October 8, 2013

Top 5 Quick & Easy WordPress Security Tips

Since its introduction in 2003, WordPress has become the most commonly used CMS for building websites, accounting for over 15% of all websites on the internet. That popularity cuts both ways: a single vulnerability in core, a popular plugin or a theme can be exploited across a huge number of sites at once, so attackers scan for WordPress installs automatically and on a massive scale.

Keeping up to date with the latest version of WordPress, your theme and your installed plugins is the single most important step in limiting vulnerabilities on your website, but there are a few more precautions you can take that will let you sleep easier. Taking a proactive approach to your website’s security can save a lot of headache and heartbreak in the long term. Let’s take a look at a few fairly simple but effective ways to increase the security of your WordPress website.

1. Change the wp-content folder

/wp-content is the default directory where WordPress stores everything specific to your site: your theme, plugins, uploaded media and so on. Basically everything that makes your website your website. Protecting the files within wp-content should be a top priority, since that is where the code most likely to introduce vulnerabilities (plugins and themes) lives, and a scanner that knows the path can probe for a vulnerable plugin with a single request.

Luckily, changing the name from wp-content is a quick and simple process. Be clear about what it buys you, though: it is obscurity, not protection. A vulnerable plugin is exactly as vulnerable at the new path, but the automated scanners that request hard-coded /wp-content/plugins/... paths will get a 404 and, with luck, move on to the next site. Let’s take a look:

It is easiest to make this change before populating your website with content. If you’re making the change on a populated site, back up the current wp-content folder before beginning, and be aware that media URLs already stored in existing posts will still point at the old path.

Find your wp-config.php file. It should be located in the root directory of your WordPress install. It is a best practice to make a back-up of this file before doing any editing, in case something goes wrong.

We will be adding the following lines to the file, right above the comment /* That’s all, stop editing! Happy blogging. */

/*Define the New wp-content folder*/
define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/new-wp-content' );
define( 'WP_CONTENT_URL', 'http://your-domain.com/domain-directory/new-wp-content' );

Now, assuming that you’ve already renamed the folder on disk to match (or created the new one and moved the contents across), your website should be using the files within the new folder. Two things to check: WP_CONTENT_URL must be the full URL of the new directory, with the same scheme and host the site is served from and no trailing slash, and a request for the old path (http://your-domain.com/domain-directory/wp-content/) should now return a 404. We like to name it something entirely different, without the “wp” prefix, so as to help hide the fact that you’re working with a WordPress environment. Bear in mind that wp-login.php, wp-admin/ and wp-includes/ stay where they are and still give the platform away, and that a badly written plugin that hard-codes the wp-content path will break after the move.

You can read more about changing the wp-content folder on the WordPress Codex.

2. Change the plugins folder

Another proactive step is to change the name of the ‘plugins’ folder, since /wp-content/plugins/<name>/ is exactly the path a scanner requests to test whether a known-vulnerable plugin is installed. Again, this is obscurity rather than a fix, but it is cheap, throws off the automated probes, and is well worth the couple of minutes it takes to put in place.

/*Define the New Plugins Folder*/
define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/your-wp-content/new-plugins-folder' );
define( 'WP_PLUGIN_URL', 'http://your-domain.com/your-wp-content/new-plugins-folder' );

The above is very similar to the code that we used to move the wp-content folder. Add it right underneath that code, still above the “stop editing” comment in wp-config.php, and make the first path segment match the wp-content name you chose in step 1. Changing the plugins folder can cause compatibility issues with some older plugins that work out their own location from the deprecated PLUGINDIR constant rather than from WP_PLUGIN_DIR.

If you experience such issues, also set PLUGINDIR to the full local path of the directory (no trailing slash):

define( 'PLUGINDIR', dirname(__FILE__) . '/your-wp-content/new-plugins-folder' );

Remember, it never hurts to make a back-up of the files you intend to change.

3. Disable the theme and plugins editor

Although WordPress allows you to edit theme and plugin files from the dashboard by default, these file editors cause more problems than they solve. When your work is done and you hand the site over to a client who thinks they’re a WordPress pro because they’ve uploaded a few blog posts, a single typo in functions.php can take the entire site offline. Worse, if an attacker gains access to an administrator account, the file editor is the first place they’ll go to turn dashboard access into arbitrary PHP execution: from there they can run scripts, read the database credentials in wp-config.php, email all your users and more. So this 5 minute fix might be the best security investment you make for your website.

It is best to disable the file editors right away and work through an SFTP client (plain FTP sends your credentials over the network in the clear), or at the very least disable the editors once the site is complete and no editing needs to be done in the immediate future. Luckily, disabling this feature is a quick and simple fix. Here’s how:

Open up the wp-config.php file (located by default within the root folder of your WordPress install) and add the following line above the “stop editing” comment:

	define( 'DISALLOW_FILE_EDIT', true );

That’s it. If you refresh your admin page, the Theme Editor and Plugin Editor entries should be gone from the Appearance and Plugins menus. Note that this does not stop an administrator from installing a plugin or theme by uploading a zip file, which is another route to running arbitrary code; if you also want to block installs and updates from the dashboard, set DISALLOW_FILE_MODS to true instead (it implies DISALLOW_FILE_EDIT) and do your updates over SFTP.

4. Removing the ‘admin’ user

Removing the ‘admin’ user is one of the cheapest improvements you can make. Because the average WordPress user never changes it, attackers can assume that a large share of WordPress sites still have the default user ‘admin’ with user ID ‘1’, and automated brute-force attempts against wp-login.php almost always try that name first; a login name the attacker can’t guess forces them to get two things right instead of one. If you’re still using ‘admin’, fix it by creating a new administrator and deleting the old one. To avoid the problem in the future, choose a unique user name when you run the installer. Treat this as raising the cost rather than hiding the account: WordPress still exposes user names through author archives (/?author=1, /?author=2, ...), which redirect to /author/<nicename>/, so pick a strong password regardless.

In order to eliminate the existing ‘admin’ user, follow the steps below:

  • Log in to the site and go to Users -> Add New
  • Add a new user with the ‘Administrator’ role, using a strong, unique password
  • Log out of the site and log back in with the new user you just created
  • Navigate to Users -> All Users, hover over ‘admin’ and click Delete
  • When WordPress asks what to do with the content owned by ‘admin’, choose “Attribute all content to” and select the new user; if you choose “Delete all content” instead, every post and page authored by ‘admin’ is removed with it

Using phpMyAdmin to Change the User Name

Alternatively, if you’re feeling a little more ambitious, this process can be taken care of even quicker if you have access to the server and are comfortable making changes to the databases stored within phpMyAdmin.

As always, it would be a particularly good idea to make a database backup right about now.

Ok, let’s get started. If you’ve got more than one website hosted on the server, chances are you’ll have a number of databases to choose from in the left-hand menu. If you’re unsure which database belongs to the WordPress site you’re editing, check the DB_NAME value in that install’s wp-config.php or look it up under ‘MySQL Databases’ in your hosting control panel. Once you’ve selected the correct database, locate the wp_users table (assuming you’re using the wp_ prefix; the actual prefix is the $table_prefix value in wp-config.php). You’ll see a list of all the users, their IDs, email addresses, etc.

Locate the user you’d like to change and click “Edit”. Once the row is loaded, change the ‘user_login’ column to the new user name and click ‘Go’ at the bottom. Two other columns are worth a look while you’re here. ‘user_nicename’ is the slug used in author archive URLs (/author/<user_nicename>/), and a request for /?author=1 redirects there; WordPress sets it from the login name when an account is created, so for accounts created through the dashboard it reveals the login. If you change it, pick something other than the new login. ‘display_name’ is printed on every post and should not match the login either. Because the user ID is unchanged, all posts stay attached to the account and nothing needs to be re-assigned.

That’s it. Go back to your site’s login page and log in with your new user name.
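As an added example that is not part of the original article, here is the same rename done as SQL, using an in-memory SQLite table as a stand-in for the MySQL wp_users table (the column names are WordPress’s; the rows and the new names are constructed for the example). It demonstrates the two points above: the UPDATE keeps the ID, so posts stay attached, and user_nicename and display_name are separate columns that must be chosen so they don’t give the new login away. The sanitize_nicename helper is an approximation of WordPress’s slug rule, not WordPress’s own code.

```python
"""Rename the default 'admin' account in the users table (added example).

Constructed data: an in-memory SQLite stand-in for the MySQL wp_users table.
The UPDATE is what you would run against MySQL after backing up the database.
"""
import re
import sqlite3


def sanitize_nicename(login):
    """Approximation of the slug WordPress derives from a login: lowercase,
    with runs of anything but a-z0-9 collapsed to a single hyphen."""
    return re.sub(r"[^a-z0-9]+", "-", login.lower()).strip("-")


def sample_users_table():
    """Constructed wp_users table: the default install's 'admin' is ID 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users ("
        " ID INTEGER PRIMARY KEY, user_login TEXT UNIQUE,"
        " user_nicename TEXT, display_name TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_users VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin", "admin"), (2, "editor", "editor", "Site Editor")],
    )
    conn.commit()
    return conn


def rename_user(conn, old_login, new_login, nicename, display_name):
    """Rename an account in place. The ID is untouched, so posts authored by
    it stay attached and nothing has to be re-assigned. Returns rows changed."""
    # Refuse a nicename or display name that would leak the new login through
    # the author archive URL or the byline on every post.
    if nicename == sanitize_nicename(new_login) or display_name == new_login:
        raise ValueError("nicename/display_name would reveal the login")
    cur = conn.execute(
        "UPDATE wp_users SET user_login = ?, user_nicename = ?, display_name = ?"
        " WHERE user_login = ?",
        (new_login, nicename, display_name, old_login),
    )
    conn.commit()
    return cur.rowcount


def author_slug(conn, user_id):
    """The slug /?author=<ID> redirects to: user_nicename, not user_login."""
    row = conn.execute(
        "SELECT user_nicename FROM wp_users WHERE ID = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


def login_exposed(conn, user_id):
    """True when the author archive slug or the display name gives the login away."""
    row = conn.execute(
        "SELECT user_login, user_nicename, display_name FROM wp_users WHERE ID = ?",
        (user_id,),
    ).fetchone()
    if row is None:
        return False
    login, nicename, display = row
    return nicename == sanitize_nicename(login) or display == login


if __name__ == "__main__":
    db = sample_users_table()
    print("before:", author_slug(db, 1), "exposed:", login_exposed(db, 1))
    rename_user(db, "admin", "k7-site-owner", "site-news", "Editorial Team")
    print("after: ", author_slug(db, 1), "exposed:", login_exposed(db, 1))
```

Against a real install the same UPDATE runs in phpMyAdmin’s SQL tab (with your table prefix), after the database backup the section above recommends.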

5. Disable PHP execution in specific WordPress directories

Attackers who get write access to your site (through a vulnerable upload form, a compromised plugin or stolen FTP credentials) usually leave a “backdoor”: a PHP file, often named to look like a WordPress core file, dropped into a directory the web server will happily execute from. wp-content/uploads/ is the favourite because it has to be writable by the web server, and wp-includes/ is another common hiding place because few people look there. Neither directory needs to serve PHP directly to visitors, so we can tell the web server to refuse such requests, which turns an uploaded backdoor into an inert file. Here’s what we need to do:

Open up your text editor of choice, create a blank document titled .htaccess and paste the following into it:

	<Files *.php>
		deny from all
	</Files>

Save the file and upload it to your wp-content/uploads/ directory (or wherever you moved wp-content to in step 1) and to your wp-includes/ directory.

This tells Apache to refuse any direct request for a .php file in that directory, so a backdoor dropped there can’t be executed by visiting its URL. A few caveats: the directive only takes effect if the server is Apache with AllowOverride enabled for that path (on nginx you need an equivalent location block in the server configuration); on Apache 2.4 the old deny from all syntax needs mod_access_compat, and the native form is Require all denied; if your PHP handler also executes .phtml or .php5 files, widen the pattern with <FilesMatch "\.(php|phtml|php[0-9])$">; and on Multisite, blocking wp-includes/ breaks ms-files.php, which serves uploaded images. Finally, this blocks direct requests only: a backdoor that is include()d by an already vulnerable plugin still runs, so it complements keeping plugins up to date rather than replacing it.
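To check that the steps in tips 1, 2, 3 and 5 are actually in place on an install, here is an added example (not code from the article or from WordPress) of a small audit script. It parses the define() lines in wp-config.php, works out where the content and plugin directories were moved to, and checks that the .htaccess in the uploads and wp-includes directories contains a PHP deny rule in either the Apache 2.2 or the 2.4 form. It builds two constructed, throw-away installs in a temp directory, one default and one hardened, so it runs offline; point audit() at a real site root to use it for real. The directory names in the hardened sample are made up for the example.

```python
"""Audit a WordPress install for the hardening steps in this article (added example).

Constructed data: build_sample_install() writes a minimal fake install into a
temp directory. audit() itself works on any real site root.
"""
import os
import re
import tempfile

# define( 'NAME', <value> ); with single or double quotes around the name.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.*?)\s*\)\s*;""")
# A <Files *.php> or <FilesMatch "\.php$"> block that denies access,
# in Apache 2.2 (deny from all) or 2.4 (Require all denied) syntax.
PHP_DENY_RE = re.compile(
    r"<Files(?:Match)?\s+[^>]*php[^>]*>.*?"
    r"(?:deny\s+from\s+all|Require\s+all\s+denied).*?</Files(?:Match)?>",
    re.IGNORECASE | re.DOTALL,
)


def parse_defines(config_text):
    """Return {NAME: raw value expression} for every define() in wp-config.php."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}


def last_literal(expr, default):
    """Pull the trailing quoted path out of dirname(__FILE__) . '/x'; else default."""
    found = re.findall(r"""['"]([^'"]*)['"]""", expr)
    return found[-1].lstrip("/") if found else default


def audit(root):
    """Return human-readable findings; an empty list means every step is in place."""
    findings = []
    with open(os.path.join(root, "wp-config.php"), encoding="utf-8") as fh:
        defines = parse_defines(fh.read())

    # Tips 1 and 2: content and plugin directories moved away from their defaults.
    content_dir = last_literal(defines.get("WP_CONTENT_DIR", ""), "wp-content")
    if content_dir == "wp-content":
        findings.append("wp-content directory still at default location")
    plugin_dir = last_literal(defines.get("WP_PLUGIN_DIR", ""), content_dir + "/plugins")
    if plugin_dir.endswith("/plugins"):
        findings.append("plugins directory still named 'plugins'")

    # Tip 3: built-in theme/plugin file editor disabled.
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")

    # Tip 5: direct PHP execution blocked in uploads and wp-includes.
    for rel in (os.path.join(content_dir, "uploads"), "wp-includes"):
        htaccess = os.path.join(root, rel, ".htaccess")
        try:
            with open(htaccess, encoding="utf-8") as fh:
                ok = PHP_DENY_RE.search(fh.read()) is not None
        except FileNotFoundError:
            ok = False
        if not ok:
            findings.append(f"no PHP deny rule in {rel}/.htaccess")
    return findings


def build_sample_install(hardened):
    """Write a constructed, minimal WordPress tree into a temp dir; return its path.
    The 'site-files' / 'extensions' names are invented for the example."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    if hardened:
        content, plugins = "site-files", "site-files/extensions"
        config = (
            "<?php\n"
            f"define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/{content}' );\n"
            f"define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/{plugins}' );\n"
            "define( 'DISALLOW_FILE_EDIT', true );\n"
        )
        htaccess = '<FilesMatch "\\.php$">\n    Require all denied\n</FilesMatch>\n'
    else:
        content = "wp-content"
        config = "<?php\ndefine( 'DB_NAME', 'wordpress' );\n"
        htaccess = None
    for rel in (os.path.join(content, "uploads"), "wp-includes"):
        os.makedirs(os.path.join(root, rel))
        if htaccess:
            with open(os.path.join(root, rel, ".htaccess"), "w", encoding="utf-8") as fh:
                fh.write(htaccess)
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write(config)
    return root


if __name__ == "__main__":
    for hardened in (False, True):
        label = "hardened" if hardened else "default"
        print(f"{label} install:", audit(build_sample_install(hardened)) or "no findings")
```

The script only reads wp-config.php and the two .htaccess files, so it is safe to run against a live site; it does not confirm that the renamed directories exist on disk or that Apache honours .htaccess for that path, which is why the curl check against the old URL from step 1 is still worth doing.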

Note: this article is the first of a series in WordPress security. We’ll be updating our blog with more articles in this series soon.


Dylan Dunlop

When he isn’t honing in on his coding skills, Dylan’s either mastering various styles of guitar playing or bird watching.