Every day, some scary report about a major site being
hacked or a sensitive database being compromised hits the web … and freaks
everyone out.
But what if I told you that the effects of being hacked could destroy all of your work and force you to start over? I bet your to-do list would change a little bit if all of the work you have done on your website was gone forever.
That is why WordPress security is very important and you need to add it to the top of your to-do list.
For those who use WordPress there are some things that
you can do to make sure your site is as secure as possible. Here are 11 things
that you should do to help ensure your site is as safe and secure as possible:
Create Strong Passwords
This is one of the easiest things to do to ensure your website is secure. Many people make excuses because it takes too much time, but it should be taken very seriously. Each of your sites should have a different password.
Every password should be at least 15 characters long, and it’s best if your password does not contain a real word.
You should use capital and lowercase letters, numbers, and special characters such as a question mark.
Your password is your first form of protection against hackers, so make sure you come up with a strong one.
Once you have secure passwords for all of your sites, you should never just write them down.
The only two places your passwords should be are in your head or within a password manager with a strong master password.
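As an added example (not from the article), a small Python checker that applies the rules above to a set of site passwords: minimum length, character classes, no dictionary word, and no password shared between sites. The mini word list and the sample passwords are constructed for the demo.

```python
import re

MIN_LENGTH = 15  # the article's minimum
# Constructed mini word list standing in for a real dictionary check.
DICTIONARY = ("admin", "letmein", "password", "welcome", "wordpress")


def password_problems(password):
    """Return the rules from the article that this password breaks (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for word in DICTIONARY:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def audit_sites(site_passwords):
    """Check each site's password and flag any password reused across sites."""
    report = {site: password_problems(pw) for site, pw in site_passwords.items()}
    sites_by_password = {}
    for site, pw in site_passwords.items():
        sites_by_password.setdefault(pw, []).append(site)
    for sites in sites_by_password.values():
        if len(sites) > 1:
            for site in sites:
                others = ", ".join(s for s in sites if s != site)
                report[site].append(f"reused on {others}")
    return report
```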
Secure your WordPress Login Page
Your WordPress login page is accessible to the world
but if you wish to prevent non-authorized users from logging into WordPress,
you have three choices.
- Password Protect with .htaccess – This involves protecting the wp-admin folder of your WordPress with a username and password in addition to your regular WordPress credentials.
- Google Authenticator – This excellent plugin adds two-step verification to your WordPress blog similar to your Google Account. You’ll have to enter the password and also the time-dependent code generated on your mobile phone.
- Login Dongle – This plugin takes a very unique approach to protecting your WordPress. It generates a bookmarklet with a secret question that you can add to your bookmarks. While on the WordPress login page, enter your credentials and then press this bookmarklet to get into your WordPress – the button on the login screen won’t work.
Keep Your Site Updated
When it comes to WordPress, many people do not want to
take the time to make sure they have all of the current updates.
Remember WordPress is not releasing these updates just
so they can get media attention. The updates are released to fix bugs, patch
security holes, and to introduce new features.
Will any solution always remain a step ahead of the
hackers? No, but when there are security holes that are known and there are
patches available, you need to implement them on your site. There are no
excuses for not keeping up with the updates.
You should also make sure to keep your plug-ins and
themes up-to-date. Also, if you have a
VPS or dedicated server, keep all of the things associated with the server
up-to-date as well.
Changing the WordPress Login Username
Change the username that is provided as the default
admin user when you first set up your account.
Since most brute force attacks on your website are
automated, they most likely will either use “admin”, “administrator”,
“manager”, or your domain name to try to hack into your account, so use a
random username instead. Of course the username should be backed by a strong
user password using the guidelines that were covered earlier.
Guarding Against Brute Force Attacks
Many people do not realise that most sites have at
least a few hundred unauthorised login attempts each day.
In addition to the possibility of successfully hacking
into your blog, these attacks can also put a strain on your server resources. To
guard against these brute force attacks, make sure you have taken the steps
listed above. You can install a plug-in such as Limit Login Attempts that will
lock out the hacker after a certain number of failed login attempts.
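To show what a lockout plug-in such as Limit Login Attempts is reacting to, here is an added Python example (not the plug-in's code) that counts failed wp-login.php POSTs per IP address in a sliding window over constructed Apache access-log lines and reports which addresses would be locked out. The threshold of 4 failures within 20 minutes is assumed for the demo, not taken from the plug-in's configuration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache access-log lines for wp-login.php (not real traffic).
# WordPress answers a failed login by re-rendering the form (200) and a
# successful one with a redirect (302), so repeated 200s on POST are failures.
LOG_LINES = """\
203.0.113.7 - - [10/Jun/2013:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [10/Jun/2013:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
198.51.100.4 - - [10/Jun/2013:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Jun/2013:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [10/Jun/2013:08:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [10/Jun/2013:08:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
203.0.113.7 - - [10/Jun/2013:08:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
198.51.100.4 - - [10/Jun/2013:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3981
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def failed_logins(lines):
    """Yield (ip, timestamp) for each POST to wp-login.php that did not redirect."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "302":
            yield m["ip"], datetime.strptime(m["ts"], TIME_FMT)


def lockouts(lines, max_attempts=4, window=timedelta(minutes=20)):
    """Return {ip: time of lockout} for IPs reaching max_attempts failures inside window."""
    recent = defaultdict(deque)  # per-IP timestamps of failures still inside the window
    locked = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_attempts and ip not in locked:
            locked[ip] = ts
    return locked
```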
Malware Monitoring
You need to have a solution in place that will
constantly monitor your site for malware.
A perfect free solution for this is WordFence which
will scan your WordPress core, plug-ins, and themes for changes against the
files in the WordPress repository. If there are changes to the files it will
send you an email notification if you provide an email address within the
plug-in options page.
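An added Python example (not WordFence's code) of the file-integrity check just described: hash every file under the WordPress root, compare against a baseline manifest, and report modified, added and missing files. The baseline here is built from a constructed clean tree in a temporary directory, standing in for hashes of the files in the WordPress repository.

```python
import hashlib
import os
import shutil
import tempfile

def file_sha256(path):
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_sha256(full)
    return manifest

def compare(baseline, current):
    """Split the current tree into modified, added and missing files versus the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Build a constructed clean tree, tamper with it, and report the differences."""
    tmp = tempfile.mkdtemp()
    try:
        site = os.path.join(tmp, "site")
        os.makedirs(os.path.join(site, "wp-includes"))
        with open(os.path.join(site, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(site, "wp-includes", "functions.php"), "w") as f:
            f.write("<?php // pristine copy\n")
        baseline = build_manifest(site)  # stands in for the repository's hashes
        # Simulate tampering: an edited core file, a deleted file, an unexpected new file.
        with open(os.path.join(site, "wp-includes", "functions.php"), "a") as f:
            f.write("// unexpected change\n")
        os.remove(os.path.join(site, "index.php"))
        with open(os.path.join(site, "wp-includes", "extra.php"), "w") as f:
            f.write("<?php // not part of the release\n")
        return compare(baseline, build_manifest(site))
    finally:
        shutil.rmtree(tmp)
```

A scan like this only catches changes to files that have a known-good copy; content under wp-content/uploads or custom code has no repository baseline and needs its own manifest.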
Another malware monitoring solution that includes
server side scanning as well as a variety of other features is Sucuri. Although
it costs some money, it is well worth it for the additional features it
provides.
Fix Malware Issues
In addition to your efforts to prevent malware from
infecting your blog, it is always a good idea to find a way to clean up any
malware issues that are detected. One of the costs that many blog and website
owners tend to overlook is the cost of downtime that is associated with
security problems and the time it takes to clean up those issues.
A good solution that will remove malware in the event
that you are hacked is Sucuri. If you have been hacked already, you can sign up
for their service and they will remove the malware even if you were hacked
before signing up.
Choose the right web host
A substantial security risk comes from having your blog on a shared server. Consider the risks of your single blog and then multiply them by the number of blogs and websites on the same server.
If you choose shared hosting, it is likely that you are
going to be lumped in with hundreds of other sites. The reason shared hosting
is a big risk is because if another website on the same server as you gets
hacked, your website can possibly be hacked as well.
While your own VPS or dedicated server may not be the right choice for you because of the knowledge needed to manage it and the cost, managed WordPress hosting may be a good alternative. It is more expensive, but well worth it considering the risks that come with generic shared hosting.
With managed WordPress hosting you get better security,
a faster site, better support, and full backups done automatically for you. The
3 managed WordPress hosts that stand out are WP Engine, Pagely, and
Synthesis. All of them are slightly
different and have different benefits, so look into each one and pick the one
that fits you best.
Control Sensitive Information
When you are cleaning up your blog files make sure that
you are not leaving any important information available for the world to
access. Check your phpinfo.php and i.php files. These are like roadmaps to your
set up and a hacker will be able to use this information to break in.
Another area of caution: don’t store backups of your
site directly on your website’s server.
This is just inviting potential hackers to download the backups and hack
into your website without any work!
Disabling directory browsing is a good idea to prevent
a hacker from browsing your blog site’s folders and files for information that
could lead to them finding a way to exploit you.
You can disable directory browsing by adding the line Options -Indexes to your .htaccess file.
The last thing you have to be careful with is using the file manager within cPanel and having it save temporary copies of important files such as wp-config.php. That is why it is always better to use secure file transfer protocol (SFTP) with a program such as FileZilla.
Never store your passwords within FileZilla
because they are not encrypted. If you were ever to get malware on that
computer, it is very common for malware to search for passwords stored within
FileZilla and use them for malicious intent.
Back Up Your Site Daily
It is always a good idea to back up your blog site in case your site gets hacked, or even if you made the wrong change to a file and want to restore a prior version.
The two best solutions for backing up your site are BackupBuddy and VaultPress. If you are already using another backup solution, that is fine; just make sure it isn’t overwriting the previous backup and that you have backups going back at least a few weeks. It’s also very important to test the backup to make sure it works, even if you don’t need it yet.
Be Vigilant
You need to stay on
top of everything that is going on in the WordPress security world.
Remember, preventing issues in the first place is
better than detecting and fixing them later. While a managed WordPress host
will have your back, it is also important that you have your own back as well.
Take the steps that are listed above to help make your
WordPress site as secure as possible and keep an eye on stories about website
security as well. Never think that the security issues are only affecting other
sites… they can just as easily affect yours.
Caleb Lane is the WordPress security expert for Lockdown
2013, where you can learn how to secure your WordPress website. He spends his time consulting with companies
about their website security and keeping his clients updated about the latest
changes and news in website security.