Note: Little did I know when I started writing this post on WordPress security that I would have to deal with a hacker on one of my clients’ websites. Even though I use website security best practices to secure my websites, someone planted a WSO Web Shell on the website that activated while I was moving it to a new host (or it was planted on the old host prior to my backing up and moving the database).
I spent the entire day yesterday dealing with it, finally having to rebuild the site from backups that I knew were clean. Luckily it was a site with a few pages, no blog posts, and a small number of images that needed to be uploaded and reattached to the pages. Hackers don’t care about how disruptive they are to you or your business. So my advice is to take WordPress security seriously even if you think your site is not big enough to be a target.
10 Proactive WordPress Security Tips
A small business website is a valuable asset, one that you want to protect from damage by some malicious hacker. In many cases, our websites are analogous to a physical store or office, and just like you wouldn’t want someone throwing a brick through your window, you don’t want someone damaging your web property.
Many of us have spent time and money on our Website design, brand identity and expert content that projects how we want people to perceive us and our businesses. With its popularity, WordPress has become a target for those trying to exploit vulnerabilities. And unfortunately, there are those misguided individuals that think hacking your website and potentially harming your business is fun.
Here are some simple WordPress security tips and best practices that can help thwart those who want to do harm to your online presence.
- Eliminate the account called “admin” – When you install WordPress, select a name for your administrative account rather than take the default. If one exists, create another admin account and delete the default.
- Use strong passwords for all admins – Make your WordPress login as secure as your bank account and use a strong password with letters, numbers and special characters.
- Block countries from accessing the dashboard – iQ Block Country is a plugin that allows you to block selected countries from accessing your administrative backend. If you don’t want certain countries accessing the live site, it also provides that feature.
- Hide the WordPress login link – Every WordPress installation uses /wp-admin as the login link. The Rename wp-login.php plugin enables you to easily and safely change wp-login.php to anything you want, making the wp-admin directory and the wp-login.php page inaccessible to brute force login attempts. Update 12/22/14: since writing this post, the plugin developer is no longer maintaining this plugin.
- Add security features to your WordPress dashboard – Select a WordPress security plugin like the WordPress Simple Firewall to further secure your website from the backend. I set this up for the firewall capability, but there are other features that can help you tighten your control.
Update 12/22/14: I’ve also been experimenting with the Ninja Firewall plugin to see if it would replace several of the security plugins I’ve been using. It does have a protect login feature that can be set to lock when under attack, giving you the ability to still log in with a predefined username/password combination.
- Keep WordPress and plugins updated – Outdated software may contain security vulnerabilities that are known to hackers. Updating your site regularly eliminates them and makes your installation more secure. Don’t modify any of the core software, so that you can always update without breaking your site.
- Only use plugins and themes from reputable developers – do your research before you install a plugin or theme to make sure it isn’t harboring vulnerabilities that can be used to exploit your website.
- Protect your critical files from tampering – Add the following to your .htaccess file to protect your WordPress installation:
# Prevent directory listing
Options -Indexes
# Protect .htaccess files
<Files .htaccess>
deny from all
</Files>
# Protect wp-config.php
<Files wp-config.php>
deny from all
</Files>
- Protect the files on your WordPress installation – Make sure all theme and plugin files are write-protected (file permissions of 644) before you go live.
- Keep a recent backup of your website – Keep regular backups using the process I described in Easily Move Your WordPress Website. But if your database is compromised, make sure you have all the pieces to rebuild your site cleanly. Do a WordPress export of the content, theme settings and plugin settings, back up the uploads directory and theme, and keep a list of the plugins you use. Always make a fresh backup when you make any major changes to your website. If you know your database backup is clean, a simple monthly export can help you recover more quickly from an older version if something goes wrong.
Update 1/30/15: I’ve started using All In One Site Migration to keep backups of my clients’ sites. The plugin allows me to rebuild the entire site in 10 minutes. As long as your site is clean, this type of backup, plus an incremental export of blog posts written since the backup, will enable you to recover quickly.
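A quick pre-go-live check for the file permission tip above, combined with a look for the kind of planted web shell described at the top of the post. This is an added example, not part of the original post or of any plugin it names; it assumes the standard WordPress directory layout and builds a constructed sample tree so it can run stand-alone.

```shell
#!/bin/sh
# Added example, not part of the original post: audit a WordPress tree for
# files that are not write-protected (the post asks for 644) and for PHP
# files in wp-content/uploads, where a planted web shell would have no
# business being. The sample tree below is constructed for demonstration.

# Regular files that group or others can write to (mode bits 020 or 002).
loose_files() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print
}

# PHP files under the uploads directory, which should hold only media.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f -name '*.php' -print
}

# Number of lines a command prints; awk always exits 0, so this is set -e safe.
count_lines() { "$@" | awk 'END { print NR }'; }

# Print a report; return 1 if anything was flagged so it can gate a go-live.
audit_site() {
    loose=$(count_lines loose_files "$1")
    phpup=$(count_lines php_in_uploads "$1")
    loose_files "$1" | sed 's/^/WRITABLE   /'
    php_in_uploads "$1" | sed 's/^/PHP-UPLOAD /'
    echo "writable files: $loose, php in uploads: $phpup"
    [ "$loose" -eq 0 ] && [ "$phpup" -eq 0 ]
}

# Constructed sample site: one group-writable theme file, one PHP file in uploads.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2014/12" "$d/wp-content/themes/demo"
    printf '<?php\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-content/themes/demo/functions.php"
    printf 'GIF89a' > "$d/wp-content/uploads/2014/12/logo.gif"
    printf '<?php\n' > "$d/wp-content/uploads/2014/12/unexpected.php"
    chmod 644 "$d/wp-config.php" "$d/wp-content/uploads/2014/12/"*
    chmod 664 "$d/wp-content/themes/demo/functions.php"
    echo "$d"
}

# Usage: sh wp_audit.sh /path/to/site ; with no argument the sample tree is audited.
site=${1:-$(make_sample_site)}
audit_site "$site" || echo "fix permissions and remove stray PHP before going live"
[ -n "$1" ] || rm -rf "$site"
```

Run it against the real document root before flipping DNS; a non-zero exit means something still needs a chmod 644 or a closer look.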
Don’t think it couldn’t happen to your website. Hackers don’t care if your site is small, new or insignificant. Remember, hackers will hack your site because they can.
What do you do to secure your WordPress website? Add your advice in the comments.