Crackers are people too. Unfortunately, they’re the wrong type of people: the ones who’ll look for ways to break a site and suck all your hard work into oblivion, all because their imaginary girlfriend dumped them for a PlayStation 3 while they were busy zapping goblins with their level 32 Warlock.
If you’re using the latest version of WordPress, you’re already more secure than many, but there are still ways to be safer. Use these 8 tips to keep your self-hosted WordPress site safe. Note: most of these tips apply to general web development too.
1) Prevent directory listing
In many cases, a default WordPress installation on a default web server set-up lets anyone use their web browser as a file browser to look through the contents of the folders on your server.
Why is this bad?
On its own it looks harmless, and some web hosts don’t even bother to turn off directory listing by default. Sadly, it hands an attacker several things:
a) If plugin and theme authors have made mistakes in their code that allow unexpected access, hackers can use your directory listing to find out if you’ve got those vulnerable files and then attack your site.
b) Nosey people can browse the non-WordPress contents of your web server to discover folders and projects that you might not be ready to announce, or which contain files that you thought weren’t accessible to the general public.
c) Many directory listings feature a line in the footer telling visitors your server software and version. Hackers can cross-reference these version numbers with lists of known vulnerabilities and bring your site down or gain unauthorised access. (Yes, there are other ways to find out what server software you’re running, but let’s not make it too easy!)
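If you look after more than one site, the manual check below is worth scripting. The following is an added example written for this post, not code from the original; it recognises the “Index of …” page that Apache and nginx generate for a listable folder, pulls out the file names that were exposed, and picks the server version out of the footer described in (c). The sample response is constructed, the folder list is an assumption, and the live check only runs if you pass a URL on the command line.

```python
"""Spot an exposed directory listing (and a leaked server version) in a
web server's response. Added example; not part of the original post."""
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Folders worth checking on a WordPress install (assumed list).
WP_PATHS = ["/wp-content/plugins/", "/wp-content/themes/",
            "/wp-content/uploads/", "/wp-includes/"]


class _IndexParser(HTMLParser):
    """Collect the <title>, every link href, and the <address> footer."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.address = ""
        self.hrefs = []
        self._inside = None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "address"):
            self._inside = tag
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == self._inside:
            self._inside = None

    def handle_data(self, data):
        if self._inside == "title":
            self.title += data
        elif self._inside == "address":
            self.address += data


def analyse(status, body):
    """Classify one response as {"listing", "entries", "server"}.

    Apache's mod_autoindex and nginx's autoindex both title the page
    "Index of <path>"; Apache's ServerSignature footer (when enabled) sits
    in an <address> tag, which is where the version number leaks from.
    """
    result = {"listing": False, "entries": [], "server": None}
    if status != 200 or not body:
        return result              # 403/404, or the blank index.html fix
    parser = _IndexParser()
    parser.feed(body)
    if parser.title.strip().lower().startswith("index of"):
        result["listing"] = True
        # Drop the sort links (?C=N;O=D) and the parent-directory link.
        result["entries"] = [h for h in parser.hrefs
                             if not h.startswith(("?", "/", "../"))]
    match = re.search(r"\b(Apache|nginx|LiteSpeed)/[\w.]+", parser.address)
    if match:
        result["server"] = match.group(0)
    return result


def check_url(url, timeout=10):
    """Fetch one URL and analyse it (network; not used by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return analyse(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return analyse(err.code, "")


# Constructed sample of what Apache returns for an unprotected plugins folder.
SAMPLE_APACHE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="hello.php">hello.php</a>
<hr></pre>
<address>Apache/2.2.9 (Debian) Server at example.com Port 80</address>
</body></html>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # python3 dirlisting.py http://example.com
        for path in WP_PATHS:
            print(path, check_url(sys.argv[1].rstrip("/") + path))
    else:
        print(analyse(200, SAMPLE_APACHE))
```

A blank page (the index.html fix) comes back as status 200 with no “Index of” title, and the .htaccess fix comes back as a 403, so both read as safe; only a real listing reports the exposed entries.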
Check if your site’s affected
Type your WordPress URL into your browser address bar, followed by /wp-content/plugins/, like this (with your own domain in place of example.com): http://example.com/wp-content/plugins/
If you see a blank page, a 403 (forbidden) error or a 404 (file not found) page, you’re almost certainly safe. If you see a list of filenames displayed as links, get out your bandages and use one of these two fixes:
The weak fix: add a blank index.html file
Note: This simple fix is for non-geeks only. If you’re happy editing .htaccess files, skip to “the geek fix”.
To do the weak fix, simply create a blank file in both your /wp-content/plugins/ and your /wp-content/themes/ folders using your FTP application, and name it index.html. Now visit those locations in your web browser – you should see a blank page instead of a list of files.
It’s good, but it’s not flawless. While hackers won’t be able to see what’s in your /themes/ and /plugins/ directories any more, they’ll still be able to see the contents of any folder that doesn’t have a blank index.html, which includes subfolders and other areas.
You could just put a blank index.html file in every folder on your server, but it’s a bit of a pain, isn’t it? Wouldn’t it be great if you could prevent people seeing inside all your folders using one line of code? Want the good news? You can!
The geek fix: edit your .htaccess file
This is the safest and fastest fix, which requires a tiny bit of geekery.
You need to edit the .htaccess file that lives in your WordPress root directory. (Make sure you’ve set your FTP app to “show hidden files”. If you still don’t see an .htaccess file, create it now in the WordPress root, which should contain a file named wp-config.php).
Next, open the .htaccess file in a text editor, add the following two lines to the bottom, and save the file.
# Prevents directory listing
Options -Indexes
That’s it! You’re done. Browse to the /wp-content/plugins/ or /wp-content/themes/ URL in your browser again. You should get a 403 Forbidden error (or your host’s error page) instead of a list of your files. Two caveats: this only works on Apache with .htaccess overrides enabled, so if every page on your site suddenly returns a 500 error, your host doesn’t permit the Options directive in .htaccess; remove the line and ask them to disable listings for you. On nginx there is no .htaccess at all, and the equivalent is making sure autoindex is off in the server configuration.
Why doesn’t WordPress block directory listings by default?
It’s a good question. The answer is that it’s down to webmasters and web hosts to secure their own sites and servers. That means you.
But not everyone’s a web whiz. We think there should at least be a blank index file in the plugins and themes folders by default. We’ve submitted the suggestion in the WordPress ideas forum. If you want to support it, head over there and give the idea a rating to make your voice heard.
If you don’t have a WordPress.org forum account, you can register for one here. Alternatively, you can send the developers an anonymous note on the WordPress kvetch page. (Keep it polite! They’re a great bunch who give up their time for free.)
2) Use SFTP instead of FTP
Plain old FTP isn’t secure. If you use an FTP application to connect to your site, you’re sending your password in plain, human-readable text every time you log in. Hackers have ways of ‘listening in’ to intercept that information, which they can use to gain access to your site via FTP.
Start using SFTP (the SSH File Transfer Protocol; despite the name it runs over SSH rather than being FTP with encryption bolted on) in place of FTP when you access your site. Connecting by SFTP is simple, and good web hosts (like Eleven2) will have it turned on by default. All you need to do is ask your hosting company which port number to use (usually 22, the SSH port), then change the connection type and port in your FTP application.
If your host doesn’t support SFTP (some hosts list it as “FTP over SSH”) or FTPS (FTP over TLS, the other acceptable option), or if they require you to jump through burning hoops to switch it on, just change your web host. Plain FTP is unsafe, and it’s over 23 years old. In computing terms, that’s ancient! It’s time to update to a new standard. That standard is SFTP.
3) Stay up to date
It’s important to keep your themes, plugins, and WordPress installation up to date. If you’re using WordPress 2.6 or higher, updating your plugins is easy from the admin area. For your theme, make sure you’re subscribed to the theme developer’s site; they should announce any updates that affect security.
To keep WordPress itself up to date, we recommend the automatic upgrade plugin, which streamlines the process a little. (WordPress 2.7 and later build a one-click core upgrade into the admin area, so once you’re on 2.7 the plugin is no longer needed.)
4) Learn the correct file permissions
You probably shouldn’t be messing around with file permissions once WordPress is installed, but just in case you’ve meddled with them and want to double check, here’s a quick primer:
All folder permissions should be set to 755. Files should be set to 644. Only loosen that for files you want to edit in the WordPress Theme editor, and even then think twice: the 666 often recommended makes the file writable by every account on the server, which is exactly the problem with 777. If the editor can’t save, it’s because the web server runs as a different user from your FTP account; editing over SFTP instead, or asking your host to fix the file ownership, is safer than widening the permissions. Never use 777 for WordPress permissions: you’re letting all users on the server do whatever they want with your site. On a shared or badly configured server, that can mean trouble.
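Checking every file by hand in an FTP client is tedious, so here is an added example (written for this post, not code from WordPress or the original article) that walks an installation and reports anything wider than 755 for folders or 644 for files. Stricter modes such as 600 on wp-config.php pass; world-writable entries are called out separately because they are the 666/777 case above. The sample tree it builds in a temporary directory is constructed purely to demonstrate the output.

```python
"""Audit a WordPress tree for permissions wider than 755 (dirs) / 644 (files).
Added example; not from the original post."""
import os
import stat
import sys
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644


def classify(mode, is_dir):
    """Return a problem label, or None if `mode` grants no more than the rule.

    Anything stricter (e.g. wp-config.php at 600) is fine; every extra bit
    is flagged, with world-writable called out because 666/777 let any
    other account on a shared box rewrite the file.
    """
    expected = DIR_MODE if is_dir else FILE_MODE
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & ~expected:
        return "wider than %o" % expected
    return None


def audit(root):
    """Walk `root` and return sorted (relative path, mode, problem) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):      # a symlink's own mode is meaningless
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            problem = classify(mode, is_dir)
            if problem:
                findings.append((os.path.relpath(path, root), mode, problem))
    return sorted(findings)


# Constructed sample tree: (relative path, is_dir, mode to apply).
DEMO = [
    ("index.php", False, 0o644),                          # correct
    ("wp-config.php", False, 0o600),                      # stricter than 644: fine
    ("wp-content/plugins", True, 0o775),                  # group-writable: flagged
    ("wp-content/uploads", True, 0o777),                  # anyone can write: flagged
    ("wp-content/themes/demo/style.css", False, 0o666),   # the "theme editor" 666: flagged
]


def build_demo_tree():
    """Create the sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, is_dir, _ in DEMO:
        path = os.path.join(root, rel)
        os.makedirs(path if is_dir else os.path.dirname(path), exist_ok=True)
        if not is_dir:
            open(path, "w").close()
    # Normalise everything first so the result does not depend on the umask,
    # then apply the sample modes.
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_MODE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), FILE_MODE)
    for rel, _, mode in DEMO:
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    # python3 wp_perms.py /path/to/wordpress   (no argument: audit the sample tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for rel, mode, problem in audit(target):
        print("%o  %-16s %s" % (mode, problem, rel))
```

Run it against your real install over SSH (or on a local copy pulled down by SFTP, though note that the download will have your local umask applied, so the live server is the one that counts).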
If that was gobbledygeek to you, move along. Your life is probably better off without this stuff.
5) Keep user registration turned off
By default, WordPress doesn’t allow visitors to register for an account on your site. Open registration is useful if you’re building a community site, but otherwise keep it off, since some of the latest exploits need a registered account to attack WordPress. (The hole is fixed in the latest version, which is one more reason to follow tip 3.)
To check that you’ve got registration turned off, log in to your admin area, click “Settings” and make sure that “Anyone can register” is unchecked next to the “Membership” heading.
6) Limit WordPress admin access by IP address
Right now, anyone with web access can visit your WordPress login page and take a guess at your admin password. If they get it right, they’ll have full control of your site.
Restrict the WordPress admin folder to allow access only from your computer, or a small group of computers. To limit access by IP, create an .htaccess file in your /wp-admin/ folder (not directly in your WordPress root!) containing the following code. (This is the Apache 2.2 syntax; on Apache 2.4 the equivalent is one Require ip line per address.)
order deny,allow
deny from all
# allow my home IP address
allow from XX.XX.XXX.XXX
# allow my work IP address
allow from XX.XX.XXX.XXX
Don’t forget to replace the Xs with your IP address, which you can find using a site such as What’s My IP when you’re at the computer you want access from.
Once you’ve done this, visitors without an allowed IP address will get a 403 Forbidden error if they try to access your admin area. Try accessing the Wordprezzie admin area to see it in action. You should see an error page (unless you’re on our computers, which are kept at the bottom of a well). One thing this doesn’t cover: the login form itself is wp-login.php in the WordPress root, not inside /wp-admin/, so it stays reachable; to lock that down too, put the same rules inside a <Files wp-login.php> block in your root .htaccess. Credit where it’s due: I adapted this tip from Matt Cutts’ suggestion, which is here.
You should know that IP addresses can be reassigned by your ISP without warning, so use this tip with caution unless you’ve paid for a static IP. Don’t worry, though – if you find yourself locked out, you’ll still be able to gain access by SFTP (you are using that, right?) to delete or edit the .htaccess file with your new IP.
Note: If you travel a lot, then this tip’s probably not for you. Consider password protecting /wp-admin/ at the directory level instead so that you’ll be able to access it wherever you are using an additional password. Most hosting control panels have an option to add a password to a folder, or you can search the web for “htpasswd”.
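Because the rules differ between Apache 2.2 and 2.4, and because the “either my IP or a password” option that suits travellers needs one extra directive, here is an added example (written for this post, not from the original article or from WordPress) that generates the .htaccess text for /wp-admin/, the matching <Files wp-login.php> block for the root, and an .htpasswd entry. The addresses, labels and file path in it are placeholders; the {SHA} password format is what Apache’s own htpasswd -s writes.

```python
"""Build the .htaccess rules that lock /wp-admin/ (and wp-login.php) to a
set of IP addresses, a password, or either. Added example, not from the
original post. Assumes Apache with .htaccess overrides allowed; the
addresses and file paths below are placeholders."""
import base64
import hashlib
import ipaddress


def normalise(addr):
    """Accept a single address or a CIDR range; raise ValueError on junk."""
    net = ipaddress.ip_network(addr, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def admin_htaccess(allowed, htpasswd_file=None, apache24=False):
    """Return the text of /wp-admin/.htaccess.

    allowed: {"home": "203.0.113.10", ...}. When htpasswd_file is given the
    rule becomes "a listed address OR a valid password" (Satisfy Any on 2.2,
    <RequireAny> on 2.4), which is the option for people who travel.
    """
    ips = {label: normalise(a) for label, a in allowed.items()}
    lines = []
    if htpasswd_file:
        lines += ["AuthType Basic", 'AuthName "WordPress admin"',
                  "AuthUserFile %s" % htpasswd_file]
    if apache24:
        if htpasswd_file:
            lines.append("<RequireAny>")
        for label, ip in ips.items():
            lines += ["# allow %s" % label, "Require ip %s" % ip]
        if htpasswd_file:
            lines += ["Require valid-user", "</RequireAny>"]
    else:
        lines += ["order deny,allow", "deny from all"]
        for label, ip in ips.items():
            lines += ["# allow %s" % label, "allow from %s" % ip]
        if htpasswd_file:
            lines += ["Require valid-user", "Satisfy Any"]
    return "\n".join(lines) + "\n"


def login_htaccess(allowed, htpasswd_file=None, apache24=False):
    """The same rules for the root .htaccess, scoped to wp-login.php, which
    lives in the WordPress root rather than under /wp-admin/."""
    body = admin_htaccess(allowed, htpasswd_file, apache24).splitlines()
    return ("<Files wp-login.php>\n"
            + "".join("    %s\n" % line for line in body)
            + "</Files>\n")


def htpasswd_line(user, password):
    """One .htpasswd entry in Apache's {SHA} format (what `htpasswd -s` writes).

    It is unsalted SHA-1, so pair it with a long random password, and prefer
    `htpasswd -B` (bcrypt) on Apache 2.4 if you can run the tool.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "%s:{SHA}%s" % (user, base64.b64encode(digest).decode("ascii"))


if __name__ == "__main__":
    ALLOWED = {"home": "203.0.113.10", "work": "198.51.100.0/24"}  # placeholders
    print(admin_htaccess(ALLOWED))
    print(admin_htaccess(ALLOWED, "/home/example/.htpasswd", apache24=True))
    print(login_htaccess(ALLOWED))
    print(htpasswd_line("editor", "a-long-random-passphrase"))
```

Keep the .htpasswd file outside the web root (the AuthUserFile path is absolute, so it can live anywhere the web server can read), and remember that Basic auth sends the password in the clear unless the admin area is served over HTTPS, which is tip 7.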
7) Encrypt your web browsing session
This tip is for the ultra-cautious only. You can encrypt your entire browsing session so that your WordPress login info travels over the net as a scrambled message when you log in to your admin panel, rather than in plain text.
It’s a little fiddly to set up, but it’s the strongest way to make sure your password isn’t intercepted by packet-sniffers on a shared network such as public Wi-Fi. If your host offers HTTPS for your site, the simpler route is to use it for the admin area (WordPress 2.6 and later can force this with the FORCE_SSL_ADMIN setting in wp-config.php). Otherwise, to get started, check out this guide on Lifehacker.
8) Use your common sense
Finally, three points of common sense:
Don’t use stupid passwords.
We help a lot of people tweak their established WordPress sites, and we’re still amazed by the number who use terrifyingly simple passwords.
One high-profile blogger was using their domain name as the WordPress admin password. (We changed it for them – no point trying to guess who or what it was!)
To change your password, go to the “users” tab, click the username that you use to log in with, scroll to the bottom of the page and fill in a new password, then click “update profile”.
Be careful in public places.
I once watched a blogger accidentally type his password into the username box whilst live on a 5 metre screen and presenting to 200 people. If you’re out and about, be careful. Likewise, don’t leave a logged-in machine unattended; you’re asking to get stung.
Back up often and have a recovery plan. We’ll be writing more about this soon, so subscribe and stay tuned!
If you only have time for one
Don’t have time to do everything in this list? Take our advice: change your password to a stronger one (see point 8 for the instructions). It should be at least eight characters long and include numbers mixed with characters in uppercase and lowercase.
If you can find it in a dictionary, you’re using the wrong password. If it’s the name of your dog, daughter, or dentist, you’re using the wrong password. “Secret” is a poor choice. So is “letmein”. So is “motherducker”. Even if you think it can’t be guessed, chances are that you’ll be unpleasantly surprised. Choose a mixture of random letters and numbers and you’ll be much safer. Can’t remember all your passwords? Try PassPack.
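The rules above are concrete enough to check automatically before you click “update profile”. This is an added example written for this post, not code from WordPress or the original article: it applies the length and character-mix rule, then rejects dictionary words, well-known bad passwords and anything containing a personal detail such as your domain or your dog’s name, ignoring case and digits tacked on the end. The word lists in it are tiny constructed stand-ins; point it at a real dictionary file for actual use.

```python
"""Check a candidate password against the rules in this post. Added
example, not from the original post. The dictionary and the list of
well-known bad passwords are tiny constructed stand-ins for real lists."""
import re

WEAK = {"password", "secret", "letmein", "motherducker", "admin",
        "wordpress", "123456", "qwerty"}
DICTIONARY = {"secret", "dragon", "monkey", "sunshine", "welcome", "warlock"}
PUNCT_AND_DIGITS = "0123456789!@#$%^&*()._-"


def password_problems(password, personal=(), dictionary=DICTIONARY, weak=WEAK):
    """Return the list of rules the password breaks (empty means it passes).

    personal: strings tied to you, such as your domain name or the names of
    your dog, daughter or dentist; each is split on dots/spaces and any part
    of four or more letters found inside the password is a failure.
    Comparisons are case-insensitive and ignore digits or punctuation stuck
    on either end, so "Secret99" still counts as the dictionary word "secret".
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    lowered = password.lower()
    core = lowered.strip(PUNCT_AND_DIGITS)
    if lowered in weak or core in weak:
        problems.append("well-known weak password")
    if core in dictionary:
        problems.append("dictionary word")
    for item in personal:
        for part in re.split(r"[.\s@_-]+", item.lower()):
            if len(part) >= 4 and part in lowered:
                problems.append("contains personal detail '%s'" % part)
    return problems


if __name__ == "__main__":
    # Constructed candidates; "wordprezzie.com" and "Fido" stand in for your
    # own domain and pet's name.
    for candidate in ["letmein", "Secret99", "WordPrezzie2008", "Tr0ub4dor&3x"]:
        result = password_problems(candidate, personal=["wordprezzie.com", "Fido"])
        print(candidate, "->", result or "OK")
```

Passing this check doesn’t make a password good, it only rules out the obviously bad ones; a long random string from a password manager still beats anything you can think up.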
Need help? Just ask us
Don’t forget! We offer design, coding and security help if you need it, starting at only US$80 for quick fixes, tweaks and code help. (That includes messing around with your .htaccess files if you don’t feel brave enough!) Hire us here.
Add your own tips below
Got a WordPress security tip you’d like to share? Help us all stay safe by adding your comments below.