How to Secure Your WordPress Blog

Measures to Improve the Security of Your Blog

How to Secure Your WordPress Blog

Although, in the past, I have read of how someone's WordPress blog being compromised and made to deliver malware, include hidden links or redirect to some malicious website, in these last few months,
I have actually personally encountered a number of WordPress-based sites that have been hacked to deliver malware.

Nobody can guarantee that your WordPress installation is 100% secure. However, there are ways to improve the security of your blog so that it is slightly less vulnerable than it otherwise might be. This article discusses some measures an ordinary blogger can take to protect his/her WordPress blog.

Why a Blog Is Vulnerable to Hacking and Other Exploits

All websites on the Internet are vulnerable to hacking and other exploits. There are no exceptions. The reason is simple: unlike your own personal computer, which only connects to the Internet sporadically (such as when you turn it on to surf), websites are hosted on computers that are permanently connected (or so one would hope) to the Internet, exposed to anyone who wants to connect to it be they customers or hackers.
Sites that run blog scripts, content management system (CMS) software or any other type of script, have an additional area of vulnerability to contend with. The software (blog or CMS script) is actually online, along with your content. If there are any security holes in the software, they can be exploited by a person who connects to your website.

Symptoms of a Hacked WordPress Blog

If your blog has never been hacked before, you may wonder what the consequences are. In the past, hacked blogs have exhibited one or more of the following symptoms:

1. The blog may be defaced.
2. The hackers install hidden links on the blog that point to sites they own. Since Google ranks sites according to the number of links pointing to them (among other things), the intention is to make their site appear more important to Google.
3. The hackers may install some sort of malware that will install on the computers of the blog's unsuspecting visitors.
4. As a result of the above things happening, Google may remove the blog from their search engine results. Traffic to the blog will therefore plummet.

Hence, it's not just a matter of defacement if your site is compromised. There are serious side effects that will cost the blogger considerable effort just to clean up and recover.

Measures to Improve the Security of Your WordPress Blog

1. Keep Your WordPress and WordPress Plugins Updated to the Latest Version

   Ultimately, the best security precaution is to have software that have no security holes. None of the other measures suggested in this article can even come close to this. Since perfect software is not possible (we're all fallible after all, even the venerable WordPress developers), the next best thing is to quickly update your WordPress and all its plugins every time a new version is released. New versions often fix holes found in the earlier versions.
   
   I have a feeling that this is one of those rules which everyone knows but few heed.
   Don't get me wrong. I fully empathize with all the people who don't update. WordPress updates are extremely frequent, and it's really a big hassle to upgrade. There are so many files to upload (unless you are able to use my quick method to upgrading, which is not always possible). And if you have customised files, you have to apply your customisations to the new files, not to mention that you need to be careful not to overwrite certain other files.
   
   All in all, it's not a procedure you can do in a few minutes, nor is it one you can do while distracted with other tasks, unless you don't mind overwriting things you shouldn't. Or unless your WordPress blog mostly uses the defaults.
   
   Because of the amount of work one has to do to upgrade WordPress, many bloggers tell themselves that the possibility of hackers discovering their blog is slim. If you think similarly, let me dispel that notion. Hackers do not go around the Internet with a web browser manually visiting site after site, checking for holes. They write computer programs that probe multiple websites en masse for security vulnerabilities. Some of these software make use of the search engines like Google to do the dirty work for them. If your blog can be found in a search engine, or is linked to anywhere, their programs will find it.
   
   In other words, there is really no way around it. When Wordpress issues a new release, especially if it's a security release, you will have no choice but to upgrade. I suspect that even if it's not a security release, you should still upgrade, since I notice that older versions aren't well-maintained, if at all. Staying informed of new releases of WordPress is easy, as you probably already know. Just log into your blog, and it will tell you if a new version is available. Or subscribe to the WordPress' newsfeed (which you can find at the WordPress site).
   
   In addition, if you have downloaded and installed WordPress plugins, make sure that you also keep them up to date. A vulnerability in a plugin is as bad as a vulnerability within WordPress itself.
   
