Securing WordPress

WordPress is a great product and reasonably secure out of the box, provided you follow some basic rules and procedures. We will attempt to describe these below.

There are many things that can affect the security of a WordPress site. We have recently experienced a hack attempt on one of our .gov.uk domains. The hack was simply to write a file to the /wp-config/ folder, which happened to be file mode 777 (world-writable). In the newest version of WordPress only one folder needs to be writable by the web server process: /wp-content/uploads/.

Fixing this vulnerability is a simple matter of setting every folder in your WordPress install to mode 755 and every file to mode 644, so that nothing is world-writable:

find [your path here] -type d -exec chmod 755 {} \;
find [your path here] -type f -exec chmod 644 {} \;

As for the /wp-content/uploads/ folder, it must stay writable by the web server process so that media uploads keep working, but that does not mean 777. If the folder is owned by the web server user, 755 is enough; otherwise put it in the web server's group and use 775. World-writable should only ever be a last resort. Whatever you choose, create an .htaccess file in that folder with the following content:

<FilesMatch "\.(php|phtml|phar|html?|js)">
  Order allow,deny
  Deny from all
</FilesMatch>

This tells Apache to refuse to serve (and therefore to execute) any uploaded file whose name contains .php, .phtml, .phar, .html/.htm or .js, so a script that an attacker manages to upload cannot be reached through the browser. The pattern is deliberately not anchored to the end of the name, so a double-extension trick such as shell.php.jpg is caught as well. The Order/Deny syntax is for Apache 2.2; on Apache 2.4 use "Require all denied" instead. Bear in mind that .htaccess files only take effect if AllowOverride permits them, and they do nothing at all on nginx.
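The whole procedure above (folders 755, files 644, uploads writable by the server but not by the world, deny rules in the uploads folder) as one script. This is an added example, not code from the original post or from WordPress. It assumes the install root is passed as the first argument and the web server's group as the second (www-data is a Debian/Ubuntu convention and is only a default); both are assumptions. The .htaccess it writes carries both the Apache 2.2 and 2.4 syntax inside IfModule blocks, so it does not cause a 500 on either version.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the permission and
# .htaccess hardening described above to a WordPress install.
# Assumptions (not stated in the post): the install root is $1 and the
# web server's group is $2 (defaults to www-data, a Debian/Ubuntu convention).
set -eu

# Directories 755, files 644: readable by the web server, writable only by
# the owner, nothing world-writable. wp-config.php holds the database
# credentials, so it is tightened further to 640.
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# The uploads folder must be writable by the web server process, but that
# does not mean 777. Hand it to the server's group and use 775/664 instead;
# world-writable is only a last resort when you cannot change ownership.
make_uploads_writable() {
    uploads="$1/wp-content/uploads"
    group="$2"
    mkdir -p "$uploads"
    chgrp -R "$group" "$uploads"
    find "$uploads" -type d -exec chmod 775 {} \;
    find "$uploads" -type f -exec chmod 664 {} \;
}

# Deny web access to script-like files under uploads. The regex is left
# unanchored on purpose so "shell.php.jpg" is caught too. IfModule selects
# the Apache 2.4 (Require) or 2.2 (Order/Deny) syntax. This only works if
# AllowOverride permits .htaccess here, and does nothing on nginx.
write_uploads_htaccess() {
    uploads="$1/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "(?i)\.(php|phtml|phar|html?|js)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
    chmod 644 "$uploads/.htaccess"
}

# List anything still world-writable (the condition the attacker in the
# post exploited). Prints nothing when the tree is clean.
audit_world_writable() {
    find "$1" -perm -002 -print
}

# Usage: sh harden-wp.sh /var/www/html www-data
if [ "$#" -ge 1 ]; then
    harden_perms "$1"
    make_uploads_writable "$1" "${2:-www-data}"
    write_uploads_htaccess "$1"
    audit_world_writable "$1"
fi
```

Run it as the owner of the WordPress files (chgrp needs you to be a member of the target group, or root). After it finishes, audit_world_writable should print nothing; anything it does print is a folder or file an attacker could drop a script into.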

Other important factors to keep your site safe and sound:

  • Keep your password secure
    WordPress's strength meter can tell you if a password looks strong, but not whether it is a dictionary word or one you already use elsewhere. Use a long mix of letters, numbers and symbols that is unique to this site.
  • Keep WordPress and its plug-ins up to date
    This may sound obvious, but as soon as a vulnerability is found in a plug-in, news spreads fast and every site running it is at risk. Most plug-in developers release a fixed version once the security hole is reported, so update promptly, and remove any plug-ins you no longer use.
  • Make sure you are hosting on a secure server
    You may have a friend down the pub who has a web server, but does he really know how to keep it secure? Find a reputable hosting company to house your website.
  • Lastly – KEEP REGULAR BACKUPS!
    It may sound obvious, but a rollback point for your site files and database, stored somewhere other than the web server itself, is the best way to recover from a hack. Test that you can actually restore from it.

More information and further tips can be found here on the WordPress website:
http://codex.wordpress.org/Hardening_WordPress

Posted in Tips and tricks, WordPress news
