Since this spring, websites running WordPress have been the target of a large and coordinated brute-force attack. According to TechCrunch, in April this attack involved the use of over 90,000 IP addresses! If you think your WordPress website hasn’t been affected by this attack, you’re likely not paying attention…
A recent client contacted me to repair their WordPress-based website that had gone offline (disclaimer: I had no part in the deployment of the website or its lack of security). After some investigation, it became obvious that the site had been hacked and many core WordPress files modified (I gave up searching after finding around 10 infected files). I was able to mostly restore this client's website, but, unfortunately, a few images will probably be a casualty of the intrusion (if the client had a backup, the images could have been restored also; but that is an article for later).
As a result of this experience, I have begun strengthening the security of both my own websites and those of my clients. It’s nearly always easier to take preventive action than to clean up the mess after you’ve been hacked.
In this post, I will list what I consider to be some of the more critical aspects to securing your WordPress website. My next post will detail how to easily implement many of these recommendations by using the security plugin, Wordfence.
Methods for Improving WordPress Security
WordPress security can be improved in many ways; some of them are very easy and others require some technical knowledge on your part. Implementing just one of these suggestions will improve your security; however, you should strongly consider as many as possible to decrease the chances of your site being hacked.
Use a Reputable Web Host That Takes Security Seriously
If your web hosting provider doesn't take security seriously, then there isn't much you can do to improve things from within WordPress. Unfortunately, it can be hard to determine if a web host is any good before you sign up. However, there are a few things you can do to evaluate the quality of a potential web host beforehand:
- avoid web hosts whose pricing seems “too good to be true” (e.g., anything free)
- avoid web hosts with “unlimited” storage, bandwidth, etc. plans
- check availability of recent and supported versions of PHP, Apache, MySQL, etc., and ask how quickly the host applies security patches to them
- stick with web hosts that are headquartered in the United States
- consult sites, such as Web Hosting Talk, to find unbiased reviews and recommendations
I have used FluidHosting and A Small Orange for several years and have been extremely satisfied with both.
Keep Everything Updated
One of the simplest things you can do to minimize the chances of being hacked is to keep WordPress and all your installed themes and plugins up-to-date, so that you always have the latest security fixes and improvements. Treat the two kinds of update differently: an update that fixes a security issue should go in as soon as you can test it, because the fix itself tells attackers where the hole is; for ordinary feature releases, waiting a week or two is fine and lets others find any bugs before they can affect your website.
A word of caution is in order because a new version of WordPress, a theme or a plugin can introduce incompatibilities. Before installing an update, take a look at the change log and make note of any new dependencies and other issues that may cause a problem. On the WordPress updates screen, any plugin with an available update shows a "compatibility" rating for both the installed version of WordPress and the newest available version of WordPress.
Taking this even further, you may want to consider creating a separate clone of your website dedicated to compatibility testing. This can be done using any of several “virtualization” applications to create a virtual server on your desktop computer with a duplicate of your WordPress installation. This method will reveal any incompatibilities between updated versions of WordPress and the specific theme(s) and plugin(s) that you use. In the near future, I will post an in-depth article describing how I do this.
Use Strong Passwords
Pay attention to the WordPress password strength meter! Don’t use any password that has an indicated strength less than “strong”, especially for any user that has “Administrator” privileges. There are many ways of generating a strong password including:
- some web browsers will suggest a strong password
- several websites (do a Google search for “strong password generator”)
- Mac OS X's Keychain Access (via its Password Assistant) can generate several types of passwords
- third-party password managers such as LastPass and 1Password
- use your own "recipe" for generating a password
In general, the longer the password, the better (I recommend using at least 16 characters). Avoid passwords built from a single dictionary word, a name, or a word with a few digits tacked on; those are exactly what dictionary and pattern-based attacks try first. A long string of random characters, or several unrelated words picked at random, is far harder to guess.
This advice also goes for your MySQL, FTP and any other passwords on your server; each of these services is an avenue for an attacker to remotely access your web server and compromise it. Note that plain FTP sends your password in clear text, so use SFTP (or FTPS) instead if your host offers it.
Don’t Use the Default “wp_” Database Table Prefix
When installing WordPress, one of the questions is what MySQL database table prefix you want to use. The default option is wp_. Do NOT use the default value. Many automated SQL injection payloads are written against the default table names (wp_users, wp_options, and so on), so a different prefix makes those canned attacks fail and lessens the likelihood of a site breach via your MySQL database. Be clear about the limit, though: an attacker who can already run arbitrary SQL can simply list the table names, so this is a speed bump, not a substitute for fixing the injection flaw.
Note that changing the database table prefix AFTER you have installed WordPress means renaming every table and also updating the rows whose names embed the prefix (the wp_user_roles option in the options table, and the wp_capabilities and wp_user_level keys in the usermeta table). This requires either SQL queries (not recommended unless you have some experience with SQL databases) or a plugin specifically designed for the purpose. Simply changing the value of $table_prefix in wp-config.php will break access to your database and take your site down.
Use as Few Plugins as Possible
Think hard (and then think even harder) about whether you really need the feature provided by a WordPress plugin. The more plugins you have installed, the more potential security vulnerabilities and avenues for illicit access to the web server will exist. Furthermore, relying on non-standard features implemented via a plugin can come back to haunt you if the plugin ceases to be maintained by the developer.
A corollary to this: if you have installed plugins that aren't being used, delete them instead of just deactivating them. A deactivated plugin's files are still on the server, and any flaw in them can still be reached directly.
Avoid Plugins That Allow Arbitrary Code Execution
Plugins that allow arbitrary PHP or other code to be executed from within WordPress should be avoided at all costs. The last thing you want is for an intruder to have an easy avenue for inserting malicious code into your website. Examples of these types of plugins include: Insert PHP, Insert PHP Code Snippet, etc.
Disallow File Editing From Within WordPress
By default, WordPress allows users with "Administrator" privileges to edit PHP files such as plugin and theme files from the dashboard. This is an easy avenue for an intruder who obtains an administrator login to inject malicious code into your WordPress installation. To disable the editor, place the following in your wp-config.php file (above the line that reads /* That's all, stop editing! */):
define('DISALLOW_FILE_EDIT', true);
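DISALLOW_FILE_EDIT only removes the built-in editor; an intruder with an Administrator session can still upload a plugin zip containing PHP. As an added example (not code from the original post), here is a wp-config.php fragment that combines that constant with the related ones, including the non-default table prefix discussed above. The prefix value is a made-up example, and the FORCE_SSL_ADMIN line assumes your site already has a working TLS certificate.

```php
<?php
// Added hardening fragment for wp-config.php (example code, not from the original post).
// These lines must sit ABOVE "/* That's all, stop editing! */"; constants defined after
// wp-settings.php has loaded have no effect.

// Remove the theme/plugin editor from the dashboard. Limit: an attacker who already
// holds an Administrator session can still upload a plugin zip containing PHP.
define('DISALLOW_FILE_EDIT', true);

// Stronger: also block plugin/theme installs, uploads and dashboard updates (this also
// hides update notices). Only enable it if you apply updates another way (SFTP or a
// deploy script), otherwise "Keep Everything Updated" becomes much harder to follow.
define('DISALLOW_FILE_MODS', true);

// Send the login form and wp-admin over HTTPS only, so the strong password you chose is
// never transmitted in clear text. Assumes a working TLS certificate on the site.
define('FORCE_SSL_ADMIN', true);

// Never show PHP errors (file paths, SQL fragments) to visitors of a production site.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);

// Non-default table prefix. Safe to set here ONLY on a fresh install; on an existing
// site the tables (and the prefixed rows in options/usermeta) must be renamed first,
// or the site stops working. 'x7k3q_' is a made-up example value; pick your own.
$table_prefix = 'x7k3q_';
```

If you enable DISALLOW_FILE_MODS, remember that the dashboard will no longer offer updates at all, so put a reminder in your calendar or apply them from the command line; a site that cannot be updated is worse than one with the editor enabled.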
Use Quality Plugins and Themes
Before installing and using a plugin or theme, make sure that you do some legwork to assess the quality of the plugin or theme.
A simple and quick way to do this is via the "Reviews", "Support", "Stats" and "Changelog" tabs of the WordPress plugin and theme repositories. Obviously, the "Reviews" section will let you know what other people think about the plugin or theme. The "Support" section will give you an idea of whether the plugin/theme author is actively supporting their work by resolving issues in a timely fashion (a red flag would be multiple old and unresolved support requests). The "Stats" section will give you an indication of how popular the plugin/theme is with other WordPress users. Finally, the "Changelog" section will give you an idea of how often the plugin/theme is updated with bug fixes, enhancements and compatibility updates.
Commercial plugins and themes not hosted on the WordPress website are another matter. Assessing the quality of these will likely involve a Google search or reading the equivalent of the “Reviews”, “Support”, “Stats” and “Changelog” information that will hopefully be provided from the plugin/theme download site. WordPress does have a list of recommended theme developers that can give you a start in your search for a commercial WordPress theme.
None of these, in and of themselves, are definitive indicators of plugin or theme quality, but together they should give you a fair idea of which plugins or themes are worth installing and which to avoid.
Don’t Use “Admin” as a Username
The most common brute-force attack on a WordPress website (and probably any other website that has a protected area with username/password authentication) is to attempt a login using the username “admin” and then various methods of guessing the associated password (dictionary attacks, pattern checking, social engineering attacks, etc.). Refraining from using “admin” as a username greatly reduces the chances of brute-force attacks succeeding as they must now guess both a username and a password.
You can find multiple tutorials on changing a WordPress username (for example, here) as well as a handful of plugins to do the job (for example, Username and WPVN – Username Changer). Alternatively, you can simply create a new user with "Administrator" privileges and then delete the old "admin" user. When you delete a user, WordPress asks whether to delete that user's content or attribute it to another user; choose the latter, otherwise all posts by the old "admin" user will be deleted along with the account.
Change the Administrator Account User ID
Changing the administrator username to something other than "admin" is a good start. However, WordPress references users by a numeric ID, not by the username, and the author archive links the two. What difference does that make, you ask? Quite a bit: even after you change the administrator username as I suggest above, a slightly more determined attacker can recover the new username by requesting the following URL on your site:
http://www.yourwebsite.com/?author=1
This will redirect to a URL which looks something like:
http://www.yourwebsite.com/author/obfuscated_admin/
which quickly reveals what is likely to be an administrator username. The reason is that WordPress assigns user ID "1" to the first user created, and that user is almost guaranteed to be the administrator account created during WordPress installation. (Strictly speaking, the slug in the URL is the user's "nicename", which WordPress derives from the username by default, so the two are normally identical.)
We could work around this by changing the user ID of the administrator account to something other than "1" (there are several ways to do this; you can find one here). Keep in mind that an attacker can just as easily try ?author=2, ?author=3 and so on, so changing the ID alone only moves the target. It helps if you also give the account a nicename that differs from its login name, or block author-ID requests altogether so that no user ID resolves to a username.
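Blocking the lookup is more robust than hiding behind a different ID. The following must-use plugin is an added example (my code for this post, not the original post's, and not a Wordfence feature). It closes the ?author=N leak described above and, for the "Don't Use Admin as a Username" section, also stops the login form from confirming which usernames exist (by default WordPress answers "Invalid username" for a wrong name but "incorrect password" for a right one). It goes beyond the original article in two places, both noted in the comments: the REST API users endpoint and the core XML sitemaps, which leak the same user list in later WordPress versions. It assumes the file is dropped into wp-content/mu-plugins/, where WordPress loads it automatically and it cannot be deactivated from the dashboard.

```php
<?php
/**
 * Plugin Name: Block username enumeration
 * Description: Added example for this post (not the post's own code). Save as
 *              wp-content/mu-plugins/block-username-enumeration.php; it cannot be
 *              deactivated from the dashboard.
 */

// 1. The ?author=N -> /author/<slug>/ leak. WordPress' canonical redirect runs on
//    template_redirect at priority 10, so intercept numeric author requests on init,
//    before that redirect can reveal the slug. Logged-in users keep normal behaviour.
add_action('init', function () {
    if (is_admin() || is_user_logged_in()) {
        return;
    }
    $author = isset($_REQUEST['author']) ? (string) $_REQUEST['author'] : '';
    if ($author !== '' && preg_match('/^\d+$/', $author)) {
        // Identical answer for every ID, so nothing can be inferred from the response.
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});

// 2. Beyond the original article: WordPress 4.7+ serves /wp-json/wp/v2/users, which
//    lists every author's slug to anyone. Remove the routes for anonymous requests.
add_filter('rest_endpoints', function ($endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 3. Also beyond the original article: WordPress 5.5+ publishes an author sitemap
//    (wp-sitemap-users-1.xml). Drop the "users" provider so it is not generated.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);

// 4. The login form distinguishes an unknown username from a wrong password, which
//    confirms a guessed username. Return one generic message for every failure.
add_filter('login_errors', function () {
    return 'Login failed. Please check your username and password.';
});
```

After installing it, check from a browser where you are not logged in that http://www.yourwebsite.com/?author=1 sends you to the home page rather than to an /author/ URL, and that a deliberately wrong username and a deliberately wrong password at /wp-login.php produce the same error text.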
Isn’t There An Easy Way To Do All This?
By now, you're probably saying to yourself, "This is all well and good, but I don't have the time or expertise to implement your suggestions". Fortunately, there are plugins for WordPress that will implement many of the above recommendations automatically, freeing you from having to make the changes manually.
Next time I’ll discuss the plugin that I use to implement several of these security best practices: Wordfence.