I’m a big fan of WordPress. A WordPress site I run is responsible for putting food on the table for my family! And if you remember, I’m One of the 3 Most Important People in WordPress–and I have the certificate to prove it. (I’m not really; long story).
WordPress is great because it is simple and accessible for almost anyone to use. And because of that, LOTS of people use WordPress to run websites these days. Maybe you do too.
What’s less simple is keeping your WordPress installation secure from those who want to turn your site into an Adult-themed Drug Store. WordPress Security is a HUGE topic. And there is a lot you should be doing (and even more you could be doing) to keep your site secure. And if you know what those things are, this post isn’t for you.
However, if you consider yourself to be a newbie when it comes to WordPress security, read on. I’m going to walk us through one of the simplest ways to secure any WordPress site using–what I consider–the best WordPress security plugin out there!
The plugin in question is called Better WordPress Security. Its developed by Chris Wiegman of Bit51. And this free plugin is the first plugin I install on any WordPress site I work on. I kid you not.
However, setting this plugin up correctly is important. And there are many things you can do to completely bork your site. So… read along and find out how this guy (I’m using my thumbs to point at myself right now) uses this plugin to harden all my WordPress installations!
Pre-steps: Update your Installation
Update your WordPress installation and all your plugins and themes. You should be doing this anyway. While you are at it, go ahead and delete all the themes and plugins you aren’t using. You should be doing this anyway too.
Next, make sure you have your permalinks up and running (Settings -> Permalinks) and make sure you have your timezone properly set (Settings -> General).
Okay! You are ready to go!
Step 1: Install
Easy enough. Go to Plugins -> Add New. Search for “Better WP Security”. It’ll be the first option most likely. Install and Activate.
Security Bliss is just around the Corner!
Step 2: Backup Your Site
Go to Better WP Security either from the plugin page or from your menu on the left. Since version 3 the first option this plugin gives you is to backup your database. DO IT. Do it even if you are using some other backup tool–or think you are.
Always Backup Yo!
Step 3: Give Better WordPress Security God-like Powers
I know. You’re scared. You should be. But do it. You can still use this plugin without doing this, but you will have to do many of the operations manually. And since you are reading this post, chances are you don’t want to do these things manually.
Great Powers come with Great Responsibility... or something.
Step 4: Secure your Site from Basic Attacks
You’ve finally reached what will become the regular “home” page of Better WP Security, the Dashboard. Except, you are going to be prompted to “Secure your Site from Basic Attacks”. The answer is YES of course. Its easy. Just click the button. Do it.
One-click is all it takes!
Step 5: Fine Tune your System Status list
Congratulations! You’ve come a long way, in 4 easy steps. Your site is already much more secure than it was just 15 minutes ago! But there’s even more you can do (and should do) to bring your WordPress install into Security Nirvana (that doesn’t truthfully exist, but its my blog so I can say whatever I want).
Your System Status list will look something like this:
Red, Yellow, Blue and Green! I can do colors mom!
You want this list to be as green as possible. Beside each numbered Status there is a “Click here to fix” link. That’s the easy way to address these issues.
But, for the purposes of this tutorial we are going to go through Better WP Security’s menu options.
Lets use the Menu instead of the System Status list
Admin User
WordPress used to create the first user as “Admin” by default in the installation. You had no choice in the matter. This made it easy for people who wanted to access your installation because they already knew what to put in the user field. If you still have an “Admin” user, its time to change that.
If you’re not using the Admin user because you setup another Administrator on the system and always login with that other account, go to “Users” and delete the Admin user (be sure you don’t delete any posts associated with them).
If, however, you still ARE the Admin user. Lets change that here. Better WP Security makes it super easy to do so. (You will want to make sure you have backed-up of your database as well as given Better WP Security God-like Powers in Steps 2 & 3 or this won’t work.)
Admin, it was fun while it lasted.
Note: If you are / were logged in with the Admin user you will now need to logout and log back in using your new username!
Away Mode
The first thing you need to make sure you do is in your WordPress Dashboard Menu go to Settings -> General and make sure your Timezone is correctly setup. Don’t know your UTC/ GMT? Go find that here.
The basic idea with Away Mode is you don’t need to access the admin area of your website 24 hours a day. So, for instance, when you sleep, you can lock it down. I lock all my sites down between midnight and 6AM. You may want to use different hours. Whatever choice you make, remember, you can’t access your site’s Admin Dashboard at that time.
