With WordPress powering more than 20% of the modern web, sites created on the platform are increasingly under attack by hackers. While the core WordPress platform is strictly audited for security, it’s easy to make mistakes in your own WordPress installation that could lead to serious vulnerabilities. Clef and BruteProtect have put together this WordPress Security Checklist to help you ensure you’re following best practices when you deploy your site. Follow along and be safe!
- Check that you have the latest version of WordPress. Learn more.
- Check that automatic updates are turned on. Learn more.
- Check that you have the latest version of all plugins. Learn more.
- Check that you have strong passwords. Learn more.
- Check that you have 2-factor enabled. Learn more.
- Check that you have a plugin to protect you from brute force password attacks. Learn more.
- Check that, if you’re using passwords to login, your login form is HTTPS only. Learn more.
- Check that there’s no account named admin for your site. Learn more.
- Check that you are not developing over an insecure channel (like FTP). Learn more.
- Check that the folders in your WordPress installation have the correct permissions. Learn more.
- Check that the files in your WordPress installation have the correct permissions. Learn more.
- Check that your separate WordPress sites use separate databases. Learn more.
- Check that your database is not using the default wp_ table prefix. Learn more.
- Check that your database user has the minimum necessary set of permissions. Learn more.
- Check that your wp-config.php file is protected. Learn more.
- Check that your wp-includes folder is protected. Learn more.
- Check that you have a secure .htaccess file. Learn more.
- Check that file editing from the dashboard is disabled. Learn more.
- Check that you actually know that you’re doing (we all make mistakes). Learn more.
If you follow all of these steps correctly, your WordPress site will be protected from 99.9% of the attacks around — then you can focus on the important things.
How do I do all this stuff?
Check that you have the latest version of WordPress
With every release, the security and stability of the WordPress platform improves — ensuring you have the latest and greatest is the most important thing you can do.
Visit your WordPress dashboard, hover over the Dashboard menu item, and click Updates — if you see a new version of WordPress, download and install it!
Check that automatic updates are turned on
Since 3.7, WordPress will automatically apply security updates for your site. While these updates are rare, getting them fast is essential to the security of your site.
Install the Background Update Tester and ensure your site is configured correctly.
Check that you have the latest version of your plugins
While WordPress core has a team of security experts constantly auditing the platform, the said can’t be said for every platform you install. Updating to the latest version of your plugins will ensure that your site gets fixes for any known security vulnerabilities in your plugins.
Visit your WordPress dashboard, hover over the Dashboard menu item, and click Updates — if you see any plugin updates, download and install them!
Check that your login is secured
More often than not, attackers compromise WordPress sites through the easiest route — simply logging in. Weak passwords will leave you extremely vulnerable and even strong passwords can fall to large-scale brute force attacks.
1. Install a two-factor authentication WordPress plugin like Clef or Duo Security.
2. Install a brute force attack prevention plugin like Brute Force.
3. Ensure that, when you do use passwords, you use strong ones. Luckily, since WordPress 3.7 (which you should most definitely have) there’s a great password strength meter built in.
4. If you’re using passwords to log in to your WordPress installation, enable HTTPS on your site and force HTTPS logins at all times.
Check that you there’s no account named admin on your install
The admin account is the most targeted account in brute force attacks against WordPress sites. Deleting it will make a huge swath of these ineffective.
If you have an admin account, create a new administration account and delete admin.
Check that you’re accessing your WordPress installation for development in a secure way
If you’re not accessing your WordPress installation for development through SFTP or SSH, you’re doing it wrong. Like logging in over HTTP (rather than HTTPS), accessing your site for development through an insecure protocol can expose your credentials (and other information) — leaving you vulnerable to attack.
Ensure that you always use SFTP or SSH to access your server remotely. Never use FTP.
Check that the files in your WordPress installation have the correct permissions
If you have too lenient permissions on the files in your WordPress installation, a small breach can quickly escalate into a full-scale takeover. Ensure that you lock down your file permissions as much as possible and only loosen permissions on specific files when you need them.
1. If you have shell access to your server, run these commands. If you don’t have shell access, change them using your SFTP (yes, SFTP not FTP) client.
2. Verify that you have the correct permissions with a handy plugin.
Check that your database is secure
Hackers are going to target the most important part of your site — the database. Securing it is of the upmost importance in preventing small breaches from growing.
1. If you run multiple blogs on the same server, ensure that you use separate databases for each one.
2. Make sure you’re not using the default `wp_` table prefix. If you are, change it.
3. Ensure that your WordPress user has the as few database privileges as possible — revoke any ones that you don’t absolutely need (like DROP, ALTER, and GRANT).
Check that you have a secure .htaccess file
If you don’t know what a .htaccess file is, you may want to leave this one to your developer. Essentially, the .htaccess file dictates which files people visiting your website can and can’t see — an insecure .htaccess file can directly lead to a site compromise.
1. Secure wp-includes by adding these lines to your .htaccess file.
2. Secure your wp-config.php by adding these lines to your .htaccess file.
3. For a more exhaustive guide to securing your .htaccess file, follow this Moz post.
Check that you have disabled file editing
If an attacker gets into your site, the first thing they will try to do is edit your PHP files through the Dashboard interface. Preventing this can limit the breadth of an attack.
Add the line `define(‘DISALLOW_FILE_EDIT’, true);` to your wp-config.php file.
Check that you know what you’re doing
Security is hard. WordPress takes a lot of the concerns away, but even small thing can drastically reduce the security of your site. When you’re taking steps to secure your site, you need to ensure that you’re making good choices — even the best of us can make mistakes.
1. Run your security setup by an expert. This can be a technical friend who’s been building WordPress sites for longer than you, or a paid consultant. Either way, getting a second set of eyes on your configuration is extremely important.
2. If the tasks above scare you, let the experts handle it for you. Add a free plugin like Better WP Security, a paid plugin like Sucuri or pay an expert to setup the security side of your site. These solutions will keep you secure and allow you to focus on the parts of your site that you care about.
If you found this guide useful, share it on Twitter or Facebook — spreading the love keeps our whole community more secure.
If you have an suggestions or questions about this guide, please don’t hesitate to email email@example.com.