This is an intermediate level tutorial for WordPress site owners and administrators who are ready to address security concerns on their WordPress website or blog. It is a follow up to my beginner’s level WordPress security tutorial “WordPress Security Tips” . I plan to have an advanced level tutorial follow this one for WordPress developers who really want to lock down a WordPress website with the tightest security possible. Security is an almost never ending issue and needs to be taken seriously, so I recommend following all of the tutorials in this three part series to make the most of secure practices available to you with a WordPress installation.
Since this is an intermediate level security tutorial, there are some things you should know before attempting to do some of the more difficult exercises in this tutorial. The basics of WordPress are a must of course. In addition, it helps to have a decent knowledge of PHP and webserver administration as well as Linux or Windows command line interfaces depending on your server’s operating system.
There is no one single place to get started with Security measures in WordPress, but I would recommend starting with the beginner’s level tutorial I wrote that precedes this one which is linked to in the opening paragraph of this tutorial. Other than that, start with any of the below security measures as they can be done in any order you prefer and only the ones you see fit should be attempted. If they seem above your ability, then hire a WordPress expert to implement them for you and refer them to this tutorial as a guideline for what you want done.
Disable File Edits from the WordPress Admin
Disabling the ability to edit PHP files in your WordPress themes and plugins is one way to keep a persistent hacker from making significant changes to your WordPress website without your permission. Often, the first thing a hacker will go to after gaining access to your WordPress admin is the file editors for themes and plugins. Of course, if you use these features yourself or your developer uses them, then this might not be practical for every one reading this tutorial. However, it can be easily reversed by simply omitting or commenting out the code using FTP access anytime you need the ability to edit files from the admin. Also, you can edit files via FTP and completely eliminate using the WordPress admin to make changes to PHP files in themes and plugins. I generally tend to use FTP just because I can download and backup the file before making changes anyway, so this is a security measure that I always consider implementing on most of my WordPress installations just because I don’t find it absolutely necessary to use the admin PHP file editor anyway. However it generally isn’t something I would implement on a client’s WordPress installation without their knowledge and consent because they may well depend on the ability to edit PHP files from the admin area rather than via FTP. If you think this is a security measure you should implement, here are the instructions for how to accomplish locking down the edit ability of PHP files in the WordPress admin area:
- First, navigate to your wp-config.php file. Since we are locking down the ability to do this from the admin, I suggest you get familiar with doing such edits as we are about to do through an FTP client such as Filezilla. Open a port to your server and navigate to your WordPress root directory. The wp-config.php file will be in the main WordPress directory. Go ahead and download it to your desktop for editing. Be sure to save a backup copy of it on your local machine first just to be safe.
- Now add the following line of code to the wp-config.php file:
- Now upload the file using the same FTP client you used to download the file and allow it to overwrite the original file on the server.
That is it. You are done. Doing the above simple steps may not completely disallow an attacker from uploading malicious files to your server, but it will disable them from easily editing your existing PHP files from the WordPress admin which will be enough to stop some attacks. Consider some additional security measures described below if this isn’t enough for you.
Securing WordPress with the htaccess File
Another method available to anyone whose server uses htaccess files is to secure parts of the WordPress installation with mod_rewrite rules and obscurity techniques available with htaccess. One important thing to remember is that many WordPress installation rely on overwriting part of the .htaccess file. WordPress only has the ability to overwrite the portion of the .htaccess file that falls in between the following two comment lines:
# BEGIN WordPress
# END WordPress
Anything before or after those commented out lines in your WordPress installation’s .htaccess file will not be touched by WordPress when it makes changes to rewrite rules for your blog or website. Therefore, we will put our rules for locking down areas of WordPress we don’t want anyone gaining access to after the “# END WordPress” comment line.
Securing the wp-includes Directory
Now that you know the basics of the WordPress directory’s htaccess file, let’s try a practical example of how to use it to secure your wp-includes directories more sensitive files with htaccess rules. Here is the code you would put after the WordPress commented section in your htaccess file to block access to critical files in your wp-includes directory:
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]s file:
If you are not too familiar with mod_rewrite rules and .htaccess files, don’t worry, you can simply copy and paste the above code into your .htaccess file for you main WordPress folder and you will be fine. The one rule on the fifth line above won’t work for multi-site installations that need to write images, but everything else should work in almost all cases. If you have to comment out or delete the fifth line and you will still have tighter security for wp-includes than you had prior to adding the above code. It does lessen security a little to comment out the fifth line, so only do so if it causes a problem with multiple WordPress sites. If you only have one, it won’t be an issue.
Securing the wp-config.php File
You can also secure access to the wp-config.php file using an addition to the htaccess file. Simply add the following declaration to the file at the top before anything else and no one will be able to access the file via FTP or otherwise:
<files wp-config.php> order allow,deny deny from all </files>
Then to go a step further, you can also move your wp-config.php file up one directory where wp-includes are to further tighten security. This method should probably only be used by those of you that know the implications because it has been talked about extensively and there are several arguments both for and against moving the wp-config.php file up one directory. It is something you can consider if a problem arises however.
In this intermediate level tutorial, we went a step above what I taught many of you in the beginner’s level tutorial on security. I also hope you will read my next advanced level security tutorial on WordPress security. Remember, you can take security as seriously as you need to. Some of you probably have larger sites than others and therefore require more security. If you have had your site online for years and have yet to have a problem, I would be surprised to find out that you haven’t already taken several security precautions. Either that or the site may not have enough traffic to have severe security threats. Whatever the size of your site, look to the future and plan on expanding. That is why you need to have these security measures in place. The more your WordPress site grows, the more important security issues become. Think ahead and prepare your WordPress site today!
Be sure to check out all our helpful WordPress tutorials.