August 18th, 2009 | by RichSage
How to Keep Wordpress Secure
Category: MAKE MONEY ONLINE, ONLINE SUCCESS, WEB TOOLS, WORDPRESS
Wordpress Security Best Practices by the Rich Sage
Starting with the basics and working up to the more advanced, I'll cover the practices you need to follow to keep WordPress secure, for your own sites and for your clients'. All of this leads up to another upgrade of my current WordPress installation to the latest stable version, sometime in September. I've started the planning now, and these are the security issues I'll look into as I make the migration.

Wordpress Content Management System
As I continue, I'll cover the most widely used WordPress "lock down" ideas you need to consider in your online success efforts. You may be out to make money online, but so is just about everyone else, including plenty of people with malicious ideas up their sleeves. These steps will cover your rear while you do it.
Keeping Wordpress Secure:
- First item on the list, and the simplest: are you running the current stable release of WordPress, one with no known security holes? Make sure you have upgraded to the latest release for the version you run, since that is where the fixes for published security issues land. At the bottom of this post I've also reviewed a few plugins that will help you find holes in your installation. Use them to find the weak points.
- When you log in to the admin area, use an account whose username is not "admin". Create a second account with administrator rights, log in as that account, and delete the "admin" account, attributing its posts to the new account when WordPress asks what to do with them. Keep in mind that with a username of "admin", anyone who wants into the account already knows half of the credentials and only has to guess the password. So give your account a clever username with admin rights, and then work on the password. Apply the same mentality to the password: make it long, mix letters and numbers, lowercase and UPPERCASE, and make it meaningless, especially to anyone else. Lastly, you can go one step further and access the admin area over SSL. You'll need an SSL certificate for your domain to create an encrypted path to the admin area; once it is in place, the FORCE_SSL_ADMIN setting in wp-config.php makes WordPress insist on https for every wp-admin and login request, so the password is never sent in the clear. There are many more details in the WordPress Codex article Administration Over SSL.
- In general, the files in your WordPress install should have "644" permissions, while the directories holding them should have "755". This is a general rule and depends a lot on how your hosting server is configured: if PHP runs as your own user (suPHP or suexec), 755 is enough for WordPress to write to wp-content/uploads; if the web server runs as a separate user, that one directory may need to be group-writable ("775") or, on badly configured hosts, world-writable ("777"). Never leave the whole install at 777, and keep wp-config.php as tightly restricted as your host allows, since it holds your database password. Again, I've posted links and reviews below to WordPress plugins that help you find and fix file and directory permission problems.
- Your wp-config.php file is in its normal location, the root of your WordPress install, alongside wp-admin, wp-content and wp-includes, but there is no hard rule that you need to keep it there. You can move the file UP ONE level, out of the public_html folder entirely. WordPress looks for wp-config.php in the install directory first and then in the directory directly above it (as long as that parent directory is not itself a WordPress install), so the moved file is found and you're good to go. With the file outside the document root, a server misconfiguration that serves PHP files as plain text can no longer expose your database password. Some of you may consider moving the entire wp-admin folder. I've read in a few forums where such a move was advised. You may be able to get away with it on a basic WordPress setup. However, when you have hundreds of WordPress installations to manage and a dozen plugins on each, this is ill advised: plugins hard-code the wp-admin path, so you may end up breaking many of them, and WordPress along with them.
- I've already advised you to keep WordPress updated. Just as importantly, keep your plugins updated to their latest releases. Plugins often ship security fixes, so upgrade them as they come out. The plugin directory now shows a change log for each plugin that describes exactly what each release changes, so you may be able to skip feature updates you don't need. However, I advise that you never skip a security update.
- WordPress 2.6 and later let you put secret keys in wp-config.php: three in 2.6 (AUTH_KEY, SECURE_AUTH_KEY and LOGGED_IN_KEY), with a fourth, NONCE_KEY, added in 2.7. WordPress uses these keys to sign its login cookies. If you leave the "put your unique phrase here" placeholders in place, WordPress falls back to secrets it stores in the database, which means anyone who can read your database (through a SQL injection or a stolen backup, for example) has what they need to forge a logged-in cookie; keys that live only in wp-config.php take that option away. WordPress.org runs a generator at https://api.wordpress.org/secret-key/1.1/ that returns a fresh random set. Grab those, paste them into wp-config.php and you are set. Changing the keys later is harmless; it simply logs every user out.
- Reset the database table prefix. By default your table names start with "wp_", and nearly every canned exploit that inserts or reads data after a SQL injection hard-codes wp_users, wp_options and so on. A prefix only you know doesn't stop the injection itself, but it makes those ready-made payloads fail until the attacker does extra work. Set $table_prefix in wp-config.php before you run the install; changing it on a live site means renaming every table and also updating the prefixed names stored inside the data (the user_roles option and the capabilities and user_level usermeta keys), so plan it as part of a migration rather than a quick edit.
- There are all kinds of things you can do with your .htaccess file, but they get complicated quickly. The usual approach is to allow only your IP address to reach wp-login.php or the wp-admin directory. That's fine when you have a static IP address, or a range of addresses you can list; if you work from changing addresses it will lock you out. I feel the easier way to accomplish the task is a plugin such as Login LockDown, which records the address behind each failed login and blocks further attempts from it after a set number of failures in a short period.
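Here is the list above as one shell script. It is an added example, not code from the original post or from WordPress itself. It assumes a GNU/Linux host with shell access, an install at a path such as /home/you/public_html that is also the site's document root, and PHP running as your own user or as a member of your group (otherwise keep wp-config.php at 644, or the site stops loading). The function names, the 64-character key generator and the sample prefix are my own choices; the wp-settings.php test in wp_move_config mirrors the check WordPress makes before it trusts a config file in the parent directory.

```shell
#!/bin/sh
# wp-harden.sh: added example, not code from the original post or from WordPress.
# Applies the hardening steps discussed above to an install rooted at ROOT
# (assumed to be the document root): file permissions, moving wp-config.php
# above the document root, random secret keys, a non-default table prefix,
# FORCE_SSL_ADMIN, and an .htaccess that limits wp-login.php to your IPs.
# GNU/Linux userland is assumed (find, sed, tr, head -c).

# wp_fix_perms ROOT
#   755 for directories, 644 for files, 775 for the uploads tree so a web
#   server sharing your group can write media, 640 for wp-config.php.
#   (640 assumes PHP runs as you or as a member of your group; if Apache runs
#   as an unrelated user you must keep 644.)
wp_fix_perms() {
    root=$1
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -d "$root/wp-content/uploads" ] && find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    # report anything still world-writable (the dangerous part of 777)
    find "$root" -perm -002 | sed 's/^/still world-writable: /'
    return 0
}

# wp_move_config ROOT
#   Moves wp-config.php one level up, where WordPress looks automatically,
#   unless the parent already holds a WordPress install (WordPress applies the
#   same wp-settings.php test before it reads a parent-directory config).
wp_move_config() {
    root=$1; parent=$(dirname "$root")
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    [ ! -f "$parent/wp-settings.php" ] || { echo "$parent is itself a WordPress install" >&2; return 1; }
    mv "$root/wp-config.php" "$parent/wp-config.php" && chmod 640 "$parent/wp-config.php"
}

# random_key: 64 letters/digits from /dev/urandom; alphanumeric only, so the
# value needs no escaping inside PHP single quotes or the sed expression.
random_key() { LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64; }

# edit SEDEXPR FILE: in-place sed without the GNU -i flag; writes back through
# the original inode so the file keeps its permissions.
edit() { sed "$1" "$2" > "$2.tmp" && cat "$2.tmp" > "$2" && rm -f "$2.tmp"; }

# wp_harden_config FILE PREFIX
#   Replaces the placeholder value of every *_KEY define with a fresh random
#   key, sets $table_prefix to PREFIX and appends FORCE_SSL_ADMIN. Run it on a
#   fresh wp-config.php before the install wizard; on a live site a prefix
#   change also means renaming the tables and the prefixed option/usermeta rows.
wp_harden_config() {
    cfg=$1; prefix=$2
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    case $prefix in
        ''|*[!A-Za-z0-9_]*) echo "prefix must be letters, digits or _" >&2; return 1 ;;
    esac
    cp "$cfg" "$cfg.bak"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY; do
        edit "s|define('$name', *'[^']*');|define('$name', '$(random_key)');|" "$cfg"
    done
    edit "s|^[\$]table_prefix *= *'[^']*';|\$table_prefix = '$prefix';|" "$cfg"
    grep -q FORCE_SSL_ADMIN "$cfg" || printf "define('FORCE_SSL_ADMIN', true);\n" >> "$cfg"
}

# wp_restrict_login HTACCESS IP...
#   Appends an Apache 2.2 block so only the listed IPv4 addresses or CIDR
#   ranges can reach wp-login.php. Use a static address or you lock yourself out.
wp_restrict_login() {
    ht=$1; shift
    [ $# -gt 0 ] || { echo "need at least one IP address" >&2; return 1; }
    for ip in "$@"; do
        case $ip in
            ''|*[!0-9./]*) echo "not an IPv4 address or range: $ip" >&2; return 1 ;;
        esac
    done
    {
        echo '<Files wp-login.php>'
        echo '    Order Deny,Allow'
        echo '    Deny from all'
        for ip in "$@"; do echo "    Allow from $ip"; done
        echo '</Files>'
    } >> "$ht"
}

# Usage: sh wp-harden.sh /home/you/public_html mysite_ 203.0.113.5
if [ $# -ge 3 ]; then
    root=$1; prefix=$2; shift 2
    wp_fix_perms "$root"
    wp_harden_config "$root/wp-config.php" "$prefix"
    wp_restrict_login "$root/.htaccess" "$@"
    wp_move_config "$root"
fi
```

Two cautions before running it on a real site: FORCE_SSL_ADMIN with no working certificate on the domain locks you out of wp-admin, and the .htaccess block uses the Order/Deny/Allow syntax of Apache 2.2, the version 2009-era hosts run; later Apache releases use Require ip instead.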
Finally, below is my list of WordPress plugins that can greatly aid your monitoring and hardening of WordPress:
I've already mentioned the Login LockDown plugin. The plugins below help with the security details. Trying to nail down security by checking file and directory permissions by hand gets tedious; using these plugins, you'll save a lot of time and trouble:
WP Security Scan — It goes over passwords, file permissions, database security and WordPress admin security, and helps you make the right adjustments.
WP Exploit Scanner – Suppose you suspect your WordPress installation has been compromised. This plugin helps you find the anomalies by searching the files and database for code and content that shouldn't be there. It won't prevent an attack, but it's better to know what has happened and take action.
WP Filemonitor — Monitors your WordPress installation for added, deleted and changed files. When a change is detected the plugin can be set up to send you an email notice, which is the quickest warning you'll get that someone has dropped a file into your install.
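The file-monitoring and exploit-scanning ideas above, as an added command-line example that is not code from the original post or from either plugin. It assumes GNU coreutils (sha256sum, comm) and an install directory passed as ROOT; the backdoor pattern it greps for (eval of base64_decode, gzinflate or str_rot13 output) is my choice of the most common shape, and no string list catches every injected file, which is why the hash comparison comes first.

```shell
#!/bin/sh
# wp-watch.sh: added example, not code from the original post or from the
# WP Filemonitor / Exploit Scanner plugins. Does from the command line what
# those plugins do from the dashboard: records a SHA-256 of every file in the
# install, reports what was added, removed or changed since, and flags PHP
# files that look like injected backdoors. GNU coreutils assumed.
export LC_ALL=C   # byte-order sorting so comm always sees consistently sorted input

# wp_baseline ROOT MANIFEST
#   Writes "sha256  ./relative/path" for every file under ROOT. Keep the
#   manifest outside the web root: an attacker who can edit your files can
#   edit a manifest stored beside them just as easily.
wp_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sort > "$2"
}

# wp_check ROOT MANIFEST
#   Prints "added", "removed" or "changed" plus the path for each difference
#   between the tree and MANIFEST; returns 1 if there were any, 0 if clean.
wp_check() {
    now=$(mktemp); gone=$(mktemp); new=$(mktemp)
    wp_baseline "$1" "$now"
    # lines only in the old manifest / only in the new one; the path starts
    # at column 67 (64 hex digits + two spaces), so names with spaces survive
    comm -23 "$2" "$now" | cut -c67- | sort > "$gone"
    comm -13 "$2" "$now" | cut -c67- | sort > "$new"
    comm -12 "$gone" "$new" | sed 's/^/changed  /'   # path in both lists: hash differs
    comm -23 "$gone" "$new" | sed 's/^/removed  /'
    comm -13 "$gone" "$new" | sed 's/^/added    /'
    n=$(cat "$gone" "$new" | wc -l | tr -d ' ')
    rm -f "$now" "$gone" "$new"
    [ "$n" -eq 0 ]
}

# wp_scan_suspicious ROOT
#   Lists PHP files that eval() obfuscated data (the usual shape of an
#   injected backdoor) and any PHP file under wp-content/uploads, where
#   nothing should be executable. Returns 1 if anything was found.
wp_scan_suspicious() {
    hits=$( {
        find "$1" -name '*.php' -exec grep -lE 'eval *\( *(base64_decode|gzinflate|str_rot13)' {} +
        find "$1/wp-content/uploads" -name '*.php' 2>/dev/null
    } | sort -u )
    [ -z "$hits" ] || printf '%s\n' "$hits"
    [ -z "$hits" ]
}

# Usage: sh wp-watch.sh baseline ROOT MANIFEST  (once, right after a clean install or upgrade)
#        sh wp-watch.sh check ROOT MANIFEST     (from cron; mail yourself the output)
case ${1:-} in
    baseline) wp_baseline "$2" "$3" ;;
    check)    wp_check "$2" "$3"; wp_scan_suspicious "$2" ;;
esac
```

Re-run the baseline step after every WordPress or plugin upgrade, otherwise the next check reports every upgraded file as changed and the real changes drown in the noise.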
I hope the above "best practices" for WordPress administration and management help you have a safe and successful online experience. Again, your make money online efforts are not easy at all. However, when you follow tried and proven measures, success is far easier than you can imagine.
Carpe Diem,
Rich Sage
WordPress is a great CMS and I feel it can be compromised; more needs to be done in the security of this great system.
I did not even realize there were so many things. However, how likely are you to get hacked? I think most of us won't have to worry about our blogs getting hacked into because we simply don't have any traffic.