Hardening Existing WordPress Installation
In the last installment, you’ve learned how to install WordPress securely from scratch. Now what should you do after it? Or, what could you do to harden your existing WordPress installation? This post has a few ideas for you.
It is worth reiterating that security is like a chain. It is only as weak as its weakest link. In other words, you should implement all of these tips, if at all possible unless you know the consequences and work around them.
Again this post is written for educational purpose only. There is no guarantee of any kind that just by implementing these your blog will be immune to intrusion.
1. Use Less Privileged User for Blogging
Bloggers should begin using WordPress regularly with less privileged users than administrator. This is basically how webmasters using content management system (CMS) should approach their web sites.
The Administrator role is there just to administer. If you need something to be done related to the system, Administrator is required.
However, for just regular posting, Author or Editor roles are more than enough. With power always comes responsibilities. It comes down to your practice and also preventative measures.
For instance, if you occasionally blog from a publicly accessible computer, you should remember to log out every time as you finish with your work inside the Dashboard. But a little counter measure like using a less powerful user role for blogging certainly helps minimize the risk too.
If you want to take it to the next level, install the Role Manager plugin. It is like user management on steroids.
2. Change the Default admin User
For bloggers who install WordPress manually, the default username with Administrator privilege is admin. Fantastico users are able to pick admin username and password as part of the installation process.
There are more fields to fill in but you will end up with a bit more secure installation of WordPress. Obfuscating the admin user name just makes it a bit harder for people to break in, but you should combine it with strong passwords.
Use the following SQL command to modify the user admin in your MySQL database.
$ mysql -u bloguser -p
mysql> use myblog;
mysql> update wp23jk1_users set user_login='myadm' where user_login='admin';
Now your admin user name is myadm instead of admin.
If you use phpMyAdmin or similar tool, look in the users table inside your WordPress database.
3. Limiting Access to wp-admin Directory
The wp-admin directory consists of all administration files required to manage your blog. Normally, blog readers don’t need to access it, but it is by default available to everyone.
For bloggers who are accustomed to use public computers to access their blog from anywhere in the world, or if their IP addresses change every so often, restricting access to wp-admin is impossible or hard to do.
However, if you have a computer with static IP address, it is possible that you allow access only via one or a range of IP addresses.
Apache, by far the most popular web server, allows you to do that within the main configuration file or the .htaccess file. Instead of putting it inside the root directory of your blog, this should be in .htaccess inside the wp-admin directory.
Order Deny,Allow Allow from ww.xx.yy.zz Deny from all
The IP address may appear as a single full IP address (10.1.2.3), partial IP address (10.1), network/netmask pair (10.1.0.0/255.255.0.0), or network/nnn CIDR specification (10.1.0.0/16).
4. Password Protect wp-admin Directory
WordPress already has its own password protection. You have to enter your user name and password to access the Dashboard. However, for added security, you can create a new layer of protection to authorize admin user at the web server level.
Of course, if you allow any user to register, it is not feasible to use this option unless you want to go through the hassle of maintaining users and passwords in two different and separate locations. In an ideal situation this username and password combination should be different than your WordPress user and password.
If you apply this protection, when you try to access anything within wp-admin, the browser will pop up a dialog box asking for username and password before showing the login screen.
In most web hosting control panel like cPanel, this option is available as part of the built-in feature. In my version of cPanel, it is named Web Protect.
Alternatively, you may also edit .htaccess in wp-admin directory and put the following line.
AuthType Basic AuthName "WordPress Dashboard" AuthUserFile /home/user/.htpasswrds/blog/wp-admin/.htpasswd Require user adminuser
Access to this directory is restricted to the adminuser with the password in AuthUserFile.
You need to generate encrypted password using the htpasswd command.
$ htpasswd -cm .htpasswd adminuser
5. Use Encrypted Channel If Possible for Administration
If your domain is SSL-enabled, you may want to use HTTPS for administrative tasks. Creating your own SSL certificate and signing it yourself is possible and that could be an option if you don’t use it for anything else like for e-commerce.
WordPress allows you to force all logins and admin sessions over HTTPS by defining the right variable in wp-config.php.
If you only want to force all logins to happen over SSL, use the FORCE_SSL_LOGIN variable / constant.
6. Prevent Others from Seeing Content in Any Directory
By default in most shared hosting environment, browsers are able to see the index of files within any directory accessible within the document root.
This may be the behavior that you expect, but it is also a risk because you show which files you put in the directory to the public. In an instance when the plugin that you use pose a security risk, by showing the files, people may know immediately that you are using that plugin.
Other web servers like lighttpd and nginx don’t have this problem because they disable directory indexing by default. To turn this off in Apache, you need to add the following line to .htaccess. If you want to turn it off in all directories within the domain, put the .htaccess file in the root directory of that domain.
Options All -Indexes
7. Hide WordPress Version Number in the Header Tag
Previously, to prevent WordPress from returning pages with WordPress version number as one of the meta data in the header tag, you only need to delete that line from the header.php file of your theme.
Since version 2.5, even if the line is not there in header.php, WordPress will add the line. If your WordPress version happens to be vulnerable, this invites crackers to break in.
It is arguable that people may still try to intrude your blog if they decide to do so, but consider that most of them will use some scripts to scour the blogosphere for certain WordPress version. Why do it manually if it can be automated?
If you disable WordPress version number in the header tag, your blog won’t be found. You still are recommended to upgrade to the newest version though.
How do you do this? You may edit WordPress core directly, but that sounds like a bad idea, because you have to do it each time you upgrade.
My favorite method is to add the following line to functions.php in my activated theme directory.
You may also modify the version number or make it blank by changing the global variable wp_version. Another way to disable WordPress version number is to use a plugin.
8. Limit File Access to wp-content Directory
The wp-content directory consists of your theme files, images and plugins. You may see other data files in there too created by various plugins.
WordPress doesn’t access the PHP files in the plugins and themes directories via HTTP so there is no need for any blog visitor to access them. The thing is, plugins may be one of the problems when it comes to security.
Restricting wp-content may be a good idea for this reason. You should disable access to all files except those with certain file extensions. It prevents people from accessing sensitive files directly.
Include the following lines in .htaccess within wp-content:
Deny from all
Allow from all
9. Upgrade to the Newest Version of WordPress
When new release becomes available, you should always upgrade especially if the release has fixed security problems.
WordPress upgrade, especially minor version upgrade, usually is a painless process. Just to be on the safe side, do the upgrade in the weekend. In a worst case, you will have time to fix thing if it is broken. Of course, most of the time it would only take a few minutes.
10. Backup Your Database and Files Regularly
While this is not directly related to security, it will save you a lot of time and hair loss if incidents really happen.
Install a plugin or use cronjob to dump database every day and copy your files off site regularly. The good news is, you can automate this process easily.
Return to How to Blog for Fun and Profit.
Return to Blog Tips for a Better Blog — Blog Building University.