With WordPress becoming the prominent blogging and website building engine on the market, it’s no wonder that its security is a concern. Everyone from stay at home moms to software engineers are using this platform to quickly create sites and publish articles and stories. But when you are the major platform, then you’re going to be targeted…heavily. In this post, I am going to try and give you some simple steps to help further secure your WordPress site from would be hackers. There is no foolproof method to be completely hack proof, but you can at least secure the most susceptible portions of your WordPress powered site. I’m going to start out with a couple obvious ones…
This is the first and by far most important step. Make sure you are constantly backing up your WordPress files and databases. If you are an administrator of your own server and/or site, then have a look at another post I did “Backing up your mySql databases using MySqlDumper“. MySqlDumper is a very useful utility for automating backups of your databases, and is especially useful when you need to backup several databases automatically. If you are using shared hosting, then you should be able to find backup options in your hosting provider’s control panel. Here is WordPress’s official post on database backup options: http://codex.wordpress.org/Backing_Up_Your_Database , trust me… it is worth your time to do this. If you get hacked, you can at least get back up and running with a lot less effort. I suggest weekly or monthly backups, depending on how frequently you are updating your site/blog.
Keep WordPress Up to Date
WordPress is always coming out with new updates to its platform, addressing critical security issues and making performance enhancements. It is in your best interest to keep it up to date. If you need to administer several WordPress sites to ensure they are always up to date with the latest plugins, themes, and WordPress updates, I would suggest Infinite WP. It’s free, easy to use, and works great. If you ever login to WordPress and notice a WordPress update at the top of your screen, do it! Do it now! Old WordPress versions leave your site more vulnerable.
Use Strong Passwords
Everyone knows this, yet many people don’t obey it. Use a password with lowercase and uppercase letters, symbols, and numbers. Not much more to say here, but this is a critical component of WordPress security.
Keep WordPress Plugins Up To Date and Use Them Judicially
One of the greatest features of WordPress is plugins. Every installation out there is going to have at least one plugin running on it, so be safe. Do a little research before installing a plugin, make sure it does not have any glaringly negative reviews or complaints about it. The more people that use a plugin, generally the more trustworthy. With that being said, with the plugins you do install…keep them up to date. See point #2 above. Updates often address critical security flaws and performance issues.
Install and Configure Better WP Security
You won’t regret installing Better WP Security. It is by far one of the most popular WordPress security plugins, and for good reason. It can do everything from limiting login attempts to hiding your admin area, and blocking out bots trying to find weaknesses on your site. When installing this plugin, it will ask you to make a backup of your database, as well as ask for access to modify WordPress core files. You will need to do both. Backup, backup, backup, before you do anything with this plugin. Here are some of the more important settings I will highlight, and suggest configuring for your site.
- Prevent non-admins from seeing available updates. (3)
- Don’t have a username of “Admin”. It just gives hackers 50% of the information they need up front. (4)
- Don’t have a user with an id of 1. (5)
- Change your table prefix (6)
- Block bad hosts and agents with HackRepair.com’s blacklist. (9)
- Limit login attempts and help prevent brute force attacks. (10)
- Hide your WordPress login area. (11)
- Block attackers trying to scan your site for vulnerabilities (13)
- Installation actively looking for changed files. I actually can’t 100% recommend this setting. I’ve had quite a bit of trouble with it rendering some sites useless until I do a database restore. It has its place when it works, but use it with caution. I use another script to monitor changed files. (14)
- Don’t accept long Urls (15)
- Make wp-config.php and .htaccess non-writeable (18)
Don’t use shared hosting if you can help it
Shared hosting is inherently more insecure than a managed VPS or dedicated server. You’re sharing a site with usually hundreds if not thousands of other users. If there is a gaping security hole with any of that shared server’s software, then all sites could be compromised. The same works for a VPS or dedicated server, you need to make sure whoever is monitoring it, has a lot of experience with server security and administration. I am not an IT security professional, but it helps to have people who know this stuff. Unfortunately I have been a victim of this, and it’s not fun. Typically shared hosting should segregate user directories to prevent this thing from happening, but I happen to know it can still, and does happen. Find your favorite shared hosting provider and you will find posts about them being hacked. It happens, and hackers tend to target these servers as they can take down a lot of sites at once. Your site can be as secure as you want, but if the server gets compromised, it won’t matter. Once again, I want to state that just moving to a VPS or dedicated does not make you hack proof, but it can help given the right circumstances.
Use Sucuri Plugin for Scanning of Your Site for Potential Malware
I recommend installing the Sucuri Malware Scanner plugin. If you believe your site has been compromised, this will go a long way towards finding potential issues. From the Sucuri plugin site:
Sucuri SiteCheck detects various types of malware, SPAM injections, website errors, disabled sites, database connection issues and code anomalies that require special attention to include:
- Cross Site Scripting (XSS)
- Website Defacements
- Hidden & Malicious iFrames
- PHP Mailers
- Phishing Attempts
- Malicious Redirects
- Backdoors (e.g., C99, R57, Webshells)
- IP Cloaking
- Social Engineering Attacks
Conclusion and other references
You will never be 100% hacker proof, but you can at least make yourself less of a target. Between your hosting provider (see shared vs vps hosting), and keeping regular backups of your data, and running Better WP Security, you will have at least secured some of the most common attack routes. Be sure to also run an anti-virus program on any machine that you are accessing your site/blog from.
WordPress is awesome, and I highly recommend it, but be sure to take the critical steps to ensure it’s as secure as possible. Enjoy!