   
   Update: Wordpress 3.7 and later will automatically update itself. Note though that it will only update to later minor versions. Although I can't find a precise definition of "minor version" on the WordPress site, I gather that this means (for example) that version 3.8.1 will update itself to 3.8.2 and other 3.8.x versions, but not to 3.9. In addition, by default, this auto-update only applies to the main WordPress installation itself. Plugins that you install will not be automatically updated. So you are not absolved from regularly checking for new versions and installing them.

2. Password Protect Your wp-admin Directory

   Although the above measure is the only real solution to protecting your site, by plugging the security hole, there are other less effective methods that you can use in addition to keeping WordPress up-to-date.
   
   One of them is to password protect your wp-admin directory on your site. This is different from setting a password for your WordPress user account. When you password protect your wp-admin directory, any attempt to directly load a page from that directory will cause a "401 Unauthorized" error unless a specific user name and password combination is supplied.
   
   Like all other measures in this tutorial, password protecting the directory does not guarantee anything. However, it may help if hackers discover that one of the scripts in the wp-admin directory contains a security hole, and the WordPress developers have not yet issued a fixed version. Let's say for example that the admin.php script has a hole so that hackers can break into your system by accessing (say) "http://www.example.com/wp-admin/admin.php?exploit-security-hole". If you password protect your wp-admin directory, that exploit will not succeed unless the hacker also knows your username/password for that directory.
   
   The procedure for password protecting a directory can be found in my article How to Password Protect a Directory on Your Website. If, after doing that, you find that you can no longer log into your blog, you will also need to set up a 401 error page for your site. To do that, see my tutorial How to Access Non-Drupal Folders on Your Drupal Website. Although that tutorial talks about Drupal, the procedure for setting up a 401 handler is the same if your blog is on an Apache web server (which is true for most sites). You can ignore the section "Enabling Support for other Directory Index Files" in that article -- it's not relevant for our purposes here.
   
   There are a few things you should note about protecting your wp-admin directory:
   
   • When you log into your WordPress blog, you will be asked to enter two sets of username/passwords pairs, one by the web server that is guarding your wp-admin directory, and one by WordPress for your blog user account.
   • For better security, you should set a username/password combination that is different from that which you use for your WordPress blog account. That way, if one pair is compromised in some way, at least you won't lose everything.
   • This password protection is not 100% foolproof.
     Firstly, the username and password is transmitted by your browser to the web server without encryption, so that anyone sniffing your traffic will be able to find out your password. That goes for your WordPress blog account as well.
     Secondly, there's no guarantee that the buggy script resides in the wp-admin directory. It may well reside in your main blog directory or one of your theme files or plugins. For example, at one time, the "xmlrpc.php" file, which is found in your main blog directory, was found to have a security flaw. Password protecting those other directories is out of the question, since it will cause other types of problems including the very important one that no one except you can read your blog.

3. Prevent the Listing of Your WordPress Directories

   We now descend into the realm of dubious security measures. In particular, we will apply what security experts disdainfully call "security by obscurity". This method is the online equivalent of trying to protect your life savings by hiding it under your mattress. However, although it is really not much of a security measure, if at all, I still think that it's a good idea to implement it in addition to all the other things described in this article. Not doing it is like hanging a sign on your front door saying "Security Hole Available Here".
   
   To know whether you need to take this measure, try this experiment. If your blog is located at, say, http://www.example.com/, type http://www.example.com/wp-content/plugins/ in your browser.
   
   If you see a listing of all the plugins you've installed in your blog, this section applies to you.
   At first glance, you may think that a listing of your plugins and other directories is not such a big deal. However, allowing hackers to see your list of plugins (and other scripts) gives them the opportunity to check what you have installed against their own list of plugins (and scripts) known to have security holes. Armed with that knowledge, they can then compromise your blog. Although preventing the directory listing does not stop them from exploiting those holes, at least you are not advertising your vulnerable scripts to all and sundry.

