The WordPress Content Management System (CMS) has a lot of useful and advanced features when it comes to site building! Its plugins give you the freedom to create great-looking, user-friendly, on-page SEO optimized websites! However, there are some actions you will need to take in order to protect and secure your WP project(s). In this tutorial we will discuss most of them.

There is one free all-in-one security plugin called WP Security Scan. It will scan your WordPress site and give you the best suggestions regarding the protection of your WP site. If there are critical issues (hopefully not!) it will e-mail you the details, so you will always be kept up to date – which is essential when it comes to your site’s protection!

If you are serious about your web projects I would highly recommend using ONLY ORIGINAL WordPress themes. I once had a bad experience with using a theme from an unknown source. Two months later the site was hacked and I needed to rebuild it once again. Not to mention that it was a project for a client and the second site (built on a purchased WP theme) was on me… So whenever you decide to create really good and valuable sites please spend $10 to $30 on a theme which will be protected and won’t have security holes! It’s worth it!

Your database must be secured! For this purpose download and install the WP-DBManager plugin. It lets you create backups of your database and, if needed, send them to your e-mail address.

I would highly recommend one very good plugin made solely for protection purposes! It is called Security Ninja. It is not free, currently $10, but believe me – you will sleep better if it is installed on your WordPress site(s)!

Make sure to use a very strong password for your wp-admin area. This is essential! It is also advisable to protect the administrator dashboard with a special (and free) plugin called Login LockDown.

You might also want to protect your wp-admin area with a custom-made .htaccess file – it will additionally strengthen your site and will give you access to the area only when you change the file’s permissions through your FTP manager. You can download such a file from the link below and upload it to your wp-admin folder.

Download WP protection file for FREE:

>> CLICK HERE TO DOWNLOAD <<

Whenever you decide to change something in your dashboard simply rename the file – for example to .htaccess.TXT. And when you log out, just remove the “.TXT” part.

Advanced WordPress CMS Protection Techniques and Guide


If you are an advanced web developer or freelancer building WP websites not only for yourself but for clients as well, you definitely need to know how to protect these WordPress sites!

WordPress Security Tips and Tricks:

Check if WordPress core is up to date

Keeping the WordPress core up to date is one of the most important aspects of keeping your site secure. When a vulnerability is discovered in WordPress and a new version is released to address it, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attacks, and is one of the primary reasons you should always keep WordPress up to date. Thanks to automatic updates, updating is very easy. Just go to Dashboard >> Updates and click “Upgrade”.

Check if plugins are up to date

As with the WordPress core, keeping plugins up to date is one of the most important and easiest ways to keep your site secure. Since most plugins are free, and therefore their code is available to anyone, having the latest version will ensure you’re not prone to attacks based on known vulnerabilities. If you downloaded a plugin from the official WP repository you can easily check whether any upgrades are available, and upgrade it, by opening Dashboard >> Updates. Remember – always back up your files and database before upgrading!

Check if themes are up to date

As with the WordPress core, keeping themes up to date is one of the most important and easiest ways to keep your site secure. Since most themes are free, and therefore their code is available to anyone, having the latest version will ensure you’re not prone to attacks based on known vulnerabilities. Having the latest version will also ensure your theme is compatible with the latest version of WP. If you downloaded a theme from the official WP repository you can easily check whether any upgrades are available, and upgrade it, by opening Appearance – Themes.

Check if full WP version info is revealed in page’s meta data

You should be proud that your site is powered by WordPress and there’s no need to hide that information. However, disclosing the full WP version in the default location (the page header meta tag) is not wise. People with bad intentions can easily use Google to find sites that use a specific version of WordPress and target them with 0-day exploits. Place the following code in your theme’s functions.php file in order to remove the version from the header meta tag:
function remove_version() {
    // Return an empty generator string so the version is not printed in <head>
    return '';
}
add_filter('the_generator', 'remove_version');

Check if WordPress readme.html file is accessible via HTTP on the default location

As mentioned in the previous check – you should be proud that your site is powered by WordPress, but still hide the exact version you’re using. readme.html contains the WP version and, if left in the default location (the WP root), attackers can easily find out your WP version. This is very easy to solve: rename the file to something more unique like “readme-876.html”, delete it, move it to another location, or chmod it so that it’s not accessible via HTTP.

Check if server response headers contain detailed PHP version info

As with the WordPress version, it’s not wise to disclose the exact PHP version you’re using because it makes the job of attacking your site much easier. This issue is not directly WP related but it definitely affects your site. You’ll most probably have to ask your hosting company to configure the HTTP server not to show PHP version info, but you can also try adding these directives to the .htaccess file (the X-Powered-By header is emitted by PHP itself, so the expose_php directive covered further below turns it off at the source):
<IfModule mod_headers.c>
Header unset X-Powered-By
Header unset Server
</IfModule>

Check if user with username “admin” exists

If someone tries to guess your username and password, or runs a brute-force attack, they’ll most probably start with the username “admin”. This is the default username used by far too many sites and should be removed. Create a new user and assign it the “administrator” role. Avoid usernames like “root”, “god”, “null” or similar ones. Once the new user is created, delete the “admin” one and assign all posts/pages it may have created to the new user.

Check for display of unnecessary information on failed login attempts

By default, on failed log-in attempts WordPress will tell you whether the username or the password is wrong. An attacker can use that to find out which usernames are active on your system and then use brute-force methods to crack the password.
The solution to this problem is simple. Whether the user enters a wrong username or a wrong password we always tell them “Wrong username or password”, so that they don’t know which of the two is wrong. Open your theme’s functions.php file and copy/paste the following code:
function wrong_login() {
    // Same generic message for a bad username and a bad password
    return 'Wrong username or password.';
}
add_filter('login_errors', 'wrong_login');

Check if all security keys and salts have proper values

Security keys are used to ensure better encryption of the information stored in the user’s cookies and of hashed passwords. You don’t have to remember these keys. In fact, once you set them you’ll never see them again. Therefore there’s no excuse for not setting them properly. The security keys (there are eight) are defined in wp-config.php as constants on lines #45-52. They should be as unique and as long as possible. WordPress provides a great script which generates those strings for you. Please use it!

Test the strength of WordPress database password

There is no such thing as an “unimportant password”! The same goes for the WordPress database password. Although most servers are configured so that the database can’t be accessed from other hosts, that doesn’t mean your database password should be “12345”. Choose a proper password, at least 8 characters long with a combination of letters, numbers and special characters. To change the database password open cPanel, Plesk or whichever hosting control panel you have. Find the option to change the database password and make sure the new password is strong enough. If you can’t find that option or you’re uncomfortable changing it, contact your hosting provider. After the password is changed open wp-config.php and change the password on line #25:
/** MySQL database password */
define('DB_PASSWORD', 'YOUR_NEW_DB_PASSWORD_GOES_HERE');

Check if database table prefix is the default one (wp_)

Knowing the names of your database tables can help an attacker dump the tables’ data and get to sensitive information like password hashes. Since WP table names are predefined, the only way you can change them is by using a unique prefix – one that’s different from “wp_” or any similar variation such as “wordpress_”.
If you’re doing a fresh installation, defining a unique table prefix is easy. Open wp-config.php and go to line #61 where the table prefix is defined. Enter something unique like “frog99_” and install WP. If you already have a WP site running and want to change the table prefix, things are a bit more complicated and you should only make the change if you’re comfortable editing your DB data via phpMyAdmin or a similar GUI.

Check if site debug mode is enabled

Having any kind of debug mode (the general WP debug mode in this case) or error reporting mode enabled on a production server is extremely bad. Not only will it slow down your site and confuse your visitors with weird messages, it will also give a potential attacker valuable information about your system. The general WordPress debugging mode is enabled/disabled by a constant defined in wp-config.php. Open that file and look for a line similar to:
define('WP_DEBUG', true);
Comment it out, delete it or replace it with the following to disable debugging:
define('WP_DEBUG', false);
If your blog still fails this test after you made the change, it means some plugin is enabling debug mode. Disable plugins one by one to find out which one is doing it.

Check if database debug mode is enabled

Having any kind of debug mode (the WP DB debug mode in this case) or error reporting mode enabled on a production server is extremely bad. Not only will it slow down your site and confuse your visitors with weird messages, it will also give a potential attacker valuable information about your system. WordPress DB debugging mode is enabled with the following call:
$wpdb->show_errors();
In most cases this debugging mode is enabled by a plugin, so the only way to solve the problem is to disable plugins one by one and find out which one enabled it.

Check if JavaScript debug mode is enabled

Having any kind of debug mode (the WP JavaScript debug mode in this case) or error reporting mode enabled on a production server is extremely bad. Not only will it slow down your site and confuse your visitors with weird messages, it will also give a potential attacker valuable information about your system. WordPress JavaScript debugging mode is enabled/disabled by a constant defined in wp-config.php. Open your config file and look for a line similar to:
define('SCRIPT_DEBUG', true);
Comment it out, delete it or replace it with the following to disable debugging:
define('SCRIPT_DEBUG', false);
If your blog still fails this test after you made the change, it means some plugin is enabling debug mode. Disable plugins one by one to find out which one is doing it.
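As an added example (not code from the original guide), this Python script reads a wp-config.php and flags the weaknesses covered in the sections on security keys, the database password, the table prefix, and the WP_DEBUG and SCRIPT_DEBUG constants. The embedded wp-config.php fragment is constructed for the demonstration, and the 32-character minimum it applies to keys and salts is this script’s own assumption, not a WordPress rule.

```python
import re

# Constructed wp-config.php fragment (not from any real site) showing the weak settings this guide warns about.
SAMPLE_WP_CONFIG = r"""<?php
define('DB_PASSWORD', '12345');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
define('WP_DEBUG', true);
define('SCRIPT_DEBUG', true);
require_once(ABSPATH . 'wp-settings.php');
"""

KEY_NAMES = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
             'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT')
# Matches define('NAME', true|false|'string'), the only forms the checks need.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|['"](.*?)['"])\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](.*?)['"]""")

def parse_wp_config(text):
    # Returns ({constant_name: str or bool}, table_prefix or None).
    consts = {}
    for name, raw, quoted in DEFINE_RE.findall(text):
        consts[name] = raw == 'true' if raw in ('true', 'false') else quoted
    m = PREFIX_RE.search(text)
    return consts, (m.group(1) if m else None)

def password_is_weak(pw):
    # The guide's rule: at least 8 characters mixing letters, digits and specials.
    classes = (r'[A-Za-z]', r'\d', r'[^A-Za-z0-9]')
    return len(pw) < 8 or not all(re.search(c, pw) for c in classes)

def audit_wp_config(text):
    # Returns a list of findings; an empty list means every check passed.
    consts, prefix = parse_wp_config(text)
    findings = []
    if password_is_weak(str(consts.get('DB_PASSWORD', ''))):
        findings.append('DB_PASSWORD is weak')
    for name in KEY_NAMES:  # 32 chars is this script's minimum (assumption)
        val = consts.get(name, '')
        if not isinstance(val, str) or len(val) < 32 or 'unique phrase' in val:
            findings.append(f'{name} is missing, short or still the placeholder')
    if prefix is None or prefix in ('wp_', 'wordpress_'):
        findings.append('table prefix is the default wp_ (or a close variant)')
    for flag in ('WP_DEBUG', 'SCRIPT_DEBUG'):
        if consts.get(flag) is True:
            findings.append(f'{flag} is enabled')
    return findings
```

Run it as `audit_wp_config(open('wp-config.php').read())` against a real file; each string in the returned list is one setting to fix.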

Check if display_errors PHP directive is turned off

Displaying any kind of debug info or similar information is extremely bad. If any PHP errors happen on your site they should be logged in a safe place and not displayed to visitors or potential attackers.
Open wp-config.php and place the following code just above the require_once call at the end of the file:
ini_set('display_errors', 0);

Check if WordPress installation address is the same as the site address

Moving the WP core files to a non-standard folder will make your site less vulnerable to automated attacks. Most scripts that script kiddies use rely on default file paths. If your blog is set up on www.site.com you can put the WP files in, for example, /var/www/vhosts/site.com/www/wp-core/ instead of the obvious /var/www/vhosts/site.com/www/.
The site and WP addresses can easily be changed in Options – General.

Check if wp-config.php file has the right permissions (chmod) set

The wp-config.php file contains sensitive information (the database username and password) in plain text and should not be accessible to anyone except you and WP (or, to be more precise, the web server). The best chmod for your wp-config.php depends on how your server is configured, but there are some general guidelines you can follow. If you’re hosting on a Windows-based server, ignore all of the following.
- try setting chmod to 0400 or 0440 and, if the site works normally, that’s the best one to use
- “other” users should have no privileges on the file, so set the last octal digit to zero
- “group” users shouldn’t have any access either, unless Apache falls under that category, so set the group rights to 0 or 4

Check if install.php file is accessible via HTTP on the default location

There have already been a couple of security issues regarding the install.php file. Once you have installed WP this file becomes useless and there’s no reason to keep it in the default location, accessible via HTTP. This is very easy to solve: rename install.php (you’ll find it in the wp-admin folder) to something more unique like “install-876.php”, delete it, move it to another location, or chmod it so it’s not accessible via HTTP.

Check if upgrade.php file is accessible via HTTP on the default location

There have already been a couple of security issues regarding this file. Besides the security issue, it’s never a good idea to let people run database upgrade scripts without your knowledge. This is a useful file but it should not be accessible in the default location. This is very easy to solve: rename upgrade.php (you’ll find it in the wp-admin folder) to something more unique like “upgrade-876.php”, move it to another location, or chmod it so it’s not accessible via HTTP. Don’t delete it! You may need it later on.

Check if “anyone can register” option is enabled

Unless you’re running some kind of community-based site this option needs to be disabled. Although it only gives an attacker limited access to your backend, that is enough to start exploiting other security issues. Go to Options – General and uncheck the “Membership – anyone can register” check box.

Check if register_globals PHP directive is turned off

This is one of the biggest security issues you can have on your site! If your hosting company has this directive enabled by default, switch to another company immediately! The PHP manual has more info on why this is so dangerous.
If you have access to the php.ini file, locate
register_globals = on
and change it to:
register_globals = off
Alternatively, open .htaccess and put this directive into it:
php_flag register_globals off
If you’re still unable to disable register_globals, contact a security professional immediately!

Check if safe mode is disabled

PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren’t very realistic, many people, especially ISPs, use safe mode for now. If your hosting company still uses safe mode it might be a good idea to switch. This feature is deprecated in newer versions of PHP (5.3). If you have access to the php.ini file, locate
safe_mode = on
and change it to:
safe_mode = off

Check if expose_php PHP directive is turned off

It’s not wise to disclose the exact PHP version you’re using because it makes the job of attacking your site much easier.
If you have access to the php.ini file, locate
expose_php = on
and change it to:
expose_php = off

Check if allow_url_include PHP directive is turned off

Having this PHP directive enabled will leave your site exposed to cross-site attacks (XSS). There’s absolutely no valid reason to enable this directive, and using any PHP code that requires it is very risky.
If you have access to the php.ini file, locate
allow_url_include = on
and change it to:
allow_url_include = off
If you’re still unable to disable allow_url_include, contact a security professional immediately!

Check if plugins/themes file editor is enabled

The plugins and themes file editor is a very convenient tool because it enables you to make quick changes without the need to use FTP. Unfortunately it’s also a security issue, because it not only shows PHP source but also lets an attacker inject malicious code into your site if they manage to gain access to the admin area.
The editor can easily be disabled by placing the following code in the theme’s functions.php file:
define('DISALLOW_FILE_EDIT', true);

That’s it! Now you know how to protect your WordPress site(s) and projects and can concentrate on more important things in life! How to make money from your protected sites, for example! :-)


Join the discussion about protecting your WordPress site from hackers, and especially from brute-force attacks – join here – http://forum.tutorials7.com/233/bruce-force-attack-on-wordpress-sites or this forum thread – http://forum.tutorials7.com/286/my-wordpress-site-is-hacked-message-leading-to-spammer-shop.

Here is also a video review and tutorial about a very useful security reporting tool! See it HERE.

To learn how to use WordPress see our WordPress Video Course.