Nik Rawlinsonwalks you through the process of beefing up security on your WordPress-driven site
WordPress powers almost a quarter of all the live sites on the web. That’s not surprising, as it’s well supported, easy to use and extremely flexible. It’s no longer just a blogging tool either, since the fully fledged content management system sitting behind the friendly interface is more than capable of running hugely popular sites.
Unfortunately, the more popular a system becomes – be it Windows, Android or a publishing tool such as WordPress – the more it attracts the attention of less scrupulous users. Put simply, it’s never been more likely to be attacked than it is right now.
But there’s some good news. There is a huge range of tools and extensions designed to fix this problem, so you can quickly and easily make your WordPress site more robust, even if your behind-the-scenes expertise doesn’t extend much further than installing an off-the-shelf theme.
In this guide, we’ll show you how to harden your site. Follow our advice and it should withstand almost all attacks, and make it a much less attractive target. Even if your defences do eventually fall, you’ll have a much better chance of being back up and running in short order, with the minimal data loss.
Before you get started, though, follow one simple piece of advice that we’d give to anyone on any platform: if you haven’t changed your password in the past six weeks, do it now – and require the same of the other users running accounts on your system. You should consider installing the WP Password Policy Manager (pcpro.link/257word) to automate password expiry on a regular basis and enforce rules for generating more complex passwords.
We prefer not to use an external password manager when working with a tool such as WordPress, because the primary benefit of using online applications is that you can access them from anywhere, at any time. So, if we have a particularly complex password that we can’t possibly remember without the help of a digital locker, we’d effectively be shut out whenever we’re away from our primary PC (unless it’s stored in a smartphone app).
We have, therefore, got into the habit of building unique, but easy-to-remember, passwords for every site we need to access as follows:
■ Think of a meaningful sentence that nobody else would guess, including names, numbers, ordinals and punctuation. For example: “Why did you call your second pet Bob?”
■ Take the initials of each word, convert written numbers into digits, include their ordinals and retain capitalisation. Using this example, we’d end up with “Wdycy2ndpB?” That’s already difficult to guess, but easy to remember.
■ Add some letters from the domain you’re logging in to. You should always choose the same letters for every domain. You might choose the last two letters, such as “hr” for alphr.com, “il” for gmail.com and “bc” for bbc.co.uk/news. Position them somewhere within your sentence. For example, we might choose to reverse them and put them before the “2”, so that when we’re logging in to alphr.com, our password would be “Wdycyrh2ndpB?”, while for Gmail it would be “Wdychli2ndpB?”.
■ The result is a hard to guess, easy to remember password for every site we need to access, which is unique to each one. Even if you choose to change your password every six weeks, you still only need remember one new sentence and one formula for all of your logins.
Setting (and retaining) a feeble password will make much of what follows pointless, since you’re effectively securing your site’s front door with the weakest padlock. So, the first step is to reinforce your credentials as above, then read on as we work through the remainder of the process.
1 Keep WordPress up to date
WordPress is constantly updated, with major point revisions introducing new features, and minor updates focusing on patches and security. Make sure that you’re always running the most recent versions, both of WordPress itself and your plugins and themes, to mitigate against vulnerabilities. The most recent public release is WordPress 4.3.1. You’ll know if you’re running it – it’s detailed at the bottom of every screen in the Dashboard. If you’re not up to date, the line will change to “Get version x.x.x”. Click on it to go to the update page. Note that, if you’re running WordPress 4 or later, minor revisions are installed automatically.
2 Update plugins and themes
It’s just as important to keep your plugins and themes up to date as the core WordPress software. You will know if these are out of date when the update icon beside your site name at the top of the Dashboard (the two circular arrows chasing each other) has a number beside it. Click on it and apply whichever patches are required. If you’ve tweaked your installed theme then you should take extra care because installing an update will usually overwrite your amendments, unless you have applied them using a child theme. If you’re not using a child theme, always remember to save a backup copy of your amended theme before applying the update so you can reinstate your changes afterwards.
