Skip to main content

Secure and Harden WordPress

Published on
WordPress is a great piece of software supported by a large open source community. It is quick to deploy, easy to configure, and easy to use. When it comes to simple content management, WordPress is the way to go. However, some of us have had the unfortunate event of getting our WordPress site hacked or defaced. While there may never be a way to stop hackers from disrupting a website, there are ways to prevent it from happening to you. One thing to remember is that most exploits fall into two categories: zero-day exploits or known exploits. Zero-day exploits don't leave us much room for prevention, as the exploit was previously unknown. While zero-day exploits happen, most common a hacker is able to attack a site based on known exploits. Keep up with WordPress updates and plugin updates. Updates provide newer features, but most often updates will fix bugs in coding, hackers use these bugs in their attacks. Your WordPress dashboard alerts you to updates, so if you use your installation often it should not be hard to keep things up to date. However, what if you manage multiple WordPress sites for clients and do not visit the WordPress dashboard often? You can sign up to the WordPress Announcements mailing list, this way you are alerted when there is a new WordPress release. That is step one in setting up a secure WordPress install. Now, what if a hacker does deface your website or you lose post and page data? Database backups are your best friend. You can do this via your host's control panel via the MySQL management system (most likely phpMyAdmin), use the built in Export tool, or a third-party service. If you do not know about phpMyAdmin, contact your host or use the other two options. If you want to manually backup your Wordpress just go to your WordPress dashboard, to the Tools section, and select Export; choose to export All Content and then download the file. This is a backup of your WordPress data; check out the WordPress codex for more details. Manage multiple installations? Or just handle so much data this would not be a very practical option? Look into Amazon Web Services and this plugin that will automate your backups; it is a very cheap and reliable service. That's the basics to making a secure WordPress installation. Now that you have figured out your updates and how to keep up with them, set up your plan to backup your database, it is time to harden Wordpress. If you're logged into WordPress right now, chances are it is on an account with the username "admin", the default first account. Change this. When you set up WordPress either define a custom administrator login, or get into your phpMyAdmin and make the adjustments. Even with a secure password of numbers, uppercase, lowercase, and symbols can be broken with modern computers and brute force password cracking. By removing a known username from the hacker's arsenal you just boosted your WordPress security. Next, open up your favored FTP client and navigation to the root folder of your WordPress installation. You want to edit the .htaccess and add these lines. Note: Do not place it within the start/end tags for WordPress; place it either before or after.
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress
This code snippet was taken from the WordPress codex on hardening WordPress. It prevents direct access to the wp-includes folder and files, which are the working parts of your website. WordPress allows for file editing, which is great if you need to tweak your theme on the fly or edit your plugin a little. But, it is also great for a hacker to plug PHP code into your site if the hacker gains access to your administrator account. There is a way to disable file editing through the WordPress dashboard
define('DISALLOW_FILE_EDIT', true);
If you are concerned about hackers trying to gain access to your WordPress login, there is a way to add another layer of security. You can add server-side protection to your wp-admin folder, requiring one set of credentials just to access the folder, and then your normal WordPress login. This implementation does add enough security to deter possible brute force attacks, but can make management cumbersome for users not technology savvy; such as if you manage WordPress installs for multiple clients. If you're interested, check out this article or do a Google search on how to password protect a directory. There you go, those few steps will help secure Wordpress and harden it from attacks.
Note: I just wanted to touch on securing the wp-config.php file. Some suggest moving it into a layer above your WordPress installation. I honestly do not see any extra security from this. If the hacker is able to somehow include that file into a malicious script, there are some other serious issues at hand. Secondly, if the file is directly accessed it will only display a blank file since it is just PHP code. If the hacker gets the file display the contents, then your server has been compromised and isn't recognizing PHP files. In that case, again, you have serious issues beyond your WordPress site.