WordPress Security 102: Essential Tricks and Tips
In this installation of the “Locking Down WordPress” series covering security, we’ll be looking at specific settings and tricks you can do using the free iThemes Security plugin. For this guide, you’ll need:
- A clean WordPress installation (or at least one you can play around with)
- FTP Access to your WordPress installation
- A copy of iThemes Security (you can install it directly through WordPress or through FTP – it won’t matter)
Before we start, I want to clarify that I am in no way being compensated by iThemes or their owners for this blog post – I simply believe that iThemes is a stellar plugin and one of the “must haves” for any site. The opinions are solely my own, so if I’m wrong then take it out on the comments! 🙂
Now that that’s out of the way, let’s dig in! For the pictures below, I’ll be using a local installation running WordPress 3.9.1 and iThemes Security version 4.2.2. Things shouldn’t change much in the near future, but if it eventually gets to the point this is outdated then holler and I’ll fix it up.
Table of Contents
- Improving Security During WordPress Setup
- Install iThemes Security
- iThemes Security Settings
- iThemes Advanced Security Settings
Note: Users with WordPress already installed can skip down to the “Improving WordPress Security through iThemes Settings” area, as the first section is during initial setup. Don’t worry if you have it already set – we can change most of it later.
Improving Security During WordPress Setup
Using wp-config.php to Keep your Database Safe
It’s a quick, easy fix for this one – while you’re entering your information in
wp-config.php during setup, swing down to
Line 62. There, you should see:
$table_prefix = 'wp_';
wp is the default prefix, most people don’t bother to change it. Not you, savvy owner! Put something else before that underscore to knock out vulnerabilities with a couple keys. This demo will use:
$table_prefix = 'demo_';
During WordPress Installation
When you get to the “Famous 5 Minute Installation” page, you have the great opportunity to follow the other Golden Rule of WordPress (this is for you, Logan!) – putting absolutely anything in the “Username” field aside from
This is surely one of the most easily avoided security issues that WordPress installations face. By setting
admin as the master account for the site, you’re giving any potential hackers or bots half of the solution to total control to your site – and with the well documented top passwords of 2014 being stumpers like
password, it’s only a matter of time before you’re locked out of your site, yelling at your webhost and peddling diet pills and Mexican Viagra (it’s a slippery slope).
It sounds like a little bit of overkill, but the best way is a two step process. First, get a password manager. They may be expensive, but there some free alternatives like KeePass that do a great job. Second, head over to Random.org and use their string generator. For this demo, we’ll use it twice to create the admin username and password:
Username: bg3pwaJyav Password: e8tJmfsWAI
Perfect! It should be noted that there’s a lot of discussion on password security I won’t go into here, but a method that I like to use is to have a sentence as your password (passphrase sounds more secretive, too). Spaces are very difficult for brute force hacking to get by, so the following combination could be just as solid:
Username: fuhackerz Password: Dont hack me bro!
Be sure to run whatever your password is through this awesome tool – even using my examples, we got some interesting results 🙂
Now, we should be able to see the typical dashboard:
Out of habit, I typically create my own user account right after setup and do everything from this point using that second account – a more human-friendly username (i.e.
john.doe) and password (
Is there anyone actually named John Doe? That would suck.). This leaves your admin account as a backup in case you lose your password, and also a way to keep control should something ugly happen.
Install iThemes Security
The first step is obviously installing iThemes. You can do this by either downloading it and uploading it into your
wp-content/plugins directory, or the much easier way of going to Plugins > Add New, searching for
iThemes, and hitting the “Install Now” button. Once it’s installed, activate to your site.
You should be taken back to the Plugins page, where (at least in version 4.2.2) a blue banner regarding iThemes will be on top. You can either click the “Secure Your Site Now” button on that banner, or just click “Security” in the left side of your Dashboard. You might see a popup by iThemes telling you to back up your database – do that if this is a live site, but since we’re a fresh clean demo I’ll just dismiss it. Finally, we’re at the iThemes Security Dashboard!
In the iThemes Dashboard, you’ll see a box called “Security Status”. Here, you can see any issue that iThemes decides could be a threat ranked by severity. There are a ton of options here, and also a ton of ways this could cause issues for your site, so we’ll just go over the essentials that I believe any site should have. I’ve dealt with a lot of sites and seen a lot of security issues – I believe this should cover most scenarios, but if you’re interested in a specific feature then iThemes has some solid documentation to help out. As always, if you think I’ve missed an important feature, let me know in the comments! The purpose of this guide is to help WordPress owners stay safe, so any contributions would be more than welcome.
