WordPress Security: Primer & Advanced Techniques

WordPress is the most widely used open source blogging software in the world.  This didn’t happen overnight, and the developers over there have certainly earned their keep.  With any web application, especially a heavily used one, there are security risks and precautions we must take.  Without a security model and virtual barriers in place to protect us, it can be an all-out free-for-all for hackers.

I’ve taken the time to put together a list of security implementations that will help keep your blog safe.  There’s nothing 100% foolproof out there, but the things below will deter a good amount of negative activity.  Not only do we address the internals of the WordPress security model, but we also share some of the starting points for further securing the application.

The Nonce

In the lovely world of development and security, NONCE is the abbreviation for a number used once (Number ONCE).  WordPress has implemented this strategy into their application to protect against different types of attacks (e.g. XSS).  Below is a basic version of the lifecycle of a WordPress nonce:

  1. wp_nonce_field(‘action-name-here’) is used inside of a form, which displays two fields to be used in during validation.
  2. When the user submits the form or starts the Ajax action, the nonce fields are passed via POST or GET.
  3. The nonce value is checked on the other side.
    • check_admin_referer(‘action-name-here’) – Ensures that the user was referred from another WP administration page.
    • check_ajax_referer(‘action-name-here’) – Used to verify nonce to prevent external requests (i.e. nonce used so only WP can make the Ajax call).
  4. check_ajax_referer() kills the script and displays -1 if there is a failure.  check_admin_referer() will also kill the script, but displays an Are You Sure? action to confirm the action.


As a precaution, we don’t want search engines indexing the directories containing all of the administration and include files. The robots.txt file, which needs to be located in the root of a domain, is used to tell which files can and can’t be indexed by search engines.  We can safely block all of /wp-admin, and /wp-includes; however, some of you may want to keep the /wp-content/uploads directory unblocked.  /wp-content/uploads is the default WordPress upload directory, meaning images and other media will be stored there.  Google Image Search can be huge in gaining additional traffic to a site, so it is important to keep it accessible to spiders.

User-agent: *
Disallow: /wp-admin
Disallow: /wp-content
Disallow: /wp-includes
Allow: /wp-content/uploads

Use a quality password for MySQL and WordPress

A quality password is not your dog’s name, last name, or favorite dish.  A quality password is a set of seemingly random letters, numbers, and characters, and is at least eight characters long (all of mine are >12 characters).  A password does not need to be memorable, especially if it is the key to a web site.  You wouldn’t entrust your house key with a stranger, would you?  Never store your passwords in a file on your computer.  If you want to keep them safe, write them down on paper, and store that paper in a safe.

Use Microsoft’s Password Checker tool to ensure your passwords are safe.

Use Microsoft's Password Checker tool to test your password's strength
Use Microsoft's Password Checker tool to test your password's strength

Example of a quality password. v&2$5dm:)cEd*i+_

Do not allow public viewing of directory indexes

There are two ways to approach this.  The best way to do this is via your .htaccess or httpd.conf file (if you have your own Apache server).  If your host allows the use of .htaccess, place this at the top:

Options All -Indexes

The alternative would be to place a blank index.html file in each directory.  This may seem trivial, but a crafty and knowledgeable attacker will only need a small amount of information to get into your server.

Use SSL and SSH

Did you know that you can force the administration panels and logins to be loaded via HTTPS?  Yes, it’s possible!  To activate this feature, add the following line to your wp-config.php file before the line that says “That’s all, stop editing! …”:

// Force administration panels to use SSL
define('FORCE_SSL_ADMIN', true);
// Force logins to use SSL
define('FORCE_SSL_LOGIN', true);

If you have the ability, instead of connecting to WordPress via FTP, use SSH.  While using SSH, anything transmitted is encrypted.  Not only that, but there is the added bonus of certificate verification at the start of the session.  This will help you determine if the host computer is the intended computer.

Change the default username from admin to _______

Changing the default username from admin to something else makes it that much harder for an attacker to get into your system.  Now they have to try and guess the username and password, creating that many more possible number, letter, and symbol combinations.  This can be done via phpMyAdmin or a MySQL query.  You will find the user_login field within the wp_users table of your database.  See below for a screenshot:

Change WordPress admin username via phpMyAdmin

Cookie (in)validation using the WordPress “Secret Keys”

In newer versions of WordPress (2.6+), you will find a group of 3-4 secret key constants in your wp-config.php file.  Those constants, which include AUTH_KEY, SECRET_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY, are used to ensure encryption and proper validation of cookies.

The value of each constant can be changed at any time to invalidate existing cookies, requiring all users to re-authenticate (login) with WordPress.  It is important to make them long and complicated, for that only strengthens your virtual fortress.  Lucky for us, WordPress has created a tool, accessible via HTTPS, to create these for us.WordPress Secret Key API

WordPress Secret Key API

Plugin and theme security

WordPress Plugins come from third-party sources, therefore they are not always guaranteed to work as expected.  Always check the plugin for any potential security risks, such as the execution of shell or FTP commands.  It is not hard to write a script that can send database and credential information.  What if a person wrote a plugin that sent password information to the requesting user AND the attacker’s own e-mail address?

As a general rule, if you don’t trust your PHP knowledge enough to check plugins and themes, only download those which are well-known and heavily used.

Use ModSecurity for Apache


While ModSecurity isn’t a WordPress plugin or directly related to WP, it addresses a variety of common security concerns.  ModSecurity can prevent SQL injections, content injections, and a variety of PHP exploitations.  This software also allows for real-time monitoring and attack detection.

ModSecurity is often supported by server administration software, which allows for easy implementation and customization.  cPanel/WHM provides easy installation of ModSecurity via EasyApache.

Common sense security tactics

Some of the more common things that people do include

  • Keep WordPress up-to-date (new releases often include security patches)
  • Backup your database often
  • Change the administrator’s password on a monthly basis
  • Ensure file permissions do not allow ‘write’ privileges
  • Make sure your server is secure
  • Make sure your network is secure (i.e. Don’t access your database or admin panel from a public computer in the library or Internet cafe, etc.)

I would be happy to add to this article if you have an idea or know something we may have missed.  Please feel free to comment, and let us know some of the techniques you use to protect your blog.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>