This guest post is by David Wang of The ClickStarter.
Hacktivist groups Lulzsec and Anonymous are on the prowl again. Their actions have generated lots of attention for hacking, and you can be sure that many bored kids and shady characters are interested in starting to hack too.
What if your blog was the target of a rookie hacker, honing his skills to make it to the big leagues? All of your hard work building a better blog, growing traffic and readership, and making money with your blog would be jeopardized—or, worse, lost forever.
Thankfully, WordPress is pretty secure out of the box and they provide frequent security updates. Even better are the following super-simple actions that you can take to make WordPress ten times more secure. (Not scientifically verified! Your mileage may vary.)
Move wp-config.php up one level
The wp-config.php file contains all of your WordPress configuration information and settings. It’s game over if hackers gain access to this file—they would be able to inject malware into your blog pages, or *gulp* delete all of your blog content.
A little-known feature of WordPress is that you can move the wp-config.php file one level above the WordPress root. On most Linux servers, wp-config.php would be located in:
Simply FTP into your server, and then move wp-config.php above the public_html directory so that it is located in:
Now wp-config.php is outside of the public-facing web root, and no longer accessible to scripts and bots that hackers may employ over the Web.
There are no other settings to configure—WordPress will automatically know to look for wp-config.php one level above. Easy, right?
Caveat: This tip will not work if you install your blog in a subdirectory (e.g. public_html/blog) or as an add-on domain in cPanel (e.g.
Time required: 1 minute
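The lookup that makes this work, as an added example (not code from the original post or from WordPress): WordPress's wp-load.php first looks for wp-config.php in the install directory, then one level up, and uses the parent copy only if that parent directory has no wp-settings.php of its own. The shell functions below mirror that order and also report whether the resolved file sits inside the web root and whether it is world-writable. The function names and the temporary directory layout are constructed for illustration.

```sh
#!/bin/sh
# Added example: reproduce WordPress's wp-config.php lookup for one install.
# All paths are constructed; pass absolute paths without symlinks.

# wp_config_path WP_ROOT
# Prints the wp-config.php WordPress would load, or nothing if none qualifies.
wp_config_path() {
    wp_root=${1%/}
    parent=$(dirname "$wp_root")
    if [ -f "$wp_root/wp-config.php" ]; then
        printf '%s\n' "$wp_root/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        # The parent copy is skipped when the parent is itself a WordPress
        # install (it has its own wp-settings.php).
        printf '%s\n' "$parent/wp-config.php"
    fi
}

# wp_config_status WP_ROOT DOCROOT
# Prints "missing", or "<inside-webroot|outside-webroot> <world-writable|mode-ok>".
wp_config_status() {
    cfg=$(wp_config_path "$1")
    docroot=${2%/}
    if [ -z "$cfg" ]; then
        echo missing
        return 0
    fi
    case "$cfg" in
        "$docroot"/*) where=inside-webroot ;;
        *)            where=outside-webroot ;;
    esac
    # -perm -0002 matches when the "others" write bit is set (e.g. mode 666)
    if [ -n "$(find "$cfg" -prune -perm -0002 -print)" ]; then
        mode=world-writable
    else
        mode=mode-ok
    fi
    echo "$where $mode"
}

# Demo on a constructed layout where public_html is the web root.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/public_html"
    : > "$base/public_html/wp-settings.php"
    : > "$base/public_html/wp-config.php"
    chmod 644 "$base/public_html/wp-config.php"
    echo "before move: $(wp_config_status "$base/public_html" "$base/public_html")"
    mv "$base/public_html/wp-config.php" "$base/wp-config.php"
    echo "after move:  $(wp_config_status "$base/public_html" "$base/public_html")"
    rm -rf "$base"
}
demo
```

Run against a subdirectory install such as public_html/blog, the parent copy resolves to a path that is still inside the web root, which is the caveat above.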
Delete the ‘admin’ account
The default Administrator account on WordPress has a username of ‘admin’. Every n00b hacker would know that, so using ‘admin’ as the username is like having a back door to your house that every thief knows about. Do not ever use this as the main account. Choose a different username when installing WordPress.
If you have been using the ‘admin’ username, go into the Dashboard » Users » Add New User screen. Create a new user with the role of Administrator. Now log out, and log back in as the new user.
Go to the Users screen again and delete ‘admin’. You can transfer all of the content created by ‘admin’ to your new user account before confirming deletion.
Time required: 1 minute
Update WordPress, plugins, and themes
WordPress makes it so easy to update itself, along with plugins and themes, to the latest version. It’s so easy that you (almost) deserve to get hacked if you don’t stay updated. Spending one minute installing updates will save you hours or days of frustration and headaches if you ever do get hacked.
Plugins and themes should also be updated regularly. All plugins and themes from the WordPress directory integrate with the automatic update feature. Many premium plugins and themes also have automatic updates, which is another great reason to invest in a high-quality theme framework for your blog.
Time required: 1 minute
Install WP Security Scan and Secure WordPress
Finally, plugins that deal with security are another great way of reducing the likelihood of your blog getting hacked. Two really good plugins that do this are WP Security Scan and Secure WordPress by WebsiteDefender.
WP Security Scan comes with several tools to help make your blog more secure:
- The Scanner checks the permissions of the WordPress files and highlights any with the wrong permissions. FTP into your server and change the permissions accordingly.
- The Password Tool tells you the strength of your password, and also generates random and super-strong passwords that you can use.
- The Database tool allows you to back up the WordPress database and change the database prefix. Use it to change your database prefix to something like ‘7yhj2_’. This makes it difficult for hackers to guess your database table names when trying to perform SQL injections.
Secure WordPress takes a different approach and helps improve security by removing clues that can help hackers detect vulnerabilities in your system. The plugin’s settings screen is a simple list of checkboxes that do everything from removing login error messages and WordPress version numbers to blocking malicious URL requests. I recommend activating all the checkboxes, unless you have a specific need for one of the features that it blocks.
Time required: 2 minutes
The steps above will drastically improve your blog security and prevent it from becoming a target of opportunity for rookie hackers. However, security is an ongoing process, and also involves practicing security as a habit.
Stay vigilant and make it a point to keep up with the latest security news for WordPress, especially if you use it to run your business. You should also learn as much about security as you can. The ProBlogger archives are full of great posts that contain much more information on keeping your blog hacker, spammer and spyware-free and even planning for a blog disaster!
Now, please take five minutes and perform all of the steps above. I wish you good luck and hope your blog stays hacker-free!
David Wang blogs about his journey to generate the majority of his revenue online at The ClickStarter. He is also a WordPress evangelist and recently launched a free online course called Getting Started with WordPress. Follow David on Twitter – @blogjunkie
David, I really appreciate this post. As traffic has been growing on my blog, I’ve realized that I need to be more vigilant with security because people are going to make attempts at hacking into my business. I really like the wp_config idea and will be doing that, oh wait, right now.
I’ve heard of things such as putting in the .htaccess the IP address of the user to the wp-admin. What’s your opinion of doing something like this to add a level of security? Since I access the site on more than one computer, it seems it might be counterproductive, but for security, would it make sense?
Hi Jacob, good for you on taking security seriously! Yes, adding a .htaccess filter by IP would increase your security somewhat, but at the expense of convenience. You never know when or where you may need to log in to your blog but you’re locked out because you’re not at your whitelisted IP.
Something more convenient would be to password-protect your /wp-admin/ directory with .htaccess. Here’s a handy password generator you can use for that – http://tools.dynamicdrive.com/password/
Great advice, I already knew about changing your Admin account, but the other stuff is definitely overlooked but really helpful.
Have you ever had experience with Automattic’s own VaultPress for security? I haven’t yet used it, but I’ve heard good things about it, I just don’t know if it’s really a necessity.
That’s an awesome post, David. I think all points are exceptionally great except using the wp-security plugin. I have had a very bad experience with it. You can’t manage the status code of file permissions; you have to do that with FTP. The password generator is less important, as you can do this with any other. But changing the database table prefix through this plugin is most dangerous. If you want to change the table prefix, it would be better to change it manually through cPanel. This plugin will change the prefix but couldn’t complete the task. When I tried to do this with it, it did just half the work and I lost all administration control; my blog even vanished for almost 14 hours. The next day I discovered that the database table prefix change was not completed: half was with the old prefix and the rest was changed to my new prefix. This could cause a blunder for any new users.
Thanks for all of this information. I would also recommend a backup plugin like BackWPup, which is free and allows you to back up to a cloud-based site like Dropbox.
I’ll be implementing some of your other ideas today. Thanks again
Hi David! I’m a big fan of backup myself. I didn’t include it only because it would have increased the time required for this tutorial :P
Yeah, thirty-five minutes doesn’t sound nearly as good as 5. :)
Thanks for the great information. My WordPress account actually did get hacked, and they deleted everything. Fortunately the blog was only up 6 months. Still was not a fun thing to go through! Thanks again, I will be implementing many of these tips.
How about Better WP Security plugin, is it recommendable?
Hi Muhammad, I wasn’t aware of Better WP Security but that looks like a great alternative to Secure WordPress. Thanks for sharing!
As the author of Better WP Security I’ll vouch that it does a lot more locking down than the above two plugins but does not [yet] scan individual file permissions. What it does do is lock down files via htaccess, watch for possible attempts, and obscure any data and files that could be used to get information about your installation.
Thanks for mentioning Muhammad!
Great plugin Chris! I installed it and am liking it a lot. Thanks for working on this plugin and sharing it with the WordPress community :)
Super tips, man. Securing a blog is as important as building one. I don’t want to see my blog belong to a hacker. Hackers are getting stronger day by day and we must pay good attention to the security side of our blog.
Thanks for the tips
Oh man!!!! Thanks very much for this. I’ve been wanting to know for ages how to tighten things up. The webhost has provided various tools, but I’m not sure about those. The ‘admin’ advice was ‘timely’ – and gave me a shiver. Thanks again.
About the Admin account, I don’t think that’s too much of a concern. Because the hacker still needs to ‘fight’ for the corresponding password.
I’m curious to know what software you use to make those nice yellow arrows in your screenshots.
That’s Jing (by TechSmith) he’s using – it’s free and it’s awesome! jingproject.com – it’ll rock your socks off
Excellent tips and all very easy to do in under 15 minutes.
Hey, thanks for this post! I love these easy to follow ways to protect my blog :)
However, I don’t have a public folder. My stuff is in a folder named www. And if I move the config file to another folder, my blog is down and tells me that it can’t access the config file. Any thoughts?
Hi Maaike! Unfortunately the wp-config.php trick doesn’t work with all web hosts. For it to work, you need to move it 1 level above your WordPress install, you can’t just move it to any other folder.
If moving wp-config.php up one level doesn’t work, please make sure that it has the correct permissions (666) at least. Stay safe :)
wp – database security says that wp-config’s permissions should be set to 644. Is either fine, or which is better?
How about backing up? What is the most effective way of backing up your blog? I think that would’ve been a good inclusion to this article. :)
Just to clarify – I recognise that the article is aimed at securing your blog, not backing it up, but it is related ;-)
Hi Tom. Backing up is super important. It’s so important that I invested in a premium plugin called BackupBuddy. It provides automatic scheduled backups and can send the backup files to Amazon S3, Rackspace Cloud and even Dropbox.
It also does more than backup. For an example, please have a look at this screencast I created:
David to the rescue!!!
I have a question: do I cut the wp-config file and paste it in the ‘tmp’ folder? Or can I paste it anywhere in this directory?
I just realised I can’t cut it! Sorry, I am new to wordpress.org!
Hi Mushfique. No, you don’t put the wp-config.php file into the tmp folder. Use your FTP program to *move* it up one level. You should be able to see it sitting alongside the public_html directory. Please note that this doesn’t work in all hosting configurations. Good luck!
Another benefit of getting rid of the admin account and switching to, say, your real name, is that it is better for SEO as well. This way when somebody searches your name you will rank higher with yourdomain.com/author/your-name/ than you will with yourdomain.com/author/admin/
That’s an interesting point Seth, I hadn’t thought about that. That’s why I love the ProBlogger community – we learn new stuff every day!
If I’m using that security plugin in my blog, should I relax that my blog is in safe hands?
Err.. I wouldn’t completely relax. The goal of the steps explained in the article was to help you go from zero security to better security in 5 minutes. However that doesn’t mean it is the best security and a determined hacker may still be able to find a way into your site.
My last point was to stay vigilant remember? The ProBlogger website is a great resource to learn more about security – https://problogger.com/?s=security. You should also subscribe to ProBlogger to be notified of new posts on the topic.
I use WordPress Firewall 2 a plugin for WordPress. This WordPress plugin monitors web requests to identify and stop the most obvious attacks.
Brilliant article! I did it in 5 minutes.
What do you think about the BulletProof Security plugin?
“BulletProof Security protects your website from XSS, CSRF, Base64 and SQL Injection hacking attempts.”
It sounds very good but installing it is a bit complicated. Is it worth it?
Wow, that’s a lot of features in that 1 plugin. I included the 2 plugins in my article because they were a quick and simple way of increasing security. However plugins go out of date too so it’s important to keep an eye out for new and better ones.
Personally I wouldn’t bank on using plugins to ensure the security of my site. I think it gives users a false sense of security when they should actually be more vigilant.
Even when plugins are on the main repository it is always good to keep an eye out on other security sites like http://blog.sucuri.net/
If you are working on a larger site get a developer to check any plugins that you are using since they are a “moving target”
Bullet Proof Security was actually a security problem itself a few months back. It is sorted now but always be careful
Most of these tips are security by obscurity style and better than not doing them you should also have a look at
However in purely practical terms the single biggest issue I have found on most sites is that passwords are often very basic and easily guessed. Using a password generator and regularly resetting passwords as well as scaling down roles when users change on a site is very important.
I often see sites where most users are listed as admins when
a) they don’t need to be
b) as admins they can delete all kinds of good stuff by accident
So set those roles at a safe level and set a smart policy of using a password generator to keep all user passwords strong enough. One generator I use now says that 15 characters are needed and then they / you can also use http://keepass.info/ to track that.
That’s very well-explained Jason. I totally agree, I’ve seen sites with 40+ plugins that are way outdated, WP core is outdated and admin accounts for countless contractors they dealt with ages ago. *shudder*
Thanks for sharing your WP security expertise, Jason.
Recently, I added LastPass for password management [honestly, just to save time navigating!] and also found the custom Generator a great defense tool in setting up new site/subscription logons.
I don’t use it for finance or obvious exposure sites but it adds a nice layer of awareness & control for development projects, as well.
Thanks for the tips on keeping our wordpress sites safe. I will be implementing the wp-config.php tip right away.
I have also used Jason Fladlien’s product WP Twin to clone sites and move them to other hosting accounts. But they are also useful as a backup system.
Great tips. I have done most of them except the first one. I will try this one now. Further, I will use wp secure login so anytime anyone would like to log in, even admin must check email for a one-time password and to confirm IP, then they can log in as normal :-)
Most WP users now rely on hosting security and never use plugins. That is why many of their blogs were hacked. Thanks for great tips.
Hi there, thank you for this post! I love it, especially the problem of logging in as admin. Question though- if you create a new user, and say you wanted to make it a user name no one would ever guess- don’t you get stuck then with all your posts being credited (assuming your posts have an author byline) to that User, thereby rendering a secure user name public? I think and hope I am wrong, I just want to make sure before I make the switch!
When you create a new user, you can set the user’s First name, Last name and even give it a nickname. You can then choose which you want WordPress to display throughout the site :)
Great summary. wp-security scanner and wp-database backup are two plugins I ALWAYS install very early on on any WordPress installation; without them it’s like going for a walk in the rain without your shoes on and not expecting your feet to get wet.
Thanks David. Great tips. I will be installing the security plugins tomorrow. I tend to be reluctant to install WP plugins until I hear a recommendation from a credible source. Much appreciated.
Don’t wait till tomorrow, install them now! It only takes 5 mins :)
Excellent security tips David. Thanks so much – all done! (well, with the exception of user=admin which I don’t ever use – more luck than knowledge of security) and the ongoing vigilance of course. Plus thanks also to the other comments on other options and ideas.
I have installed WP Security Scan and Secure WordPress on my blog. They are working fine.
Very timely info. I woke up to a notification that my blog had 8 failed login attempts and had blocked access for 20 min. The name they tried was wp-admin. I recommend the Limit Login Attempts plugin, as well.
Another thing I like to do is create another account and give it AUTHOR ONLY rights. I use this author on any posts or uploads. This may not seem like much but it could slow down a hacker if he did not know your Admin login name. A little mis-direction never hurts.
Great short efficient tips there which we can all benefit from. I would also include backing up your blog every month or so “if” someone does manage to hack your WordPress you have something backed up. It’s one of those things you only really consider once you’ve lost everything and kick yourself for never doing.
Keep the great posts coming.
Just implemented most of your secure strategies after getting our site hacked into. Thx for the great tips and step by step instructions!
Thank you for the helpful information David. It’s much appreciated.
I also heard about hiding your WordPress version number. Do you think this makes a blog more secure or is this just a myth?
I think it helps.. but only a little. Hiding the WordPress version number is like hiding the brand on the lock of your front door. The amateurs may be fooled but it won’t mean squat if you’re dealing with an expert. Follow the steps that Jason mentioned in his comment above.
Thanks for the tips. I moved my admin.php without incident and installed plugin. If we all do a little security perhaps hacking will lose profits.
Great article. Will moving wp-config.php up a level affect the one-click updating process? That is, the one-click updaters that become available for the WP core engine and plugins when updates are published. That’s typically how we update the core, and plugins — not manually.
Other good stuff to do:
Add unique salts and keys to your wp-config.php:
Have wp-admin login and dashboard forced over https by uncommenting this in wp-config.php:
Use the plugin bad behavior to block spam bots. It can be linked up to project honeypot so your blog can automatically ‘subscribe’ to known spammer / bot ip addresses.
Thank you for the great article David. Knew most of those but moving wp-config.php is new to me. Going to do that.
Another thing you need to do is make sure you’re using a secured FTP connection. Don’t use regular FTP, use either SFTP, FTPES, or FTPS.
If someone hacks your FTP connection, they will be able to bypass all of your WordPress security checks.
This is so helpful. Clearly presented & easy to follow – I’ve actioned it!
Nice article, but I would like to know: is there a more secure way to safeguard the WordPress blog from iframe malware that attacks the theme files, so that the blog ends up on Google’s red list?
Since there are a lot of online readers, having a blog for a business is a big plus. Just make sure the site has some really interesting posts about your business.
– Jack Leak
Excellent and priceless information that you gives us David.
Just a question, I am using WP-Sentinel plugin. Would be there any kind of conflict if I add the Secure WordPress plugin in my blog?
Great article. WordPress is doing an amazing job at making life easier for individuals and businesses who want to get online with minimal effort. Likewise, in the spirit of WordPress, securing the site should also be easy and effortless.
Many thanks for mentioning our plugins, WP Security Scan and Secure WordPress, but the great features of these plugins have now been rolled into one enhanced plugin called WebsiteDefender WordPress Security.
It’s also worth checking out the comprehensive WordPress security monitoring service at http://www.WebsiteDefender.com.
Those are very quality tips to make your WordPress secure. I only think that some things are outdated in this post. For example, there is no more admin user, because now you choose a unique user name during the process of installation.
wp-config.php in a different directory other than your WP directory in order to secure it from bots and hackers doesn’t help any more. Because some hackers set up bots to crawl for your wp-config.php file and in the end, they are going to find it.
I have written a complete guide on how to achieve maximum safety of WordPress installation. If you are interested, you can check it at my site.
Just a few hours ago my entire site was hacked. I was fortunate because the support team of our hosting service is really good and managed to take it down. A colleague shared your post and I find it very, very helpful. Words are not enough to summarize how thankful I am for this post. I’m sharing this on my fan page too.
Thanks for sharing. I have to do this.