3 Install a sentry
You can’t spend all day watching your back-end waiting for hackers to force their way in, so install Wordfence to do the job for you (wordfence.com). There are both free and paid ($39/year) plans. We’d recommend starting with the free option and upgrading, if you choose. Without paying, you can block IP addresses, scan for DNS changes, hunt out known malware and backdoors, limit crawlers and, perhaps most importantly, repair any files that become corrupted or changed from their original make-up, which may point towards an installation of unauthorised code on your server.
An at-a-glance Wordfence panel on your WordPress dashboard details unauthorised login attempts over the past couple of weeks, allowing you to identify which user accounts are being targeted most frequently. As you can see from the screengrab, it’s detected nine attempts to log in to one of our sites using the nonexistent account “admin”, which leads us on to our next point.
4 Kill your admin user
Determined hackers will resort to brute force to break into a system. Make their lives more difficult by not setting up (or by deleting) any “admin” logins. Many systems – particularly those updated over many years from old installations where admin was the default username – still have these in place. Removing them means the hacker will not only need to guess your password, but also the account name to which it relates, dramatically reducing their chances of success. Make sure you give another user administrator rights through the Dashboard by clicking All Users from the Users flyout on the sidebar, clicking Edit below one of your existing users’ names and changing their role to “Administrator”.
5 Rethink your table prefix
When you’re setting up a new site, the WordPress installer will ask what prefix you’d like to use for your table (where all the blog data is stored). It suggests “wp_” by default, and a lot of hackers will assume that you’ve stuck with this, potentially giving them a head start on targeting your MySQL database directly. Make life more difficult for them by changing this for any new site you set up from now on. It’s not something you’ll need to type more than once, so pick something obscure and difficult to guess.
6 Benefit from other people’s misfortune
A bonus of running the same back-end as many other sites is that you can gain from their experience. Install the free Jetpack extension (search for it by clicking Plugins | Add New in the Dashboard sidebar) and enable the Protect tool. This compares the IP address of every user (or bot) that visits your site with a list collected by other sites running Jetpack with Protect enabled. If any of them has reported the address as being the basis of a brute-force attack, it’s blacklisted, and it will be denied access to your site.
7 Hide helpful error messages
Sometimes, just knowing why they’re not succeeding can give a hacker sufficient clues to break into your site. Muting login error messages so they no longer say whether the username or password is incorrect on a failed login attempt helps here, and can be implemented by adding a single line of code to your FUNCTIONS.PHP file. You’ll find this in your current theme directory. Open it using your preferred code editor and add the following immediately before the closing “?>” at the end of the file:
add_filter('login_errors',create_function('$a', "return null;"));
This tells WordPress that when an error occurs, it should give a blank response (null).
8 Check (and limit) your permissions
Don’t allow anything – or anyone – access to more of your server than they absolutely need. WordPress itself recommends that all folders be set to 755, and files to 644. You can usually set these using your FTP client by right-clicking the folder or file (or group of folders or files) and picking Set Permissions, Info or CHMOD from the menu. If your FTP application doesn’t allow you to type in the numbers directly, set the permissions by checking the following boxes:
755: read, write and execute for “user”, and read and execute for both “group” and “world”
644: read and write for “user”, and just read for both “group” and “world”
Depending on your configuration, it may be necessary to be a little more permissive, by setting these to 775 and 664 respectively. It’s easy to work out how to do this, since the permissions are set in accordance with each level’s assigned binary value. Read scores 4, Write scores 2 and Execute scores 1, so 775 would be read, write and execute (4+2+1) for both “user” and “group”, and read and execute (4+1) for “world”.
For information on file permission for a secure installation of WordPress, go to pcpro.link/257word1. To understand file permissions, read pcpro.link/257word2.
9 Back up regularly
You should keep regular backups of your WordPress site – both your uploaded files and your database content. But how? Automattic, the company that guides WordPress’ development, has a solution, the paid-for VaultPress (vaultpress.com), For $99 (£65) a year, it will make daily backups and keep a 30-day archive for rolling back. If you have a Dropbox account, check out BackWPup, a free install from the WordPress extensions repository. This backs up your site to Dropbox (we’d recommend daily for a busy site) at no charge.