Pedrera Blog

The Simple Guide to WordPress Security: The Core - Part 1

March 9, 2016 by Matt Vona

The internet is a vast world. That world is filled with a lot of different types of sites, most managed by WordPress. According to the W3Tech site, 26% of all websites are being managed by WordPress. I gave a talk in late 2015 at a WordPress event, and at the time that number was around 24%. It has gone up 2% in under half a year. Why is WordPress so popular? People like simplicity. They want it to just work. They also want what is popular. Here are some steps for keeping WordPress secure. While we cannot secure anything 100%, it's better to add some layer of protection. Making it more difficult to break in decreases your chances of being infiltrated.

Remove the Admin Account

WordPress used to add a default administrator account called 'admin'. This is highly insecure, as many users ended up going with the default settings. Attackers run bots that loop through passwords. They set the username to admin because it has a higher success rate. The fix is easy, and luckily new installs of WordPress set your email as the default admin account, or a combination of your name and a number. Also, while working with user accounts, always use complex passwords. Using long sentences with spaces, or a password generator that produces long, complicated strings of characters, are two ways to make strong passwords.

Change the Table Prefix

By default, WordPress will prefix the MySQL tables with wp_, so when you start a new WordPress installation, you should always change the table prefix to something other than wp_. It could be wpc_, wpsite_acronym_, or anything else that is easy for you to manage and that tells you what it is and which site it belongs to.

Keep Everything Updated, Always

This one is a huge struggle for most WordPress users. If you cannot update it “because something will break”, something is already broken and you need to fix it. WordPress is constantly being examined by malicious users hoping to find security holes or vulnerabilities. However, the WordPress team is constantly updating the WordPress code to help protect you. We understand that nothing is perfect. We need people to find the vulnerabilities so we can fix them. By keeping your WordPress site up to date, you ensure you have the latest fixes for the latest bugs and vulnerabilities. This also goes for themes and plugins. Keep it all updated.

Back Up Everything, Always

This one is necessary as a just-in-case measure. Usually your hosting provider will offer a service that will back up your site as well as your database. Ensure everything is backed up multiple times a month, at least. Keeping your files backed up will allow you to revert to older versions in case a plugin updated incorrectly, someone hacked into your site, etc. I would not recommend using a plugin for this. I would find an alternative solution, such as backing up the files and database yourself every once in a while, using a server script, or contacting your hosting provider to learn about the backup solutions they may offer. It is better to store backups on your own local server, or on an independent storage system with security not tied to your current one. If a hacker can access the server with your main site as well as the backups, what good is it?

Disable front end theme file editing

On every WordPress site there is an option under the Appearance Settings titled 'Editor' that allows you to edit core and theme files of your site, on your site. A large number of users do not know this is a massive vulnerability and flaw in WordPress. This should be disabled by default entirely, and be kept disabled. Having this option enabled is like storing every dollar you own in the middle of the floor of your house so when someone breaks in, they easily have access to everything. If a user gains access to your website by guessing your password, they have full access to modify any file they please. Luckily, WordPress provided an easy way to remove this. In your wp-config.php file, found at the root directory of your WordPress site, add this line:

    define( 'DISALLOW_FILE_EDIT', true );

This allows you to remove this editor from your site. This is a great layer of protection.
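As an added example (not part of the original post), the following Python check reads the text of a wp-config.php and reports whether the table prefix is still wp_ and whether DISALLOW_FILE_EDIT is set to true, the two wp-config.php settings covered above. The sample configs and function names are constructed for illustration; `$table_prefix` is the wp-config.php variable that holds the prefix.

```python
import re

# Constructed sample wp-config.php fragments (not from any real site).
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix  = 'wpsite_';
define( 'DISALLOW_FILE_EDIT', true );
"""

def strip_php_comments(source):
    """Drop /* ... */ blocks and whole-line // or # comments, so a
    commented-out setting is not mistaken for an active one."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", source)

def audit_wp_config(source):
    """Return a list of findings for the two settings; empty means OK."""
    code = strip_php_comments(source)
    findings = []

    prefix = re.search(r"\$table_prefix\s*=\s*(['\"])(.*?)\1\s*;", code)
    if prefix is None:
        findings.append("table prefix: $table_prefix not found")
    elif prefix.group(2) == "wp_":
        findings.append("table prefix: still the default wp_")

    # Only a literal true is accepted, matching the line given in the post.
    edit = re.search(
        r"(?i:define)\s*\(\s*(['\"])DISALLOW_FILE_EDIT\1\s*,\s*(\w+)\s*\)",
        code)
    if edit is None:
        findings.append("file editor: DISALLOW_FILE_EDIT is not defined")
    elif edit.group(2).lower() != "true":
        findings.append("file editor: DISALLOW_FILE_EDIT is not set to true")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wp_config(cfg) or "no findings")
```

To check a real site, pass the contents of its wp-config.php to `audit_wp_config()`.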

Hide Login Errors

Normally when you sign into WordPress and fail, the error message shown displays which credentials were typed incorrectly. If it was your password, it will say "Incorrect password." If it was a wrong username, it will say "Invalid username." Placing this code in your theme's functions.php file will allow you to edit the error message that is returned:

    // Return one generic message for every failed login.
    function error_message_failed_login() {
        return 'The username or password is incorrect.';
    }
    add_filter('login_errors', 'error_message_failed_login');

In some cases, such as for a client, you might want to leave the error message how it is by default. Other times, especially if your site is large and has multiple users, it might be a good idea to change the error message to prevent people from guessing usernames and passwords.

In the next few parts of this series I will talk about plugins and file protection: knowing which plugins to use and which ones to look out for, and keeping your WordPress files secure at the file level using htaccess.
