I recently gave a presentation at WordCamp Montreal on WordPress Security. While doing research for my presentation I came across a bunch of great WordPress Security tips that all WordPress users should use. Surprisingly, a good majority of these tips are not usually followed. Below is a list of the top 5 tips that most WordPress administrators do not do, but should:
1. Don’t use the admin account – The default user account that is created with every installation of WordPress is the admin account. Unfortunately the entire world knows this, including hackers, and can easily launch a dictionary attack on your website to try and guess your password. If a hacker already knows your username that’s half the battle. It’s highly recommended to delete or change the admin account username.
2. Move your wp-config.php file – Did you know since WordPress 2.6 you can move your wp-config.php file outside of your root WordPress directory? Most users don’t know this and the ones that do don’t do it. To do this simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your config file there if it can’t find it in your root directory.
3. Change the WordPress table prefix – The WordPress table prefix is wp_ by default. You can change this prior to installing WordPress by changing the $table_prefix value in your wp-config.php file. If a hacker is able to exploit your website using SQL Injection, this will make it harder for them to guess your table names and quite possibly keep them from doing SQL Injection at all. If you want to change the table prefix after you have installed WordPress you can use the WP Security Scan plugin to do so. Make sure you take a good backup before doing this though.
4. Use Secret Keys – This is probably the most followed security tip on the list, but still I’m amazed at how many people don’t do this. A secret key is a hashing salt that is used against your password to make it even stronger. Secret keys are set in your wp-config.php file. Simply visit https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated secret keys created for you. Copy the 4 secret keys to your wp-config.php file and save. You can add/change these keys at any time, the only thing that will happen is all current WordPress cookies will be invalidated and your users will have to log in again.
5. htaccess lockdown – This is actually my favorite tip from my presentation. Using a .htaccess file you can lockdown your wp-admin directory by IP address. This means only IP addresses you specify can access your admin dashboard URLs. This makes it impossible for anyone else to try and hack your WordPress backend. To do this simply create a file called .htaccess and add the following code to your file, replacing xxx.xxx.xxx.xxx with your IP address:
AuthName "Access Control"
deny from all
#IP address to Whitelist
allow from xxx.xxx.xxx.xxx
You can add multiple “allow from” lines so make sure to add any IP addresses you plan on accessing your site from (ie Home, Office, etc). Remember most ISP use dynamic IPs so your IP address might change on occasion. If you get locked out just update your .htaccess file or delete it all together. This obviously is not a good tip if you allow open registrations as you need to allow your users access to wp-admin.
So, how many of these tips do you follow regularly?
You can view my full WordPress Security Presentation from WordCamp Montreal below and view my slides (Canadian flags and all!) here: