One of the most important things to consider when developing a site for a client is client education and training on site security. It is true that once we develop a site for someone, information security belongs to them: we could have implemented all the best WordPress security plugins and processes, but if the user has a poor password it will only be a matter of time before they are exploited.
So, first and foremost, information security (site security) belongs to both the developer and the client. As far as the client is concerned, if their site gets hacked or there is a problem with the site due to security vulnerabilities, the first person they will blame is the developer. However, if we educate our clients on the importance of information security, while it may still be their tendency to blame the developer, it may not be their first recourse. Simply speaking, information security is everyone's responsibility.
Most of this information was obtained from the WordCamp Phoenix security presentation by WPVibe.com co-founder Dre Armeda and Brad Williams, CEO and founder of Webdev Studios.
So what are some security tips around passwords, plugins, and processes?
Processes
- Browser processes
- Use a secure connection whenever possible, e.g., https://.
- Use the NoScript Firefox extension if you use Firefox.
- FTP processes
- Use SFTP or SSH instead of plain FTP. FTP sends passwords unencrypted.
- Don't store credentials in your FTP client. As tempting as it is to have browsers and FTP clients remember your credentials, avoid doing this.
- Hosting
- Use hosts that talk about security. Free hosting is nice, but the cost of recovering a site may not be worth it.
- Purchase an SSL certificate from your hosting company.
- WordPress
- Update WordPress! This includes minor WordPress versions (3.0.x, 3.1.x, 3.2.x). WordPress is open source, and once a vulnerability is found it is public knowledge; if your site has not been updated, every attacker in the world knows how to get into it. Minor versions don't necessarily need development testing. Major releases (3.0, 3.1, 3.2) should be tested in a development/staging environment before implementation.
- Update plugins! Read the changelog and release details to determine whether the plugin is adding new features, patching known problems, or is a security upgrade.
- Change the database table prefix. The default is wp_, and everyone knows this, so change it to something unique. The famous five-minute install has a place for you to do this upon installation. There are also plugins that will help you change it, and if you know phpMyAdmin and MySQL, the prefixes can be changed rather easily. See also my pictorial guide: Pictorial Tutorial on WordPress Security: Change the WP_ Prefix.
- Use secret keys in your wp-config.php. To get your secret keys, visit the WordPress Secret Keys API. They are hashing salts for the cookies on your computer. Newer installations already have them; older installations may not. So if you started with an older WordPress installation and have upgraded, check to make sure these are in place. Changing them on a live site will only render current cookies invalid and will have no other adverse effects on the site.
- Lock down WP Login and WP Admin. Add the following code to wp-config.php to force SSL on login and on all admin pages. Using SSL (https) on all admin screens in WordPress encrypts everything transmitted with the same encryption as online shopping.
On login only:
[php]define( 'FORCE_SSL_LOGIN', true );[/php]
On admin pages:
[php]define( 'FORCE_SSL_ADMIN', true );[/php]
- Create an .htaccess file in your wp-admin directory to lock down access by IP address. Add the following lines to that .htaccess:
[html]
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP addresses to whitelist
allow from 67.123.83.59
allow from 123.123.123.123
[/html]
This example only allows requests coming from IP 67.123.83.59 or 123.123.123.123 to reach wp-admin. Note that IP addresses do change; if you are locked out, edit the file to include your new IP address, or simply delete the file. Also, this file will not be removed on WordPress upgrades, since it does not belong to WordPress core.
- Move wp-config.php. WordPress can load wp-config.php from one directory above your WordPress root. So if your wp-config.php file is located at
public_html/wordpress/wp-config.php
you can place it at
public_html/wp-config.php
instead.
- Disable the WordPress generator tag. Viewing the source of most WordPress sites reveals the version they are running, which helps attackers find vulnerable or outdated installations. To remove it, find the following code in your header.php and delete it:
[html]<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />[/html]
The wp_head() function also includes the WP version in your header. To remove it, add the following to your functions.php file:
[php]remove_action( 'wp_head' , 'wp_generator' );[/php]
Themes and plugins may also output their versions; some have an option to remove it, such as the Genesis Framework.
- Use trusted sources for themes and plugins. Use WordPress.org. Themes found elsewhere may contain base64-encoded code that can break your site or inject black-hat SEO. Instead of relying solely on Google or your favorite search engine, use these trusted sources:
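The secret-key, FORCE_SSL_ADMIN and generator-tag items above can be verified from a shell rather than by eye. The script below is an added example, not code from the original post or from WordPress: it reads a wp-config.php and a saved copy of a page's HTML (for instance the output of `curl -s https://example.com/`) from file paths you pass in, and the sample files it creates are constructed here for demonstration only. The function names (check_salts, check_force_ssl_admin, generator_version) are my own.

```shell
#!/bin/sh
# Added example (not code from the original post): audit a wp-config.php for
# the eight secret keys/salts and for FORCE_SSL_ADMIN, and look for the
# WordPress generator <meta> tag in saved HTML. Sample inputs are constructed.

# The eight constants WordPress expects to find in wp-config.php.
WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# check_salts FILE: prints "ok", or a space-separated list of
# "missing:NAME" / "placeholder:NAME" findings, where placeholder means the
# stock value 'put your unique phrase here' was never replaced.
check_salts() {
    config="$1"
    findings=""
    for name in $WP_SALT_NAMES; do
        line=$(grep -E "define\([[:space:]]*['\"]$name['\"]" "$config" | head -n 1)
        if [ -z "$line" ]; then
            findings="${findings:+$findings }missing:$name"
        elif echo "$line" | grep -q "put your unique phrase here"; then
            findings="${findings:+$findings }placeholder:$name"
        fi
    done
    echo "${findings:-ok}"
}

# check_force_ssl_admin FILE: prints "yes" if FORCE_SSL_ADMIN is defined as
# true (boolean, or the string 'true' as older guides wrote it), else "no".
check_force_ssl_admin() {
    if grep -qE "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*['\"]?true['\"]?[[:space:]]*\)" "$1"; then
        echo yes
    else
        echo no
    fi
}

# generator_version FILE: prints the version leaked by
# <meta name="generator" content="WordPress X.Y.Z" />, or nothing when the
# tag is absent (i.e. remove_action('wp_head', 'wp_generator') is in effect).
generator_version() {
    sed -nE 's/.*<meta name="generator" content="WordPress ([^"]*)".*/\1/p' "$1" | head -n 1
}

# --- constructed sample inputs (not real site data) -------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# wp-config.php with one placeholder salt (NONCE_KEY) and one missing (NONCE_SALT).
cat > "$SAMPLE_DIR/wp-config.php" <<'EOF'
<?php
define('AUTH_KEY',         'constructed-value-1');
define('SECURE_AUTH_KEY',  'constructed-value-2');
define('LOGGED_IN_KEY',    'constructed-value-3');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'constructed-value-5');
define('SECURE_AUTH_SALT', 'constructed-value-6');
define('LOGGED_IN_SALT',   'constructed-value-7');
define( 'FORCE_SSL_ADMIN', true );
EOF

# A page that still leaks the version, and one where wp_generator was removed.
cat > "$SAMPLE_DIR/leaky.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 3.2.1" />
</head><body></body></html>
EOF
cat > "$SAMPLE_DIR/clean.html" <<'EOF'
<html><head><title>example</title></head><body></body></html>
EOF

echo "salts:           $(check_salts "$SAMPLE_DIR/wp-config.php")"
echo "FORCE_SSL_ADMIN: $(check_force_ssl_admin "$SAMPLE_DIR/wp-config.php")"
echo "leaky.html:      version '$(generator_version "$SAMPLE_DIR/leaky.html")'"
echo "clean.html:      version '$(generator_version "$SAMPLE_DIR/clean.html")'"
```

Against the constructed wp-config.php the salt check reports `placeholder:NONCE_KEY missing:NONCE_SALT`, which is exactly the situation the post describes for an installation that was upgraded from an old version: some keys present, some never filled in. Any non-`ok` result is a reason to fetch a fresh set from the Secret Keys API; the only side effect of replacing them is that existing cookies stop validating.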
- Don't use admin for your username. All WordPress installs before WordPress 3.0 created an admin account. Change the admin username in MySQL (use your own table prefix if you changed it from wp_):
UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin';
Or:
- Create a new account with a unique username.
- Assign the account to the Administrator role.
- Log out and log back in with the new account.
- Delete the admin account (WordPress will allow you to reassign all content written by admin to an account of your choice).
- File/folder permissions. Good rule of thumb:
- files should be set to 644
- folders to 755
- if your host requires 777, switch hosts.
This can be easily checked/set via FileZilla by right-clicking on the file/folder and choosing File Permissions. Or via SSH (the semicolon that ends -exec must be escaped so the shell passes it to find rather than treating it as a command separator):
find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;
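As an added example (my own script, not from the original post), the following wraps the two find commands in a function and adds a check that lists which directories and files still deviate from the 755/644 rule, so you can review what will change before changing it. The miniature WordPress tree it builds is constructed in a temporary directory; run fix_permissions against a real install path to use it for real.

```shell
#!/bin/sh
# Added example (not code from the original post): apply the 755/644 rule of
# thumb to a WordPress tree and report entries that still deviate from it
# (e.g. the 777 folders and 666 files some hosts or FTP clients leave behind).

# list_nonconforming ROOT: directories not set to 755 and files not set to
# 644 under ROOT, one per line, for review before changing anything.
list_nonconforming() {
    find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \)
}

# count_nonconforming ROOT: how many such entries exist (0 means all clean).
count_nonconforming() {
    list_nonconforming "$1" | wc -l | tr -d ' '
}

# fix_permissions ROOT: the two find commands from the post. The backslash
# before ";" keeps the shell from treating it as a command separator.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
}

# make_sample_tree: constructed miniature WordPress layout containing one
# world-writable folder and one world-writable file; prints the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    chmod 755 "$root"
    mkdir "$root/wp-content" "$root/wp-includes"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-content/index.php"
    chmod 755 "$root/wp-includes"
    chmod 644 "$root/wp-config.php"
    chmod 777 "$root/wp-content"            # what a "777 required" host asks for
    chmod 666 "$root/wp-content/index.php"
    echo "$root"
}

SAMPLE_ROOT=$(make_sample_tree)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
echo "before: $(count_nonconforming "$SAMPLE_ROOT") entries deviate from 755/644"
list_nonconforming "$SAMPLE_ROOT"
fix_permissions "$SAMPLE_ROOT"
echo "after:  $(count_nonconforming "$SAMPLE_ROOT") entries deviate from 755/644"
```

On the constructed tree the count goes from 2 (the 777 folder and the 666 file) to 0. On a real install, run list_nonconforming first; a few files that a plugin deliberately made writable will show up there, and that is the moment to decide whether the plugin's requirement is acceptable or whether, as the post puts it, it is time to switch hosts.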
Passwords
- Use different passwords for your different sites.
- Use a password management tool
- Change passwords often
- Don't ever share your passwords with anyone
Plugins
Security Plugins:
- WordPress Exploit Scanner
- WordPress File Monitor
- Login Lockdown
- AskApache Password Protect
- BulletProof Security
- Secure WordPress
- BackupBuddy: Contains a Malware scanner module
- See also WP Smith: The Best Security Plugins for WordPress 3.0+
Backup Plugins:
Website Scanning Tools
Malware Removal
Security Related Codex Articles
Blog Security Articles (beware of the date published!)
- WP Beginner's Vital Tips and Hacks to Protect your WordPress Admin Area
- Sucuri.net
- GrowMap: WordPress Exploits
- WP Candy: Clever WordPress Security Tips
- SemLabs
- 18 WordPress Security Plugins & Tips To Secure Your Blog
- Cats Who Code: 10 Easy Ways to Secure your WordPress Blog
- WP Smith: The Best Security Plugins for WordPress 3.0+
Infographic by WPBeginner:
Bruce says
Very nice article.
I had been 'lazy' about implementing SFTP... until now. Have it set for all of my sites.
A note: the lockdown of WP Admin and Login are done in the wp-config.php file, for those that might not know.