
Installing WordPress Securely

Going Beyond the Famous 5-Minute Installation

One of the most attractive features of WordPress is how it allows almost anyone to set up a CMS-powered website in a matter of minutes. WordPress’s famous 5-Minute Installation isn’t a joke. In fact, once you’ve done it a few times, you can cut that time down to 1 or 2 minutes. Unfortunately, if you only follow WordPress’s basic installation instructions, your site will be left with exactly the default names, prefixes and settings that automated attacks are written to expect, and with nothing in place to tell you when one of them succeeds.

WordPress Database Tables

Installing WordPress so that the CMS is more secure doesn’t require a computer science degree. However, it does require that you are okay editing a few Apache configuration files, typing in a few things on the command line, and maybe installing software on a web server. I’m also going to assume you’ve installed WordPress at least once before and are already familiar with the 5-Minute Installation procedure. By spending some extra time on your installation, you will lay a sturdy foundation for a secure WordPress site.

Choose Your Web Host Wisely

Before we even talk about installing WordPress, make sure you are going to be hosting your site on a high-quality, secure server with a reputable hosting company. Going for the cheapest deal on the Internet will do absolutely nothing towards helping keep your WordPress site secure.

Managed WordPress Hosting

I almost always recommend a managed WordPress hosting service. These types of servers are configured especially for WordPress and have the best performance and security. In fact, some of the things I am going to go over in this article don’t need to be done if you’re on a managed WordPress host like WP Engine. If you prefer to “set it and forget it”, this is the option for you.

VPS and Dedicated Hosting

If you prefer a more hands-on approach, a virtual private server (VPS) or dedicated server is what you’re looking for. These types of hosting environments allow you full control over your server’s configuration. VPS is a nice in-between option that gives you control at a much lower price. MediaTemple and DigitalOcean are great hosts that offer VPS options which don’t break the bank. However, depending on the VPS package you choose, you may be solely responsible for setting up your server’s security: the firewall, SSH hardening, operating system updates and the web server and PHP configuration are all yours. Unless you enjoy doing that kind of thing, I recommend a managed VPS server where most of the major security configurations are the responsibility of the host. Server security is best left to the professionals, as far as I’m concerned!

Download WordPress

When installing WordPress, always begin with a fresh set of files for the latest version, downloaded directly from WordPress.org and never from a copy bundled with a theme or passed along by someone else. Before you unpack the archive, compare it against the checksum published next to it on the WordPress.org releases page, so you know the files you are about to run are the ones the project shipped.

Set Up the Database

When creating the MySQL user and database for your WordPress site, some general rules-of-thumb will help keep attackers out of your database.

Use a unique MySQL user and database for each WordPress site

If you host multiple WordPress sites on your server, create a different MySQL user and database for each and every site, and grant each user privileges on its own database only. If one site’s MySQL user is compromised (through a vulnerable plugin, say, or a leaked wp-config.php), the attacker could read and modify every other site on your server if they share that user.

Choose random MySQL user and database names

Don’t name your MySQL user or database “wordpress”, “wp”, or anything else that could be easy to guess. I often use a password generator to create random strings of letters and numbers which I then use for my user and database names. There’s no reason to make them memorable because once you’ve set up your wp-config.php file, you rarely need to handle them again. Keep in mind that random names only defeat scripts that try the defaults; the strong, unique password and the restricted privileges are what actually keep an attacker out.

define('DB_NAME', '43btEMQ9');
define('DB_USER', '8qN8DRP7');
define('DB_PASSWORD', '3ZyWZ3j4XjU?;n');
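As an added example that is not from the article, here is a small shell script that generates the SQL to provision one isolated, least-privilege database account per site, with random names and a strong random password, followed by the matching wp-config.php lines. It assumes MySQL or MariaDB, a database running on the same host as PHP (hence the 'localhost' restriction) and a /dev/urandom device; the function names are mine.

```bash
#!/bin/sh
# Added example, not code from the article: emit the SQL that provisions one
# isolated MySQL database and user for a single WordPress site.
# Assumptions: MySQL/MariaDB syntax, PHP and the database on the same host
# (so the account is restricted to 'localhost'), /dev/urandom available.

# Print N random alphanumeric characters (safe inside SQL and PHP quotes).
rand_alnum() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$1"
}

# Print the provisioning statements for one site, then the wp-config.php
# lines that go with them.
# Usage: wp_db_provision_sql > site.sql && mysql -u root -p < site.sql
wp_db_provision_sql() {
  db_name=$(rand_alnum 12)
  db_user=$(rand_alnum 12)
  db_pass=$(rand_alnum 32)
  cat <<EOF
-- One database and one account per site, neither named after WordPress.
CREATE DATABASE \`$db_name\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
-- The account may only connect from the web server itself.
CREATE USER '$db_user'@'localhost' IDENTIFIED BY '$db_pass';
-- Rights on this one schema only: no global privileges, no GRANT OPTION,
-- so a compromise of this site cannot reach any other database.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER,
      CREATE TEMPORARY TABLES, LOCK TABLES
  ON \`$db_name\`.* TO '$db_user'@'localhost';
FLUSH PRIVILEGES;

-- Paste into wp-config.php:
-- define('DB_NAME', '$db_name');
-- define('DB_USER', '$db_user');
-- define('DB_PASSWORD', '$db_pass');
EOF
}
```

GRANT ALL PRIVILEGES ON the one database is the common shortcut and is still scoped to that schema; the explicit list above covers core, updates and the plugins that create their own tables, and nothing more. If the database lives on a separate host, replace 'localhost' with the web server’s address rather than '%'.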

Configure WordPress

Before we run the WordPress installation, we need to make a few changes in wp-config.php. The following edits and additions will go into that file.

Use a custom table prefix

We’re going to create a custom table prefix for our database so that automated attacks which blindly target the default wp_ tables (a SQL injection payload that writes to wp_users, for instance) fail. Treat this as a speed bump rather than a wall: an attacker with a working injection can read the real prefix from the database itself, so the prefix mainly filters out mass, unattended attacks.

$table_prefix = 'wp_';

Edit this line and change the value to a random string of letters and numbers.

$table_prefix = 'dRev4m_';

Generate (and regenerate) the security keys

Whenever you log in, WordPress sets authentication cookies in your browser to keep you logged in. Each cookie carries a signature computed from these keys and salts; without the secrets an attacker cannot forge a valid cookie, and a stolen cookie stops working the moment the secrets change. The keys themselves never appear in the cookie, so as long as they are long and random (and never left at the placeholder values below) the cookies are effectively unforgeable.

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Always generate these security keys when installing WordPress. The WordPress.org secret-key service will produce a ready-to-paste set for you. You should also regenerate these keys whenever you migrate the site to another server or suspect that a user account has been compromised: changing them invalidates every existing login session, including the attacker’s, and forces everyone to log in again.
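As an added example that is not from the article, the following shell functions generate the eight definitions locally in the same format the WordPress.org secret-key service returns, so the secrets never travel over the network. It assumes a /dev/urandom device and POSIX tr and head; the function names are mine.

```bash
#!/bin/sh
# Added example, not code from the article: generate the eight wp-config.php
# keys and salts locally. Assumes /dev/urandom and POSIX tr/head.

# 64 random printable characters, excluding the quote and backslash so the
# value can be dropped into a single-quoted PHP string without escaping.
wp_random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#$%&()*+,./:;<=>?@^_{|}~' < /dev/urandom | head -c 64
}

# Print the eight define() lines ready to replace the placeholders.
# Usage: wp_generate_salts   (paste the output over the 'put your unique
# phrase here' lines; every existing login session becomes invalid)
wp_generate_salts() {
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$name" "$(wp_random_secret)"
  done
}
```

Run it once per site and once more whenever you want to force every session out; never reuse a set of keys across sites, since anyone who reads one wp-config.php could then forge cookies for the others.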

Disable the backend file editor

I’m not sure why this editor even exists, but if an attacker compromises an administrator user, they can use it to write arbitrary PHP into a theme or plugin file and have the server run it. You should disable the editor by adding the following line:

define('DISALLOW_FILE_EDIT', true);

Require authentication for theme and plugin installations

An attacker with an administrator account can also install malicious code as a plugin or theme, or upload it as a fake update. To raise the bar, you can force WordPress to go through a remote-filesystem method for every file change, so that the FTP or SSH credentials must be entered each time. This only works as intended if you do not also define FTP_USER, FTP_PASS or FTP_HOST in wp-config.php; with those present, WordPress fills in the credentials itself and nothing is gained. Note as well that 'ssh2' requires the PHP ssh2 extension on the server. Add one of the following to wp-config.php:

// If you use SFTP (requires the PHP ssh2 extension)
define('FS_METHOD', 'ssh2');

// If you use FTPS
define('FS_METHOD', 'ftpext');
define('FTP_SSL', true);

Now, whenever you try to install, update or delete a theme or plugin (or update WordPress core itself), WordPress will require you to enter your credentials. If you would rather rule out changes from the dashboard entirely and deploy code some other way, define('DISALLOW_FILE_MODS', true) removes the install and update screens altogether; remember that you then have to apply updates yourself.

Installation

Username and Password

Now that your database and configuration are set up, browse to your site to start the WordPress installation. The most important things to do here are to choose a good username and password.

Your username should not be easily guessable. Avoid the obvious ones like admin and administrator. You should also avoid using your domain name. For example, if your site’s domain is central-services.com, don’t make your username central-services. In my brute-force logs, I’ve seen bots use this approach all the time.

It goes without saying that you need a secure password or passphrase. Use a password manager so that you never have to memorize it; a password you can comfortably remember is usually one that’s easy to guess. Your administrator password should be at least 14 characters long and use a combination of uppercase and lowercase letters, numbers, and special characters. If you must memorize it, use a passphrase containing at least 4 words, one of which can’t be found in a dictionary. Treat the WordPress password strength meter reading “Strong” during installation as the minimum, not a guarantee: it is a heuristic and cannot tell that a password has leaked elsewhere, so never reuse one from another site.

Complete Administrator Profile

After installation is complete and you’ve logged in for the first time, go to Users → Your Profile. Your nickname will automatically be the same as your username. You should change this to something different. Also change Display Name Publicly As to something other than your username, so the login name is not printed on every post. Be aware that the author archive URL (the /author/… slug) is still derived from the username and can be found by requesting ?author=1 on the site, so treat the username as something attackers may eventually learn and rely on the password and the brute-force protection below.

Securing Your Server

Security plugins can be classified by two major categories: Prevention and Detection. Prevention plugins are designed to stop attackers from getting anywhere with your site. Detection plugins are the ones that monitor your site and notify you after a hack has happened.

Prevention

Brute Force Attacks

Brute force attacks happen when a user or a bot repeatedly attempts to log into your server or website using guessed usernames and passwords. We can prevent this by either using a WordPress plugin or, better still, software that blocks this traffic before it hits WordPress at all.

The Limit Login Attempts plugin is the easiest option out there. Install it, activate it, and you’re done.

Using a WordPress plugin to handle brute-force attacks is easy and works very well, but it can be a strain on server resources if you have a very busy site. This is because those plugins store their data in the WordPress database which must then be queried with every login attempt, even when that user has already been blocked from the site. Ideally, we want the server to drop the attacker’s traffic before it even hits WordPress, thereby saving database queries and reducing server load. Fail2Ban is the tool we need to accomplish this. It scans server log files for multiple bad login attempts and then drops traffic from those IP addresses for a certain amount of time using the server’s firewall. This happens at the OS level, so PHP and the WordPress database are not involved at all. One caveat: Fail2Ban bans whatever address appears in the log, so if your site sits behind a CDN or reverse proxy you must configure the web server to log the real client address, otherwise you will end up banning your own proxy. To learn how to set this up, check out my other article on preventing WordPress brute force attacks with Fail2Ban.
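To make the Fail2Ban idea concrete, here is an added example (my own, not from the article or from Fail2Ban) that applies the same detection logic with awk to a constructed Apache access log and prints the firewall rules a ban action would run. It assumes the combined log format and the usual wp-login.php behaviour: a failed login re-renders the form with HTTP 200, a successful one answers with a 302 redirect to the dashboard. The log lines and addresses are made up (documentation ranges), and the function names are mine.

```bash
#!/bin/sh
# Added example, not from the article or Fail2Ban: the detection logic of a
# wp-login Fail2Ban filter, applied with awk to a constructed access log.
# Assumptions: Apache combined log format, a failed login answers 200 and a
# successful one 302. Addresses come from the documentation ranges.

SAMPLE_LOG='203.0.113.7 - - [10/Oct/2014:13:55:30 -0400] "GET /wp-login.php HTTP/1.1" 200 2412 "-" "python-requests/2.4"
203.0.113.7 - - [10/Oct/2014:13:55:31 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.4"
203.0.113.7 - - [10/Oct/2014:13:55:32 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.4"
203.0.113.7 - - [10/Oct/2014:13:55:33 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.4"
203.0.113.7 - - [10/Oct/2014:13:55:34 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.4"
203.0.113.7 - - [10/Oct/2014:13:55:35 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.4"
203.0.113.7 - - [10/Oct/2014:13:55:36 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.4"
198.51.100.2 - - [10/Oct/2014:14:02:10 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2014:14:02:25 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2014:14:02:40 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2014:14:02:41 -0400] "GET /wp-admin/ HTTP/1.1" 200 41020 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2014:14:05:00 -0400] "GET /2014/10/hello-world/ HTTP/1.1" 200 9071 "-" "Mozilla/5.0"'

# Read an access log on stdin; print "<failures> <ip>" for every client
# with at least $1 failed logins (default 5), worst offender first.
wp_login_failures() {
  awk -v limit="${1:-5}" '
    # $1 client IP, $6 method (with leading quote), $7 path, $9 status.
    # Exact path match: a failed POST to the login form comes back as 200.
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
  ' | sort -rn
}

# Turn that list into the iptables rules a Fail2Ban ban action would run.
# Printed, not executed: review them, then pipe through sh as root.
wp_ban_rules() {
  while read -r count ip; do
    printf 'iptables -I INPUT -s %s -j DROP   # %s failed logins\n' "$ip" "$count"
  done
}

# Demo on the constructed log: only 203.0.113.7 crosses the threshold;
# 198.51.100.2 mistyped twice and then logged in (302).
printf '%s\n' "$SAMPLE_LOG" | wp_login_failures 5 | wp_ban_rules
```

Fail2Ban adds the time window and the automatic unban on top of this; the filter logic is the part that matters, and it is only as good as the client address in the log, which behind a proxy means logging X-Forwarded-For or using mod_remoteip.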

Malware

Malware is almost always the end result of a WordPress hack. If the attacker isn’t brute forcing your site, then they are probably trying to exploit a known vulnerability in WordPress core, a plugin, a theme or PHP itself so that they can inject their malware into your site files or database. The single most effective step is to keep core, plugins and themes updated, because the overwhelming majority of these injections use bugs that were fixed long before the attack; beyond that, we need to block the common exploit patterns at the web server.

Using the iThemes Security plugin is the easiest way to implement this. The plugin will guide you through securing your WordPress site and will generate a block of .htaccess rules that are designed to prevent several common WordPress exploits.

Detection

In the unfortunate event that your site is hacked, you need to know it’s happened as soon as possible. If you have malware on your site sending spam or generating pharma links, it’s only a matter of time before someone like Google takes notice and blacklists your site. After that, you’ve got even more work on your hands to clean up your reputation.

I keep mentioning iThemes Security and for good reason. It’s the best (free) option out there for easy prevention and detection. It has a good malware detection solution using the VirusTotal API as well as file change detection. Both of these are essential measures to take when trying to detect a site hack.

If you have the money, Sucuri is definitely the best option out there. Their WordPress plugin is free, but if you want their malware detection, firewall, and cleanup services, it’s going to cost you at least $10 per month. Don’t get me wrong, that’s totally worth it to avoid having to deal with website hacks yourself. However, if I’m going to pay a premium for security, I’d rather use that money toward a managed WordPress host who takes care of all these things for me. For example, WP Engine and MediaTemple’s managed WordPress hosting plans already come with backup, firewall, and malware detection and removal services.
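File change detection is simple enough to build without a plugin, and doing it once by hand shows what the plugins are actually checking. As an added example that is not the article’s or any plugin’s code, the functions below record a baseline of file hashes for a site, then report every file that was added, removed or modified since, ignoring the uploads directory where content legitimately changes. The demo builds a constructed site tree in a temporary directory; it assumes GNU coreutils (sha256sum, comm, mktemp), and the function names are mine.

```bash
#!/bin/sh
# Added example, not code from the article or from any plugin: a minimal
# file-integrity baseline and check for a WordPress tree.
# Assumes GNU coreutils (sha256sum, comm, mktemp) on the server.
export LC_ALL=C   # byte-wise sort order so sort and comm agree

# Hash every file under the site root except uploads (media changes are
# expected there) and write sorted "hash  path" lines to the baseline file.
# Usage: wp_integrity_baseline /var/www/site /root/site.sha256
wp_integrity_baseline() {
  (cd "$1" && find . -type f ! -path './wp-content/uploads/*' \
      -exec sha256sum {} + | sort) > "$2"
}

# Recompute the listing and print each path whose line differs from the
# baseline: modified files show up with a new hash, new files with no
# baseline line, deleted files with no current line.
# Usage: wp_integrity_check /var/www/site /root/site.sha256
wp_integrity_check() {
  current=$(mktemp)
  wp_integrity_baseline "$1" "$current"
  comm -3 "$2" "$current" \
    | sed 's/^[[:space:]]*[0-9a-f]\{64\}  //' \
    | sort -u
  rm -f "$current"
}

# Demo on a constructed tree: baseline it, simulate a compromise, check.
wp_integrity_demo() {
  root=$(mktemp -d); base=$(mktemp)
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads" "$root/wp-content/plugins"
  printf '<?php define("DB_NAME", "43btEMQ9");\n' > "$root/wp-config.php"
  printf '<?php $wp_version = "4.0";\n' > "$root/wp-includes/version.php"
  printf 'jpeg bytes\n' > "$root/wp-content/uploads/photo.jpg"
  wp_integrity_baseline "$root" "$base"

  printf '// line appended after the baseline\n' >> "$root/wp-config.php"            # modified
  printf '<?php // file dropped after the baseline\n' > "$root/wp-content/plugins/evil.php"  # added
  printf 'new jpeg bytes\n' > "$root/wp-content/uploads/photo.jpg"                   # ignored

  wp_integrity_check "$root" "$base"
  rm -rf "$root" "$base"
}

wp_integrity_demo   # prints ./wp-config.php and ./wp-content/plugins/evil.php
```

Store the baseline somewhere the web server cannot write (root’s home, or off the box entirely), refresh it right after every legitimate update, and run the check from cron; a non-empty report between updates is the earliest warning you will get.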

In Conclusion…

By implementing these measures on your WordPress site, you’ve moved its security up several notches, hardening it against almost all common, low-level attacks. Do you have any other steps you recommend to improve the security of your WordPress installation? Sound off in the comments!

Adam Walter

Adam Walter is a front-end developer, lover of WordPress, and Director of Development at Vital in Portsmouth, NH.