Podcast Episode

280 – Securing Your WordPress Site – Pro Fixes


  • WordPress 4.5 has been released (I think!). Update your site today

Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin form the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

WP Dev Dashboard is a better tool for monitoring your plugins & themes, including support requests, download stats, version support, and more.

I’d recommend using this plugin on a site that you visit regularly so you can see the updates and details about your WordPress plugin.

Securing Your WordPress Site – Pro Fixes

Generate new WordPress security keys

WordPress Security Keys handle the encryption of information stored in the user’s cookies. To make things secure, the keys need to be generated randomly for each WordPress install. Find them in the wp-config.php file.

The security keys, or sometimes called salts, are what allows users who are signed on to stay signed on. When you change your password I recommend changing your security keys, especially if your site has been compromised.

Change your database prefix

The default database prefix for WordPress sites is “wp_”. If you change it, you’ll automatically make any SQL injection attack attempts way harder. Find this in defined in the wp-config.php file.

This is a tricky change, because once you change the database prefix, your site will be temporarily broken. iThemes Security is a great plugin to help you accomplish this quickly and efficiently.

Disable login hints

When ever you type either your WordPress username or password incorrectly, WordPress will give you a subtle hint of which field is incorrect.

You can customize those hints with the following code in your functions.php file:

function no_wordpress_errors(){
  return 'What the heck are you doing?! Back off!';
add_filter( 'login_errors', 'no_wordpress_errors' );

Use .htaccess to protect your site

When your web server doesn’t find an index.php or index.html file, it’ll display a page showing the contents of such directory, making important information related to your installed plugins, themes, and so on, easily available to anybody.

You can check to see if directory browsing is enabled on your site by creating a new folder containing a simple text file and then visit the directory via your web browser. If it displays a link to the text file, then directory browsing is enabled. If you get a message like “Page Not Found”, “Forbidden” or just a blank page, then directory browsing is disabled.

Since the goal here is to make your WordPress website more secure with quick tweaks, it’s helpful to prevent that information from being quickly known by hackers. To do so, you should add to your .htaccess file this line:

Options All -Indexes

Make sure that both your wp-content/themes and wp-content/plugins folders have a blank index.php file in it too.

Adjust your FTP settings

Another quick thing that you can do is your can lock down your site’s sensitive directories via FTP.

Insecure shared hosting environments or compromised passwords might make it possible for an individual to access your site’s FTP, where they could upload harmful files to your WordPress directories. But limiting the write access on these directories can keep them out and reduce or even completely eliminate the potential for damage.

Ensure that only your FTP account has write access to the following folders:
* The root directory (excluding .htaccess if you use a WordPress plugin to set up URL redirects)
* wp-admin
* wp-includes
* wp-content

If you are having a developer help you with something on your site, then only give them permissions to the folders they need and revoke all privileges once they have completed the task.

Disable PHP error messages

Beefing up your site’s backend security has a lot to do with closing the holes or weak spots. Now, if a plugin or theme doesn’t work correctly, it might create an error message. This is definitely helpful when troubleshooting, but here’s the problem: these error messages often include your server path.

Hackers would only need to view your error reports to get your full server path, which means you’d be handing them every nook and cranny of your website on a silver platter. No matter how helpful error reporting might be, it’s a better idea to disable it altogether. This one’s another code snippet to be added to wp-config.php.

@ini_set(‘display_errors’, 0);

Track Dashboard activity

The WP Security Audit Log is a great plugin for someone running a mult-user WordPress installation.

It tracks everything from when someone signs on and every change that is made to your site.

Pay attention to Webmaster Tools, aka Google Search Console

Google Search Console is very useful when it comes to letting you know about malicious things going on with your site.

When my site got hacked for the first time, it’s GSC that notified me what was going on and that Google had black listed my site.

It’s a free service and only takes a few minutes to set up and I recommend setting it up for any website that you run.

Follow news from Sucuri

Sucuri.net has a blog with tons of great information about keeping your site safe. While they are all about keeping every website hack free, they really tailor to the WordPress community.

The Sucuri guys are always on the lookout for new vulnerabilities, and very often it’s they who report on new problems before anyone else notices them.

Want to stay safe? Simply subscribe to their blog and keep track of what they are publishing.


SSL is a technology allowing you to encrypt the connection between your web server and your visitors’ browsers. This increases the security of the whole experience, purely because all data being transferred can’t be easily read by third parties.

Enabling SSL for your site is a bit of a task / headache. I’ve always had great luck with asking my hosting provider to install it for me.

The cost is generally $50/yr, but it’s possible to find free SSL certificates through a site called Let’s Encrypt

Thank You!

