Fortifying Security in WordPress, Part 1

It's a dreaded nightmare: One day you open up your website and see that you've been hacked. If you're running a simple personal blog, it might be just an annoying incident. If you're hosting a website of a client, your day might turn into a rough, stressful day. If you're running a high-selling e-commerce website, it might trigger a panic attack. Whatever the case might be, you won't be using happy emojis to share the news. So, you need a game plan to prevent the attacks before they happen.

And you're in the right place. In this two-part mini-series, I'm going to show you the way to make your WordPress projects as secure as possible.

A Word on WordPress Security

Do you think WordPress is secure? It's OK if you don't, because many people think WordPress is an insecure content management system, yet it's very far from the truth... at least today.

What do Microsoft Windows, Android, Google Chrome and WordPress have in common? They all are extremely popular software, and people find security holes in them all the time. Even though they're all patched regularly against bugs and security flaws, does having security holes make them insecure?

I'm sorry if you think the other way, but it doesn't. Frequent patches don't necessarily mean that a piece of software is poorly coded against security threats. The game of cat and mouse between developers and hackers will always go on, and hackers will always find a way to hack software. And if the software is extensible, as WordPress is, the chances of hackers will rise as well.

The important thing here is to be responsive and preemptive, and that's something that WordPress excels at. You'll have to wait a few days for Google Chrome to plug a security hole, or even weeks for Microsoft to release a security fix, but the huge community of WordPress developers will be able to fix zero-day security flaws before the end of day one. Plus, there's a whole team working on securing WordPress core, so we're in good hands on that one too. As far as themes and plugins are concerned, it might be a bit easier to find bugs and flaws and it might take more time to fix them, but the community's got developers' backs.

Yet, nothing is a hundred percent secure. We're living in times in which scientists are about to crack the code in our brains! Nothing is impenetrable, including our brains apparently, and WordPress is no exception. But the impossibility of 100% security doesn't mean we shouldn't go for 99.999%.

Ramping Up Security in WordPress

From personal experience and some further research, I've put together several security measures that you should take, if you haven't already. Without further ado, let's get to know them right now!

Securing the .htaccess File

Let's start off easy.

If your WordPress website is hosted in a web server powered by Apache, and you've enabled "pretty permalinks" in Settings, WordPress will generate a file named .htaccess to store the basic WordPress permalink instructions. If you don't enable pretty permalinks, the .htaccess file won't be generated by the core, but the tips I'm going to show are still applicable—you just need to create the file yourself.

Nano-tip: If you're going to create the .htaccess file on your own, but are having a hard time creating a file without any name but with the .htaccess extension, simply upload an empty file with any name (like Untitled.txt) and change the name and the extension within your FTP client.

The first thing that comes to my mind is to protect the htaccess file. And it's the easiest thing to do among the tips and tricks I'm going to show you. All you have to do is add the following lines to the file:

# protect .htaccess
<Files .htaccess>
   order allow,deny
   deny from all
</Files>

It's a harmless trick to protect the htaccess file from anyone (or anything) that wants to access it.

Next, let's disable showing the contents of folders:

# disable directory browsing
Options All -Indexes

This will prevent strangers from seeing the contents of your folders when they want to access, for example, myblog.com/wp-content/uploads/. Normally, they would have been able to see the uploaded files or navigate through the subfolders in the /uploads/ directory, but with this little trick, they will see a 403 Forbidden response from the server.

My next trick involves shutting down the administration panel against everyone except you—or your IP address, to be exact. But you have to be sure that you have a static IP address assigned to your modem. (For example, in my country (Turkey), dynamic IP addresses are assigned to internet users by default; that's why I can't use this trick without paying for a static IP address.) If you're sure that you have a static IP address, paste the following lines into a new htaccess file in your /wp-admin/ directory:

# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
# don't forget to change the 321s with your own IP address below
allow from 321.321.321.321
# duplicate the line above to grant access to more than one IP address
</Limit>

And finally, I want to refer to a great "blacklist" from Perishable Press: The 5G Blacklist. This blacklist protects your website against many kinds of malicious activities, from harmful query strings to bad user agents.

That's it for the htaccess tricks. Now, let's move on to wp-config.php tricks.

Security Tricks for the wp-config.php File and Its Contents

The wp-config.php file is probably the most important file in your whole WordPress installation, in terms of security. And there's a lot you can do with it to harden your website.

Let's start with an interesting trick: Did you know that you can place your wp-config.php file up one level in your WordPress root? If it's not going to confuse you, go ahead and do it right now. Most of the time, I install WordPress in public_html directories and I like placing the wp-config.php file inside the user root directory. Not sure if it's a snake-oil recipe or not, but at least it feels more secure. Some folks over at Stack Exchange had a good debate on this topic.

By the way, let's get back to the root .htacccess file and add the following lines to deny access to the wp-config.php file:

# protect wpconfig.php
<files wp-config.php>
    order allow,deny
    deny from all
</files>

Here's an interesting idea: How about removing the permission to edit theme and plugin files? All it takes is to add the following line to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

Feeling even more paranoid? Paste the following line beneath the one above to disable theme and plugin installations and removals altogether:

define( 'DISALLOW_FILE_MODS', true );

Two more tips on hardening WordPress: Change the database prefix, and add security keys (or salt keys) in the wp-config.php file.

The first one is easy: Check if you set the database prefix as the default value by finding this line:

$table_prefix  = 'wp_';

If it's set to wp_, you should change it to something other than this default value. You won't need to remember it, so you can type anything. I like using combinations like wp_fd884vg_ to keep it both safe and readable.

Changing the security keys is also very easy. See if the keys are empty by locating the following lines:

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

If they're all saying 'put your unique phrase here', it means that they're not set yet. In that case, simply head over to this URL (that's also referenced in the code comments) and change the lines generated in that page with the lines above.

Nano-tip: If you're wondering about what these "salt keys" are, WPBeginner has a great article on the benefits of this security measure.

That's it for the wp-config.php tricks! Let's call it a day today.

Wrapping Up for Today

I hope you enjoyed these .htaccess and wp-config.php tricks today. In the next part of this mini-series, we'll be looking at some security plugins and other crucial tips on hardening WordPress. If you have any questions or comments, feel free to shoot them in the Comments section below.

See you in the next part!