In this tutorial we will look at ways to improve the security of your Wordpress installation by making it harder for an intruder to gain access to your site. There are a number of factors to consider when securing a Wordpress site, from simple things like the strength of your password to more involved matters such as file permissions, which determine which files in your site can be accessed remotely. Many of these procedures can be simplified with plugins, and although there are countless plugins that will help protect a Wordpress installation, there are hurdles to overcome: some plugins are difficult to run alongside others, or you may find that a plugin uses too many resources or causes conflicts. We have put together this guide using our favourite plugins and practices; note that other plugins and other valid methods of securing your site exist.
##Avoiding Default Values and Using Strong Passwords
Every Wordpress installation exposes the same login page, wp-login.php, and older self-hosted installations tend to use the same default username, ‘admin'. With those two pieces known, a malicious script only has to guess the remaining value, the password. In addition, all the information about your site is stored in database tables that are usually easily identified by a ‘wp_' prefix, and attacks that inject SQL through a vulnerable plugin or theme commonly hardcode those default table names. A simple script aimed at Wordpress sites will assume the most common defaults. Changing them is not a foolproof protection (a determined attacker can still discover a username, and a changed prefix does nothing against a guessed password), but there is no reason to make it easy.
The first step in increasing your site's resilience to these attacks is to make sure you are not using the default values: the ‘admin' username and the ‘wp_' table prefix. In this section we discuss how to install Wordpress so as to avoid the defaults, and how to change them on an existing installation.
###Avoiding Default Values when Installing Wordpress Using Softaculous
When installing Wordpress using Softaculous in your cPanel account you will have the following options:
The value you should change here is the table prefix, and any value is fine so long as it doesn't begin with ‘wp_'. I'd suggest changing it to a random combination of letters or numbers, but you may also prefer to name it something you can identify, so that if you happen to add more sites later you will be able to recognise which database belongs to which site. For this tutorial we will rename it to ‘hp_'.
Next you should change the default values in these fields:
First change the username to anything other than admin. Later you will be able to set a display name that visitors see on your posts, so the login name can be anything you can remember; it doesn't have to make sense or look attractive. Bear in mind that the login name is not fully hidden: Wordpress derives the author URL slug (user_nicename) from it, and author archive pages and the REST API expose that slug, so an obscure login name helps far less than a strong password does. We will set the username to ‘Myusername'.
Next you can see that the default password is just ‘pass'. This is one of the worst passwords imaginable: an automated script that runs through the most common passwords will guess it almost immediately.
Next to the password field is a key symbol, click that to generate a secure password.
Make a note of this username and password and then finish the installation.
###Avoiding Default Values when Doing Wordpress' Famous Five Minute Installation
If you are installing Wordpress by transferring the files over FTP then there is just one screen to watch out for. When you click the ‘let's go' button you will see this screen:
At this stage of the installation you will be prompted for the details that allow Wordpress to connect to your MySQL database. As you can see, the default value for the ‘Table Prefix' field is ‘wp_'. Change it to a different prefix; the installer only accepts letters, numbers and underscores, and anything else is fine so long as it does not begin with ‘wp_'.
On the next screen you will see the following fields:
The default username is ‘admin', which needs to be changed. Whatever value you choose, visitors will see your display name rather than the login name once you set one, so there is no need to pick something that looks good (the login name can still be inferred from author URLs, so do not rely on it being secret). Do not pick ‘admin', and for extra security avoid your first name or a similar value that is easy to guess.
You will also be asked to pick a password. There is no option here to generate one automatically, but there is an indicator that shows how strong your password is. See the Password Security section below for tips on picking a secure password.
###Avoiding Default Values when Installing Wordpress Through Another App or Service
Some web hosts offer different apps that will install and configure Wordpress for you, most of which are launched through the admin area or through cPanel. Depending on the app you may find that not all configuration options can be edited, but if you can see a field for ‘Table Prefix' and its value is ‘wp_' then it is a good idea to change it. If you are not given the option of changing the prefix during installation then don't worry; it can be changed afterwards.
###Changing the value for ‘Table Prefix' in an existing Wordpress installation
There are a few ways to change the value for Table Prefix if you were not given the option when installing, or if you have an existing installation that you want to make more secure.
We must stress that editing a database is a risky procedure: a mistake will make your site inaccessible. If you have an existing Wordpress site and are worried about losing content, back up the database before continuing.
###Changing your username and/or password
It's important not to have ‘admin' as your username, but the Wordpress admin interface offers no way to rename an existing account. Instead you create a new administrator account and then delete the admin account. Here's how: first go to ‘Users' in your Wordpress admin area. You will see the admin account listed.
Click ‘add new user' and fill in the fields. You can set the username to anything you like, but we recommend not picking your own name because it is easy for a hacker to guess. Here we have picked ‘Myusername', but we are sure you can think of something better!
Make sure to pick a strong password; the indicator will show you when you have a secure one. For tips on secure passwords, see the Password Security section below. Also make sure to set the role to Administrator.
Next you need to log out of the site and log in using the new user you created. On the login screen enter the new username (‘Myusername' or whatever you chose) and the new secure password.
Click ‘Users' in the sidebar and then hover over the user ‘admin'; the options to edit or delete will appear. Choose ‘delete'. This screen is very important if you have existing content on your blog: make sure ‘Attribute all content to' is set to the new user you created, otherwise every post and page owned by admin will be deleted along with the account.
Now that you have a new secure username and password, you can set a friendlier display name so visitors see that posts are written by you. Click ‘Your Profile' in the sidebar and fill in the ‘Nickname' field (I've chosen ‘Jake', which I hope is more appealing to visitors than ‘Myusername'), then set ‘Display name publicly as' to the new nickname.
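As an added example (not part of the original tutorial), the same rename can be done directly in the database, which keeps the account's ID and therefore leaves all content attributed to it without the delete-and-reattribute step. It assumes the table prefix is ‘wp_', that the new login should be ‘Myusername' and that you have taken a backup first; the nicename and display name values are illustrative.

```sql
-- Added example, not code from the original tutorial. Run in the phpMyAdmin
-- SQL tab after backing up the database. Assumes the table prefix is 'wp_'.

-- 1. Confirm which row you are about to change (the original admin is usually ID 1).
SELECT ID, user_login, user_nicename, display_name
  FROM `wp_users`
 WHERE user_login = 'admin';

-- 2. Change the login name. user_nicename is the slug used in author archive
--    URLs (/author/<nicename>/) and in the REST API, which is how a login name
--    leaks to visitors, so set it to something unrelated to the new login.
--    display_name is what readers see on posts and can stay friendly.
--    The ID is untouched, so posts, pages and capabilities stay attached.
UPDATE `wp_users`
   SET user_login    = 'Myusername',
       user_nicename = 'jake',          -- must be unique and URL-safe (lowercase, no spaces)
       display_name  = 'Jake'
 WHERE user_login = 'admin';

-- 3. Verify: the first query should return no rows, the second your renamed account.
SELECT ID, user_login FROM `wp_users` WHERE user_login = 'admin';
SELECT ID, user_login, user_nicename, display_name FROM `wp_users` WHERE user_login = 'Myusername';
```

Log in with the new login name straight away; the password is unchanged because it lives in the same row.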
###Changing the value for ‘Table Prefix' with ‘Bulletproof Security'
For anyone who is worried about editing their MySQL database or doesn't feel comfortable using PhpMyAdmin there is a convenient alternative. Bulletproof Security is one of our favourite security plugins and it can change your database prefix for you. We will come back to Bulletproof Security later in this tutorial, as it has many other useful features. To install the plugin, go to ‘Plugins' and ‘Add New' in the sidebar of your admin area, then search for ‘bulletproof security'.
(You will likely have a few alert messages when the plugin is active, ignore or dismiss these for now).
When the plugin is active, go to DB Backup in the sidebar, then pick ‘DB Table Prefix Changer' from the tabs across the top.
You can then just click the ‘Change DB Table Prefix' button to use the randomly generated new prefix. Or if you prefer, you can enter a new prefix manually - this can occasionally be useful if you have more than one site and if you like to be able to see which database is used.
###Changing the value for ‘Table Prefix' with ‘Change DB Prefix'
The prefix can also be edited by using a simple plugin from the Wordpress Plugin Directory. This plugin will change the value for you and it has the advantage that you can then delete it afterwards.
To install the plugin first go to ‘Plugins' and ‘Add New' on the sidebar of your admin area. Then you can search for the term ‘Change DB Prefix' in the search box. The plugin will be listed first and you can pick ‘Install Now'.
Now go to ‘Settings' and ‘Change DB Prefix'
Enter a value for ‘New Prefix' - anything is OK so long as it doesn't include ‘wp_' at all. You can only use letters or numbers and it must end in an underscore. Once you click ‘Save Changes' you are done!
As this plugin has a single use it should now be deleted. We'll come back to deleting plugins later in the tutorial.
###Changing the value for ‘Table Prefix' - The hard way
To change the table prefix without a plugin you will need to use PhpMyAdmin to edit the database manually. We strongly recommend that you back up your Wordpress database before making any alterations to it.
The first thing to do is edit your wp-config.php file. This file is found in the root directory of your Wordpress installation. You will need to use an FTP programme to connect to your server and browse to the file, or you can use File Manager in cPanel to edit it. For this example we will use File Manager. Launch File Manager in your cPanel interface.
Navigate to your wp-config.php file. This will be in the directory that you installed Wordpress to, usually the web root or public_html folder. Select the wp-config.php file and pick ‘code editor' from the top option bar, then pick ‘edit' from the popup window.
Navigate to the line that sets the current prefix, `$table_prefix = 'wp_';`, and change the value to the new prefix; in this example I have replaced ‘wp_' with ‘hp_'. Then click ‘Save'.
Your site will be inaccessible when you make this change, but don't worry. The next stage is to use PhpMyAdmin to update the database to match. PhpMyAdmin can be accessed through your cPanel (or equivalent) interface.
Click ‘SQL' in the top tab bar and you will see a query box. Enter the following, which renames every core table that begins with wp_ so that it begins with hp_ instead. Use whatever prefix you put in wp-config.php, and check the table list on the left for anything else that starts with wp_ (plugin tables, and the wp_termmeta table that newer Wordpress versions create), because those need renaming too:

```sql
RENAME TABLE `wp_commentmeta` TO `hp_commentmeta`;
RENAME TABLE `wp_comments` TO `hp_comments`;
RENAME TABLE `wp_links` TO `hp_links`;
RENAME TABLE `wp_options` TO `hp_options`;
RENAME TABLE `wp_postmeta` TO `hp_postmeta`;
RENAME TABLE `wp_posts` TO `hp_posts`;
RENAME TABLE `wp_terms` TO `hp_terms`;
RENAME TABLE `wp_term_relationships` TO `hp_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `hp_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `hp_usermeta`;
RENAME TABLE `wp_users` TO `hp_users`;
```

Press ‘Go' and then refresh the page.

Next, a few rows in the options and usermeta tables carry the prefix in their names, and Wordpress will not recognise any user's role until they match. Enter the following in the same query box:

```sql
SELECT * FROM `hp_options` WHERE `option_name` LIKE 'wp\_%'
```

The backslash makes the underscore literal; without it, `_` is a single-character wildcard in LIKE and the query also returns unrelated names such as ‘dismissed_wp_pointers'. For every result listed, double click the entry in the ‘option_name' column and change the leading ‘wp_' to the new prefix ‘hp_' (wp_user_roles is the one that matters). Then click the SQL tab again and enter:

```sql
SELECT * FROM `hp_usermeta` WHERE `meta_key` LIKE 'wp\_%'
```

Go down the ‘meta_key' column and rename every entry from wp_ to the new prefix in the same way (wp_capabilities and wp_user_level hold each user's role). Only values that begin with wp_ need renaming, not ones that merely contain it: ‘dismissed_wp_pointers' must be left alone, and the escaped pattern above already excludes it.

You are done! The site should now be back up and running.
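For anyone who would rather not rename rows by hand, here is the whole change as one script to paste into the phpMyAdmin SQL tab. It is an added example, not code from the original tutorial, and it assumes the old prefix is ‘wp_', the new prefix is ‘hp_', wp-config.php has already been updated and a backup exists. It goes slightly beyond the steps above by listing plugin tables first and rewriting the option and usermeta names with UPDATE rather than editing each row.

```sql
-- Added example, not from the original tutorial. Assumes old prefix 'wp_',
-- new prefix 'hp_', a fresh backup, and $table_prefix already changed in wp-config.php.

-- 1. List every table that still carries the old prefix. The backslash makes the
--    underscore literal: without it '_' is a single-character wildcard in LIKE.
--    Any plugin table shown here (hypothetical example: wp_someplugin_log) must be
--    added to the RENAME list below; remove the wp_termmeta line if it is not listed
--    (installations older than Wordpress 4.4 do not have it).
SHOW TABLES LIKE 'wp\_%';

-- 2. Rename the core tables. A single RENAME TABLE statement is applied as one unit,
--    so either every table is renamed or none is.
RENAME TABLE
  `wp_commentmeta`        TO `hp_commentmeta`,
  `wp_comments`           TO `hp_comments`,
  `wp_links`              TO `hp_links`,
  `wp_options`            TO `hp_options`,
  `wp_postmeta`           TO `hp_postmeta`,
  `wp_posts`              TO `hp_posts`,
  `wp_termmeta`           TO `hp_termmeta`,
  `wp_terms`              TO `hp_terms`,
  `wp_term_relationships` TO `hp_term_relationships`,
  `wp_term_taxonomy`      TO `hp_term_taxonomy`,
  `wp_usermeta`           TO `hp_usermeta`,
  `wp_users`              TO `hp_users`;

-- 3. Rewrite option names that embed the prefix (wp_user_roles is the important one:
--    without it no account has any role). SUBSTRING(..., 4) drops the three
--    characters of 'wp_' and CONCAT puts the new prefix in front of the remainder.
UPDATE `hp_options`
   SET option_name = CONCAT('hp_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

-- 4. Same for usermeta: wp_capabilities and wp_user_level hold each user's role.
UPDATE `hp_usermeta`
   SET meta_key = CONCAT('hp_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 5. Verify. The first two queries should return no rows; the third should show one
--    hp_capabilities row per user, including your administrator account.
SELECT option_name FROM `hp_options`  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM `hp_usermeta` WHERE meta_key    LIKE 'wp\_%';
SELECT user_id, meta_key, meta_value FROM `hp_usermeta` WHERE meta_key = 'hp_capabilities';
```

If step 5 still lists rows, the site will load but every login will land on a page with no menu, because Wordpress looks for roles under the new prefix only; rerun steps 3 and 4 before doing anything else.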
##Preventing Brute Force Logins and Hiding your Admin Area
Scripts that attempt to guess your password generally try combination after combination, or work through a list of common and previously leaked passwords, in the hope of getting lucky. This is called a brute force attack, and it is why it is so important not to use a common, default or short password. With a strong password this stage may not be strictly necessary, but we prefer to take every precaution.
We can use the Bulletproof Security plugin to limit the number of guesses any one visitor is allowed. After three incorrect guesses the visitor's address is locked out for an hour. At that rate a single machine cannot realistically guess a strong password, although, as explained below, an attacker who spreads attempts across many addresses is slowed much less. To install the plugin first go to ‘Plugins' and ‘Add New' on the sidebar of your admin area, then search for ‘bulletproof security'.
Once the plugin is installed, pick ‘Login Security' from the side bar. The default options are fine, so just click ‘Save Options' when you are ready.
Another default value of all Wordpress installations is the location of the admin area. Just like the ‘admin' username and the ‘wp_' table prefix it is a value that will be targeted by default. Even though visitors will be locked out by Bulletproof Security if they attempt to guess the password, it is still possible for a network of attacking scripts to target the login page - each bot will get locked eventually, but the effect of an attack like this can still cause the website to go slow or even crash.
Although it is harder to change the location of the admin area, it is easy to add a trap so that attacks will be redirected away from the page harmlessly. To do this we use a plugin called Stealth Login Page. You can find it by going to ‘Plugins' and ‘Add New' on the sidebar of your admin area, then search for ‘stealth login page' and click install and activate.
In the sidebar choose ‘Stealth Login Page' under ‘Settings' and then tick the box next to ‘Enable Stealth Mode'. In the field called ‘Enter an authorization code' pick a code that will act like a pin number for your site (here we have used 3718 but you can use anything you like). You can then also enter a URL to redirect attackers to, I have picked google.
Now when you click save you will find a new field on your Wordpress site's login screen. All users will need to enter the pin number, even if they use the correct username and password, or they will be redirected away from your site. Note that neither plugin covers xmlrpc.php, which accepts a username and password independently of the login page and is a common brute force target; if nothing you use needs the XML-RPC interface, disable it (for example with the `xmlrpc_enabled` filter in a small plugin) or block the file in your web server configuration.
##Password Security and Best Practices
Everything we have done so far will count for nothing if your password is not secure. And if you have multiple users with admin access on your site, then all their passwords must also be secure, or they are potentially a weak link.
###The Administrator Role
All users with a role of Administrator are particularly important to keep safe. If possible you should limit the number of users with the Administrator role, ideally to just yourself. To do this go to ‘Users' in the sidebar of your admin area, then select ‘All Users'. Hover over the name of the user you want to change and the edit option will appear:
Click this and then use the ‘Role' dropdown to change the user from Administrator to one of the other roles. Which role is suitable depends on how you use your site: Editor, Author and Contributor can still write content but cannot change the site's settings, install plugins or manage users, while Subscriber can only manage their own profile.
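An added example (not from the original tutorial) of checking this from the database: the first query lists every account whose capabilities include the Administrator role, and the second finds accounts with no role at all, which is the usual symptom of a table prefix change that missed the usermeta rows. It assumes the prefix is ‘wp_'; the capabilities key always takes the current prefix, so use ‘hp_capabilities' after the change described earlier.

```sql
-- Added example, not from the original tutorial. Assumes the table prefix is 'wp_'.
-- Wordpress stores each user's roles as a serialized PHP array in usermeta under the
-- key <prefix>capabilities, for example: a:1:{s:13:"administrator";b:1;}

-- 1. Every account holding the Administrator role. Anything here that is not you
--    is a candidate for demotion to Editor or lower.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       m.meta_value AS roles
  FROM `wp_users` u
  JOIN `wp_usermeta` m ON m.user_id = u.ID
 WHERE m.meta_key = 'wp_capabilities'
   AND m.meta_value LIKE '%"administrator"%'
 ORDER BY u.user_registered;

-- 2. Accounts with no capabilities row for the current prefix. They can log in but
--    can do nothing; the usual cause is a prefix change that renamed the tables and
--    left the usermeta keys on the old prefix.
SELECT u.ID, u.user_login
  FROM `wp_users` u
  LEFT JOIN `wp_usermeta` m
         ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
 WHERE m.umeta_id IS NULL;
```

Run the first query again after demoting users; it should list exactly the accounts you expect to administer the site, and nothing registered on a date you do not recognise.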
It is still important that you and all your users have strong passwords. Wordpress shows a password strength indicator when you set or edit a password, but it can only judge what you type. Many people are reluctant to use an unpronounceable password made up of random characters and symbols because they do not feel they can reliably remember or type it. In fact, a password of this sort can end up less secure, because you may need to keep it written down (hopefully not on a post-it attached to your monitor!).
A good approach to a secure password is to use a phrase. Rather than unusual characters, symbols and number substitutions that are hard to remember, construct a series of four or more random words that you will be able to recall, perhaps because they have some obscure importance to you; the important thing is length. For example, ‘Pre5T02014' might look like a reasonable password, but it is weak compared to something like ‘wizardpurpleprestowebsite'. You can use the tool at https://password-checker.online-domain-tools.com/ to compare the strength of candidate patterns, but never type a password you actually intend to use into a third-party website: test a similarly built throwaway instead, or use an estimator that runs locally such as zxcvbn.
###Don't reuse Passwords
Additionally, even with a strong password you should use a different one for every site. If a hacker breaks into one site where you have an account and steals your details, they can use those details to break into your Wordpress site, or your banking, social media and so on. This happens frequently, because large organisations, companies and shops fail to protect their databases adequately, and the only protection is a different password for every site. Even with a good system for making memorable strong passwords this becomes impossible to keep on top of, particularly if you use the internet for a lot of shopping.
###Password security using Lastpass
Lastpass is a web service that remembers your passwords for you and fills them in on websites when you need them, similar to the autocomplete function in some browsers or Keychain in Safari. Lastpass has the advantage that it works across multiple devices, and the stored data is encrypted on your own device with a key derived from a single master password that you use to unlock your Vault; that master password is therefore the one you must make strong and never reuse.
When you download Lastpass from https://lastpass.com/ you will be able to pick your operating system, and the installer will automatically add Lastpass to your most used browsers.
In order to add a site to Lastpass you simply click the Lastpass icon in your web browser (here we are using Chrome) and choose ‘Sites' then ‘Add Site'.
The next screen will allow you to store the details of your site, we have entered the URL to our Wordpress admin page, and the username and password. Here we have used the easy to remember password, but the advantage of Lastpass is that you will never need to enter it - so if you prefer you can use an automatically generated one.
###Clef - an Alternative to Passwords
Clef is a plugin for Wordpress that removes the need for passwords (after the initial setup at least). It combines a mobile phone app with a replacement login screen for your site: so long as you have your phone you can log in by holding it up to the computer screen. (Note: the Clef service was shut down in 2017, so the steps below are kept for reference; a two-factor plugin that uses a one-time-code app on your phone serves the same purpose today.)
To set up Clef, first you should download and activate the plugin from Wordpress by going to ‘Plugins' then ‘Add New' in your Wordpress admin area. Then search for ‘clef'
Next you need to set up Clef, which includes getting an app on your mobile device. You can either find the app in your app store, or you can use this interface to send yourself a link by clicking ‘Get Started' and then ‘Get the Clef App'.
Pick the flag that applies to your area then enter your mobile number and click ‘Text me a link to Clef'.
When you get the text message follow the link to the app store, and install the app. You will then need to follow the set up instructions on your mobile screen to create an account.
This stage also involves setting a pin number, make sure you can remember it.
Once you have done that, you can go back to your Wordpress site and click ‘I'm ready to sync'. You will see the Clef wave on your computer screen and on your phone. Simply hold your phone up to your screen until the wave patterns synchronise.
Once you have synced you will be given the option to invite all your users to install Clef too. You can edit the email and choose which roles receive the message. If you are the only user there is no need for this step, but if there are other users, particularly those with the Administrator role, then it is a good idea: the site is only as secure as its weakest link, and even though your account is protected by Clef, someone else's weak password still leaves the site easy to break into.
Now when you log in to your site you will see the Clef wave instead of the password fields. In order to log in, launch the Clef app on your phone, enter your pin number and then hold the phone up to the screen as before.
Clef has some additional settings that are worth looking at. If you go to ‘Clef' in your admin area you can see the following option screen:
The first option, ‘Disable passwords for Clef users', removes the password login for every user who has Clef active. In other words, it is possible to run Clef alongside the regular password login, but it is better to disable passwords, otherwise the weaker route stays open to attackers. The next option gives you a drop-down where you can disable passwords based on user role.
Please note that it is unlikely you would want to force users with the ‘subscriber' role to use Clef, because subscribers have very limited access - they can only manage their profile - and this role is really just for people that want to follow your blog. For more information about roles please read the following link: https://codex.wordpress.org/Roles_and_Capabilities
For this tutorial we will set ‘Disable Passwords for Clef Users' and ‘Show Clef wave as primary login option' to ticked. The site is now protected by Clef.
If you lose your mobile phone then you can deactivate Clef. Just visit https://getclef.com/lost/ and fill in the form:
##Conclusion
Now you have completed the first part of this tutorial you will have secured your Wordpress admin area and logins against several different attack methods. Part 2 of this tutorial looks at securing the rest of your installation, such as the plugins and themes you have installed.