Hack-proofing WordPress: Simple Basic Steps
For the past couple of years, most of the websites I’ve made have been built on top of WordPress. I’ve found WordPress is super easy for clients to use, there are frequent updates fixing or adding features, and it’s almost endlessly customizable. The only downside (of any off-the-shelf system, really) is that the more people use it, the more people are looking to exploit it.
I’ve had to deal with clients’ WordPress installations getting hacked a couple of times. It’s never a good feeling, especially if you’re the one who set it all up. I’ve put together a little mental checklist of things to do for protection, and since then I haven’t had a hacked site. (Disclaimer: I know there are way more elaborate protection methods. Google “hack-proof WordPress” and you’ll have a ton at your disposal. This is just what I’ve found to work and doesn’t get in the clients’ way. I haven’t needed anything else.)
Protection before installation
First things first, install WordPress into a subfolder. Automated bots have a harder time looking for vulnerabilities when they can’t be sure where the WordPress installation is located. It’s very easy to have WordPress serve the site from the root folder while its files live in the subfolder. I tend to use “/cms/” as it’s vague but still makes sense.
There’s an option in wp-config.php to change the database table prefix. The more random the prefix, the better. It beefs up protection against SQL injection and other not-fun things.
Protection during installation
During installation, it’s wise to make sure the default admin account is not called “admin.” Change it to the client’s name or your name, anything else really. Anyone trying to brute-force their way into the admin panel will have double the effort if the username is also something they need to figure out. Needless to say, don’t use “password” for the password either…
Protection after installation
Remove the install.php file from /wp-admin/. WordPress normally shows a connection error message when the database is having problems. If the MySQL server drops completely, though, WordPress treats the site as not yet installed and displays the install file, if it’s there, allowing people to hijack your website. Simply removing the file halts that, and if you ever need it back, you can just re-download WordPress.
Remove the generator meta tag. I still don’t understand why this tag is even included. I don’t see a benefit at all to having it, and it just tells people looking for vulnerabilities exactly which version they’re up against. A quick addition of this code to your theme’s functions.php file will cut that out.
// Stop WordPress printing <meta name="generator" content="WordPress x.y"> in the <head>
remove_action( 'wp_head', 'wp_generator' );
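As an added example (not from the original post), here is a fuller functions.php snippet that goes a step beyond the single line above: it removes the generator tag from the HTML head as described, and also blanks the version string WordPress writes into its RSS/Atom feeds through the the_generator filter. The hook and function names are WordPress core APIs; placing it in a child theme’s functions.php is an assumption, and a must-use plugin would work just as well.

```php
<?php
// Added example: drop the WordPress version string from every place core prints it.
// Assumed location: a child theme's functions.php (or a small must-use plugin, so it
// survives theme changes). Assumes WordPress 3.7+ for __return_empty_string().

// 1. The <meta name="generator" content="WordPress x.y"> tag in the HTML <head>.
//    wp_generator() is attached to the wp_head action; detaching it removes the tag.
remove_action( 'wp_head', 'wp_generator' );

// 2. The <generator> element in RSS2/Atom/RDF and comment feeds. Those are produced
//    by the_generator(), whose output passes through the 'the_generator' filter, so
//    returning an empty string from the filter removes it from every feed type.
add_filter( 'the_generator', '__return_empty_string' );
```

This only removes the explicit generator output; the version can still be inferred from other files WordPress ships, so treat it as a reduction of noise rather than a substitute for keeping the install updated (the next point in the post).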
Keep WordPress and your plugins updated. Honestly, this is pretty basic. WordPress is updated every few weeks and any worthwhile plugin is as well. Keep them fresh and let their developers close up security holes.
Set your login to stealth mode with Stealth Login. This is the only plugin I’ll mention, and it serves a dual purpose. It allows you to give a custom permalink that redirects to the login page and admin panel. http://yourdomain.com/admin/ is a lot easier to remember than http://yourdomain.com/cms/wp-admin/. Also, its stealth-mode option makes sure users can’t access wp-login.php directly, which protects against off-server brute-force login attempts.
Go Forth and Protect
As I mentioned before, these are just the tips that I’ve personally used and found to work. All of these things are easy to do for existing WordPress installations as well. For heavy-traffic sites, you might need to dig a little deeper into it, but if you do these things, you’ll have a good security baseline for your WordPress site.
These are very simple and very useful. Do you think there is a way to change the wp- prefix after installing?