Case Study: Security Hardening WordPress

I’m often asked by clients to perform security reviews and security hardening procedures on their WordPress sites.  In this post I want to tell you what I think the key areas are that need to be addressed when securing your site.

WordPress security is an issue, I have fixed dozens of hacked sites, by following this guide (and the videos that acompany this post) you can make your site much less attractive to the would-be hacker.

Video Coaching

I have a free video coaching guide to show you how to make all of these changes I mention below, simply join my mailing list in the sidebar to the right for details of the coaching videos.

The processes are quite long and drawn out, so a video explains it in much more detail.

Before You Start

You are going to make fundamental changes to your site if you follow this guide, please take a backup and know how to restore before you start, you have been warned 🙂

Keep Your Site Up To Date

The first and most important step if to keep your core wordPress file and all plugins up to date.  Many updates to WordPress are security patches, so whenever the banner pops up at the top of your dashboard, take action and update your site.

The only caveat I would add is to check that any critical plugins (e-commerce etc) are compatible with the latest update before you do that.

Change Default Table Prefix

By default the WordPress tables are called wp_, so a hacker knows that the users are held in wp_users table, they already have part of the puzzle if they try an SQL injection.

Change the default table prefix to wp_{somethinghardtoguess}_

Change Default Admin Name

On earlier versions of WordPress you were forced to accept admin as the default super user name, this had thankfully changed with newer installs, you can choose your admin user name.

If you are using admin as your super user, consider changing it for something more difficult to guess, the hacker already has half the puzzle if he know your admin login name, a brute force attempt to send thousands of passwords to yoru site is made much easier.

Security Keys

WordPress has the facility to encrpy a lot of the security information it holds in browser cookies to stop people gaining access to those credentials, but you need to add some encryption keys to wp-config to make this work.

Look for teh following section

define(‘AUTH_KEY’,        ‘LONG STRING’);



define(‘NONCE_KEY’,       ‘LONG STRING`’);

define( ‘AUTH_SALT’, ‘LONG STRINGl’ );

etc etc

Use the following tool to set random encrypted keys https://api.wordpress.org/secret-key/1.1/

Use Strong Passwords Throughout

Make sure you are using strong passwords over all of the important layers of your site.  WordPress users have a password strength guide, but you may want to use this tool for the other layers http://www.pctools.com/guides/password/

The passwords you need to check are

  • WordPress admin logins
  • The WordPress database password (held in wp-config)
  • FTP users
  • The login to your hosting panel

Don’t use the same password on all layers, and consider changing hte password on a regular basis

Hide WordPress versions

If a hacker knows what version you are running, it makes it easier to find vulnerabilities.  Hide the version of WordPress you are running.  It can be found in two key areas

The file yourdomain.com/readme.html, delete this file.  Note this will be re-isntalled with each new version installed, I like to set the file permissions to 000 on this file.

If you view source of your wordpress page you will see the version written into the source code, this is a good plugin to remove that loop hole http://wordpress.org/extend/plugins/replace-wp-version/

Access Backend via HTTPS

To ensure all access to your backend dashboard is encrypted, I like to do the following

Ensure I can access my site via https, check with your hosting company, you may need to buy an SSL certificate.

Enable the force ssl options,you can either force all logins to be encrypted or all backend activity to be encrypted by adding one of the following commands to yoru wp-config file.

  • define(‘FORCE_SSL_ADMIN’, true);
  • define(‘FORCE_SSL_LOGIN’, true);

For more details on SSL admin see http://codex.wordpress.org/Administration_Over_SSL

Only FTP To Your Site Using SFTP

Not really a WordPress security fucntion, but only upload and download files to yoru site using SFTp not FTP, your ftp password will be sent in the clear over the net if you use FTP.Check with your hosting company on how to configure SFTP.

For more details on using SFTP see this post https://ibraininc.com/sftp-flip-sake

Security Plugins

There are a couple of additional security plugins I like to install

wp-malwatch, kind of an anti virus plugin for your site to spot malware

Login lockdown – stops incorrect logins after three attempts and locks the user ID

Want A Secure WordPress Install

If you want me to secure your site, get a quote for a security review from my WordPress technical support page

Leave a Reply

Your email address will not be published. Required fields are marked *