Thank you to those who use my affiliate links. As you know I make a small commission when someone uses my link and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page

Call To Action

Take an hour or so this week and make sure you are doing each of the 10 items mentioned in this week’s show.

Full Transcript

Business Transcription is provided by GMR Transcription.

On today's episode we're going to conclude the three-part series on how to secure our WordPress website. These will be the pro fixes, right here on Your Website Engineer Podcast Episode No. 280.

Hello, everybody. Welcome back to another episode of Your Website Engineer Podcast. My name is Dustin Hartzler, and this week I'm actually recording this way, way in advance because this week I'm in Austin, Texas with some of my colleagues. We have just wrapped up the Woo Conference, and we are spending a few days together in the heat of Texas, here in the early spring, and we're just learning about each other. We're learning – there's going to be like seven or eight of us as a team, and some of us are from – I mean we're from all over the world, and so we just get to spend some quality time together. We're going to learn more about the plug-ins that we support. We're going to learn how some of these things work, and it's a lot of fun. But of course, as always, I'm not going to forget about publishing an episode when I'm out of town.

So I went ahead and pre-recorded this. There's not a lot of announcements in that I just recorded Episode No. 279, just like two minutes ago, and so when it comes to announcements, my fingers are crossed that we released WordPress 4.5. It's out there in the wild. It's live. You want to make sure that you're updating your sites, and make sure that you run a test copy and do all the good things like backing up, and then making sure that all of your other plug-ins are updated and all that good jazz. I'm sure it's amazing. I'm sure it's wonderful, and next week we'll talk about what all came with 4.5? What are the exciting pieces that we should be excited about and start using and implementing in things like that?

So those are the announcements kind of, and speculation of announcements, but I do have a plug-in that I want to share with you today. The plug-in is called WP Dev Dashboard. This is kind of a – it's a unique plug-in. It has been – it only has 70 active installs, and this is a tool for monitoring your plug-ins and themes, including support requests, download stats and version support, and more. So what this is, this is a perfect plug-in for you to use if you are a WordPress developer. I don't know – I'm trying to, in my head, wrap around where I would install this plug-in because it's basically a dashboard to let you know what's going on on the WordPress repository when it comes to your plug-ins. So I don't ever remember to go in and look to see how many five-star reviews or how many even reviews that I have on my site. I don't go in to look to see how many people are download the [inaudible] [00:02:17] plug-in.

I'm not looking to see if anybody has left some sort of report request that I need to fix or help out with. So I don't ever remember doing that. So I don't know if I would install this on yourwebsiteengineer.com because I'm in there all the time, and this would be something to give me a notification inside. But basically what this does is it gives us the ability to review, respond to all of our plug-in support requests. You can see all of your stats and stuff, and it all works right within your WordPress dashboard, which is really kind of cool. It's a neat way that it extends the WordPress functionality, and you're using WordPress to actually go in and leave your comments, your reviews, all that kind of stuff. You can do that for your own themes and plug-ins which are hosted on the WordPress repository.

So it's a neat plug-in. It's something that you have to have a very specific need for. Maybe you have a plug-in on the WordPress repository or whatnot, but that is what I wanted to share with you today.

Alright, today we are going to continue our discussion on how to secure our WordPress website. Today I'm calling these the pro fixes. It's just because they're a little bit more technical, and they are a little bit harder than just inside the WordPress dashboard. But they definitely can be done by each and every one of you listening to this podcast today. So today, let's go ahead and dive in. We've got ten more tips. So this is the third part of the three-part series, and it's going to wrap things up. Let's just go ahead and dive right in. The first thing that we want to do is – or what we should be doing – is we can generate new security keys. What a security key is, is it basically, there's a bunch of random letters, numbers, characters that allow you to stay logged in to WordPress for longer periods of time.

I'm not exactly sure how, the technical aspects of how the keys actually work. But basically, if you're logged in, and you've set up so that you can stay logged in for a week or a month or whatever, as long as those keys stay the same, then if you're already in and you've already hacked in through the password, then you don't have to log back in the next time you come to your site. You can just navigate through yourwebsiteengineer.com/wp/admin, and if you're already logged in, then you can just go ahead and just sign you right back in. So if you're having problems, and this is always something that is recommended as soon as you find that you've been attacked or you've been hacked and somebody's gotten into your website, you want to definitely make sure that you change your SALTS is what it's called, the security keys, or sometimes they call them the WordPress SALTS.

