How-To: Make a WordPress Install More Secure

April 18th, 2010 3 Commented

This post is about enhancing the security of WordPress. It is targeted at those who, like me, install their own copy of WordPress on their web hosting server.

There are a few simple ways that you can make your installed WordPress more secure.

Always keep WordPress up to date

Each new version adds features and closes security loopholes, bugs and other exploitable weaknesses that can leave your install vulnerable. Therefore, if you don’t update regularly, you won’t get those fixes.

Make sure that the “Authentication Unique Keys” are updated

The “Authentication Unique Keys” in the default wp-config.php file look like the following.

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

These keys are a security feature that makes your WordPress install harder to break into. You only need to set them once, and while they can be entered manually and be whatever you like, it is recommended to use wordpress.org’s online generator, which produces new random strings on every load. The output may look something like the following. Simply copy the output of http://api.wordpress.org/secret-key/1.1/ and replace the keys shown above.

define('AUTH_KEY',        '1Bqi>B{nCHFHc/g ruRi! Zs=M6ggfwhHG&9ExqA>Mo$g^ZEw }m,5>*Igg&^-Rd');
define('SECURE_AUTH_KEY', '^|T`87/gfK_YNaua}|if*R%Ek28Y&NDRJY94-3`pw]`.7h55jemXq,~n lX#iET`');
define('LOGGED_IN_KEY',   'R}B{OS,Tn7*csp ^MO$M@KQ$;0t|z!Q@0qsFFd=3Fp^|Q+NkY!94rg3sq>4^aa^I');
define('NONCE_KEY',       'aiA6H&n|-u');

By replacing the keys, you’ve made your WordPress install a little more secure against those hackers.

Create different accounts for different purposes

Create a new user with admin privileges, log in with that user, and delete the default “admin” account. Everyone knows that if there is a user named admin, that account has full admin capabilities. So, if you wanted to hack your way into a WordPress install, you’d start by looking for the admin user and trying to force a login.

Of course, one could argue that deleting the admin user won’t guarantee that hackers won’t find another user to build their attempts on. If you have user archives on your blog, those will give your usernames away. One solution would be not to display them, nor any links to an author page (other than those you’ve created without using WordPress’ functionality). But what do you do if you need them?

The solution is to keep your account privileges minimal. There is no need to have an administrator account for writing or editing posts and pages; an editor’s privileges are more than enough. If an account with editor status got hacked, it would still be bad for your site because an editor can do a lot of things, but at least it is not an administrator account, and that will keep the worst things at bay.

Back up your database

Remember to back up your database contents from time to time. Further elaboration on this is not needed, as I assume that everyone knows the importance of backing up.

Use server side support

If your web host provides SSL support, you can force SSL encryption when logging in to the WordPress admin. This makes packet sniffing a lot harder for hackers. Forcing SSL is easy: just add the following line to your wp-config.php file, above the /* That’s all, stop editing! Happy blogging */ comment.

define('FORCE_SSL_ADMIN', true);

Remember, SSL won’t work without support from your web host.
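Both wp-config.php edits in this post (replacing the placeholder keys, and adding FORCE_SSL_ADMIN above the “stop editing” comment) can be checked and applied with a small script. The following is an added example, not code from the original post or from WordPress. It assumes the file uses the define('NAME', 'value'); form shown above with single-quoted values; the key alphabet, the 64-character length, the 32-character minimum used by the audit, and the .bak file handling are choices of this example.

```python
"""Audit and harden the secret-key and SSL settings in a WordPress wp-config.php.

Added example, not code from the original post or from WordPress. It assumes
the file uses the  define('NAME', 'value');  form with single-quoted values.
"""
import re
import secrets
import string
import sys

# The four keys the post lists (WordPress 2.x). Later WordPress versions also
# define *_SALT constants; they are audited and rotated the same way if present.
REQUIRED_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
OPTIONAL_SALTS = ("AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Substring of the comment that precedes require_once(... 'wp-settings.php').
STOP_EDITING_MARKER = "stop editing!"

# define('NAME', 'value');  -> groups: name, value (value may contain \' escapes)
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\);")
# An active (not commented-out) define('FORCE_SSL_ADMIN', true); on its own line.
FORCE_SSL_RE = re.compile(r"^\s*define\(\s*'FORCE_SSL_ADMIN'\s*,\s*true\s*\);",
                          re.MULTILINE | re.IGNORECASE)

# Alphabet choice of this example: printable ASCII minus the two characters
# that would break a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")


def generate_key(length=64):
    """Return a random secret drawn from ALPHABET using the CSPRNG in `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def weak_keys(config_text):
    """Names of secret keys that are missing (required ones only), still the
    placeholder, or shorter than 32 characters (threshold chosen for this example)."""
    found = dict(DEFINE_RE.findall(config_text))
    weak = []
    for name in REQUIRED_KEYS + OPTIONAL_SALTS:
        if name not in found:
            if name in REQUIRED_KEYS:
                weak.append(name)
            continue
        if found[name] == PLACEHOLDER or len(found[name]) < 32:
            weak.append(name)
    return weak


def rotate_keys(config_text):
    """Replace every secret-key/salt define with a fresh random 64-char value.
    Other defines (DB_NAME, DB_PASSWORD, ...) are left untouched."""
    def repl(match):
        name = match.group(1)
        if name in REQUIRED_KEYS + OPTIONAL_SALTS:
            return "define('%s', '%s');" % (name, generate_key())
        return match.group(0)
    return DEFINE_RE.sub(repl, config_text)


def force_ssl_admin_set(config_text):
    """True if FORCE_SSL_ADMIN is actively defined as true."""
    return FORCE_SSL_RE.search(config_text) is not None


def ensure_force_ssl_admin(config_text):
    """Insert define('FORCE_SSL_ADMIN', true); just above the 'stop editing'
    comment unless it is already set. It must come before that comment because
    wp-settings.php, which is included right after it, reads the constant."""
    if force_ssl_admin_set(config_text):
        return config_text
    lines = config_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if STOP_EDITING_MARKER in line:
            lines.insert(i, "define('FORCE_SSL_ADMIN', true);\n")
            return "".join(lines)
    raise ValueError("no 'stop editing' comment found; cannot place FORCE_SSL_ADMIN safely")


def harden(config_text):
    """Rotate the keys if any is weak, then force SSL for the admin area."""
    if weak_keys(config_text):
        config_text = rotate_keys(config_text)
    return ensure_force_ssl_admin(config_text)


# Constructed sample of a fresh wp-config.php with the default placeholder keys.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-password');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    # Usage: python wp_config_harden.py [path/to/wp-config.php] [--fix]
    path = next((a for a in sys.argv[1:] if not a.startswith("--")), None)
    text = open(path).read() if path else SAMPLE_CONFIG
    print("weak keys:", weak_keys(text) or "none")
    print("FORCE_SSL_ADMIN set:", force_ssl_admin_set(text))
    if path and "--fix" in sys.argv:
        with open(path + ".bak", "w") as f:  # keep a copy of the original
            f.write(text)
        with open(path, "w") as f:
            f.write(harden(text))
        print("wrote hardened config (backup in %s.bak)" % path)
```

Run it without arguments to see the audit on the built-in sample, or point it at a real wp-config.php. Note that rotating the keys invalidates every existing login cookie, so all users are logged out; that is also why rotating them is a reasonable first step if you suspect a session has been stolen.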

That’s all folks. These are some tips to improve the security of your WordPress install.

Happy blogging!


3 responses to “How-To: Make a WordPress Install More Secure”

  1. Nopy says:

    Thanks for the tips, it’d be very disappointing if you wake up one day to find that your blog has been hijacked.

  2. Fabrice says:

    Ha, about time I see a post about it! ^^
    I’m always wondering if I installed WordPress properly since I always have some problems with it. =(

    I’ll try and follow and do what you put up ^^
    Thanks for the TIP!

  3. divinelight says:

    Thanks, I think I’ll give it a try this weekend.
    Yeah, security is one of the most important things in any web.
