WordPress has been getting a lot of flak lately, due to a number of security threats, and a perception that the platform isn’t safe.
That’s not true. WordPress itself is as safe as any other internet-based platform, and it is constantly being updated and tweaked to make it more secure with every single update.
Of course, no open software is 100% safe, but WordPress core is pretty damn close.
The problem generally lies in other associated parts of WordPress: themes, plugins, and even the host.
What then can you do to secure and harden your site and reduce the chance of being hacked?
Below is a compilation of some of the best ways to manually and automatically protect your site.
Security Starts With You
Sometimes a hack has nothing to do with your website’s security, but instead originates on your own computer. Make sure any computers you use to access your website are up to date and free from malware and viruses.
As WordPress.org says:
“No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.”
1. Protect Your Users and Hide Your Passwords
Passwords are pesky things; they need to be secure but are annoying to remember, especially if you have lots of sites.
That does not change the fact that you, and the other users of your site (but especially administrators) should change passwords regularly, such as every 30 days.
Passwords should also be strong, so I advise using a generator such as:
- Strong Password Generator
- Passwords Generator
- Nortons Password Generator
- Lastpass’s Own Password Generator
Recent updates to WordPress have improved upon password generation, and it now automatically generates strong passwords for new users too.
I use a service such as LastPass for site logins as it makes it easier to track and maintain these complex passwords.
Make sure that your users also have secure passwords. Force Strong Passwords is a great plugin for that, especially if you have a high number of users: http://wordpress.org/plugins/force-strong-passwords/
Keeping in line with periodic password changes, it is useful to occasionally change the database password as well. It should also be checked to make sure that at the time of creation it wasn’t a weak password.
You can check the password by viewing your wp-config.php file via your host’s control panel or FTP. You can modify the password via your host’s control panel. Just remember, if you change the password, you need to update it in the wp-config.php file as well.
Down with the admin!
The admin user used to be the default first user of any WordPress site, and as such it takes a battering from hackers using brute force methods.
Unless your site is new and you gave the first user a different username, it is advisable to either delete the admin user or neuter it by giving it the subscriber role. This way, if a hacker successfully penetrates the admin account, they can’t do much with it.
Two-factor authentication
Two-factor (or two-step) authentication is a popular additional security step that can help secure your website.
The premise is that you log in as normal but then need to complete a secondary step such as scanning a fingerprint, typing in a code received via a text message, or even answering a security question.
Two-factor authentication is great as it adds that personal element that hackers just can’t match, but it does have its limitations. For example, if you lose or forget your phone and your authentication is via text message, it will be very difficult to access your site.
Plugins that provide two step authentication are:
One of the main ways a hacker will try to gain access to your site is the brute force attack.
This style of attack is aimed at passwords: it will continually try to guess your password.
One of the best ways to counter this is to use a plugin to limit the number of login attempts from an IP address.
You can also hide the login page itself. While this is “security by obscurity” which in itself is not that great, it can help to delay and potentially even prevent brute force attacks. Stealth Login is a great plugin to achieve this.
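One way to implement the per-IP login limit described above, as an added example (not the code of any plugin named on this page). It is a small must-use plugin that counts failed logins per client IP in WordPress transients and refuses authentication once the limit is hit; the constant names and the `lal_` prefix are made up for this example.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Drop this file into wp-content/mu-plugins/. After LAL_MAX_ATTEMPTS failed
 * logins from one IP, further logins from it are refused until the window
 * expires. Counters live in transients, so no extra tables are needed.
 */
define( 'LAL_MAX_ATTEMPTS', 5 );
define( 'LAL_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );

function lal_client_ip() {
    // REMOTE_ADDR is set by the web server, not the client. Behind a reverse
    // proxy you control, replace this with the proxy-supplied address.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '0.0.0.0';
}

function lal_key( $ip ) {
    return 'lal_' . md5( $ip );
}

// Count each failed login against the client IP. Every failure (including
// ones refused below) refreshes the expiry, so a persistent attacker stays out.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lal_key( lal_client_ip() );
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LAL_WINDOW_SECONDS );
} );

// Priority 30 runs after the core username/password check (priority 20), so a
// locked-out IP is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $attempts = (int) get_transient( lal_key( lal_client_ip() ) );
    if ( $attempts >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LAL_WINDOW_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lal_key( lal_client_ip() ) );
}, 10, 2 );
```

The lockout is per IP, so a distributed attack across many addresses still needs strong passwords to fail against; it complements, rather than replaces, the password advice above.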
2. Keep Your Database Secure
I’ve already mentioned the database password, but there are two other things you can do with your database to help change it from the defaults and thus increase protection.
The default database prefix is wp_ and all WordPress hackers know this. Ideally when starting your site, this should be changed, but it can be done retroactively.
To do so you need to edit the wp-config.php file and modify the prefix line. If being done retroactively, you will also need to modify the database directly to change all the table names to the new prefix, and to search each table for mentions of the prefix and change those too.
All this is a hassle especially if you are not experienced with databases, so you may want to check out iThemes Security as this allows you to change the prefix with one click.
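The retroactive prefix change walked through above, as an added example (not iThemes Security’s code or anything from WordPress core). It assumes WP-CLI is available (`wp eval-file change-prefix.php`), that a database backup has been taken first, and that the new prefix `xk9_` is a made-up value you would replace.

```php
<?php
/**
 * One-off script: move an existing site from its current table prefix to a
 * new one. After it runs, set $table_prefix = 'xk9_'; in wp-config.php.
 */
global $wpdb;
$old = $wpdb->prefix;   // the prefix currently configured in wp-config.php
$new = 'xk9_';          // constructed value for this example

if ( ! preg_match( '/^[a-z0-9_]+$/i', $new ) ) {
    die( "Prefix may only contain letters, digits and underscores.\n" );
}

// 1. Rename every table that starts with the old prefix. esc_like() escapes
//    the underscore, which would otherwise act as a LIKE wildcard.
$tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $old ) . '%' ) );
foreach ( $tables as $table ) {
    $renamed = $new . substr( $table, strlen( $old ) );
    $wpdb->query( "RENAME TABLE `{$table}` TO `{$renamed}`" );
}

// 2. Rows whose keys embed the prefix break roles and logins if left behind:
//    options.option_name (e.g. wp_user_roles) and
//    usermeta.meta_key   (e.g. wp_capabilities, wp_user_level).
foreach ( array( 'options' => 'option_name', 'usermeta' => 'meta_key' ) as $table => $column ) {
    $wpdb->query( $wpdb->prepare(
        "UPDATE `{$new}{$table}` SET `{$column}` = CONCAT(%s, SUBSTRING(`{$column}`, %d)) WHERE `{$column}` LIKE %s",
        $new,
        strlen( $old ) + 1,
        $wpdb->esc_like( $old ) . '%'
    ) );
}

echo count( $tables ) . " tables renamed. Now set \$table_prefix = '{$new}'; in wp-config.php\n";
```

Plugins that store their own table names or the prefix in their settings need the same search-and-replace treatment, which is the part the text warns is tedious by hand.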
Salts are long strings of random numbers, letters and symbols that are mixed in when hashing things like your password.
Decent hosts and WordPress installation software will automatically generate salts, but you should check this in your wp-config.php.
If you don’t have any, you can head over to the WordPress Salt Generator and create some.
Salts can be changed at any time; doing so also forces every user to log back in.
3. Always Prepare for the Worst
If you do get hacked, the worst part of it is the clean-up.
First you need to try and figure out how they got in (not an easy task), so check your site and plugin logs for unusual behavior (e.g. a large number of login attempts).
Once a hacker has access, one of the first things they usually do is make it easier for themselves to get back in, or set up code to do malicious things. They do this by modifying code in various files (it could be anywhere!).
As such, cleaning this mess up manually is a nightmare. One of the easiest ways to resolve it is to restore the site to a backup copy that is known to be clean.
Therefore keeping regular backups of files and the database is essential.
There are numerous free and premium backup plugins out there, but for an easy to use and feature-filled plugin, I recommend Backup Buddy.
I recommend doing daily database backups and weekly or biweekly file backups. These should be stored off-server and should be done regardless of whether the host provides backups or not.
Most decent backup plugins like Backup Buddy provide the ability to send files to a cloud-based storage system like Google Drive or Dropbox, and you should definitely take advantage of this.
Keep as many versions of the database and files as possible. My rule of thumb is to keep 3 – 5 copies of the files and 10+ copies of the database.
Obviously your mileage may vary depending on the size of your site and the frequency of changes and the availability of storage.
For example if your site is file heavy you may want more frequent file backups, but if it is more writing heavy, database backups will be your priority.
4. Stay Up to Date
Being proactive about security is definitely something you should do. One of the easiest ways to do this is to make sure that your WordPress installation, theme and plugins are all kept up to date.
This is because the developers behind each of these will generally find bugs and security issues that could cause problems and fix them; if you don’t update, your site is open to attack.
Using a website management service such as ManageWP is great if you have numerous sites: it can automate the updates of WordPress and most themes and plugins.
That being said, they are not catch all systems, as some premium plugins and themes have odd update methods or require manual action to update things. As such you should still be manually checking your site at least once a week, even when using a service like ManageWP.
While we are talking about plugins and themes, you should make sure that your plugins and themes are sourced from a trusted supplier.
Make sure the software is from the author’s site or a trusted marketplace. If it’s a premium plugin and you’re getting it for free, it has likely been pirated and is therefore more likely to contain malicious code.
Software to help prevent spam and hacks
The WordPress community is very lucky: it has a lot of smart people willing to make complex plugins that help everyone else out. Of course, they are not all for free.
WordFence is a free and premium security plugin for WordPress and I highly recommend it. It can do the following things:
- Scan your site files for malware and malicious code
- Notify you of issues like out of date plugins
- Live monitor your traffic and its behaviour
- Block IPs
- Two Factor authentication (premium feature)
- Block countries
I definitely see it as being part of any secure site, though it doesn’t cover everything. Personally I use it in combination with another free plugin called Stop Spammers, which can:
- block users from logging in
- records when users try to access something
- scans for threats
Using these two together helped stop a variety of brute force attacks on one of my sites.
They are not perfect, and sometimes the combination of the two can cause false positives, but those things are minor compared to the benefit they bring.
Another option to look at for security software is Sucuri.net. This premium service is not cheap, but they are one of the leading online security companies in the world.
Last but not least is iThemes Security, which is a solid security plugin with both free and premium versions available. It can:
- Protect against brute force attacks
- Scan for threats
- Lock out users
- Hide login & admin
- Database backups
- And more
The Bottom Line
There is no surefire way of protecting a WordPress (or any type of) site from being hacked: there are simply too many possible points of entry, from the host itself, to themes, plugins and even your own computer.
That being said, all of the above options are a great starting place to harden your WordPress website to make it significantly more difficult to gain access to.
It’s far from a complete list, and I would recommend reading through WordPress.org’s own guide as well (http://codex.wordpress.org/Hardening_WordPress).