Secure WordPress Websites

November 18th, 2009

Two of my favorite sessions of WordCamp NYC 2009 were:

There are real threats out there and there are real sites being hacked. Sure, you could be the lucky guy who can stay safe. But, instead of counting on pure luck, why not take a few minutes to apply these simple steps that will bring your WordPress site to a higher security level and give you more peace of mind.

WordPress Security Tips

Stage Difficulty Tip
Installation Easy “wp_” table prefix
Do NOT use default “wp_” table prefix. Instead, choose something unique for your site.
Anytime Easy “admin” user
Create a user with “administrator” privilege. Delete “admin” user account.
Anytime Medium (need FTP) wp-config.php
Move “wp-config.php” to one level above the WordPress folder. (Version 2.6 or later and when WordPress is installed under a subfolder under web root, for example /public_html/blog/)
Anytime Medium Folder (wp-content/upload) permission
First try 755; if not work, then 775; still not work, then 777.
Anytime Easy Security Plugins

  • WP security scan (check once in a while)
  • WordPress exploit scanner (check once in a while)
  • WordPress file monitor (leave on)
Anytime Medium Authentication Unique Keys
Open “wp-config.php”, follow the instructions to set up these keys. https://api.wordpress.org/secret-key/1.1/
Anytime Difficult .htaccess lockdown
Modify .htaccess to only allow access to wp-admin to one or a range of IP addresses.
Development Difficult Develop themes or plug-ins
Follow instructions on: http://codex.wordpress.org/Data_Validation

References:

http://codex.wordpress.org/Hardening_WordPress

2 Responses to “Secure WordPress Websites”

  1. [...] : WordCampTV Locking Down the Chastity Belt on WordPress Security – Brad Williams : Vimeo | review Writing Your First Core Patch – Matt Martz (sivel) : slides Intermediate Plugin Development [...]

  2. Arjay says:

    I’m impressed! You’ve managed the almost ipmsoibsle.

Please add your comment