WordPress Security

Dec 1, 2014 | Content Management Systems, WordPress

WordPress Security

WordPress is one of the most popular web publishing platforms used on the Internet today due to it’s user-friendly platform. It is also one of the most popular targets for spammers and hackers.

In September 2013, WP White Security stated that “According to statistics from 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.” In 2012 they state that more than 170,000 WordPress sites were hacked. Most of the hackers are not wanting to damage your site, they want email address so they can send out spam emails.

There’s several different ways you can safeguard your WordPress site.

  1. WordPress Login Page – The WordPress login page is where attackers devise strategies to guess the passwords. They will use brute force measures to try to gain access into the website. There are several things one can do to protect the login page.
    1. Limit Login Attempts – Limit the number of times a particular IP address can log into the site before it is blocked.
    2. Two-Factor Authentication – With two-factor Authentication one will need to provide a second layer of protection to login to the WordPress site. This second layer of proof of identity makes it hard for attackers to impersonate the user.
    3. WordPress Login Path Renaming – Change the URL of your login and admin area so attackers will not know where to look.
    4. User a Very Strong Password – So many users will use a simple password that is easy to remember and what’s even worse is they will use the same password on multiple websites. You should never make it easy for a hacker to guess your password. Use secure passwords that are at least 12 or more characters with a combination of letters, numbers, and special characters.
    5. Guarding the Admin Page – The login and admin page is the most important pages on a WordPress website.
      1. Use SSL – Install an SSL certificate on your account and use it for the admin area. It keeps this area secure over the internet and makes it hard to crack. Once the SSL certificate is installed simply modify the “wp-config.php” file and include the following lines:define(‘FORCE_SSL_ADMIN’, true);define(‘FORCE_SSL_LOGIN’, true);
      2. Keep WordPress Updated – Keeping WordPress up to date allows the latest security features to be installed on the site. WordPress even gives the option to have updates installed automatically and this should be turned on.
      3. Editor Accounts – If there are multiple people posting to the website there should be an account setup for each person and each account should be set as “editor”. Limit the number of people who have “admin” accounts.
      4. Admin Account – Never use “admin” as a user on the website. This is the most common mistake that hackers look for to gain access to the website.
    6. Security Analytics – Have your website analyzed for security vulnerabilities and improper configurations that will leave the website vulnerable to attacks.
      1. Install Security Plugins – Use a good security plugin like iThemes Security Pro to keep your site secure and safe.
      2. Username the User Name – If the archive of all posts by a particular author is accessed it is very easy to find the username in the URL. This gives hackers easy access to the names of users on the website and an avenue for them to start running scripts to get the user password.
  2. Protecting The Theme Area – Having themes on the WordPress site that are not being used is asking to be hacked. Delete themes that are not being used.
    1. Update the Current Theme – Be sure to keep the current them updated. This is important to receive the latest security fixes as they are released for the theme. This makes the site more secure as vulnerabilities are fixed.
    2. Use Reliable Themes – It is so easy to grab a “free” theme off the Internet to use. But I have found out from experience these themes can not only be loaded with injectable code, but most of them don’t even work and will break when the WordPress version is updated. Themes hosted on the official WordPress repository seem to be more secure and are updated more to work with the latest WordPress version. Use a reputable company like Elegant Themes Premium WordPress Themes to purchase your themes
    3. Remove the Version and wp-login – Some themes come with a wp-login area. This and the theme version needs to be removed. These can give a goldmine of information to attackers.
  3. Plugin Downfalls – Plugins are a great help and are used on all WordPress sites for one reason or another. They can also be a downfall in in presenting a security risk. To keep the plugins on the site from being a security risk, do the following:
    1. Use Official Plugins – It’s great to get “free” things from many places, but when it comes to the WordPress plugins used on a website they should either come from a reputable place like the official WordPress repository or a website where the plugin has technical support one can rely on. When looking at a plugin, if it has not been updated within the last year, one can be pretty confident that it has been abandoned and no updates have been made to it. Steer clear of these plugins.
    2. Update the Plugins – Just as WordPress needs to be updated to the latest version, plugins also need to be updated to the latest version. This is one more step of securing the website to thwart potential attacks from hackers.
    3. Delete unused Plugins – If it is not being used, delete the plugin. Keeping unused plugins hanging around presents a target for attackers.
  4. Protect Your Data – The security of the website is as secure as the platform it resides on, the backups of the site, and the backups of the data on the site.
    1. Hosting on a Secure Infrastructure – Before choosing a hosting provider, be sure to research each company completely. Make sure they have a secure infrastructure for your site. Read online reviews of WordPress hosting providers where one can see which provider provides the most protection. Remember that hosting accounts based on Linux tends to be more secure than others.
    2. Schedule Site Backups – We insure our homes and autos, why not insure our website(s) with a scheduled site backup. Using a plugin like Backup Buddy to run short backups of the database or complete backups of all the data, images, themes, and plugins to a safe place. Be sure to keep “offsite” complete backups of the website and database.
    3. Use SFTP to Access The Site – Secure FTP is a way to access the files on your hosting account with a secure method. This helps prevent malicious attackers from obtaining access to your site.
    4. File Permissions – If the site is hosted on “shared hosting” then it is very important file permissions are set correctly on the site to secure files at all times. All files should be set to 644 and directories to 755. The only difference is on the “wp-config.php” file. It should be set to 600 to prevent reading of it from users on the server.

Disclosure: Some of the links in this post are “affiliate links.” This means if you click on the link and purchase the item, I will receive an affiliate commission.

Pin It on Pinterest