Last week I was asked by a client why he wasn’t seeing the https: prefix in his URL (and the little lock icon in the bottom of the browser window) when he was logged into his WordPress site. That got us into a discussion about SSL and we wound up installing an SSL certificate on his hosting account, as well as making some additions to his WordPress installation to make it less appealing to hackers.
I learned a number of useful things about securing a WordPress site, so I’ll share them here with you.
Forcing administration over SSL is easily done by editing the wp-config.php file. You can enforce either:
- All logins over SSL
- All logins and admin pages over SSL (the backend pages are all https:)
We installed an inexpensive SSL certificate on the server, one issued for his domain name. We needed to enforce the use of SSL on all pages since there is a login box either in the template or in a widget on all pages (it’s a pretty small site). A login form served on an http: page that submits to an https: page is not necessarily secure, since the form itself travels unprotected. Forcing all pages of a site to use SSL can bog it down, but in this case the difference was very minimal. For a larger site with more traffic, I’d probably not have a login box on every page to avoid this; rather we’d link to one secure login page.
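The wp-config.php change for the second option (all logins and admin pages over SSL), written here as an added example rather than copied from the client's site; it assumes WordPress's FORCE_SSL_ADMIN constant and a placeholder domain, and the proxy block only matters if your host terminates TLS in front of the web server.

```php
<?php
// Added example: force wp-login.php and the whole /wp-admin/ backend over HTTPS.
// FORCE_SSL_ADMIN also covers logins, so this is the "all logins and admin
// pages over SSL" option. Put it ABOVE the "That's all, stop editing!" line.
define( 'FORCE_SSL_ADMIN', true );

// Caveat for hosts that terminate TLS on a load balancer or proxy: PHP then
// sees a plain-HTTP request, is_ssl() returns false, and WordPress redirects
// to https: in a loop. Only trust the forwarded-proto header if every request
// really passes through that proxy (assumption about your hosting setup).
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Set the site addresses to https: too so links and redirects do not bounce
// between schemes. example.com is a placeholder for the real domain.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
```

After saving, load wp-login.php over plain http: and confirm the browser is redirected to https: and shows the lock icon; if the page redirects endlessly, the proxy caveat above applies.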
A few other plugins we found to be useful:
- Limit Login Attempts – makes brute-force attacks impractical by blocking an IP after too many failed login attempts
- Secure WordPress – performs cleanup work on the site after installation, removing vulnerabilities
- Threat Scan – checks the installation and database for ‘things out of place’
And finally, a few resources that I bookmarked…
Increase Your WordPress Blog’s Security by Running it Through SSL
I hope this helps someone else – I was pleased to find that it’s actually quite easy to put a few reasonably strong security measures in place for any WordPress site.