12 Steps to Secure Your WordPress Website

The very first thing you should do is Beware of Hackers.

Were you recently freaked out by a scary report on the hacking of a major WordPress website? You have a lot of sensitive data on your site and you don’t want it being compromised in any way, do you? Every day, there are thousands of unauthorized login attempts at various sites, and they can wreak havoc on your site.

Maybe a hacker living halfway across the globe is even at this moment trying to hack into your WordPress website. Your site can be vulnerable due to Link Injection, PHP code injections, blackhole exploits and so on, against which you need to protect it.

These days, you just can’t be too careful and need to take all steps to secure your WordPress website. For those having a technical background, this sounds quite easy, I suppose. But for others, security can be a little nebulous and you might find some of the safeguards a little difficult to understand. If you are the type to use the same password for your admin login accounts, your Gmail accounts and also for, well, your bank account (how naïve can you get), you really need to be taking security concerns a little more seriously.

WordPress is popular software for websites and has powered millions of them. There is, of course, no such thing as a hundred percent secure site; yet, you can take these 12 simple steps right away to make your WordPress website a lot safer. Remember that your WordPress site is only as secure or safe as you make it. Let’s kick off!

1. A Strong Password

The importance of a strong password cannot be stressed enough. You can do this immediately and make an overhaul to your password. Of course, I agree that it is easy to have a single password for all your sites, as it’s easy to remember. Use a password that has not less than ten characters, with a combination of numbers and letters, combining both upper and lower case. There is a password strength meter in WordPress and you can use it to ensure that the password is strong enough. Avoid using permutations of your real name, your company name, your website name and so on. In fact, I would say you should treat your password like your toothbrush – don’t allow anyone else to use it and throw it away every six months.

2. Check Folder and File Permissions

If you have set your file permissions to 777, this can prove to be the perfect red carpet welcoming all hackers. You could, instead, use 644 for files and 755 for folders. If you relax your file permissions, intruders can easily get into your site. The permissions decide whether everyone or only some users can read the file, write to it, execute it, etc. You can set them at the user level or at a group or public level. It is better to lock down the file permissions as much as possible and then loosen them only when you need a specific folder with fewer restrictions, for uploading files and so on.
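One way to check an install against the 644/755 baseline above, as an added example that is not from the original article. The function names are hypothetical, and the script assumes you run it as a user who can read the whole WordPress directory.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the article's baseline
# (644 for files, 755 for folders) and optionally reset it.
# Usage: audit_wp_perms <wordpress-root>   (the path is yours to supply)

# Files carrying any bit outside 644: owner execute, or group/other
# write or execute.
loose_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
        -o -perm -0002 -o -perm -0001 \) -print
}

# Directories carrying any bit outside 755: group or other write.
loose_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print
}

# Report everything looser than the baseline; succeed only if the tree is clean.
audit_wp_perms() {
    files=$(loose_files "$1")
    dirs=$(loose_dirs "$1")
    [ -z "$files" ] || printf '%s\n' "$files" | sed 's/^/FILE looser than 644: /'
    [ -z "$dirs" ] || printf '%s\n' "$dirs" | sed 's/^/DIR looser than 755: /'
    [ -z "$files" ] && [ -z "$dirs" ]
}

# Lock everything down to the baseline. Loosen individual folders
# afterwards only where a feature really needs it.
reset_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}
```

Run the audit first and read its output before calling `reset_wp_perms`, since a blanket reset also removes the execute bit from any script that was meant to have it.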

3. Sourcing Themes and Plugins

When sourcing themes or plugins, we have noticed that quite often, they contain malware and these can disrupt the performance of your WordPress website, and in the worst case scenario, even hack into critical information. They can also spread viruses to the users or visitors to your site. Hence, you need to make use of a trusted source when getting themes or plugins.

4. Selection of a Good Web Host

Make a careful choice of the right web host. Any host can run a WordPress website, but you need to select one that provides good security measures related to WordPress. You must choose a host who offers both security and speed and even offers security guarantees. In this case, if your website is compromised in any way, the host will have to foot the bill and get the problem fixed. A major security risk is using a shared server. Just think of it like this: consider all the security risks in your own installation and then multiply this by the number of other websites on the server. Generic hosting is even worse, as you have to share with hundreds of other websites. If you are on a shared server at all, make sure that there are just a few sites and that the host has good safeguards to protect your site. Always be careful of network vulnerabilities as well. The network on the server side as well as the client network should be trustworthy. For instance, it’s surely a bad idea to send your password through an unencrypted connection in an Internet café.

5. Making FTP Secure

You probably make use of FTP to access files in the website, but this is not very secure, as all the files and the passwords get sent to the web in the form of plain text. When you pass the information from your computer to the website, it can be easily viewed by a clever hacker. When accessing the site through FTP, it would be a good idea to use a Secure FTP (SFTP). The data no longer gets sent in plain text form, but in the form of encrypted data. This makes it difficult for others (hackers) to view the content. Use the SFTP on a safe and secure network while you try to access your files on the website. Take care to make the SFTP password a strong one.

6. Removing Old Themes and Plugins

You need to regularly clean out your site and remove all old themes and plugins that you are not using any more. Keeping a messy site makes it difficult for security professionals to save your site when it is compromised. Would you leave your stale dishes or silver sitting in dirty water for days on end without cleaning up? This would be literally begging for filth and germs. Have a regular schedule for cleaning up and organizing files and folders.

7. Number of Login Attempts

Many hackers use brute force tactics to attack websites. They keep trying to access the website hundreds of times by using all kinds of random combinations for passwords. To tackle this, there are plugins that can be used to limit the number of login attempts that a user makes. This is a great means of stopping hackers using brute force to access your site. The best method would be to limit attempts to three incorrect combinations of username and password. If the person submits the wrong combination three times, he gets locked out of attempting to enter the site for about a half hour or so. I believe most hackers will give up on a site if they are going to be banned every few minutes.
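To see whether your own site is receiving the repeated attempts described above, you can count failed logins per source in the web server's access log. This is an added example, not part of the original article; it assumes a combined-format log and that a failed WordPress login is a POST to /wp-login.php answered with status 200, while a successful one is redirected with 302. The log lines are constructed.

```shell
#!/bin/sh
# Added example: list sources with repeated failed logins.
# Assumptions: combined-format access log; failed login = POST to
# /wp-login.php with status 200 (a successful login answers 302).

# Constructed sample log using documentation IP ranges, not real traffic.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "client-a"
192.0.2.10 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "client-a"
198.51.100.7 - - [10/Mar/2024:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "client-b"
192.0.2.10 - - [10/Mar/2024:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "client-a"
198.51.100.7 - - [10/Mar/2024:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "client-b"
203.0.113.5 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2987 "-" "client-c"
203.0.113.5 - - [10/Mar/2024:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "client-c"
192.0.2.10 - - [10/Mar/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "client-a"
203.0.113.5 - - [10/Mar/2024:10:02:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "client-c"
EOF
}

# Print "<count> <ip>" for every source with at least $2 failed logins.
# $1 is the log file, or "-" to read the log from standard input.
failed_login_sources() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -k1,1nr -k2,2
}

# With the article's limit of three: sample_log | failed_login_sources - 3
```

The count covers the whole file rather than a half-hour window, so run it over a recent slice of the log when you want to compare against a lockout plugin's behaviour.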

8. Disabling File Editing

The WordPress file editor enables users to run PHP code, and this can be a security risk, as it is the gateway through which an attack can be carried out. By default, the WordPress dashboard allows administrators to edit PHP files, namely plugin and theme files. When a hacker logs in, this is the first tool he is likely to use, as code execution is allowed. You can disable the editing function from the Dashboard. This can, to some extent, prevent attacks from malicious hackers. Giving access to the WordPress file editor will enable hackers to run scripts and also upload any malware or destructive files, send emails to your users and even get access to your database. If you are not making use of the file editor, disable it immediately. If you are using it, make sure that you are the only one who ever sees it. You can disable it with just a single line of code that stands between you and trouble and takes just a few minutes. There are also other reasons for disabling this feature, as inserting a single wrong character in some places can crash the site.

9. Updating Your WordPress

If you go to the main WordPress site, you can get the latest version of WordPress. You must never download and install the software from any other website. The 2.7 version has automatic updates and it becomes easy to update your site. The WordPress dashboard also gives information about updates. You can read the latest entries in the Dashboard and take the appropriate steps for updating WordPress. Vulnerabilities are regularly discovered in versions and once this happens, a new version is released that addresses the issue. This information will be provided in the public domain and if you continue to maintain your old version, it is likely to be attacked. Hence, remaining up to date is very important.

10. Don’t Use Admin Account

In WordPress, you can give admin access to other users. Instead of retaining the default ‘Admin’ username, rename the administrative account to something else. Of course, hackers can easily find the usernames from blog posts and other places. Hence, it is also important to ensure that every account on your website with admin access is protected by a strong password. You can either delete the ‘admin’ account or just not create it in the first place. You can either remove it manually or use one of the plugins for doing this. Though it doesn’t provide complete protection for your site, removing the admin user can head off several kinds of attacks.

11. Hiding the WordPress Version

At times, you might forget to update the WordPress installation or you might have been too busy to do it. Looking at the version of the WordPress installation gives hackers a fairly good idea of ways of hacking it, especially if it is an outdated one. WordPress, by default, shows the version, as they would like to know the metrics, how many people are using the version and so on. By showing the version, you are actually putting up a bright signal informing hackers what to do. Open up the functions.php file and use the appropriate code for removing the version display.

12. Hiding Plugins

It will help to hide your plugins by using a blank index file in the plugins folder. You are probably thinking it doesn’t matter whether people view your plugins or not. On the contrary, plugins can give information to hackers regarding ways of hacking the site and also whether it can be hacked or not. For instance, if a hacker is able to view your plugins and see that you don’t have any security plugins, he can know that it’s going to be easy to enter your site. When you put up a blank index.html for the plugin folder, it is almost similar to a security sign. Even if you don’t have a security system in place, the hacker will not know about it and may not attempt to break in.
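A read-only check for steps 8, 11 and 12 on your own install, added here as an example and not taken from the original article. It assumes the one-line switch from step 8 is WordPress's `DISALLOW_FILE_EDIT` constant in wp-config.php (the article does not name it), that the version from step 11 appears as a `generator` meta tag in a saved copy of one of your pages, and it accepts either index.html or index.php in the plugins folder; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check steps 8, 11 and 12 without changing anything.

# Step 8: wp-config.php holds an uncommented define of DISALLOW_FILE_EDIT = true
# (assumed to be the "single line of code" the article refers to).
file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Step 11: a saved copy of a page from your site still names WordPress
# in its generator meta tag.
version_exposed() {
    grep -Eiq "<meta[^>]*name=[\"']generator[\"'][^>]*WordPress" "$1" 2>/dev/null
}

# Step 12: the plugins folder has an index file to serve in place of a listing.
plugins_index_present() {
    [ -f "$1/wp-content/plugins/index.html" ] ||
        [ -f "$1/wp-content/plugins/index.php" ]
}

# Usage: check_wp_hardening <wordpress-root> <saved-page.html>
# Prints one PASS/FAIL line per step; the exit status is the number of FAILs.
check_wp_hardening() {
    fails=0
    if file_edit_disabled "$1"; then echo "PASS step 8: file editor disabled"
    else echo "FAIL step 8: file editor still enabled"; fails=$((fails + 1)); fi
    if version_exposed "$2"; then
        echo "FAIL step 11: generator tag shows WordPress"; fails=$((fails + 1))
    else echo "PASS step 11: no generator tag found"; fi
    if plugins_index_present "$1"; then echo "PASS step 12: plugins index present"
    else echo "FAIL step 12: no index file in plugins folder"; fails=$((fails + 1)); fi
    return "$fails"
}
```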


WordPress is robust software for creating websites and has powered millions of websites, from blogs to large corporate websites. Yet, as it is becoming more and more popular, the web based attacks have also started increasing in alarming numbers. You need to protect it against malware and viruses and various other vulnerabilities. Some of the important steps are updating your plugins and themes regularly, cleaning out old plugins, selecting a good server among others.

As the old saying goes, prevention is always better than cure. Take proper backups regularly, so that you have the option of switching hosts quickly in case you discover that your site has been hacked or compromised. Online security is something that is constantly changing and there is absolutely no room for complacency. For instance, you can never claim that you have your security completely figured out and in place. With the evolving scenario, new threats keep emerging and you need to operate with this mentality. Stay vigilant at all times. The best way of prevention is early detection. Follow updates and keep your eyes and ears ready when you read about security issues affecting other sites – they could easily affect your WordPress site soon. Give respect to ‘thine’ enemy, if you want to overcome him!


  1. Having a good host is something people forget when it comes to security. A good host will do regular back ups of your files and database. A better host will even help find any malicious code if your website gets hacked.

  2. Very informative and useful idea you shared with us. A big thanks for sharing with us!!

  3. Great article, thanks for sharing because now I’m creating New wordpress site these all steps very useful to make secure.

    wordpress developer
