How to Install WordPress Securely


Many WordPress users are looking for the easiest way to install and set up WordPress. It can be as easy as clicking a button, if your web host provides that option, but if that one-click install leaves the site vulnerable to attack, the ease of setting it up quickly fades.

Here are a few steps we can take to tighten up the security of our WordPress websites.

Always, Always, Always Upgrade to the Latest Version

WordPress’ popularity makes it a big target for attackers. At the same time, that popularity means security fixes ship often, and the latest release is the one that carries them all. Upgrade WordPress, along with your plugins and themes, as soon as a new version comes out.

Install WordPress to a Subdirectory

Since WordPress installs are so common, the default names of its files, folders and database tables are well known. One way to make your install differ from the one next door is to put WordPress in a subdirectory off your root directory. The subdirectory name then stays out of the URLs of your pages. Note that it still appears in the URLs of the admin area and of theme and plugin assets, so this is obscurity rather than a real barrier, but it does sidestep scanners that blindly request /wp-login.php or /wp-admin/ at the root.

After installing WordPress to the subdirectory, set the WordPress Address (URL) to the subdirectory and the Site Address (URL) to the root in Settings > General. Then copy (do not move) index.php, and .htaccess if you use permalinks, from the subdirectory to the root directory, and edit the copied index.php so that its require line loads wp-blog-header.php from inside the subdirectory. This keeps your root directory clean, and the subdirectory name will not be used in the URLs for your site’s pages.
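The procedure above, scripted as an added example (it is not code from the original post or from WordPress). It assumes WordPress was unpacked into a subdirectory under the document root, that the stock index.php has a require line ending in '/wp-blog-header.php', and that wp-config.php starts with the usual <?php line; the paths and the example.com URLs are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress itself.
# Automates the "Giving WordPress Its Own Directory" steps for an install that
# lives in DOCROOT/SUBDIR: copy index.php (and .htaccess) to DOCROOT, point the
# copied index.php at the subdirectory, and pin the two URLs in wp-config.php.
# Assumed layout: stock index.php whose require line ends in '/wp-blog-header.php',
# and a wp-config.php whose first line is '<?php'.
set -eu

# relocate_index DOCROOT SUBDIR
# Copies (never moves) index.php up one level and rewrites its require path so
# that it loads DOCROOT/SUBDIR/wp-blog-header.php. The original stays in place.
relocate_index() {
    docroot=$1 subdir=$2
    src="$docroot/$subdir/index.php"
    [ -f "$src" ] || { echo "no index.php in $docroot/$subdir" >&2; return 1; }

    # Handles both require('./wp-blog-header.php') and
    # require( dirname( __FILE__ ) . '/wp-blog-header.php' ).
    sed "s#/wp-blog-header\\.php#/$subdir/wp-blog-header.php#" "$src" > "$docroot/index.php"

    # Permalink rewrite rules must live in the document root as well.
    if [ -f "$docroot/$subdir/.htaccess" ]; then
        cp "$docroot/$subdir/.htaccess" "$docroot/.htaccess"
    fi
    grep -q "/$subdir/wp-blog-header.php" "$docroot/index.php"
}

# pin_urls WP_CONFIG HOME_URL SITE_URL
# Same effect as Site Address / WordPress Address in Settings > General, but
# fixed in wp-config.php. The defines go right after the opening <?php line so
# they are set before wp-settings.php loads.
pin_urls() {
    cfg=$1 home=$2 siteurl=$3
    grep -q "WP_SITEURL" "$cfg" && return 0      # already pinned, nothing to do
    {
        head -n 1 "$cfg"
        printf "define('WP_HOME', '%s');\n"    "$home"
        printf "define('WP_SITEURL', '%s');\n" "$siteurl"
        tail -n +2 "$cfg"
    } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Stand-alone usage: sh own-directory.sh /var/www/html blog http://example.com
if [ $# -eq 3 ]; then
    relocate_index "$1" "$2"
    pin_urls "$1/$2/wp-config.php" "$3" "$3/$2"
fi
```

After running it, log in again at the subdirectory’s wp-login.php and re-save your permalink settings so the rewrite rules in the root .htaccess are regenerated for the new layout.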

Use Obscure Database Name and Table Names

The other way to make things less obvious is to name your database something besides wordpress or wp. Call it sometopic_wp, wp_somenumbers, or something more obscure. Along the same lines, give your database tables a prefix other than wp_. Try wp_numChars or wpnumChars, using only letters, digits and underscores, which are the only characters WordPress accepts in a prefix. Keep in mind that this only defeats attacks that hard-code the wp_ prefix; an attacker who can already run arbitrary SQL can look up the real table names.

If you are using a self-installer, you will be prompted for this information. Plug in your obscure names.

If you are not using a self-installer, set these parameters inside the wp-config.php file.

The database name is set by the DB_NAME define, and the table prefix by the $table_prefix variable, which defaults to wp_. Change both to the obscure names you chose.

Use Obscure Database User Name

In keeping with the security through obscurity idea, use an obscure database user name, too. A unique combination of letters and numbers hides the obvious. More important than the name, though, is that this user has a strong password and is granted privileges only on the WordPress database, not on every database on the server.
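The wp-config.php edits for the database name, the table prefix and the database user, as an added example (not code from the original post or from WordPress). It assumes the stock wp-config.php layout with define('DB_NAME', ...), define('DB_USER', ...) and $table_prefix = 'wp_'; the file path and the sample names are placeholders. It goes a little beyond the text by generating the prefix randomly and by refusing any value that is not letters, digits and underscores, which is what keeps the sed substitution safe.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress itself.
# Rewrites the database name, database user and table prefix in an existing
# wp-config.php, generating the prefix randomly so it cannot be guessed from the
# site. Assumes the stock wp-config.php layout:
#   define('DB_NAME', '...');   define('DB_USER', '...');   $table_prefix = 'wp_';
set -eu

# Only letters, digits and underscores: anything else would break the sed
# substitution below and, for the prefix, is rejected by WordPress itself.
valid_ident() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# "wp" + 6 random lowercase alphanumerics + "_", e.g. wp4k9zq2_
random_prefix() {
    printf 'wp%s_' "$(LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 6)"
}

# set_define FILE NAME VALUE   -> define('NAME', 'VALUE');
set_define() {
    file=$1 name=$2 value=$3
    valid_ident "$value" || { echo "refusing value: $value" >&2; return 1; }
    sed -i.bak "s/define( *'$name', *'[^']*' *)/define('$name', '$value')/" "$file"
    rm -f "$file.bak"
}

# set_prefix FILE PREFIX       -> $table_prefix = 'PREFIX';
set_prefix() {
    file=$1 prefix=$2
    valid_ident "$prefix" || { echo "invalid table prefix: $prefix" >&2; return 1; }
    sed -i.bak "s/\(table_prefix *= *\)'[^']*'/\1'$prefix'/" "$file"
    rm -f "$file.bak"
}

# Read the current values back (used to verify the edit took).
get_define() { sed -n "s/.*define( *'$2', *'\([^']*\)'.*/\1/p" "$1"; }
get_prefix() { sed -n "s/.*table_prefix *= *'\([^']*\)'.*/\1/p" "$1"; }

# Stand-alone usage: sh obscure-names.sh /var/www/html/wp-config.php sometopic_wp u8k2q_app
if [ $# -eq 3 ]; then
    set_define "$1" DB_NAME "$2"
    set_define "$1" DB_USER "$3"
    set_prefix "$1" "$(random_prefix)"
    echo "table prefix is now $(get_prefix "$1")"
fi
```

Run this before the installer creates the tables; changing $table_prefix on a live site without renaming the tables (and the prefixed rows in wp_options and wp_usermeta) locks you out.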

Disabling Directory Views

If directory views are enabled, the contents of any website directory without an index file will be listed for your visitors to see. Not good! A listing tells an attacker exactly which plugins and themes you run, and exposes stray files such as backup copies of wp-config.php (wp-config.php.bak and the like), which the server will hand out as plain text. Many hosts already disable directory listings, but if yours hasn’t, you can take care of it rather quickly.

In the .htaccess file of the root directory, add the line Options -Indexes near the top of the file. If your host does not allow Options to be overridden in .htaccess, every page will return a 500 error; in that case remove the line and use the index file approach instead.

If .htaccess is not an option, add a blank index.htm or index.php to each of your WordPress directories. Instead of a directory listing, a blank page (the index file) will appear.

Protect wp-config.php File

WordPress uses the wp-config.php file to connect to the database and set various preferences, so it holds your database credentials and secret keys. At a minimum, set the permissions of wp-config.php to 644 (read and write for the owner, read-only for group and world). Better, if PHP runs as the file’s owner (as it does with suPHP, suEXEC or a per-user PHP-FPM pool), use 600 or 400 so that other accounts on a shared host cannot read it at all. WordPress will also look for wp-config.php one directory above the document root, which keeps it out of the web tree entirely.

To further secure the file, update the .htaccess file to deny web access to it. Since wp-config.php should never be served, a flat deny is simpler and safer than an allowlist of IP addresses. Visit themelab for more info. (Note: In themelab’s example, they show how to limit access to the wp-login.php file by IP address. Substitute wp-config.php for the file name.)

Permissions for File and Directories

It’s likely that your web host has already set up sensible permissions and ownership. Directory permissions should be 755 and file permissions 644. You might run across exceptions when a plugin needs to write to a particular file or directory, but for the most part these settings work across the board. Ownership matters as much as the mode: if the web server runs as a different user than the file owner, 644/755 lets it read everything but write nothing, which is exactly what you want everywhere except wp-content/uploads.
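The three file-system measures above (disabling directory listings, protecting wp-config.php, and setting 755/644 permissions) as one hardening pass, written as an added example and not taken from the original post or from WordPress. It assumes Apache honouring .htaccess for the document root and PHP running as the file owner; the document root path is a placeholder. It goes beyond the text in two places: the deny block carries both Apache 2.2 and 2.4 syntax, and wp-config.php is tightened to 600 rather than 644.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress itself.
# One hardening pass over a WordPress document root that applies the three
# measures above: no directory listings, wp-config.php never served over HTTP,
# and 755/644 permissions with wp-config.php tightened to 600.
# Assumes Apache honouring .htaccess (AllowOverride) and PHP running as the file
# owner; if PHP runs as a different user, use 640 plus the web server's group for
# wp-config.php instead of 600.
set -eu

# add_htaccess_block DOCROOT MARKER BODY
# Appends BODY to .htaccess once; MARKER is a comment line that keeps repeated
# runs from duplicating the block.
add_htaccess_block() {
    docroot=$1 marker=$2 body=$3
    ht="$docroot/.htaccess"
    touch "$ht"
    grep -qF "$marker" "$ht" && return 0
    printf '%s\n%s\n' "$marker" "$body" >> "$ht"
}

disable_listings() {
    add_htaccess_block "$1" '# hardening: no directory listings' 'Options -Indexes'
}

# Deny web access to wp-config.php outright (Apache 2.4 and 2.2 syntax).
protect_wp_config() {
    add_htaccess_block "$1" '# hardening: never serve wp-config.php' \
'<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>'
}

# Fallback for hosts that ignore .htaccess: a blank index.php in every directory.
add_index_files() {
    find "$1" -type d | while read -r d; do
        [ -e "$d/index.php" ] || printf '<?php // Silence is golden.\n' > "$d/index.php"
    done
}

# 755 on directories, 644 on files, and 600 on wp-config.php (only PHP, running
# as the owner, ever needs to read it).
set_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# Symbolic mode of a path, e.g. -rw------- (portable, unlike stat's flags).
mode_of() { ls -ld "$1" | cut -c1-10; }

harden() {
    disable_listings "$1"
    protect_wp_config "$1"
    add_index_files "$1"
    set_permissions "$1"
}

# Stand-alone usage: sh harden-wp.sh /var/www/html
if [ $# -eq 1 ]; then harden "$1"; fi
```

Run it again after every update or plugin install; it is idempotent, so the .htaccess blocks are added only once while any files the update dropped in with looser modes get corrected.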

Change Admin Username

Most self-installers let you specify an admin name and password during installation. Never use ‘admin’ as the user name. Be a bit more creative! If the install automatically adds the admin user, fix it immediately after installation: create a new administrator account with a different name, log in as that account, and delete admin, attributing its posts to the new account. Bear in mind that usernames can still be discovered through author archive pages, so the account also needs a strong password.

This gives you a good foundation for securing your site. What are some of the steps you’ve taken to keep your site safe from the bad guys?


About Carma Leichty

Carma Leichty is a trainer in WordPress and web design. A converted Dreamweaver user, she is crazy about WordPress. She's done websites for the past umpteen years and most enjoys helping others promote their creative work.

8 Responses

  1. lorenzo, November 9, 2011 at 10:31

    Many thanks for this short list of ‘safety tips’

    Very good, and easy to follow, indeed.

  2. saqib, November 9, 2011 at 11:20

    Thanks Carma,

    All the points mentioned are really useful and few of these were new to me.

    I just like to mention one thing that beginners could have trouble in installing WordPress in a subdirectory. So it would be nice to add a link to http://codex.wordpress.org/Giving_WordPress_Its_Own_Directory

    Regards

    1. Jean Galea, November 9, 2011 at 11:40

      Good point Saqib, thanks.

  3. Carma Leichty, November 10, 2011 at 01:12

    Lorenzo – Glad you found the points easy to follow!

    Saqib – Thanks for the link! Very helpful.

  4. Roger, November 11, 2011 at 15:44

    Also, don’t forget to remove the references to WordPress in theme php coding, etc. It’s one thing to use obfuscation for directory structure, etc. but it’s also important to not give out too much information.

    Additionally, what about monitoring? Sites like WebSiteDefender allow people a free account to monitor and scan the security of their WordPress based sites. If something changes, or an update is needed, etc., they get an alert.

    Don’t forget, users should also configure the salt (secret keys) in their wp-config.php file. ;)

    Another HUGE issue is that users should be advised to use strong passwords. It’s easy to access the admin area if a simple “easy” password is used.

    One very large point that could be mentioned… Do not use “admin” as the username, (some people still do that for some strange reason).

    What about plugins?

    * Block Bad Queries
    * WordPress Firewall
    * Login LockDown
    * WP Security Scan

    The above are just some plugin examples, there are more available at WordPress.org

    All too often, I find that there is no .htaccess file in the admin folder. To help with securing WordPress, there really should be! Below is one example of such an .htaccess file:

    # BEGIN WordPress
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    # END WordPress

    Backup, backup, backup… Don’t forget that backups are an important aspect of security.

    I hope this comment helps someone, somewhere! :)

  5. Carma Leichty, November 11, 2011 at 16:06

    Great points, Roger! I especially like the plugin list. I was familiar with a couple of them, but not all of them. Thanks for sharing!

  6. wisai, February 16, 2012 at 06:00

    I am looking for advice on this topic.
    Thank you.

  7. Mark Moore, July 3, 2012 at 23:55

    One of my favorite modifications is to change the location of wp-content. It throws some bots. I think that the majority of users are hacked because of improper file ownership and group permissions. More suggestions at http://nwlinux.com/hardening-wordpress-on-ubuntu-lamp/
