February 7, 2012

Would you please pass the security?

So many WordPress Experts on the Internet.

Who do you believe? What do you believe?

Well, like anything in life, you need to have a functional understanding of the subject before you solicit advice from other people. Why? You need a fighting chance at knowing whether other people are feeding you BS. You can’t count on other people to always be honest – if you do, then I have some beachfront property in Utah that you might be interested in.

As I’ve said many times before, the only 100% secure WordPress site is the WordPress site that is turned off. Big problem though, right? The darn thing doesn’t do much good if it is turned off. There are a number of things that WordPress site owners can do to decrease their security risk, with varying degrees of implementation difficulty. I’ll be covering two important areas that any WordPress web site owner should be able to execute without much difficulty.

User security:

  • The most basic and essential step that we can take towards good user security is to not use the default admin username. In WordPress 3.0 we saw a welcome and much-needed feature: the installer no longer forces the default admin username. Starting in WordPress 3.0 you can create your own unique username for the default user account. Regardless, if you have or use an account with the username admin, don’t use it anymore! Take 2 minutes and create a new user with a unique username. Since admin is a default, would-be crackers don’t need to guess the username and the password, just the password. Let’s take 2 minutes and make things a little harder for them!
  • Another great effort towards good user account security is to use strong passwords and change them regularly. MyCodeTree offers an awesome plugin for WordPress that will regularly remind users to change their account password at selectable intervals and even provides a handy password generator tool for generating super-secure passwords! The MyCodeTree pass changer plugin for WordPress can be downloaded here.

wp-config.php security:

  • Point your browser to https://api.wordpress.org/secret-key/1.1/salt/
  • You’ll see some rather cryptic looking text generated in the browser window.
  • Next, you’ll want to open up the wp-config.php file from your WordPress installation in a text editor. The file is in the base or beginning folder of your WordPress installation by default.
  • You’ll notice an area in that file that looks like what is generated in your browser window (specifically, the random text inside the second pair of quotes on each define('...', '...'); line should be the only difference).
  • You’ll want to copy what is generated in your browser window and replace what is in your wp-config.php file with what you copied. Make sure to only copy/paste what is generated in the browser and its counterpart in the wp-config.php file, nothing else!
  • Save the changes in the wp-config.php file. Changing these values will most likely log out any logged-in users.
  • Lastly, you should set the file permissions of wp-config.php to 0644. This is an advanced task if you’re not familiar with individual file permissions. Most FTP clients offer the ability to try to change file permissions, but not all web servers will support it. When in doubt, ask your hosting provider. The wp-config.php file should, by default, be set to 0644 during installation, so there is a good chance that you won’t need to change it.
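The salt-rotation steps above, as an added example script (not code from this post or from MyCodeTree). It assumes the stock single-quoted `define('NAME', 'value');` layout of wp-config-sample.php, swaps only the eight salt values so nothing else in the file (DB_NAME, $table_prefix, comments) is touched, refuses to write a half-updated file if any key is missing, and checks for the 0644 mode the post recommends. Only `fetch_salts()` needs network access; the constructed SAMPLE_CONFIG lets the rest run offline.

```python
import re
import stat
import urllib.request

SALT_URL = "https://api.wordpress.org/secret-key/1.1/salt/"

# The eight constants the salt service generates and wp-config.php defines.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# One define('NAME', 'value'); line, single-quoted as in wp-config-sample.php.
# The salt service never emits ' or \ inside a value, so [^']* takes it whole.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\);")

def fetch_salts():
    """Download fresh salts from wordpress.org (network access required)."""
    return parse_salts(urllib.request.urlopen(SALT_URL).read().decode())

def parse_salts(salt_text):
    """Return {NAME: value} for the eight keys; raise if any is missing."""
    found = dict(DEFINE_RE.findall(salt_text))
    missing = [k for k in SALT_KEYS if k not in found]
    if missing:
        raise ValueError("salt text lacks " + ", ".join(missing))
    return {k: found[k] for k in SALT_KEYS}

def replace_salts(config_text, salts):
    """Swap only the eight salt values; every other line (DB_NAME, comments,
    $table_prefix) is left unchanged. Raises if a key is absent from the config."""
    seen = set()
    def swap(m):
        name = m.group(1)
        if name not in salts:
            return m.group(0)          # e.g. DB_NAME: not a salt, keep as-is
        seen.add(name)
        return "define('%s', '%s');" % (name, salts[name])

    new_text = DEFINE_RE.sub(swap, config_text)
    if seen != set(SALT_KEYS):
        raise ValueError("config lacks " + ", ".join(sorted(set(SALT_KEYS) - seen)))
    return new_text

def is_0644(mode):
    """True when an os.stat() st_mode is exactly rw-r--r--, as the post recommends."""
    return stat.S_IMODE(mode) == 0o644

# Constructed sample: one non-salt line plus the eight placeholder salt lines.
SAMPLE_CONFIG = "define('DB_NAME', 'wp');\n" + "".join(
    "define('%s', 'put your unique phrase here');\n" % k for k in SALT_KEYS)
```

To apply it to a real site, read wp-config.php, pass its text and `fetch_salts()` to `replace_salts()`, write the result back, and compare `os.stat(path).st_mode` with `is_0644()`.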

Until next time,

Ryan Huff – President & Founder of MyCodeTree