
WordPress Security - Part 1: The Basics

1. Personal Workstation Security
    a. Have and regularly scan your machine for viruses or malicious software.
    b. Update your browsers, anti-virus, and operating system regularly.
    c. Install security patches as soon as they become available.
    d. Use a firewall, at the router and the ISP level if possible.
    e. Update local passwords often, at least every 2-3 months.

2. Strong Passwords
    a. http://www.pcmag.com/article2/0,2817,2368484,00.asp
    b. It is so important to get this one right, no excuses.
    c. Don't share your password.
    d. Don't use the same password in multiple locations.
    e. Don't have the mindset that someone isn't going to hack you.

3. Protect Your 'wp-admin' Users
    a. Rename the admin user to something unique, but know that your username is published in a variety of locations on your website. Just renaming the admin user may not necessarily protect your account.
    b. Make sure that each admin user on your account has a secure and unique password.
    c. Yubikey is an additional option that can further secure your log-in, check out the details for that here: http://www.yubico.com/

4. Keep WordPress and Other Applications Updated
    a. These updates fix bugs, close security holes, and add functionality.
        The most important part of updating is patching known security issues.
        Hackers will scan for particular versions of WordPress and attempt to hack in with these known vulnerabilities.
    b. If you used Softaculous to install WordPress, it can also help you to update it:
        http://www.midphase.com/support/q977/How-do-I-install-WordPress-using-Softaculous
    c. Do the same for any themes or plugins you have installed - updates are vital to account security.
    d. If you worry about themes or plugins breaking when you update, you need to use different themes or plugins - the providers of these add-ons should be keeping up with WordPress updates so that users like you stay as secure and functional as possible.
    e. If you're not a developer you should look at plugins/themes with paid update and/or support options, as these will be more likely to help keep your website secure.

5. Control Sensitive Information
    a. Permissions on files are configurable for a reason. Control what files are visible to the world, and limit particulars about your account functionality.
    b. For example, disable world read permissions on the readme.html file to avoid letting outsiders see what version of WordPress you're using.
    c. Make sure you don't have phpinfo.php, info.php, or i.php files accessible to everyone.
    d. DO NOT leave .sql backup files in your web directory - your usernames and passwords are saved in those files along with all your posts and comments.
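The checks in this section can be scripted. The following is an added example, not part of the original article: it walks a WordPress document root (assumed to be passed as the first argument) and lists the version-revealing, phpinfo-style and .sql files that are still world-readable, then removes world-read from the static files and flags any database dumps for removal.

```shell
#!/bin/sh
# Added example: audit a WordPress docroot for the files this section warns about.
# Assumes $1 is the path to the WordPress installation (e.g. ~/public_html).

# List world-readable files that leak the WordPress version (readme.html,
# license.txt), expose PHP configuration (phpinfo.php, info.php, i.php),
# or contain a database dump (.sql, .sql.gz) with the wp_users table in it.
audit_wp_docroot() {
  find "$1" -maxdepth 3 -type f \( \
      -name 'readme.html' -o -name 'license.txt' -o \
      -name 'phpinfo.php' -o -name 'info.php' -o -name 'i.php' -o \
      -name '*.sql' -o -name '*.sql.gz' \) -perm -o=r 2>/dev/null | sort
}

# Remove world-read from the informational files; a database dump must be
# moved out of the web root entirely, so it is only reported, never chmod'd.
harden_wp_docroot() {
  audit_wp_docroot "$1" | while IFS= read -r f; do
    case "$f" in
      *.sql|*.sql.gz) echo "CRITICAL: move out of web root: $f" ;;
      *)              chmod o-r "$f" && echo "fixed: $f" ;;
    esac
  done
}

# Stand-alone run: audit, harden, audit again.
if [ -n "$1" ]; then
  audit_wp_docroot "$1"
  harden_wp_docroot "$1"
fi
```

Removing world-read only keeps the web server out of a file when it runs as a different system user than the file's owner, which is the usual shared-hosting setup; where PHP runs as your own user, delete or relocate the file instead.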

6. Malware
    a. Monitor for malware every day.
        http://www.sitelock.com/
        http://sucuri.net/introducing-server-side-scanning.html
    b. Do something about it!
        The tools above will actually help you resolve the issues that come up.
        Make sure that you are proactive in taking care of possible infections immediately.

7. Clean your site
    a. Just like you complete daily chores around the house, you should regularly clean up your site and files that you do not need.
    b. Having old files on your account can leave you vulnerable, even if you've deactivated the old plugin or kept a backup of an old version in your web folder.
    c. Stay clean and keep things organized - you should know all the files on your account well enough to identify when something is there that shouldn't be.

8. Back up your website
    a. A good plugin that can be used here is WP-DB Manager (note that it may consume excessive resources in a shared environment).
        This plugin can be useful for reporting other vulnerabilities as well, when it detects accessibility issues.
        http://wordpress.org/extend/plugins/wp-dbmanager/
    b. Remote backups are also good options, if you haven't already, check out ComCure:
        https://www.comcure.com/

9. Install Security Plugins
    a. Remember to only install plugins offered through the WordPress control panel, since external plugins may not be secure. Most plugins offered from WordPress.org are regularly audited for the benefit of your security.
    b. Guard against brute force attacks. Thousands of failed login attempts happen on servers every day. While we do provide firewall protection to help defend against attacks like this, there are steps you can take as well!
        i. Plugins like Limit Login Attempts and CAPTCHA can help you defend your account from brute force attacks.
            http://wordpress.org/extend/plugins/limit-login-attempts/
            http://wordpress.org/extend/plugins/si-captcha-for-wordpress/
    c. Exploit scanner http://wordpress.org/extend/plugins/exploit-scanner/
    d. Install other useful plugins such as Bad Behavior and User Spam Remover.
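The login-limiting plugins above react to repeated failed logins; the following added example (not from the article) shows what that pattern looks like in a server access log. WordPress answers a failed login POST to wp-login.php with a 200 (the form is shown again) and a successful one with a 302 redirect to wp-admin, so a burst of "POST /wp-login.php ... 200" lines from one IP is the signature. The log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: spot password-guessing against wp-login.php in a
# combined-format (Apache/nginx) access log. Constructed sample log follows.
SAMPLE_LOG='203.0.113.5 - - [19/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Apr/2013:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Apr/2013:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Apr/2013:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
192.0.2.44 - - [19/Apr/2013:10:02:00 +0000] "GET /readme.html HTTP/1.1" 200 7200 "-" "curl/7.29"'

# Read log lines from stdin and print "count ip" for every client whose
# failed wp-login.php POSTs reach the threshold given as $1 (default 5).
# Fields in combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
login_bruteforce_ips() {
  awk -v limit="${1:-5}" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
  ' | sort -rn
}

# Stand-alone run against the constructed log: reports 203.0.113.5 only,
# since 198.51.100.7 failed once and then logged in (302).
printf '%s\n' "$SAMPLE_LOG" | login_bruteforce_ips 5
```

On a real server, feed it the live log instead, e.g. `login_bruteforce_ips 10 < /path/to/access_log`, and compare the reported IPs against what the firewall or login-limiting plugin has already blocked.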

Want More? Check out:
WordPress Security - Part 2: Maximum Security!

Last Updated: 19th of April, 2013     Article ID: 1009