WordPress Security


I love WordPress. Of all the blogging and web content management systems I have tried WordPress wins hands down. I’ve moved several of my clients sites and my personal sites to the WordPress platform over the last few months.

As a web developer with a checkered past, security is always a concern of mine when using an out of the box solution that I didn’t write.  I think that anyone who takes the time to develop a nice website would want to help protect it from those who would want to vandalize it.

WordPress is very stable and fairly secure (one of the benefits of open source software), but I have found a few places in the software that I beef up through a few simple steps that I believe everyone should take.

Security point 1: wp-config.php
wp-config.php is the key to the wordpress operation. This file hold usernames and passwords to your databases. Scary stuff if it fell into the wrong hands. By default this file is protected from direct web access because it has a .php extension, and doesn’t output anything. This is a common practice and is fairly secure. Suppose this, there is a problem with your php install of your web server, and instead of the .php file getting processed, it just gets served out and anyone who wanted to could download the passwords to your database. scary stuff! An easy way to fix this is through your .htaccess file.

open the .htaccess file in the root of your wordpress install, and add the following lines:

<FilesMatch ^wp-config.php$>
deny from all

This will tell the web server to NEVER serve out the wp-config.php file. Sure its a long shot that your server would server this file out, but an ounce of prevention is better then a pound of trouble!

Security point 2: browsable plugins directory by default
Do this on your server, go to http://www.your-domain.com/wp-content/plugins/
did you see the plugins that you have installed? What if one of those plugins has a security hole in it? A hacker could lurk around for sites with an exploitable version of a plugin installed, and then have their way with your site. The solution to this is SO SIMPLE, I dont know what wordpress doesnt to this by default.

create a blank file named “index.html” and place it in the /plugins directory. Now try to navigate to http://www.your-domain.com/wp-content/plugins/
The plugins list should not show up, and would-be-hackers have no way of knowing all the plugins you have installed. A simple and elegant solution.

wordpress is a great piece of software and with age, it will get more secure and more stable. The community of wordpress users are the people who make wordpress truly powerful. As I find things that I believe need changed, I will continue to blog about them, and submit changes to the wordpress project.