WordPress is one of the most popular blog software packages on the internet, and it’s definitely a powerful piece of software! However, popularity also attracts hackers and others who would love to see your site come falling down.
You can be proactive, though, and save yourself a few headaches by installing a few plugins and making a few tweaks. Mind you, there is no such thing as hacker-proof, but you can at least make it a little more difficult.
First things first, make sure you are running the latest version of WordPress. As of this article’s writing, WordPress 3.9.1 is the latest version of WordPress.
Now that you have upgraded WordPress, make sure that all of your themes and plugins are also updated to their latest versions. Remember, many of these releases contain patches to protect you from known vulnerabilities.
That wasn’t so hard! Now we can move on to hardening WordPress.
The first plugin that you will want to get is WordFence. WordFence provides a number of great features, but above all it compares your core WordPress files (and optionally plugins and themes) to the official WordPress repositories. This is a great feature when you are hit by an injection that adds malicious code to your core files. WordFence is free, but with limited features (enough to help you out, though). You can optionally purchase the premium API version for additional options. Let’s search for “WordFence” in WordPress and install it.
Time to use it! We are going to focus on the “Scan” feature for the purposes of this article.
Simply click on “Start WordFence Scan” to get started. This process will take a few minutes, and you will notice the yellow boxes scrolling with information as the scan runs. Be patient, it is worth it!
If any issues are found, you will see them listed underneath the scan status shown in the above screenshot, marked with either a red “X” or a yellow triangle. You can view the differences between the current file and the original file and opt to restore the original or ignore the finding. This is especially useful if you are fighting a hack and need to find the files that are infected.
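As an added example (not WordFence’s own code), here is the idea behind that core-file comparison in Python: hash every file under the install, diff the result against a baseline manifest, and report what is modified, unknown or missing. The baseline here is constructed from pristine files in a temporary directory; in practice you would use the official checksums for your installed WordPress version.

```python
"""Baseline-vs-current file integrity check, in the spirit of the WordFence
core scan described above. Added example, not WordFence code: the baseline
manifest would normally be the official checksum list for your installed
WordPress version; here a constructed one is taken from pristine files."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path) -> dict:
    """Hash every regular file under root, keyed by forward-slash relative path."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify files the way a core scan reports them: modified (hash differs
    from the baseline), unknown (present but not in the baseline), missing."""
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "unknown": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed mini-install: take a baseline, then tamper with it and rescan."""
    pristine = {"wp-load.php": b"<?php\nrequire 'wp-config.php';\n",
                "wp-includes/version.php": b"<?php\n$wp_version = '3.9.1';\n"}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in pristine.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = scan_tree(root)  # stands in for the official checksums
        # Simulate an incident: code appended to a core file, an unknown file
        # added to a core directory, and a core file deleted.
        (root / "wp-load.php").write_bytes(pristine["wp-load.php"] + b"/* injected */\n")
        (root / "wp-includes/extra.php").write_bytes(b"<?php // not part of core\n")
        (root / "wp-includes/version.php").unlink()
        return compare(baseline, scan_tree(root))
```

Running `demo()` returns the three lists; a real check would simply replace the constructed baseline with the published checksums and point `scan_tree` at the web root.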
WordFence has a number of other useful features, but my personal preference is to have overkill to make sure that I keep as much out as I can. On to our next plugin!
Let’s search for “All In One WP Security & Firewall” and install it. Once you have installed it, you can simply click on “WP Security” on the left navigation menu and then click “Dashboard.” You will see the following screen:
Now all you have to do is start tweaking! The “Security Strength Meter” will change as you make changes and will be your gauge of how secure your WordPress installation is.
A few settings I would advise you to edit immediately are “Brute Force”, “Database Security”, “Filesystem Security” and “Firewall.” Obviously, you will want to set more than just these, but I simply want to cover the basics for now. Let’s get started with Brute Force (click on “Brute Force” on the left navigation menu):
Check the box next to “Enable Rename Login Page Feature” to change the name of the default admin URL (/wp-admin). The default is a huge security risk because it is the location everyone knows to look for the admin login page. Enter a unique name that will be hard for others to guess in the box and click “Save Settings.” You will now log in to WordPress at this new URL.
Now, let’s set up Database Security. Click on “Database Security” on the left navigation menu.
Click on the “DB Backup” tab first and click the “Create DB Backup Now” button. This is VERY important. Once you see the message that your database has been backed up, click on the “DB Prefix” tab.
Check the checkbox and then click on “Change DB Prefix” to have a random 6-digit prefix set for your database tables. This replaces the default wp_ prefix, which, again, everyone knows!
Next, click on “Filesystem Security” on the left navigation menu and check the table for any buttons that read “Change to Recommended Permissions.” Click this button until they are all gone. This will repair any unsafe permissions on your files.
Click the “PHP File Editing” tab and check the checkbox:
This will disable web-based editing of your PHP files, which will help protect you if your admin login details are compromised.
Now, click on “Firewall” and check all of the boxes on the first tab. Click on the “Additional Firewall Rules” and check all of the boxes there as well.
You now have a more secure WordPress! Remember, secure doesn’t mean bulletproof!
The very last steps that you should take are creating a new administrator account for yourself (do not use “admin”) with a secure password. Once you have created it, delete the “admin” user.
If you really want to take extra precautions, you can edit your wp-config.php and change your secret key and salt block. You can generate a new block for yourself at: https://api.wordpress.org/secret-key/1.1/salt/
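As an added example, not WordPress’s own generator, the following Python rotates all eight keys and salts in a wp-config.php offline. It assumes a character set without quotes or backslashes so the values drop into PHP single-quoted strings unchanged, and it works on a constructed sample config in place of a real file.

```python
"""Rotate the secret key and salt block of wp-config.php. Added example, not
WordPress's own generator: values are produced locally with `secrets` instead
of fetched from https://api.wordpress.org/secret-key/1.1/salt/, and the
character set (assumption) omits quotes and backslashes so each value drops
straight into a PHP single-quoted string."""
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"


def new_key(length: int = 64) -> str:
    """One 64-character value, the same length the WordPress API hands out."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_salts(config: str) -> str:
    """Give every key a fresh value; any key the file lacks is appended so all
    eight are present. Rotating them logs out every session, because existing
    auth cookies were signed with the old values."""
    missing = []
    for name in KEY_NAMES:
        # The quote before the name keeps AUTH_KEY from matching SECURE_AUTH_KEY.
        pattern = re.compile(rf"define\(\s*'{name}'\s*,\s*'[^']*'\s*\);")
        config, count = pattern.subn(f"define('{name}', '{new_key()}');", config)
        if count == 0:
            missing.append(name)
    return config + "".join(f"define('{name}', '{new_key()}');\n" for name in missing)


def extract_keys(config: str) -> dict:
    """Name -> value for every define('X', 'y'); line, to verify the result."""
    return dict(re.findall(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);", config))


# Constructed sample with the placeholder values a stock wp-config.php ships with.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""
```

`rotate_salts(SAMPLE_CONFIG)` returns the config with eight fresh values and every other line untouched; against a real file, write the result back only after taking a backup, as with the database step above.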
Again, this is not a sure fix for every kind of attack, but it will definitely help you out!