With the nature of wordpress being open source, it means that the code base is open for all to see. Whilst this is not a bad thing and some of the most secure software on the planet is open source, it does leave security considerations to be taken care of. Here are ten of the most important steps you can take to ensure your WordPress installation is not hacked or otherwise compromised.
Perform Regular Back-Ups
Applying a regular backup to your site is the most effective solution to a disaster scenario. It could be the case that your site was hacked and the exploit has allowed the hacker to run server commands. At this point your best course of action is to fully clean the server and each installation. I’ve seen cases that are so bad that this was the only course of action that could fully guarantee to keep the hackers out. There are plugins available to WordPress such as Vaultpress or blogVault or you can use linux commands to compress your site and download. Make sure you take a copy of the sql database too as this is not included in the compressed files.
Two-Factor Authentication Login
Using two factor authorisation means you are presented with an extra layer of login security such as a secret question or mobile text to a set number. The plugin WP google Authentication is a good choice providing Google 2FA to your site.
Implementing Login Limits
When you implement login limits you are specifying rules where any sequence of failed attempts from a given IP address will be prevented from logging into the site for a certain amount of time. This reduces the risk of an admin based brute force attack. Use a plugin such as the WP limit login plugin to enable this feature. Just make sure you don’t get locked out yourself, although the time limit function means this is only temporary.
Change Admin Login URL
Many automated brute force attacks work as the default URL for WordPress is well know to be wp-admin /wp-login.php making it an easy entry point for a brute force attack. By changing the default login url to something different means you can negate many of these attacks. Use the iThemes security plugin which has over 30 security configurations for your site.
Make Your Passwords Secure
Use strong passwords for your admin, ftp and domain logins. A solid practice is the use of letters, numbers and special characters as these are the most difficult to crack via automated methods. A password generator tool can be useful although this can encourage people to write their passwords onto bits of paper and stick them to monitors. This is particularly insecure and one of the most obvious security holes.
Password Protect the WP-Admin Directory
As the admin directory is effectively the heart of your site. If this was compromised, the entire site effectively becomes open to manipulation. Adding a password protect to the folder itself can add an additional level of security. You can either use your hosting providers login which will usually have a file manager and a way of protecting folders or you can use a plugin such as AskApache Password Protect plugin to accomplish this.
Forcing Strong User Account Passwords
For blogs that have multiple users, there can be a weakest link effect where by one person has an insure password rendering all the secure users void. Using a plugin such as Force Strong Passwords can ensure that each user must enter a complex password with symbols, numbers etc.
Switching to HTTPs (SSL/TLS)
This also actually helps with website SEO as it is now used by Google as one of its 200+ ranking factors. This involves purchasing an ssl certificate and applying it to your site. This will change all the URLs to your site (http://www.yoursite.com) to a version prefixed with “https” (notice the additional ‘s’ at the end) becoming (https://www.yoursite.com) ensuring that the link between you and the site is encrypted and almost impossible to intercept.
Actively Monitoring WordPress Files
Checking your WordPress files for any sign of tampering by a hacker. These ‘backdoor’ scripts allow a hacker to be able to enter, change or replace many parts of your site opening it up to further attack. There are plugins available that will alert you should there be any changes to the sites core files. The Wordfence plugin is a popular choice and an all round security solution for your site.
Keep WordPress and Its Plugins Updated
Once this is one, update your plugins via the plugin manager. As the sites WordPress version progresses, the plugins need to also update to ensure they are both using the same code base.
As additional security flaws are found both within core WordPress and also its plugins. The updates are released patching these. We have seen many occurrences where an outdated plugin has either broken the site or has exposed a security vulnerability.