WordPress is the most popular publishing platform on the web powering more than 60,000,000 websites according to Automatic. WordPress powers everything from TechCrunch to an eCommerce site selling LED Traffic Wands. With great usage comes great vulnerability. There is no such thing as a 100% secure site, but by taking the following steps you can make your WordPress site more secure.
1. Choosing the right Web Host
At ProTech, we take a bottom-up approach to securing our websites. It always starts by choosing the right web host. Almost any host can run WordPress, but just because it can doesn’t mean it should. We recommend using a web host that takes extra security measures with WordPress in mind. ProTech uses WP Engine for all of our properties, and wholly recommend them for anyone who is serious about security and speed. WP Engine has phenomenal customer support and a security guarantee, meaning if your site is compromised they will foot the bill to get it fixed. Please read our WP Engine review to learn more.
2. Update WordPress, Themes & Plugins
Every WordPress update adds security patches along with other improvements. In the latest major update, 3.5, WordPress’s image uploader was rebuilt from the bottom up making it much faster and easier to use. By updating your site on a regular basis, preferably daily, you can minimalize the risk of having your site exploited because of an outdated version of WordPress. The same concept applies to WordPress Themes and Plugins.
3. Limit Login Attempts
Limiting how many times someone can attempt to log into your site is a great way to stop a type of hack called “Brute Force Attacks.” This is when someone tries to gain access to your site by attempting to crack your password by using random combinations. Conveniently named, the plugin Limit Login Attempts is an excellent way to stopp Brute Force Attacks in their tracks. An ideal setup of this plugin is that after three incorrect username/password submissions, a user will be locked out of WordPress for 20 minutes; crude yet effective.
4. Delete “Admin” User
Admin is the default user with administrative privileges on most WordPress installations. This is easy to guess and is a common exploit on WordPress sites. We recommend you delete your “Admin” user and create another user with a less common username to access your site.
5. Secure FTP
FTP is one of the most common ways of accessing the files of any website. Unfortunately, FTP isn’t very secure; all files and passwords are sent over the web in plain text, anyone with the appropriate skill set can easily view all the information passed over from your computer to your website. We have three recommendations for accessing your site through FTP.
- Use SFTP (secure FTP) to access all of your website data. This will encrypt all data making it harder for others to see what content is being passed.
- Don’t use SFTP on public netowrks. Make sure your connected to a secure network that you know and trust while accessing your website’s files
- Harden your password – Make your SFTP password as hard to guess as possible
6. Harden File Permissions
Having relaxed file permissions is a common mistake that website owners make, which can allow intruders easy access to your entire site. A file’s permissions determine who can access that file, and whether they are allowed to read, write, or execute that file. These are set at the user, group and public level. It is hard to recommend specific permissions for a WordPress site, as different sites need access to different files, but the WordPress Codex a hardening WordPress article which has recommendations on permissions which is a great place to start.
The first question we ask when a prospective client approaches us with concerns that their WordPress site was hacked is, ”Do you have backups of your site?” In many cases they don’t. Having backups can help you out in more ways than we can stress. The first thing it does is allows for a quick recovery in the case of a website going down. Second, it gives a reference point to see what files changed in the case of a hack, which is a place to diagnose what was compromised. Third, you work hard on your website why risk losing your data? Many web hosts perform automated daily backups of your files, but it is always a good idea to do this yourself. There are many free plugins out there that will backup your site to places such as Amazon S3, Dropbox, or even an FTP server of your choice.
8. Run Security Scans
Running security scans is the best way to determine if your site has been compromised. Our favorite tool is Sucuri which offers a free website scanner on their website, as well as a WordPress plugin. Sucuri also offers a premium plan for $89 per year where they not only regularly audit your site for security breaches; they will even fix them for you.
9. No “Soup Kitchen” Servers
“Soup Kitchen” servers happen when a user has both a production site and a test site on the same server. You should always segment your development and production servers if possible. The problem is that people install “test sites” on a webserver, and then forget about them. As the WordPress install, plugins, and themes become outdated, more and more security holes open up. It is common for someone to access your production through this outdated test site and wreak havoc on it.
By taking these steps you can significantly reduce the risk of your WordPress site. As stated before, no site is 100% hack-proof, so the goal is to minimalize the risk of your site being compromised. Please stay tuned for future articles on different kinds of WordPress hacks and how to fix them.