Basically what you do is you go to, there's a link in the show notes to tell you where to go, but you basically go to this link, you click on it, and it randomly generates these. You copy and paste them and put them in the wp-config.php file. It's as simple as that. Then that means that anybody that is currently logged in to your site, then that will automatically kick them out, and as long as you change your password before that, and then change the security keys or the security SALTS, then you will allow people – you will kick people out, and they won't be able to log back in to your site. Another thing that you can do – and this is, again, another one of the pro fixes, is you can change the database prefix. This is a little tedious if you do this on a manual basis. You could also use the iTheme Security Plug-in can do this, that we talked about last week.

Basically what you want to do is you want to go in and you want to change the prefix to anything but WP_ because that's what every generic standard WordPress site is. Now we're getting a lot better with the one-click installs, and within your C panel or your hosting company, they're actually starting to randomly generate prefixes, which is really, really nice. I know in the podcast I talk a lot about going to the wp_post table, or the wp_comments table. That's just kind of a generalization because most people have that as their setup, but a lot of times they have five, six, seven, eight random characters _post, or _comments or whatever that is. So that's something else you can do. You can manually do this by going in and manually changing your database prefixes for every database table that you have, and then going to your wp-config.php file, and then change the wp_ to whatever that new thing is.

Or again, like I said, you can go to the iTheme Security Plug-in, you can just type that, you can just go ahead and it will generate a new one for you, and just do all of the pieces. I will have to say that it is – make sure that you have a backup before doing this because if you do mess something up, you want to be easily able to restore it. Your data is not going to be lost, but for a moment, your website is going to look down because it's not going to be able to access certain records inside your WordPress database. So if you're going to do this, make sure that you're trying to do it in an off-peak time. You don't want to do this right in the middle of the day when people are trying to buy stuff from your site or really engage with your material. You want to do it late at night or early in the morning.

Alright, another thing that you want to do, and I really like this tip, is called disabling your login hints. So right now, any time that you type in your wrong username or incorrect password, you get an actual little hint from WordPress letting you know what's wrong. So if you have the right username, it says, "The password for this username is incorrect," which that's going to allow a hacker or somebody to know that, hey, I've got the right username. Now I can just try, try, try, try lots and lots of passwords. So you want to go ahead and get rid of this. And you can put this – there's a bit of code that's in the show notes for Episode No. 280, but you can put this inside your functions.php file, and it basically will allow you to put anything in there that you want. You could put, hey, what are you doing; hey, I'm not telling you anything. You can be snarky with it or you can say, no information, you're not correct. You can put anything there you want.

So you're basically just kind of covering up what WordPress would be outputting. You're putting your own thing there. So that is something that you can do. You can say, what the heck are you doing? Back off. If you really want to be kind of snarky and tell people, hey, I know that you're getting into my site, and you shouldn't be. Okay, the next one is use HT access, the .htaccess file to protect your website. So this is something that you do on the server level, and of course, your hosting company can help you set this up. If you enable permalinks on your website so that your website is using the name permalink, so yourwebsiteengineer.com/about [inaudible] [00:08:12] /p?=13, you know, as long as you're using a custom permalinks scenario, then you have HT access enabled because that's where it puts all those rewrite rules.

You can actually put something in there that's called option all indexes, and then that makes sure that as long as there's an index file inside a folder, then people can't get in there and navigate into them. So you want to make sure that inside of – and this is done by default within WordPress. You know, there's always index.php files put in places, and it says, if you ever open them up, it says, "Silence is golden," and that just basically means that people can't get in there and look and find anything. It's just going to show page not found or forbidden or a blank page. Then they can't browse to any more directories. So that's something that you want to do as well. Another thing is you want to adjust your FTP settings, and you want to make sure that you, if you give out FTP settings, you know, credentials for somebody to do something on your website, give them access to a specific folder that they only need.

I know that it's kind of a pain when you are a developer or somebody that's asking for permissions, and to not get the full access of everything, but it's much, much safer for the site and the site owner, if you only give them access to the things that they absolutely, truly need. So if I was a theme developer and I'm trying to troubleshoot a theme, I'm only going to give that theme developer access to wp-content/themes/the name of the theme. That's the only thing that they're going to be able to get in and do and configure. Because opening that up, allowing them – you never really know about people, giving them access, they could lose it, they could post it somewhere, and people could just get in. And then another thing is, once you give somebody access, if they're doing a job, they're working on it, as soon as they're done, be sure to get rid of those credentials. Delete them. Change the password so they cannot log back in without getting the username and password again from you.

