Tips to improve WordPress security

A few weeks ago, a website I had worked on became unavailable, and I investigated to find that it had been compromised, or hacked. A file, ‘indix.php’, was added to the root directory on the fileserver. The file contained some referral to a Ukrainian website, but it was enough to take the site down.

The site was a WordPress website. WP is quite renowned for poor security, but that's not to say you can't make it secure. I'd like to write about how I have increased the security of this website to prevent future problems.

The first thing I can recommend is to install the WP Security Scan plugin to see how secure your site currently is; it checks file permissions, database prefix and similar basics and lists what it finds.

File Permissions

The general rule for WordPress file permissions is 755 for directories and 644 for files. 755 means the owner can read, write and enter the directory, while the group and everyone else can only read and enter it. 644 means the owner can read and write the file and everyone else can only read it. Nothing should ever be 777 (world-writable): that lets any other process on the host drop a file like 'indix.php' into your site. One exception to the rule is the '.htaccess' file, which you can tighten to 400, so that only the file's owner can read it and nobody can write to it without first changing the mode. Check who that owner is before you do this: the web server has to read .htaccess, so 400 only works when the server process runs as the file's owner (as on many shared hosts). If it runs as a separate user such as www-data it cannot open the file and requests to that directory will fail, in which case 444 (readable by all, writable by nobody) is the safe choice.
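Applying that scheme by hand across a whole install is error-prone, so here are two shell functions, added as an example and not part of the original post, that set directories to 755, files to 644 and .htaccess to 400, then report anything that still deviates. They assume a POSIX shell with find and chmod, that you run them as the owner of the files (or via sudo), and that the web server runs as that owner so the 400 .htaccess stays readable to it; the install path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): apply the 755/644/400 scheme
# described above to a WordPress install and verify the result.
# Usage: harden_wp_permissions /var/www/html   (path is a placeholder)

# harden_wp_permissions DIR
# Directories -> 755, regular files -> 644, .htaccess -> 400.
harden_wp_permissions() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    # .htaccess last, so the 644 pass above does not undo it.
    find "$dir" -type f -name .htaccess -exec chmod 400 {} +
}

# check_wp_permissions DIR
# Prints every path whose mode deviates from the scheme (exact-mode match,
# so a stray setuid or world-writable bit is also caught) and returns 1 if
# there are any; returns 0 when the tree is clean.
check_wp_permissions() {
    dir=$1
    bad=$( {
        find "$dir" -type d ! -perm 755
        find "$dir" -type f ! -name .htaccess ! -perm 644
        find "$dir" -type f -name .htaccess ! -perm 400
    } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run check_wp_permissions first to see what a plugin, an FTP client or a rushed fix has loosened, then harden_wp_permissions, then check again; the check is also cheap enough to put in cron so a 777 directory does not survive unnoticed.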

.htaccess

A very important file in web development. You can use '.htaccess' to control access throughout your site, because Apache reads it for every request under its directory.

Prevent directory browsing, so that a request for a directory with no index file lists nothing:

Options All -Indexes

Protecting the wp-config.php file (it holds the database credentials, so no client should ever be able to request it):

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Restrict access to .php files with HTTP Basic authentication (create the password file with htpasswd, and keep it outside the document root as in the path below):

<FilesMatch "\.php$">
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</FilesMatch>

Put this second block in the .htaccess inside wp-admin/ (with a matching rule for wp-login.php) rather than in the site root, or every visitor will be prompted for a password; front-end plugins that call wp-admin/admin-ajax.php will then need an exception allowing that one file. Order, Deny, Allow and Satisfy are Apache 2.2 directives; on Apache 2.4 the same effect comes from Require all denied in the wp-config.php block and Require valid-user alone in the authentication block.

AskApache Password Protection Plugin

Another great plugin that puts a brick wall in front of your PHP files: it manages HTTP authentication rules in .htaccess for you, so you get the effect of the block above without hand-editing the file.

Moving the wp-config.php file from the root

You should move the 'wp-config.php' file one directory up from the root WordPress folder. WordPress looks for it there automatically if it is not in the install directory, so nothing else needs to change. The gain is real only when that parent directory lies outside the web server's document root: the file then cannot be served at all, even if the PHP handler is ever misconfigured and starts returning source.

This tip is quite controversial, but after reading through the answers posted in a discussion on the subject I'm convinced this is a good decision.

Keeping passwords secure

I'm sure this was the reason the site I worked on was hacked: poor passwords. I guess that a hacker ran a pass on millions of WordPress sites using a large word list, effectively guessing the user/password combination. The solution to this is simple: use a better password, meaning one that is long, unique to this site and not in any word list, whether a random string from a password manager or a multi-word passphrase; adding a few numbers, capital letters and symbols to a dictionary word is not enough on its own. I feel this comic illustrates the idea well.
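A wordlist attack of the kind suspected above leaves a very visible trail in the web server access log: hundreds of POSTs to wp-login.php from one client in a short time. The following shell functions, added here as an example and not part of the original post, pull those clients out of an Apache "combined"-format log with awk. The log lines are constructed for the example, the field positions assume that format (client IP first, method and path as fields 6 and 7), and the threshold of 20 POSTs is a guess to tune for your own traffic.

```shell
#!/bin/sh
# Added example, not code from the original post: find the clients behind a
# wordlist attack on wp-login.php in an Apache "combined"-format access log.
# Assumptions: that log format (client IP is field 1, method and path are
# fields 6 and 7) and a default threshold of 20 POSTs.

# make_sample_log FILE
# Writes a small constructed access log: normal browsing and one real login
# from one client, and 30 rapid-fire POSTs to wp-login.php from another.
make_sample_log() {
    out=$1
    : > "$out"
    echo '198.51.100.5 - - [12/Mar/2011:03:13:58 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"' >> "$out"
    echo '198.51.100.5 - - [12/Mar/2011:03:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2207 "-" "Mozilla/5.0"' >> "$out"
    echo '198.51.100.5 - - [12/Mar/2011:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
    i=0
    while [ "$i" -lt 30 ]; do
        i=$((i + 1))
        echo "203.0.113.7 - - [12/Mar/2011:03:14:$(printf '%02d' $((i % 60))) +0000] \"POST /wp-login.php HTTP/1.1\" 200 3421 \"-\" \"python-requests/2.0\"" >> "$out"
    done
}

# wp_login_bruteforce_ips LOGFILE [THRESHOLD]
# Prints "COUNT IP", busiest first, for every client with more than THRESHOLD
# POSTs to wp-login.php (query strings such as ?action=lostpassword count too).
# Returns 1 when no client crosses the threshold.
wp_login_bruteforce_ips() {
    logfile=$1
    threshold=${2:-20}
    awk -v thr="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > thr) printf "%d %s\n", hits[ip], ip }
    ' "$logfile" | sort -rn | grep .
}

# Demo on the constructed log; drop this part when running against a real log.
demo_log=$(mktemp)
make_sample_log "$demo_log"
wp_login_bruteforce_ips "$demo_log" 20 || echo "no brute-force candidates"
rm -f "$demo_log"
```

A successful guess looks the same as the rest of the run except for the 302 redirect into wp-admin at the end, so when a client shows up here, check for that status among its last requests and treat the account it logged into as compromised; the IPs themselves are useful input for a firewall or fail2ban rule, but since the attack is spread over many sites and many source addresses, the strong password is what actually stops it.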

Keeping WordPress up-to-date

This is self-explanatory, but it covers more than core: plugins and themes are updated separately and are at least as common a way in, so check the updates list in the dashboard regularly, apply security releases promptly, and delete any plugin or theme you are not using rather than leaving it deactivated on disk.
