10 steps to protect your WordPress blog

Original author: SmashingMagazine
The administrative area of any web application has long been a favourite target for attackers, and its security is a major concern for developers. This also applies to WordPress: when a new blog is installed, the system creates an administrator account with a randomly generated password, so general access to the system settings is blocked and controlled through the login page.

This article focuses on hardening WordPress security, both the admin panel and the blog settings, meaning the entire contents of the wp-admin folder, which is shown only after authorization. We deliberately highlighted the phrase "after authorization": you should be clearly aware that only one simple request separates an attacker from the admin panel of your entire blog or website, and the latter is protected only as well as the password you chose.


To make an attacker's job harder, we offer a set of operations that you can perform manually. These solutions do not guarantee 100% protection, but with their help you will significantly improve the security of your blog.

1. Rename the WordPress folder.

Starting with version 2.6, it became possible to change the path to the wp-content folder. Unfortunately, this still does not apply to the wp-admin folder. Security-conscious bloggers have come to terms with this and hope it will become possible in future versions. Until this happens, we suggest the following workaround. After unpacking the archive with the WordPress files, you will see the "wordpress" folder: rename it (ideally to something unguessable like wordpress_live_Ts6K) and then configure the wp-config.php file in the root directory accordingly.
What does this change give us?
  • Firstly, the WordPress files will no longer be mixed with other files in the site root, which makes the root level clearer.
  • Secondly, several copies of WordPress can be installed side by side in folders with different names without interfering with each other, which is ideal for testing.
  • The third advantage relates directly to security: the administrative area (and the entire blog) is no longer in the root folder, so before any attack can be carried out it first has to be found. For a human this is a problem; for a bot it is only a matter of time.

Several installed versions in the root directory: it is possible!

Note: Even if the WordPress system files are no longer in the root directory and the installation folder has been renamed as recommended above, the blog can still be reached at wp-config.ru. How? Go to the "General settings" section of your blog and enter the real blog address on the server in the "WordPress address (URL)" field, as shown in the example:

The blog address must be beautiful and unobtrusive

This allows the blog to be served at a clean virtual address.

2. Improve the wp-config.php file

The WordPress configuration file wp-config.php contains some site settings and the database access credentials. It also holds other security-related settings (listed below). If these values are missing from the file, or only the defaults are present, you need to add or change them accordingly:
  • Security keys: starting with version 2.7, WordPress uses four security keys that must be set correctly. WordPress saves you from having to invent these strings yourself by generating suitably random keys for you; you only need to paste them into the corresponding lines of the wp-config.php file. These keys are essential to the security of your blog.
  • The table prefix of a newly installed WordPress blog should not be the standard "wp_". The less predictable the prefix, the less likely it is that unauthorized access to the tables in your MySQL database will succeed. Bad: $table_prefix = 'wp_'; Much better: $table_prefix = 'wp4FZ52Y_'; Do not be afraid of forgetting this value: you enter it only once and will not need it again.
  • If SSL is available on your server, it is recommended to enable it to protect the administrative area. This is done by adding the following line to the wp-config.php file: define('FORCE_SSL_ADMIN', true);

You can also adjust other system settings in the configuration file. A clear and comprehensive list of the available settings is on the WordPress Codex page.

Do not neglect to install the correct security keys!

3. Move the wp-config.php file

Also starting with version 2.6, WordPress allows you to move the wp-config.php file one directory level up. Since this file contains far more sensitive information than any other, and since the server's root folder is always much harder to reach from the outside, it makes sense to keep it out of the directory that holds the other files. WordPress automatically looks in the parent folder for the wp-config.php file, so there is no need to configure the path yourself.

4. Protect the wp-config.php file

Not all hosting providers allow you to place files above the web root. In other words, not everyone has the rights to carry out the previous step. There may be other reasons too: for example, if you run several blogs with a particular folder structure, you cannot put all their configuration files in the root, since the file names would be the same for each blog. In this case we can restrict outside access to the wp-config.php file with an .htaccess file. Here is the code for this:

[code]
# protect wp-config.php
<Files wp-config.php>
Order deny,allow
deny from all
</Files>
[/code]

It is very important to make sure that the .htaccess file is in the same directory as the wp-config.php file.

5. Remove the administrator account.

During installation, WordPress creates an administrator account with the default username "admin". On the one hand this is quite logical; on the other, a user with a known username (and user ID 1) is a predictable target for attackers and their password-guessing programs. Our advice is as follows:
  • Create another user with administrative rights and a username of your own.
  • Log out.
  • Log in with the new account.
  • Delete the "admin" account.

If the blog is not new and you have already published posts or comments under the admin account, then among the options offered at deletion time choose "Attribute all posts and links to:" and select the name of the new user:


Note: Ideally, the new user's login name should differ from the display name shown in posts, so that nobody can learn your username from the blog itself.

6. Choose a strong password.

The probability and frequency of attacks depend directly on the popularity of the blog, so it is advisable to make sure, before that point, that your site has no weak links in its security chain.

Most often, passwords are the weakest link in this chain. Why? Most users choose passwords thoughtlessly and carelessly. Many studies have shown that most passwords are short dictionary words in lowercase letters that are not hard to guess. Password crackers even keep lists of the most commonly used passwords.

WordPress has an intuitive password strength indicator that shows its difficulty level in color:


We recommend using at least seven characters, combining lowercase and uppercase letters and including special characters such as ! " ? $ % ^ & ( ).

7. Protect the wp-admin folder.

Following the proverb "two heads are better than one", there is a way to double the protection of the administrative area. The protection is controlled by an .htaccess file placed in the "wp-admin" folder together with an .htpasswd file that stores the username and password. When the folder is accessed you will again have to enter a username and password, the difference being that this time the check is performed by the web server itself, not by WordPress.

To generate the .htaccess and .htpasswd files quickly and easily, use this service.

8. Prohibit the display of errors on the authorization page.

The WordPress login page is the door to the administrative area of your blog, which opens after successful verification. Each user has an unlimited number of login attempts, and by default the helpful WordPress reports each time exactly what went wrong. That is, if the entered username is wrong, WordPress says so. This is convenient for the user, but just as convenient for an attacker.

It is easy to see how much faster a login/password combination can be guessed when the system reveals exactly which part was entered incorrectly. A single line of code solves this problem; just add it to your theme's functions.php file:

[php]
// Return no message at all for failed logins, so neither the username nor the
// password is confirmed as correct. (A closure replaces the long-removed create_function.)
add_filter('login_errors', function () { return null; });
[/php]
The original / changed appearance of the login page.

9. Limit the number of failed authorization attempts.

WordPress does not keep any statistics on logins, successful or not. This is very inconvenient for the administrator, who has no way of seeing whether there have been unauthorized access attempts and of taking measures if they become more frequent. We offer two solutions: the Login LockDown and Limit Login Attempts plugins. Once installed, they not only log login attempts but also limit the number of failed attempts by blocking the offending IP address for a certain time.
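To show what such a plugin does internally, here is an added example (not the article's code and not taken from either plugin) of a minimal WordPress plugin that logs failed logins and locks an IP address out with transients; the plugin name, the `slt_` prefix and the limit of 5 failures per 15 minutes are assumptions.

```php
<?php
/*
Plugin Name: Simple Login Throttle (added example, not the article's code)
Description: Counts failed logins per client IP with transients and locks the IP out after too many failures.
*/

// Assumed limits: after 5 failures within 15 minutes the IP is refused for the rest of that window.
define('SLT_MAX_FAILURES', 5);
define('SLT_WINDOW', 15 * MINUTE_IN_SECONDS);

// Client address as seen by the web server. X-Forwarded-For is deliberately ignored:
// it is attacker-controlled unless a trusted reverse proxy sets it.
function slt_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function slt_transient_key() {
    return 'slt_failures_' . md5(slt_client_ip());
}

// Every failed login (wrong username or wrong password alike) increments the counter
// and is written to the PHP error log, which WordPress itself does not do.
add_action('wp_login_failed', function ($username) {
    $key   = slt_transient_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, SLT_WINDOW);
    // Strip line breaks so a crafted username cannot forge extra log lines.
    $safe_name = preg_replace('/[\r\n]+/', ' ', $username);
    error_log(sprintf('[slt] failed login for "%s" from %s (%d/%d in window)',
        $safe_name, slt_client_ip(), $count, SLT_MAX_FAILURES));
});

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked IP is refused even when it finally submits the correct password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(slt_transient_key()) >= SLT_MAX_FAILURES) {
        return new WP_Error('slt_locked', 'Too many failed login attempts; try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(slt_transient_key());
});
```

Place the file in wp-content/plugins/ and activate it; note that with step 8 applied the lockout message is also hidden on the login page, so the error log becomes the only place where the lockouts are visible.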


10. Keep up to date.

And finally: as a rule, the WordPress developers respond very quickly when vulnerabilities are found in the engine. Therefore keep an eye on updates and install them whenever possible. Fortunately, WordPress itself announces the release of a new version. The same applies to plugins: keep their versions up to date.


Remember: less is better when it comes to plugins and add-ons of any kind. As an administrator, you need to make sure that only the plugins you really need are installed and active. Each plugin is a potential security risk, since they are all written by third-party developers.

And you?

How do you protect your blog from hacking? What are you using for this?

Translated from WordPress for everyone!