Let’s click over to the “Settings” tab to get started.
iThemes Security Settings
Now, you should see a very long page of scary numbers, checkboxes, and questions. We’ll go point-by-point to set up my favorites. When we go through, checking may expose more options – unless I specify, assume that the default settings will work.
For those of you who prefer, I’ve uploaded a screenshot with all of the settings described. From that, you should be able to set up your site, though I definitely suggest reading through – I go into some of the features a little more so you can fit for your needs.
This is more-or-less OK how it is. I would suggest ticking the box to “Allow iThemes Security to write to wp-config.php and .htaccess” – I do trust the plugin author, and it’s frankly not worth the headache to go the long way. Make sure your Notification Email and Backup Delivery Email are both valid (and ideally separate accounts) – this is important.
Check this box to “Enable 404 Detection”. Easy as that. Do note that during development you may want this off – if you were to get a lot of 404 errors in a short period of time, you could be temporarily locked out.
This is a neat feature, but for the most part I like to leave it off. This would lock up your site from edits for either a set amount of time (like you were going on a weeklong vacation) or at regular intervals, such as 11PM – 7AM EST. A cool idea, but even a temporary inability to get to your site can be a huge hassle if you’re under a deadline, need to post, or are just a night owl.
Check both of these boxes. There isn’t really a reason to NOT check them – I haven’t had a problem with it yet.
Brute Force Detection
Enable this. Brute Force attacks are when computers quickly try to guess the password – they’re an extremely common attack and can be effectively stopped here.
For the love of Jebus, check this one. Backing up your database (or failure to do so) can be one of the make-or-break moments of a hack – either you’re able to restore your site with the help of a friendly neighborhood dev, or you have to rebuild from scratch. Save early, save often, and it’s not overkill to use another backup plugin like BackWPUp. Enable scheduled dumps at whatever frequency you feel comfortable – if you don’t update your site often, you can space this out to a week or two, or if you’re a blogging pro then you can make it every night. More robust extensions like BackUPUp allow you to precisely time the backups – I like setting it at 3AM local, so I never have to deal with the slowdowns 🙂
File Change Detection
It’s a nice thing to switch on after you’ve done all your development – I can’t really attest to its usefulness, but it doesn’t hurt to add another layer of notifications.
Hide Login Area
This is an important feature, but also the one to cause the most trouble. In essence, the idea is that it will hide the
wp-login urls with prettier login strings – this not only looks better, but can stop a lot of automated hacking attempts in their tracks.
That feature is a bit of a two-edged sword. The first most common issue this poses is that people tend to forget what that login string actually is – it sounds silly, but I’ve had to troubleshoot this quite a few times and it’s never a fun thing. Since the most direct strings aren’t allowed (i.e.
wp-login.php), it’s up to you to change the settings to something you’ll remember –
userlogin is a good one, both people and computer-friendly.
Note: This feature in specific can cause issues with certain plugins, themes, and extensions. While it really shouldn’t be a problem, it’s important to remember in case you come across conflicts… Try to disable this setting during troubleshooting, or even better enable it just before the site’s public debut.
Secure Socket Layers (SSL)
This is a can of worms I’m a little afraid to touch, so remember that this post is all from my own perspective – your mileage WILL vary. Typically, this feature does nothing, as your web host probably won’t have an SSL available for you to use. If you plan on taking any sensitive information like billing, passwords, what have you, then it’s a good idea to look into enabling SSL for your site – your web host will be able to help you further in this area. Do not make any modifications to this section without talking to your web host or a developer first.
For your personal blog, you can ignore SSL.
Enable this a million times over. When you check the box, another option will appear telling you to choose the role that you would enforce strong passwords. I tend to err on the side of caution, so I would set
Author as the minimum role. Some sites benefit from enforcing it on all users, and if there’s only going to be one or two administrators and the rest users, you can leave this as is, but it should be turned on from day one.
Now we’re getting into the nitty-gritty. My favorite part about this plugin is it lets you do some pretty advanced stuff without having to know all about it – that doesn’t mean it won’t cause issues down the road, though. If you’re unsure of a setting then don’t take my word for it – head straight over to the iThemes site to check out some documentation. If you notice that your site is acting strangely after enabling some of the features below, disable them to see if it helps.
Short and sweet, here’s what I suggest:
- Protect System Files – Unchecked for now. This is a great feature to have once you’ve finished development, but plugins can write to .htaccess pretty commonly so this will cause some issues down the road. Just remember that this is on, so whenever you make software changes you can flip it off first.
- Disable Directory Browsing – Check this. WordPress should do this on its own, but this is great.
- Filter Request Methods – Check it, but remove if it causes any issues. As far as the rest of the settings go, this is small fish in my opinion.
