Saturday, 2 February 2013

Securing WordPress – Part II

Posted: 02 Feb 2013 01:26 AM PST

We last talked about the importance of securing every computer involved in managing and serving your WordPress site, and every program involved as well: the OS, Apache, PHP, MySQL, and so on. We then outlined a plan for creating and protecting randomly generated, secure user names and passwords. Here we continue with further steps to secure your WordPress installation.

Backup for Security Purposes

Back up regularly. Complete backups can be taken less often than incremental ones, but do not neglect them: an infected file can taint a backup, and you may need to restore everything, so you should not have to go far back to find a clean copy. The more frequently you back up, the more recent the data you restore when replacing a hacked WordPress site.

FTP Security

Never sign up with a hosting provider that does not offer SFTP (Secured FTP). It is the only way you should be transferring files to your server, since everything you send is encrypted in both directions. Nobody watching the connection will see your password in plain text; they will only see an encrypted mess they cannot decipher. If a hacker breaks into your FTP account, they gain access not only to your WordPress site but to your entire hosting account for that domain.

WordPress Vulnerabilities

When you think about securing WordPress, the vulnerabilities in WordPress itself probably come to mind first. Security releases come out all the time, because the developers constantly watch for weaknesses and patch them as they arise, which is why keeping WordPress up to date is so important. The easiest way to do this is a plugin called Automatic Updater, which applies updates automatically. You can even choose to update more than WordPress core: it can update your themes and/or plugins as well.

Securing Your Database

Every site you run should use its own database and its own database user with a unique, secure password. Consider random user names, as described in Part I of our series. One MySQL feature that should be turned off, unless you need it yourself for a special purpose, is remote TCP connections. To secure MySQL properly you must understand MySQL security more thoroughly; the steps outlined here provide only basic security. Whoever administers your databases should keep learning and applying more, and most likely that will be a joint effort between you and your hosting provider's technicians.

Obscurity Provides a Level of Security

Obscuring information is an excellent secondary security strategy. Consider removing the admin account from WordPress and using a randomly generated name instead. On an existing site, create a new user with a randomly generated alphanumeric login and give it administrative rights. Give it a nickname that differs from the login name: hackers scrape blogs for the nickname in comments and posts and then use it in brute-force login attempts. Also base its email address on the nickname rather than the login name. Then log out of admin, log back in as the new user, and delete the admin account. You will be asked which user the admin's posts should be attributed to now that admin is being deleted; choose your new user from the dropdown box.

The database table prefix should also be changed to something less guessable, which prevents a hacker from automating SQL injection against the default wp_ table names. WARNING: do this only on a new WordPress installation, or use a plugin to handle this complicated task on an existing site.
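As an added example (not code from this post or from WordPress), the following Python helper turns the advice from the database and table-prefix sections into checks: it generates the per-site MySQL user and 50-character password with the statements that restrict that user to one database and to localhost, tests whether a my.cnf text disables remote TCP connections, and flags a wp-config.php that still uses the default wp_ prefix. The sample configs are constructed, and the privilege list granted to the site user is an assumption about what a WordPress install needs.

```python
import re
import secrets
import string

# Constructed sample inputs (not taken from any real server).
MY_CNF_OPEN = "[mysqld]\nbind-address = 0.0.0.0\n"
MY_CNF_LOCAL = "[mysqld]\nbind-address = 127.0.0.1  # loopback only\n"
WP_CONFIG_DEFAULT = "<?php\n$table_prefix = 'wp_';\n"

# No quotes or backslashes, so the password is safe to embed in the SQL below.
MIXED = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def random_password(length=50):
    """50-character mixed-character password, as the post recommends."""
    return "".join(secrets.choice(MIXED) for _ in range(length))


def per_site_grant_sql(site, host="localhost"):
    """One database and one randomly named user per site; the user can only
    connect from `host` and only touch that database (no global privileges)."""
    db = "wp_" + re.sub(r"[^a-z0-9]", "_", site.lower())
    user, pw = "u" + secrets.token_hex(6), random_password()
    sql = [
        f"CREATE DATABASE `{db}` CHARACTER SET utf8mb4;",
        f"CREATE USER '{user}'@'{host}' IDENTIFIED BY '{pw}';",
        f"GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX"
        f" ON `{db}`.* TO '{user}'@'{host}';",
    ]
    return {"db": db, "user": user, "password": pw, "sql": sql}


def remote_tcp_disabled(my_cnf):
    """True if [mysqld] has skip-networking or binds only to loopback (no remote TCP)."""
    in_mysqld = False
    for raw in my_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_mysqld = line == "[mysqld]"
        elif in_mysqld and line:
            key, _, val = (p.strip() for p in line.partition("="))
            key = key.replace("_", "-")
            if key == "skip-networking" or (
                key == "bind-address" and val in ("127.0.0.1", "::1", "localhost")
            ):
                return True
    return False


def uses_default_prefix(wp_config):
    """True if wp-config.php is missing a prefix or still uses the default 'wp_'."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", wp_config)
    return m is None or m.group(1) == "wp_"
```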

Obscurity provides a level of secrecy that hinders access, especially when combined with 50-character mixed-character passwords and randomly generated user names. An ideal security plan combines security by design, open security, and security through obscurity.


© 2011 TipsBlogger.com