If you're a web designer, a blogger, or work in online marketing, it's a pretty good bet that you've already worked with WordPress. Because it's a versatile content management system that's easy to set up and easy to use, WordPress has become a very popular platform. But that same popularity makes self-hosted WordPress sites a popular target for attackers. This post is for those who host WordPress on their own domain, not for those using a WordPress-hosted site (i.e. *.wordpress.com).

The majority of you who are in charge of a WordPress site (excluding those in charge of major brands) will typically only need to worry about low-effort, automated attacks: tools and scripts that either brute-force the login (poorly chosen passwords are the big issue here) or scan for a known vulnerability in outdated plugins, themes or WordPress core and exploit it. These issues are easy to prevent, yet they account for the majority of the hacks people actually deal with.

This guide will help you shore up your vulnerabilities and make your WP site more secure.

Hosting and server level security

When it comes to WordPress security, you'll want to start at ground zero which means starting with web hosting. While there are many options out there, one of the top options for hosting when it comes to WordPress seems to be WPEngine.com. 

While WPEngine is more costly (starting at $29 per month), the effort they put into security is fantastic (in addition, if you do happen to get hacked, their partnership with Sucuri Security means they'll clean up your site for free). I've also found that after switching my sites from HostGator to WPEngine, performance and load time improved greatly, which is great from both an SEO and a user perspective.

That said, WPEngine might not be the best solution for everyone, due to pricing or plugin limitations. For example, there are quite a few plugins they don't allow (many for performance reasons, not security reasons).


If you decide to use another hosting solution or are hosting WP on your own servers, here are a few things to think about (WP Engine takes care of some of these issues):

  • Your server should only be accessible by you and your IT team.
  • Never access your server from public WiFi (ahem... Starbucks WiFi) or any other untrusted network. If you must use public WiFi, connect through a VPN or take equivalent precautions.
  • Do not use 'admin' as your username. It was the long-standing default for WordPress installs, so attackers try it first, which leaves them only your password to guess.
  • Use long, complex passwords made up of upper- and lower-case letters, numbers and symbols (a password manager makes this painless). Never reuse that password anywhere else.
  • Create a unique database for every new blog installation, and change the table prefix from the default wp_ so automated attacks that assume wp_posts, wp_users and so on don't work out of the box.
  • Run secure, stable, currently supported versions of your web server and every other piece of software on that server, and keep them patched.
  • Have a server-level firewall.

There's more to this, but those are the biggies. Check out the infographic from WPTemplate for a few other vulnerabilities to check.

Now that you've taken care of some of the easier things, the next step is checking your .htaccess file. On Apache, .htaccess is a per-directory configuration file whose directives override the server's defaults for that directory. Edit it only AFTER installing WordPress, because the installer (and any later change to your permalink settings) writes its own rewrite rules into the file.

When editing your .htaccess file, it's important to be very careful, otherwise you might cause a 'break': downtime for your website, rules not working the way they're meant to, and so on. WordPress auto-creates a section in the file delimited by the comments "# BEGIN WordPress" and "# END WordPress". Don't put anything inside that section, as WordPress rewrites it and your changes will be lost; put your own rules outside it.
If you aren't comfortable with code, it may be best to let your developer do this. Here's a resource list to help you get started with editing your .htaccess file to best secure your WP installation.
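The following is an added example, not code from the original post: a small POSIX shell script that backs up a WordPress .htaccess file and inserts a block of hardening rules above the WordPress-managed section, so the auto-rewritten part stays intact. The rules assume Apache 2.4 (the `Require` directive) with `AllowOverride` permitting `FileInfo`, `Limit` and `Options`; the IP address 203.0.113.10 is a documentation-range placeholder you would replace with your own. A second function verifies the result.

```shell
#!/bin/sh
# Added example (not from the original post): put hardening rules into a
# WordPress .htaccess OUTSIDE the "# BEGIN WordPress" ... "# END WordPress"
# block, which WordPress regenerates and would overwrite.
# Assumes Apache 2.4 (Require directives) and AllowOverride FileInfo Limit Options.

# The rules to add, kept in one place so they are easy to review.
hardening_rules() {
cat <<'EOF'
# BEGIN hardening (site owner's rules; kept outside the WordPress block)
# Deny HTTP access to the config file and to this file.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>
# No directory listings.
Options -Indexes
# XML-RPC is a common brute-force target; allow it from one trusted address
# only. 203.0.113.10 is a placeholder from the documentation range.
<Files "xmlrpc.php">
    Require ip 203.0.113.10
</Files>
# END hardening
EOF
}

# harden_htaccess FILE
# Backs FILE up to FILE.bak, then writes the hardening rules immediately
# before the "# BEGIN WordPress" marker (or at the top if there is none).
# Safe to run twice: a second run is a no-op. Returns 0 on success.
harden_htaccess() {
    file=$1
    cp "$file" "$file.bak" || return 1
    if grep -q '^# BEGIN hardening' "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    n=$(grep -n '^# BEGIN WordPress' "$file" | head -n 1 | cut -d: -f1)
    if [ -n "$n" ]; then
        # lines before the marker, our rules, then the marker and everything after
        { head -n "$((n - 1))" "$file"; hardening_rules; tail -n "+$n" "$file"; } > "$tmp"
    else
        { hardening_rules; cat "$file"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

# wp_block_intact FILE
# Returns 0 when the WordPress block still has its BEGIN/END markers in order
# and the hardening block sits before it, i.e. nothing landed inside the
# section WordPress will rewrite.
wp_block_intact() {
    file=$1
    b=$(grep -n '^# BEGIN WordPress' "$file" | head -n 1 | cut -d: -f1)
    e=$(grep -n '^# END WordPress' "$file" | head -n 1 | cut -d: -f1)
    h=$(grep -n '^# BEGIN hardening' "$file" | head -n 1 | cut -d: -f1)
    [ -n "$b" ] && [ -n "$e" ] && [ -n "$h" ] && [ "$h" -lt "$b" ] && [ "$b" -lt "$e" ]
}

# Usage: sh harden.sh /var/www/html/.htaccess
if [ "$#" -eq 1 ]; then
    harden_htaccess "$1" && wp_block_intact "$1"
fi
```

Run it once against the site's .htaccess, then reload a page and the login screen to confirm nothing broke; the .bak copy lets you roll back in one `mv` if it did.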

The next step after sorting all of that out is choosing a theme. Buy or download themes only from a reputable source, because a theme is just PHP code: anyone who wants to can ship it with vulnerabilities or an outright backdoor. The same goes for every plugin you install.

By taking the time to follow some of the tips mentioned above, you'll greatly improve the security of your site, putting you ahead of many other sites, thereby reducing chances that a hacker spends time trying to crack your website.
