WordPress is one of the most popular Content Management Systems globally and supports hundreds of millions of websites online. Most web developers have at least touched WordPress and know of the basics. But how deep should you go into studying WordPress security?
I would argue that securing your website from malicious visitors is possibly the most important factor of a good user experience. In this article I would like to share some best practices for installing WordPress and keeping your website safe. Since the project is open source there are very few bugs left unpatched at this point. However you can never be too careful with plugins and other template functions in the mix.
Updating your Database Prefix
Each installation of WordPress will include a small prefix for the database tables. So whenever you generate a new database for your website the tables will be created as wp_tablename. But if somebody can gain access to your database or even into a shell command in your server, it would be all too easy to pull down that data.
However if you have created your own custom prefix then it is much less likely anything could happen. This is all assuming somebody could remotely gain access into MySQL, but it’s not an idea you should totally overlook. Keep in mind this step should be applied when you first install WordPress – or you can go through and update the settings in your Admin panel, but this may cause issues with already-existing plugins. Best to do this right away if possible.
Customize the Default Comments
By default WordPress will allow anybody to comment on your blog posts if the form can be found inside your template directory.The problem is that so many people will target WordPress blogs to gain backlinks in the comments area. Just setting up a blank website and letting it sit there is practically begging for trouble.
One security tip you can follow is to limit the amount of time your discussion is opened. I will often setup newer posts to close the comments area pending a certain amount of time – 1 week, 1 month, 3 months, whatever works best. This will keep your comments area uncluttered when you go back to revisit articles 1-2 years old.
But you should also consider grabbing an Akismet API key if you want to use the typical WordPress comments system. They are one of the best spam protection services you can have, and the plugin comes bundled with every script copy of WordPress. But unfortunately their premium services have become paid-only and so this route may wind up costing you some money.
Alternatives for User Discussion
Many webmasters who I ask have said they are getting fed up with the spam on WordPress blogs. This doesn’t happen overnight but it’s not uncommon to find yourself racking up loads of new comments very quickly. On my newer projects I don’t often use the normal system and have instead switched over to Disqus.
Their open source plugin for WordPress is phenomenal to say the least. You create an account with Disqus and can tie in your API key right to your website. This allows you to moderate or delete comments right from the WordPress backend. Plus by now so many people are using Disqus, it’s commonplace that your visitors would have an account to post with.
A couple benefits include threaded comment support, quick signup/login links, and user voting. It’s possible to sort comments by newest, oldest, and even top rated. Disqus is simply the most open discussion system and also the safest to have running on your blog. Before giving up on comments entirely I would highly recommend installing Disqus for a test ride.
Disable wp-config.php Access
Anybody who is attempting to view or download your wp-config.php file are obviously after some malicious endeavor. This file holds your database name, along with the database username and password combination. That information is extremely sensitive and absolutely nobody should have access.
<Files wp-config.php> order allow,deny deny from all </Files>
The best way to combat this is by denying all access to your configuration file. This can be done with a couple lines inside your .htaccess file. Alternatively you may be interested in using WP htaccess Control which is a plugin designed specifically for editing this file.
For non-technical users this solution is a lot easier because you won’t need to FTP into the server at all. Just search & install in your Admin plugins page, then edit your file right on the backend.
Limit User Login Attempts
Another problem I’ve run into is noticing hundreds of new subscribers join the site all in rapid succession. This is usually a parade of spam accounts, and they are eating away storage space inside your database.
To clean out and put a stop to this garbage I recommend SABRE. This stands for Simple Anti-Bot Registration Engine and it’s completely free to use on any WordPress site. You should be able to keep this issue at bay and instead go through the database to clear out some pointless accounts.
One related issue you may face is when too many people are logging into the website at once. Check out this login limit plugin which you may install and customize to your own settings. This will stop users from logging into the site after a series of failed attempts. You can change the limit to be just a few minutes or even hours long.
These are just some of the most common ideas for WordPress users to follow. However this is by no means a complete list and certainly worthy of review. Web designers are not always focused on security but it is a hot button topic.
It is my hope that these techniques will push you in the right direction. WordPress comes packaged as an extremely safe library, so there really isn’t much you would need to do. But taking some extra precautions against spammers is never a bad preemptive attitude. If you have any similar thoughts or questions feel free to share them with us in the discussion area below.