Did you know that WordPress is the most popular open source CMS used in the world? Approximately 15% of websites in the world actually use it today. Below you will find some tips that I wish I had known when I first started out with WordPress. They will help you avoid spending hours trying to recover what’s left of your website or blog after an attack.
After Installation You Must Prepare for the Worst
When you install WordPress you will be asked to enter a username for the administrator account. Choose something other than the default “admin”. The goal is to make it as difficult as possible for someone who is looking to harm your WordPress site.
For your password you should always use a combination of lowercase letters, uppercase letters, numbers and punctuation marks. I always use a password generator (there are many available online to use for free).
Keep WordPress Up to Date
WordPress is updated regularly, so make sure that you install updates as soon as they become available in your dashboard. Upgrading to the latest version closes the security holes that have been found in previous versions, so that spammers and hackers cannot exploit them against your site.
The automatic update usually takes no more than 2 minutes, but before running it make sure you back up your database.
Protect Any Sensitive Files
Two files in your WordPress installation are especially important: “wp-config.php” and “.htaccess”. Take good care of them. You can also add protections to the “functions.php” file of your theme.
In wp-config.php do the following:
Generate and insert security keys by visiting the following page: https://api.wordpress.org/secret-key/1.1/salt/ (Note: changing the keys logs everyone out, so you will need to log in again afterwards.)
Protect your wp-config.php file by adding this to the .htaccess file in your WordPress root directory (the directives only apply to that one file):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Protect your .htaccess file in the same way:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Then, in your functions.php file, hide the WordPress version number (a potential hacker who knows which version you are running can look up the vulnerabilities of that version). Here is the code to insert:
remove_action('wp_head', 'wp_generator');
Hide Your Folders
You may not have disabled the browsing of your directories. If so, anyone who enters a URL such as yoursite.com/wp-content/plugins can see the list of plugins you use, and then look for known vulnerabilities in them.
Return to the .htaccess file and insert the following code:
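The directive the post refers to here did not survive on the page, so the following is an added example (not the post's own snippet) of a root-level .htaccess that switches off directory listings. It also carries the wp-config.php and .htaccess protections from the previous section, written for both Apache 2.2 and Apache 2.4 so that it keeps working after a server upgrade. File names are the WordPress defaults; nothing else about your server is assumed.

```apacheconf
# Added example, not from the original post: root-level .htaccess for a
# WordPress site. Assumes mod_rewrite/.htaccess overrides are already enabled
# (they are on most shared hosts, since WordPress permalinks need them).

# Stop Apache from listing the contents of directories that have no index
# file, e.g. /wp-content/plugins/ and /wp-content/uploads/.
Options -Indexes

# Deny direct HTTP requests for wp-config.php and for the .htaccess/.htpasswd
# files themselves. PHP still reads wp-config.php from disk as normal.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd)$">
  # Apache 2.4 (mod_authz_core is only present in 2.4)
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2 equivalent, as used in the snippets above
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After saving the file, request yoursite.com/wp-content/plugins/ and yoursite.com/wp-config.php in a browser: the first should now return a 403 instead of a listing, and the second a 403 instead of a blank page. If the whole site returns 500 instead, your host does not allow the Options directive in .htaccess and you should remove that line and ask them to disable indexes for you.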
Restrict Access to Your Administration
The Login Lockdown plugin is very good: it limits the number of login attempts to your WordPress administration, which is especially useful if someone tries to guess your password.
Another is the Password Protect plugin from AskApache, which should appeal to the more anxious amongst you. It adds an extra layer of security by requiring a separate username and password before anything in the wp-admin directory can be accessed.
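What that plugin sets up is ordinary HTTP Basic authentication on the wp-admin directory. The following is an added example of doing the same thing by hand, not the plugin's own output: a wp-admin/.htaccess file that asks for a web-server password before WordPress's own login form is reached. The path /path/outside/webroot/.htpasswd is a placeholder for wherever you keep the password file.

```apacheconf
# Added example, not from the original post or the AskApache plugin.
# Save as wp-admin/.htaccess. Create the password file once with:
#   htpasswd -c /path/outside/webroot/.htpasswd someadmin
# (the path is a placeholder; keep the file outside the web root)
AuthType Basic
AuthName "WordPress administration"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Themes and plugins call wp-admin/admin-ajax.php from the public site, so it
# must stay reachable without a password, otherwise visitors get a login prompt
# whenever a front-end feature uses AJAX.
<Files admin-ajax.php>
  # Apache 2.4: a Require in a nested section replaces the outer one
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  # Apache 2.2: "Satisfy any" lets the Allow rule bypass the Basic auth
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Satisfy any
  </IfModule>
</Files>
```

Basic authentication sends the username and password with every request, so this is only worth doing on a site served over HTTPS. It is a second, independent password in front of the WordPress one: a brute-force tool aimed at wp-login.php never reaches the WordPress login form in the wp-admin area at all.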
Do Not Forget This Essential Plugin
WordPress Security Scan is a plugin that checks that everything is in order, so that you have the least possible chance of being attacked. It checks the following items on your site:
- That WordPress is up to date
- That your database tables use a sensible prefix
- That file permissions are correct
- That your files and directories are protected
Backup, Backup and Backup Again
If there were only one thing I would do in order to secure a WordPress website, it would be to perform regular backups. There are dozens of WordPress plugins to help back up your files, and the one I recommend is called WP-DB-Backup by Austin Matzko.
This plugin backs up your site at regular intervals, either emailing the backup to you or storing it on your server. There are also plugins that use Dropbox and Amazon S3 to store your backups. You can also do this manually with your favorite FTP client.
About the Author: Marc Chili runs the Coupon Chili website. If you are interested in developing websites on the Windows Azure cloud platform, he recommends signing up for a free trial. You can read his blog post about the Azure promo code here, which goes into more detail on the pros and cons of developing applications on this platform.