Security is typically something that many of us don’t give a second’s thought to until it is too late.
If we are lucky, someone else’s misfortune galvanizes us into action. For instance, the popular blog Famous Bloggers was recently subject to domain theft, as chronicled here and here. Whilst hacking and malware are something I have always been aware of, I hadn’t even considered domain theft. In response to learning of Famous Bloggers’ misfortune, I immediately changed my GoDaddy password to something completely unique and random.
Fortunately, the dev folks here at ManageWP take security very seriously, with everything from secure SSL login capability to two step authentication featuring in our our suite of security utilities. However, your WordPress site may not be as well protected.
With that in mind, there are some steps that arguably every WordPress user should take to secure their site(s).
Is WordPress Vulnerable?
There are a few integral factors that make WordPress potentially vulnerable to attack, but the core issue is in its enormous popularity.
Every single day, new WordPress installations take place on an unfathomable number of varying server environments. Each installation will then subsequently be built upon with third party themes and plugins of varying qualities and compatibilities. As the TimThumb debacle and WordPress.org Repository hack last year highlighted, all it takes is one compromised or out of date plugin or theme to result in a major security threat.
You may be wondering what hackers might do when they find a website that they can breach. In reality, they are only limited by their imagination, but popular examples are:
- Executing code
- Creating hidden links to sites (in the hope of boosting search engine rankings)
- Redirecting visitors to alternative sites (which is exactly what happened in the Famous Bloggers incident above)
- Embedding a hidden backdoor, so that access can be gained even when vulnerabilities are fixed
I should make it clear that all content management systems of a similar nature suffer from the same vulnerabilities – it is the nature of the beast. With great power comes a responsibility to ensure that you are keeping your WordPress installation secure. The good news is that securing your WordPress site is not a particularly difficult process.
How to Secure Your WordPress Site
This may seem like an intimidatingly long list, but in reality, the majority of tips you see below are either a one-off job, or can be done at the click of a button. Although you will need to put in a little bit of work in order to secure your WordPress site, the alternative is unthinkable.
Here’s what you need to do:
- Update your WordPress installation as soon as a new version is released.
- Keep plugins and themes updated (even deactivated ones).
- Never install themes or plugins from an untrusted source.
- Create regular backups of both your database and files.
- Create a new administrator user, login as that user, and delete your “admin” user account. Make sure that you transfer any posts and pages owned by the old admin user when doing this.
- Do not publish your administrator account name on your blog (e.g. in the meta data above a post). Instead, select to display your nickname as your public name (which can be done from the User Profile settings screen).
- Create a custom login page URL (these plugins may help you)
- Create a completely unique password for your account, ideally included upper and lowercase letters, numbers, and symbols. I like to combine a completely random word with a couple of numbers, with at least one symbol replacing a similar letter (e.g. “@Grari@n36”).
- Install a login attempt limiting plugin, such as Limit Login Attempts.
- Install WordPress File Monitor Plus, so that you will be informed whenever changes are made to your site.
- Install one or more of the following excellent security plugins: Wordfence Security, BulletProof Security, or Better WP Security.
There are additional, more intricate steps you can take to further boost the security of your WordPress installation. After all, there is no such thing as a perfectly secure website, so there is always something extra you can do. However, following the above 10 tips will have you more effectively protected than the vast majority of WordPress sites, and hackers go after the easy targets, not the difficult ones.
I have just one final piece of advice – make sure that any computer you use is free of viruses, malware and spyware. Following all of the above recommendations will be for naught if the computer you are using is compromised.
What Tips Do You Have?
Are you a WordPress security nut? If so, do you have any additional tips that can help people increase the security of their WordPress installation? Let us know in the comments section!
Creative Commons photo courtesy of vrogy