Basic WordPress security measures prevent the most common simple breaches. WordPress-powered websites are far from immune to hackers, although the latest releases do address many earlier security issues. WordPress, like all other popular content management systems and forums such as phpBB and vBulletin, is a major target for hackers and spammers. Basic prophylactic measures need not be complicated or expensive.
Those involved in hacking WordPress usually want to use the sites as concealed (cloaked) link farms. It’s rare that actual damage is done to your site, and often the site owner remains blissfully unaware that there’s been any interference. Some of the link injection systems are extremely sophisticated! Testing for enemy action can be as simple as opening your site and choosing View / Source and reading through the content of the <Head> section down to, and including, the tag. The link injections I’ve seen are usually in there. Is there a long string of HTML code containing links to dozens of sites you know nothing about? If there is, you’ve been had and should contact a WP Tech Support expert!
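The manual check described above, automated as an added example (this is not code from the article): it reads the raw page source from the top down to the closing head tag, as the article suggests, and lists any anchor links in that region that point at a host other than your own. The sample page and the host example.com are constructed for the illustration.

```php
<?php
// Added example (not from the article): list <a href> links that sit inside the
// <head> of a page's raw HTML and point at a host other than your own.
// This is the "View / Source and read the head" check, automated.

function normalise_host(string $host): string {
    // Compare hosts case-insensitively and treat www.example.com as example.com.
    return preg_replace('/^www\./', '', strtolower($host));
}

function find_foreign_head_links(string $html, string $own_host): array {
    // Work on the raw source from the top down to the closing head tag. A DOM
    // parser is deliberately avoided: HTML parsers move stray <a> tags out of
    // <head> into <body>, which would hide exactly what we are looking for.
    $end  = stripos($html, '</head>');
    $head = ($end === false) ? $html : substr($html, 0, $end);

    $own = normalise_host($own_host);
    $suspects = [];
    if (preg_match_all('/<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\']/i', $head, $m)) {
        foreach ($m[1] as $url) {
            $host = parse_url($url, PHP_URL_HOST);
            if (empty($host)) {
                continue; // relative URL: points at this site, not a link farm
            }
            if (normalise_host($host) !== $own) {
                $suspects[] = $url;
            }
        }
    }
    return $suspects;
}

// Constructed sample page: a normal head plus a hidden injected link block.
$sample = <<<'HTML'
<html><head><title>My Blog</title>
<link rel="stylesheet" href="https://www.example.com/wp-content/themes/t/style.css">
<div style="display:none"><a href="http://cheap-pills.example.net/">pills</a>
<a href="HTTP://casino.example.org/x">casino</a> <a href="/about/">about</a></div>
</head><body><a href="http://other.example/">body links are out of scope</a></body></html>
HTML;

$hits = find_foreign_head_links($sample, 'example.com');
echo $hits ? "Suspicious links inside <head>:\n  " . implode("\n  ", $hits) . "\n"
           : "No foreign links found inside <head>.\n";
```

On the constructed sample it reports the two links to cheap-pills.example.net and casino.example.org; the relative /about/ link and anything after the closing head tag are ignored.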
This article is not about fixing security violations. It’s about simple prophylactic measures most “non-technician” site owners can take. This is not a slick and professional security strategy, and there are some who will scoff at using “security by obscurity” as a primary tactic. However, even on a tight budget, the following 10 zero-dollar steps can and should be taken to minimise the possibility of attack.
Hardening WordPress
1 – Always Use the Current WordPress Version
Why anyone would persist with an older version is beyond me. Upgrading has always been easy enough, and recent versions reduce the pain to a mere button click! The community of authors works extremely hard and surprisingly quickly to address known security problems.
2 – Remove WP Target Identifiers
Remove the Powered by WordPress credit details in the footer of your website’s theme, e.g. /wp-content/themes/the-current-theme/footer.php. This is the fastest way to reduce the chances of the ill-intentioned finding your site in the first place! Try it – do a search on Google for “Powered by WordPress” and you’ll get the picture… At the time of writing, there are 106 million competing page opportunities out there for hackers!
By all means, give WordPress the credit they deserve – but you could do it on your links page, or make it a graphic/image link instead of text…
WordPress themes may also come with a giveaway WP version HTML tag in the Head section which you may see in View / Source.
Obviously, this immediately reveals the WordPress version used on the site. Since some versions are vulnerable to known security flaws, you’ve just told the hackers where they are best to start their evil work…
Removing this giveaway is straightforward enough. Simply open up /wp-content/themes/the-current-theme/header.php and delete the code that’s outputting the Meta Generator tag.
RSS Feed: There is another version identifier tag in the RSS feed output, e.g. http://wordpress.org/?v=2.8.4. Removing the RSS version identifier can be done by opening /wp-includes/general-template.php and searching for “function the_generator”.
The line immediately below that statement commences with echo apply_filters('the_generator', … . Place a # character in front of the word echo, so that it reads #echo apply_filters('the_generator', … and so on. In PHP, # starts a single-line comment, so that line no longer runs.
Doing the above pretty much gets you out of the spotlight and into the shadows. You could also remove links to “Log In” from the current theme’s footer. There are 3.8 million competing page opportunities for a Google search for “wp-login.php” and it’s probably a good thing to not be on that list either.
WordPress also adds two easily accessible files in the directory into which it’s installed: license.txt and readme.html. Renaming or removing those is important because they also contain WP version information!
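The same generator-tag removal done from the theme rather than by editing core files, as an added example (not the article's own code; core edits such as the #echo change above are overwritten by the next upgrade, which step 1 asks you to apply promptly). It uses WordPress's own hooks and goes in /wp-content/themes/the-current-theme/functions.php. The last part goes a little beyond the article's two tags: the ?ver=x.y.z query strings on enqueued scripts and styles leak the same version number.

```php
<?php
// Added example, not code from the article: hide the WordPress version using
// theme hooks instead of editing core. Place in the active theme's functions.php
// (assumed path: /wp-content/themes/the-current-theme/functions.php).

// 1. Stop wp_head() printing <meta name="generator" content="WordPress x.y.z">.
//    wp_generator is the core callback hooked on the wp_head action.
remove_action('wp_head', 'wp_generator');

// 2. Blank the generator string everywhere it is emitted, including the RSS and
//    Atom feeds. This is the value the article's #echo edit in
//    general-template.php suppresses; the_generator is the filter applied there.
add_filter('the_generator', '__return_empty_string');

// 3. Strip ?ver=x.y.z from enqueued script and style URLs. The default value of
//    that parameter is the WordPress version, so it leaks the same information.
function hide_wp_version_in_assets($src) {
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src',  'hide_wp_version_in_assets', 9999);
add_filter('script_loader_src', 'hide_wp_version_in_assets', 9999);
```

Note that removing the ver parameter also disables cache busting for those assets, so clear any page or CDN cache after theme or plugin updates.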
3 – Don't Use Default Admin ID
If you recklessly use “admin” as the default user ID, you’ve given the hacker half the pieces of the puzzle and they only have one item left to crack – the password.
4 – Don't Use Easy Passwords
Don’t make it easy for the hackers! Use super-difficult passwords that are impossible to guess, and not easy to crack. That applies to the hosting account control panel, FTP access AND WordPress administration access. Ideally, high-exposure sites should use different passwords for each of those areas.
Recent versions of WordPress seem to have addressed the issue of directory browsing by keeping people out of areas they shouldn’t be looking at. Securing the wp-admin area via SSL is a lot more complicated than it should be. There are no well-written, easy-to-use plugins available for this; those that do exist appear well past their WP version use-by date. It’s also far too easy to end up locked out of your site while trying to make them work!
5 – Implement a Firewall & Login Security
There’s an excellent “plug and play” firewall plugin called Block Bad Queries. Then install one of the Limit Login Attempts plugins, and also block XML-RPC; there is a plugin for that too!
6 – Ensure File & Directory Permissions Are Secure
File system security is important to prevent easy unauthorised access. There may be times when you have needed to alter permissions to edit files or copy files into a directory. Did you reset permissions to the correct default afterwards? If not, you’ve left a door ajar… Pull it shut and lock it again!
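A read-only permissions audit for the "did you reset them afterwards?" question, added here as an example (not the article's code). It walks a WordPress tree and reports anything world-writable or looser than the commonly recommended defaults (directories 755, files 644, wp-config.php 600 or 640). The script name and the root path given on the command line are assumptions, e.g. php audit-perms.php /var/www/html.

```php
<?php
// Added example, not from the article: report WordPress files and directories
// whose permissions are looser than the usual defaults. Read-only; it changes
// nothing, so you decide what to tighten. Assumed usage:
//   php audit-perms.php /path/to/wordpress

function audit_permissions(string $root): array {
    $issues = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = fileperms($path) & 0777;          // permission bits only
        $rel  = substr($path, strlen($root) + 1); // path relative to the root
        if ($mode & 0002) {
            // World-writable: anyone on the host can alter it. Always report.
            $issues[] = sprintf('%-60s %04o world-writable', $rel, $mode);
        } elseif ($info->isDir() && $mode !== 0755) {
            $issues[] = sprintf('%-60s %04o expected 0755', $rel, $mode);
        } elseif ($info->isFile()) {
            // wp-config.php holds database credentials; keep it tighter.
            $want = basename($path) === 'wp-config.php' ? [0600, 0640] : [0644];
            if (!in_array($mode, $want, true)) {
                $expected = implode('/', array_map(fn($m) => sprintf('%04o', $m), $want));
                $issues[] = sprintf('%-60s %04o expected %s', $rel, $mode, $expected);
            }
        }
    }
    return $issues;
}

$root = rtrim($argv[1] ?? '.', '/');
$issues = audit_permissions($root);
echo $issues ? implode("\n", $issues) . "\n" : "All permissions at or below the defaults.\n";
```

Some hosts need wp-content/uploads writable by the web server user (often 775), so treat the output as a review list rather than a fix list.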
7 – WordPress Plugin Integrity
As a general rule, only install plugins from the official WordPress Extend / Plugins repository. There at least, they are in the spotlight, and subject to some scrutiny. Installing plugins from anywhere else leaves you wide open to malware exploitation! At a basic level, your WordPress security measures should avoid non-official plugins like the plague…
8 – WordPress Theme Integrity
Ok, you can go anywhere and get free themes and make them work… but can you trust the source? Can you be sure that no malware is included? Can you be sure that no security breaches are opened by insecure coding? Personally, if I want a theme, I’d rather go to a reputable source and buy one that is coded for the latest version of WP, and where some assurance is implied as to suitability for the intended purpose.
9 – Automate Your Backups
One of the most fundamental WordPress security measures is using one of the backup plugins that automate the process of backing up your WordPress database and storing the files in a secure Cloud Storage location – GDrive or Dropbox etc. Install and use a reputable backup plugin! They can be a lifesaver, for a variety of other reasons.
10 – Server, Network and PC Vulnerabilities
Be aware of the configuration of your hosting company’s web server. Is it running old versions of PHP, MySQL, cPanel in a shared hosting environment? If so, that places you at greater risk than being on a hardened server with up-to-date tools and services running.
Never access your WP installation from a non-secure network such as internet cafes, coffee shops or hotel WiFi systems.
Another common-sense measure is to ensure the PC you post from uses current and reputable anti-virus software that also detects malware, spyware and key-loggers. The best option is to request a technical SEO audit and get a full site health check.
Page last updated on Thursday, October 12, 2023 by the author Ben Kemp