At Crucial we have a large number of customers running their websites on WordPress. Being arguably the most user friendly CMS’ available means a huge number of new WordPress website’s go online every day, adding to the already huge worldwide user base. This huge user base also means a huge number of users contributing to the WordPress community, with Plugins & Themes which can be of varying quality.

Unfortunately, WordPress’ runaway success is it’s biggest issue, as most WordPress users who have been hacked now know, it only takes one out of date installation, plugin or a poorly coded theme to result in a security threat on their website. The popularity of WordPress makes it an attractive target for hackers as exploits new & old arise, which means it’s even more important to stay on top of things, especially updates.

In the web hosting business, supporting customers who are unfortunate enough to experience their website’s being hacked for various reasons comes with the territory. However, websites that fall victim to being hacked generally follow a pattern of not following the best security practices (updates, updates, updates!), in order to provide themselves protection against potential vulnerabilities.

In this blog I’m going to detail some best practices for providing a base level of security to your WordPress installation.

First off, let’s begin with some of the ways you can identify a hacked WordPress website:

• Keywords or links to other websites that you did not specify
• Spikes in traffic/bandwidth usage under your account
• Website redirection to other URL’s
• Encoded or obfuscated text in plugins
• Strange text hidden in sections of your website html page code (Commonly in the Footer)
• Popup’s that you have not created
• Notices for Spam or other Email activity/abuse
• Strangely named folders or files in your web directories

Additionally, in order to understand why your website might be hacked, let’s take a look at some of the potential goals hackers may have in compromising your site:

• Creating hidden links (SEO abuse)
• URL redirection
• Infecting users with Malware
• Hosting malicious files
• Running custom code
• Leaving backdoors
• Spam
• Vandalism/defacement
• Running fraud, phishing and other scams
• Because they can

These are some of the most common, but it generally doesn’t matter the goal or reason. If your website is vulnerable and you do nothing to update & secure it, then it is safe to assume soon or later it will be compromised. Fortunately, securing your WordPress at least to a standard level is really not that difficult.

Securing Your WordPress Installation

1. Update! Update! Update!

The moment there is a WordPress update, make sure you are aware of it. In early versions of WordPress, like any CMS, this was a slightly tedious process. Today however, it is as simple as a few clicks from the WP Dashboard, there really is no excuse!

If you are running custom Themes & Plugins, then you also need to stay on top of them being up to date, even if they are deactivated! If they are deactivated and you don’t require them, delete them! This cannot be stressed enough and is the number one reason for WordPress website’s being compromised

• Logins:

Increase the difficulty for attackers by using unique login credentials.

• Create a new administrator user and delete the default “admin” account. Remember to move any old posts when you do! This is where any brute force password attempt will start.
• Additionally, do not publish your administrator account name on your WordPress blog, use the option to display a nickname you specify as your public name under the ‘User Profile’ settings.
• Never use the default “wp_” prefix for your database tables. Changing this to something different will reduce the chances of an SQL injection attack.

Now you may be thinking this is just ‘Security Through Obscurity’, which as any security concious person would know is generally a band-aid solution. However, here we are using it as part of an overall security strategy and every little bit helps to reduce the overall attack surface of your website!

• Passwords:

In today’s society where almost everything we do is online & password based this should go without saying. Use strong & unique password’s for everything involved with your installation — your cPanel Hosting account, your admin & user logins, your MySQL database user etc.

This doesn’t mean you need an impossible to remember 20+ random string of characters. As detailed by fellow Crucial admin Daniel in his blog on Password Security, there are a number of techniques you can use to intelligently increase your password strength without being ridiculous or making life overly difficult for yourself.

Additionally, use a login attempt limiting plugin such as ‘Limit Login Attempts‘ to limit the number of login attempts per IP. Our shared hosting servers employ Software & Hardware firewalls with login failure blocking, however, you can never be too safe. Realistically, you simply should not be failing to login multiple times.

• Themes & Plugins:

Do not use themes or plugins from suspicious sources. This is just common sense. There are a bajillion WordPress plugins themes available for free. Some of the more impressive options will come with a fee for the time the creators have spent coding & styling them and keeping them up to date with new releases.

