Hi, today I would like to take a quick look at how to secure your WordPress install, starting from practical daily use and moving on to the technical stuff. First of all, if you are using a free service like wordpress.com, then these tips are not for you, simply because you won't have the rights to install plugins or to play around with the .htaccess files deep inside your hosting directory. That doesn't mean it is less secure; I would say it is more secure, because all the hard work is already done by the WordPress.com team, so cheer up, don't cry. Let's get to the fun part, shall we?

Installation Wise

By "installation wise" I mean the very core of your installation.

  1. Choose your hosting carefully: make sure it is reliable and puts real effort into security. Ask around; don't be ashamed.
  2. When installing a new WP blog, change the table prefix from the default wp_ to something else. This only gets in the way of canned attack scripts that assume wp_; it is no substitute for keeping the core and plugins patched.
  3. Don't use the default or an obvious admin username; I'll explain why later.
  4. Use a strong password; search the internet for how to choose one.
  5. After installation, check your file permissions: all folders must be 755 and all files 644. For wp-config.php, which holds your database credentials, the recommendation here is 750, i.e. no access at all for "other". The .htaccess files should be writable only by the user the web server runs as, so that WordPress and plugins are able to modify them.
  6. Choose your plugins wisely: consult a more experienced blogger or a knowledgeable programmer, or, if you have none at hand, a Google search. Old, unmaintained plugins may carry security bugs; beware that more functionality always comes with more risk.
  7. If you edit files and test the installation on your local computer to upload it later, check your file and folder permissions again after uploading.
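
Steps 5 and 7 above are easy to get wrong by hand, especially after an FTP upload from Windows resets modes. The script below is an added example, not code from the original post: it walks a WordPress tree and reports every directory or file whose mode deviates from the rules above (folders 755, files 644, wp-config.php tighter; the post's 750 is the preferred value, and 640/600 are accepted as an assumption), and can apply the fix. The sample tree it builds is constructed for the demo.

```python
import os
import stat
import tempfile

# Policy from the checklist above (directories 755, files 644).
DIR_MODE = 0o755
FILE_MODE = 0o644
# wp-config.php holds database credentials, so the post wants it tighter.
# 750 is the post's value; 640 and 600 are also accepted here (assumption).
SPECIAL_FILES = {"wp-config.php": (0o750, 0o640, 0o600)}


def _check(path, allowed, findings, fix):
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    if mode in allowed:
        return
    findings.append((path, oct(mode), oct(allowed[0])))
    if fix:
        os.chmod(path, allowed[0])


def audit_tree(root, fix=False):
    """Walk a WordPress install and return (path, actual, expected) for
    every directory or file whose mode is not in the policy. With
    fix=True each offending entry is chmod'ed to the preferred mode."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            _check(os.path.join(dirpath, name), (DIR_MODE,), findings, fix)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):      # symlink modes are meaningless
                continue
            _check(path, SPECIAL_FILES.get(name, (FILE_MODE,)), findings, fix)
    return findings


def build_demo_tree():
    """Constructed sample install: one good file, one world-writable
    wp-config.php and one 777 plugin directory (the kind of drift you
    see after uploading from a Windows box)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    content = os.path.join(root, "wp-content")
    plugins = os.path.join(content, "plugins")
    os.makedirs(plugins)
    os.chmod(content, DIR_MODE)
    os.chmod(plugins, 0o777)                       # bad: world-writable dir
    for name, mode in (("index.php", 0o644), ("wp-config.php", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)                       # 0o666 on wp-config is bad
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, actual, expected in audit_tree(root):
        print(f"{path}: {actual} (expected {expected})")
    audit_tree(root, fix=True)
    print("after fix:", audit_tree(root))
```

Run it as `python audit.py` against a copy first; the dry run (fix=False) is what you want right after an upload, the fix pass once you have read the report.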

Regular Update

Next, the most basic thing to do is to update and upgrade your WordPress install regularly, as soon as a new release is available. Updates bring not just stability and bug fixes but very often security fixes, so they are essential to securing your WordPress.

Change Admin Username and Display Name

You need to change the default username and display name so that the account is harder to guess when someone tries to brute-force your admin panel. Go to your cPanel and open phpMyAdmin, then select the wp_users table (with wp_ replaced by whatever table prefix you chose) in your WordPress installation's database. You should have only one user by now, unless you run a WordPress for your whole team. Now press the edit button, the one that looks like a pencil.


Next, edit the user_login and display_name fields. user_login is the name you will use to log in, and display_name is what is shown in the "posted by" line of your posts.


Remember: no special characters, just letters and numbers, but please pick something unusual. Hit the Go button and you're done.

Want the easier way? First, make sure you pick an unusual admin username when you first install WordPress. Then go to Dashboard > Users > Your Profile:

  1. Under the Nickname field, enter your new display name and save.
  2. Back on the same page, the dropdown "Display name publicly as" will now offer your new nickname. Select it, save, done!

Securing the /wp-admin folder: .htaccess password

You can add a second layer of authentication in front of your /wp-admin folder. Create a new .htaccess file inside wp-admin with content like this:

AuthType Basic
AuthName "secretfolder"
AuthUserFile "/home/this/will/be/location/of/your/secret/password/public_html/wp-admin/passwd"
require valid-user

And the content of your passwd file would look like this:

myprotector:$apr1$dq23G1v$pHubhsxvu442eBETVsswO9F/

AuthName is the title shown in the authentication popup, and AuthUserFile is the full filesystem path to your passwd file. In the passwd file, myprotector is the username and the part after the colon is the Apache password hash (an MD5-based $apr1$ hash in this example). To generate both files you can use the DynamicDrive .htpasswd tool, or run `htpasswd -c /path/to/passwd myprotector` with the Apache tools on your server. Two caveats: keep the passwd file outside public_html if you can, because the example path puts it inside wp-admin where anyone who guesses the filename can download the hashes; and be aware that protecting the whole wp-admin folder also prompts for the password on wp-admin/admin-ajax.php, which some themes and plugins call from the public site.

Easier way? Use cPanel > Security > Web Protect, which generates everything for you :)

Deny Access to certain files

Again, use .htaccess to deny access to sensitive files such as .log files and .htaccess itself. Add the lines below to the .htaccess in your public_html directory. Note that Order/Deny/Satisfy is Apache 2.2 syntax; on Apache 2.4 put `Require all denied` inside each <Files> block instead.

<IfModule mod_php4.c>
# unrelated to access control: this just enables gzip compression of PHP output
php_value zlib.output_compression 16386
</IfModule>

# deny all .htaccess/.htpasswd, .DS_Store and ._* (resource fork) files
<Files ~ "^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])">
Order allow,deny
Deny from all
Satisfy All
</Files>

# deny access to all .log and .comment files
# (anchored with $ so that a name like site.logo.png is not caught as well)
<Files ~ "^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])$">
Order allow,deny
Deny from all
Satisfy All
</Files>
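
Apache applies a `<Files ~ "...">` pattern to the requested filename as an unanchored regex search, so it pays to test the patterns before trusting them. The snippet below is an added example, not part of the original post: it runs the two patterns above, plus an end-anchored variant of the .log/.comment one, over a constructed list of filenames with Python's `re`, which has the same search semantics for these expressions. It shows that the posted .log pattern also denies `site.logo.png`, and that neither pattern covers a basic-auth file simply named `passwd` like the one in the previous section.

```python
import re

# The two <Files ~ "..."> patterns from the .htaccess above, plus an
# end-anchored variant of the second one.
PATTERNS = {
    "dotfiles": r"^\.([Hh][Tt]|[Dd][Ss]_[Ss]|[_])",
    "logs-as-posted": r"^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])",
    "logs-anchored": r"^.*\.([Ll][Oo][Gg]|[cC][oO][mM][mM][eE][nN][tT])$",
}


def is_blocked(filename, pattern):
    """Apache matches a <Files ~> regex against the request's basename as
    an unanchored search, which is exactly what re.search does here."""
    return re.search(pattern, filename) is not None


def blocked_by(filename):
    """Names of the patterns that would deny this filename."""
    return [name for name, pat in PATTERNS.items() if is_blocked(filename, pat)]


# Constructed sample of names found in (or probed for in) a WordPress
# document root.
SAMPLE_NAMES = [
    ".htaccess", ".htpasswd", ".DS_Store", "._index.php",  # should be denied
    "error.log", "debug.LOG", "notes.comment",             # should be denied
    "site.logo.png", "wp-config.php", "index.php",         # must stay reachable
    "passwd",                                              # basic-auth file from the section above
]


def report():
    """Map every sample name to the list of patterns that deny it."""
    return {name: blocked_by(name) for name in SAMPLE_NAMES}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:16} {'DENIED by ' + ', '.join(hits) if hits else 'served'}")
```

The takeaway: anchor the .log pattern with `$`, and either name your basic-auth file `.htpasswd` (covered by the first pattern) or keep it outside the document root.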

Restrict IP

If you have a single static IP address at home and will only ever access wp-admin from there, you can restrict which IP address may reach it. Be very careful: a typo here locks you out of your own site. Put the lines below into a .htaccess inside your wp-admin folder (not the one in public_html, or you will block every visitor from the whole site), where xxx.xxx.xxx.xxx is the IP allowed in. On Apache 2.4 the equivalent is a single `Require ip xxx.xxx.xxx.xxx` line.


order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

Check Log Files

Check your log files regularly: not only may you catch something nasty trying to breach your security, you may also discover bugs and errors on your site and fix them before someone else finds them.
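
What "check your log files" looks like in practice, as an added example that is not part of the original post: a small parser for Apache's combined access log that flags clients hammering wp-login.php, which is exactly the brute-force pattern the login-lockdown plugins in the next section react to. It relies on WordPress re-rendering the login form with a 200 on a bad password and answering a successful login with a 302 redirect, so a 200 on a POST to wp-login.php is counted as a failure. The log lines are constructed for the demo and use RFC 5737 documentation addresses; the threshold and window are assumptions to tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, just the fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample access log: 203.0.113.5 hammers the login form and
# finally gets a redirect (success), 198.51.100.7 is a normal login,
# 192.0.2.9 probes for .htaccess and is denied.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:02:14:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:02:14:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:02:14:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2012:02:14:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:02:20:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2012:02:20:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2012:02:21:00 +0000] "GET /.htaccess HTTP/1.1" 403 199 "-" "curl/7.21.0"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path and status,
    or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag clients with at least `threshold` failed logins inside any
    `window`-long span. A 302 on the POST is a successful login; anything
    else is counted as a failure. Returns {ip: (failures, later_succeeded)}."""
    failures, successes = defaultdict(list), set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        if rec["status"] == 302:
            successes.add(rec["ip"])
        else:
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(times), ip in successes)
                break
    return flagged


if __name__ == "__main__":
    for ip, (n, ok) in login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins" + (" followed by a successful one!" if ok else ""))
```

The "failures followed by a success" case is the one worth an alert: that is a guessed password, not just noise, and the first thing to do is rotate it.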

Security plug-ins? Why not?

There are already a lot of plugins out there; here are a few useful ones (please add your own pick in the comments):

  1. WordPress File Monitor – checks whether any of your files changed while you were away. Sometimes it will alert you because you updated the files yourself, but you will know when the change wasn't yours.
  2. Login LockDown – protects your login form from brute-force attacks by blocking an IP after a number of wrong password attempts. It will backfire on you if you forget your own password, LOL.

Be careful with plugins that add forms or other user input to your pages, posts or widgets: if they are coded poorly, they can be exploited.

Change wp-admin name entirely

Actually, this is not a good approach, because it will break your WordPress core in one way or another and make future updates hard. I would rather wait for the WP team to make the admin folder a variable that is easy to set. But if you insist and have the guts to play around with the WordPress core, fine. Check Rockyrasonable's wingrep here, the WordPress discussion here, or the old Stealth Login plugin here (very old, not working on WP 3+).

Basically, the way to do this is to rename your wp-admin folder and then change every reference in the WordPress scripts that points to that folder and its contents.

Another way is to use .htaccess again; Michi already covers this on his blog. It is an old article but still decent reading on the topic.

Conclusion and further reading

See, it is not easy to set up and maintain a self-hosted WordPress blog so that it stays secure and safe. And it is a pity to say it, but truth be told, nothing on the Internet is fully secure. A lot can be done to breach your security, especially now that you own your own server and administer it from public Internet facilities such as a hotspot, the office, or even your own home. I haven't looked into SSL for the login yet, not much experience on that matter, but in theory it adds another layer of security for your site.

But to minimize the damage, all those hard things are worth doing. This how-to-secure-your-WordPress tutorial may just put you one step ahead, which is better than nothing. Trust me, it hurts to lose something you could have prevented. Further reading:

Want to add more? Comments? Suggestions? Feel free :)
