By Amy Jo Yates
NOTE: Although most hosting companies offer automatic WordPress installation, we prefer a manual installation of WordPress, as it gives us more control over the setup. If you use an installation script provided by your hosting company, you may not be able to apply all of these steps.
Step 1: Install the latest version of WordPress into a subdirectory, instead of your root directory.
Giving WordPress its own directory not only keeps clutter out of your root directory; if someone does hack into your site, your root directory is also protected.
You can find instructions for a manual installation at http://codex.wordpress.org/Installing_WordPress
Some hackers target WordPress sites specifically, so when installing WordPress, consider changing the default table prefix from wp_ as an advanced strategy for protecting your site. If you use the WP-Security-Scan plugin we mention later, it will also suggest this when evaluating your site for security holes.
Step 2: Change your index.php location
Changing your index.php location allows your blog to remain in the root directory, and creates a cleaner URL.
Sign in to your WordPress site, go to Settings, then General, and change your “Blog address (URL)” to the root URL. For example: www.mywebsite.com.
Open your FTP client and copy the index.php file from the subdirectory (where you installed WordPress) into the root directory.
Edit your index.php file so that the require line points into the WordPress subdirectory. For example, if you installed WordPress in a subdirectory named "wordpress" (replace this with your own subdirectory name):
/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wordpress/wp-blog-header.php' );
If you have questions about this, there is a link right next to this field that gives you all the details you need to do it right.
Step 3: Protect Your wp-includes folder
This step is simple: just copy your .htaccess file into the wp-includes folder. You may need to set your FTP client to view hidden files in order to see this file.
Step 4: Protect your wp-admin folder
Upload your .htaccess file into the wp-admin folder
Upload .htpasswd into the root directory
Go to http://www.htaccesstools.com/htpassword-generator/ to create a password.
Edit the .htaccess file to have the proper path to your .htpasswd file.
Step 5: Upload and activate security plug-ins
Currently, we use the following security plug-ins to protect our site.
Login-Lockdown: this plugin helps prevent “brute-force password discovery” by disabling the login function if a certain number of login attempts and failures are detected from a given IP address.
WP-Db-Backup: this plugin will back up your core WordPress database tables and other tables (usually created by the plugins you are using). You can schedule your backup or issue an “on-demand” backup when needed.
WP-Security-Scan: this plugin will scan your WordPress site for security vulnerabilities (most of which should be fixed by following the steps we have posted here).
Wp-MalWatch: this plugin scans your site every night for signs of foul play and will alert you where to look if it finds a problem.
We are also evaluating WordPress Backup by Blog Traffic Exchange, as it will back up the upload directory, the plugin directory, and the current theme directory. It is important to note that the database backup plugin we listed only backs up the database, and that backing up the theme, images, etc. should not be overlooked (see step 11 for more).
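The “brute-force password discovery” that Login-Lockdown watches for can also be spotted in the web server's access log. This is an added example, not code from the original post or from any of the plugins it names; the log lines are constructed, and the script assumes the combined log format, in which WordPress answers a failed login with a 200 (the form is re-rendered) and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Count failed-looking login attempts per source IP in a combined-format
# access log, the same signal Login-Lockdown reacts to inside WordPress.

# Constructed sample log, not real traffic.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Jan/2010:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2010:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2010:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2010:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.7 - - [10/Jan/2010:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
198.51.100.2 - - [10/Jan/2010:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900
198.51.100.2 - - [10/Jan/2010:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Jan/2010:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
EOF

# failed_logins_per_ip LOGFILE
#   prints "count ip" for every IP with at least one POST to wp-login.php
#   answered with 200 (login form shown again, i.e. the attempt failed).
#   In the combined format $1 is the client IP, $6 the quoted method,
#   $7 the request path and $9 the status code.
failed_logins_per_ip() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# lockout_candidates LOGFILE THRESHOLD
#   prints only the IPs with THRESHOLD or more failures, one per line:
#   the set a lockdown plugin would have blocked.
lockout_candidates() {
    failed_logins_per_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

lockout_candidates "$SAMPLE_LOG" 5
```

Run against your own access log with a threshold matching the plugin's setting to confirm the two agree.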
Step 6: Change your Admin User
“Admin” is the default user that is assigned when installing WordPress. To change it you must use phpMyAdmin and then update your config.php file.
Step 7: Use a Strong Password
You’ve heard it before, but it must still be said. Use a strong password that includes letters, numbers, and even punctuation where appropriate.
Step 8: Choose a supported theme
There are a lot of free WordPress themes available, but before you use one, make sure you can get help if you need it. This is also an indicator that the theme will be updated and will not become a problem when upgrading to the latest version of WordPress.
Step 9: Choose plug-ins wisely, the fewer the better
WordPress plug-ins are available by the truckload, but that doesn’t mean you need to use all of them. The fewer you use, the better. Plug-ins tend to be more vulnerable to hackers than the WordPress software itself, so hackers go there to infiltrate and take you down.
Step 10: Hide your Plugin directory
Anyone can see a list of your plug-ins by going to http://mydomain.com/wp-content/plugin. To hide this folder, just open your text editor, create a blank index.html page, and upload it via FTP into the wp-content/plugin folder.
Step 11: Setup your Backup!
There are two things you need to backup, your database (all your posts and pages) and your design (your theme, layout, etc).
How often you back up is determined by how much you are willing to lose. We recommend that you set your auto-backup for as often as you post. So if you post weekly, back up weekly, etc.
You should also run an “on-demand” database backup prior to upgrading software (both WP and plugins), just in case something breaks.
In addition, plan on using your FTP to download your site periodically – especially before and after you make significant changes to your site structure, theme, etc (this kind of backup does not include your database).
Ask your host how often they back up as well. There have been times that we have been able to go directly to the host and have them restore the entire site from a specific date. Some guarantee their backup, others do not, so go find out!
If your site is hacked, and you have a recent backup, you can have your site up and running in no-time.
Step 12: Protect Your Files and Folders
Setting proper file and folder permissions can make a big difference. You may not realize this, but if a file or folder is writable, then it is also considered insecure. Your host will have its own level of security, so you may want to consult with them. In general, we use the following file permissions:
- Directories: 755
- All files: 644
- Theme files: 666 (only if you want to use the built-in editor)
Occasionally a plug-in will require something else to function. You can review that on a case-by-case basis.
The simplest way to change these permissions is to use your FTP client, like FileZilla.
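If you have shell access, the permission scheme above can be applied to the whole tree and then audited, instead of clicking through each folder in an FTP client. This is an added example, not code from the original post; it assumes WP_ROOT is the directory WordPress is installed in, and it also drops the blank index.html from Step 10 into the plugin directory (whose real name is wp-content/plugins).

```shell
#!/bin/sh
# Apply directories 755 / files 644 to a WordPress tree, add the blank
# index.html that hides the plugin listing, and audit for anything that is
# still group- or world-writable.

# harden_wp_tree WP_ROOT
harden_wp_tree() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    mkdir -p "$root/wp-content/plugins"
    [ -e "$root/wp-content/plugins/index.html" ] || : > "$root/wp-content/plugins/index.html"
    chmod 644 "$root/wp-content/plugins/index.html"
}

# allow_theme_editing WP_ROOT
#   the post's 666 on theme files, only if you really use the built-in editor;
#   it reappears in the audit below, which is the point
allow_theme_editing() {
    find "$1/wp-content/themes" -type f -exec chmod 666 {} +
}

# perm_string PATH  -> e.g. "-rw-r--r--"; works with both GNU and BSD ls
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# writable_by_others WP_ROOT
#   prints every path whose group or other bits include write; empty = clean
writable_by_others() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Constructed demo tree in a temp directory (not a real site), with two
# deliberately loose entries that the hardening has to correct.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-content/themes/default" "$DEMO/wp-includes"
: > "$DEMO/wp-config.php"
: > "$DEMO/wp-content/themes/default/style.css"
chmod 777 "$DEMO/wp-includes" "$DEMO/wp-config.php"
harden_wp_tree "$DEMO"
writable_by_others "$DEMO"
```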
Step 13: Change to “No Indexes”
Most people don’t realize this, but anyone interested can browse your directory and see all the files and folders you have, unless you change your index manager to “No Indexes.” If you don’t see it, then contact your Host support.
You can also make changes to your .htaccess file. This is a sensitive file, so make sure you download it completely off your site, make a copy, and then make the changes.
For more information on directory browsing and how to change your .htaccess file, go read this article at “The Internet Patrol”.
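The two .htaccess edits in this guide, password-protecting wp-admin (Step 4) and turning off directory listings (this step), can be generated with the absolute paths filled in rather than edited by hand. This is an added example, not code from the original post; it assumes DOCROOT is the directory your web server serves (where .htpasswd lives) with wp-admin directly beneath it, and the Order/Deny lines use the Apache 2.2 syntax of the period (Apache 2.4 uses Require all denied).

```shell
#!/bin/sh
# Write wp-admin/.htaccess (basic auth) and the root .htaccess ("No Indexes"),
# plus an .htpasswd line generator as the offline equivalent of the web tool.

# htpasswd_entry USER PASSWORD -> one .htpasswd line, Apache's apr1 MD5 scheme
htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# write_admin_htaccess DOCROOT
#   protects wp-admin and points AuthUserFile at DOCROOT/.htpasswd (absolute path)
write_admin_htaccess() {
    cat > "$1/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $1/.htpasswd
Require valid-user
EOF
}

# write_root_htaccess DOCROOT
#   disables directory listings site-wide and keeps .htpasswd from being served
write_root_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options -Indexes
<Files .htpasswd>
    Order allow,deny
    Deny from all
</Files>
EOF
}

# htaccess_has FILE DIRECTIVE -> exit 0 if the exact directive line is present
htaccess_has() {
    grep -qxF "$2" "$1"
}

# Constructed demo docroot in a temp directory (not a real site)
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-admin"
write_admin_htaccess "$DEMO"
write_root_htaccess "$DEMO"
cat "$DEMO/wp-admin/.htaccess"
```

Append the output of htpasswd_entry to DOCROOT/.htpasswd, then request /wp-admin/ in a browser to confirm the password prompt appears.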
Step 14: Keep Your Software Current!
If you don’t upgrade your site to the most recent version, it is vulnerable. It really is that simple. If you can only do one thing to protect your site, upgrading your WordPress and WordPress plug-in software should be it.
Some web developers are concerned about upgrading to a new version without first testing it against the current site’s functionality. This is a valid concern, but it shouldn’t lead you to wait too long to upgrade. We have had very few problems doing immediate updates, but problems are not impossible.
However, if you have a very sophisticated site, then I definitely recommend setting up a test site. Upload your current site into a test site, and simulate the version updates to ensure everything is going to work smoothly.
If you have a good Virtual Assistant, or Virtual Programmer, they can do the testing for you. Incremental testing is the best approach. That means you update one thing at a time so if something breaks you can tell what triggered it.
Regardless of whether you do a live update, or test the software first, you should do a complete backup. This will give you peace of mind and save you from potential headaches that could come up.
Although following these steps does not guarantee that your site will never be hacked, it will strengthen your WordPress site’s security and reduce the risks.
Since applying these steps to our WordPress sites at the end of 2009, we haven’t had to repair any sites due to malicious attacks.
Some of the Resources Reviewed for this