WordPress Security Tweaks

WordPress is a very capable, feature-rich blogging platform and content management system. It’s free and open source, developed by hundreds of generous developers around the world, but how secure is it?

Generally speaking, it’s pretty good, but as with any open-source code it’s up to you to make sure you’ve got it installed and set up correctly. The following 10 tweaks cover the more common things to watch out for.

Tweak #1: Remove the WordPress version from your website

Displaying your WordPress version number in your website’s source code makes it easier for potential hackers to exploit your particular install. Your version number may also be hardcoded into your theme, so check for that too, and add these few lines of code to functions.php in your theme:

//Remove the WordPress version from displaying
add_filter( 'the_generator', 'no_generator' );
function no_generator() { return ''; }

Tweak #2: Turn off file editing capabilities for plugins and themes

If you don’t often edit your theme or plugins in the WordPress admin area, turn this feature off. Leaving it enabled makes it easier for potential hackers to make malicious changes to your code. Add the following line of code to wp-config.php:

//Turn off file editor for plugins and themes in wordpress admin
define('DISALLOW_FILE_EDIT', true);

Tweak #3: Remove unnecessary error messages on failed logins

WordPress (trying to be helpful) displays error messages on unsuccessful logins that say whether the username or the password was entered incorrectly. This feedback makes it easier for hackers to confirm a valid username and then start a brute force attack on its password. Add these few lines of code to functions.php:

//Remove unnecessary error messages on failed logins
add_filter( 'login_errors', 'explain_less_login_issues' );
function explain_less_login_issues() {
   return '<strong>ERROR</strong>: Entered credentials are incorrect.';
}

Tweak #4: Remove unnecessary files

There are two files in your WordPress install that are not really required: readme.html and install.php.

The readme.html file contains the version of WordPress you are running, which can help a hacker exploit your install. This file is unnecessary and can be deleted; it is located in the root folder of your blog. (Be aware, though, that this file will reappear with the next upgrade of WordPress.)

The installation script install.php is used when you first install WordPress. It builds the database tables and sets up your preferences. You can delete it; it is located in the /wp-admin directory.

Tweak #5: File and Folder permissions

The following permission settings are recommended by WordPress, as found in the WordPress Codex:

  • wp-config.php should be 400 or 440 to lock it from other users
  • .htaccess rights should be set to 644 or 664 (if you want WordPress to be able to edit .htaccess for you)
  • /wp-content/ should be writable by all (777) according to the WordPress Codex, but it’s probably better to set it to 755 and change it to 777 only temporarily if a plugin asks you to do that
  • /wp-content/themes/ should have rights 755
  • /wp-content/plugins/ should have rights 755
  • /wp-admin/ should have rights 755
  • /wp-includes/ should have rights 755
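
As an added example (not code from the original post), the following POSIX shell functions apply the permissions listed above to a WordPress root directory and report any path that still deviates from them. They assume wp-config.php is still in the root (it gets the stricter 400) and that every file belongs to a single Unix owner.

```shell
#!/bin/sh
# Added example: apply the permissions recommended above to a WordPress root
# and report anything that still deviates. Assumes one Unix owner for all
# files and wp-config.php still in the root; it gets the stricter 400.
wp_apply_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +   # every directory, wp-content included
  find "$root" -type f -exec chmod 644 {} +   # every regular file, .htaccess included
  if [ -f "$root/wp-config.php" ]; then
    chmod 400 "$root/wp-config.php"           # readable by the owner only
  fi
}

# Print each path whose mode is outside the recommended set; return 1 if any.
# Run it after a plugin asked for a temporary 777 to make sure it was reverted.
wp_check_perms() {
  root=$1
  bad=$(
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 664
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 400 ! -perm 440
  )
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    return 1
  fi
  return 0
}

# Usage: wp_check_perms /var/www/html || wp_apply_perms /var/www/html
```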

Tweak #6: Secure wp-config.php

As mentioned in the WordPress Codex, you can move the wp-config.php file to the directory above your WordPress install. Additionally, if your web server uses .htaccess files, you can put the following lines at the very top of that file to deny access to anyone browsing for it:

# Deny all web access to wp-config.php (Apache 2.2 syntax; Apache 2.4 uses "Require all denied" instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Tweak #7: Ensure WP_DEBUG is turned off

This setting should be turned off on your live website. Occasionally developers turn it on while debugging and forget to turn it off again when they’ve finished. You don’t want debugging information displayed on your website, as it makes it easier for potential hackers to gain access. You can turn it off by ensuring that WP_DEBUG in wp-config.php is set to false:

define('WP_DEBUG', false);

Tweak #8: Don’t use the username ‘Admin’

Using admin as a WordPress username is not safe: it’s far too predictable, which makes the account easy to crack. You can execute the following SQL command in your MySQL client (such as phpMyAdmin) to change your username.

-- replace tableprefix_ with the table prefix set in your wp-config.php
UPDATE tableprefix_users SET user_login='newuser' WHERE user_login='admin';

Tweak #9: Don’t use ‘wp_’ as your SQL table prefix

By default the WordPress installer sets the table prefix to wp_, and if you don’t notice it when you install you’ll end up with very predictable table names. Make it harder for hackers and change this prefix to something unique and less obvious. Use your MySQL client (such as phpMyAdmin) to rename all tables from wp_ to the new prefix, and set the same prefix in your wp-config.php:

$table_prefix  = 'tableprefix_';
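
Renaming the tables alone is not enough: WordPress also stores the prefix inside the user_roles option and inside usermeta keys such as capabilities and user_level, and a site whose tables were renamed without those rows loses its administrator. As an added example (not from the original post), this POSIX shell function prints the full set of SQL statements for review before you run them; the prefix xk9_ and the table list in the usage line are constructed.

```shell
#!/bin/sh
# Added example: emit the SQL for a table-prefix change so it can be reviewed
# before pasting it into phpMyAdmin or piping it to mysql. Pass the old prefix,
# the new prefix, then every table name (plugin tables included).
wp_prefix_change_sql() {
  old=$1 new=$2; shift 2
  # _ is a single-character wildcard in LIKE, so escape it in the old prefix
  like=$(printf '%s' "$old" | sed 's/_/\\_/g')
  for t in "$@"; do
    case $t in
      "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
      *)       printf '%s\n' "-- skipped $t: does not start with $old" ;;
    esac
  done
  # Role definitions live in options under <prefix>user_roles. Only that row is
  # renamed: core also has options such as wp_page_for_privacy_policy whose
  # names literally start with wp_ and must stay as they are.
  printf "UPDATE \`%soptions\` SET option_name='%suser_roles' WHERE option_name='%suser_roles';\n" \
    "$new" "$new" "$old"
  # usermeta keys <prefix>capabilities and <prefix>user_level carry the prefix
  # too; without this update the admin account keeps no capabilities at all.
  # Review the matching rows first if a plugin stores unprefixed wp_* keys.
  printf "UPDATE \`%susermeta\` SET meta_key=CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" $(( ${#old} + 1 )) "$like"
}

# Usage: wp_prefix_change_sql wp_ xk9_ wp_users wp_usermeta wp_options wp_posts
```

Back up the database first; RENAME TABLE is immediate and the statements are only as complete as the table list you pass in.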

Tweak #10: Keep WordPress updated

You should keep your install of WordPress up-to-date to keep it secure. The developers of WordPress are constantly adding bug fixes and addressing vulnerabilities (plus adding fancy new features) with each new release. If you’re comfortable doing this kind of stuff yourself, by all means go for it, but there are plenty of experienced developers out there that can help you if not.

Detailed instructions can be found on the WordPress Codex.


Disclaimer: The above list is intended as a basic guide; some of the more common things to look out for. If you’re uncertain about anything mentioned here or not confident tinkering with your WordPress install please enlist the help of an experienced website developer.

30 responses to WordPress Security Tweaks

  1. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. It is extremely helpful for me.

  2. I am happy to find this post very useful for me, as it contains a lot of information. I always prefer to read quality content, and this is what I found in your post. Thanks for sharing.

  3. Really impressed! Everything is very open, and very clear explanation of issues. Your website is very useful. Thanks for sharing. Looking forward to more!

  4. So informative! Big thanks!

  5. You are definitely a great writer, I will follow you.

  6. Very interesting article to read, I like it.

  7. This is a good post. This post gives truly quality information. I’m definitely going to look into it. Really very useful tips are provided here.

  8. Your website is a great source of information.

  9. I am happy with this information, but I need more information, so please update more stuff. Thank you.

  10. After studying a few of the blog posts on your website, I truly like your way of blogging. I bookmarked it to my bookmark website list and will be checking back soon. Please check out my web site as well and let me know what you think.

  11. Happy I found your blog, there are so many useful things in here. I’ve bookmarked you so I can always have access to your posts.

  12. I really liked the topics you post here. Thanks for sharing this information that is so helpful for us. Good day.

  13. Very useful content. Thanks.

  14. Congratulations on all the success of the website, it’s growing every day.

  15. Hey, this blog is wonderful, following you to see more posts.

  16. Nice informative post. Another knowledgeable one.

  17. Yeah. It is a wonderful website. This is a very nice one and gives in-depth information. I think it will be helpful.

  18. Pretty nice post. I just stumbled upon your weblog and wanted to say that I have truly enjoyed surfing around your blog posts. After all I’ll be subscribing to your feed and I hope you write again soon!

  19. Appreciate the recommendation. Let me try it out.

  20. I absolutely love your site. Great colors & theme. Did you create this site yourself? Please reply back as I’m attempting to create my own personal website and would love to find out where you got this from or just what the theme is called. Many thanks!

  21. Hello, just wanted to mention, I loved this post. It was practical. Keep on posting!
