WordPress Security Tips

Crackers are people too.

Unfortunately, they’re the wrong type of people; the ones who’ll look for ways to break a site and suck all your hard work into oblivion, all because their imaginary girlfriend dumped them for a PlayStation 3 while they were busy zapping goblins with their level 32 Warlock.

If you’re using the latest version of WordPress, you’re already more secure than many, but there are still ways to be safer. Use these 8 tips to keep your self-hosted WordPress site safe. Note: most of these tips apply to general web development too.

1) Prevent directory listing

The problem

In many cases, the default WordPress installation allows hackers to use their web browser as a file browser to look through the contents of the folders on your server.

Why is this bad?

Normally it’s pretty harmless – some web hosts don’t even bother to turn off directory listing by default. Sadly, this means that there are several things hackers can do:

a) If plugin and theme authors have made mistakes in their code that allow unexpected access, hackers can use your directory listing to find out if you’ve got those vulnerable files and then attack your site.

b) Nosey people can browse the non-WordPress contents of your web server to discover folders and projects that you might not be ready to announce, or which contain files that you thought weren’t accessible to the general public.

c) Many directory listings feature a line in the footer telling visitors your server version. Hackers can cross-reference these version numbers with lists of known vulnerabilities and bring your site down or gain illegal access. (Yes – there are other ways to find out what server software you’re running, but let’s not make it too easy!)

Check if your site’s affected

Type your WordPress URL into your browser address bar, followed by
“/wp-content/plugins/” like this:

http://wordprezzie.com/wp-content/plugins/

If you see a blank page or get redirected to a 404 (file not found) page, you’re almost certainly safe. If you see a list of filenames displayed as links, get out your bandages and use one of these two fixes:

The weak fix: add a blank index.html file

Note: This simple fix is for non-geeks only. If you’re happy editing .htaccess files, skip to “the geek fix”.

To do the weak fix, simply create a blank file in both your /wp-content/plugins/ and your /wp-content/themes/ folders using your FTP application, and name it index.html. Now visit those locations in your web browser – you should see a blank page instead of a list of files.

It’s good, but it’s not flawless. While hackers won’t be able to see what’s in your /themes/ and /plugins/ directories any more, they’ll still be able to see the contents of any folder that doesn’t have a blank index.html, which includes subfolders and other areas.

You could just put a blank index.html file in every folder on your server, but it’s a bit of a pain, isn’t it? Wouldn’t it be great if you could prevent people seeing inside all your folders using one line of code? Want the good news? You can!

The geek fix: edit your .htaccess file

This is the safest and fastest fix, which requires a tiny bit of geekery.

You need to edit the .htaccess file that lives in your WordPress root directory. (Make sure you’ve set your FTP app to “show hidden files”. If you still don’t see an .htaccess file, create it now in the WordPress root, which should contain a file named wp-config.php).

Next, open the .htaccess file in a text editor, add the following two lines to the bottom, and save the file.

# Prevents directory listing
Options -Indexes

That’s it! You’re done. Browse to the /wp-content/plugins/ or /wp-content/themes/ URL in your browser again. You should find yourself redirected to a 404 page instead of seeing a list of your files.
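As an added example (not code from the original post), here is a shell script that runs the same check from the command line for several WordPress folders at once. It uses curl, treats any non-200 response (403 or 404) as safe, and only flags a 200 whose body looks like an Apache or nginx autoindex page; the site URL is a placeholder.

```shell
#!/bin/sh
# Added example: probe WordPress folders for exposed directory listings.
# The site URL used below is a placeholder, not a real target.

# Classify a saved response body. Prints "listing" and returns 1 when the
# page looks like an Apache/nginx autoindex page ("Index of /" title or a
# "Parent Directory" link); prints "ok" and returns 0 otherwise.
classify_body() {
    if grep -qi '<title>Index of /' "$1" || grep -qi 'Parent Directory' "$1"; then
        echo listing
        return 1
    fi
    echo ok
    return 0
}

# Fetch each folder under the given site URL and report. A 403 or 404 is
# treated as safe; only a 200 with an autoindex-looking body is flagged.
# Returns 1 if any folder is exposed.
check_site() {
    base="${1%/}"
    rc=0
    for path in /wp-content/plugins/ /wp-content/themes/ \
                /wp-content/uploads/ /wp-includes/; do
        tmp=$(mktemp)
        status=$(curl -s -o "$tmp" -w '%{http_code}' "$base$path")
        if [ "$status" = "200" ] && ! classify_body "$tmp" >/dev/null; then
            echo "EXPOSED ($status): $base$path"
            rc=1
        else
            echo "ok ($status): $base$path"
        fi
        rm -f "$tmp"
    done
    return $rc
}

# Typical run (placeholder URL from the post): check_site "http://wordprezzie.com"
```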

Why doesn’t WordPress block directory listings by default?

It’s a good question. The answer is that it’s down to webmasters and web hosts to secure their own sites and servers. That means you.

But not everyone’s a web whiz. We think there should at least be a blank index file in the plugins and themes folders by default. We’ve submitted the suggestion in the WordPress ideas forum. If you want to support it, head over there and give the idea a rating to make your voice heard.

If you don’t have a WordPress.org forum account, you can register for one here. Alternatively, you can send the developers an anonymous note on the WordPress kvetch page. (Keep it polite! They’re a great bunch who give up their time for free.)

2) Use SFTP instead of FTP

The problem

Plain old FTP isn’t secure. If you use an FTP application to connect to your site, you’re sending your password in plain, human-readable text every time you log in. Hackers have ways of ‘listening in’ to intercept that information, which they can use to gain access to your site via FTP.

The fix

Start using the Secure File Transfer Protocol (SFTP) in place of FTP when you access your site. Connecting by SFTP is simple, and good web hosts (like Eleven2) will have it turned on by default. All you need to do is ask your hosting company which port number to use, then change the settings in your FTP application.

If your host doesn’t support SFTP (or something called FTP over SSH), or if they require you to jump through burning hoops to switch it on, just change your web host. FTP is unsafe, and it’s over 23 years old. In computing terms, that’s ancient! It’s time to update to a new standard. That standard is SFTP.

3) Stay up to date

It’s important to keep your themes, plugins, and WordPress installation up to date. If you’re using WordPress 2.6 or higher, updating your plugins is easy. For your theme, make sure you’re subscribed to the theme developer’s site — they should announce any updates that affect security.

To keep WordPress itself up to date, we recommend the automatic upgrade plugin, which streamlines the process a little.

4) Learn the correct file permissions

You probably shouldn’t be messing around with file permissions once WordPress is installed, but just in case you’ve meddled with them and want to double check, here’s a quick primer:

WordPress permissions

All folder permissions should be set to 755. Files should be set to 644. Files that you want to edit in the WordPress Theme editor should be 666. Never use 777 for WordPress permissions – you’re letting all users on the server do whatever they want with your site. On a shared or badly configured server, that can mean trouble.
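An added shell example (not from the original post) that lists world-writable entries and resets a WordPress tree to the 755/644 values above; the WordPress root path is an assumed argument. Files you have deliberately set to 666 for the theme editor will show up in the audit and are reset too, so re-apply them afterwards if you need them.

```shell
#!/bin/sh
# Added example: audit and reset WordPress file permissions.
# $1 is assumed to be the WordPress root (the folder holding wp-config.php).

# Print every file or directory that is writable by "other" (the 777/666
# case), skipping symlinks, which always report 777 on Linux.
audit_world_writable() {
    find "$1" -perm -002 ! -type l
}

# Apply the values from the post: directories 755, files 644. Anything you
# had set to 666 for the theme editor is reset as well.
reset_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Typical run (path is a placeholder):
#   audit_world_writable /var/www/wordpress   # see what a stray chmod 777 left behind
#   reset_permissions    /var/www/wordpress
```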

If that was gobbledygeek to you, move along. Your life is probably better off without this stuff.

5) Keep WordPress visitor registration turned off

By default, WordPress installations don’t allow visitors to register for a guest account on your site. While there are advantages to this if you’re building a community site, it’s best to keep registration turned off if you can, since some of the latest exploits use it to hack WordPress. (It’s fixed in the latest version.)

To check that you’ve got registration turned off, log in to your admin area, click “settings” and be sure that “anyone can register” is unchecked next to the “Membership” heading.

6) Limit WordPress admin access by IP address

The problem

Right now, anyone with web access can visit your WordPress login page and take a guess at your admin password. If they get it right, they’ll have full control of your site.

The fix

Restrict the WordPress admin folder to allow access only from your computer, or a small group of computers. To limit access by IP, create an .htaccess file in your /wp-admin/ folder (not directly in your WordPress root!) containing the following code:

order deny,allow
deny from all
# allow my home IP address
allow from XX.XX.XXX.XXX
# allow my work IP address
allow from XX.XX.XXX.XXX

Don’t forget to replace the Xs with your IP address, which you can find using a site such as What’s My IP when you’re at the computer you want access from.
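As an added example (not from the original post), this shell function generates the /wp-admin/.htaccess above from a list of addresses and refuses malformed or unreplaced entries, so a stray XX.XX.XXX.XXX never gets uploaded. It also adds an exception for admin-ajax.php, which visitors' browsers call for front-end plugin features; the sample addresses are constructed, and the 2.2-style directives assume your host permits Order/Allow/Deny and Satisfy in .htaccess.

```shell
#!/bin/sh
# Added example: build the /wp-admin/.htaccess from a list of allowed
# addresses, rejecting anything that is not an IPv4 address or CIDR range
# (so an unreplaced XX.XX.XXX.XXX placeholder is caught before upload).
# Uses the Apache 2.2 directives shown in the post.

# Return 0 for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    addr="${1%%/*}"
    for octet in $(printf '%s' "$addr" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1" in
        */*) [ "${1#*/}" -le 32 ] || return 1 ;;
    esac
    return 0
}

# Print the .htaccess body for the given addresses; fail on any bad entry.
gen_admin_htaccess() {
    [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 1; }
    done
    echo "order deny,allow"
    echo "deny from all"
    for ip in "$@"; do
        echo "allow from $ip"
    done
    # Added caveat: visitors' browsers call admin-ajax.php for front-end
    # plugin features, so it stays reachable from anywhere.
    echo "<Files admin-ajax.php>"
    echo "    Order allow,deny"
    echo "    Allow from all"
    echo "    Satisfy any"
    echo "</Files>"
}

# Typical run (constructed addresses):
#   gen_admin_htaccess 203.0.113.10 198.51.100.0/24 > wp-admin/.htaccess
```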

Once you’ve done this, visitors without the allowed IP address will see a 404 message if they try to access your admin area or login. Try accessing the Wordprezzie admin area to see it in action. You should see an error page (unless you’re on our computers, which are kept at the bottom of a well). Credit where it’s due: I adapted this tip from Matt Cutts’ suggestion, which is here.

You should know that IP addresses can be reassigned by your ISP without warning, so use this tip with caution unless you’ve paid for a static IP. Don’t worry, though – if you find yourself locked out, you’ll still be able to gain access by SFTP (you are using that, right?) to delete or edit the .htaccess file with your new IP.

Note: If you travel a lot, then this tip’s probably not for you. Consider password protecting /wp-admin/ at the directory level instead so that you’ll be able to access it wherever you are using an additional password. Most hosting control panels have an option to add a password to a folder, or you can search the web for “htpasswd”.

7) Encrypt your web browsing session

This tip is for security nutcases and the ultra-paranoid only. You can encrypt your entire browsing session so that your WordPress login info is sent over the net as a scrambled message when you log in to your admin panel, rather than in plain text.

It’s a little fiddly to set up, but it’s probably the strongest way to make sure your password isn’t intercepted by those nasty packet-sniffing web addicts who lurk in dark alleys on the net. To get started, check out this guide on Lifehacker.

8) Use your common sense

Finally, three points of common sense:

Don’t use stupid passwords. We help a lot of people tweak their established WordPress sites, and we’re still amazed by the number who use terrifyingly simple passwords.

One high-profile blogger was using their domain name as the WordPress admin password. (We changed it for them – no point trying to guess who or what it was!)

To change your password, go to the “users” tab, click the username that you use to log in with, scroll to the bottom of the page and fill in a new password, then click “update profile”.

Be careful in public places. I once watched a blogger accidentally type his password into the username box whilst live on a 5 metre screen and presenting to 200 people. If you’re out and about, be careful. Likewise, don’t leave a logged-in machine unattended; you’re asking to get stung.

Back up often and have a recovery plan. We’ll be writing more about this soon, so subscribe and stay tuned!

If you only have time for one

Don’t have time to do everything in this list? Take our advice: change your password to a stronger one (see point 8 for the instructions). It should be at least eight characters long and include numbers mixed with characters in uppercase and lowercase.

If you can find it in a dictionary, you’re using the wrong password. If it’s the name of your dog, daughter, or dentist, you’re using the wrong password. “Secret” is a poor choice. So is “letmein”. So is “motherducker”. Even if you think it can’t be guessed, chances are that you’ll be unpleasantly surprised. Choose a mixture of random letters and numbers and you’ll be much safer. Can’t remember all your passwords? Try PassPack.
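An added shell check (not from the original post) for the password rules given here: at least eight characters mixing digits with upper- and lower-case letters, and not built on a dictionary word. The word list is a small constructed stand-in, and the password is read from stdin so it never lands in the shell history or process list.

```shell
#!/bin/sh
# Added example: check a candidate password against the rules in the post.
# Reads the password from stdin; returns 0 if it passes, 1 with a reason otherwise.

# Constructed stand-in for a dictionary. Set WORDLIST to a real word list
# (for example /usr/share/dict/words) to use that instead.
SAMPLE_WORDS=$(mktemp)
printf 'secret\nletmein\nmotherducker\npassword\nwordpress\n' > "$SAMPLE_WORDS"
WORDLIST="${WORDLIST:-$SAMPLE_WORDS}"

check_password() {
    IFS= read -r pw
    [ "${#pw}" -ge 8 ] || { echo "too short: need at least 8 characters" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[[:digit:]]' || { echo "needs a digit" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[[:upper:]]' || { echo "needs an upper-case letter" >&2; return 1; }
    printf '%s' "$pw" | grep -q '[[:lower:]]' || { echo "needs a lower-case letter" >&2; return 1; }
    # A dictionary word with a digit bolted on is still a dictionary word:
    # strip everything but letters, lower-case it, and look it up.
    stem=$(printf '%s' "$pw" | tr -cd 'A-Za-z' | tr 'A-Z' 'a-z')
    if grep -qix -- "$stem" "$WORDLIST"; then
        echo "built on a dictionary word ($stem)" >&2
        return 1
    fi
    return 0
}

# Typical run: printf '%s\n' "$candidate" | check_password
```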

Need help? Just ask us

Don’t forget! We offer design, coding and security help if you need it, starting at only US$80 for quick fixes, tweaks and code help. (That includes messing around with your .htaccess files if you don’t feel brave enough!) Hire us here.

Add your own tips below

Got a WordPress security tip you’d like to share? Help us all stay safe by adding your comments below.

18 comments


  • Lucifr
    July 30, 2008

    A great guide! I’ve just noticed the directory list problem.

  • desu
    August 6, 2008

    I fixed my directory listing as well, thanks for the tip!

  • Kudungga
    September 11, 2008

    Thanks a lot for sharing. Good luck to you

  • Rod
    September 17, 2008

    This is a very good, practical list – thank you. I’ve very recently come across a couple of hacked sites, and don’t want it happening to me!

  • Escoofield
    September 19, 2008

    WOW this is cool, thanks for these tips, they are absolutely useful!!
    This is truly amazing and very good! gaga..,,,..
    Check my site, it’s also a great site!
    It has a lot of funny pics and it has a lot of fun! hehe thanks!

    Escoofield –
    http://alotofit.com

  • xok (indie clothing)
    September 19, 2008

    Nice tips for WordPress users, and great looking blog! I should come back more often!

  • Epiblogger
    September 20, 2008

    Great tips, I think I have given most of them out myself. If you need to keep your admin folder access open to more IP addresses, you can use a plugin such as Login Lockdown to help prevent unauthorized access. That way people only get so many tries to login before getting blocked. Stops repeated attacks.

  • J Fowler
    September 23, 2008

    You guys rock. Thanks for the simple yet powerful wisdom.

  • Jeremy
    October 28, 2008

    Good tips and suggestions. I’m sure many will find this and benefit from it.

  • André
    January 6, 2009

    The geek tip for Prevent directory listing still doesn’t work for me; if I enter it into the .htaccess I get a 500 error. Any solutions?

    greetings

  • Nick Cernis
    January 6, 2009

    Make sure that the -Options line is at the top of the .htaccess file. If it’s still not working, it’s possible that your web host doesn’t allow the -Options directive at all, so I’d check with them.

  • Adrin
    January 16, 2009

    Good Article!!!!

  • fgwf
    February 23, 2009

    Re your tip 6) Limit WordPress admin access by IP address

    I can see your wp-login page.... no error page

  • Nick Cernis
    February 23, 2009

    Yes — we switch off directory protection if we know we’ll need to access the site while travelling. Well spotted, though!

  • Juno
    March 5, 2009

    I’ve got a question about editing the .htaccess file.

    What kind of tags do I need to put around Options -Indexes? At the moment I only have a few lines in the .htaccess file, but they are surrounded by some kind of tag in diamond brackets (IfModule something). Do I need any tags in diamond brackets to go around Options -Indexes, too? If so, can you maybe tell me which tags that would be?

    Thanks!

  • Mick Lauer
    April 14, 2009

    Thanks so much! So clear, so easy! Exactly what I needed :)

    Check out the website you helped if you like:

    thg.yppevents.com

    cheers!

  • Graeme Pearce
    April 20, 2009

    That was great, I’m now off to fix my site. Thanks for the tips.

  • Keith Davis
    November 5, 2009

    I’m no geek but I could follow this great post.

    Lots of WordPress warnings on the web, worm attacks, SQL injection.... I shall be going through your list this weekend.

    Thanks for explaining things so clearly.
