WordPress is pretty secure by default. But it is also the most popular open source CMS in the world, which makes it a target for wannabe hackers, malicious code distributors, and random DDoS attacks. Making your WordPress site secure should be your top priority right after you install WordPress.
Here is what you need to do.
1. Always Use Unique Strong Passwords
Passwords are your first line of defense, and most often they are the weakest point. When you are hosting your own site, you are not just managing your WordPress admin password. You also have passwords for your hosting cPanel, your FTP account, your MySQL user, and so on.
Short, dictionary-based passwords can be cracked easily. Generate long passwords containing special characters and spaces, and make it a habit to use a unique password for every account.
The big question is how you will remember all those strong passwords. There are several password managers that generate, store, and auto-fill passwords for you. LastPass and 1Password are the two most popular password management tools on the market right now.
2. Set Up Automated Backups
No matter how secure your site is, you should always be ready for the worst case. To protect your site against any threat, set up an automated backup system as soon as possible. Even if your web hosting provider offers daily backups of your site, you should still have your own backup system in place.
There are several WordPress plugins, both free and paid, that let you set up backups quickly. You can install BackupBuddy, which is a premium WordPress plugin, or use a free plugin like BackWPup or UpdraftPlus.
Make sure that you store your backups on a cloud storage service like Dropbox, Google Drive, or OneDrive. To be even more cautious, you can occasionally download backups to your own computer by hand.
3. Password Protect WordPress Admin Directory
You can add another security layer to your WordPress site by password-protecting your WordPress admin directory. This is an advanced step, so make a complete site backup before proceeding any further.
First you need to create a .htpasswds file. Use an .htpasswd generator tool to create it: enter a username and your desired password, and the tool will produce a single line containing your user name and your password in hashed form.
Paste this line into your .htpasswds file and upload it to your server. Do not place it inside your website's web root; upload it outside your public_html directory, at the path you will reference in AuthUserFile below.
Now create a new .htaccess file in the wp-admin folder of your website. Paste this code inside your new .htaccess file:
AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user yourusername
# Exempt admin-ajax.php, which the public side of the site calls without a login.
# Keep these three directives inside this <Files> block: at the top level of the
# file, "Satisfy any" together with "Allow from all" would waive the password for
# every request to wp-admin.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Don’t forget to replace yourusername with the username you used when creating your .htpasswds file.
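A quick check for the mistake this snippet invites, added here as an example (my code, not from the original post): it walks a wp-admin .htaccess, tracks <Files> sections, and reports when the top-level scope has no Require directive or has "Satisfy any" together with "Allow from all", which waives the password for every request. The two sample .htaccess texts are constructed for the check.

```python
import re
# Constructed sample: host-access directives left at the top level of the file.
BROKEN = """AuthName "Admins Only"
AuthType basic
require user yourusername
Order allow,deny
Allow from all
Satisfy any
"""
# Constructed sample: the same directives scoped to admin-ajax.php only.
FIXED = """AuthName "Admins Only"
AuthType basic
require user yourusername
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
"""

def audit_wp_admin_htaccess(text):
    """Return a list of findings about the top-level (whole-directory) scope."""
    scope = ["<top>"]   # stack of enclosing <Files>/<FilesMatch> sections
    seen = {}           # scope name -> set of directive kinds found there
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<(Files|FilesMatch)\s+([^>]+)>", line, re.I)
        if opened:
            scope.append(opened.group(2).strip('"'))
            continue
        if re.match(r"</(Files|FilesMatch)>", line, re.I):
            scope.pop()
            continue
        kinds = seen.setdefault(scope[-1], set())
        low = line.lower()
        if low.startswith("require "):
            kinds.add("require")          # Basic-auth requirement
        elif low.startswith("allow from all"):
            kinds.add("allow_all")        # host check that always succeeds
        elif low.startswith("satisfy any"):
            kinds.add("satisfy_any")      # pass if EITHER auth OR host check succeeds
    top, findings = seen.get("<top>", set()), []
    if "require" not in top:
        findings.append("no Require directive at top level: wp-admin is not password protected")
    if {"allow_all", "satisfy_any"} <= top:
        findings.append("'Satisfy any' with 'Allow from all' at top level bypasses the password")
    return findings
```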
4. Use a Security Plugin or Service
The three steps above should make it quite difficult for someone to break into your website. Sadly, they will not hold forever against a determined attacker. To strengthen your site's security further, you have two options.
The first option is installing a security plugin like BulletProof Security or iThemes Security. These plugins help you cover the most vulnerable parts of your WordPress setup. Both are very well documented and guide you through every step, so that you know exactly what you are doing. They also give you a chance to learn about the most commonly exploited weaknesses on WordPress sites and how these tools lock them down.
The other alternative is to sign up for Sucuri, an online website monitoring and scanning service. Sucuri offers WordPress site owners peace of mind against the most common attacks, trojans, and malicious code injections. It sends you instant notifications when something suspicious happens on your site, and they will clean up your site for free if something gets injected while you are subscribed to their service.
5. Be Careful With Access to Admin Area
If you run a multi-user website where other users can log in to write posts, then you need to make sure that those users follow the security best practices mentioned above. Most importantly, make sure that every user on your site uses a strong password.
Sometimes a developer you hire to work on your site will need admin access to your WordPress site. Instead of giving them your own account credentials, create a new user account for them on your WordPress site. You can also create a separate FTP user account for them. Once they are done working on your site, delete those accounts so that they cannot be misused later.
6. Themes and Plugins
Never download or install a WordPress theme or plugin from an unreliable source. Themes and plugins hosted on WordPress.org are considered quite safe because they go through a security review. These checks weed out malicious code that someone could hide in a plugin or theme.
All free themes and plugins from other sources should be treated with suspicion.
There are several well-known and respected WordPress plugin and theme shops. Look for signs that you are purchasing or downloading your theme or plugin from a trustworthy source. Check out the must-have WordPress plugins for 2015.
Conclusion:
Most WordPress sites run without any problem for years. However, malicious code, trojans, brute force attacks are all too common on the web. It is better to be safe than sorry.
Nick Anderson operates Hostoople.com, which provides WordPress web hosting and offers numerous tools.
[Lock image via Leo Reynolds via Compfight cc]
Sean Leacy (@GeekAthair) says
Don’t use “Admin”, “Administrator”, “root” or your URL (if your website is joesblog.com, don’t use joesblog) as a user/admin on your install. I’d also highly recommend Wordfence; it will limit login attempts and notify you when someone’s been blocked. It definitely gives you an idea of how often WordPress installs are targeted.
Eric Dye says
For real.