Other Methods Not Elaborated On In This Article

For those who are enamoured with "security by obscurity", there are numerous other measures you can take. Most of these are, however, probably not worth the time it takes to implement them, and as such will not be discussed at length here. There are also certain (not so desirable) side effects to those measures.

For example, you can replace all the default WordPress directory names (wp-admin, wp-content and wp-includes) with obscure names in all the WordPress files that reference them. Steps like these, while they probably more effectively hide your WordPress from security probes, are more work (and trouble) than the average person is willing to undertake. It's also probably beyond the technical capability of many. And the work does not just occur once. Every time WordPress issues a new release, you'll have to go through the whole rigmarole of modifying those files again. If you already thought upgrading WordPress was unpleasant, it will now become a nightmare.

In addition, you can also enhance the password protection of the wp-admin directory by restricting its access to only certain IP addresses, such as to the IP address you have when you connect to your blog. In plain English, this means that someone in other parts of the world, even if they discover your password to that directory, won't be able to connect to that directory. The problem with this is that most people don't have a fixed IP address, even if they only connect to their blog from one place (eg their home). Their broadband (or dial-up) provider issues them a different address each time they connect. If you miss out one of the IP addresses that you use, you will be locked out from your blog from that address until you can adjust your .htaccess file. Since it's probably too much of a hassle for most people to discover all the IP addresses that they may use to log into their blog, I have not included instructions for this here.

I'm sure it's possible to go on adding security measures to your blog ad infinitum. However, there is a trade-off in terms of the time you're willing to invest, the additional hassle you will face when you access/upgrade your blog, and the increased security you actually get. Beyond a certain point, the additional security you gain is minimal compared with the amount of trouble you have to go through to get it. And remember, ultimately, the best security measure is actually a program that is bug free. Which means you have to keep it updated. All the other things suggested here are, at best, half-baked measures designed to make things slightly more inconvenient for hackers so that, hopefully, they'll go to greener pastures with easier blogs to hack.

Keep Regular Backups

While not specifically a security tip, you should make regular backups of your site and database. Yes, I know. Everyone says that. But it's really important to do it. Remember what I said earlier about how there's no guarantee that the security measures here are effective in repelling hackers? I really mean it. All the measures in the world are merely miniscule stop-gap measures that raise the security bar just a little, hoping to make it slightly harder for your blog to be compromised. It doesn't mean that it's now safe.
If you don't make regular backups of the files on your site, as well as your database, recovery from a hack can be an unmitigated disaster. A backup is not only the fastest way to restore your site to working order, it is also sometimes the only way.

Do not rely on your web host to make daily backups of your website. Their backups are not really meant for restoring your site in event of a hack. They are primarily meant to restore the entire web server in the event that their hard disk fails. In addition, the backup may not be the most up-to-date possible for your site.
If you don't know how to backup your MySQL database, find out how. Don't wait till a disaster strikes to regret that you've not backed up anything. In the meantime, if you have never backed up the database, at the very least log into WordPress and export all your posts. (You can find it in the "Export" tab in the "Manage" section.) The file exported contains all your posts, their web addresses as well as comments made on your blog. It's not quite the same as backing up your MySQL database, but at least you have something.

Another thing you should do is to make sure you keep a complete and up-to-date copy of all the files you uploaded to your website. Remember that the files on your site are not identical to those found in a pristine WordPress archive. Besides your customised "wp-config.php" file, there are also the plugins and themes you have added to your site. In addition, if you uploaded pictures or other files through WordPress' web interface, they will also have been added to your web directory. When you have a complete up-to-date set of files on your own computer, you don't have to spend time reconstructing everything when you need to recover from a hack (or a server hard disk crash for that matter). All you have to do is to re-upload everything.

Conclusion

Hacked WordPress installations are becoming increasingly common on the Internet. Don't let your blog become the next victim. Keep the software up-to-date and implement the three main measures mentioned in this article to secure your WordPress blog.