Step-by-step Guide to Securing WordPress from Malware and Hacking

Lucid Agency develops many websites each year on the WordPress Content Management System (CMS). WordPress is a great CMS: it is fast to install, easy to customize, scales to many kinds of applications, has thousands of plugins for almost anything you can imagine, and has a simple user interface that our clients love. Like most great things, however, it has some shortcomings, and one of these is security. Because there are millions of installations (over 65,000,000 downloads of version 3.0 as of Dec 2011) and WordPress is the most widely used content management system on the internet, powering roughly 22% of all websites, it is a frequent target for hacking and malware distribution.

Of course, nothing is ever totally secure, as the CIA recently found out when its website was hacked. But if you take the proper precautions, WordPress can be made much more secure, to a level where an intrusion is unlikely and any incident that does happen is well isolated and much easier to remediate.

Lucid Agency has put together an internal list that we use as a basic guideline for a "more secure WordPress" installation. We have decided to share this list so that others do not have to spend as much time researching it as we have. Please feel free to share it with anyone, and if you have questions, ask them in the comments below.

Please note: this list is not intended to be fully comprehensive, and there are other security procedures that we implement as well. However, it is a great starting place and will make any WordPress installation more secure.

  1. Apply the official WordPress hardening approach   http://codex.wordpress.org/Hardening_WordPress
    1. Don't have a user named "admin" in the system; give every administrator a custom user name. This defeats the brute-force scripts that only ever try "admin", but it does not hide user names (author archive URLs and post author slugs still reveal them), so a strong password is still what protects the account.
    2. Make sure permissions are set to 644 for all files and 755 for all directories. wp-config.php holds the database credentials and the secret keys, so it can be tightened further (for example 600, or 640 if the web server runs as the file owner's group) as long as the web server user can still read it.
    3. Only use SFTP (not standard FTP) so that your login credentials and all file transfers are encrypted in transit. Plain FTP sends the password in clear text, and a captured password is all an attacker needs to plant malware.
    4. Use strong passwords with a mix of numbers, letters and symbols. WordPress measures the strength of your password as you type it, so make sure the meter shows "strong" (green) for every account that can log in.
    5. Each website on a single or shared hosting server should run under its own user account, so that a compromise of one site cannot be used to read or modify another (this prevents cross-contamination if one site gets infected with something nasty).
    6. Move wp-config.php up one level, out of the web root. WordPress looks for it in its own install directory first and then one level up, but it only uses the parent copy if the parent directory is not itself a WordPress install (no wp-settings.php there). Keeping the file above the document root means a misconfigured server that serves .php files as plain text can never expose your database credentials.
    7. Secure wp-config.php by copying the code below into the VERY TOP of the .htaccess file. (This is Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat, put "Require all denied" inside the files block instead.)
      <files wp-config.php>
      order allow,deny
      deny from all
      </files>
    8. Secure wp-includes. Copy the code below into your .htaccess file above the "# BEGIN WordPress" marker: WordPress rewrites everything between its BEGIN and END markers when permalinks are saved, so rules placed inside would be lost. Note for Multisite: the rule matching wp-includes/[^/]+\.php$ also blocks ms-files.php, which serves uploaded images, so on a Multisite install omit that one line.
      # Block the include-only files.
      RewriteEngine On
      RewriteBase /
      RewriteRule ^wp-admin/includes/ - [F,L]
      RewriteRule !^wp-includes/ - [S=3]
      RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
      
      # BEGIN WordPress
  2. Add the security keys and salts to the wp-config.php file
    • Go to https://api.wordpress.org/secret-key/1.1 to have a set of randomly generated keys and salts created for you. Paste the define() lines into wp-config.php in place of the "put your unique phrase here" placeholders (underneath the "define('DB_HOST'..." line), then save and re-upload the file. These values are what WordPress uses to sign login cookies and nonces, so leaving the placeholders in place means anyone can forge a session. You can change the keys at any time; the only effect is that all current WordPress cookies are invalidated and your users have to log in again.
  3. Install the WordPress Firewall Plugin
  4. Install the Secure WordPress Plugin
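As an added example that is not part of the original guide or of WordPress itself, the Python script below does the mechanical parts of steps 1.2, 1.6 and 2 on a local tree: it audits and fixes file modes (treating wp-config.php as 600, stricter than the guide's blanket 644, which is this example's own assumption), mirrors WordPress's lookup of wp-config.php in the install directory or its parent, and generates the eight keys and salts from the operating system's CSPRNG so they never have to be fetched over the network. The throwaway install it builds, the file names in it and the demo output are constructed for the example.

```python
"""Audit and fix file modes on a WordPress tree and generate the wp-config.php
keys and salts locally. Added example, not Lucid Agency's or WordPress's code."""
import os
import secrets
import stat
import string
import tempfile

# Modes from the guide: 644 for files, 755 for directories. Treating
# wp-config.php as 600 is this example's own assumption, stricter than 644,
# because it holds the database credentials and the secret keys.
FILE_MODE = 0o644
DIR_MODE = 0o755
CONFIG_MODE = 0o600

# The eight constants the api.wordpress.org secret-key service emits, and the
# character set WordPress's own password generator uses for them. It contains
# no quote or backslash, so the values drop straight into single-quoted PHP.
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
SALT_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_ []{}<>~`+=,.;:/?|"


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    if os.path.basename(path) == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def audit_permissions(root):
    """Return (path, actual, expected) for every entry whose mode deviates.
    Symlinks are skipped, not followed: a link planted in wp-content/uploads
    must not let a later chmod reach outside the install."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, True)] + [(os.path.join(dirpath, f), False) for f in filenames]
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if actual != want:
                findings.append((path, actual, want))
    return findings


def fix_permissions(root):
    """Apply the expected modes; returns how many entries were changed."""
    findings = audit_permissions(root)
    for path, _actual, want in findings:
        os.chmod(path, want)
    return len(findings)


def locate_wp_config(root):
    """Mirror WordPress's lookup order: the install directory first, then its
    parent, but the parent copy only counts when the parent is not itself a
    WordPress install (no wp-settings.php beside it)."""
    here = os.path.join(root, "wp-config.php")
    if os.path.isfile(here):
        return here
    parent = os.path.dirname(os.path.abspath(root))
    above = os.path.join(parent, "wp-config.php")
    if os.path.isfile(above) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return above
    return None


def generate_salts(length=64):
    """Eight independent 64-character values drawn from the OS CSPRNG."""
    return {name: "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))
            for name in SALT_NAMES}


def render_defines(salts):
    """The define() lines to paste into wp-config.php."""
    return "\n".join("define('%s', '%s');" % (name, salts[name]) for name in SALT_NAMES)


def build_sample_tree():
    """Constructed throwaway install with deliberately loose modes (demo data,
    not a real site). Returns its root directory."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for name in ("index.php", "wp-config.php"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<?php\n")
    os.chmod(root, 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)                              # world-writable
    os.chmod(os.path.join(root, "index.php"), 0o666)      # world-writable
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)  # world-readable
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, actual, want in audit_permissions(root):
        print("%s: %o -> %o" % (os.path.relpath(path, root), actual, want))
    print("fixed", fix_permissions(root), "entries; config at", locate_wp_config(root))
    print(render_defines(generate_salts()))
```

Run the audit before the fix on a real install and read the findings first: a mode that is wrong on purpose (a cache directory the web server must write to) should be excluded rather than blindly reset.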

WANT EVEN HIGHER SECURITY? Here are a couple of additional tactics you can use:

  1. .htaccess lockdown
    • You can lock down your wp-admin directory by placing the code below in a .htaccess file inside wp-admin (not the site root, or you will lock out the whole site). You specify a list of IP addresses that may reach this area; a request from any other address is denied. Simply copy the code into the file and replace xxx.xxx.xxx.xxx with your allowed IP address, adding one "allow from" line per address you want to grant access to. Three notes: first, ISPs often hand out dynamic IP addresses that change from time to time, so you can easily lock yourself out; if this happens, edit the .htaccess file over SFTP and add your new address. Second, themes and plugins call wp-admin/admin-ajax.php from the public site, so a blanket lockdown breaks those features unless you add a files exception for admin-ajax.php that allows everyone. Third, this is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace the order/deny/allow lines with "Require ip" followed by your addresses.
      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "Access Control"
      AuthType Basic
      order deny,allow
      deny from all
      #IP address to Whitelist
      allow from xxx.xxx.xxx.xxx
  2. Change the WordPress table prefix
    • The WordPress table prefix is wp_ by default. You can change this before you install WordPress by editing the $table_prefix value in your wp-config.php file (only letters, digits and underscores are allowed). This defeats the canned attack scripts and SQL injection payloads that hard-code table names such as wp_users and wp_options, but it is not a substitute for fixing the injection itself: an attacker who can run arbitrary SQL can read the real table names from information_schema. Changing the prefix on a site that is already installed means renaming every table and also updating the rows that embed the prefix in their data (the {prefix}user_roles option and each user's {prefix}capabilities and {prefix}user_level meta keys), otherwise every user loses their role, so it is far easier to pick the prefix at install time.
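As an added example (not the page's own tooling and not part of WordPress), the script below generates the SQL for moving an already-installed site from one prefix to another and applies it to a constructed SQLite stand-in so the result can be checked. The prefix validation, the table renames and the two kinds of prefix-carrying rows are the parts that matter; the prefix lx7k_, the sample rows and the use of SQLite are assumptions for the demo. On a real site you would take a backup, put the site in maintenance mode and run the printed statements against MySQL, where ALTER TABLE ... RENAME TO and the UPDATEs are valid as written.

```python
"""Generate and apply the SQL that moves an installed WordPress site from one
table prefix to another. Added example, not the page's or WordPress's code."""
import re
import sqlite3

# Tables a single-site install creates, without the prefix.
CORE_TABLES = ("commentmeta", "comments", "links", "options", "postmeta", "posts",
               "terms", "term_relationships", "term_taxonomy", "termmeta",
               "usermeta", "users")

# Rows whose *content* embeds the prefix. Renaming tables alone leaves these
# pointing at the old prefix and every user silently loses their role.
PREFIXED_OPTIONS = ("user_roles",)
PREFIXED_USERMETA_KEYS = ("capabilities", "user_level", "user-settings", "user-settings-time")

# WordPress only accepts these characters in $table_prefix. Enforcing the same
# rule here keeps an operator-supplied prefix from turning the string-built
# statements below into SQL injection.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

# Subset of tables the constructed demo database contains.
SAMPLE_TABLES = ("options", "users", "usermeta")


def check_prefix(prefix):
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix must match [A-Za-z0-9_]+, got %r" % prefix)
    return prefix


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """Statements valid in both MySQL and SQLite: rename the tables, then patch
    the rows that carry the prefix inside option_name / meta_key."""
    check_prefix(old)
    check_prefix(new)
    if old == new:
        raise ValueError("old and new prefix are identical")
    stmts = ["ALTER TABLE %s%s RENAME TO %s%s;" % (old, t, new, t) for t in tables]
    if "options" in tables:
        for opt in PREFIXED_OPTIONS:
            stmts.append("UPDATE %soptions SET option_name = '%s%s' WHERE option_name = '%s%s';"
                         % (new, new, opt, old, opt))
    if "usermeta" in tables:
        for key in PREFIXED_USERMETA_KEYS:
            stmts.append("UPDATE %susermeta SET meta_key = '%s%s' WHERE meta_key = '%s%s';"
                         % (new, new, key, old, key))
    return stmts


def apply_migration(conn, old, new, tables=CORE_TABLES):
    """Run the whole migration in one transaction; returns the statements used."""
    stmts = prefix_migration_sql(old, new, tables)
    conn.executescript("BEGIN;\n" + "\n".join(stmts) + "\nCOMMIT;")
    return stmts


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def user_meta_keys(conn, prefix, user_id):
    sql = "SELECT meta_key FROM %susermeta WHERE user_id = ? ORDER BY meta_key" % check_prefix(prefix)
    return [r[0] for r in conn.execute(sql, (user_id,))]


def build_sample_db(prefix="wp_"):
    """Constructed in-memory stand-in for a WordPress database (sample rows,
    not from a real site) holding only the tables the migration touches."""
    p = check_prefix(prefix)
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE {p}options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE {p}users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE {p}usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO {p}options (option_name, option_value) VALUES ('siteurl', 'https://example.test');
        INSERT INTO {p}options (option_name, option_value) VALUES ('{p}user_roles', 'a:5:{{...}}');
        INSERT INTO {p}users (ID, user_login) VALUES (1, 'siteowner');
        INSERT INTO {p}usermeta (user_id, meta_key, meta_value) VALUES (1, '{p}capabilities', 'a:1:{{s:13:"administrator";b:1;}}');
        INSERT INTO {p}usermeta (user_id, meta_key, meta_value) VALUES (1, '{p}user_level', '10');
        INSERT INTO {p}usermeta (user_id, meta_key, meta_value) VALUES (1, 'nickname', 'siteowner');
    """.format(p=p))
    return conn


if __name__ == "__main__":
    conn = build_sample_db("wp_")
    for stmt in apply_migration(conn, "wp_", "lx7k_", SAMPLE_TABLES):
        print(stmt)
    print(table_names(conn))
    print(user_meta_keys(conn, "lx7k_", 1))
```

Plugins that create their own tables or store prefixed keys of their own are not covered by the core lists above; grep the dump for the old prefix before declaring the migration done.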