A Few Simple Steps to Make Your WordPress Installation More Secure

What is security?

Fundamentally, security is not about perfectly uncrackable systems, which might well be impossible to find and/or maintain. Security has more to do with trust and responsiveness. For example, a trusted host runs a stable, patched branch of their webserver (be it Apache, IIS, or whatever). They should tell you this, test their configuration themselves, and let you determine it for yourself. An untrusted host does not apply patches when they are released and does not tell you what server versions they are running. – via WordPress.org

Most people don’t think about web security until after they have been attacked. Why not take a few precautionary steps now that will reduce your chances of running into problems later? The WordPress.org Codex has a great page, titled Hardening WordPress, which is an in-depth reference on securing your WordPress installation. Here are a few WordPress security tips that I have found to be most important over the years.

Keep WordPress and Plugins Up-to-Date!

Upgrades and updates don’t necessarily mean new features. WordPress has two types of releases, incremental and major. Incremental releases, like 3.0 to 3.0.1, don’t introduce new features; they are bug fixes and security patches, and they are the ones you can least afford to skip, because once a fix is published the hole it closes is public too. Major releases, like 3.0 to 3.1, are where new features are implemented. In any case, it’s highly recommended you keep your core WordPress files up to date. With each release WordPress.org publishes a changelog where you can see what’s changed.

Same goes for plugins. Keep your WordPress plugins up to date, as developers release new versions not only for new features but for bug fixes and security patches as well. Each plugin in the WordPress.org plugin repository usually has a changelog page where you can see what has changed in each release. Here’s an example from Akismet. And delete plugins you no longer use rather than just deactivating them: a deactivated plugin’s files are still on disk and still reachable over the web, so a flaw in one can be exploited even though the plugin is “off”.
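One way to stop relying on remembering to click “update”, as an added example that is not code from the original post: WordPress 3.7 and later can apply updates in the background. By default it installs minor (point) releases of core on its own but leaves plugins and themes alone; the must-use plugin below opts plugins and themes in, with a hook to hold one back while you test it. The plugin slug my-custom-checkout is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php so it loads on every
 * request. Requires WordPress 3.7 or later, which introduced background updates.
 */

// Core: WordPress applies minor (security/maintenance) releases by itself by
// default. To also take major releases automatically, add this to wp-config.php:
// define( 'WP_AUTO_UPDATE_CORE', true );

// Plugins and themes are NOT auto-updated by default; opt everything in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Exception: hold back one plugin you want to stage on a test site first.
// The slug 'my-custom-checkout' is a hypothetical placeholder.
// Priority 20 runs after the blanket opt-in above, so this decision wins.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->slug ) && 'my-custom-checkout' === $item->slug ) {
		return false;
	}
	return $update;
}, 20, 2 );
```

Background updates need WP-Cron (or a real cron job hitting wp-cron.php) to fire, and they are skipped entirely if the install is under version control or the files are not writable by the web server, so check the site health / update screen after enabling this rather than assuming it is working.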

Admin Username & Passwords

Out of the box, WordPress defaults its administrator username to “admin”. I highly recommend you use something other than “admin”, since that is the first account the bad guys will try in brute-force attempts. WordPress now lets you choose the admin username during the installation process. Change this to something else.

WordPress will now tell you your password strength as well. Use a strong password with a mix of letters, numbers and symbols, like “987^%$abcd” instead of “password”, and make it long: length does more for you than clever substitutions. Don’t reuse it for your database, FTP or hosting control panel logins, since a compromise of any one of those would then hand over the rest.
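Renaming an account that is already called “admin”, as an added example that is not code from the original post. The WordPress profile screen won’t let you change a username, so this one-off script writes the users table directly. It assumes WP-CLI is installed and is run from the WordPress root with wp eval-file rename-admin.php; the new login site-owner-7f3a is a hypothetical placeholder.

```php
<?php
/**
 * rename-admin.php (added example, not from the original post)
 *
 * Usage, from the WordPress root:  wp eval-file rename-admin.php
 * WP-CLI bootstraps WordPress first, so $wpdb and the user API are available.
 * WP-CLI includes this file from inside a method, hence the explicit global.
 */
global $wpdb;

$old_login = 'admin';
$new_login = 'site-owner-7f3a'; // hypothetical replacement; choose your own

$user = get_user_by( 'login', $old_login );
if ( ! $user ) {
	WP_CLI::success( "No user named '$old_login' exists; nothing to do." );
	return;
}
if ( username_exists( $new_login ) ) {
	WP_CLI::error( "'$new_login' is already taken." ); // error() exits
}

// wp_update_user() silently refuses to change user_login, so update the row
// directly. user_nicename is changed as well: it forms the author archive URL
// (/author/<nicename>/), and ?author=1 redirects there, so leaving it alone
// would keep advertising the old login to anyone enumerating authors.
$updated = $wpdb->update(
	$wpdb->users,
	array(
		'user_login'    => $new_login,
		'user_nicename' => sanitize_title( $new_login ),
	),
	array( 'ID' => $user->ID ),
	array( '%s', '%s' ),
	array( '%d' )
);
if ( false === $updated ) {
	WP_CLI::error( 'Database update failed: ' . $wpdb->last_error );
}

// Drop the cached copy of the old user row so the change is visible immediately.
clean_user_cache( $user->ID );
WP_CLI::success( "Renamed '$old_login' to '$new_login' (user ID {$user->ID})." );
```

Check the display name on the profile screen afterwards: it is a separate field and may still read “admin”, which is shown publicly on posts and comments.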

Database Prefix

By default WordPress sets its table prefix to “wp_” but allows you to change this during the installation process. Like the admin account, change this to something custom so it can’t be guessed easily. Be clear about what this buys you: it defeats canned SQL injection payloads that hardcode “wp_users” and “wp_options”, but an attacker who has found an injection can still read the real table names from information_schema. Treat it as one cheap layer, not a substitute for patched plugins.
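The post covers choosing the prefix at install time; the script below, an added example that is not code from the original post, goes one step further and changes the prefix of an install that already uses “wp_”. It assumes WP-CLI, a fresh database backup, and that you edit $table_prefix in wp-config.php afterwards; the new prefix x7k2_ is a hypothetical placeholder.

```php
<?php
/**
 * change-prefix.php (added example, not from the original post)
 *
 * Usage, from the WordPress root, AFTER backing up the database:
 *     wp eval-file change-prefix.php
 * Then set  $table_prefix = 'x7k2_';  in wp-config.php, because WordPress reads
 * the prefix from that file on every request; until you do, the site is down.
 */
global $wpdb;

$old = $wpdb->base_prefix; // current prefix, e.g. "wp_" (base_prefix also covers multisite)
$new = 'x7k2_';            // hypothetical new prefix; letters, digits and underscore only

if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $new ) ) {
	WP_CLI::error( 'Prefix must contain only letters, digits and underscores.' );
}
if ( $old === $new ) {
	WP_CLI::error( 'New prefix is the same as the current one.' );
}

// 1. Rename every table that starts with the old prefix. esc_like() escapes the
//    underscore, which is otherwise a single-character wildcard in LIKE.
$tables = $wpdb->get_col(
	$wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $old ) . '%' )
);
foreach ( $tables as $table ) {
	$renamed = $new . substr( $table, strlen( $old ) );
	$wpdb->query( "RENAME TABLE `{$table}` TO `{$renamed}`" );
}

// 2. Some rows embed the prefix in their keys. WordPress looks them up under the
//    new prefix, so leaving them behind locks every user out of the dashboard
//    (no roles, no capabilities).
$wpdb->query( $wpdb->prepare(
	"UPDATE `{$new}options` SET option_name = %s WHERE option_name = %s",
	$new . 'user_roles',
	$old . 'user_roles'
) );
$wpdb->query( $wpdb->prepare(
	"UPDATE `{$new}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d))
	 WHERE meta_key LIKE %s",
	$new,
	strlen( $old ) + 1, // SUBSTRING is 1-based: keep everything after the old prefix
	$wpdb->esc_like( $old ) . '%'
) );

WP_CLI::success( sprintf(
	'Renamed %d tables from "%s" to "%s". Now set $table_prefix in wp-config.php.',
	count( $tables ), $old, $new
) );
```

The usermeta rewrite catches wp_capabilities, wp_user_level and the per-site wp_2_capabilities keys of a multisite install in one pass. After switching the prefix, log in and click through the admin screens; any plugin that hardcoded “wp_” in its own queries will fail loudly here, and that is the moment to fix or drop it.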

Remove WordPress Version Number

WordPress automatically displays the version number you are on in your site’s source, as a meta generator tag in the page head. This is usually not a problem if you’re running the most recent release, but if you’re not, an attacker can easily target your site with the vulnerabilities known for that version. Add the following line of code to your theme’s functions.php file to remove the tag. Note that this only removes the meta tag: the same version still shows up in the ?ver= query string on core scripts and styles and in the readme.html file in your WordPress root, so hiding it is no substitute for updating.

remove_action('wp_head', 'wp_generator');
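The one-liner above only covers the meta tag. The must-use plugin below, an added example that is not code from the original post, also silences the feed generator element and masks the version in the ?ver= cache-busting parameter on core assets, while still changing that parameter on every upgrade so browsers don’t keep stale files. It assumes a single-site install with a stock theme; the function name hv_mask_core_version is a placeholder.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/hide-version.php.
 */

// Meta generator tag in the HTML head, and the <generator> element in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core scripts and styles are enqueued as .../file.js?ver=3.1, which leaks the
 * version just as clearly. Replace ver= with an opaque tag when, and only when,
 * it equals the core version; plugin and theme assets carry their own versions.
 */
function hv_mask_core_version( $src ) {
	$query = parse_url( $src, PHP_URL_QUERY );
	if ( ! $query ) {
		return $src;
	}
	parse_str( $query, $args );
	if ( empty( $args['ver'] ) || $args['ver'] !== get_bloginfo( 'version' ) ) {
		return $src;
	}
	// Keep cache-busting: the tag changes on every core upgrade but cannot be
	// mapped back to a version. wp_salt() makes it unique to this install.
	$tag = substr( hash( 'sha256', get_bloginfo( 'version' ) . wp_salt() ), 0, 8 );
	return add_query_arg( 'ver', $tag, $src );
}
add_filter( 'script_loader_src', 'hv_mask_core_version' );
add_filter( 'style_loader_src', 'hv_mask_core_version' );
```

Verify with a quick curl of the home page (grep for “generator” and “ver=”) and of /readme.html; the latter is a plain file that this code cannot touch, so delete it or block it in the web server configuration.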

Move Your wp-config.php File

Your wp-config.php file contains information WordPress needs in order to run, from your database credentials to the authentication keys and salts, so it is something you don’t want anyone else to be able to read. By default this file lives in your WordPress root directory, but you can move it up one directory and WordPress will still find it: it checks the parent of the directory that holds wp-settings.php, and uses a wp-config.php there only if that parent does not also contain a wp-settings.php (so it doesn’t pick up a different install’s configuration). The point of the move is to keep the file outside the web-served document root, so a server misconfiguration that hands out .php files as plain text cannot hand out your credentials.

Example: if WordPress is installed in ‘/root/folder/’, move ‘/root/folder/wp-config.php’ up to ‘/root/wp-config.php’ (the parent directory), not down into a subfolder. Whether you move it or not, also make sure the file is not world-readable.

Remember… Backup, Backup, Backup!

Don’t ever assume you won’t get hacked. Probably the best and most important tip is to take backups of your site, both the files and the database. There are numerous plugins and methods of doing this, and if you take proper backups you won’t lose your data. Store copies somewhere other than the server itself (an attacker who owns the server owns its backups too) and actually try restoring one, because an untested backup is a hope, not a plan.

Here are some other great WordPress security resources (outdated but still useful).

Please note: These are just a few tips, there are an abundance of other resources out on the web to help you lock down your website. Google is your best friend, see what other people are doing!