12 Ways to Secure Your WordPress Site You’ve Overlooked

WordPress security is often referred to as “hardening.” Makes sense. After all, the process is like adding reinforcements to your castle. It’s all about bolstering the gates and putting lookouts on every tower. But that term doesn’t always allow you to realize the details that go into improving site security.

Even if you’ve done next to nothing to improve your site’s security, it’s likely that you have at least a cursory familiarity with some popular tactics. It’s also likely you’ve heard of a plugin or two that can get the job done. We’re not going to be talking about those things today, however.

This article is going to focus more directly on the ways you can secure your site’s admin, and more specifically than that, the ways that aren’t discussed over and over in every list out there. Because security is seriously important.

As WordPress continues to grow as a platform, security is not something you should neglect.

Did you know 73% of the popular sites that use WordPress were considered “vulnerable” in 2013?

Or that of the top 10 most vulnerable plugins, five were commercial plugins available for purchase?

Worse yet, one of those five plugins was actually a security plugin, which is just, well, pretty awful.

While the core installation of WordPress is very easy to use and relatively secure, the more you add on top of it via plugins, themes, and custom code, the more likely it is to be hacked. And the more users you add to any given installation, the likelihood increases further, still. That’s bad news all around for individuals and businesses, alike. 

With that in mind, let’s spend some time today exploring the 12 ways you can secure your site’s backend to ensure your information (and that of your customers’) remains safe.

What You Should Know Already

I know I just said that I wasn’t going to talk about the more commonly referenced security solutions here, but just in case someone reading this isn’t well-versed in WordPress, I’d be remiss if I didn’t at least list them out. Even if you’re a WordPress pro, having this list to refer to can be helpful as you set about implementing security strategies on your sites.

Keep WordPress up-to-date. Something so simple can have a big impact on site security. Whenever you log in to the dashboard and see that “Update available” banner, click it and update your site. If you’re worried about something breaking, make a backup before installing it. The important thing is that you do it, and with regularity. Information about any security holes that were fixed since the previous version is now available to the public, which means an out-of-date site is all the more vulnerable.

Keep plugins and themes up-to-date. Just as you update the WordPress Core regularly, you should also update plugins and themes. Each plugin and theme installed on your site is like a backdoor into your site’s admin. Unless properly secured (vetted thoroughly, updated regularly, etc), plugins and themes are like an open door to your personal info.

Delete any plugins or themes you’re not using. Along the same line of thinking as what’s listed above, getting rid of any plugins or themes you don’t need will reduce the likelihood of being hacked. If you’re not using them, you’re not going to want to update them, so it’s a much better idea to delete them. Read: Deactivating plugins isn’t enough; you must actually click “Delete.”

Only download plugins and themes from well-known sources. When you can, downloading plugins and themes from WordPress.org is actually your best bet since they will have been thoroughly scanned before being admissible to the Theme Directory or Plugin Directory. If you want a premium theme or plugin, only download them from reputable sources like Themeforest or from a highly respected developer’s website.

Change file permissions. Avoid configuring directories with 777 permissions. You should opt for 755 or 750, instead, according to WordPress.org. While you’re at it, set files to 640 or 644 and wp-config.php to 600.

Don’t use “admin” as a username. If you’ve already installed WordPress using “admin” as your username or something else very simple, you can change it by running an SQL query in phpMyAdmin or by following the instructions laid out in our latest post on the subject.

Change your password often (and make it good). Random strings of letters and numbers are best. If you don’t feel like coming up with something manually, you can use a password generator to accomplish the task like Norton Password Generator or Strong Password Generator.

Passwords have been given the special treatment for the upcoming version of WordPress 4.3 and will be strong by default.

Make sure your users establish strong usernames and passwords. It’s all fine and well if you create a good username and password but if your users don’t, your personal efforts won’t matter and your site will be just as vulnerable.

Add two-step authentication. A really good way to prevent brute force attacks is to set up two-step authentication. This means a password is required plus an authorization code that is sent to your phone in order to log in to your site. Often, the second login code is sent via SMS. Several plugins can be used to add this feature, including Clef, Google Authenticator, and Duo Two-Factor Authentication.

Install a firewall on your computer. It’s one extra step, yes, but easy to do. And once installed offers another layer of protection from hackers and security breaches. A few firewall software providers to check out include Comodo, Norton Internet Security, and ZoneAlarm Free Firewall.

Limit logins. The brute force attack is tactic #1 for hackers. If you let them, they’ll try to login to your site over and over again until they crack your password. That’s why it’s called “brute force” because the onslaught is relentless. However, there are plugins that allow you to limit the number of times a person from a specific IP can attempt to login within an allotted period of time. The user is restricted from attempting to login again for a given period of time. Login LockDown is great for offering this feature but other plugins that offer a whole set of security features often include login limiting like iThemes Security and Sucuri Security.

Limit user access. Sometimes site security is run through the wringer because of something very simple: granting too many people access. A good rule of thumb is to only grant access to those who absolutely need it and even then, only give them the bare minimum of permissions to complete their assigned tasks. Giving all of your contributors administrative permissions is just asking for trouble.

Backup your site. I don’t just mean every once in a while. I mean predictably on a schedule. Scheduled backups are an essential part of any site’s security strategy because it ensures that if your site is compromised, you’ll be able to restore it to a version prior to the damage with ease. Choose an automated solution like VaultPress, BlogVault, BackupBuddy, or WordPress Backup to Dropbox for simple backups and with built-in restore options.

Check for theme authenticity and conduct security scans. Just as you install antivirus software on your computer to check for malware, so too should you install a scanner on WordPress. A security scanner will check for malicious code in your plugins, themes, and core files to ensure nothing has been tampered with. Several scanners exist that you may wish to consider, including Sucuri Sitecheck, CodeGuard, Theme Authenticity Checker, and AntiVirus.

Now that we’ve brushed up on the things you should already know about securing a WordPress website, we can move on to some of the more obscure things as well as those that you just might not have thought of yet.

But first, make sure you create a child theme before making any changes to your functions.php file.

1. Cut Back on Plugin Use

I know I already mentioned in the list above that you should delete plugins and themes you’re not using. But it’s worth noting that you should make an effort to limit the total number of plugins you install in the first place. To keep your site secure, you need to be scrupulous in the criteria you use to select plugins.

How many plugins do you really need?

This isn’t just about security, either. It’s about site speed and performance, too. Loading your site up with too many plugins can slow it down dramatically. So if your site can function without a particular plugin, skip it. Or, look for plugins that check off several items on your must-have features list. The fewer plugins you have, the fewer chances you give hackers to access your info.

2. Don’t Download Premium Plugins for Free

Though I totally get what it’s like to be a business person on a budget, it’s just a bad idea overall to try to download premium plugins from anywhere other than where they are officially for sale.

Illegal versions of premium plugins usually contain malicious code.

It’s lame to download pirated plugins anyway, but if you needed more of a deterrent than that, totally legitimate plugins are often corrupted with malware by the time they hit these illegal download sites. That means what was once a great premium plugin with excellent code is now a hacker’s direct line into your site’s backend. And for what? All because you wanted to save a quick buck.

Skip the illegal downloads and torrents, people. Just don’t do it.

3. Consider Automatic Core Updates

I’ve already talked about the importance of updating your WordPress installation whenever a new version is released, but it bears repeating. In fact, if you’re running an older version of WordPress than what is current, all of the security flaws in the version you’re running are common knowledge to the public. That means hackers have that info, too, and can easily use it to attack your site.

Though minor updates install automatically, major ones still require approval.

But updating your site might not be enough, especially if you don’t make site maintenance a regular habit. In these cases, the more automated you can make these tasks, the better. While I recognize it’s not for everyone, automatic updates might be a good option for those who want to take a more hands-off approach to site management but want a secure site, just the same.

Ever since WordPress 3.7, minor WordPress updates now happen automatically. But major updates are still something you need to approve. You can insert a bit of code into your wp-config.php file, however, to configure your site to install major core updates automatically.

It doesn’t get much simpler. Just insert this in the file and major core updates will happen in the background without the need for your approval:

Be warned, however, that auto updates can break your site, especially if you’re running a plugin or a theme that isn’t compatible with the latest version. Still, setting up the auto updates might be worth the risk if you don’t regularly log into your site.

4. Set Plugins and Themes to Update Automatically

Now I realize this one also isn’t for everyone, but it’s worth mentioning anyway. Typically, plugins and themes are things you’ll need to update manually. After all, updates are released at different times for each. But again, if you’re not someone who makes site maintenance a regular thing, you may wish to configure automatic updates so everything stays current without necessitating your immediate intervention.

Automatic updates for plugins and themes are another thing you can configure by inserting a bit of code into wp-config.php. For plugins you’ll use:

For themes, use:

5. Eliminate the Plugin and Theme Editor

If you’re the kind of developer who routinely makes changes and tweaks to plugins and themes then you may want to disregard this section. But if you don’t use the built-in plugin and theme editor in the WordPress dashboard on a regular basis, you’re better off disabling it altogether.

Why? Because authorized WordPress users are given access to this editor and if their accounts are hacked, the editor can be used to take down an entire site just by modifying the code found there.

So you can remove this editor by inserting another bit of code into the wp-config.php file. It’s another simple one:

6. Eliminate PHP Error Reporting

Beefing up your site’s backend security has a lot to do with closing the holes or weak spots. Now, if a plugin or theme doesn’t work correctly, it might create an error message. This is definitely helpful when troubleshooting, but here’s the problem: these error messages often include your server path.

Hackers would only need to view your error reports to get your full server path, which means you’d be handing them every nook and cranny of your website on a silver platter. No matter how helpful error reporting might be, it’s a better idea to disable it altogether. This one’s another code snippet to be added to wp-config.php.
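The wp-config.php snippets for tips 3, 5 and 6 and the filter code for tip 4 are not reproduced on this page, so here is an added example (not the article’s own code) showing both files. As readers point out in the comments, the auto_update_plugin and auto_update_theme filters cannot go in wp-config.php, because add_filter() does not exist until wp-settings.php has loaded; a must-use plugin is used here instead, and it only auto-updates an allow-list so an incompatible update cannot take the site down. The plugin and theme slugs in the allow-list are placeholders.

```php
<?php
// ---- File 1: wp-config.php (add above the "That's all, stop editing!" line) ----

// Tip 3: let WordPress install major core releases in the background as well as
// the minor security releases it has installed on its own since 3.7.
// Set this to 'minor' instead of true to return to the default behaviour.
define( 'WP_AUTO_UPDATE_CORE', true );

// Tip 5: remove the Plugins > Editor and Appearance > Editor screens, so a
// hijacked administrator account cannot rewrite PHP files from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Tip 6: never render PHP warnings (and the server paths they contain) in the
// browser. Errors are still written to the PHP error log, which only you can read.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// ---- File 2: wp-content/mu-plugins/example-auto-updates.php ----
// Tip 4: these filters are callbacks registered with add_filter(), so they must
// run after WordPress has loaded. A must-use plugin in wp-content/mu-plugins/ is
// loaded automatically, survives theme switches and needs no activation.
//
// The article's unconditional form would be:
//   add_filter( 'auto_update_plugin', '__return_true' );
//   add_filter( 'auto_update_theme',  '__return_true' );
// The allow-list below is the safer variant for sites nobody logs into regularly.

// Constructed allow-list: placeholder slugs, replace with plugins and themes you
// have verified against the current WordPress version.
function example_auto_update_allowed_plugins() {
    return array( 'akismet', 'example-plugin-slug' );
}

function example_auto_update_allowed_themes() {
    return array( 'twentyfifteen' );
}

// $item->slug is the plugin's directory name. Return true to update it unattended;
// otherwise hand back whatever WordPress (or another filter) already decided.
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, example_auto_update_allowed_plugins(), true ) ) {
        return true;
    }
    return $update;
}

// For themes the identifier is $item->theme, the stylesheet directory name.
add_filter( 'auto_update_theme', 'example_auto_update_theme', 10, 2 );
function example_auto_update_theme( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, example_auto_update_allowed_themes(), true ) ) {
        return true;
    }
    return $update;
}
```

Keep a scheduled backup in place before enabling any of this, because an automatic update that fails can still break the site without anyone watching.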

7. Protect Your Most Pertinent Files Using .htaccess

If you’re into WordPress security at all, you’ve heard of the .htaccess file before and have likely accessed it. Still, the changes you make in this one file can have such a huge impact on your entire site’s security, I can’t leave it off the list.

Why is this file so important? It’s at the heart of WordPress and directly affects how your site structures permalinks and how it handles security. You can insert many different code snippets into the .htaccess file anywhere outside the # BEGIN WordPress and # END WordPress markers to modify which files are accessible within your site’s directory. These snippets are sourced directly from the WordPress Codex.

For starters, you’ll want to hide wp-config.php because it’s a central hub for your site and includes your personal info and many other details related to security. Hide it by adding this bit of code to .htaccess:

You can also restrict admin access by creating a new .htaccess file and uploading it to the wp-admin directory. You’ll then insert the following code:

Insert your own IP address in the appropriate spot. You can allow access to wp-admin from multiple IP addresses by listing them out as allow from IP Address, each on a new line.

You can restrict access to wp-login.php in much the same way. Just add the following code into .htaccess:

If you don’t want to block every IP but your own and instead wish to just block specific people attempting to access wp-admin or wp-login.php, you can do so by blocking those IP addresses individually using this bit of code:

Another way to prevent people from viewing your site’s directories is to make them non-browsable. This simple bit of code will do the trick:
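The .htaccess snippets this section refers to are not reproduced on the page; the following is an added example (not the article’s or the Codex’s own text) that covers all five: hiding wp-config.php, restricting wp-login.php and wp-admin to your own addresses, blocking specific addresses, and turning off directory listings. It uses the Apache 2.2-style Order/Allow/Deny directives, which Apache 2.4 accepts when mod_access_compat is loaded; the 203.0.113.x and 198.51.100.x addresses are RFC 5737 documentation ranges standing in for your own IPs.

```apache
# ---- File 1: .htaccess in the site root, outside the # BEGIN / # END WordPress block ----

# Hide wp-config.php. Browsers never need to request it, so deny everyone.
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Restrict the login page to your own address(es): one "Allow from" per line.
# Placeholder addresses, replace with yours.
<Files wp-login.php>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 203.0.113.11
</Files>

# Alternative for wp-login.php: keep it public but block individual addresses.
# Use one of the two <Files wp-login.php> blocks, not both.
# <Files wp-login.php>
#     Order allow,deny
#     Deny from 198.51.100.25
#     Allow from all
# </Files>

# Stop Apache from listing the contents of directories that have no index file.
Options -Indexes

# ---- File 2: a separate .htaccess uploaded to wp-admin/ ----
# Do NOT paste this part into the root .htaccess: at top level it would lock
# every visitor out of the whole site, not just the dashboard.

# Everything under wp-admin/ requires an allow-listed address...
Order deny,allow
Deny from all
Allow from 203.0.113.10

# ...except admin-ajax.php, which themes and plugins call on behalf of
# logged-out visitors; without this exception front-end features break.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Test the login restriction from a second connection (or a phone on mobile data) before you close your current session, because a typo in the address list locks you out too.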

There are many other ways to modify .htaccess to heighten your site’s security as well—we’ve written on them extensively here—but these are just a few of the more important ones you should implement.

8. Hide Author Usernames

If WordPress defaults are left intact, it’s really easy to find out each author’s username for your site. And since more often than not the main author of a site is also the administrator, it’s also easy to find out the admin’s username. Which isn’t good. Anytime you’re giving away info to hackers, you run the risk of seeing your site compromised.

According to DreamHost, it’s a good idea to hide the author’s username to ensure you aren’t making the hacker’s job easier. To do this, all you need to do is add some code to your site. Once inserted, this code will make it so when someone inputs ?author=1 after your main URL, they won’t be presented with the administrator’s information and will instead be sent back to your homepage.

Just copy and paste the following into your functions.php file:
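The functions.php snippet is not reproduced on this page; what follows is an added example, not DreamHost’s or the article’s code, written as a small plugin so it survives theme updates (the alternative readers recommend in the comments is a child theme’s functions.php). It hooks template_redirect at priority 1 deliberately: WordPress’s own canonical redirect runs at priority 10 and would otherwise turn ?author=1 into /author/username/, leaking exactly the name you are trying to hide.

```php
<?php
/**
 * Plugin Name: Hide author archives (example)
 * Description: Sends ?author=N and /author/<name>/ requests back to the home page.
 * Placed in wp-content/mu-plugins/ or installed as a normal plugin.
 */

// Priority 1 so this runs before redirect_canonical() (priority 10), which
// would otherwise answer ?author=1 with a redirect to /author/<login-name>/.
add_action( 'template_redirect', 'example_block_author_enumeration', 1 );

function example_block_author_enumeration() {
    // Leave the dashboard and AJAX handlers alone.
    if ( is_admin() ) {
        return;
    }

    // is_author() covers pretty permalinks (/author/jane/) and the parsed
    // ?author=1 query; the raw $_GET check catches the ID form even when the
    // ID does not match any user and WordPress would otherwise serve a 404.
    if ( is_author() || isset( $_GET['author'] ) ) {
        // 301 to the home page without revealing whether the ID exists.
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
```

As the first commenter notes, this only hides the ID-to-username mapping; the “Display Name Publicly As” setting on each user profile is what keeps the login name out of post bylines.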

9. Keep Track of Dashboard Activity

If you have many users on your site, it might be a good idea to keep track of what they’re doing on your dashboard. Not that you suspect them of any wrongdoing, but sometimes when you have a lot of people involved in your site, a simple misstep can cause something to break. That’s why logging dashboard activity is so useful – it allows you to retrace your user’s steps up to the point of site breakage. You can even retrace your own steps.

This is also great for security because it allows you to connect the dots between a specific action and a specific reaction. So, if a certain uploaded file caused your site to break, you can investigate it further to see if it contained malicious code.

A great, free plugin option for checking over activity on your site.

Yes, WordPress logs this information automatically but it’s not easy to use. It’s a much better idea to use a plugin to organize all of that data. So you can see if installing a certain plugin, making a specific code change, or uploading a file caused the issue you’re dealing with. But even if you’re not handling a site issue, being able to see what your users are doing on your site at all times can offer some peace of mind.

According to Pagely, a good plugin to check out is WP Security Audit Log. This free plugin maintains a log of everything that happens on your site’s backend, so you can easily view both what users and hackers are doing. This plugin keeps track of everything from when a new user is created to file management to published post changes.

If that plugin doesn’t do it for you, there are others available including Activity Log and Simple History that are well worth checking out.

10. Obscure the Login Page

Though security that focuses on obscurity isn’t complete, it’s still an important part of your overall strategy. After all, hiding certain elements of your site won’t prevent hackers from accessing them, but it’ll make them harder to get to. And that’s good, right?

Lockdown and lockout intruders with this free plugin.

Relocating or renaming your login page is a quick way to make a hacker’s job harder. Brute force attacks are typically automated, so if your login page is anything different than www.websitename.com/wp-admin or www.websitename.com/wp-login.php then they’re going to have a really difficult time attacking. Many plugins are available that make this simple change for you including Lockdown WP Admin as well as several of the major WordPress security plugins.

11. Pick the Best Hosting You Can Afford

You can trick out your site all you want with all the latest security hacks but if you don’t have a good hosting provider, your efforts aren’t going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. That’s edging on half there, which means you need to do something about your hosting plan, ASAP.

If you want to use shared hosting, make sure your plan includes account isolation. This will prevent someone else’s site on the server from affecting yours in any way. I think it’s a much better idea, however, to use a service that’s catered directly toward WordPress. A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server that’s designed for running WordPress, and a customer service team that knows WordPress inside and out.

Pagely was the first managed hosting service for WordPress. 

A few really good managed WordPress hosts that have solid security track records include WP Engine, Pagely, and Siteground.

12. Keep Your Computer Up-to-Date, Too

Sometimes hackers can gain access to your site due to security vulnerabilities on your computer. The best way to combat this is to keep your computer up-to-date. When software patches are released, install them. When a new operating system is released, do your best to upgrade as soon as possible.

Don't forget to keep your computer up-to-date, too.

Likewise, make sure you run anti-virus software on a regular basis. You can run free antivirus software like Avast, Panda Free Antivirus, Comodo, or AVG to see if there are any viruses or malware on your computer and to eliminate them.

Wrapping Up

Securing a WordPress site is about so much more than installing a security plugin and walking away. There are subtle nuances that fill out a complete strategy. Some you might’ve known about before but it is my hope that some were new discoveries. Sometimes, it’s the simple things you haven’t thought of yet that spell the difference between a mediocre security strategy and a great one.

What are some things you do to secure your WordPress sites? Did I miss a detail here that you think is vital? Feel free to sound off in the comments below. 

Image credits: Rupa Panda, India7 Network.

45 Responses

  • Design Lord, Child of Thor

    #8 Maybe I’m missing something. Is there a place where the username is displayed publicly other than as the author? If so can you please tell me where?

    If you’re simply referring to the author link, there’s no need to add any code. You can simply go to the user’s profile, add a nickname, and select that nickname in the “Display Name Publicly As” dropdown box right below the nickname. This functionality is built into WordPress.

    Also, as I feel the need to repeatedly point out on this blog…

    DO NOT ADJUST THE FUNCTIONS.PHP FILE!!!!!!!!!!

    Any changes in there will be removed when WordPress is updated, which you seem to be recommending here as well. Build a plugin or don’t do it!

    • Design Lord, Child of Thor

      P.S.

      Sorry for my grammatical errors. I get a little flustered when I read recommendations to put code you don’t need in a file that shouldn’t be touched.

      Also, I was only skimming headers and thought that one was begging for problems. I haven’t read through any of the other suggestions to either endorse or criticize them.

    • The Crimson Coder

      As with all of our posts that mention changes to the functions.php file, we recommend creating a child theme and wouldn’t suggest otherwise! I’ve amended this post to make that point even clearer.

      In regards to #8, you might want to click through to the Dreamhost article to read the background on why they recommend hiding author names.

      • Design Lord, Child of Thor

        I hate to be a stick in the mud here, but I think it needs to be said. I’ve checked at the beginning and end of the article as well as that specific section. It still appears to me that it says to put it in your functions.php file. No mention of a child theme, even though I still think a plugin would be the easier and better way to go.

        Also, the points you are referencing in the DreamHost article are out of date, irrelevant to many if not most of your readers, and written by a guest blogger whose primary website is not about technology or WordPress. I say this is irrelevant to many of your readers because this only hides the administrator, but if the administrator is also the main blogger, it doesn’t hide their name from the website. It only hides who author=1 is. Using a username that is different from your nickname actually solves this problem, not just attempts to hide it. This is also why I think the article is out of date. If memory serves, this additional security measure was put in place about 3 years ago after a string of breaches. Of course, if DreamHost would be kind enough to date their articles so that they can be properly referenced, we’d know for sure.

        However, if you wanted to go a step further, the safest bet would be to create a second author and give it a contributor role, making sure to attribute at least one article to that user/ID. Then create a third user and give that user administrative rights. Then log in as the third user and delete the first account, being sure to assign any posts to the new author with the ID 3. This way, once they realize there is no user #1, they will likely dig for a user #2, but won’t be able to access anything even if they do figure out the password.

    • New Recruit

      Jason,
      The functions.php can be adjusted as long as it’s a child theme or it’s a custom theme you’ve built yourself. Updating WordPress core does not affect the functions file of a theme.

      That said it’s best to make a functions plugin if you are making changes to your WordPress site that need to remain in place regardless of theme, such as custom post types, adding Google analytics etc.

      Rule of thumb:
      If it’s theme design specific, you can edit the functions.php of the theme
      If it’s global regardless of theme, make a plugin.

      And making a plugin isn’t that difficult:

      https://www.doitwithwp.com/putting-things-where-they-belong/?utm_source=diww&utm_medium=post&utm_campaign=content

  • The Bug Hunter

    Fair Warning – DO NOT USE – unless you know what you’re doing!

    `Header set Strict-Transport-Security “max-age=10886400; includeSubDomains; preload” env=HTTPS`

    If you are just starting to play with HSTS, try starting with something more like this:

    `Header set Strict-Transport-Security “max-age=300; includeSubDomains” env=HTTPS`

    …and really, don’t mess with HSTS until you’ve done some reading =)

    All that said, I was rather surprised that using HTTPS – at least for login/admin was not mentioned in the article!

    Also, using SFTP for WP/plugin/theme Updates is often overlooked =)

    Kind Regards, Max

  • New Recruit

    Another thing, that came to my mind. The user locking thingy after too many failed attempts is a trap, as it is, because sooner or later bots are going to try to log in with your username, and are going to get your username blocked.
    My point: please, don’t forget that this requires that you create yet another additional user account with full admin rights. You will never log in with that last resort username… except when your usual admin account gets blocked because of bots trying to log in with a password dictionary. It’s at that time that you log in with your last resort admin account, unblock the usual account, and log off again.

    (About finding usernames: see my above comments, the username is shown in clear in the RSS, even if you left the “admin” username into existence and created yourself a secondary admin account.)

    • Design Lord, Child of Thor

      Actually, tools like login lockdown can be set to login IP, so the attack would have to be coming locally if you set it up that way. But the couple of times I have been under attack like that, it’s time to just shut off all login info anyways and work with the host on blocking DDOS attacks. If someone isn’t capable of managing the site from their file manager or FTP, they are better off just getting logged out, contacting their hosting provider, and riding out the storm.

      • New Recruit

        Well, it depends on what tools you have. I have a plugin that’s blocking a username getting too many access attempts, as a principle. I should say I had, it was too annoying.
        On average, the active accounts on my biggest blog receive between 10 to 200-300 login attempts, with password dictionaries. An IP will try x times before being blocked, another IP will follow, and so on. Good luck with blocking IPv6s.

        My point: this is not a DDOS, just f***ing bots doing their f***ing bot’s job, on a fully automated basis, without even having that “personal” dimension of someone meaning you harm.

        So, if you’ve got a plugin that blocks user accounts getting hammered, sooner or later you’ll need that unused secret admin account. And it’s not even panic material, it’s not a DDOS or anything :-/

  • New Recruit

    One thing you should note:
    in this section – 4. Set Plugins and Themes to Update Automatically – where it mentions adding `add_filter( 'auto_update_plugin', '__return_true' );` or `add_filter( 'auto_update_theme', '__return_true' );` to `wp_config.php`, it is important to note that this should say ‘child theme’s functions.php file’ and NOT `wp_config.php`.

    If added to the `wp_config.php` file you will get a fatal error – because both the `add_filter` and `__return_true` functions are not yet created at this time. Adding them after the `require_once(ABSPATH . 'wp-settings.php');` line will not cause an error, but the filters will never fire.

  • Design Lord, Child of Thor

    Your tip number 4
    “Automatic updates for plugins and themes are another thing you can configure by inserting a bit of code into wp-config.php. For plugins you’ll use: `add_filter( 'auto_update_plugin', '__return_true' );`”
    This definitely does NOT go into wp-config as it could result in a PHP error with a blank site as a consequence. A plugin or the child theme’s functions.php is a better place for that code.

  • New Recruit

    Hey all,

    Just to follow up on this… one of the recommendations is to have fewer plugins installed. Well we have a plugin that will replace the plugins proffered here… it’ll do what they do, and more. And, it’ll let you configure your automatic updates of plugins and themes without touching your theme files and any PHP. It also now has the option to mask your ?Author=1 URL scanning too :)

    It’s on WordPress.org, so worth checking out: https://wordpress.org/plugins/wp-simple-firewall/

    Enjoy! :D
    Paul.

    • New Recruit

      Paul, how funny. I was just getting ready to comment on how they said not to install too many plugins yet they recommended several. And your comment about your plugin just happened to be at the very bottom of the list so I saw it. Has anyone said they’ve gotten hacked after implementing your plugin? One of the things that interested me about your plugin was the anti-login sharing feature. That will be useful for me when I get my site set up!

  • Syntax Hero

    Here’s another one: If you’re not going to use the default WordPress themes, delete them. Many (or most) people leave the default themes there and don’t update them because they aren’t being used. But those themes can have (and have had) vulnerabilities. So many people have had weak links security-wise, even in components that weren’t even being used.

    Mark
    WPPronto

  • The Incredible Code Injector

    Very detailed and much appreciated guide @Brenda :) Thanks!

    I can see you wrote this article from experience, from both the hacker’s and the hacked side, or you know someone who has had either of those. :o

    Anyway, I once broke into a site with an outdated theme framework. It contained a file which allowed me to inject any file I wished to any directory.

    The owner of the website has its own server, just to quickly ‘control’ his/her website, without any experience. They outsourced their work of setting it up and don’t bother with updating. The site hasn’t been updated for a good 1.5 years now.

    The file I injected was a PHP file, from which I called wp-config.php relatively, dumped it on my screen.
    I also created a hash for a random password through the wp_hash_password() function. And finally I said to unlink the injected file.

    All this gave me both the location, the username and the password of the database. And allowed me to inject a new admin user within the database with the hashed password.

    And I got in.

    The laws in my country strictly prohibit these kinds of attacks and scared me away quickly. I deleted all my traces and left the site be. Luckily, they can only prove my actions through a court order after they’ve sustained a reasonable amount of damage. I was being a white-hat hacker, to prove a point for that I didn’t want to execute a payment on their site (they think they’re an awesome debt collection agency, for which I must say: their order wasn’t justified and they’ve been proven wrong in court), but it’s still illegal.

    With this I gained experience on securing WordPress websites. And it’s true:
    Delete plugins/themes you don’t use. Hackers could call the files even if your theme or plugin is inactive.

    Please trust me on the following:

    To developers:
    NEVER write header action function files without a WordPress function wrapper (like add_action, add_filter, etc.). If you use WordPress function wrappers, the intruder would need the WordPress core to be loaded to inject files. Which is much, much harder to do.
    Because the site will give you a 500 error and you can’t hack it.
    And this is exactly how I got in.

    Also remove the generator tag, which actually exposes all known vulnerabilities to that version date:
    `remove_action('wp_head', 'wp_generator');` (I notified WPMUdev about this a while back D:)

    To users:
    Never download premium themes/plugins that don’t allow auto-updates.
    For this I love WPMUdev. It’s both premium, secure and easily up-to-date. Without the hassle Envato gives.

    The worst part about Envato premium plugins/themes is: Envato DOES have an update server. The developers just don’t bother with using it.

    I could write on and on about how to secure your blog, but the most, if not all, is already covered in the blog post here :)

    Another note is: If you do not have the knowledge, or if you’re not willing to spend time or money to actively secure the whole server or learn about it, don’t host your own server. You’re much better off using Managed hosting by any trusted company.

    And last but not least: Use WPMUdev, Automattic, WooThemes or StudioPress plugins and themes. They’re not only considered safe, they actually are.
    I learned to write plugins and themes from them, and copied their standards :). So I think I can also safely say that my plugins and themes are safe as well :D

    With all this, I’m now going to check my written plugins for vulnerabilities and update them where needed.

    Once again, thanks!

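    As an added example (not the commenter's code, nor code from the post), a minimal plugin file that follows the two developer points above: it refuses to execute when the file is requested directly without WordPress core loaded, and it registers everything through hooks, including the generator-tag removal. The `ABSPATH` guard is a standard WordPress convention added here as a complement; the `hhe_` function names are hypothetical.

    ```php
    <?php
    /**
     * Plugin Name: Hardened Hooks Example
     * Description: Added example illustrating the comment above; not from the post.
     */

    // When this file is fetched directly (outside WordPress), ABSPATH is
    // undefined, so we stop here and nothing below can run without core loaded.
    if ( ! defined( 'ABSPATH' ) ) {
        exit;
    }

    // Do not advertise the WordPress version in <head>.
    remove_action( 'wp_head', 'wp_generator' );

    // Everything else is registered through hooks, so it only runs when
    // WordPress fires them, never because someone requested this file by URL.
    add_action( 'init', 'hhe_strip_core_version_from_assets' );

    /**
     * Core also appends "?ver=<WordPress version>" to enqueued scripts and
     * styles, which leaks the version just like the generator tag does.
     */
    function hhe_strip_core_version_from_assets() {
        add_filter( 'style_loader_src', 'hhe_remove_core_version_arg' );
        add_filter( 'script_loader_src', 'hhe_remove_core_version_arg' );
    }

    function hhe_remove_core_version_arg( $src ) {
        $query = wp_parse_url( $src, PHP_URL_QUERY );
        if ( empty( $query ) ) {
            return $src;
        }
        parse_str( $query, $args );
        // Only strip the argument when it equals the core version; plugin and
        // theme assets keep their own cache-busting version strings.
        if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
            return remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    ```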
  • WPMU DEV Initiate

    For everyone talking about #8, the answer is very simple -> Change your author slug.

    Background: In the DB there is the username field, and there is an “author-nice-name” field that contains what your author slug would be. By default, they say the same thing, but they don’t have to.

    To fix, all one needs to do is install the “Edit Author Slug” plugin, and change the author slug for their admin account. ( Plugin Link: https://wordpress.org/plugins/edit-author-slug/ )
    If you don’t want to keep the plugin afterwards, simply delete it. The changes it made are persistent.

    After having done this, you could have the username “f0o”, with a public slug of “bar”, and you could have your display name be “My Name”.

    WordPress definitely publicizes the author slug (the user-nice-name), but there is nothing forcing you to keep it as the same value as your actual username.

    ~Cam

  • The Incredible Plugin Injector

    Hello Brenda,

    Nice post! I always try and make WP as secure as possible. My next move was setting up auto updates for plugins. I used the code you put at #4. Every time I insert this code in wp-config.php, I get an error message and can no longer access the dashboard and websites. I’m on a WP Multisite install. Any idea why?

    Best regards,

    Paul

  • New Recruit

    I have a few WordPress sites, I was paying a lot of money to clean my hosting account every time I got hacked. I tried a lot of these things and realized I needed to monitor my website VERY closely. I did not have the time so I honestly pay someone to secure my site and keep me up to date with all the updates. I did get hacked once, but they guaranteed if I did they would clean it and they took care of it. I paid so much more money being attacked on a regular basis, and it felt like once I was attacked, I was targeted more often. I use http://gro-online.com/wordpress-maintenance/ for my sites, but there are plenty of other services that do the same thing.

  • New Recruit

    Thank you, very useful article. I, frankly, was already tired of cleaning viruses off my friends’ WordPress sites. I will need to give them a link to your article.

    I would also add the following rule to your list: do not store sensitive files on the server. Technical measures will not protect the site if the user stores sensitive data on the server that can be indexed by Google.

    Under the following link is an article on the topic: how to check whether your site has confidential information that can be indexed by Google – http://audit4top.com/infosecurity-for-website-owners
