April 21, 2015

Best Practices for Securing WordPress

WordPress is one of the easier-to-use and more popular CMSs available. Unfortunately, that popularity also makes it one of the most frequently targeted pieces of software. That’s the bad news. The good news? There are recommendations for securing WordPress that, if followed, will mitigate the risk of a compromise.

First and foremost, ALWAYS keep your software up to date. This includes plugins, themes, and the core software itself. That alone can be enough to deter an attacker. If there’s an update, apply it.

Other recommendations include:

    • Lock down WordPress Admin to trusted IP addresses. Better yet, use Duo two-factor authentication. You’ll need to install a plugin in WordPress and set up an account with Duo, but it is worth it. Either of these will greatly reduce the risk of a brute-force attack.
    • Relatedly, use strong passwords and do not reuse passwords. Can’t remember your strong password? Use a password manager such as LastPass to remember it for you.
    • Remove old users. If a user isn’t active, delete the user and attribute their posts to another user.
    • Remove unused plugins, themes, and backups. Keeping any of these in a web-accessible folder is generally a bad idea. If you’re not using it, delete it.
    • Disable XML-RPC and pingbacks. For more information, see our blog post on the subject.
    • Rename the default “admin” user. Every WordPress installation ships with a default username that everyone knows; with half of the credentials already in hand, an attacker only has to brute-force the password (unless you’ve locked down WordPress admin as described above).
    • Use plugins such as Sucuri to regularly check your WordPress core files for malicious injections.
    • Don’t set directories and files to world-writable. It can be trivial for an attacker to upload to such directories. To check for world-writable files, run the following on your server (Linux only) and change those files to 644 (the -perm -o=w test matches any file whose “other” write bit is set, not only mode 0777):
find /path/to/your/site -not -name "*.log" -type f -perm -o=w
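As an added example, not part of the original post, here is a small shell audit that generalizes the one-liner above: it reports and counts every world-writable file or directory under the site root (log files excluded, as above), and can tighten files to 644 and directories to 755. The script name and `/path/to/your/site` are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress document root
# for world-writable files and directories, then tighten them.
# "/path/to/your/site" is a placeholder for the real site root.

# List every world-writable file or directory under the site root with its
# current mode. Log files are skipped, as in the post's one-liner.
report_world_writable() {
    find "$1" -not -name "*.log" \( -type f -o -type d \) -perm -o=w -exec ls -ld {} +
}

# Return the number of world-writable files and directories (logs excluded)
# so the result can be checked from a script or a monitoring job.
count_world_writable() {
    find "$1" -not -name "*.log" \( -type f -o -type d \) -perm -o=w -print \
        | wc -l | tr -d ' '
}

# Tighten permissions: files to 644 and directories to 755, touching only the
# entries that are currently world-writable so nothing else is changed.
fix_world_writable() {
    find "$1" -not -name "*.log" -type f -perm -o=w -exec chmod 644 {} +
    find "$1" -not -name "*.log" -type d -perm -o=w -exec chmod 755 {} +
}

# Usage: ./wp-perm-audit.sh /path/to/your/site [--fix]
if [ $# -gt 0 ]; then
    site="$1"
    echo "World-writable entries under $site: $(count_world_writable "$site")"
    report_world_writable "$site"
    if [ "$2" = "--fix" ]; then
        fix_world_writable "$site"
        echo "After fix: $(count_world_writable "$site")"
    fi
fi
```

Run it without `--fix` first to review what would change; wp-content/uploads in particular must stay writable by the web server's own user, which 755 owned by that user still allows.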
