WordPress is a great blog platform but like anything popular, it’s often targeted by hackers; hence hardening your WordPress deployment is mandatory. Getting your WordPress site hacked can be very stressful and a potentially expensive problem. It’s akin to getting your *insert something important here* stolen. This is especially true if your WordPress site is critical to your online presence, as downtime can destroy the traffic you’ve garnered not to mention it can hurt your website’s reputation.
NOTE: This WordPress hardening guide describes an intermediate-to-expert task.
This guide assumes you or your web host have already secured the server itself. If this has not yet been done or you aren't sure, then you should do it first or ask your web host to do it for you, as your WordPress site could still be hacked if the server is insecure. Search Google for guides like "hardening linux" and "securing /tmp". Also check out SELinux, CSF and LFD. The WordPress.org site has also published an extensive WordPress hardening guide.
Step 1: Changing the WordPress Database Table Names
This one can be difficult to do but it is the absolute most critical. By default, WordPress prefixes all its database table names with "wp_". Changing the table prefix to a random string makes it difficult if not impossible for a hacker to execute remote SQL injection attacks.
Go to random.org to generate a random database table prefix. If you haven’t installed WordPress yet, then during installation you can change the table prefix to the random string you generated previously. Make sure you add an underscore ( _ ) after the string so your tables are easier to read.
If you have already installed WordPress, then you will need to edit wp-config.php and enter the new database prefix. Then export the entire database and, using a text editor, replace the prefix of every table with the random string you generated above. Again, make sure you add an underscore ( _ ) after the string so your tables are easier to read.
Table names are stored in the CREATE TABLE `NAMEHERE` or CREATE TABLE IF NOT EXISTS `NAMEHERE` lines. After you do the edits to the exported database, you will need to drop the WordPress database on your web host and import your edited database.
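The export-and-replace step above, as an added shell example that is not part of the original guide: gen_prefix produces a random prefix of the kind the guide asks you to fetch from random.org, and rewrite_prefix applies it to a mysqldump export. It goes beyond the text in two ways: besides the CREATE TABLE lines it rewrites every backtick-quoted table reference (DROP TABLE, LOCK TABLES, INSERT INTO), and it also renames the option and user-meta keys (wp_user_roles, wp_capabilities, wp_user_level and friends) that WordPress stores with the prefix baked in, without which no account can log in after the import. Function names, the 8-character length and the sample dump are my own constructions; it assumes no other application shares the old prefix in the same database.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate a random table
# prefix and rewrite a mysqldump export to use it. Assumes identifiers are
# backtick-quoted as mysqldump writes them, and that no other application
# shares the old prefix in the same database.

# Random lowercase alphanumeric prefix with the trailing underscore the
# guide recommends; the default length of 8 is an assumption.
gen_prefix() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c "${1:-8}"
    printf '_\n'
}

# Usage: rewrite_prefix OLD NEW IN.sql OUT.sql
# Rewrites every backtick-quoted identifier that starts with OLD (covers
# CREATE TABLE, DROP TABLE, LOCK TABLES and INSERT INTO lines), plus the
# option/user-meta keys WordPress stores with the prefix baked in, which a
# table-name-only replace would miss (plugins may add more such keys).
rewrite_prefix() {
    old="$1"; new="$2"; src="$3"; dst="$4"
    # WordPress only accepts letters, digits and underscores in the prefix.
    case "$new" in
        ''|*[!a-z0-9_]*) echo "prefix may contain only a-z, 0-9 and _" >&2; return 1 ;;
    esac
    bt='`'
    script="s/${bt}${old}/${bt}${new}/g"
    for key in user_roles capabilities user_level user-settings \
               user-settings-time dashboard_quick_press_last_post_id; do
        script="${script}; s/'${old}${key}'/'${new}${key}'/g"
    done
    sed -e "$script" "$src" > "$dst"
}

# Constructed sample dump (not real site data) to exercise the rewrite.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/site.sql" <<'EOF'
DROP TABLE IF EXISTS `wp_options`;
CREATE TABLE IF NOT EXISTS `wp_options` (`option_id` bigint(20) NOT NULL);
INSERT INTO `wp_options` VALUES (1,'wp_user_roles','a:0:{}','yes');
LOCK TABLES `wp_usermeta` WRITE;
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_usermeta` VALUES (2,1,'wp_user_level','10');
EOF
new_prefix="k7x2q9_"   # in real use: new_prefix="$(gen_prefix)"
rewrite_prefix wp_ "$new_prefix" "$demo_dir/site.sql" "$demo_dir/site-new.sql"
cat "$demo_dir/site-new.sql"
```

After running it against a real export, put the same prefix in $table_prefix in wp-config.php, drop the old database and import site-new.sql, as the guide describes.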
Step 2: Update Your WordPress Installation, Plugins, and Themes
Keeping your WordPress installation, plugins and themes up-to-date is the single most critical thing you can do. Exploits are discovered daily and if you leave your WordPress running an older version, you risk getting hacked. To update WordPress, log in to the Dashboard and on the right-hand side look for "Updates".
Step 3: Secure Your Plugins
Since plugins add new functionality, they can also add functionality you don't want, such as backdoors. Before installing ANY plugin, do the following:
- Search the exploit databases such as Exploit-DB to see if there are any security advisories for the plugin. If there are, make sure they aren't for the current version.
- Check if the plugin is compatible with the current version of WordPress.
- Check how many support requests have been solved in the past few months. If it’s a low number (less than 50%), then look in the support forum to see what questions people were asking. Plugins with poor or no support tend to not get updated often so avoid them if you can.
- Install the plugin only if all three checks above are OK.
Here are a few plugins that should be avoided as they increase the attack surface of WordPress or are just generally malicious:
Additionally, if you have any plugins that are disabled and you don't intend to use them then delete them.
Step 4: Choosing a Complex Password
It is critical that you choose a complex and hard-to-guess password. Choosing an easy-to-guess password makes as much sense as leaving your front door unlocked in a neighbourhood with lots of crime. If you must insist on using an easy-to-remember password, then add a few symbols to it. For example, replace the letter S with a dollar ($) symbol, the letter O with a zero (0), the letter I with an exclamation point (!). You should have at least 2 symbols and 1 number in your password and it should be at least 12 characters long (to increase entropy and make it even harder to guess or brute force). If you still aren't able to remember your password, then get a password manager application like KeePass or BitWarden. Try to avoid browser-based or browser-integrated password managers, as browser hijacking is common. When using a password manager, use the random password feature with symbols. The password will be impossible for you to remember, but it will also be very difficult for hackers to guess. Also, ensure you avoid re-using passwords.
Step 5: File and Folder Permissions
Using your SFTP program or the command line (if you have access to it), set the permissions (chmod) of all folders and files. This is critical for security and while it is a long and boring process, you need to do it.
All directories should be 750 or if they require write access, then 755. All files should be 644. Exception: wp-config.php should be 600 to prevent other users on the server from reading it. File and group ownership (UID and GID) should ideally be set to what the web server itself requires (e.g. apache.apache).
Most FTP applications allow you to change the permissions of a folder and file simply by right-clicking the object and selecting CHMOD, Attributes, Permissions, or something similar. Read the help file that came with your FTP application for more information. If you're using the command line, then use the following command:
chmod ### <folder or file name>
So for example let’s say you were chmod’ing the wp-admin directory, which is located in /home/yoursite/wordpress/public_html. The commands would look like:
cd /home/yoursite/wordpress/public_html
chmod 750 wp-admin
Every time you install a new plugin or theme, you will need to set the folder and file permissions for those new folders and files accordingly.
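Doing the whole tree in one pass, as an added shell example that is not part of the original guide: harden_perms applies the scheme above (directories 750, files 644, wp-config.php 600, whether it sits in the web directory or one level above as Step 6 recommends) with find, and check_perms lists anything that deviates, which is the check to re-run after every plugin or theme install. Function names and the demo tree are my own constructions. It assumes ownership has already been set to the web server account as the guide says; with that account as owner, 750 on a directory already lets the web server write where it must (for example wp-content/uploads).

```shell
#!/bin/sh
# Added example, not part of the original guide: apply the guide's
# permission scheme (directories 750, files 644, wp-config.php 600) to a
# whole WordPress tree in one pass instead of file by file. Assumes the
# tree is already owned by the web server account (e.g. apache:apache).

# Usage: harden_perms /path/to/public_html
harden_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php may be inside the tree or one level above it (Step 6).
    for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -f "$cfg" ]; then chmod 600 "$cfg"; fi
    done
}

# Usage: check_perms /path/to/public_html   (exit 0 when nothing deviates)
# Prints every path whose mode differs from the scheme; re-run it after
# installing a plugin or theme, since the guide says those need their
# permissions set again.
check_perms() {
    root="$1"
    bad="$(find "$root" \( -type d ! -perm 750 \) -o \
                        \( -type f ! -name wp-config.php ! -perm 644 \) -o \
                        \( -type f -name wp-config.php ! -perm 600 \))"
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed demo tree with deliberately loose permissions (not a real site).
demo_root="$(mktemp -d)"
demo_wp="$demo_root/public_html"
mkdir -p "$demo_wp/wp-admin" "$demo_wp/wp-content/uploads"
touch "$demo_wp/index.php" "$demo_wp/wp-admin/admin.php" "$demo_wp/wp-content/uploads/a.jpg"
printf '<?php\n' > "$demo_root/wp-config.php"   # moved one level up, as in Step 6
chmod -R 777 "$demo_root"
harden_perms "$demo_wp"
check_perms "$demo_wp" && echo "permissions OK"
```

Run harden_perms as the owner of the tree (or as root), then keep check_perms in a cron job or your deployment script so drift after updates shows up immediately.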
Step 6: Securing wp-config.php
Move wp-config.php outside of the web directory (i.e. one directory up). WordPress checks the directory above its install directory for the file when it can't find it in the web directory.
For extra security, add the following to wp-config.php:
define('DISALLOW_FILE_EDIT',true);
Choose new authentication keys and replace the old keys in wp-config.php with the new ones you generated.
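Rotating the keys and adding DISALLOW_FILE_EDIT without hand-editing, as an added shell example that is not part of the original guide: fetch_salts pulls a fresh set of define() lines from the WordPress.org salt generator at https://api.wordpress.org/secret-key/1.1/salt/, apply_salts strips the eight old AUTH_KEY/…/NONCE_SALT defines from wp-config.php and inserts the new block before the "stop editing" marker, and ensure_define adds define('DISALLOW_FILE_EDIT', true); exactly once. Function names are my own; the demo uses a constructed wp-config.php and constructed placeholder salt values (not real keys) so it runs offline. Rotating the keys invalidates every existing login cookie, which is usually what you want after a compromise.

```shell
#!/bin/sh
# Added example, not part of the original guide: rotate the eight
# authentication keys/salts in wp-config.php and add DISALLOW_FILE_EDIT if
# it is missing. Assumes the standard "That's all, stop editing!" marker
# is present; without it the new lines are appended at the end of the file.

WP_SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# Usage: fetch_salts OUT.txt   (needs network; not called by the demo)
fetch_salts() {
    curl -fsS https://api.wordpress.org/secret-key/1.1/salt/ > "$1"
}

# Usage: apply_salts wp-config.php salts.txt
# Drops every existing define() of a salt constant, then inserts the new
# block just before the "stop editing" marker.
apply_salts() {
    cfg="$1"; salts="$2"
    tmpf="$(mktemp)"
    awk -v keys="$WP_SALT_KEYS" -v saltfile="$salts" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[[:space:]]*define[[:space:]]*\(/ {
            # Extract the constant name regardless of quote style/spacing.
            name = $0
            sub(/^[[:space:]]*define[[:space:]]*\([^A-Za-z_]*/, "", name)
            sub(/[^A-Za-z0-9_].*$/, "", name)
            if (name in want) next
        }
        /^\/\* That.s all, stop editing/ && !done {
            while ((getline line < saltfile) > 0) print line
            done = 1
        }
        { print }
        END { if (!done) while ((getline line < saltfile) > 0) print line }
    ' "$cfg" > "$tmpf" && mv "$tmpf" "$cfg"
}

# Usage: ensure_define wp-config.php NAME VALUE
# Adds define('NAME', VALUE); once; a second call is a no-op.
ensure_define() {
    cfg="$1"; name="$2"; value="$3"
    if grep -Eq "define[[:space:]]*\([[:space:]]*['\"]${name}['\"]" "$cfg"; then
        return 0
    fi
    tmpf="$(mktemp)"
    awk -v line="define('${name}', ${value});" '
        /^\/\* That.s all, stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$tmpf" && mv "$tmpf" "$cfg"
}

# Constructed wp-config.php and salts (placeholder values, not real keys).
demo_cfg="$(mktemp)"
cat > "$demo_cfg" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
demo_salts="$(mktemp)"
i=1
for key in $WP_SALT_KEYS; do
    printf "define('%s', 'CONSTRUCTED-PLACEHOLDER-%d');\n" "$key" "$i" >> "$demo_salts"
    i=$((i + 1))
done
apply_salts "$demo_cfg" "$demo_salts"          # real use: fetch_salts salts.txt first
ensure_define "$demo_cfg" DISALLOW_FILE_EDIT true
cat "$demo_cfg"
```

Keep wp-config.php at mode 600 after the rewrite (mv preserves the temp file's mode, so re-apply chmod 600 from Step 5), and never paste salts from anywhere other than the generator or a cryptographically random source.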
Step 7: Securing Themes
Put the following in your theme's functions.php file:
// Hide the reason a login failed (wrong username vs. wrong password) so the form gives nothing away.
// create_function() was removed in PHP 8; WordPress's built-in __return_null callback does the same job.
add_filter('login_errors', '__return_null');
// Stop WordPress printing its version number in the <head> generator tag.
remove_action('wp_head', 'wp_generator');
Search your theme's header file for the following and delete it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
If you have any themes that are not being used or are disabled, then delete them.
Step 8: Recommended Security-Enhancing Plugins
The following plugins will enhance security and should be installed and configured:
For more information on securing and hardening WordPress please consult the extensive and comprehensive WordPress hardening guide over at wordpress.org.