
WordPress security tips

Published on 01 March 2012

WordPress, Joomla and Drupal, the three most popular CMS engines, are all open source, which means that information on exploits and security vulnerabilities is always available in the public domain, to attackers as well as to you. As a developer/designer you should strive to keep your installation patched and keep crackers from poking about your network. This post covers a few basic tips on how to achieve that…

Install updates

…the most obvious, easiest and single most effective way of securing your installation. New releases patch security holes, add features and keep your installation compatible with new standards.
Update your plug-ins and your core installation whenever you can; it is effortless, just a few clicks from your dashboard and you're good to go. If you're worried that an update may introduce new bugs or break your plug-ins and themes, you can hold off for a few days until any problems have been identified and resolved, but don't sit on a release that fixes a security hole: once the release is public, so is the hole it closes.

Note:
It's always a good idea to back up both your database and your server-side files before performing a major upgrade, in case something goes horribly wrong.

Better username

Everyone who has ever used WordPress knows that it creates the default administrator username "admin", which is the first name any brute-force script will try, so it makes sense to change it to something unique from the get-go. Once you're set up, WordPress won't let you change a username from within the admin dashboard.
You can create a new account with better credentials and drop the old one, but then you run the risk of losing the post and comment data associated with that account (when deleting the old user, choose to attribute its content to the new one and nothing is lost). The other way is to use your host's MySQL administration tool to alter the user_login column of the users table directly; wpmu.org has a tutorial on how this can be done. Whichever way you do it, keep the user_nicename column (the slug used in author archive URLs) different from the new login name, otherwise the username is still visible to anyone who looks at your author pages.

Use a strong password

This is a no-brainer… every system needs a strong, unique password. If your password is "password" then you're asking for it. Pick something long that you'll still remember, or better, let a password manager remember it for you: 1Password is a great app that lets you manage your passwords with ease, so make use of it if you can. The same goes for the database password in wp-config.php and your FTP or hosting account password, since any one of them gets an attacker the same access as your admin login.

Limit login attempts

A brute-force attack consists of trying every possible code, combination or password until the right one is found. Any website that requires authentication is susceptible to such attacks, and a stock WordPress install makes it easy because wp-login.php will accept as many guesses as an attacker cares to send.
A popular way of limiting this in WordPress is a plug-in that records the IP address and timestamp of every failed login attempt. Once a certain number of consecutive failures have come from the same address or address range within a short window, the system locks that range out for a while. Limit Login Attempts and Login Lockdown are free plug-ins that secure your site this way, so grab yourself a copy. Bear in mind that an IP-based lockout is only as good as the address it sees: behind a reverse proxy or CDN every request appears to come from the proxy, so the plug-in has to be told to use the real client address, and an attacker with many addresses can spread guesses across them, which is why the strong password above still matters.
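Here is the lockout policy described above written as a small Python class so it can be exercised offline. It is an added example, not code from Limit Login Attempts or Login Lockdown, and the thresholds (5 failures inside 10 minutes, 20 minutes locked out), the addresses and the event list are assumptions constructed for the demonstration:

```python
# Added example (not code from the Limit Login Attempts or Login Lockdown
# plug-ins): an IP-keyed login lockout policy, runnable offline. The
# thresholds and the sample events below are assumptions, not the plug-ins'.
from collections import defaultdict, deque


class LoginLimiter:
    """Track failed logins per client address and lock the address out once
    too many failures land inside the sliding window."""

    def __init__(self, max_failures=5, window=600, lockout=1200):
        self.max_failures = max_failures    # failures allowed inside `window`
        self.window = window                # seconds a failure is remembered
        self.lockout = lockout              # seconds a tripped address stays locked
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lockout expired: clean slate
            del self.locked_until[ip]
            self.failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        """Record one failed attempt; return True if the address is now locked."""
        if self.is_locked(ip, now):
            return True
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that address."""
        self.failures[ip].clear()


# Constructed sample: (timestamp, client ip, login succeeded?). One address
# hammers wp-login.php; a second gets the password wrong twice, then right.
SAMPLE_EVENTS = [
    (0, '10.0.0.5', False), (10, '10.0.0.5', False), (20, '10.0.0.5', False),
    (30, '10.0.0.5', False), (40, '10.0.0.5', False), (50, '10.0.0.5', False),
    (60, '192.0.2.10', False), (70, '192.0.2.10', False), (80, '192.0.2.10', True),
    (1300, '10.0.0.5', False),   # 1260 s after the lockout began: allowed again
]


def replay(events, limiter=None):
    """Return the decision for each event ('allow' = the attempt reaches the
    password check, 'locked' = rejected before it) plus the limiter state."""
    if limiter is None:
        limiter = LoginLimiter()
    decisions = []
    for ts, ip, ok in events:
        if limiter.is_locked(ip, ts):
            decisions.append('locked')
            continue
        decisions.append('allow')
        if ok:
            limiter.record_success(ip)
        else:
            limiter.record_failure(ip, ts)
    return decisions, limiter


if __name__ == '__main__':
    for (ts, ip, _), decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)[0]):
        print('%5d %-12s %s' % (ts, ip, decision))
```

The fifth failure from 10.0.0.5 trips the lock, the sixth is rejected without ever reaching the password check, and the address is free again once the lockout has expired. Keying on the address is the weak point noted above: behind a reverse proxy every failure lands on the proxy's address, so the limiter either never trips or locks out everybody at once.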

Secure your wp-config.php file

wp-config.php is probably the most important file in your installation: it holds your database credentials, the authentication keys and salts and the rest of your configuration. The web server should never hand it out as plain text, and one way of making sure it can't is adding the following few lines to the .htaccess file in your WordPress root…

# secure my wpconfig.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

This block tells Apache to refuse any direct request for the file, returning a 403 Forbidden error instead. Test it by requesting /wp-config.php on your site in a browser and checking that you get the 403 rather than a blank page. Note that the order/deny syntax is the Apache 2.2 form; on Apache 2.4 it only works if the mod_access_compat module is loaded.
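Added here as an example, not from the original post: the same rule written so that it works on both Apache 2.2 and 2.4 (which replaced Order/Deny with Require), using FilesMatch so that stray copies such as wp-config.php.bak or wp-config.php~ left behind by an editor, which the server would otherwise serve as plain text with the database password in them, are covered as well:

```apache
# Added example: deny direct requests for wp-config.php and any copy of it
# (wp-config.php.bak, wp-config.php~, wp-config.php.orig ...), on Apache 2.2
# and 2.4 alike.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

The regular expression is anchored only at the start on purpose, so anything whose name begins with wp-config.php is refused. PHP itself still reads the file from disk as before; only requests from the outside are blocked.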

Define random keys and salts

Authentication Unique Keys and Salts are long random strings that WordPress mixes into the hashes it stores in a user's login cookies, so that a cookie cannot be forged or reused by anyone who doesn't know them (they don't encrypt anything, despite the wording you'll see around the web). You can generate random values via the WordPress secret-key service at https://api.WordPress.org/secret-key/1.1/salt/ and replace the placeholders found in your wp-config.php file. Changing them at any later point invalidates every existing cookie and logs all users out, which is handy after a suspected compromise.

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.WordPress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

/**#@-*/
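As an added example (not part of the original post), the following Python script checks a wp-config.php for keys that are still the placeholder, too short, missing or reused for more than one constant, and can rotate them locally with the secrets module instead of fetching from the service. The 64-character length and the alphabet are assumptions, chosen to keep quotes and backslashes out of PHP single-quoted strings, and the sample configuration it audits is constructed:

```python
# Added example, not from the post: audit and rotate the eight authentication
# keys and salts in a wp-config.php. Length and alphabet are assumptions.
import re
import secrets
import string

KEY_NAMES = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
             'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT')
PLACEHOLDER = 'put your unique phrase here'
MIN_LENGTH = 32
# No quote or backslash, so a value drops into a single-quoted PHP string as-is.
ALPHABET = string.ascii_letters + string.digits + '!@#$%^&*()-_=+[]{}<>,.;:/?|~'

_DEFINE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)\s*;")


def parse_keys(config_text):
    """Return {constant name: value} for the eight key/salt define() lines."""
    return {name: value for name, value in _DEFINE.findall(config_text)
            if name in KEY_NAMES}


def audit_keys(config_text):
    """Return [(name, problem)] for keys that are missing, still the
    placeholder, shorter than MIN_LENGTH, or reused for another constant."""
    keys = parse_keys(config_text)
    problems = []
    for name in KEY_NAMES:
        if name not in keys:
            problems.append((name, 'missing'))
        elif keys[name] == PLACEHOLDER:
            problems.append((name, 'placeholder'))
        elif len(keys[name]) < MIN_LENGTH:
            problems.append((name, 'too short'))
    seen = {}                               # value -> first constant using it
    for name, value in keys.items():
        if value in seen and value != PLACEHOLDER:
            problems.append((name, 'duplicate of ' + seen[value]))
        seen.setdefault(value, name)
    return problems


def generate_key(length=64):
    return ''.join(secrets.choice(ALPHABET) for _ in range(length))


def render_keys(length=64):
    """Eight fresh define() lines, ready to paste into wp-config.php."""
    return '\n'.join("define('%s', '%s');" % (name, generate_key(length))
                     for name in KEY_NAMES)


def rotate_keys(config_text, length=64):
    """Replace every key/salt define() in place with a fresh value. Rotating
    invalidates all existing cookies, so every user has to log in again."""
    def replace(match):
        name = match.group(1)
        if name in KEY_NAMES:
            return "define('%s', '%s');" % (name, generate_key(length))
        return match.group(0)               # DB_NAME etc. are left untouched
    return _DEFINE.sub(replace, config_text)


# Constructed sample config: placeholders, one short key, one reused value,
# and NONCE_SALT missing altogether.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'AbCdEfGhIjKlMnOpQrStUvWxYz0123456789!@#$');
define('LOGGED_IN_KEY',    'AbCdEfGhIjKlMnOpQrStUvWxYz0123456789!@#$');
define('NONCE_KEY',        'short');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == '__main__':
    for name, problem in audit_keys(SAMPLE_CONFIG):
        print('%-17s %s' % (name, problem))
    print(render_keys())
```

Run the audit against a real wp-config.php by reading the file into a string; rotate_keys writes nothing to disk itself, so you can diff its output before replacing the file.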

Remove WordPress version info

This is a security-by-obscurity tip you'll find floating around the web. By placing the following snippet into your theme's functions.php file, the WordPress version is dropped from the generator meta tag in the head of your pages and from your feeds. Be aware that it removes only that one tag: the version is still readable from readme.html in your web root and from the ?ver= query strings on the scripts and styles WordPress enqueues, so treat this as tidying up rather than protection and keep installing the updates above.

// Strip the version from the generator tag WordPress prints in <head> and in feeds.
function remove_version_number() {
    return '';
}
add_filter('the_generator', 'remove_version_number');

Backup

Backing up is the contingency plan you fall back on when something goes horribly wrong with your install and it turns out you can't rectify the problem. Keep a copy of your server-side files and your database somewhere away from your host, and test now and then that you can actually restore from it.
From your admin panel you can navigate to Tools > Export to use WordPress's built-in export feature, which creates a file containing your posts, pages, comments, custom fields, categories and tags. That covers content only, not your uploads, themes, plug-ins or settings, so it is no substitute for a full copy. Some plug-ins can help with that: Backup to Dropbox, for example, automatically uploads a backup of your entire website, including all files and its database, to Dropbox. Remember that such a backup contains wp-config.php with your database password in it, so protect the copy as carefully as the site.

Use correct file permissions

File permissions can be changed with ease from your FTP client, or with chmod over SSH. Go as low as you can: 644 works for most files, 755 for folders, and 600 for wp-config.php provided the web server runs as the user who owns the file (if it runs as a different user, 640 with the file's group set to the server's group is the usual compromise). If a particular permission breaks your site you can always loosen it, but stay away from 777: it lets every account on a shared host write to your files.
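The following Python script, added here as an example and not part of the original post, audits a WordPress tree against that policy and can apply it. The sample tree it builds in a temporary directory is constructed, and the 600 on wp-config.php assumes the PHP process runs as the file's owner:

```python
# Added example, not from the post: audit a WordPress tree against the
# 644 / 755 / wp-config.php 600 policy and optionally apply it.
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755
SPECIAL_FILES = {'wp-config.php': 0o600}   # assumption: the PHP process owns the file


def expected_mode(name, is_dir):
    return DIR_MODE if is_dir else SPECIAL_FILES.get(name, FILE_MODE)


def audit_permissions(root):
    """Return sorted [(relative path, actual mode, expected mode)] for every
    entry under root whose mode bits differ from policy. Symbolic links are
    skipped: their own mode bits mean nothing, audit the target instead."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            want = expected_mode(name, is_dir)
            if actual != want:
                findings.append((os.path.relpath(full, root), actual, want))
    return sorted(findings)


def world_writable(findings):
    """The findings that matter most: anything any local user could modify."""
    return [f for f in findings if f[1] & stat.S_IWOTH]


def apply_policy(root):
    """chmod every mismatching entry to its expected mode; return what changed."""
    changes = audit_permissions(root)
    for rel, _actual, want in changes:
        os.chmod(os.path.join(root, rel), want)
    return changes


def demo_tree():
    """Build a constructed WordPress-like tree in a temp dir, with some modes
    deliberately wrong, and return its path."""
    root = tempfile.mkdtemp(prefix='wp-perms-')
    layout = {
        'index.php': 0o644,
        'wp-config.php': 0o644,                 # should be 600
        'wp-content': 0o777,                    # the mode to stay away from
        'wp-content/uploads': 0o755,
        'wp-content/plugins': 0o755,
        'wp-content/plugins/hello.php': 0o666,  # world-writable file
    }
    for rel, mode in layout.items():           # parents are listed before children
        path = os.path.join(root, rel)
        if rel.endswith('.php'):
            with open(path, 'w') as fh:
                fh.write('<?php\n')
        else:
            os.mkdir(path)
        os.chmod(path, mode)
    return root


if __name__ == '__main__':
    root = demo_tree()
    for rel, actual, want in audit_permissions(root):
        print('%-30s is %o, want %o' % (rel, actual, want))
```

Point audit_permissions at your real document root first and read the report before calling apply_policy; files a plug-in legitimately needs to write to (an uploads directory on a host where PHP runs as a different user) will show up as findings too, and those are the ones to loosen deliberately rather than blanket-fix.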

Change The Default Table Prefix

The default "wp_" table prefix makes it easy to guess the names of the tables in your database, which is what most automated SQL-injection tools assume. You can change the prefix to something a bit more creative; a few random characters after "wp" will do, and that way you can still identify your WordPress tables in your database. On an existing install the change has to be made consistently: rename every table, update the $table_prefix line in wp-config.php, and fix the rows in the options and usermeta tables whose keys carry the prefix (wp_user_roles, wp_capabilities, wp_user_level), otherwise every user loses their role, including you.
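As an added example (not from the post), this Python script writes out the SQL for moving an existing single-site install to a new prefix, including the options and usermeta fix-ups described above. The core table list assumes no plug-in tables, and the generated prefix format is an assumption. Back up the database first and run the statements in your host's MySQL tool:

```python
# Added example, not from the post: generate the statements for moving an
# existing install from one table prefix to another. Renaming the tables is
# not enough; the prefixed option name and usermeta keys must follow, and
# $table_prefix in wp-config.php must match.
import secrets
import string

# Core tables of a single-site install (assumption: no plug-in tables).
CORE_TABLES = ('commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
               'term_relationships', 'term_taxonomy', 'terms', 'usermeta', 'users')


def random_prefix(length=6):
    """'wp' plus a few random characters, so the tables stay recognisable."""
    alphabet = string.ascii_lowercase + string.digits
    return 'wp' + ''.join(secrets.choice(alphabet) for _ in range(length)) + '_'


def prefix_change_sql(old, new, tables=CORE_TABLES):
    """Return the SQL statements, in order, for renaming the tables and fixing
    the prefixed keys in options and usermeta."""
    if not old.endswith('_') or not new.endswith('_'):
        raise ValueError('prefixes are expected to end with an underscore')
    stmts = ['RENAME TABLE `%s%s` TO `%s%s`;' % (old, t, new, t) for t in tables]
    # Role definitions live under a prefixed option name.
    stmts.append("UPDATE `%soptions` SET option_name = '%suser_roles' "
                 "WHERE option_name = '%suser_roles';" % (new, new, old))
    # Every user's capabilities and level are stored under prefixed meta keys;
    # the underscore is escaped so LIKE treats it literally.
    like = old.replace('_', r'\_')
    stmts.append("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
                 "WHERE meta_key LIKE '%s%%';" % (new, new, len(old) + 1, like))
    return stmts


def wp_config_line(new):
    """The line in wp-config.php that has to change to match."""
    return "$table_prefix = '%s';" % new


if __name__ == '__main__':
    new = random_prefix()
    print('\n'.join(prefix_change_sql('wp_', new)))
    print(wp_config_line(new))
```

Run the RENAME and UPDATE statements inside one session while the site is briefly offline, then change wp-config.php; if any plug-in created its own prefixed tables, add them to the table list before generating.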

Recommended reading

  1. Securing your wordpress website
  2. Hardening WordPress
  3. How to secure your new wordpress installation