
11 tips to secure your WordPress website

jklepatch
January 12, 2015


In this tutorial I will give 11 tips to secure your WordPress website. The tips cover the web server, the WordPress installation, as well as plugins & themes. For more tutorials check out my blog at http://julienklepatch.com/blog


Transcript

  1. 11 tips to secure your WordPress website
     Taipei WordPress Meetup – January 2015
     Julien Klepatch - julienklepatch.com / @jklepatch
  2. Summary
     • Web server
       – Security Tip #1: Make sure you use a secure web-hosting
       – Security Tip #2: Create a different database user for each website
       – Security Tip #3: Strengthen your .htaccess
     • WordPress
     • Plugin & Themes
  3. Security Tip #1: Make sure you use a secure web-hosting
     • Problem:
       – WordPress needs a web server (generally Apache), a database (MySQL) and PHP to work
       – These 3 pieces of software are evolving projects, with new vulnerabilities regularly discovered
       – New versions are safe (known vulnerabilities are fixed), but old versions are not
       – Running WordPress on old versions of this software is dangerous
  4. Security Tip #1: Make sure you use a secure web-hosting
     • Solution:
       – Choose a secure web-hosting: MySQL and PHP must be regularly updated (WordPress requirements: PHP 5.2.4 or greater / MySQL 5.0 or greater)
       – Optional: automatic backup services
     • WordPress recommends some hosting companies here: https://wordpress.org/hosting/
  5. Security Tip #2: Create a different database user for each website
     • Problem:
       – The same account is used for all databases (e.g. the root account in MySQL)
       – If a hacker compromises this account through one database, he can also attack all the other databases (i.e. websites)
       – In other words, a vulnerability on one WordPress website can lead to vulnerabilities in many WordPress websites
  6. Security Tip #2: Create a different database user for each website
     • Solution:
       – For each WordPress website, create a specific database user and enter its credentials in your wp-config.php
       – This user then only has the privileges required for that website to work
       – This is the “Principle of Least Privilege”
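As an added example (not from the deck), here is a shell helper that produces the per-site MySQL user described on this slide, granting only the privileges WordPress needs on that one database; the database name, user name and the "localhost" host are constructed values.

```shell
#!/bin/sh
# Added example, not from the deck: provision one dedicated MySQL user per
# WordPress site, scoped to that site's database only. Database and user
# names below are constructed; "localhost" assumes the DB runs on the web host.

# Privileges WordPress needs to run, install and update itself (CREATE, DROP,
# ALTER and INDEX are used by core/plugin upgrades; LOCK TABLES lets this same
# user take mysqldump backups). Deliberately not ALL PRIVILEGES, and no GRANT
# OPTION, FILE or SUPER, so a compromise of one site cannot reach the others.
WP_PRIVS='SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES'

# site_db_grants <db_name> <db_user> <password>
# Prints the SQL to run as the MySQL admin: one database, one user, one GRANT
# limited to that database and to connections from localhost.
site_db_grants() {
  printf "CREATE DATABASE IF NOT EXISTS \`%s\`;\n" "$1"
  printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$2" "$3"
  printf "GRANT %s ON \`%s\`.* TO '%s'@'localhost';\n" "$WP_PRIVS" "$1" "$2"
  printf "FLUSH PRIVILEGES;\n"
}

# wp_config_lines <db_name> <db_user> <password>
# Prints the matching wp-config.php settings for that one site.
wp_config_lines() {
  printf "define('DB_NAME', '%s');\n" "$1"
  printf "define('DB_USER', '%s');\n" "$2"
  printf "define('DB_PASSWORD', '%s');\n" "$3"
  printf "define('DB_HOST', 'localhost');\n"
}

# random_password: 24 letters/digits from /dev/urandom, so the value needs no
# escaping inside the SQL or PHP string literals above.
random_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# Usage with constructed names: run this once per site, never reuse a user.
pw=$(random_password)
site_db_grants 'shop_wp' 'shop_wp_user' "$pw"
wp_config_lines 'shop_wp' 'shop_wp_user' "$pw"
```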
  7. Security Tip #3: Strengthen your .htaccess
     • Problem:
       – Depending on your web-hosting, the default server configuration is not safe enough
       – For example, usually everyone can:
         • browse through directories in your account
         • try to log in to your admin from any computer
         • access your .htaccess file
  8. Security Tip #3: Strengthen your .htaccess
     • Solution:
       – Prevent people from browsing your directories
       – Restrict admin access by IP

         # to be put in wp-admin/.htaccess (Apache 2.2 access syntax; Apache 2.4
         # uses "Require all denied" / "Require ip your_ip_here" instead)
         # Note: <Limit> only covers the listed methods, and blocking wp-admin/
         # by IP also blocks wp-admin/admin-ajax.php, which some plugins call
         # from the public side of the site
         <Limit GET POST PUT>
           order deny,allow
           deny from all
           allow from your_ip_here
         </Limit>

         # to be put in the root .htaccess ("Options All -Indexes" mixes
         # signed and unsigned options, which Apache rejects)
         Options -Indexes
  9. Security Tip #3: Strengthen your .htaccess
     • Solution:
       – Protect wp-config.php
       – Protect .htaccess

         # to be put in the root .htaccess: deny every .hta* file
         # (.htaccess, .htpasswd) to all visitors
         <Files ~ "^.*\.([Hh][Tt][Aa])">
           order allow,deny
           deny from all
           satisfy all
         </Files>

         # to be put in the root .htaccess: wp-config.php holds the database
         # credentials and must never be served
         <Files wp-config.php>
           order allow,deny
           deny from all
         </Files>
  10. Security Tip #3: Strengthen your .htaccess
     • Solution:
       – Protect wp-content/

         # to be put in wp-content/.htaccess: refuse direct requests to
         # everything (in particular PHP files placed in uploads/), then
         # re-allow static assets; extend the list if your theme serves other
         # types (fonts, svg, pdf, ...)
         order deny,allow
         deny from all
         <Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
           allow from all
         </Files>
  11. Summary
     • Web server
     • WordPress
       – Regularly update your WordPress installation
       – Regularly back up your website
       – Manage user accounts securely
       – Change the prefix of database tables
       – Use SSL for admin login
     • Plugin & Themes
  12. Security Tip #4: Regularly update your WordPress installation
     • Problem:
       – New vulnerabilities are constantly found by hackers / security organizations
       – When this happens, the WordPress core team quickly releases a new version of WordPress with a patch for the security issue
  13. Security Tip #4: Regularly update your WordPress installation
     • Solution:
       – Update your WordPress website whenever there is a new version
       – Same for your plugins
       – Updates generally cause no problems, but you can back up your website before updating anyway
  14. Security Tip #5: Regularly back up your website
     • Problem:
       – If a hacker gets access to your website, he may want to modify / delete your data
       – Once the damage has been done, it’s too late to fix it
  15. Security Tip #5: Regularly back up your website
     • Solution:
       – Regularly back up your website
       – If there is any problem, just restore the backup
       – Several ways to do it (similar to moving a website):
         • Manually (https://speakerdeck.com/jklepatch/how-to-move-a-wordpress-website)
         • With a plugin (https://speakerdeck.com/jklepatch/how-to-move-a-wordpress-website)
         • Using a paid service (https://vaultpress.com/)
  16. Security Tip #6: Manage user accounts securely
     • Problem:
       – If you use an admin username that is too easy to guess, it will help hackers
       – If you use your admin account to write posts, you might make your admin username public and help hackers
       – If you make anyone else admin, they may not be as knowledgeable about security as you and might create vulnerabilities in your website
  17. Security Tip #6: Manage user accounts securely
     • Solution:
       – Don’t use the admin account for daily management
       – Don’t use ‘admin’ as the username of the admin account
       – Don’t display your username directly as the post author (Users => Your Profile => Display name publicly as…)
       – Don’t make anyone else admin
  18. Security Tip #7: Change the prefix of database tables
     • Problem:
       – The WordPress MySQL database is organized in tables
       – In a standard WordPress installation these 11 database tables always have the same names
       – This means hackers know the structure of the database of any WordPress installation
       – They can use this information to hack your website more easily
  19. Security Tip #7: Change the prefix of database tables
     • Solution:
       – All WordPress database tables share a prefix which can be customized (wp_ by default)
       – It is possible to change this prefix in wp-config.php, by changing ‘wp_’ in this line:
           $table_prefix = 'wp_';
       – After you have done that, hackers have no way to know the name of the tables in your database
  20. Security Tip #8: Use SSL for admin login
     • Problem:
       – When you log in to your admin, information is sent to your server using the HTTP protocol
       – This protocol is not secure, meaning that a hacker able to intercept your traffic on the internet can get your login and password
  21. Security Tip #8: Use SSL for admin login
     • Solution:
       – There is another protocol, HTTPS, which is secure (anyone intercepting the message on the internet will not be able to decipher it)
       – You will need to buy an SSL certificate from your web-hosting
       – Once it is done, in wp-config.php, add this line:
           define('FORCE_SSL_ADMIN', true);
       – You may also need to set up another .htaccess for the secure site. Contact your web-hosting for more info
  22. Summary
     • Web server
     • WordPress
     • Plugin & Themes
       – Security Tip #9: Delete unused plugins and themes
       – Security Tip #10: Always download plugins / themes from trusted sources
       – Security Tip #11: Install a security plugin
  23. Security Tip #9: Delete unused plugins and themes
     • Problem:
       – You are less likely to pay attention to unused plugins and themes
       – You might forget to update them
       – You might find that some of them are old, no longer maintained and have huge vulnerabilities left open
  24. Security Tip #9: Delete unused plugins and themes
     • Solution:
       – Regularly delete unused themes and plugins
       – For plugins, first deactivate them, then delete them
       – For themes, you have to use FTP to manually remove the theme files in wp-content/themes/
       – Be careful: deactivating a plugin is different from deleting it (i.e. deactivating it DOES NOT delete the files, so it is not enough)
  25. Security Tip #10: Always download plugins & themes from trusted sources
     • Problem:
       – It is very easy for a hacker to insert malicious code in a theme / plugin
       – It would take a lot of effort to inspect all theme / plugin files yourself
       – Once you upload the malicious code to your server you may run into big problems
  26. Security Tip #10: Always download plugins & themes from trusted sources
     • Solution:
       – Only download plugins / themes from trusted sources such as:
         • wordpress.org for free ones
         • Themeforest, or other well-known theme / plugin sellers
       – Do not download a free plugin / theme from any website other than wordpress.org
       – Do not download plugins / themes from BitTorrent
  27. Security Tip #11: Set up a security plugin
     • Problem:
       – All the security tips I mentioned before can be difficult to enforce for non-technical persons
       – Some other protections (such as protection against brute force attacks) cannot easily be done by hand
  28. Security Tip #11: Set up a security plugin
     • Solution:
       – Use a security plugin
       – There are a lot of free and non-free security plugins
       – Most famous ones:
         • Wordfence Security (free & paid)
         • iThemes Security (free & paid)
         • All In One WP Security & Firewall (free)
  29. Security Tip #11: Set up a security plugin
     • Benefits:
       – Block brute force attacks
       – Can find hacked WordPress files (if any)
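To show what "finding hacked WordPress files" amounts to, here is an added example (not from the deck or any of the plugins named above) that checks a site's core files against a checksum manifest taken from a clean copy of the same release; the directory tree and file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the deck: the core of what a security plugin does to
# "find hacked WordPress files": a checksum manifest taken from a clean copy of
# the same release is compared with the live site. All paths below are
# constructed. WP-CLI's "wp core verify-checksums" does the same for real sites.

# Core files only: wp-content/ (plugins, themes, uploads) and wp-config.php
# differ per site and need a baseline of their own.
core_files() {
  (cd "$1" && find . -type f ! -path './wp-content/*' ! -name wp-config.php)
}

# build_manifest <clean_wp_root> <manifest_file>: one "sha256  ./path" line per file
build_manifest() {
  core_files "$1" | (cd "$1" && while read -r f; do sha256sum "$f"; done) > "$2"
}

# verify_site <wp_root> <manifest_file>: prints "MODIFIED <path>", "MISSING <path>"
# or "UNEXPECTED <path>" (a core-area file the release never shipped, the usual
# trace of a planted file) and returns 0 only when the site matches the manifest.
verify_site() {
  root=$1; manifest=$2
  report=$(
    while read -r sum path; do
      if [ ! -f "$root/$path" ]; then echo "MISSING $path"
      elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
        echo "MODIFIED $path"
      fi
    done < "$manifest"
    core_files "$root" | while read -r f; do
      grep -q -- " $f\$" "$manifest" || echo "UNEXPECTED $f"
    done
  )
  [ -z "$report" ] || printf '%s\n' "$report"
  [ -z "$report" ]
}

# Demo on a constructed tree: a clean copy, then a live copy with one core file
# altered and one file added that the release never contained.
demo=$(mktemp -d)
mkdir -p "$demo/clean/wp-includes" "$demo/clean/wp-content/uploads"
echo '<?php // release file' > "$demo/clean/index.php"
echo '<?php // release file' > "$demo/clean/wp-includes/load.php"
build_manifest "$demo/clean" "$demo/core.sha256"
cp -r "$demo/clean" "$demo/live"
echo '// line not in the release' >> "$demo/live/index.php"
echo '<?php // not shipped with WordPress' > "$demo/live/wp-includes/extra.php"
verify_site "$demo/live" "$demo/core.sha256" || echo "live site differs from release"
rm -rf "$demo"
```

The manifest must come from a pristine download of the exact same WordPress version, and anything under wp-content/ needs a separate baseline of its own.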
  30. Conclusion
     • We have seen how to secure your WordPress website on 3 aspects:
       – Web server
       – WordPress
       – Plugins & Themes