WordPress Security – Ensure Your Website is Protected

Note: Little did I know when I started writing this post on WordPress security that I would have to deal with a hacker on one of my client’s websites. Even though I use website security best practices to secure my websites, someone planted a WSO Web Shell on the website that activated while I was moving it to a new host (or it was planted on the old host prior to my backing up and moving the database).

I spent the entire day yesterday dealing with it, finally having to rebuild the site from backups that I knew were clean. Luckily it was a site with a few pages, not blog posts and a small number of images that needed to be uploaded and reattached to the pages. Hackers don’t care about how disruptive they are to you or your business. So my advice is to take WordPress security seriously even if you think your site is not big enough to be a target.

10 Proactive WordPress Security Tips

A small business website is a valuable asset, one that you want to protect from damage by some malicious hacker. In many cases, our websites are analogous to a physical store or office, and just like you wouldn’t want someone throwing a brick through your window, you don’t want someone damaging your web property.

Many of us have spent time and money on our Website design, brand identity and expert content that projects how we want people to perceive us and our businesses. With its popularity, WordPress has become a target for those trying to exploit vulnerabilities. And unfortunately, there are those misguided individuals that think hacking your website and potentially harming your business is fun.

Here are some simple WordPress security tips and best practices that can help thwart those who want to do harm to your online presence.

  • Eliminate the account called “admin” – When you install WordPress, select a name for your administrative account rather than take the default. If one exists, create another admin account and delete the default.
  • Use strong passwords for all admins – Make your WordPress login as secure as your bank account and use a strong password with letters, numbers and special characters.
  • Block countries from accessing the dashboard – iQ Block Country is a plugin that allows you to block selected countries from accessing your administrative backend. If you don’t want certain countries accessing the live site, it also provides that feature.
  • Hide the WordPress login link – Every WordPress installation uses /wp-admin as the login link. The Rename wp-login.php plugin enables you to easily and safely change wp-login.php to anything you want, making the wp-admin directory and the wp-login.php page inaccessible to brute force login attempts. Update 12/22/14: since writing this post, the plugin developer is no longer maintaining this plugin.
  • Add security features to your WordPress dashboard – Select a WordPress security plugin like the WordPress Simple Firewall to further secure your website from the backend. I set this up for the firewall capability, but there are other features that can help you tighten your control.

Update 12/22/14: I’ve also been experimenting with the Ninja Firewall plugin to see if it would replace several of the security plugins I’ve been using. It does have a protect login feature that can be set to lock when under attack, giving you the ability to still log in with a predefined username/password combination.

  • Keep WordPress and plugins updated – outdated software may contain security vulnerabilities that are known to hackers. Updating your site regularly eliminates them and makes your installation more secure. You shouldn’t modify any of the core software so that you can update without breaking your site.
  • Only use plugins and themes from reputable developers – do your research before you install a plugin or theme to make sure it isn’t harboring vulnerabilities that can be used to exploit your website.
  • Protect your critical files from tampering – Add the following to your .htaccess file to protect your WordPress installation:

# Prevent directory listing (IndexIgnore hides every entry from an auto-generated
# index; "Options -Indexes" disables indexes outright where AllowOverride permits it)
IndexIgnore *

# Protect .htaccess files
<Files .htaccess>
order allow,deny
deny from all
</Files>

# Protect wp-config.php (pattern quoted and the dot escaped so it matches the
# literal filename; on Apache 2.4 the two access lines become "Require all denied")
<FilesMatch "^wp-config\.php$">
order allow,deny
deny from all
</FilesMatch>

  • Protect the files on your WordPress installation – Make sure all theme and plugin files are write protected (file permissions set to 644) before you go live.
  • Keep a recent backup of your website – Keep regular backups using the process I described in Easily Move Your WordPress Website. But if your database is compromised, make sure you have all the pieces to rebuild your site cleanly: do a WordPress export of the content, save the theme settings and plugin settings, back up the uploads directory and the theme, and keep a list of the plugins you use. Always make a fresh backup when you make any major changes to your website. If you know your database backup is clean, a simple monthly export can help you recover more quickly from an older version if something goes wrong.

Update 1/30/15: I’ve started using All In One Site Migration to keep backups of my clients’ sites. The plugin allows me to rebuild the entire site in 10 minutes. As long as your site is clean, this type of backup, plus an incremental export of the blog posts written since the backup, will enable you to recover quickly.
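As an added example (not code from the original post), a small POSIX shell helper that applies the 644/755 scheme from the file-protection tip to a WordPress directory and reports anything still group- or world-writable; the directory paths it mentions are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: apply the 644/755 scheme from the
# "Protect the files" tip to a WordPress tree and report anything still writable
# by group or others. The /var/www path in the usage line is an assumption.

# Directories 755, regular files 644, wp-config.php 600 (it holds DB credentials).
wp_set_permissions() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# List files and directories that group or others may write to (empty = clean).
# -perm /022 is GNU find syntax; BSD find spells it -perm +022.
wp_find_writable() {
    find "$1" \( -type f -o -type d \) -perm /022 -print
}

# Number of loose entries; usable as a pass/fail gate in a deploy script.
wp_count_writable() {
    wp_find_writable "$1" | wc -l | tr -d ' '
}

# Usage (assumed path):
#   wp_set_permissions /var/www/example/htdocs && wp_count_writable /var/www/example/htdocs
```

Run the count before going live and treat any non-zero result as a file that still needs attention.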

Don’t think it couldn’t happen to your website. Hackers don’t care if your site is small, new or insignificant. Remember, hackers will hack your site because they can.

What do you do to secure your WordPress website? Add your advice in the comments.

9 thoughts on “WordPress Security – Ensure Your Website is Protected”

  1. I really love the security plugin called Wordfence. It allow me to auto block any IP trying to hack my site, it notifies me of out-of-date plugins, and if you do get hacked it will show you which files have been changed, then show you a comparison of before and after, and easily allow you to go back to the previous version of any file. The basic model is also free with the option of a more advanced paid model. Very slick and super easy to set up and use.

  2. Great list; I use many of those but will certainly try Vault as I use WPBackUp and haven’t had a response to a support request for two weeks!

    A recent plugin that I found is Dropbox Photo Siteloader. If you use Dropbox to collect your photos or receive photos from brands/PRs you work with, this plugin pulls all your selected photos from Dropbox folders into your media library. No more downloading and re-uploading!

  3. Hi Debra,

    This is a wonderfully comprehensive post on WordPress security – ensure your website is protected. I enjoyed this article. I would love to see more such interesting articles from your side.

    Thanks for writing and I hope that you’ll have a happy weekend.

    Keep up your great work!

    Regards,
    Mohd Arif

  4. Great article Debra!

    The strong passwords and plugin updates are common security holes we find with customers. We recommend a password be a minimum of 12 characters in length with special, lowercase, and uppercase characters. The plugin updates are tricky in that if a website is only on one server instance and does not have a beta or development website for testing purposes, updating a plugin can cause chaos on a production website. Really great insight and wonderful post.

    Looking forward to more blog posts!

    • Thanks Andrew. Interestingly I’ve only had one minor issue with a plugin update across all of my client’s sites and it was an easy fix. I’m more cautious when updating ecommerce plugins, but most others are a non-issue. Of course, I always update my site first and if it doesn’t wreak havoc there, then I update my clients :)
