Because the source code of open source software is public, knowledgeable attackers can read it to look for vulnerabilities. Although WordPress vulnerabilities are quickly patched thanks to a very pro-active development team, there are steps you should take to secure WordPress against attack.
Securing software and servers against hacker attacks is called “hardening.” The idea is to make any hack attempts as difficult to achieve as is possible.
The WordPress.org site has a section on hardening WordPress. The advice on this page is pretty good.
Here is a summary of the steps that should be taken to harden your blog. We have added a few of our own to those stressed in the Blog Security whitepaper. If you have not yet hardened your blog, it may be vulnerable to a hack either now or in the future. Hardening is good insurance.
1. When setting up a MySQL database user account, set the privileges to the minimum level required for WordPress. For normal operation that means SELECT, INSERT, UPDATE, DELETE, CREATE and DROP, granted on the WordPress database only, not on every database on the server. Some core upgrades, plugins and themes change table structure and will also need ALTER (and INDEX) while they run; grant those for the upgrade and revoke them afterwards rather than leaving them in place. Never grant an application account more privileges than it needs to work, and never give it GRANT OPTION, FILE or SUPER. The database credentials sit in wp-config.php, so anyone who manages to read that file (through a file-disclosure bug or a compromised FTP login, for example) has them; limited privileges cap the damage they can do with them.
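As an added example (not taken from the whitepaper or the WordPress.org page), here is what that minimal grant looks like in MySQL, with the over-broad grant it replaces shown as a comment. The database name wpblog, the account wpuser and the host localhost are assumptions; substitute your own.

```sql
-- Weak: the application account can do anything to every database on the server.
-- GRANT ALL PRIVILEGES ON *.* TO 'wpuser'@'localhost';

-- Hardened: a dedicated database and an account limited to what WordPress needs.
CREATE DATABASE IF NOT EXISTS wpblog
  CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- Allowed to connect from localhost only (web server and MySQL on the same host).
CREATE USER 'wpuser'@'localhost' IDENTIFIED BY 'use-a-long-random-password-here';

-- Data access for day-to-day operation, plus CREATE/DROP, which the installer and
-- some plugins use for their own tables. Scoped to wpblog.* only; no GRANT OPTION,
-- no FILE, no SUPER, no PROCESS.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP
  ON wpblog.* TO 'wpuser'@'localhost';

-- Core upgrades or plugins that change table structure may need ALTER (and INDEX).
-- Grant them for the upgrade window only, then take them back:
-- GRANT ALTER, INDEX ON wpblog.* TO 'wpuser'@'localhost';
-- REVOKE ALTER, INDEX ON wpblog.* FROM 'wpuser'@'localhost';

-- Verify: expect USAGE ON *.* and exactly the six privileges above ON `wpblog`.*
SHOW GRANTS FOR 'wpuser'@'localhost';
```

Run this as the MySQL root or another administrative account, then put wpuser and its password into wp-config.php. The SHOW GRANTS line is the check: if it lists anything beyond USAGE on *.* and the six privileges on wpblog.*, revoke the extra.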
2. As you set up a WordPress install, change the value of the $table_prefix variable in wp-config.php from the default wp_ to something that is hard to guess (letters, digits and underscores only; a short random string followed by an underscore works well). Many automated SQL injection attacks hard-code table names such as wp_users, so a non-default prefix breaks those canned payloads. Treat it as a speed bump rather than a control: an attacker who can run arbitrary SQL can read the real table names from information_schema. Changing the prefix after a site is installed is considerably more work, because every table plus several option and usermeta keys that embed the prefix must be renamed, so take this step while you are installing a new WordPress site.
3. Change the primary WordPress administrator username to anything other than “admin”. Attackers know that the default administrator username is admin, which hands them one of the two pieces of information they need to log in to your blog; with the username known, the remaining work is guessing the password, which automated tools will do given enough attempts. An unpredictable username forces them to guess both. WordPress does not let you edit a username from the profile screen, so you have to change it in the database, either through phpMyAdmin or with a script. In phpMyAdmin, the usernames are in the user_login column of the users table (wp_users by default, or your table prefix followed by users). Check the user_nicename column too: it defaults to the login name and appears in author archive URLs, so if it still reads “admin” the old username remains visible to visitors.
If you don’t know how to change the primary username using phpMyAdmin, you can cut-and-paste the following code into Windows Notepad and save the file as changeUsername.php. Change the value of $newUsername to your new username. Copy the file to the WordPress root directory (the directory that contains wp-config.php) and run it by requesting it in your browser. Make sure that you delete the file as soon as the username has been changed; left in place, anyone who finds it can rename your administrator.
Always make a backup of a WordPress database before you make any alterations.
```php
<?php
// changeUsername.php: rename the primary WordPress administrator (user ID 1).
// Back up the database first, and delete this file as soon as it has run.
$newUsername = "magoo"; // change this to your new username

include "wp-config.php"; // supplies DB_HOST, DB_USER, DB_PASSWORD, DB_NAME and $table_prefix

// mysqli replaces the mysql_* functions, which were removed in PHP 7.
$db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if ($db->connect_error) {
    die("Connection failed: " . $db->connect_error);
}

$tableName = $table_prefix . "users";
// Bind the new name as a parameter instead of pasting it into the SQL string.
$stmt = $db->prepare("UPDATE `$tableName` SET user_login = ? WHERE ID = 1");
$stmt->bind_param("s", $newUsername);
if (!$stmt->execute()) {
    die("Update failed: " . $stmt->error);
}
echo "Finished!";
```
4. Password protect the WordPress administrative area using the instructions in the Blog Security whitepaper. This puts a server-level (HTTP authentication) password in front of wp-admin, so you log in twice: once to the web server and once to WordPress. An attacker now has to defeat two independent sets of credentials, and failed guesses against the server password are rejected before WordPress or PHP ever run, which also blunts brute-force attempts against the login form. One caveat: admin-ajax.php lives under wp-admin and some themes and plugins call it for visitors who are not logged in, so if a front-end feature stops working after you add the password, exempt that one file from it.
5. Make sure that any and all WordPress users are set up with the minimum access level they need to do their jobs. If several people have access to the admin area, only one or two highly trusted people should have full Administrator access; give the rest the Author or Editor role instead. Also make sure that everyone uses a strong password. Never, under any circumstances, use passwords such as “mydogspot”, “password1” or “12345678”. Passwords should not be dictionary words unless they are intentionally misspelled or special characters are substituted for letters, and they should not be reused from other sites. Dictionary passwords and simple combinations of words and numbers fall quickly to the automated tools attackers commonly use. Use a long mix of upper- and lower-case letters, numbers and special characters such as the question mark, brackets, exclamation point and other symbols on your keyboard; length does more for you than any single substitution.
6. It is important to keep your WordPress blog up to date with the current version, especially when a new version contains security fixes. The same goes for plugins. Plugins are frequently updated both to close newly discovered security holes and to stay compatible with current versions of WordPress. Yes, the frequency of WordPress updates can be a pain to deal with, but if an update contains a security fix, the pain is small compared to the time you will waste cleaning up a hacked blog.
7. No amount of web site hardening will keep a hacker out if your server security is lax. Use a strong password for FTP access to your site, and prefer SFTP or FTPS where your host offers them, since plain FTP sends the username and password across the network in clear text. Also, if you use FileZilla, be aware that it stores saved site credentials in plain text on your PC, so if the PC becomes infected with certain Trojans, the malware can read those saved FTP usernames and passwords and transmit them to the attacker.
If you follow all of the guidelines laid out in the Blog Security whitepaper, you will greatly diminish the chances that your blog will become the victim of a hacker.