WordPress Security: What You Need To Do To Keep Your Website Safe

By Tom Ewer

The mind boggles at all of the advice out there on WordPress security. It is certainly a hot topic — it seems like everyone in the blogosphere has jumped on the security bandwagon and has wise words to offer about what you should be doing to keep evil hackers at bay.

That in itself reveals one of the less considered dangers of the Internet: Just because an enormous electronic repository of information is available to us does not mean that all of that information is valid.


With that in mind, and as an avid WordPress user and someone who makes a living from WordPress blogging, I set out to discover the definitive answers to keeping a WordPress website secure. I wanted answers to the toughest questions from seasoned WordPress veterans and web security experts alike. Well, I got those answers, and in this chapter I’ll share them with you.

Table of Contents

This chapter is split into three parts. You may wish to read all three, or you may be interested in one section more than the others. Feel free to read the chapter in its entirety or skip to the part that interests you most:

1. Is WordPress secure?

2. Basic security and plugins

3. Advanced security measures

Is WordPress Secure?

First, let’s consider whether we should be using WordPress at all. After all, it seems that a few months can’t go by without some major new security flaw making the news.

In fact, WordPress attracted worldwide exposure a few weeks ago from huge news outlets, including the BBC, which reported on a vast botnet of “tens of thousands” of computers attacking WordPress websites. And that’s just the tip of the iceberg; recall, for instance, the TimThumb saga, the repercussions of which are still fresh in the minds of many WordPress users.

To the uninitiated, it might seem that using WordPress is a risk not worth taking. In reality, nothing could be further from the truth. Take it from Dre Armeda, CEO and cofounder of Sucuri, who has this to say on the topic of WordPress security:

When you look at the team and the effort behind the community that comprises WordPress, if you look at the processes that are in place to mitigate vulnerabilities when they are discovered and disclosed, all the way through getting that launch into a patch that’s going to hit over 17% of the internet, bar none I would say that in marriage the triad that makes up a successful project like [WordPress] (people, process and technology), hands down it takes the cake.

That’s a pretty glowing endorsement from a security expert who deals with all major content management systems.

So, what gives with all of the security threats we’ve been hearing about? Well, it’s all a matter of perspective. WordPress’ core itself has been largely secure for years now, as Armeda notes:

We haven’t seen a major vulnerability in WordPress since the pre-3.x days [June 2010]. There have been some minor security bugs and those have been fixed pretty quickly, but in terms of major security vulnerabilities, we haven’t seen one in quite a while.

One can state categorically that, when compared to its peers, WordPress is as safe and secure as they come. But that conclusion seems to conflict with the ongoing emergence of security exploits. What’s really going on?

Where WordPress “Fails”

Says Robert Abela, of WP Pro Help:

I’ve met two types of WordPress users: those who do not bother at all and those who care about security, invest in it, and live it. In most cases, those who care have been hacked before and that is why they care.

If I could use only one word to describe the inherent weakness of WordPress, it would be “apathy.” I can’t take the credit for that, though; I first heard the word in this context from Chris Wiegman, developer of the hugely successful iThemes Security plugin (formerly known as Better WP Security).

You may be wondering how a piece of software can be apathetic. Of course, it can’t, but when we talk about security flaws in WordPress, we must ultimately look at ourselves, the users. That’s where the weakness lies: in the human implementation and administration of WordPress websites.

Every single major security vulnerability in WordPress in the past few years has come from third-party software (that is, plugins and themes) or from human ignorance of the most basic security measures, such as using a unique password. Every third-party software vulnerability has been quickly patched and updated, which means that only out-of-date installations have remained vulnerable.

Put simply, the security of your WordPress website lies in your hands. If you regularly follow just a few simple measures, you can expect your website to be safe from all but the most deliberate (and unlikely) of attacks.

What Do You Have to Be Afraid Of?

Some people have a somewhat romantic image of hackers. They imagine a lone person toiling over their computer late into the night, their work powered only by a harsh desk lamp and fast food.

In reality, hacking is not quite so glamorous (if that scenario even seems glamorous). Hacking is a profitable business these days, and those involved are generally motivated far more by money than by anything else.

I spoke with Mark Jaquith, a lead developer on WordPress’ core and the project lead on the upcoming version of WordPress. He had this to say about potential risks for WordPress users:

The risk is usually the same, except in cases where hackers want to take over a site for political or religious reasons: hackers want to get in and either use your site to promote spam, or use your server as a “bot” in a “botnet” so they can attack other sites.

We’re not talking about a lone ranger targeting your website — we’re talking about automated programs that indiscriminately target huge numbers of websites, with the expectation of finding a proportion that are vulnerable to attack.

These programs automate hacking — they’re not autonomous. The fact is that if you implement just a few simple security measures and make your website more secure than the vast majority of websites out there, then the likelihood of yours getting hacked becomes extremely slim.

Basic Security And Plugins

The basics of keeping a website safe are no-brainers, but their importance cannot be overstressed. As Chris Wiegman, author of the iThemes Security plugin, reminds us:

Not taking security seriously or assuming it doesn’t affect your site is the biggest issue facing WordPress website owners.

In light of that, here are the four basic rules of keeping your website under lock and key:

1. Keep your software up to date.

2. Choose a unique username and password (don’t use “admin”).

3. Manage access. (If someone doesn’t need to be an administrator, don’t give them that role.)

4. Use a comprehensive backup solution.

The importance of these basic rules cannot be overstated. Even advanced WordPress developers skim over some of these. If you spend your whole day in WordPress, then the simple chore of updating everything is easy to defer to another day. This decision is the number-one cause of security issues.

By closing all security loopholes as quickly as possible (i.e. by updating the core and plugins), you are making it vastly more difficult for hackers to gain access. The same is true for user names and passwords. If your password is unguessable, then you will need to use an app to “remember” it, which will take around 20 seconds from your day. If your website is hacked, it will take hours if not days or weeks from your life.

Security Packages

iThemes Security is an all-in-one solution to a number of problems. It includes user action logging, two-factor security, password expiration, data obfuscation and a lot more. If you need to cover multiple angles, this is a great choice.

A few other plugins provide similar features. All In One WP Security & Firewall, BulletProof Security, WordFence Security and Acunetix WP Security are all much-used and much-loved plugins with great feature sets.

Backups

BackUpWordPress automatically backs up your website, including the database and files. You can set folders to exclude and have backups emailed to you. It’s a great overall backup solution.

In case you have a tight budget, VaultPress is a great product as well. Made by the folks at WordPress, it backs up your website remotely and can restore with the click of a button.

Advanced WordPress Security Measures: Are They Necessary?

After a certain point, the lines blur a bit. You could take innumerable additional measures to secure your WordPress website, but ultimately it is up to you to decide how safe is safe.

If you are interested in implementing more advanced measures, then Smashing Magazine has you covered. Daniel Pataki wrote a great article back in November 2011 that includes some general and some WordPress-specific tips to make your website even more secure.

While I recommend reading that article in its entirety (and consulting the “Additional Reading” section at the bottom of this post for even more advanced security measures), I have included three tips below that are personal favorites of mine.

A word of warning before moving on: We will be working with the .htaccess file a lot. Make sure to add the examples below outside of the # BEGIN WordPress and # END WordPress section. WordPress freely overwrites anything within that section, so your work could be removed if added there.

Protecting Directories

To put it simply, only administrators should be able to view standalone files on your website beyond posts and pages. If people can gain access to a directory that really should be hidden from the average web browser, then they might be able to gain access to system files, which would compromise your security.

Try this now for yourself. Using private-browsing mode (such as Incognito in Chrome), try to access a directory in your wp-content directory, something like this: http://yourwebsite.com/wp-content/uploads/2013/07/.

If you are presented with a list of files in that directory, then anyone else can see the same thing should they wish.

To prevent this from happening, insert the following code in your website’s .htaccess file:

Options -Indexes

This will return a “403 Forbidden” response to anyone who requests a directory on your website that has no index file, instead of listing its contents.

If you don’t mind people browsing certain files within directories (say, images), then you could instead use commands in the .htaccess file that keep only certain file types out of the listing. Perhaps the most important instruction would be this:

IndexIgnore *.php

This will hide only PHP files from the directory listing, leaving all other files visible and accessible. Note that IndexIgnore removes names from the listing only; a file hidden this way can still be requested directly by anyone who knows its URL.

Incidentally, this measure keeps people out of nooks and crannies they have no business peeking into as much as it improves security, so I recommend it doubly.

Whitelisting IP Addresses

Security is so often about control — if you control access to your website, then you can also ensure its security to a great extent. This is why whitelisting IP addresses for access to a website (and, by extension, blacklisting all other IPs) is such an effective security measure.

To whitelist a particular IP address, just enter the following in the .htaccess file:

<Files wp-login.php>
Order Deny,Allow
Deny from all
# Allow access via this IP address
Allow from xx.xxx.xx.xx
</Files>

You can include any number of IP addresses, like so:

<Files wp-login.php>
Order Deny,Allow
Deny from all

# Allow access via this IP address
Allow from xx.xxx.xx.xx

# Allow access via this IP address
Allow from xx.xxx.xx.xx

# Allow access via this IP address
Allow from xx.xxx.xx.xx

</Files>

For instance, you could list the IP addresses of the three locations from where you typically access your WordPress website (home, work, local coffee shop). If you happen to be at another location, just Google “What is my IP” and add that address to the .htaccess file.
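Two things go wrong with these blocks in practice: they get pasted inside the # BEGIN WordPress / # END WordPress section (see the warning above), or the xx.xxx.xx.xx placeholder is left in place. The following checker is an added example, not code from the article or from WordPress; the sample .htaccess it reads is constructed, and the Order/Deny/Allow syntax it recognises is the Apache 2.2 form used in the article (Apache 2.4 uses Require unless mod_access_compat is loaded).

```python
import ipaddress

# Constructed sample .htaccess (not a real site): one whitelist block was pasted
# inside the WordPress-managed section, the other still carries the placeholder.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
</Files>
# END WordPress
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xx.xxx.xx.xx 198.51.100.0/24
</Files>
"""
WP_BEGIN, WP_END = "# BEGIN WordPress", "# END WordPress"
CUSTOM_PREFIXES = ("Options", "IndexIgnore", "<Files")  # must stay outside the markers

def is_valid_host_arg(arg):
    """'all', an IP address or a CIDR network pass; hostnames, partial
    addresses and placeholders like xx.xxx.xx.xx are flagged for review."""
    if arg.lower() == "all":
        return True
    try:
        ipaddress.ip_network(arg, strict=False)
        return True
    except ValueError:
        return False

def audit_htaccess(text):
    """Return (line_number, problem) pairs for custom rules WordPress will
    overwrite and for Allow/Deny arguments that are not real addresses."""
    problems, inside_wp = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line == WP_BEGIN:
            inside_wp = True
        elif line == WP_END:
            inside_wp = False
        elif inside_wp and line.startswith(CUSTOM_PREFIXES):
            problems.append((no, "inside the WordPress-managed section; will be overwritten"))
        if line.lower().startswith(("allow from", "deny from")):
            for host in line.split()[2:]:  # Apache accepts several hosts per line
                if not is_valid_host_arg(host):
                    problems.append((no, f"'{host}' is not an IP address or CIDR network"))
    return problems
```

Running audit_htaccess(SAMPLE_HTACCESS) reports the <Files> block on line 3 and the placeholder on line 12.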

Prevent Suspicious Activities Using the .htaccess File

Jeff Starr has created a great firewall using .htaccess rules. The sixth iteration is currently in beta; you can look at the 6G beta or go for the 2013 5G Blacklist.

A note of caution: In some rare cases, lines in these blacklists may cause conflicts with specific administrator pages in WordPress. Troubleshooting these is easy; you can usually pinpoint the issue by deleting lines from the blacklist.

Using some form of this added layer of protection is great because it stops the most common threats in their tracks.

Protecting The wp-includes Directory

The wp-includes directory contains scripts and other files that are generally not meant to be accessed by users. Restricting access to this part of WordPress is usually safe. The WordPress Codex has a great .htaccess ruleset for us to use:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
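The ruleset is easier to reason about when you can see which requests it forbids and how the [S=3] skip exempts everything outside wp-includes. The simulator below is an added example, not code from the Codex or the article; it re-implements only the mod_rewrite behaviour these five rules rely on (per-directory paths without a leading slash, negated patterns, [S=n] and [F]). It also shows that wp-includes/ms-files.php is blocked, which is why the Codex notes this ruleset does not suit Multisite installations.

```python
import re

# The Codex ruleset from the text, as (pattern, flags) pairs. The patterns are
# the same PCRE-style expressions Apache uses, so Python's re evaluates them as-is.
WP_INCLUDES_RULES = [
    (r"^wp-admin/includes/", "F,L"),
    (r"!^wp-includes/", "S=3"),
    (r"^wp-includes/[^/]+\.php$", "F,L"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F,L"),
    (r"^wp-includes/theme-compat/", "F,L"),
]

def rule_matches(pattern, path):
    """A leading '!' negates a RewriteRule pattern, as in mod_rewrite."""
    if pattern.startswith("!"):
        return re.search(pattern[1:], path) is None
    return re.search(pattern, path) is not None

def evaluate(path, rules=WP_INCLUDES_RULES):
    """Walk the rules the way mod_rewrite does in a per-directory (.htaccess)
    context: the tested path has no leading slash, [S=n] skips the next n rules
    when its rule matches, and [F] ends processing with 403 Forbidden.
    Returns 'FORBIDDEN' or 'ALLOWED'."""
    i = 0
    while i < len(rules):
        pattern, flags = rules[i]
        flagset = set(flags.split(","))
        if rule_matches(pattern, path):
            if "F" in flagset:
                return "FORBIDDEN"
            for flag in flagset:  # honour [S=n]
                if flag.startswith("S="):
                    i += int(flag[2:])
        i += 1
    return "ALLOWED"

if __name__ == "__main__":
    for p in ("wp-includes/version.php", "wp-includes/js/jquery/jquery.js",
              "wp-includes/js/tinymce/langs/en.php", "wp-admin/includes/file.php",
              "wp-admin/admin-ajax.php", "index.php", "wp-includes/ms-files.php"):
        print(f"{p:40} -> {evaluate(p)}")
```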

Protecting the .htaccess File

Now that we’ve used the .htaccess file to add security measures, you should secure the file itself. Fortunately, this is easily done by inserting the following code:

<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>

This will prevent external access to any file whose name starts with .hta.

Conclusion

At this point you might reasonably ask, “Where does one stop with WordPress security?”

Well, let’s think about it logically. Mark Jaquith follows only the three main rules (covered earlier) for his own websites, which probably makes you think, “Anything good enough for one of the most influential WordPress developers around is good enough for me.”

On the other hand, if you have the time and inclination to incorporate additional security measures, there is certainly no harm in doing so.

Ultimately, it comes down to personal preference. Those of us who have suffered in the past are more likely to implement more advanced security measures. Nevertheless, if every WordPress user carried out the three fundamental steps covered above (and backed up, too) as a bare minimum, then the world of WordPress would be a far safer place.

Additional Reading

“Hardening WordPress,” WordPress Codex

“Roles and Capabilities,” WordPress Codex

“Is WordPress Secure?” Tom Ewer, ManageWP Blog

“Securing Your WordPress Website,” Daniel Pataki, Smashing Magazine

“10 Useful WordPress Security Tweaks,” Jean-Baptiste Jung, Smashing Magazine

“WordPress Security Through .htaccess,” Dragan Nikolic, ThematoSoup

“15 Advanced Security Tips to Make Your WordPress Site Bulletproof,” Aritra Roy, corePHP

“9 Tips for Advanced WordPress Security,” Kim Crawley, Synthesis

“5 Essential WordPress Security Tips in 7 Minutes,” Kristen Wright, iThemes
