With around 200 million users worldwide, Wordpress is not only the most popular blogging tool there is, it's also become one of the most successful content management systems on the web.
So it's no wonder that we periodically hear about rounds of attacks on the platform. The bigger the target, the more likely people are to aim for it.
There are few things more sobering than to wake up one morning and find that your sites have apparently disappeared or that they're suddenly serving malware. It needn't be that way if you maintain control of your Wordpress installation and make it as exploit-proof as possible. It doesn't require constant vigilance – just a bit of tweaking after installation and a secure routine from then on.
After installation, there's some immediate housekeeping that you'll be prompted to do. Don't put it off – do it straight away.
The most important change is to delete or disable the 'install.php' file in the wp-admin folder. That's the file used to connect Wordpress to a database and create a configuration file. It can be removed, or you can FTP to your website and rename it to something like 'installOLD.xxx'.
Web design blogger Jeff Starr suggests a more lateral solution: replace install.php with a fake file that generates an error message and sends you an email informing you there's been a hack attempt. To download his replacement, install.php from his website.
With the installation file safely removed, it's time to turn your attention to the 'admin' user. By default Wordpress creates a user named 'admin', with supreme power over your blog. It also nags you to change the automatically generated password for that user.
Having an administrator with a generic name is a security risk, so change that, too. Log into your Wordpress dashboard first, then go to Users and click 'Add New'. Fill in the short form with a username, password and email address as prompted. Crucially, in the Role dropdown menu, choose 'Administrator'. Then click the 'Add User' button.
Log out of and then back into your Wordpress blog as the new user. Go to the Users section again, this time choosing 'Authors and Users'. Hover your mouse over the 'admin' user and, when the link appears, click [Delete]. All gone.
Here's another default to alter. When Wordpress installs, it adds the prefix 'wp_' to every table it creates in its database. At the time of installation, you have the opportunity to change that. So, if you're installing a fresh version of Wordpress, change 'wp_' to xcw_ or ff134d_ (or anything but 'wp_'). This will slow down script kiddies intent on SQL injection attacks tailored to Wordpress.
You can still change the table names if you've already installed. Go to Plug-ins in your Dashboard and choose 'Add New'. Search for WP Security Scan and install it – this can change your database prefix. Go to the new Security entry in your navigation bar and choose 'Database'. Enter any new prefix and click 'Start Renaming'.
The wp-admin folder in general could be a target for hackers. You need to retain access to it though, so the only solution is to password protect it. Most hosting plans come with a control panel to manage your server, usually cPanel. Consult your web host's documentation and connect to your cPanel if it's available.
You should find an item labelled 'Password Protect Directories' in the Security section. You'll now be prompted to select a folder. Select 'wp-admin' and then create a password and username.
To manually protect the wp-admin folder, start by creating a plain text file called .htpasswd. This file should contain one line, with a username and password pair, something like the following cryptic string:
The password here has been encrypted (the real password is 'meatballs'). You can encrypt passwords for use in .htpasswd files with an online tool such as the one at www.htaccesstools.com/htpasswd-generator.
The next step is to upload the .htpasswd file to your server. If possible you should place it in a folder above the root folder of your site. If that's not possible, put it in a folder that's parallel to your root folder.
To password-protect the wp-admin folder now, create a new .htaccess file containing the following content:
AuthType Basic AuthName "Authorised Users Only" AuthUserFile /path to/.htpasswd Require valid-user
The path in line three should be the full server pathway to the file .htpasswd. When you've created the file it should be placed in the wp-admin folder on your server.
Protect your plug-ins
Your Plug-ins folder is vulnerable to exploits. This is particularly the case if the server configuration leaves it open to being listed. There are two fixes for this.
First, an .htaccess file can be used again. Create a plain text file and add the line Options-Indexes. Upload this to your '/wp-content/plug-ins' folder and rename to .htaccess. The second method is even easier.
Create a blank text file named index.html and upload that to your Plug-ins folder. Result? A blank page instead of the directory listing.
A sure sign that your site has been compromised is that files have been changed. We use the plug-in WP Exploit Scanner to generate a list of altered files in our installation. This works well, but it takes a fair amount of time to read through its full output.
Another approach is to monitor files for signs of unauthorised changes. You can do this with another plug-in, Wordpress File Monitor. Both are worth installing and can be found here.
Make frequent database backups
Even with your Wordpress installation as secure as possible, you can't predict with certainty that your site won't ever be compromised. Frequent database backups are advisable.
Recent versions of Wordpress make this easy. Go to your Dashboard, then to the Tools section and choose 'Export'. This enables you to back up all your posts, comments, categories and tags as XML.
To make automatic, regular backups, go to the Plug-ins section, click 'Add New' and search for WP DB Backup. This adds a Backup page to the Tools section that can be used to download your database and select additional tables as MySQL.
Article continues below