WordPress (WP) is the internet's most popular Content Management System (CMS), but that also means it's one of the internet's biggest targets for attackers! We'll help you run a tight ship, though, to help keep your site safe. Check out our helpful tips below on how to a secure your WordPress site in no time.
Step 1 (Easy): Update
WordPress says that the most common way their platform is hacked is through vulnerabilities that are publicly known and have been patched in updates. The WordPress code is open-source and available for anyone to download, which means that would-be attackers have your site's source code. Whoops. If your site is kept up-to-date all the time, then you'll have the latest security patches in place, which makes you pretty durn safe.
The first and last word in WordPress security is 'Update'! Say it, believe it, live it. See more about why you should keep WordPress updated and learn how to update your plug-ins here.
Note: disabled plugins/themes are still accessible to would-be attackers, since they're in your 'public_html' folder, so they should be updated too, or deleted completely.
Step 2 (Intermediate): Secure Sensitive Data
WordPress is mostly written in PHP, which is processed on the server side. When people visit your index.php, they don't see your code, they see your site. If there are files in your account that don't end in '.php' though, they might not work that way and might be readable in a browser (i.e. they see code and not your site). If you change the extension of a .php file, like in renaming 'wp-config.php' to 'wp-config.php.backup', then it will be viewable by strangers on the internet as plain text (HTML)... that's like giving out your password to everyone in the world!
Here's a messy WordPress folder with some very publicly accessible sensitive data:
Can you spot all the problems?
'wp-config.php.broken' will load as plain text in the browser, because it doesn't end in '.php', which means that your site visitors will see PHP code, not your site. Since it's a copy of the 'wp-config.php', it contains the MySQL database information, including the password.
'disabled-htaccess' will load as plain text too, because it no longer starts with a dot (.) and it may contain information useful to an attacker.
'OLD-SITE-BACKUP' may not contain any exposed data, but the files in it are still accessible, and since it's from 2010 exploits that have been patched by updates to the current version of the site are not patched in this old one. Which means-YOU GUESSED IT-it could be attacked.
'daniel_wpdb.sql' is a plain text dump of the WordPress database. Not only does it contain all the site's text-based content, it also contains the MySQL username and password, and all the admin logins. A big no-no in regards to security.
'cpmove-daniel.tar.gz' is a full backup of the Daniel user's cPanel account, which contains all of Daniel's data, including his passwords and even his private emails. Ruh roh.
To easily correct most of these issues...
Rename 'wp-config.php.broken' to 'wp-config.broken.php'. Because it ends in '.php', no one can view its source code anymore.
Rename 'disabled-htaccess' to '.htaccess-disabled'. Since it starts in a dot (.) it's now a hidden file and can't be accessed by strangers.
Change the 'OLD-SITE-BACKUP' permissions from 755 to 000. Files and folders with 000 permissions are inert and are not accessible in a browser.
Move 'daniel_wpdb.sql' up to the home directory, or delete it. A '.sql' file isn't an active part of the website; it's just a backup of a databases used for archiving or transferring data. It probably isn't needed, but either way it shouldn't be in the 'public_html' folder.
Move the 'cpmove-daniel.tar.gz' file up out of the 'public_html' to the home directory '/home/daniel/'. The 'public_html' folder isn't a safe place for a backup of anything. Of course, there are other ways to hide it, but it probably shouldn't even be here.
Phew! Now the account looks like...
Step 3 (Advanced): Secure Admin Area
According to WordPress, the second most common way people gain unauthorized access to WordPress installations is through Brute Force attacks. A brute is someone who continually guesses your username and password until they get into your site. While we have a lot of protection against brutes getting into various services, we have limited ability to protect individual pages on your site from these kind of brute attacks.
The best way to protect your wp-admin area (your WordPress dashboard) is to create '.htaccess'-based protected areas. Now, let's create a username and password and the files necessary to protect your admin area.
Create a username and password (just make them up)
Find the encrypted version of your password so that we can put it right in the '.htpasswd'
There are a bunch of tools on the internet to help you find your encrypted password, but here is a simple one that you can try out: http://www.htaccesstools.com/htpasswd-generator/.
For this example, we're using the username 'admin' and the password 'password'. YOUR username and password better be stronger/more secure than that. Here's what we get from the generator:
Once you have your encrypted password, we can get to work!
Using FTP, File Manager, shell access, or your favorite method of access, create a '/home/username/.htpasswd' file, where 'username' is your cPanel username
Edit the file and add in the encryption line you got from the password generator, just like this:
Save that file and create another one here: '/home/username/.htaccess'
Note: it may already exist, which is okay; just add the following stuff to the bottom of it in that case.
ErrorDocument 401 default
AuthName "secure login area!"
Tip! Make sure you change 'username' in the path '/home/username/.htpasswd' to your cPanel username.
That's it! The '.htaccess' file you just made will protect every 'wp-login.php' in your entire cPanel account.
If you're having trouble creating these files, or with any other part of this, contact our Support ninjas and we'll be glad to help!
Also check out our Why You Should Update WordPress article for more info.