so appending it at the very end of the file has no effect). WordPress will then redirect the dashboard and the login page to https:
define('FORCE_SSL_ADMIN', true);
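The file-level steps of this part (permissions, directory listings, robots.txt and FORCE_SSL_ADMIN) can be scripted so they are repeatable after every upgrade. The following POSIX shell script is an added example, not code from the article or from WordPress; it assumes the install directory is passed as the first argument, that the files are owned by your own shell account rather than the web server user, that Apache honours .htaccess (AllowOverride Options), and that wp-config.php is the stock file that still contains its "That's all, stop editing!" marker. It deliberately uses Options -Indexes rather than the article's Options All -Indexes, and a narrower robots.txt than /wp-* so that uploads stay crawlable.

```shell
#!/bin/sh
# Added example: apply the on-disk hardening steps of Part 2 to a WordPress tree.
# Assumptions (mine, not the article's): $1 is the install directory, files are
# owned by your own account, Apache honours .htaccess, and wp-config.php still
# has its "stop editing" marker line.
set -eu

# Directories 755, files 644, as the article recommends; wp-config.php tighter,
# since it holds the database password and the salts.
wp_fix_permissions() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# List anything still world-writable; returns 1 if something was found.
wp_world_writable() {
    ww=$(find "$1" -perm -002 -print)
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        return 1
    fi
    return 0
}

# Directory listings off. Idempotent: only appends if the line is missing.
wp_disable_indexes() {
    f="$1/.htaccess"
    if ! grep -qs '^Options -Indexes' "$f"; then
        printf 'Options -Indexes\n' >> "$f"
    fi
}

# robots.txt: the User-agent line is required or the Disallow rules apply to
# nothing. Narrower than /wp-* so wp-content (uploads, theme CSS) stays indexable.
wp_robots() {
    f="$1/robots.txt"
    if ! grep -qs '^Disallow: /wp-admin/' "$f"; then
        printf 'User-agent: *\nDisallow: /wp-admin/\nDisallow: /wp-includes/\n' >> "$f"
    fi
}

# FORCE_SSL_ADMIN must be defined before wp-settings.php is loaded, so insert it
# ahead of the "stop editing" marker instead of appending it to the file.
wp_force_ssl_admin() {
    cfg="$1/wp-config.php"
    if grep -q 'FORCE_SSL_ADMIN' "$cfg"; then
        return 0
    fi
    line="define('FORCE_SSL_ADMIN', true);"
    awk -v l="$line" '/stop editing/ && !done { print l; done = 1 } { print }' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Everything in order: file edits first, then permissions (mv above creates a
# fresh wp-config.php, so chmod has to come last), then a final audit.
wp_harden() {
    wp_disable_indexes "$1"
    wp_robots "$1"
    wp_force_ssl_admin "$1"
    wp_fix_permissions "$1"
    wp_world_writable "$1"
}

if [ $# -gt 0 ]; then
    wp_harden "$1"
fi
```

Run it as the file owner (sh harden.sh /path/to/wordpress), never as root across a shared host, and run it again after each core update: updates restore files and may reset permissions. The final audit prints any world-writable path and exits non-zero, which makes the script usable from cron as a cheap integrity check.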
Part 3: Plug-ins to improve WordPress security
AskApache Password Protect
Advanced security: password protection, anti-spam, anti-exploits. This plugin uses the web server's built-in security features to add multiple layers of protection to your blog, and it is updated regularly to stop attackers from exploiting new vulnerabilities.
Secure WordPress
Removes error information from the login page, adds an index.html to the plugin directory and removes the WordPress version everywhere except in the admin area.
Login LockDown
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password guessing.
WordPress Ultimate Security
This plugin identifies security problems with your WordPress installation. It scans your blog for hundreds of known threats, then gives you a security "grade" based on how well you have protected yourself.
WP Security Scan
Scans your WordPress installation for security vulnerabilities and suggests corrective actions for:
- passwords
- file permissions
- database security
- version hiding
- WordPress admin protection/security
- removal of the WP generator META tag from core code
WP-Sentinel
A WordPress security plugin that checks every HTTP request against a set of rules to filter out malicious requests.
This plugin is able to block these kinds of attacks:
- Cross-site scripting
- HTML injection
- Remote file inclusion
- Local file inclusion
- SQL injection
- Cross-site request forgery
- Login brute-forcing
- Flooding
WP-Sentinel does NOT check requests from a user logged in as administrator, so if you want to test the installation you have to log out first. Like any request filter it only catches what its rules describe, so keep it updated and do not treat it as a reason to skip the updates in Part 4.
NoSpamNX
To protect your blog from automated spam bots, this plugin adds extra form fields (hidden from human users) to your comment form; a bot that blindly fills them in gives itself away and its comment is rejected.
BackUpWordPress
BackUpWordPress is a backup and recovery suite for your WordPress website. This plugin allows you to back up the database as well as the files and comes with
Anonymous WordPress Plugin Updates
Anonymizes the data transmitted during the plugin update check. The plugin prevents WordPress from transmitting the list of active plugins, the blog URL and the WordPress version. Ideal for privacy-aware administrators of WordPress installations.
Admin Log
Need to see who is accessing what in your admin section? This plugin logs admin activity and shows the page, user information and time of access.
Semisecure Login Reimagined
A "re-imagined" version of Semisecure Login that uses public and secret-key encryption to encrypt the password in the browser when logging in. It protects only the password on its way to the server, not the session cookie that follows, so it is a fallback for hosts without SSL, not a replacement for the https setup in Part 2.
Part 4: Good practices for a safe blog
Upgrade WordPress regularly
Keep your WordPress blog up to date: update plugins, themes and WordPress itself regularly. For ordinary feature releases it can pay to wait a few days, since the first build sometimes has bugs; subscribe to the plugin and theme authors' RSS feeds to learn about bugfixes and whether a new version is stable. Security releases are the exception: apply them as soon as they are out, after taking a backup, because the vulnerability they fix is public from that moment on.
Take regular backups of your Database and Website
Always take regular backups of your file directories as well as the database, and store them outside the web root so they cannot simply be downloaded. The WordPress Database Backup plugin creates backups of the core WordPress tables as well as any other tables of your choice in the same database; it does not back up your files (uploads, themes, plugins), so those need a separate copy. Test restoring a backup at least once: a backup you have never restored is a hope, not a backup.
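For those with the shell access recommended below, here is an added example (mine, not the article's and not the plugin's code) of a POSIX shell backup script that covers both halves: it reads the database credentials from the define() lines of wp-config.php, dumps the database with mysqldump, and archives the whole install tree with tar. It assumes mysqldump and gzip are on PATH, that wp-config.php uses the stock define('DB_NAME', ...) style (with or without the extra spaces newer versions add), and that the backup directory you pass is outside the web root.

```shell
#!/bin/sh
# Added example: back up a WordPress tree and its database from the shell.
# Assumptions (mine, not the article's): stock define() lines in wp-config.php,
# mysqldump and gzip on PATH, and a backup directory outside the web root.
set -eu

# Read one define('KEY', 'value') from wp-config.php. Accepts both the old
# define('KEY', 'v'); and the newer define( 'KEY', 'v' ); spacing, and either
# quote style. Prints nothing if the key is absent.
wp_config_get() {
    key=$1; cfg=$2
    sed -n "s/^define( *['\"]$key['\"], *['\"]\([^'\"]*\)['\"] *);.*/\1/p" "$cfg" | head -n 1
}

# Database dump. Credentials go through a 0600 option file rather than the
# command line, so the password never appears in `ps` output on a shared host.
# (A password containing # or quotes must be double-quoted in the option file.)
wp_backup_db() {
    root=$1; out=$2
    cfg="$root/wp-config.php"
    sql=${out%.gz}
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$(wp_config_get DB_HOST "$cfg")" \
        "$(wp_config_get DB_USER "$cfg")" \
        "$(wp_config_get DB_PASSWORD "$cfg")" > "$cnf"
    status=0
    # --defaults-extra-file must be the first option mysqldump sees.
    mysqldump --defaults-extra-file="$cnf" --single-transaction \
        "$(wp_config_get DB_NAME "$cfg")" > "$sql" || status=$?
    rm -f "$cnf"
    [ "$status" -eq 0 ] && gzip -f "$sql"
}

# File backup: everything under the install, including wp-content/uploads and
# the theme, which the database does not contain.
wp_backup_files() {
    root=$1; out=$2
    tar -czf "$out" -C "$(dirname "$root")" "$(basename "$root")"
}

# Both parts, timestamped, followed by a listing to eyeball the sizes: a dump
# that suddenly shrinks to a few bytes is a failed backup, not a small blog.
wp_backup() {
    root=$1; dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dir"
    wp_backup_db "$root" "$dir/db-$stamp.sql.gz"
    wp_backup_files "$root" "$dir/files-$stamp.tar.gz"
    ls -l "$dir"
}

if [ $# -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

Usage: sh wp-backup.sh /path/to/wordpress /home/you/backups, ideally from cron, with the backup directory copied off the host afterwards (over SFTP or scp, as in the next section). The archives contain wp-config.php and therefore the database password, so keep them with the same permissions you gave that file.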
Create an editor user (optional)
Create an editor user that has no administrative privileges and write your articles with it. You will have fewer rights, but you do not always need all of them, and a stolen editor password cannot install plugins or change settings. Keep it simple and stay focused on your articles. Quick view of the user roles:
- Super Admin – User with access to the blog network administration features controlling the entire network.
- Administrator – User who has access to all the administration features.
- Editor – User who can publish and manage posts and pages as well as manage other users’ posts.
- Author – User who can publish and manage their own posts
- Contributor – User who can write and manage their posts but not publish them
- Subscriber – User who can only manage their profile
Use SSH/shell access instead of FTP
One of the weakest points is probably the way you upload your files to your server. A plain FTP connection sends your login credentials unencrypted; anyone sniffing the network (a shared Wi-Fi, for instance) can read them, then modify your files and add spam to your site without you even noticing. Good practice is to disable FTP if you can and use SSH instead, where everything is encrypted, including the file transfers (SFTP or scp, both of which FileZilla supports).
Sources
http://speckyboy.com/2008/04/08/top-10-security-and-protection-plugins-for-wordpress/
http://aext.net/2010/05/wordpress-security-plugins/
Hey, thanks for the plugin list. I didn't know some of them
Very interesting! Thank you for sharing!
This was really helpful! Thank you.
Super useful and practical. Thanks for all of the effort.
Thanks for the checklist! I particularly liked the section on Plug-ins to improve WordPress security. This will save me a lot of time and frustration on my next wordpress install!