Securing WordPress

    I have my presentation all set for next Monday’s (2/2/2009) WordCamp ED: Northeast. And I’m really psyched too. I found a number of helpful resources that came together very nicely into a pretty simple and concise set of steps that can be followed to lock down a WordPress installation. And if you can’t make it to the presentation here are the highlights of what I found:

    WordPress right out of the box is pretty secure. I’ve been running WordPress for my personal blog for years and outside of comment spam (now mostly tamed) have never had any security issues. But with a little common sense and minor tweaking it can be made even better:

    • First WordPress needs to be running in a secure environment, on a platform that itself is secure. A web server running in your brother-in-law’s closet with old versions of Apache and PHP doesn’t cut it. You want the latest stable version of all server software, with any security patches, and configured according to industry best-practices — i.e. no folder browsing in Apache, PHP error messages turned off.
    • Next when you install WordPress change as many of the default settings as possible — create a unique database name (not ‘wordpress’ or ‘wp’), set your own table prefix (not wp_), create your own admin account name (delete ‘admin’) and set your own user uploads directory (not /wp-content/uploads).
    • Limit login access — the database user account should have only the minimal privileges it needs (local scope; select/insert/update/delete/create/drop/alter only), and blog user accounts for daily use should not have admin rights (use special accounts for that access.)
    • Minimize security footprint — don’t host files in your directories that are not needed. For example remove all readme.html and license.txt files — remove sample files (wp-config-sample.php) — remove inactive plug-ins and themes
    • Use .htaccess files to limit public access — deny access to inc|php|sql files in wp-content, wp-includes and your user/uploads directories. These files are never requested by visitors’ browsers, but they might be exploited to gain access to your installation. Deny access to wp-config.php. Set your wp-admin directory to only allow access from select IP addresses and/or require https (secure) access.
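To make the last point concrete, here is an added example of the .htaccess rules that carry it out. It is not from the presentation or from the WordPress project; it assumes Apache 2.4 (`Require` syntax) with mod_rewrite loaded and `AllowOverride` permitting these directives in .htaccess, and the IP addresses are placeholders you would replace with your own:

```apache
# --- wp-content/.htaccess (copy the same block into wp-includes/ and your uploads directory) ---
# Deny direct requests for PHP, include and SQL files: visitors' browsers never need
# to fetch these, so nobody should be able to reach them directly from the outside.
<FilesMatch "\.(php|inc|sql)$">
    Require all denied
</FilesMatch>

# --- .htaccess in the WordPress root ---
# wp-config.php holds the database credentials; no browser request should ever reach it.
<Files "wp-config.php">
    Require all denied
</Files>

# --- wp-admin/.htaccess ---
# Force https for the admin area so passwords and login cookies are never sent in the clear.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Only allow the admin area from known addresses (placeholder ranges; use your own).
<RequireAny>
    Require ip 192.0.2.0/24
    Require ip 203.0.113.7
</RequireAny>

# admin-ajax.php is called by the public side of many plugins, so leave it reachable
# or front-end features will break for visitors outside the allowed addresses.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

On Apache 2.2 the equivalent of `Require all denied` is `Order deny,allow` followed by `Deny from all`. After putting these in place, request a .php file under your uploads directory from a browser and confirm you get a 403, then log in and check the post editor still works; some WordPress versions load a script under wp-includes/js/tinymce/ directly and need an exception of the same `Require all granted` form shown for admin-ajax.php.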

    In the presentation I will be leading the group through an actual WordPress installation and illustrate how to manually accomplish these points. We may have a video available — if so you know I’ll post a link here. And I’ve attached a copy of the presentation with more detail. In my research I also found these sites of great value:

    Wordpress Security Handout

  • Author: Randy

    In my day job I serve as Information Technology Director for the Yale School of Drama. Otherwise I garden, play guitar, build stuff out of wood, take photos, play around with technology and have been blogging since 2003.


    Comments (2)

    Hi Randall,

    Thanks for leading Wordcamp this week. It was an excellent presentation.

    I was wondering if Ken and Yianni’s presentation was available anywhere? I’d like to show a colleague examples of how faculty at Yale are using WP.

    I appreciate any information, and thanks again for Wordcamp!

    Russ Cobb
    rcobb@keene.edu

    Russ Cobb added these pithy words on Feb 04 09 at 2:16 pm

    Thanks for the feedback. I am working to gather links to all the speaker presentations. Look for an email to attendees (like you!) by early next week. And for others I’ll also post a note on this blog.

    Randy added these pithy words on Feb 06 09 at 1:57 am
