The online world, like the physical one, has its dangers. Any website is potentially exposed to virtually every attacker in the world, and with so much invested in sites, WordPress security needs to be taken seriously. Fortunately, taking the right precautions greatly reduces the risk and makes the chance of a site ever being compromised very low.
No security can ever be perfect. Although few attackers will bother with a well-protected site, it is impossible to be certain, and technical problems at the server level can also cause a site to be lost. Therefore, the first line of defense is a periodic and complete WordPress backup that is stored securely offline. The most important files needed to recover a WordPress site are the wp-config and .htaccess files, the wp-content folder and the database. See WordPress backup for more information.
Every security precaution can be wasted if the computer used to log in to the site has itself been compromised. Avoid logging in from public computers whenever possible, keep all security software up to date, and run weekly scans of every computer from which WordPress is accessed.
Choose secure web servers
Some hosting services, particularly those overseas, may not secure their servers adequately. Check the reputation of any hosting service and ask what it does about security. A private server is best, because one compromised site on a shared server can put the others on it at risk; however, shared hosting is fine for most people if the provider takes security seriously.
WordPress hosting covers some secure hosting services that work well with WordPress.
Passwords and user names
One of the most common attacks on WordPress sites uses software to guess passwords. It is therefore essential to create long, hard-to-guess passwords that combine letters, numbers and symbols, or to use a password generator. The database password should also be hard to guess: avoid dictionary words altogether, or at the very least do not use complete words.
NEVER use the default “admin” user name, since it makes an attacker’s job much easier (it can be changed if the site is already set up). Security plugins such as Login Lockdown limit how many login attempts can be made in a given period of time.
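The password-guessing described above leaves a clear trace in the web server's access log, which is useful both for confirming that a login limiter is doing its job and for spotting an attack on a site that has none. The script below is an added example, not code from the original article or from any plugin it names. It flags client IPs that repeatedly POST to /wp-login.php and receive a 200 response (WordPress re-renders the form on a failed login, whereas a successful login answers with a 302 redirect). The log lines are constructed samples in Apache combined format, and the threshold is a parameter.

```shell
#!/bin/sh
# Added example, not code from the original article. Counts failed-looking
# login attempts per client IP in an access log and flags the IPs that
# exceed a threshold, the same pattern a plugin such as Login Lockdown
# throttles in real time. SAMPLE_LOG holds constructed lines.

SAMPLE_LOG='203.0.113.7 - - [10/May/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2024:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Usage: flag_login_bruteforce THRESHOLD < access.log
# Prints "ip failed_attempts" for every IP at or above THRESHOLD, busiest first.
flag_login_bruteforce() {
    awk -v limit="$1" '
        # combined format: $1 client IP, $6 "METHOD, $7 path, $9 status code
        # a POST to wp-login.php answered with 200 means the form came back,
        # i.e. the credentials were rejected
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] + 0 >= limit + 0) print ip, fails[ip] }
    ' | sort -k2,2nr
}

# With the sample log and a threshold of 5, only 203.0.113.7 is reported.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

On a live server, feed the real log instead of the sample (`flag_login_bruteforce 10 < /var/log/apache2/access.log`, path being host-specific) and compare the result with what the login-limiting plugin reports; an IP that shows up here with dozens of failures but was never blocked means the limiter is misconfigured or bypassed.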
Keep everything updated
WordPress is updated not just to improve its functionality but to plug holes found in its security. Keep it updated, along with the plugins, to keep it as secure as possible.
While plugins are great tools, it is not a good idea to install too many of them. Those who write plugins may not have security in mind and may inadvertently leave holes. In addition, an excessive number of plugins can slow down a site. Plugins that require write access to WordPress files and directories need to be treated with particular care.
Use security plugins
However, some plugins can enhance security. The following are some popular and effective free security plugins:
- WordPress Firewall 2: “This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks.” It can whitelist and blacklist and will send reports of suspected attacks. Once it is installed, users will sometimes have to disable the plugin temporarily when making certain changes to code, but the extra security is well worth it.
- Wordfence: This is a great all-in-one security plugin. Its features include a firewall, login protection and file repair. One feature to take particular note of is its scanning feature. It will automatically scan your site regularly and alert you to potential problems. It also provides information on traffic to your site. There are both free and paid versions of this plugin, but the free version includes most features and is enough for the average user.
- Better WP Security: This is another all-in-one security plugin. It is full of tools and starts by scanning your site and suggesting security enhancements. Features include everything from login security to blacklisting dangerous IPs. Like Wordfence, it has a very high user satisfaction rating.
- Secure WordPress: This plugin is rated highly and lists a number of security-enhancing features, including “Removes error-information on login-page” and “Adds index.php plugin-directory.”
A listing of many of the top WordPress security plugins, as well as what they will do, can be found here.
Not requiring users to fill in a CAPTCHA when they comment on posts leaves a hole that automated software exploits to post spam. The downside is that the requirement may discourage some people from commenting, but a simple CAPTCHA is all that is needed, and it also eliminates annoying spam.
If the server supports it, use SFTP rather than FTP when transferring files between the computer and the website, since SFTP encrypts the password and all other data in transit.
Remember database security
On top of choosing secure passwords, when there is more than one site on a server, always keep the databases separate, with a different database user for each. Doing so may keep the other databases secure even if one is compromised.
Set appropriate file permissions
File permissions should generally be as restrictive as possible, particularly on shared hosting, but some files do need to be writable by the server for certain functionality. In general, most files should be writable only by the main user account. However, content files, apart from the themes and plugins, will need to be writable by all users and the public. Permissions are generally 755 for directories and 644 for files.
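The following script is an added example, not code from the original article, showing how the 755/644 scheme above is applied to a WordPress tree and then audited. It makes two choices that go beyond the text: wp-config.php, which holds the database credentials, is set to 640 so that other accounts on a shared host cannot read it, and nothing is made world-writable, because a 777 uploads directory lets any other local account on the host drop files into the site. It assumes the script runs as the account that owns the files and that PHP runs as that user or as a member of its group; the root path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article. Applies 755 to directories
# and 644 to files under a WordPress root, tightens wp-config.php to 640,
# and then audits the tree for anything that deviates from that scheme.
# If the site stops loading after the change, the web server runs as a
# user that cannot read wp-config.php on this host; set it back to 644.

harden_wp_permissions() {
    wp_root="$1"
    [ -d "$wp_root" ] || { echo "not a directory: $wp_root" >&2; return 1; }
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
    # database credentials: owner read/write, group read, nothing for others
    if [ -f "$wp_root/wp-config.php" ]; then
        chmod 640 "$wp_root/wp-config.php"
    fi
}

# Lists every path whose mode does not match the scheme; returns 1 if any.
audit_wp_permissions() {
    wp_root="$1"
    stray=$( {
        find "$wp_root" -type d ! -perm 755
        find "$wp_root" -type f ! -perm 644 ! -name wp-config.php
        find "$wp_root" -name wp-config.php ! -perm 640
    } 2>/dev/null )
    if [ -n "$stray" ]; then
        printf 'unexpected permissions:\n%s\n' "$stray"
        return 1
    fi
    echo "permissions match the scheme"
}

# Run with the WordPress root as the only argument, for example
#   ./harden.sh /var/www/html     (the path is an assumption)
if [ -n "${1:-}" ]; then
    harden_wp_permissions "$1" && audit_wp_permissions "$1"
fi
```

Run the audit on its own from time to time: a file that has become world-writable or a directory that has drifted to 777 is exactly the kind of change a compromised plugin or a careless FTP client leaves behind.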
Utilize the .htaccess file to protect the wp-config and other files
The .htaccess file can be modified in various ways to enhance WordPress security. For those comfortable with making these kinds of edits, there are various additional tips for hardening a site here.
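As an added example (not from the original article or the page it links to), the script below writes the two .htaccess fragments most often recommended for WordPress: one at the site root that refuses web requests for wp-config.php and .htaccess itself and turns off directory listings, and one in wp-content/uploads that refuses to serve PHP from there, so a script that ends up in the uploads folder cannot be executed through the browser. Apache 2.4 syntax (`Require`) and a host that honours .htaccess (`AllowOverride`) are assumptions; the marker lines make the functions safe to re-run.

```shell
#!/bin/sh
# Added example, not from the original article. Appends hardening rules to
# the root .htaccess and to wp-content/uploads/.htaccess. Each fragment is
# wrapped in BEGIN/END markers so a second run does not duplicate it.

MARKER='# BEGIN added-hardening'

add_root_htaccess_rules() {
    ht="$1/.htaccess"
    grep -qs "$MARKER" "$ht" && return 0   # already applied
    cat >> "$ht" <<'EOF'
# BEGIN added-hardening
# Deny direct requests for the files that hold secrets and server rules
<Files "wp-config.php">
    Require all denied
</Files>
<Files ".htaccess">
    Require all denied
</Files>
# Never list a directory's contents when it has no index file
Options -Indexes
# END added-hardening
EOF
}

add_uploads_htaccess_rules() {
    dir="$1/wp-content/uploads"
    [ -d "$dir" ] || { echo "no uploads directory under $1" >&2; return 1; }
    ht="$dir/.htaccess"
    grep -qs "$MARKER" "$ht" && return 0
    cat >> "$ht" <<'EOF'
# BEGIN added-hardening
# Uploads are data, not code: refuse to serve anything PHP-like from here
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
# END added-hardening
EOF
}

# Usage: ./htaccess-harden.sh /var/www/html   (the path is an assumption)
if [ -n "${1:-}" ]; then
    add_root_htaccess_rules "$1" && add_uploads_htaccess_rules "$1"
fi
```

After applying the rules, request /wp-config.php in a browser: a 403 confirms the root rules are active, while the file's source or a PHP error means .htaccess is being ignored by the host and the protection needs to go into the server configuration instead.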
Change table prefixes
SQL injection is a very common type of attack on WordPress sites. Since those who carry out these attacks usually assume the table prefix is “wp_”, changing the prefix to something else will enhance security. WP Security Scan is a plugin that makes changing the prefix easy. It also offers a scanner and a password strength tool, as well as a quick way to back up the database.
Whether with WP Security Scan or another plugin, scan the site periodically so that security problems are caught and corrected early.