If you choose to bypass this and source a theme that has been ‘scrubbed’ eg. to remove any anti-piracy steps for the creators work, not only are you cheating the developer(s) but you are only cheating yourself. You will not only make life difficult in terms of updates, but do not be surprised by any hidden features now also in the theme’s code.

• Check Known Vulnerabilities:

On the topic of plugins, it is a good idea to check for known vulnerabilities before even installing the plugin you’re considering. You can check via ExplitDB or Secunia amongst others.

• SSL:

Protect your website with SSL and force SSL logins. This may not be practical for everyone, but SSL Certificate prices are very competitive these days and the installation process is only tricky until you view a guide such as the following blog by fellow Crucial Team member Vikram in his blog’SSL Installation Explained‘.

You can view details on how to Administer WordPress Over SSL at the WordPress Codex

• File Permissions:

Another common problem occurs when users don’t quite understand file permission settings and set the wrong file permissions. Generally file & folder permissions in any WordPress install will default to what they’re meant to be, but it never hurts to check.

• All files should be owned by the actual user account
• All directories should be 755 or 750
• No directories or files should ever be given 777 permissions, even upload folders.
• Being written in PHP, wordpress relies on a number of core “.php” files, which should be set to 644 or 640 permissions (Except for wp-config.php which should be 600, or even 400 or 440).

Note that most hosts including us here at Crucial will run features such as SuExec for PHP binaries, which will achieve correct PHP permissions for you. However, if you have a VPS and for some reason you are not running PHP SuExec, you should ensure you CHMOD your “.php” files to 644 permissions.

If you’re unsure about setting correct permissions visit the WordPress Codex.

• Secure your wp-config.php

Your wp-config.php file is basically the key to your WordPress installation, obviously one look when editing this file during install should tell you that if this file is compromised all is lost. This makes it a key point for attackers to target. As mentioned above, the simplest way is to ensure you have the correct file permissions set. However, above this you can also add some extra security measures.

• You can move the wp-config.php file to the directory above your WordPress install. For example for a WordPress install in the root of your hosting account (/public_html for cPanel) you can store wp-config.php outside the root making it inaccessible from the outside world.
• If you use .htaccess files you can add the following to deny access to anyone probing your website for this file:
  
<files wp-config.php>
order allow,deny
deny from all
</files>


• Security & Monitoring Options: 

There are numerous WordPress plugins designed to scan your installation for vulnerabilities to core WordPress files & your database, such as Exploit Scanner, WordFence Security and BulletProof Security.

There are also a number of plugins and external services that you can use to monitor your WordPress installation. Whenever a change is made it leaves a trace, depending on your type of hosting it is not always easy or practical to setup monitoring of your logs 24×7. However, there are a number of WordPress plugins such as WordPress File Monitor Plus, which will do the job for you. Get instant notifications whenever a file is modified, which depending on the file will be a dead giveaway somebody is doing something they shouldn’t be.

• Backup! Backup! Backup!

Just as with Tip #1 this cannot be stressed enough. Even the best laid plans can go awry, no website is 100% invulnerable and security is an ongoing task at mitigating potential threats so you need a backup. Even a backup for your backup and so forth! Obviously depending on the size & popularity of your site you should adjust your backup strategy to suit your needs.

Some users may get away with a Monthly backup, while other websites may require nothing less than hourly or greater backups. Along with the backup strategy that is right for your website are any number of methods for automating backup requirements.

Under a cPanel hosting account with a few settings you can setup a Cronjob to perform a backup task at specific intervals eg. a MySQL dump, you may then even automatically move it offsite to a remote FTP location for added peace of mind.

There are also any number of plugins for WordPress to automate backups, such as ManageWP, VaultPress and WordPress Backup to Dropbox.

On top of this we also offer R1Soft Remote Backups as an account addon for our hosting plans. This will perform automated account backups to our redundant backup servers, offering both file & MySQL retention allowing you to revert individual files with ease, as well as your entire account in the worst of situations occur.

There are many many more ways to improve your WordPress security, this is merely a starting point and some of the key areas that many users will miss.

Stay tuned for Part II where I will detail some more advanced security hardening techniques step by step, to help lockdown protect your WordPress website even further.