Securing a new WordPress installation, part 3: Advanced tips

In this three-part series we will explore the most common tasks to secure a new WordPress installation in a shared hosting environment.

In the third and last part of this series we will explore additional ways of securing our self-hosted WordPress installation. This includes some security tips regarding the database, plugins and themes, and keeping WordPress up to date.

Move wp-content out of its default location

Since version 2.6 of WordPress you can move the wp-content directory out of its default location. The objective is, as we did with the wp-config.php file in the second installment of this series, Securing a new WordPress installation, part 2: Login process and Admin area, to prevent attacks by obscuring the location of the files. Note that in this case, as the contents of the directory must be public (that is, accessible from the web server), we can’t move the wp-content directory outside the web root as we did with the wp-config.php file. But we can change its name and location, which is good enough to discourage a possible intruder a bit more.

Keep in mind that this can easily cause problems with badly programmed plugins that use hard-coded directory paths, which nobody should be using anyway but, hey, you never know.

The process of moving wp-content is quite simple and involves defining (or modifying, if they are already present) the WP_CONTENT_DIR and WP_CONTENT_URL constants in wp-config.php. You can see the details on the WordPress Codex page.
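As an added illustration (not code from the post), these are the wp-config.php lines that relocate wp-content; the directory name assets, the filesystem path and the host example.com are placeholders chosen for this example:

```php
<?php
// Added example, not from the original post. Place these lines in
// wp-config.php ABOVE the line that reads /* That's all, stop editing! */.

// Absolute filesystem path of the renamed content directory, no trailing slash.
// Use an explicit path rather than deriving it from __FILE__: if you moved
// wp-config.php above the web root (part 1), __FILE__ no longer points at it.
define( 'WP_CONTENT_DIR', '/home/example/public_html/assets' ); // placeholder

// Public URL of that same directory: full URL, same scheme as the site,
// no trailing slash. It must point at the directory above or every
// theme, plugin and upload will return 404.
define( 'WP_CONTENT_URL', 'https://example.com/assets' ); // placeholder

// Plugins live under WP_CONTENT_DIR/plugins and follow the move automatically.
// Only uncomment these if you relocate the plugins directory separately.
// define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR . '/plugins' );
// define( 'WP_PLUGIN_URL', WP_CONTENT_URL . '/plugins' );
```

Well-behaved plugins resolve paths through WP_CONTENT_DIR and WP_CONTENT_URL (or the helpers built on them), so anything that breaks after this change is a plugin hard-coding wp-content, which is the caveat above.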

Securing a new WordPress installation, part 2: Login process and Admin area

In this three-part series we will explore the most common tasks to secure a new WordPress installation in a shared hosting environment.

In this second part of the series we will explore ways of hardening the Login Page and Admin area. The entry point of a WordPress installation is the login page. That’s probably the first place where anyone trying to hack your WordPress installation is going to look. It’s like checking how well the front door is secured before looking for a back door.

Proper username and password

In order to make it harder for hackers (and for script kiddies alike), you have to choose a proper username for the WordPress superuser. No, admin isn’t one. Because all WordPress installations since the beginning of Earth history have defaulted to the admin username for the most privileged account, and until recently you couldn’t even choose a different name, the admin user is the first one that your potential hacker is going to try to break into. Any name will suffice, but please don’t be silly and use root instead of admin. After all, you do have some creativity in you, don’t you?


Securing a new WordPress installation, part 1: wp-config.php

In this three-part series we will explore the most common tasks to secure a new WordPress installation in a shared hosting environment.

A couple of years ago WordPress was well known for having a less-than-impressive security record. New critical bugs and vulnerabilities were being discovered very frequently, and the platform was constantly being updated by the developers trying to get rid of the newly found bugs. The configuration that most cheap hosting companies applied to their shared servers didn’t help much to achieve a proper level of security. WordPress’s huge popularity didn’t help much either, as its easy install process didn’t encourage people to secure the installation afterwards.

Many people criticised WordPress for all of this (WordPress insecure by design?) and finally Automattic took the matter in hand, raising the quality and security of the software to the level of other similar packages. We’re in 2011 and nowadays WordPress is a fairly secure piece of software but, as with any software completely exposed to the internet, you have to do your homework and also make sure your hosting does theirs. A faulty WordPress configuration, either yours or the hosting’s, can be disastrous, especially if your business is strongly tied to it.

In this series we will explore several tips to help us secure our WordPress installations. The tips are independent from one another, meaning that you can pick the ones that suit you best and forget about the rest. Note that these tips will only make it harder for hackers to get into our WordPress install; they are not foolproof. The only way to have a completely secure WordPress install is disconnecting the server from the Internet altogether. If someone experienced wants to hack you, these tips will only delay the end result, but hopefully they will drive juniors and script kiddies away towards more feasible targets.