Locked Down Daily: Midnight to 6AM
Ban Users
The ability to Ban Users (via IP address) and Ban User Agents is a powerful feature. If you know who the bad actors are, you simply don’t let them access your site. Its easily one of my favorite features of this plugin (especially the Ban User Agents feature). But, as with some of these features, you should probably skip this unless you absolutely know what you are doing! After all, most of the time, you actually WANT people to get to your site!
If you’d like a list of the Users and User Agents I personally ban, email me.
Content Directory
I love this plugin, but this particular feature is bad news. Its the easiest and quickest way to bork your site. Just don’t do it. Move along people, there’s nothing to see here other than heart-ache and pain. We are talking 7th circle of hell people. Are you getting my point? Run from here. RUN!
Database Backup
If for some reason you didn’t Backup your database in Step #2, you get a second chance here. Do it. Back it up daily. Seriously.
Database Prefix
Much like the Admin user, the default for WordPress installations used to create MySQL tables with the prefix “wp_”. So your comments table would look like, “wp_comments”. Turns out, that made it easy for anyone to know exactly what your table names were in your database. Not good.
So here is where you change that. But, before you do: MAKE A BACKUP IF YOU HAVEN’T ALREADY!
Being Random is one of the Laws of Security.
Hide Backend
Note: You’ll need to have your permalinks setup in Settings -> Permalinks for this feature to work correctly.
Although this feature doesn’t bring as much pain and destruction as the “Content Directory” option above, I don’t use this on many of my sites because I have had some issues when upgrading plugins and WordPress itself. I’d skip this.
Intrusion Detection
The Intrusion Detection area attempts to block bad actors from your site if a certain criteria is met. The area has 2 sections: 404 errors (attempts to reach a webpage that doesn’t exist) and file modifications (files that have been edited in some way).
Both of these will be turned on by default if you’ve followed along on this tutorial. However, for my real estate site I have really scaled down the 404 detection. Why? I literally have 1000s of 404s on my real estate site from my indexible IDX (houses that were for sale, googlebot indexed, and are now sold and not listed on my site anymore). Googlebot comes and checks those listings out every day and was regularly getting blocked from my site.
Obviously not what I am going for. So I’ve decreased the Check Period and increased the Error Threshold. For 99.9% of you I’m guessing you won’t have to do that. Unless you have a real estate site too.
As well, under the File Change detection, I exclude many directories under my wp-content directory. In particular my caching plugin’s cache folder and my uploads folder. I know that’s me and not some bot inserting malware. I don’t need to hear about it.
Login Limits
Everyone knows where to login to WordPress (although you can change that default with this plugin, see above “Hide Backend”). And its been demonstrated many times that WordPress isn’t immune to Brute Force attacks. That’s where login limits come in!
My typical password looks something like this: ]64Ysv<LQ84bnHXZGe. I’m not typing that in. I copy and paste it in. Its going to be right the first time every time. I setup this page accordingly. I’ve got one chance to login or I’m locked out. You should setup these options in a way that works and makes sense for you.
SSL
If your server / host supports Secure Socket Layers this option is a no-brainer. If it doesn’t, then move along. Nothing else to see here!
System Tweaks
Another name for this option could be, “everything else”. Haha. But lots of great stuff in here. However, many of these options could cause problems else where, so make sure you test. Here’s how I setup my sites.
Server Tweaks
Using .htaccess to protect files and directories
Header Tweaks
You’ll probably know if you are needing Really Simple Discovery for your site.
Header what?
Dashboard & Password Tweaks
All pretty straight forward. You shouldn’t be letting people register on your site anyway unless there is a particular reason to do so.
Crazy long passwords.
Other Tweaks
The miscellaneous section of the miscellaneous section. So random its probably illegal in the South. But some important stuff in here!
One note, on my none real estate sites–or on sites I don’t use special URLs for Google Analytics tracking–I have the “Prevent Long URL” box checked. Like on this site.
Wow. That's a long Screenshot.
Step 6: Troubleshoot
If you run into issues–and you might–head on over to the plugin’s forum and ask your questions. One of the reasons I love this plugin is because the author is very engaged with it.
That’s it! Go get a beer! We are all done here!
Think I missed something important? Let me know about it in the comments.
Great writeup Seth! Mind if I add a link to this on the Better WP Security page?
Thanks Chris! Did I miss anything? And of course I would love for you to link to this post! Haha! 😉
Looks like you’ve got it all to me. I’ll add it as another explanation after the video on the page sites.
[…] http://www.sethneal.com/blog/the-zen-of-wordpress-security/ Share this:ShareTwitterFacebookStumbleUponDiggRedditLike this:LikeBe the first to like this. […]