Another thing that you can do, and this is another two little lines of code that you can put in the wp-config file, and it is called disabling PHP error messages. So you're basically making it harder for people to get in because it doesn't show any error messages that may occur if something is wrong with the code, or if something doesn't work correctly. No error message is going to be outputted. Because the error messages, when they're outputted, they show root level files, and it says this is exactly what folder and file that this is in. So then people kind of know the structure of how your website is working and where the important files are, so they can go in. Once they get in, they can kind of navigate to the right place, and they can wreak havoc on your website.

So you want to make sure that you are disabling that. The next thing is, and this one is a nice feature if you have multiple people running on your website. This one's inside the WordPress dashboard. It's a plug-in called WP Security Audit Log, and this is something, if you have multiple authors on your website, or people are just logging in and doing things, this basically gives a record log of everything that's going on in the dashboard. So if somebody comes in and they log in and they trash a post, or maybe they delete some comments, or maybe they add their own – you can see all of that stuff. Every person that logs in and they do something, you can see that on this WP Security Audit Log, so that's really, really nice.

Let's see. Just a couple more here, three more before we get wrapped up. And the next one is called Pay Attention to Webmaster Tools, or the new term for this is Google Search Console. And it is very useful for letting you know when malicious things are going on with your site. It can notify you if it finds bad things happening on your website. It's basically like the old Google Webmaster Tools, and you basically have to go in and you create, or you tell Google that this is your website, you have to verify it, and then they start monitoring and tracking it, and you can submit it to search engines and all that good stuff. So whenever you have the benefit or whenever you have the ability to do this, whenever you have a website that is online that you're managing, make sure that you set this up because you can get all kinds of information from Google Search Console, is what it's called now.

Alright, the next one is follow news from security.net, and I've mentioned this before in past shows. But this is a website that's informational, and they have a product or a service that helps to remove code that is malicious from websites. They can go and do a one-time cleanup. Again, it does cost some money to do this, but if you are running short on time or you have been compromised in some way, shape or form, they can go in and they've got the power to go in. They can find a bunch of these scripts, and they can run some scripts on your server level configuration. They can remove a bunch of stuff, and then they can get your site restored, which is really, really nice. The reason I say follow the news from this is because they're always on the lookout for new vulnerabilities, and they're the ones that report problems before anyone else notices them.

So you want to just keep up on their blog. It's nice to just kind of have that in the forefront of your mind. If you see a common plug-in that's out there, say, for example, the Jet Pack Plug-In has some sort of vulnerability or malware in it or whatnot, they're going to know right there, then you can say, "Oh, I should probably disable this." Not that Jet Pack or any – I'm just randomly picking a plug-in to pick on today. But basically, that's why I recommend following this network of security topics. So security.net, and you can follow their blog there. And the last one is, you can help to secure your website by using an SSL certificate. It's basically a technology allowing you to encrypt the connection between your web server and your visitors browser. This is normally used when people are sending credit card data to and from, across networks, and when you're paying for things online, you always want to make sure that there is a secure connection, just because then all of the credit card data that you are sending is secure and encrypted.

It increases the security of the entire web experience because all the data can't be read by third parties, which is really nice. When you enable the SSL, your site, it isn't a five-minute process though. This is one of the hardest things, and I always have problems setting up an SSL certificate. So I by default just normally have the web host do it because they can do it very, very quickly. Sometimes you can get free certificates. You can pay for certificates. And then once you have that turned on, there's a plug-in called WP Force SSL that you can force all of your pages to be SSL. Instead of just going to http, they'll all be served from https:// and then the name of your website. Stephanie: that's another way to set up the technology. Again, sometimes there's a fee associated with this. Sometimes it takes a while to do it.

And a lot of times you have to have a host set this up for you. But that is a good step in getting all the traffic that's coming to your website much more secure, and not having to worry about security. So that's a wrap. That is the ten things. Let's run through them real, real quick. We want to generate new WordPress security keys. We want to change our database prefix. We want to disable login hints. We are using the HT Access file to protect our site. We are adjusting our FTP settings to only let the people we want in to our server, and give them permissions only to the folders that they need. We are disabling PHP messages. We are tracking all dashboard activity with the WP Security Audit Log Plug-In. We're paying attention to Webmaster Tools.

And we're following the news from security.net. And we are using an SSL certificate to make our site much more secure. So that wraps up 30 items in the last three weeks to improve. I know there's a handful of them that I'm like, ooh, I should probably do these. And so that's something to work on this spring, as we're getting ready for the summer months and enjoying being outside and whatnot. We just want to kind of prep ourselves, prep our sites and get ready for this new season, this new challenge of our online experience. So that's a wrap. I'm getting ready to wrap up my team meet-up. Next week we'll talk about 4.5, what's in there and what's to come, and what we should be excited about. Until then, take care. Bye-bye.

Leave a Reply