If your WordPress site has ever been hacked, or you'd like to prevent it from being hacked, here are a few tips on how to secure your WordPress based blog. Please contact me if you require assistance with any of the tips below.
1. Use Secure Passwords
I hope this is obvious to most of you, but passwords like "password" or your pet's name are not secure. You should be using a password that's at least 10 characters long, and it should contain uppercase and lowercase letters, numbers, and special symbols. The more characters there are in your password, the less chance you have of getting hacked.
One of the best ways to get a secure password is to use an online password generator.
2. Don't Use Admin As Your Username!
If you are using admin as your username, change it immediately! If your username is admin, hackers already know half of what they need to log in.
Create a new account for yourself in the Users panel of WordPress. Log in to that new account, then delete the admin account. When you delete the account, make sure to attribute the posts to your new account!
3. Keep Up To Date
If you're using an old version of WordPress, there are likely many security vulnerabilities that could result in your site getting hacked. The same is true for plugins, so keep those up to date!
4. Change Permissions
Generally, permissions for files and folders should be set as follows. Use an FTP client like FileZilla to make these changes.
- Folders: 755
- Files: 644
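As an added example (not code from the original post), this PHP script walks a WordPress install and reports every directory that is not 755 and every file that is not 644, applying the recommended modes when run with --fix; the path and the --fix flag are assumed command-line arguments:

```php
<?php
// Added example, not from the original post: audit (and optionally fix)
// file modes against the 755-for-folders / 644-for-files rule above.
// Usage: php check-perms.php /path/to/wordpress [--fix]
function checkPerms(string $root, bool $fix = false): array {
    $wrong = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $want = $info->isDir() ? 0755 : 0644;
        $have = $info->getPerms() & 0777;   // drop the file-type bits
        if ($have !== $want) {
            $wrong[$path] = sprintf('%o -> %o', $have, $want);
            if ($fix) {
                chmod($path, $want);
            }
        }
    }
    return $wrong;
}

$root = $argv[1] ?? '.';
$fix  = in_array('--fix', $argv, true);
foreach (checkPerms($root, $fix) as $path => $change) {
    echo ($fix ? 'fixed ' : 'wrong ') . "$path ($change)\n";
}
```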
5. Hide WordPress Version
Your WordPress version gives hackers ideas about how to best attack your site. Place this code in your theme's functions.php file to hide the WordPress version.
<?php remove_action('wp_head', 'wp_generator'); ?>
6. Add Authentication Keys
Take a peek at your wp-config.php file and see if it includes authentication keys. If it doesn't, visit the WordPress API and grab your random keys. Here's what an example file would look like:
define('AUTH_KEY', 'N4 <I0 ~l70/=<y>BTvm9m.zX^N+4L@OK~;=,JqXZb58V6exiR_R^QSm|z0-Ts+N');
define('SECURE_AUTH_KEY', '=j+({-GRWxYbAU[-|tfU@_2[p>:Yl(VV3uq}ZdM) h)cG+/anf}c,}{@oVD8 kzl');
define('LOGGED_IN_KEY', 'wK:WK:)[0.d`5k;r&[~8.3DcuOee?:W9!b$]odZ^v/(IiMdb0O?<IB?mdHf3`VCC');
define('NONCE_KEY', 'mG-VUfq/A4:?3}a|B<*NdGyk^wE*_`zRJX[VVfvm&y/B;%9O[bX/A5j3rkW*d.jA');
define('AUTH_SALT', '2>N6igpu*Idk+%=&6]Z4Vc)-;/BOdiec0=N?sgcWK4$|T8kJP1>]/Nn%r*QP9|n^');
define('SECURE_AUTH_SALT', 'F#9^SVxj6ZO_*J0%CGUFK}P !q-v<N(Is|h@<N,ze6sQ+%n@fk[-y-zBJQS!:hIs');
define('LOGGED_IN_SALT', 'evjn3aEM0UA8UF|du|I]WSG.i_B|@)^=.-5-qY)p}m9[kwVD|gjVOj[l_(?S9W%<');
define('NONCE_SALT', ':YLC?hr7D<))Jt9S;U#+7c9Nsk148rImy;M8NWHCEYaqr0he]tE}JV9vrRtE/ppe');
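As an added example (not code from the original post), this PHP script checks a wp-config.php for the eight keys and salts above and prints a freshly generated replacement for any that is missing, still the stock placeholder, or shorter than 64 characters; the file path is an assumed command-line argument and the built-in sample config is constructed (its third value reuses the post's example key):

```php
<?php
// Added example, not from the original post: audit the security keys in a
// wp-config.php and emit replacements. Usage: php audit-keys.php wp-config.php
$keyNames = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
             'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];

function auditKeys(string $config, array $names): array {
    $problems = [];
    foreach ($names as $name) {
        // Match define('NAME', '...') with either quote style and any spacing.
        $re = '/define\s*\(\s*[\'"]' . $name . '[\'"]\s*,\s*([\'"])(.*?)\1\s*\)/s';
        if (!preg_match($re, $config, $m)) {
            $problems[$name] = 'missing';
        } elseif (stripos($m[2], 'put your unique phrase here') !== false) {
            $problems[$name] = 'still the stock placeholder';
        } elseif (strlen($m[2]) < 64) {
            $problems[$name] = 'shorter than 64 characters';
        }
    }
    return $problems;
}

function freshKey(): string {
    // 64 printable characters from a CSPRNG; the alphabet deliberately
    // omits quotes and backslashes so the value can be pasted into define().
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
              . '0123456789!@#$%^&*()-_=+[]{};:,.<>?';
    $out = '';
    for ($i = 0; $i < 64; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

// Constructed sample used when no file is given: one placeholder, one short
// key, one good key, five missing.
$config = $argc > 1 ? file_get_contents($argv[1]) : <<<'CFG'
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'tooshort');
define('LOGGED_IN_KEY',   'N4 <I0 ~l70/=<y>BTvm9m.zX^N+4L@OK~;=,JqXZb58V6exiR_R^QSm|z0-Ts+N');
CFG;

foreach (auditKeys($config, $keyNames) as $name => $why) {
    echo "$name: $why\n";
    echo "define('$name', '" . freshKey() . "');\n";
}
```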
7. Hide Login Errors
While it's useful to know why you can't log in to your blog if you entered your password wrong, it's also useful to hackers. Place this in your theme's functions.php file to hide the error message:
// create_function() was removed in PHP 8; a closure does the same job.
add_filter('login_errors', function () { return null; });
8. htaccess Security Rules
Place the following rules in your htaccess file. These rules protect the htaccess and wp-config.php files, disable directory browsing, and disable the server signature.
# Protect htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

# Disable server signature
ServerSignature Off

# Protect config
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# Disable directory browsing
Options -Indexes

# Note: on Apache 2.4 without mod_access_compat, replace the two
# "order allow,deny" / "deny from all" pairs with "Require all denied".
9. Install Security Plugins and Services
Some of my favorite security plugins are WP Security Scan, Wordfence, and Login Lockdown.
Website Defender is a service that scans your server for any changes that have occurred. It will send you an email if there is something suspicious going on so you can investigate further.
10. Change Database Table Prefix
This can be completed simply with the WP Security Scan plugin. Select the Database tab under the plugin, and back up your site first. Enter a new prefix and hit Start Renaming.
Sherri says
Hi Mitchell,
I'm guilty of using admin as my username. When creating a new username, do I want to create that one as an administrator?
Thanks so much!
Mitchell Wischmann says
Yes, you'll want to give the new username administrator privileges.
Money Infant says
Ok, looks like I have a bit of work to do, but these are all quick fixes. I figure an hour or so and I will be incredibly less hack-able. Thanks for the tips Mitchell!
Frugal4Four says
Thanks for the great advice, Mitchell! I have made it almost completely through the list. Feeling much more secure.
Marci Loehner says
What a life saver you are! I just spent 20 minutes and changed several things! I hope that I'm unstoppable now that I have been hacked every day for the past week. I'll keep you updated! Thank you so much.
John Potamus says
It doesn't take long to run through the simple security tips and make changes. It'll be a lot easier than trying to revert a hacked site!
Ryan Preston says
Hey Mitchell - great tips, especially for the most recent reports of "brute force" WordPress attacks. I've seen some sites recommending CloudFlare as extra precaution. Do you think this service is effective for safeguarding a site?
Mitchell Wischmann says
Hey Ryan,
I believe CloudFlare is good for a second layer of protection. I've had CloudFlare installed on this site and my frugal blog for about a year, and I've noticed it's blocking a lot of malicious requests ever since the brute force attacks started. Just over the last week, it's blocked about 10,000 threats on one site.
Hope that helps!