Securing WordPress

Filed Under: WordPress by Miloš Spasić Written on October 19th, 2011

This is the ultimate guide on how to achieve maximum safety of a WordPress installation. After you make these changes, your WordPress blog will become bullet proof, I guarantee you that!

During my years of work with WordPress I came up with a list of six simple rules that you should implement on your WordPress installation to make it secure and safe.

Securing WordPress – six primary rules:

  1. Use unique database prefix
  2. Update wp-config.php to the newest version
  3. Edit your theme’s functions.php file to remove some risky messages
  4. Use .htaccess to secure wp-config.php and .htaccess file itself
  5. Install two great WordPress security plugins
  6. Keep your WordPress up to date

Use unique WordPress database table prefix for your installation

The WordPress database table prefix is the default weakness of all WordPress blogs, because nobody ever bothers to change it. Hackers know this very well and use it to deface WordPress sites en masse. Don’t be lazy and change this. The only problem is that you must change it before you install WordPress.

Open your wp-config.php file and find the default WordPress database table prefix. It looks like this:

$table_prefix  = 'wp_';

Change it to something unique and hard to guess (only numbers, letters and underscores):

$table_prefix  = 'm3x7q_';

Save wp-config.php and upload it to the host, overwriting the old file. That’s it, you are now ready to continue with the installation.

If you have already installed your blog with the default WordPress database table prefix, don’t worry. There is a solution for that as well.

Changing default table prefix after installing WordPress

Before changing your table prefix, make a backup of your database and be aware that your site is going to be down for a few minutes. Then open your wp-config.php and change your database table prefix as I described for a new installation.

Go to your database using phpMyAdmin, select your WordPress database, click on the SQL tab and paste the SQL commands below to rename all WordPress tables from the wp_ prefix to whatever you specified in your wp-config.php file.

SQL commands to rename the eleven default WordPress database tables:

RENAME table `wp_commentmeta` TO `m3x7q_commentmeta`;
RENAME table `wp_comments` TO `m3x7q_comments`;
RENAME table `wp_links` TO `m3x7q_links`;
RENAME table `wp_options` TO `m3x7q_options`;
RENAME table `wp_postmeta` TO `m3x7q_postmeta`;
RENAME table `wp_posts` TO `m3x7q_posts`;
RENAME table `wp_terms` TO `m3x7q_terms`;
RENAME table `wp_term_relationships` TO `m3x7q_term_relationships`;
RENAME table `wp_term_taxonomy` TO `m3x7q_term_taxonomy`;
RENAME table `wp_usermeta` TO `m3x7q_usermeta`;
RENAME table `wp_users` TO `m3x7q_users`;

If there are any other tables besides the defaults, from plugins or whatever, rename them as well using the same method.

The next step is to search the options table for any instances of the old database prefix. To do this, enter the following SQL query in the SQL tab:

SELECT * FROM `m3x7q_options` WHERE `option_name` LIKE '%wp_%'

If you find any options created by plugins, custom scripts, etc. that begin with wp_, rename them to the new prefix. You can change each one by clicking on the edit button for that record.

Now search the usermeta table for all instances of the old wp_ prefix with this SQL command:

SELECT * FROM `m3x7q_usermeta` WHERE `meta_key` LIKE '%wp_%'

Rename any entry that begins with the default WordPress table prefix wp_ to the new prefix.
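The whole rename procedure above (tables first, then the prefixed rows in options and usermeta) can be generated as one SQL script instead of being typed into phpMyAdmin by hand. The following Python script is an added example, not code from the original post; it reproduces the page's eleven RENAME statements for any old/new prefix, lets you append plugin tables, and goes one step further than the page by emitting UPDATE statements that rewrite every option_name / meta_key starting with the old prefix. Two assumptions are labelled in the code: the target is MySQL (so backslash is the LIKE escape character), and the review queries escape the underscore, because in SQL LIKE a bare `_` matches any single character, so the page's pattern `'%wp_%'` also lists rows that merely contain "wp" followed by some other character.

```python
import re

# Allowed prefix characters (the page: only numbers, letters and underscores).
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# The eleven default tables of a WordPress 3.x single-site install, as listed on the page.
DEFAULT_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
)


def validate_prefix(prefix):
    """Reject anything WordPress itself would refuse as a table prefix."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix


def escape_like(literal):
    """Escape the LIKE metacharacters % and _ (and the escape character itself).

    Assumption: MySQL, whose default LIKE escape character is the backslash and
    which keeps \\_ and \\% unchanged inside a string literal for exactly this use.
    Without escaping, 'wp_%' would also match names such as 'wpx...'.
    """
    return literal.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def rename_tables_sql(old, new, extra_tables=()):
    """RENAME TABLE statements for the default tables plus any plugin tables
    passed in (names without prefix, e.g. 'myplugin_log')."""
    validate_prefix(old)
    validate_prefix(new)
    tables = DEFAULT_TABLES + tuple(extra_tables)
    return [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]


def find_rows_sql(old, new):
    """The two review queries from the page, with the underscore escaped so
    they list only rows that really start with the old prefix."""
    like = f"'{escape_like(old)}%'"
    return [
        f"SELECT * FROM `{new}options` WHERE `option_name` LIKE {like};",
        f"SELECT * FROM `{new}usermeta` WHERE `meta_key` LIKE {like};",
    ]


def rename_rows_sql(old, new):
    """Rewrite the prefixed option_name / meta_key values in place.

    The rows that matter most are wp_user_roles (options) and wp_capabilities /
    wp_user_level (usermeta): if they keep the old prefix after the table rename,
    every user, the administrator included, is left without capabilities.
    SUBSTRING is 1-based, so position len(old)+1 is the first character after
    the old prefix.
    """
    like = f"'{escape_like(old)}%'"
    start = len(old) + 1
    return [
        f"UPDATE `{new}options` SET `option_name` = CONCAT('{new}', SUBSTRING(`option_name`, {start})) WHERE `option_name` LIKE {like};",
        f"UPDATE `{new}usermeta` SET `meta_key` = CONCAT('{new}', SUBSTRING(`meta_key`, {start})) WHERE `meta_key` LIKE {like};",
    ]


def migration_sql(old, new, extra_tables=()):
    """Complete script: rename the tables first, then fix the prefixed rows."""
    return "\n".join(rename_tables_sql(old, new, extra_tables) + rename_rows_sql(old, new))


if __name__ == "__main__":
    # The page's example values: wp_ -> m3x7q_.
    print(migration_sql("wp_", "m3x7q_"))
```

Run the two `find_rows_sql` queries first and look at what they return; the UPDATE statements follow the page's instruction of renaming every row that begins with the old prefix, so a plugin that happens to name its own options `wp_...` would be renamed along with the rows that WordPress actually ties to the prefix.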

Once you have completed all the above steps, check your site for proper functionality. Test the admin area, pages, posts, search etc. If your site is working normally, you have successfully changed the WordPress database table prefix and you can move on to the other security tweaks. And just in case, make another database backup.


Update wp-config.php to the newest version

What does this mean? When you update your WordPress, wp-config.php stays from your old installation. It doesn’t change because it contains the essential information your site needs to communicate with the database. So why change it? Because WordPress has drastically improved security in its newer versions, and some of those security improvements are contained in the new wp-config.php which comes with a fresh installation.

OK, so how can I upgrade my wp-config.php to the newest version? Assuming that your WordPress is up to date, go and get the latest version of WordPress. Unpack the archive and find the file wp-config-sample.php, rename it to wp-config.php and open it with an editor. Now download your current wp-config.php from the host and open it with the editor too.

In the new wp-config.php find these variables:

/** The name of the database for WordPress */
define('DB_NAME', 'database_name_here');

/** MySQL database username */
define('DB_USER', 'username_here');

/** MySQL database password */
define('DB_PASSWORD', 'password_here');

/** MySQL hostname */
define('DB_HOST', 'localhost');

$table_prefix  = 'wp_';

Replace the variables above with the values from your old wp-config.php file.

After you have finished that, in your new wp-config.php find these lines:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

Go to the WordPress.org secret-key service, copy everything you see there and replace the lines above with the new values.
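If you would rather not paste values produced by a remote service into your configuration, the eight keys and salts can be generated locally. The script below is an added example, not part of the original post or of WordPress itself: it draws the values from the operating system's CSPRNG via Python's `secrets` module and rewrites the eight `define(...)` lines in a wp-config.php text in place. Two assumptions are labelled in the code: WordPress accepts any string as a key or salt, so a 64-character value (the same length the WordPress.org service issues) from printable ASCII is used, and the quote and backslash are left out of the alphabet so the value can never break the single-quoted PHP string it is written into. The sample wp-config.php fragment is constructed from the placeholder lines shown above.

```python
import re
import secrets
import string

# The eight key/salt constants, in the order wp-config-sample.php lists them (from the page).
SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII without whitespace and without the two characters that would
# break a single-quoted PHP string literal (the quote and the backslash).
ALPHABET = "".join(c for c in string.printable if not c.isspace() and c not in "'\\")
SALT_LENGTH = 64  # assumption: the length the WordPress.org service hands out

# Matches one define('AUTH_KEY', '...'); line whatever its current value is.
DEFINE_RE = re.compile(r"define\(\s*'(" + "|".join(SALT_NAMES) + r")'\s*,\s*'[^']*'\s*\);")

# Column the values start in, padded like wp-config-sample.php does.
VALUE_COLUMN = max(len(n) for n in SALT_NAMES) + 11


def generate_salt(length=SALT_LENGTH):
    """One value from the OS CSPRNG (secrets), never from random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def format_define(name, value):
    return f"define('{name}',".ljust(VALUE_COLUMN) + f"'{value}');"


def generate_defines():
    """The eight lines, ready to paste into a wp-config.php that lacks them."""
    return [format_define(n, generate_salt()) for n in SALT_NAMES]


def replace_salts(config_text):
    """Replace the values of every key/salt define found in config_text.

    Returns (new_text, missing) where missing lists the names that were not
    present, so an old configuration file cannot silently keep a placeholder.
    """
    seen = set()

    def repl(match):
        name = match.group(1)
        seen.add(name)
        return format_define(name, generate_salt())

    new_text = DEFINE_RE.sub(repl, config_text)
    missing = [n for n in SALT_NAMES if n not in seen]
    return new_text, missing


# Constructed sample: the placeholder lines from wp-config-sample.php plus the prefix line.
SAMPLE_CONFIG = """\
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix  = 'wp_';
"""

if __name__ == "__main__":
    text, missing = replace_salts(SAMPLE_CONFIG)
    print(text)
    if missing:
        print("not found, add these lines:")
        print("\n".join(format_define(n, generate_salt()) for n in missing))
```

Changing the keys and salts invalidates every existing login cookie, so all users (you included) are logged out once the new file is uploaded; that is expected and is also a quick way to evict any session an attacker may be holding.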

Save your new wp-config.php file and upload it to the server, overwriting the old file (back up the old file first, just in case).

Go to your site; if you have done everything correctly, you should see the front page. If not, you will see a warning that WordPress cannot connect to the database. If that happens, don’t panic, you have just missed copying one of the variables from your old wp-config.php to the new one. Check everything once more; I’m sure you will find the missing variable.


Edit your theme’s functions.php file to remove some risky messages

By default, WordPress displays its version in the head of your site:

<meta name="generator" content="WordPress 3.2.1." />

That is bad, because if hackers find out which version of your software you are running, they can attack it more easily.

To remove that version notification from the head, add these lines to your theme’s functions.php file:

<?php
//Remove WordPress version from head
remove_action('wp_head', 'wp_generator');
?>
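A quick way to confirm the change took effect is to fetch your front page and scan the HTML for version information. The checker below is an added example and not part of the original post; it parses the markup with Python's standard `html.parser` and reports the `generator` meta tag as well as the `?ver=` query string that WordPress appends to the core script and style URLs it prints (that parameter defaults to the WordPress version, and removing `wp_generator` does not touch it). The HTML it runs on is a constructed sample of a default theme head, not captured from any real site; pass the saved HTML of your own front page to `find_version_leaks` to check it.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class VersionLeakFinder(HTMLParser):
    """Collects the places a rendered WordPress page reveals software versions."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names for us
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("meta generator", a.get("content") or ""))
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            ver = parse_qs(urlparse(url).query).get("ver")
            if ver:
                self.findings.append((f"{tag} ?ver=", ver[0]))


def find_version_leaks(html):
    """Return a list of (where, value) tuples; empty means nothing was found."""
    parser = VersionLeakFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample resembling the head of a default WordPress 3.2.1 theme
# (hypothetical URLs under example.com, not captured from a real site).
SAMPLE_HEAD = """
<html><head>
<meta name="generator" content="WordPress 3.2.1" />
<link rel="stylesheet" href="http://example.com/wp-includes/css/admin-bar.css?ver=20110622" type="text/css" />
<link rel="stylesheet" href="http://example.com/wp-content/themes/twentyeleven/style.css?ver=3.2.1" />
<script type="text/javascript" src="http://example.com/wp-includes/js/jquery/jquery.js?ver=1.6.1"></script>
<script src="http://example.com/wp-content/plugins/contact/form.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for where, value in find_version_leaks(SAMPLE_HEAD):
        print(f"{where:16} {value}")
```

After `remove_action('wp_head', 'wp_generator')` is in place the `meta generator` line disappears, while the `?ver=` entries remain until you also filter the script and style loader output; the readme.html shipped with WordPress states the version as well, so treat the version as something a visitor can always learn with enough effort and rely on keeping WordPress updated rather than on hiding the number.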

Also, when someone illegally tries to log in to your admin area, WordPress by default displays error messages about a wrong password or user name etc. That is bad! You don’t want to make it easier for an attacker to break into your admin area. Remove these error messages by adding these lines to your theme’s functions.php file:

<?php
//Remove admin login page error messages display
//(an anonymous function replaces the original create_function() call,
// which was deprecated in PHP 7.2 and removed in PHP 8)
add_filter('login_errors', function () { return null; });
?>

That is all; save your functions.php and upload it to the host, overwriting the old file.


Use .htaccess to secure wp-config.php and .htaccess file itself and to disable directory browsing

If someone gets their eyes on your wp-config.php file, your site is history; there is no need for further explanation. And if someone gets hold of your .htaccess, they could redirect your site to some phishing website. That is also a catastrophic situation. It is also not a good idea to let anyone view your directory contents. So how can we protect these two vitally important files of our WordPress site and prevent directory browsing?

The solution is very simple: download the .htaccess file from your host and open it with Notepad. If you are using custom permalinks, you should see this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Add these lines before the code above:

# disable directory browsing
# (needs AllowOverride Options on the host; otherwise Apache answers with a 500 error)
Options All -Indexes
# secure wp-config.php
# (order/deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside each block)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

When you are finished, your .htaccess file should look like this:

# disable directory browsing
# (needs AllowOverride Options on the host; otherwise Apache answers with a 500 error)
Options All -Indexes
# secure wp-config.php
# (order/deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside each block)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Save your .htaccess and upload it to the host, overwriting the old file. Go to your site and check that everything is working normally; requesting wp-config.php or .htaccess directly in the browser should now return a 403 Forbidden error.


Install two great WordPress security plugins

All WP experts these days advise us to use plugins that scan our site for traces of malicious code. My approach is slightly different: I like to stop bad things before they even have a chance to happen.

I recommend that you install and use these two great WordPress security plugins:

  1. Limit Login Attempts
  2. Block Bad Queries (BBQ)

I will not go into details about how these plugins work and what their purpose is; you can read all about that on their plugin pages. Trust me, they are must-haves.


Keep your WordPress up to date

One of the most basic things about WordPress security is to keep things up to date. There is no perfect software without security holes in it, but the WordPress community is doing a great job of fixing these holes constantly.

So please, update your WordPress regularly. You can do an automatic update or a manual update.

Remember, your plugins and themes should also be updated regularly. By doing regular updates you can save yourself hours or days of work if your site gets hacked.

A few more security tips

Read about file permissions in WordPress and set them up wisely. Bad file permissions can easily lead to your site being hacked.
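Auditing the permissions of an existing install is easier with a script than with `ls -l` over hundreds of files. The one below is an added example, not code from the original post or from WordPress; it walks a WordPress directory and reports two kinds of problems: anything world-writable (critical), and any path whose mode is looser than a baseline (warning). The baseline is an assumption stated in the code: 755 for directories and 644 for files, which is the general guidance in the WordPress file-permissions documentation, plus 640 for wp-config.php because it holds the database password. The pure `audit_entry` function is separated from the file-system walk so the rules can be tested on constructed mode values; the sample entries at the bottom are constructed and do not come from a real install.

```python
import os
import stat

# Baseline modes (assumption): 755 for directories and 644 for files, per the
# general WordPress file-permissions guidance; wp-config.php tighter at 640.
DIR_MODE = 0o755
FILE_MODE = 0o644
CONFIG_MODE = 0o640


def expected_mode(relpath, is_dir):
    if is_dir:
        return DIR_MODE
    if os.path.basename(relpath) == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def audit_entry(relpath, st_mode, is_dir):
    """Findings for one path as (severity, relpath, message) tuples.

    A path can produce both findings: a 777 directory is world-writable and
    also looser than 755.
    """
    perm = stat.S_IMODE(st_mode)
    want = expected_mode(relpath, is_dir)
    findings = []
    if perm & stat.S_IWOTH:
        findings.append(("critical", relpath, f"world-writable ({perm:o})"))
    if perm & ~want:  # any permission bit set that the baseline does not grant
        findings.append(("warning", relpath, f"mode {perm:o} looser than {want:o}"))
    return findings


def audit_permissions(entries):
    """entries: iterable of (relpath, st_mode, is_dir) tuples."""
    findings = []
    for relpath, st_mode, is_dir in entries:
        findings.extend(audit_entry(relpath, st_mode, is_dir))
    return findings


def walk_entries(root):
    """Yield (relpath, st_mode, is_dir) for every path below root.

    Symbolic links are skipped: lstat reports 777 for the link itself, which
    would produce false world-writable findings.
    """
    yield ".", os.lstat(root).st_mode, True
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            yield os.path.relpath(full, root), st.st_mode, stat.S_ISDIR(st.st_mode)


# Constructed sample resembling a misconfigured install (not a real listing):
# wp-config.php readable by everyone and a world-writable uploads directory.
SAMPLE_ENTRIES = [
    ("index.php", 0o100644, False),
    ("wp-config.php", 0o100644, False),
    ("wp-content", 0o040755, True),
    ("wp-content/uploads", 0o040777, True),
]

if __name__ == "__main__":
    import sys

    entries = walk_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ENTRIES
    for severity, path, message in audit_permissions(entries):
        print(f"{severity:8} {path}: {message}")
```

Run it as `python audit.py /path/to/wordpress` on the server (or on a downloaded copy that preserved modes). The uploads directory is the usual exception people make for write access; it needs to be writable by the web server user, not by everyone, so a warning there is worth fixing with ownership rather than with 777.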

Also, if you have the default admin user on your blog, delete it and assign its posts to some other user name. Regular backups of the database and of the wp-content and uploads folders are also things that you must never forget to do.


Conclusion

If you follow these WordPress securing instructions, you reduce the probability of being hacked to a minimum. I have followed these rules for a long time and so far I have never failed.

OK people, that’s all about Securing WordPress for now. If you have any comments, suggestions or questions, feel free to post them below. I’ll be glad to answer you.
