Locking Down WP

With every release WordPress becomes more secure. On the other hand, everyday hackers become increasingly smarter and more malicious. Out of the box, WordPress can’t be as secure as it’d like to be, so they even give us some tips.

WordPress’ site already has an article on on Hardening WordPress.

One of the quick things you can do is restrict access to the WordPress administration side. Create the file, “.htaccess” in /wp-admin/ and paste the following into it, replacing the IP address with your own. Find your IP.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist this IP address
allow from 209.173.246.4

Secondly, create an empty index.html file in your /wp-content/plugins/ directory. This will prevent the listing of your plugins for the world to see, making it a bit harder for hackers to find exploits.

Next, delete the username “admin” (obviously make a new username for yourself first), and use a strong password for your login.

Finally, install WP Security Scan to make sure everything checks out.

Customize Text and Title Attributes

One of the first customization to the default WordPress theme is to remove the “Powered by WordPress” section in the footer. This is done by editing the footer.php. Be sure to copy the page to notepad or some other means to preserve the original code while you fiddle with it encase something goes wrong and you break it.

There are also title attributes that are embedded in anchor tags throughout the site. Here is one example, found in the index.php file:

<h2><a href="<?php the_permalink() ?>" rel="bookmark" title="Permanent Link to <?php the_title_attribute(); ?>"><?php the_title(); ?></a></h2>

The code above is the section that will display the title of each post listed on your home page. The title attribute in the anchor tag has the super-obvious text of “Permanent link to …” and then the PHP function that spits out the title. You can modify this and other default text that appears throughout your WP theme.

Customize Your Sidebar

The sidebar in WordPress is a dead “giveaway” when a user visits your site. The sidebar will have default titles like “Blogroll”, “Categories” and “Archives”. You can easily change the text of these titles, and which sections are displayed, by editing the sidebar.php file in the theme directory. Also, WordPress displays a different sidebar depending on what page of the site you’re on, which can also be changed.

Even if you’re not familiar with PHP, WordPress code is very developer-friendly, and easy to work with. A simple knowledge of how functions are called and how to open and close if statements is often more than enough to help you customize some of the sidebar code.

Also, you can easily duplicate and customize certain sidebar sections.  This is done by duplicating the “categories” section and controlling what categories are displayed using parameters inside the function call for that particular section.

Security Keys

As of WordPress 2.7, there are four security keys available that are designed to insure better cookie encryption. These keys work silently in the background and should be as random and complicated as possible (no, you will never need to remember them). The easiest way to generate these keys is to do it automatically at the WordPress.org secret-key service. Simply visit that link and copy/paste the results into your wp-config.php file. Note that these keys may be changed anytime, and doing so will invalidate all of your users’ existing cookies so that they will have to re-login to your site.

define('AUTH_KEY', ':dr+%/5V4sAUG-gg%aS*v;&xGhd%{YV)p:Qi?jXLq,<h\\`39');
define('SECURE_AUTH_KEY', '@*+S=8\"\'+\"}]<m#+}V)p:Qi?jXLq,<h\\`39m_(');
define('LOGGED_IN_KEY', 'S~AACm4h1;T^\"qW3_8Zv!Ji=y|)~5i63JI |Al[(<YS');
define('NONCE_KEY', 'k1+EOc-&w?hG8j84>6L9v\"6C89NH?ui{*3\\(t09mumL/fF');

WordPress Database Prefix

The database prefix setting is particularly useful for increasing the security of your site and for housing multiple WordPress installations in a single database. By changing the default value of “wp_” to something randomly unique, you mitigate commonly targeted attack vectors and improve the overall security of your site. Here is the default setting:

$table_prefix  = 'wp_';

There are tons of crackers out there probing sites for this default database prefix. Changing it to something like “343P_” is a good way to avoid these types of targeted attacks.

You can also use this setting to install multiple instances of WordPress using the same database. Simply specify a unique database prefix for each installation:

$table_prefix  = 'wp1_'; // first blog
$table_prefix  = 'wp2_'; // second blog
$table_prefix  = 'wp3_'; // third blog

Moving the WordPress

As of WordPress version 2.6, you may change the default location of the wp-content directory. There are several good reasons for doing this, including enhancement of site security and facilitation of FTP updates. Here are some examples:

// full local path of current directory (no trailing slash)
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/path/wp-content'); 

// full URI of current directory (no trailing slash)
define('WP_CONTENT_URL', 'http://domain.tld/path/wp-content');

You may also further specify a custom path for your wp-content directory. This may help with compatibility issues with certain plugins:

// full local path of current directory (no trailing slash)
define('WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'].'/path/wp-content/plugins'); 

// full URI of current directory (no trailing slash)
define('WP_PLUGIN_URL', 'http://domain.tld/path/wp-content/plugins');

Specify the Autosave Interval

In a similar vein as the post-revisioning feature is WordPress’ actually useful Autosave functionality. By default, WordPress saves your work every 60 seconds, but you can totally modify this setting to whatever you want. Normally, a more modest value would be in our humble opinion a better setting.

define('AUTOSAVE_INTERVAL', 200); // in seconds