Security tips for WordPress blogging

WordPress is the most popular blogging system in use on the WebWordPress was used by more than 23.3% of the top 10 million websites as of January 2015. This blog runs on WordPress. WordPress users may install and switch between themes and it plugin architecture allows users to extend its features. It support mobile well: by selecting suitable mobile friendly responsive theme for your site you can make your site look nice for mobile users and for site management there are mobile apps for all major smart phone platforms.

WordPress is very nice blogging platform for users, but because of many options available and huge popularity there are also security issues on the systems. Many security issues have been uncovered in the WordPress software over the years, and new ones come out every now and then.

So how to handle Wodpress security issues to keep your blog safe? Here some of my tips targeted especially for those who run WordPress software on their site (if you use WordPress hosted by for example issues are somewhat different):

Typical hacking and malware problems with WordPress installs, if you’d like to review your own WordPress setup, include: Poor password hygiene, including weak passwords, shared or re-used passwords, and no two-factor authentication. Poisoned third-party content such as adverts served from external servers. Use plugins only from trusted sources.

When you access your site management at Linux shell level, use always secure communications methods. I recommend to access Linux server shell with SSH and files with SCP. It is also a good idea if you use SSH certificates for authentication istead of normal username+password. Do not use telnet or FTP because they are insecure. If possible perform your WordPress administration through web interface throug HTTPS instead of HTTP.

Make sure that you keep the WordPress up to date. You need to be prepared to update your WordPress and plugins when new security issues get published. Update quickly when serious security issues are reported. Unpatched WordPress software or plugins, leaving known security holes open for attackers. If possible, use automatic updating service.

Design a backup procdure to back up your site contents. You will need that in case somone hacks your site or there are serious problems on your hosting side. So make regular backups. Your WordPress database contains every post, every comment and every link you have on your blog. If your database gets erased or corrupted, you stand to lose everything you have written. There are many reasons why this could happen and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal. Site backups are essential because problems inevitably occur and you need to be in a position to take action when disaster strikes. You need backups! Spend some time to make an easy, convenient backup of your database will allow you to spend even more time being creative and productive with your website. Do not end up losing a few months of hard work due too no backups. Make sure that the backups you have made really work (that you can restore data from them in case you really need them, non-working backups are just waste of time).

There are several methods of automating the backup process available. Various plugins exist to take automatic scheduled backups of your WordPress database. I have found that Vaultpress a good WordPress automatic backup service: it supports realtime syncing of all WordPress content to the VaultPress servers for a reasonable montly fee. I use Vaultpress for real-time backup and I also make my own backup files (database dump and WordPress directory contents) to another server periodically.

When you run WordPress on your own Linux system or some shared hosting Linux server, it is very important to to set the file and directory permissions right. Generally less permissions you give, the better for security, but if you do not give enough permissions your WordPress does not work. What permission do you suggest for wp-config? article recommends for your own server: Directories 755, files 644, (sometimes, the upload directory will require an exception). Permissions any lower that still permit functionality on your particular server setup is fine (lower number is more secure). If you use shared hosting service, you should make sure that other users can’t read your sensitive files, especially wp-config.php (use 750 permissions). Overly-liberal access controls giving too much power to too many users.

Keep your wp-config-.php file secure bcause wp-config.php that contains your database password and main admin credentials. If you are in shared hosting site (or any server that has many users), the permissions of your wp-config.php should be 750 (lower): It means that no other user will be able to read your database username and password.  Changing permissions to 750 effectively removes both the “read” and the “execute” options for “others” or world. You can be even more restrictive. If the website works with wp-config.php set to 600 (most restrictive – will only work if the file is “owned” by the same Unix user that runs apache), try that. If not, set it to 640 (still fairly restrictive; only the owner is allowed to modify the file, but any users – specifically the apache user – that might be in the group that owns the file can still read it).

Make also sure that web users can’t get the contents of that file accidentally. In normal use if somebody tries to read that from wordpress directory with web browser, the data in goes through PHP system and the user can’t see the source code that has the details in it. But if you accidentally give users possibility to read that file in raw form without going through PHP interpreter, your secrets leak out. This can happen if you accindetally in a way or another disable PHP interpreted on your directory (some configuration error). Other common way to leak wp-config.php contents is that have some backup of your wp-config-php with some other name on web readable directory, common mistakes here are to leave copy of old version or backup with name wp-config.bak or using editor that leves temperary copy after editing like wp-config.php~ If you plan publish your site contents on some open source repositorio (like github), you need to be careful that you don’t publish your wp-config.php contents to the world, because that would allow someone else to hack to your site and even cost you a lot in hosting bill. You can also consider if moving wp-config outside the web root really beneficial.

Consider using some firewall system between your WordPress server and world. There are several options here. One option is to have a separate firewall device or server webween your WordPress server and Internet. It is a good idea to block everyhting you don’t need to access, and maybe route the web traffic thoiugh some proxy server that can filter out dangerous requests. Cloudflare is one well known company that sells cloud service for this (you route your web traffic through their service). If you want to run some protection software on your own server, check out ModSecurity open source application firewall. It has worked for me well (protects agants many nasty stuff), but can have some downsides (for example sometimes causes unexpected Internal Server Error problems when using management interface and the moderated comments contain certain keywords in them).

If your blog is very important to be always on-line (generated lots of money or donwtime causes lots of negative PR) and/or your blog talks on sensitive topics that someone might want to silence, be prepared to plan against DDoS (Distributed Denial of Service) attacks. It is hard to protect agains DDoS (lots of work for good protection), so you first need to think what level of protection you could need. How To Protect Your WordPress Website Against DDoS Attacks article gives some ideas on how to plan DDoS protection. Cloudflare is one well known company that sells cloud service for DDoS protection.

For some more tips read Hardening WordPress and 7 Steps to Secure your WordPress site from Viruses & Malware


  1. Tomi Engdahl says:

    Disable mod security
    Disabling mod security using these .htaccess commands:

  2. Sereyboth says:

    Never set your WP username as Admin, Rename the Wp-admin loging page!


Leave a Comment

Your email address will not be published. Required fields are marked *