- Filter Suspicious Query Strings in the URL – Check it.
- Filter Non-English Characters – Check it, assuming you’re an English site.
- Filter Long URL Strings – Check it.
- Remove File Writing Permissions – Be careful about this one. It’s a great security measure, but this is a huge headache if it decides to go wrong – I would hold enabling this until after you’ve done any development.
- Disable PHP in Uploads – Check it. Typically there’s no reason a PHP script should be running from the uploads directory, so it shouldn’t interfere with anything.
This is another section of checkboxes, so we’ll go quickly. Like before, read over the options to see if they’re right for you – these aren’t likely to cause long term problems or conflicts.
- Remove WordPress Generator Meta Tag – Check it.
- Remove the Windows Live Writer header – Check it. You’ll know if you need it.
- Remove the RSD header – The description does a good job of helping here, but for most cases you can check it. If for some reason you ever need that feature you can switch it back on in a pinch.
- Reduce Comment Spam – Check it.
- Display Random Version – I don’t really think this is all too helpful, but it doesn’t hurt most of the time. Go ahead and check it.
- Disable File Editor – I actually leave this unchecked. Although I don’t use the File Editor (through Appearance > Editor or Plugins > Editor) all the time, it IS a nice way to make a quick and dirty code change without having to go through FTP. Non-developers can go ahead and check.
- XML-RPC – Just leave this to “Off”. I really don’t think this would matter to most sites, but if you start pissing off a hacker group then it could help… You’d have bigger problems at that point, though.
- Replace jQuery With A Safe Version – This is a bit of a silly feature, in my opinion. jQuery will change depending on your theme – if you’ve bought a theme from a reputable vendor, then you don’t have to worry about it. Ignore it.
- Disable Login Error Messages – Leave this unchecked.
- Force users to choose a unique nickname – Check it. Kind of cool in certain situations, this is probably one of the less handy features. This might add another hoop for users to jump through, but I believe the idea behind this is that it makes it easier for bots to pull emails, so in theory reducing spam.
- Disable Extra User Archives – Check it.
WHEW! That was a lot of clicking! Be sure to hit the Save All Changes button. Don’t break out the champagne just yet – we have a few more advanced settings to go over.
iThemes Advanced Security Settings
In your iThemes dashboard, you should see an Advanced tab – click on it to get a whole new page of options! This one is much shorter, but actually much more critical – be sure that you have a backup of your site before you change any of these settings. This shouldn’t bring your site to its knees, but if any part of this guide would then it’s right here.
For users with a fresh installation, we handled part of this early on by not going with
admin as a username. Still, the user ID for the admin is
1, so this could be and often does get exploited. Read the instructions and notes, check the Enable Change Admin User box, check the newly appeared Change User ID 1 box, and then hit Save Admin User. You’ll be logged out, so log back in and head back to the Advanced Settings panel.
Change Content Directory
Read the information shown in your iThemes dashboard. Finished? Read it again. This is ultra-critical information – this option will break your site 100% of the time if you have content already included. To be perfectly honest, I would avoid this option entirely – it’s a nice idea, but in practice will be a constant source of stress.
Change Database Prefix
For new users, we changed this earlier on in the guide. If you have an existing site, then I would also avoid this – like changing the content directory, this will break your site. If you forgot to switch the database prefixes when you installed but it’s a fresh site then you can go ahead with this, but it’s best to contact a developer beforehand to let them handle it.
Your WordPress site is now locked down, with all of the essential security features and a ton of great additional features – all for just a few minutes of your time (and no hit on your wallet!)
Keep in mind that this won’t entirely absolve you of any security issues. Software should be kept up to date, routine maintenance shouldn’t be forgotten, and site owners always have to be vigilant for suspicious activities, but your site will start seeing the benefits immediately. Even if it’s not visible to the naked eye, a secure site is a happy site, and a happy site is a happy reader.
5/20/14 – As a testament to the above (just in case you wanted it!), the site just went through a relatively large ‘attack’… I woke up to find 152 failed login notifications from a series of brute force attempts over a few hours:
Security is important, everyone! 🙂
I hope you liked this overview on security! If you have anything you’d like to add or features you want me to explore, then post in the comments with your ideas and I’ll look into either modifying or expanding this post, or even adding a new section entirely. As always, if you have any questions then feel free to contact me!
Other Parts in this Series:
Have any questions or comments about this article, or ways you think it can be improved?
Join the conversation in the comments below, or sign up for my newsletter to recieve periodic updates!
Another fantastic rundown of running a secure WP site. Thank you for your work and for putting this all in one place!