
When you install a WordPress site, there are a number of things you should consider changing before you set your site live. Please continue reading for some top tips to help make your site more secure. We'll keep updating this page as we find more useful security tips for your install.

File Editor

The built-in theme/plugin file editor in WordPress can be disabled by adding:

define('DISALLOW_FILE_EDIT', true);

to your wp-config.php file, above the line that reads "That's all, stop editing!". It belongs in wp-config.php rather than a theme's functions.php so that it stays in force whichever theme is active. Should someone gain access to your admin area, leaving the editor on lets them write arbitrary PHP into your theme and plugin files straight from the browser. It is rare that you would need to make changes here, and the same changes can be made over SFTP when required.

WordPress version is visible

The version of WordPress that you are using is, by default, printed in the <meta name="generator"> tag on every page of your site, which lets an attacker look up exploits for that exact version. Remove the tag by adding:

function no_generator() {
    return '';
}
add_filter( 'the_generator', 'no_generator' );

to your theme's functions.php file. Note that this only removes the meta tag: the same version number is appended as a ?ver= query string to the scripts and styles WordPress enqueues, and it is printed in readme.html (see below), so treat this as reducing noise rather than as protection. The only real protection is running the current version.

WordPress readme.html file

It is also possible to see which version of WordPress you are using by opening the readme.html file, which is installed by default at the top level of your web root. This file can be removed without impact on your site, but core updates put it back, so re-check it after each upgrade or deny access to it in your web server configuration instead.
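To check whether a site still gives its version away after the two changes above, here is a small script we have added for this page (it is not code from WordPress or from the original post). It parses a saved copy of a page's HTML for the generator tag and for the ?ver= query strings WordPress appends to enqueued scripts and styles, and reads the version out of readme.html. The HTML, the readme excerpt and the 3.5.1 version number below are constructed samples, not captures from a real site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample page, standing in for a WordPress front page before the
# the_generator filter is applied. Not captured from a real site.
PAGE_WITH_GENERATOR = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="/wp-content/themes/twentytwelve/style.css?ver=3.5.1" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
<script src="/wp-includes/js/comment-reply.min.js?ver=3.5.1"></script>
</head><body></body></html>"""

# The same page after the meta tag has been removed by the functions.php filter.
PAGE_WITHOUT_GENERATOR = PAGE_WITH_GENERATOR.replace(
    '<meta name="generator" content="WordPress 3.5.1" />\n', '')

# Constructed excerpt of readme.html; the real file prints the version in its heading.
README_SAMPLE = ('<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" />'
                 '<br /> Version 3.5.1</h1>')


class _LeakCollector(HTMLParser):
    """Record every place a page discloses a version string."""

    def __init__(self):
        super().__init__()
        self.leaks = []  # list of (where, version)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'meta' and (a.get('name') or '').lower() == 'generator':
            m = re.search(r'WordPress\s+([\d.]+)', a.get('content') or '')
            if m:
                self.leaks.append(('meta generator', m.group(1)))
        # Scripts and styles enqueued without an explicit version get
        # ?ver=<core version> appended by WordPress; record every ver= we see.
        if tag == 'script':
            url = a.get('src')
        elif tag == 'link':
            url = a.get('href')
        else:
            url = None
        if url:
            parts = urlsplit(url)
            ver = parse_qs(parts.query).get('ver')
            if ver:
                self.leaks.append(('ver query on ' + parts.path, ver[0]))


def find_version_leaks(html):
    """Return [(where, version), ...] for every disclosure found in the HTML."""
    collector = _LeakCollector()
    collector.feed(html)
    return collector.leaks


def versions_disclosed(html):
    """The distinct version strings a page gives away, sorted."""
    return sorted({version for _, version in find_version_leaks(html)})


def readme_version(readme_html):
    """Extract the version from readme.html, or None if it is not there."""
    m = re.search(r'Version\s+([\d.]+)', readme_html)
    return m.group(1) if m else None


if __name__ == '__main__':
    for label, page in (('with generator', PAGE_WITH_GENERATOR),
                        ('generator removed', PAGE_WITHOUT_GENERATOR)):
        print(label, versions_disclosed(page))
        for where, version in find_version_leaks(page):
            print('   ', where, '->', version)
    print('readme.html says', readme_version(README_SAMPLE))
```

Run against the two sample pages, the core version 3.5.1 is still disclosed after the generator tag is gone, because the theme stylesheet and comment-reply script carry it in their ?ver= query strings (the 1.8.3 on jquery.js is jQuery's own version, not the core one). Point the script at a saved copy of your own front page and readme.html to see what is left after your changes.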

Install script is present

The file wp-admin/install.php is left on your site after install and should be removed. It refuses to run once the database tables exist, and core updates will put it back, so this is housekeeping rather than a critical fix; re-check it after each upgrade.

Failed login messages

When a user (or an attacker) fails to log in to your WordPress admin, WordPress tells them why: by default it distinguishes an unknown username from a wrong password for a valid one, which lets an attacker confirm which usernames exist before trying passwords against them. Show a single generic message instead by adding:

function explain_less_login_issues() {
    return '<strong>ERROR</strong>: Entered credentials are incorrect.';
}
add_filter( 'login_errors', 'explain_less_login_issues' );

to your theme's functions.php file. This removes the hint but does not stop the brute-force attempts themselves, and usernames can still be found in other ways (author archive URLs, for example), so it is a small improvement, not a substitute for strong passwords.

Prevent Malicious URL Requests

Create a file called blockmaliciousqueries.php in your plugins directory (wp-content/plugins) and paste the following code inside it:

<?php
/*
Plugin Name: Block Bad Queries
Plugin URI: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
Description: Protect WordPress Against Malicious URL Requests
Author URI: http://perishablepress.com/
Author: Perishable Press
Version: 1.0
*/

// Refuse the request outright if the raw request URI contains one of these
// substrings. strpos() returns the match offset (possibly 0) or false, so
// compare against false explicitly rather than relying on truthiness.
$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
if ( strpos( $request_uri, 'eval(' ) !== false ||
     strpos( $request_uri, 'CONCAT' ) !== false ||
     strpos( $request_uri, 'UNION+SELECT' ) !== false ||
     strpos( $request_uri, 'base64' ) !== false ) {
    @header( 'HTTP/1.1 400 Bad Request' );
    @header( 'Status: 400 Bad Request' );
    @header( 'Connection: Close' );
    @exit;
}

then activate the plugin as normal through the WordPress admin section. Be clear about what it does: it is a case-sensitive substring match on the raw, still percent-encoded request URI, so union%20select or Union+Select pass straight through, POST bodies are never examined, and a legitimate URL such as a post slug containing "base64" is refused. It is a crude filter for noisy scanners, not protection against a SQL injection flaw in a plugin, which has to be fixed in the plugin itself.
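To see exactly what that filter catches and misses, here is an added example, not the plugin's code: the four-substring check is modelled in Python with the same case-sensitive, raw-URI semantics as the PHP above, next to a hardened variant (our suggestion, not Perishable Press's) that percent-decodes and lower-cases the request before matching. The request paths are constructed for the example, not taken from real logs.

```python
from urllib.parse import unquote_plus

# The four substrings the Block Bad Queries plugin looks for, exactly as written.
BLOCKED_FRAGMENTS = ('eval(', 'CONCAT', 'UNION+SELECT', 'base64')


def is_blocked_as_written(request_uri):
    """Faithful model of the plugin: a case-sensitive substring test on the
    raw, still percent-encoded REQUEST_URI, which is what PHP's strpos() does."""
    return any(fragment in request_uri for fragment in BLOCKED_FRAGMENTS)


def normalise(request_uri):
    """Decode what the attacker controls before matching: percent-decode twice
    (to catch double encoding), treat '+' as a space, turn SQL comment padding
    into spaces, lower-case, and collapse runs of whitespace."""
    s = unquote_plus(unquote_plus(request_uri))
    s = s.replace('/**/', ' ')
    return ' '.join(s.lower().split())


# Same four ideas, spelled the way they look after normalise().
BLOCKED_FRAGMENTS_NORMALISED = ('eval(', 'concat', 'union select', 'base64')


def is_blocked_hardened(request_uri):
    """Added hardening (not the plugin's code): the same blocklist applied to
    the normalised URI. Still a blocklist, still bypassable, still a false-positive risk."""
    s = normalise(request_uri)
    return any(fragment in s for fragment in BLOCKED_FRAGMENTS_NORMALISED)


def classify(request_uri):
    """Return (verdict as written, verdict hardened) for one request path."""
    return tuple('blocked' if check(request_uri) else 'passed'
                 for check in (is_blocked_as_written, is_blocked_hardened))


# Constructed request paths: one probe the plugin catches, three scanner-style
# variants that slip past it, and one legitimate URL it wrongly refuses.
SAMPLES = {
    '/?id=1+UNION+SELECT+1,2,3':          ('blocked', 'blocked'),
    '/?id=1%20union%20select%201,2,3':    ('passed', 'blocked'),
    '/?id=1+Union+Select+1,2,3':          ('passed', 'blocked'),
    '/?cmd=%65val(phpinfo())':            ('passed', 'blocked'),
    '/2013/01/base64-encoding-explained/': ('blocked', 'blocked'),
}

if __name__ == '__main__':
    for uri in SAMPLES:
        as_written, hardened = classify(uri)
        print('%-40s as written: %-8s hardened: %s' % (uri, as_written, hardened))
```

The last sample is the one to notice: a perfectly ordinary post about base64 encoding is refused by both versions, so check your own URLs before switching this on. And decoding the request only raises the bar; a vulnerable plugin is still vulnerable behind this filter.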

Database Prefix

By default, your website was installed with the table prefix wp_, which every attacker knows, so automated attacks assume it. Change the prefix in MySQL to something else (bGthrEEs224 below could be any short string of letters and numbers you like; WordPress only allows letters, digits and underscores). Take a full database backup first and do this while the site is not serving visitors:

  • Rename table wp_commentmeta to bGthrEEs224_commentmeta
  • Rename table wp_comments to bGthrEEs224_comments
  • Rename table wp_links to bGthrEEs224_links
  • Rename table wp_options to bGthrEEs224_options
  • Rename table wp_postmeta to bGthrEEs224_postmeta
  • Rename table wp_posts to bGthrEEs224_posts
  • Rename table wp_terms to bGthrEEs224_terms
  • Rename table wp_term_relationships to bGthrEEs224_term_relationships
  • Rename table wp_term_taxonomy to bGthrEEs224_term_taxonomy
  • Rename table wp_usermeta to bGthrEEs224_usermeta
  • Rename table wp_users to bGthrEEs224_users

Then set $table_prefix in wp-config.php to 'bGthrEEs224_', and rename any plugin tables that start with wp_ in the same way. Some rows also carry the prefix in their data, not just in the table name, so edit table wp_usermeta (now bGthrEEs224_usermeta):

  • Change the record for wp_capabilities to bGthrEEs224_capabilities
  • Change the record for wp_autosave_draft_ids to bGthrEEs224_autosave_draft_ids
  • Change the record for wp_user_level to bGthrEEs224_user_level
  • Change the record for wp_user-settings to bGthrEEs224_user-settings
  • Change any other meta_key that begins with wp_ in the same way

and edit table wp_options (now bGthrEEs224_options):

  • Change the option_name wp_user_roles to bGthrEEs224_user_roles; this option holds the role definitions, and until it is renamed no user, including the administrator, has any capabilities

Bear in mind that this only hides the prefix from casual guessing: an attacker who already has SQL injection can read the real table names from information_schema, so treat it as a minor hardening step rather than a defence.
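The rename list above is one instance of a general procedure: rename every table, then fix the rows whose data embeds the prefix. The script below is added for this page and is not part of the original post; it generates the SQL for any old and new prefix (the prefix bGthrEEs224_ and the eleven 3.5-era core tables are taken from this page), validates the prefixes so nothing untrusted can splice into the statements, and includes the options-table rewrite that covers wp_user_roles.

```python
import re

# The core tables of a WordPress install of this vintage (3.5), as listed above.
CORE_TABLES = (
    'commentmeta', 'comments', 'links', 'options', 'postmeta', 'posts',
    'terms', 'term_relationships', 'term_taxonomy', 'usermeta', 'users',
)

# WordPress itself only accepts letters, digits and underscores in a prefix.
_IDENTIFIER = re.compile(r'^[A-Za-z0-9_]+$')


def prefix_change_sql(old_prefix, new_prefix, tables=CORE_TABLES):
    """Return the SQL statements that move a WordPress database from one
    table prefix to another. Both prefixes are checked against a strict
    identifier pattern before they are interpolated into any statement."""
    for prefix in (old_prefix, new_prefix):
        if not _IDENTIFIER.match(prefix) or not prefix.endswith('_'):
            raise ValueError('prefix must be letters, digits and underscores, '
                             'ending in an underscore: %r' % prefix)

    statements = []
    for table in tables:
        statements.append('RENAME TABLE `%s%s` TO `%s%s`;'
                          % (old_prefix, table, new_prefix, table))

    # Rows that embed the prefix in their data rather than the table name:
    # capabilities, user level and settings in usermeta, and the role
    # definitions (<prefix>user_roles) in options. In a LIKE pattern '_' is a
    # single-character wildcard, so escape it; SUBSTRING (1-indexed) drops the
    # old prefix and CONCAT puts the new one in front.
    like_pattern = old_prefix.replace('_', '\\_') + '%'
    offset = len(old_prefix) + 1
    statements.append(
        "UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) "
        "WHERE meta_key LIKE '%s';" % (new_prefix, new_prefix, offset, like_pattern))
    statements.append(
        "UPDATE `%soptions` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) "
        "WHERE option_name LIKE '%s';" % (new_prefix, new_prefix, offset, like_pattern))
    return statements


def wp_config_line(new_prefix):
    """The matching $table_prefix line for wp-config.php."""
    if not _IDENTIFIER.match(new_prefix):
        raise ValueError('invalid prefix: %r' % new_prefix)
    return "$table_prefix = '%s';" % new_prefix


if __name__ == '__main__':
    print('-- wp-config.php:', wp_config_line('bGthrEEs224_'))
    for statement in prefix_change_sql('wp_', 'bGthrEEs224_'):
        print(statement)
```

Before running the two UPDATE statements, run the same WHERE clauses as a SELECT and read the matched rows: a plugin that happens to name its own keys wp_something would be caught as well. MySQL also accepts all the renames in a single RENAME TABLE a TO b, c TO d statement, which is atomic, if you would rather not leave the site half-renamed should one step fail.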

Disclaimer

Please note that these are only general suggestions and we cannot be held responsible for any consequences of any suggested changes or for consequential loss or damage resulting from such a change. The advice above covers only a limited selection of security issues.

Further security issues may exist, in which case please feel free to discuss a full security audit of your site with us.

January 20th, 2013 | WordPress