Since its introduction in 2003, WordPress has become the most commonly used CMS for building websites, accounting for over 15% of all websites on the internet. However, the widespread use of WordPress has also made it an easy target for mischievous hackers looking to exploit security vulnerabilities for their own agendas.
Keeping up to date with the latest version of WordPress, your theme and your installed plugins is a good start at limiting vulnerabilities on your website, but there are a few more precautions you can take that will allow you to sleep easy. Taking a proactive approach to your website’s security can save a lot of headache and heartbreak in the long term. Let’s take a look at a couple of fairly simple but effective ways to increase the security of your WordPress website.
/wp-content is the default directory where WordPress stores files that relate specifically to your website’s customization. Inside you’ll find your theme, plugins, media, etc. Basically, everything that makes your website your website. Protecting the files within wp-content should be a top priority, since that’s where a large number of potential security vulnerabilities reside.
Luckily, renaming the wp-content folder is a quick and simple process. Although it does not guarantee the security of this folder, it is a good starting point and will hopefully be enough to make any threats pass by your website and on to the next one. Let’s take a look:
It is easiest and perhaps best to perform this change before populating your website with content, but if you’re making the change from a populated website, be sure to make a back-up of the current wp-content folder before beginning.
Find your wp-config.php file. It should be located in the root directory of your WordPress install. It is a best practice to make a back-up of this file before doing any editing, in case something goes wrong.
We will be adding the following lines to the bottom of the file, right above the comment /* That's all, stop editing! Happy blogging. */
/* Define the new wp-content folder */
define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/new-wp-content' );
define( 'WP_CONTENT_URL', 'http://your-domain.com/domain-directory/new-wp-content' );
Now, assuming that you’ve already created the new wp-content folder, your website should be using the files within your new folder. We like to name it something entirely different, without the “wp” prefix, so as to help hide the fact that you’re working with a WordPress environment.
You can read more about changing the wp-content folder on the WordPress Codex.
Another proactive step in securing your website is to change the name of the ‘plugins’ folder. Again, this is a simple step that can throw off some of the potential threats enough to pass by your website. It is well worth the couple of minutes it may take to institute this on your website.
/* Define the new plugins folder */
define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/your-wp-content/new-plugins-folder' );
define( 'WP_PLUGIN_URL', 'http://your-domain.com/your-wp-content/new-plugins-folder' );
The above is very similar to the code that we used to move the wp-content folder. You can add this right underneath the code we just added, at the bottom of the wp-config.php file. In some cases, changing the plugins folder can cause compatibility issues for some plugins you may have already installed.
If you experience such issues, try setting the PLUGINDIR to the full local path of the directory (no trailing slash):
define( 'PLUGINDIR', dirname(__FILE__) . '/your-wp-content/new-plugins-folder' );
Remember, it never hurts to make a back-up of the files you intend to change.
Although WordPress allows you to make edits to theme files and plugin files through the backend by default, it is not uncommon for these file editors to cause problems for a website. More specifically, when your work is done and you hand the site over to a client who thinks they’re a WordPress pro because they’ve uploaded a few blog posts, the fact remains that a simple typo in functions.php can take the entire site offline. On the other hand, if a hacker does somehow gain access to the backend of your website, the file editor is probably the first place they are going to visit to gain even greater control. They could have the ability to run scripts, access your databases, email all users and more. So performing this 5-minute fix might be the best security investment you make for your website.
It is best to disable the file editors right away and work through an SFTP or FTP client, or at the very least disable the editors once the site is complete and no editing needs to be done in the immediate future. Luckily, disabling this feature is a quick and simple fix. Here’s how:
Open up the wp-config.php file (located by default within the root folder of your WordPress install) and add the following line of code:
define( 'DISALLOW_FILE_EDIT', true );
That’s it. If you refresh your admin page, you should no longer have the ability to edit theme and plugin files directly from the backend.
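As an added example that is not part of the original article, the following POSIX shell script audits a wp-config.php for the three constants covered in the sections above (WP_CONTENT_DIR, WP_PLUGIN_DIR and DISALLOW_FILE_EDIT) and reports which hardening steps are still missing. The sample wp-config.php it writes to a temporary directory is constructed for the demonstration, and the parsing assumes one define() per line, as in the snippets above.

```shell
#!/bin/sh
# Added audit script (not from the article): report which wp-config.php hardening
# constants from the sections above are in place. Assumes one define() per line.

# Print the value of a define()d constant from a wp-config.php, or nothing if absent.
wp_define_value() {                         # $1 = path to wp-config.php, $2 = constant
  grep -E "^[[:space:]]*define\([[:space:]]*['\"]$2['\"]" "$1" | head -n 1 \
    | sed -E "s/^[^,]*,[[:space:]]*//; s/[[:space:]]*\);.*$//"
}

# 0 if the theme/plugin file editors are switched off (DISALLOW_FILE_EDIT set to true).
file_edit_disabled() {
  [ "$(wp_define_value "$1" DISALLOW_FILE_EDIT)" = "true" ]
}

# 0 if WP_CONTENT_DIR is defined and does not still end in the default /wp-content.
content_dir_relocated() {
  v=$(wp_define_value "$1" WP_CONTENT_DIR)
  [ -n "$v" ] && ! printf '%s\n' "$v" | grep -q "/wp-content'[[:space:]]*$"
}

# 0 if WP_PLUGIN_DIR is defined and does not still end in the default /plugins.
plugin_dir_relocated() {
  v=$(wp_define_value "$1" WP_PLUGIN_DIR)
  [ -n "$v" ] && ! printf '%s\n' "$v" | grep -q "/plugins'[[:space:]]*$"
}

# Print PASS/FAIL per check; the return value is the number of failed checks.
audit_wp_config() {                         # $1 = path to wp-config.php
  fails=0
  for check in file_edit_disabled content_dir_relocated plugin_dir_relocated; do
    if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; fails=$((fails + 1)); fi
  done
  return "$fails"
}

# Constructed sample: wp-content moved and editors disabled, but plugins left in place.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
/* Define the new wp-content folder */
define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/site-assets' );
define( 'WP_CONTENT_URL', 'http://your-domain.com/site-assets' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy blogging. */
EOF
audit_wp_config "$SAMPLE_DIR/wp-config.php" || echo "$? check(s) failed"
```

Point the script at a real install by replacing the constructed path with your own wp-config.php; a non-zero exit status means at least one of the three steps has not been applied.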
Removing the admin user is a great step in increasing the security of your website. Since the average WordPress user probably doesn’t do this, hackers can assume that a large portion of WordPress websites are running with the default user ‘admin’, which uses the user ID ‘1’. If you’re still using the ‘admin’ user, it is best to amend this by creating a new user. To avoid this problem in the future, you should create a unique user name when configuring the install.
In order to eliminate the existing ‘admin’ user, follow the steps below:
Alternatively, if you’re feeling a little more ambitious, this process can be taken care of even more quickly if you have access to the server and are comfortable making changes to the databases stored within phpMyAdmin.
As always, it would be a particularly good idea to make a database backup right about now.
OK, let’s get started. If you’ve got more than one website being hosted on the server, chances are that you’ll have a number of databases to choose from in the left-hand menu. If you’re unsure which database belongs to the WordPress site you’re editing, you can find out by looking in the wp-config.php file of the WordPress install or by locating it within ‘MySQL Databases’. Once you’ve selected the correct database, locate the wp_users table (assuming you’re using the wp_ prefix). You’ll see a list of all the users, IDs, email addresses, etc.
You’ll need to locate the user name you’d like to change and click “edit”. Once the details of that user are loaded, look for the ‘user_login’ column, enter the new user name you’d like to use and click ‘Go’ at the bottom.
That’s it. Go back to your site’s login page and log in with your new user name.
Attempts to gain access to your site are often made through “backdoors”, which are typically created by files disguised as WordPress core files within your wp-includes/ or wp-content/uploads/ directories. In order to prevent any backdoor attempts from being successful, we will disable the ability for .php files to be executed within those specific directories. Here’s what we need to do:
Open up your text editor of choice, create a blank document titled .htaccess, and paste the following code into that file:
<Files *.php>
deny from all
</Files>
Save the file and upload it to your wp-content/uploads/ directory and also your wp-includes directory.
This file tells the web server to deny all requests for .php files within the directory, preventing any potential backdoor files from being executed on your site.
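As an added example that is not part of the original article, this shell script checks whether a directory carries the PHP-blocking .htaccess rule above and lists any .php files already sitting inside it, which in wp-content/uploads is itself a warning sign worth investigating. The directory tree it creates is constructed for the demonstration and assumes the default wp-content and wp-includes folder names.

```shell
#!/bin/sh
# Added check script (not from the article): verify the PHP-blocking .htaccess rule is
# present and list any .php files already inside the protected directories.

# 0 if $1/.htaccess has a <Files *.php> block that denies access, using either the
# "deny from all" form shown above or the Apache 2.4 equivalent "Require all denied".
php_blocked_in() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  sed -n '/<Files \*\.php>/,/<\/Files>/p' "$f" | grep -qiE 'deny from all|Require all denied'
}

# Print every .php file below $1 (any letter case), one per line, sorted.
# A .php file under wp-content/uploads should not exist at all and deserves a look.
php_files_in() {
  find "$1" -type f -iname '*.php' | sort
}

# Report on the two directories the article protects; return how many lack the rule.
audit_php_exec() {                          # $1 = WordPress root directory
  unprotected=0
  for d in "$1/wp-content/uploads" "$1/wp-includes"; do
    if php_blocked_in "$d"; then echo "OK   $d"; else echo "OPEN $d"; unprotected=$((unprotected + 1)); fi
    php_files_in "$d" | sed 's/^/    php file: /'
  done
  return "$unprotected"
}

# Constructed sample tree: uploads/ has the rule, wp-includes/ does not, and a stray
# (empty, constructed) .php file named like a core file sits in uploads/ where only media belongs.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/wp-content/uploads/2013/05" "$SAMPLE_ROOT/wp-includes"
printf '<Files *.php>\ndeny from all\n</Files>\n' > "$SAMPLE_ROOT/wp-content/uploads/.htaccess"
: > "$SAMPLE_ROOT/wp-content/uploads/2013/05/wp-load.php"
audit_php_exec "$SAMPLE_ROOT" || echo "$? director(y/ies) still allow .php execution"
```

The rule only takes effect where Apache is configured to honor .htaccess files, so after uploading it, request a .php file in that directory in your browser and confirm you receive a 403 rather than the file running.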
Note: this article is the first of a series in WordPress security. We’ll be updating our blog with more articles in this series soon.