As a WordPress user, you’ve read stories of WordPress sites being hacked. If you are like me, you don’t take most of the security advice seriously until you get hit. Don’t wait until something bad happens before you take necessary preventive measures.
Last week I shared a post on how I fixed a hack on my WordPress blogs and I promised to share security measures I’m taking. Today, I want to share do it yourself (DIY) steps to help you further strengthen WordPress.
Before you start installing security plugins at random, let’s consider simple but effective security measures you should implement right now by yourself.
1. Use the right host: Your host provides the space where your website leaves. I’m glad I got this right from the beginning – I use Hostgator. Your host must be supportive: to help you at anytime you have issues. They must also provide the latest versions of all server software and reliable methods for backup and recovery.
2. Choose the right theme: I use Genesis framework and personally build or customise the child theme I use. Make sure you are using a secure theme. It may not be easy to tell which theme is ok to use. Better to use a premium theme from a trusted WordPress theme development company or download a free theme from WordPress theme directory.
3. Keep regular backup away from installation: I used to make the mistake of saving my backup files within my WordPress installation. This means that if something really bad happens, the backup files may also be lost. The safest way is to either save your backup file to your PC or external drive. Most likely, I’ll not be able to keep up with weekly backup routine like some security experts advice, but a fairy regular interval will do.
4. Your computer: After discussing with my host, I learned that most successful hacks are initiated through malwares, spywares or virus on computer. To fix this, first, I downloaded anti-Malware software to scan my system. I used CCleaner to clear unnecessary files on the system. Going forward, I just don’t want to leave any trace because these ‘imps’ can be tricky. I had to backup and format my PC. My advice is: just do whatever you think is best for you – but be sure you keep your computer save. Also, always keep your web browser updated.
5. Keep WordPress Up to date: WordPress is constantly updated by the developers. And once a new update is released to fix a security issue, the information required to exploit the vulnerability is almost likely in the public domain. Make sure to update your WordPress site as soon as possible. And remember to check that plugins and your theme are working fine with the new update.
6. Your passwords: Is you password strong enough? Make sure your password is a mix of alphabet, numbers and symbols (like “£ $ @)
7. Secure wp-includes: The wp-includes files are rarely accessed by any user. It’s a good idea to block those scripts using mod_rewrite in the .htaccess file. Use the code below to block access to the files. Note: to ensure the code is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.
# Block the include-only files.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress
8. Secure wp-config: Make sure that only you (and the web server) can read the wp-config file (it generally means a 400 or 440 permission).
If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:
order allow,deny deny from all
9. Disable file Editing: The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to login. If you don’t have need to edit plugin or theme files from your admin section for the moment, wordpress has a constant to disable editing from Dashboard.
To accomplish this, place this line in wp-config.php to remove the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:
10. Secure Plugins: Make sure you plugins are always updated.
Useful Security Plugins
I wouldn’t be mentioning a lot of plugins here. You don’t need a lot of them – just few that does required jobs.
WP Login Security 2: With this plugin, each time a user tries to log in, the plugin will compare their existing IP address to the last seen IP address. If the IP does not match or no IP addresses have been whitelisted, an email will be sent to the users registered email address. The user must login to their email and click the included link, which contains the one-time password. This will prevent the bad guys from gaining access to your site even if they get your password.
Better WordPress Security: this plugin offer a variety of security options – from changing table prefix, back up, to assigning login limits. This security plugin is all in one.
Other useful resource to help you strengthen WordPress security: