This is a guest contribution from Caleb Lane, WordPress security expert.
I am sure you already have on your to-do list that you need to respond to emails, return phone calls, show up for meetings, write more content, and a whole lot more.
But what if I told you that being hacked could destroy all of that work and force you to start over? I bet your to-do list would change a little if everything you have built on your website were gone forever.
That is why WordPress security is so important, and why you need to move it to the top of your to-do list.
For those who use WordPress there are some things that you can do to make sure your site is as secure as possible. Here are 11 things that you should do to help ensure your site is as safe and secure as possible:
1. Create Strong Passwords
This is one of the easiest things you can do to keep your website secure. Many people skip it because it seems to take too much time, but it should be taken very seriously. Each of your sites should have a different password.
- Every password should be at least 15 characters long, and it’s best if your password does not contain a real word.
- You should use capital and lowercase letters, numbers, and special characters such as a question mark.
- Your password is your first form of protection against hackers, so make sure you come up with a strong one.
Once you have secure passwords for all of your sites, you should never just write them down.
The only two places your passwords should be are in your head or within a password manager with a strong master password.
If you are going to use a password manager, LastPass or KeePass should do the job for you. LastPass offers a free version and a premium version for $12 a year, while KeePass is open-source and completely free. If you decide to use KeePass, make sure you keep a backup of the password database file in case the file becomes corrupted or your hard drive fails.
2. Keep Your Site Updated
When it comes to WordPress, many people do not want to take the time to make sure they have all of the current updates.
Remember, WordPress is not releasing these updates just to get media attention. The updates are released to fix bugs, patch security holes, and introduce new features.
Will any solution always remain a step ahead of the hackers? No, but when there are security holes that are known and there are patches available, you need to implement them on your site. There are no excuses for not keeping up with the updates.
You should also make sure to keep your plug-ins and themes up-to-date. Also, if you have a VPS or dedicated server, keep all of the things associated with the server up-to-date as well.
3. Changing the WordPress Login Username
Change the username that is provided as the default admin user when you first set up your account.
Since most brute force attacks on your website are automated, they most likely will either use “admin”, “administrator”, “manager”, or your domain name to try to hack into your account, so use a random username instead. Of course the username should be backed by a strong user password using the guidelines that were covered earlier.
4. Guarding Against Brute Force Attacks
Many people do not realise that most sites have at least a few hundred unauthorised login attempts each day.
Besides the possibility of a successful break-in, these attacks also put a strain on your server resources. To guard against brute force attacks, make sure you have taken the steps listed above. You can also install a plug-in such as Limit Login Attempts, which locks out the attacker after a certain number of failed login attempts.
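As an added example that is not part of the original article: a small shell function that counts likely failed logins per source address from an Apache/Nginx "combined" access log, using the heuristic that a wrong password makes wp-login.php re-render the form with a 200 while a successful login answers with a 302 redirect. The log lines are constructed sample data, and the function name and threshold are my own.

```shell
#!/bin/sh
# Added example: find source addresses hammering wp-login.php in an
# Apache/Nginx "combined" access log.  Heuristic: on a wrong password
# WordPress re-renders the login form with HTTP 200, while a successful
# login answers with a 302 redirect, so "POST /wp-login.php -> 200" is a
# failed attempt.  The log below is constructed sample data, not real traffic.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Jun/2013:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Jun/2013:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.50 - - [10/Jun/2013:12:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2013:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2013:12:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2013:12:06:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# failed_logins LOGFILE THRESHOLD
# Prints "<count> <ip>" for every address with at least THRESHOLD failed
# attempts, busiest first.  Combined-format fields: $1 client IP, $6 method
# (with the opening quote), $7 request path, $9 status code.  The exact path
# match deliberately skips lost-password posts (/wp-login.php?action=...).
failed_logins() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) printf "%d %s\n", fails[ip], ip
        }' "$1" | sort -rn
}

# Addresses with three or more failures are lockout candidates; compare this
# list with what Limit Login Attempts is already blocking.
failed_logins "$SAMPLE_LOG" 3
```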
5. Malware Monitoring
You need to have a solution in place that will constantly monitor your site for malware.
A perfect free solution for this is WordFence, which scans your WordPress core, plug-ins, and themes for changes against the files in the WordPress repository. If any files have changed, it will send you an email notification, provided you enter an email address on the plug-in options page.
Another malware monitoring solution that includes server side scanning as well as a variety of other features is Sucuri. Although it costs some money, it is well worth it for the additional features it provides.
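An added example, not the article's or Wordfence's code: a minimal file-change monitor in the same spirit. Where Wordfence compares against the WordPress repository, this one records a hash of every file under the document root once and reports files that were modified, added or removed since. The sample site, the manifest location and the function names are assumptions for the demo; sha256sum is the GNU coreutils tool.

```shell
#!/bin/sh
# Added example: a minimal file-change monitor in the spirit of step 5.
# Record one hash per file under the document root, then compare later runs
# against that baseline.  sha256sum is the GNU coreutils tool (on BSD/macOS
# use "shasum -a 256").  Paths containing spaces are not handled.

# snapshot DOCROOT -> "<sha256>  ./relative/path" lines, one per file.
# Uploads and cache churn constantly, so they are left out of the baseline.
snapshot() {
    (cd "$1" && find . -type f ! -path './wp-content/uploads/*' \
        ! -path './wp-content/cache/*' -exec sha256sum {} + | sort -k 2)
}

# baseline DOCROOT MANIFEST -> store the reference snapshot outside the docroot
baseline() { snapshot "$1" > "$2"; }

# changes DOCROOT MANIFEST -> "added|modified|removed <path>", nothing when clean
changes() {
    [ -s "$2" ] || { echo "changes: no baseline at $2" >&2; return 1; }
    snapshot "$1" | awk '
        NR == FNR      { base[$2] = $1; next }      # first file: the manifest
        !($2 in base)  { print "added " $2; next }  # on disk, not in baseline
        base[$2] != $1 { print "modified " $2 }     # hash differs
                       { delete base[$2] }          # seen; whatever is left was removed
        END            { for (p in base) print "removed " p }' "$2" - | sort
}

# make_sample_site -> path of a constructed three-file "site" for the demo
make_sample_site() {
    s=$(mktemp -d)
    mkdir -p "$s/wp-includes" "$s/wp-content/plugins/demo"
    printf '<?php // front controller\n' > "$s/index.php"
    printf '<?php // core file\n'        > "$s/wp-includes/old.php"
    printf '<?php // plugin\n'           > "$s/wp-content/plugins/demo/demo.php"
    echo "$s"
}

SITE=$(make_sample_site)
baseline "$SITE" "$SITE.manifest"                                   # day 0: clean
printf '// injected line\n' >> "$SITE/index.php"                    # modified
printf '<?php // dropped in\n' > "$SITE/wp-content/plugins/demo/extra.php"  # added
rm "$SITE/wp-includes/old.php"                                      # removed
changes "$SITE" "$SITE.manifest"
```

Run baseline right after a clean install or update and changes from cron; re-run baseline only after you have verified that every reported change was yours.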
6. Fix Malware Issues
In addition to your efforts to prevent malware from infecting your blog, it is always a good idea to find a way to clean up any malware issues that are detected. One of the costs that many blog and website owners tend to overlook is the cost of downtime that is associated with security problems and the time it takes to clean up those issues.
A good solution that will remove malware in the event that you are hacked is Sucuri. If you have been hacked already, you can sign up for their service and they will remove the malware even if you were hacked before signing up.
7. Choosing a Hosting Provider
A substantial security risk comes from having your blog on a shared server. Consider the risks to your single blog and then multiply them by the number of blogs and websites on the same server.
If you choose shared hosting, it is likely that you are going to be lumped in with hundreds of other sites. The reason shared hosting is a big risk is that if another website on the same server gets hacked, your website can possibly be hacked as well.
While your own VPS or dedicated server may not be the right choice for you, given the knowledge required to manage it and the cost, managed WordPress hosting may be a good alternative. It is more expensive, but well worth it considering the risks that come with generic shared hosting.
With managed WordPress hosting you get better security, a faster site, better support, and full backups done automatically for you. The 3 managed WordPress hosts that stand out are WP Engine, Pagely, and Synthesis. All of them are slightly different and have different benefits, so look into each one and pick the one that fits you best.
8. Clean Up Your Site
As well as protecting your blog, you need to keep it tidy. Get rid of any old plug-ins and themes that you are no longer using.
This also means keeping websites that are still in development on a separate server from those in production. Oftentimes you will start working on a new website and then forget about it for a few months, so it falls out of date and becomes vulnerable to being hacked. For this reason, it is always a good idea to keep the sites you are still working on separate from your live production sites, on a different server.
9. Control Sensitive Information
When you are cleaning up your blog files, make sure you are not leaving any important information available for the world to access. Check for phpinfo.php and i.php files. These are like roadmaps to your setup, and a hacker will be able to use this information to break in.
Another area of caution: don’t store backups of your site directly on your website’s server. This is just inviting potential hackers to download the backups and hack into your website without any work!
Disabling directory browsing is a good idea; it prevents a hacker from browsing your blog site’s folders and files for information that could lead to a way to exploit you.
You can disable directory browsing by adding the line “Options -Indexes” (without the quotes) to your .htaccess file.
The last thing to be careful with is using the file manager within cPanel, which can leave temporary copies of important files such as wp-config.php on the server. That is why it is always better to use secure file transfer protocol (SFTP) with a program such as FileZilla.
Bonus Tip: Never store your passwords within FileZilla, because they are not encrypted. If you were ever to get malware on that computer, it is very common for malware to search for passwords stored within FileZilla and use them for malicious purposes.
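An added example (not from the article) that audits a document root for the items in this step and then applies the Options -Indexes fix. The sample directory is constructed, and the extra file patterns it checks beyond phpinfo.php, i.php and wp-config.php (archives, SQL dumps, editor and .bak leftovers) are my own assumptions about what typically gets left behind.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for the step 9 leaks
# (phpinfo.php / i.php, backups and stray config copies, directory listing)
# and apply the Options -Indexes fix.  It runs here against a constructed
# sample directory, never against a live site.

# audit_docroot DOCROOT -> one finding per line; no output means clean
audit_docroot() {
    root=$1
    # 1. Scripts that call phpinfo() publish PHP version, paths and modules.
    for f in phpinfo.php i.php; do
        if [ -e "$root/$f" ]; then
            echo "disclosure: $f is reachable from the web"
        fi
    done
    # 2. Archives, SQL dumps and stray copies of wp-config.php (the cPanel
    #    file manager and editors leave .bak/.swp/~ files) are downloadable.
    (cd "$root" && find . \( -name '*.zip' -o -name '*.tar.gz' -o -name '*.sql' \
        -o -name 'wp-config.php.*' -o -name '*.swp' -o -name '*~' \) \
        -exec printf 'exposed: %s\n' {} \;) | sed 's#^exposed: \./#exposed: #'
    # 3. Directory listing stays on unless the root .htaccess turns it off.
    if ! grep -qs 'Options[[:space:]][^#]*-Indexes' "$root/.htaccess"; then
        echo "listing: .htaccess does not contain 'Options -Indexes'"
    fi
}

# disable_listing DOCROOT -> append the directive only when it is missing
disable_listing() {
    if ! grep -qs 'Options[[:space:]][^#]*-Indexes' "$1/.htaccess"; then
        printf '\n# block directory browsing (step 9)\nOptions -Indexes\n' >> "$1/.htaccess"
    fi
}

# make_sample_docroot -> path of a constructed docroot: one legitimate file
# (wp-config.php, which must NOT be flagged) and four findings.
make_sample_docroot() {
    d=$(mktemp -d)
    printf '<?php // real config\n' > "$d/wp-config.php"
    printf '<?php phpinfo();\n'     > "$d/phpinfo.php"            # finding 1
    cp "$d/wp-config.php"             "$d/wp-config.php.bak"       # finding 2
    : > "$d/backup-2013-06-10.zip"                                  # finding 3
    printf 'RewriteEngine On\n'     > "$d/.htaccess"               # finding 4: listing on
    echo "$d"
}
SAMPLE_ROOT=$(make_sample_docroot)
audit_docroot "$SAMPLE_ROOT"      # four findings
disable_listing "$SAMPLE_ROOT"
audit_docroot "$SAMPLE_ROOT"      # three left: delete those files by hand
```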
10. Backup Your Site
It is always a good idea to back up your blog site in case it gets hacked, or even if you make the wrong change to a file and want to restore a prior version.
The two best solutions for backing up your site are BackupBuddy and VaultPress. If you are already using another backup solution, that is fine; just make sure it isn’t overwriting the previous backup and that you have backups going back at least a few weeks. It’s also very important to test the backup to make sure it works, even before you need it.
11. Be Vigilant
This is fairly simple to explain. You need to stay on top of everything that is going on in the WordPress security world.
Remember, preventing issues in the first place is better than detecting and fixing them later. While a managed WordPress host will have your back, it is also important that you have your own back as well.
Take the steps that are listed above to help make your WordPress site as secure as possible and keep an eye on stories about website security as well. Never think that the security issues are only affecting other sites… they can just as easily affect yours.
Caleb Lane is the WordPress security expert for Lockdown 2013, where you can learn how to secure your WordPress website. He spends his time consulting with companies about their website security and keeping his clients updated about the latest changes and news in website security.