WordPress, the most popular content management system, is used by millions of websites worldwide, and that popularity makes it a favorite target for hackers. While WordPress itself is very secure, the many themes and plugins that hook into it may not be. Here are 10 easy steps you can take to further secure your WordPress site.
Install the Newest Version of WordPress: First of all, always make sure you have the latest version of WordPress installed. Each new release includes improvements that should make your site run faster than before. After every WordPress update, test your site and its speed to confirm it is working as well as it can.
Update All Plugins: You're not done updating. Check your plugins after every new WordPress update, and make sure the plugins you need are updated and working properly.
Delete All Unnecessary Plugins: Plugins you are not using should not just be deactivated, but deleted completely from your plugin directory. Sort your plugins into two categories: the ones you need and the ones you don't. Wherever possible, replace a plugin from an outside source with an official WordPress plugin.
Always keep an eye out for the latest fixes and releases for your plugins. Monitor the websites of the developers whose plugins you run; add their sites to your RSS reader. Install these updates quickly, because hackers go after recently outdated scripts with confirmed security flaws.
Backup Your Site Frequently: Backups are packaged files of your account that contain everything that makes up your website, including emails, databases, and redirects/forwarders. Save and back up your data as often as your schedule allows, because if a hack occurs you may be able to restore from your latest backup. We discussed backups in more detail here.
Limit Logins: By default, WordPress lets users try as many passwords as they want to get into an account. A brute force attack is when a hacker tries usernames and passwords continuously, usually with the help of a bot, until gaining access to the account. Install a plugin like WP Limit Login Attempts to lock out the user after a set number of tries or to require a Captcha.
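The lockout policy such a plugin enforces is simple enough to show in full. The following Python is an added example written for this post; it is not code from the original article or from the WP Limit Login Attempts plugin, and every class, method and the failed-login events it replays are hypothetical constructed sample data.

```python
# Added example (not from the original post or from any WordPress plugin):
# a sliding-window login limiter. All names are hypothetical; the events
# below are constructed sample data.
from collections import defaultdict, deque


class LoginLimiter:
    """Lock a (username, IP) pair out after `max_attempts` failures within
    `window` seconds. A lockout lasts `lockout` seconds; a successful login
    clears the failure history for that pair."""

    def __init__(self, max_attempts=5, window=300, lockout=900):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    @staticmethod
    def _key(username, ip):
        return (username.lower(), ip)

    def is_locked(self, username, ip, now):
        """Must be consulted BEFORE the password is checked, so a locked-out
        attacker learns nothing even when the guess is right."""
        key = self._key(username, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]      # lockout has expired
            return False
        return True

    def record_failure(self, username, ip, now):
        """Register a failed attempt; returns True if it triggered a lockout."""
        key = self._key(username, ip)
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, username, ip):
        self._failures.pop(self._key(username, ip), None)


# Constructed sample login events: (timestamp, username, ip, outcome)
SAMPLE_EVENTS = [
    (0, "admin", "203.0.113.7", "fail"),
    (10, "admin", "203.0.113.7", "fail"),
    (20, "admin", "203.0.113.7", "fail"),
    (30, "admin", "203.0.113.7", "fail"),
    (40, "admin", "203.0.113.7", "fail"),       # fifth failure -> lockout
    (45, "alice", "198.51.100.2", "fail"),      # another user is unaffected
    (50, "admin", "203.0.113.7", "success"),    # right password, still locked out
    (1000, "admin", "203.0.113.7", "success"),  # lockout expired
]


def replay(events, limiter=None):
    """Run the events through the limiter and return (ts, user, decision) tuples."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for ts, user, ip, outcome in events:
        if limiter.is_locked(user, ip, ts):
            decisions.append((ts, user, "rejected: locked out"))
            continue
        if outcome == "fail":
            locked = limiter.record_failure(user, ip, ts)
            decisions.append((ts, user, "locked out" if locked else "failed"))
        else:
            limiter.record_success(user, ip)
            decisions.append((ts, user, "logged in"))
    return decisions


if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```

Note the order of operations: the lockout check runs before the password is verified, which is why the correct password at t=50 is still rejected. Keying on the username together with the client address keeps one attacker from locking every real user out of the site.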
Two-step Authentication: In April 2013, WordPress.com began allowing users to log in with two-step authentication for better security. Logging in with only a password is single-step authentication; two-step authentication uses two factors to prove your identity. So, once you enter a password, you must use your phone or another device to further prove who you are. Keep in mind that two-step authentication can also block legitimate logins: if you forget your phone at home and have two-step authentication enabled, you won't be able to access your account. Google Authenticator is one of the most popular authentication plugins.
Avoid Generic Usernames & Passwords: Speaking of gaining entry, you make a hacker's job much easier if your username is something like "admin", "administrator", or some combination of your first and last name. Make your username as unique as your password. The WordPress Security Team says that "the weakest link in the security of anything you do online is your password." If you can memorize the password, it's probably not secure enough. Fill your passwords with non-alphanumeric characters, try a password generator, and change your password every few months.
Set File and Folder Permissions Correctly: These permissions specify who can read, write, modify, and access files and folders. A permission value is the sum of the following numbers, calculated separately for the owner, the file's group, and everyone else.
- Read 4 – Allowed to read files
- Write 2 – Allowed to write/modify files
- eXecute 1 – Allowed to run a file or enter a folder
So the optimal permissions are 755 for folders and 644 for files. For more on changing file permissions, read WordPress' guide.
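A quick way to find entries that drift from 755/644 (after a sloppy FTP upload, say) is to walk the install and report anything else. The following Python is an added example, not from the original post or from WordPress' guide; the tolerated exception for wp-config.php and the wording of the findings are this example's own assumptions.

```python
# Added example (not from the original post or WordPress' guide): audit a
# WordPress tree for files and folders that deviate from 644 / 755.
# The exception for wp-config.php is an assumption; adapt it to your host.
import os
import stat
import sys

EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODE = 0o644
# wp-config.php holds database credentials; a tighter mode than 644 is not a finding
TIGHTER_ALLOWED = {"wp-config.php": 0o600}


def describe(perm: int) -> str:
    """Render 0o644 as rw-r--r-- so reports are readable."""
    return stat.filemode(perm | stat.S_IFREG)[1:]


def check_entry(path: str, mode: int, is_dir: bool):
    """Return (path, actual, expected, why) if the entry needs attention, else None.
    `mode` is the raw st_mode, so the same function serves os.walk and unit tests."""
    perm = stat.S_IMODE(mode)
    expected = EXPECTED_DIR_MODE if is_dir else EXPECTED_FILE_MODE
    name = os.path.basename(path)
    if perm == expected or (not is_dir and TIGHTER_ALLOWED.get(name) == perm):
        return None
    if perm & 0o002:
        why = "world-writable: any account on the server can modify it"
    elif perm & 0o020:
        why = "group-writable: other accounts in the group can modify it"
    elif not is_dir and perm & 0o111:
        why = "executable bit set; PHP files are read by the interpreter and never need it"
    else:
        why = "differs from the recommended mode"
    return (path, describe(perm), describe(expected), why)


def audit(root: str):
    """Walk `root` and collect every finding; symlinks are skipped because
    their own mode is meaningless."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            p = os.path.join(dirpath, entry)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue
            finding = check_entry(p, st.st_mode, is_dir)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for path, actual, expected, why in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: {actual} (want {expected}) - {why}")
```

Run it as `python audit_perms.py /path/to/wordpress` (the script name is whatever you save it as). World-writable findings are the ones to fix first: a writable wp-content/uploads or theme folder is exactly where an intruder drops a backdoor.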
Protect the Comment Section: The comment section is a great place to build a relationship between owner and reader, but it is also an easy place for hackers to exploit. Validate form input before any comment is accepted, stripping out most HTML tags. WordPress also has a comment keyword filter you can tune to block malicious content. Again, a Captcha is good for thwarting bot activity.
HostDime Cloud Loves WordPress
The HostDime Cloud and WordPress are a match made in heaven for any website that needs scalability, availability, and speed.
Leverage our cutting-edge hardware, with enterprise-grade processors and industry-best SSDs, to create your infrastructure in mere seconds!
Best of all, each cloud server comes with a free Content Delivery Network! HostDime leverages 20 data center locations around the globe to provide an instant CDN for web content hosted in our cloud infrastructure, speeding up your entire cloud server through reduced latency.
Cloud servers start at just $34 a month! For a limited time only, HostDime will match your initial credit deposit! For example, if you put in $1,000, you will receive $2,000 total! There is no maximum to the amount we’ll match!
To take advantage of the deposit match, please open a ticket in CORE and we will add your funds; you have 30 days from purchase date to request a credit match from our sales team.
For any questions you may have, please don’t hesitate to open a chat.
Jared Smith is HostDime’s SEO & Content Strategist.