With hackers everywhere on the internet, website security is a concern for everyone. Fortunately there are a number of things that you can do to help secure you and your WordPress website or blog.
There are some primary website security topics that you should be aware of. For each of the security topics I will provide real world solutions that for most part don’t require too much technical knowledge.
- Hosting Provider
- Database Tables
- Remove “Admin” User
- Limit Login Attempts
- WordPress Theme
- HTAccess Files
- Backup Your Data
- Keep Updated
- Your Personal Computer
- Check Your Site Regularly
Your hosting provider has a lot to do with the security of your WordPress website.
Most hosting is done with shared servers, that means that your website and a number of other websites are all hosted on the same server. What separates the bargain sites from the quality sites is how well they protect your site from security problems with other sites.
I’ve personally had to clean out websites because they were infected by another website on the same server that got hacked. You want a hosting company which monitors the sites on their servers and fixes problems before you find out about them. You don’t want to be the one calling your hosting company and telling them to clean up their servers.
There is a pattern to a lot of attacks on websites, they tend to be with the same set of hosting companies. The companies that offer hosting for $2-$3/month tend to repeatedly show up in headlines with security problems. I don’t think it’s a coincidence.
Does the hosting company have real live customer service? I’ve seen some companies which advertise on their homepage that they have 24/7 customer support. But then you dig a bit further and they actually refer you to their user forums and only if that doesn’t work can you email them for help. If I have a problem, I don’t want to wait for another customer to answer it, nor do I want to exchange 40 emails. I want a real live person that I can talk to (either via chat or phone — personally I really like the chat option).
The reality is that you will have to contact your company at some point about something, you want a company that is actually there when you need them.
When looking at reviews, ignore the ones on their website. Look for independent reviews (and be careful of experts — many expert reviews are paid for by the company) and look for real customer reviews. Also check the date on reviews. If they had good reviews 5 years ago, but the ones in the last year are negative, the company is going seriously downhill.
Uptime is the percentage of time that your site is up and available to the world for use. Ignore a company’s advertised uptime. Because well, they can advertise what they want, you want reviews of their uptime that aren’t controlled by them. Generally speaking, better uptime means better monitoring of their servers. And you want them to monitor their servers a LOT.
There are a number of hosting companies that I don’t like to deal with (and the list always seems to be growing), but there are a few that I do enjoy working with.
- Bluehost – hosting starting at $5/month
- Web Hosting Hub – hosting starting at $5/month
- In Motion Hosting – hosting starting at $6/month
By default WordPress database tables are created with the prefix “wp_”. Since this is the default, some hackers use this to compromise your security. I always recommend changing the table prefix. If I am creating a new website, I will do this on site creation, but if you have an existing website you will need a tool to help you.
Website Defender has a plugin which will allow you to change your database table prefix (among other things). Changing your database table prefixes is a potentially dangerous thing to do and you should always have a backup of your site and know how to restore the backup before trying this.
The plugin is WP Security Scan. Once installed it will show up as “WSD security” in your WordPress left sidebar. If you go to WSD security and then click on Database you will have a button to make a backup of your database and at the bottom you will be able to change the table prefix. You want to make it something other than “wp_”.
Again, changing your database is potentially dangerous. NOT recommended for novices.
Remove “Admin” User
A number of hosting companies provide 1-click installs for WordPress, which makes getting your blog online very fast and easy. The downside is that most of them create the WordPress default user named “admin”. This is fine since it allows you to login to your new blog quickly. The downside however is that many hackers specifically target this username.
To remove the “admin” username is a two step process. First you will need to add a new username which is an administrator, then you will need to log in with the new administrator username and delete the “admin” user. For more information see my tutorial on adding and removing WordPress users.
Secure passwords are extremely important to overall WordPress website security. But creating complex passwords that you have a prayer at remembering, that requires some additional work. It also requires more space than I have here, so head over to my Creating Secure Passwords Tutorial post for more info.
Limit Login Attempts
Many hackers use what is called a brute force attack. Basically, they try using a predictable username (such as “admin”) and then try every password combination starting with the most common (such as “password123”). One way to increase website security is to limit the number attempts at guessing your password. Most hackers want easy targets, if you’re too much work they just move on.
To limit the number of passwords that can be tried, I recommend using the Limit Login Attempts plugin. Once installed and activated it is very simple to use. In fact, you normally don’t need to do anything else.
There are a lot of themes out there and a lot of places to get them. If you are looking for an off the shelf theme, I recommend looking at some of the major theme houses, the official WordPress theme repository, theme roundups articles from major blogs, or my post on themes. These sources generally scan themes and make sure that they don’t contain malicious code.
However, since I tend to be concerned about security, I run any theme that I’m using through the Theme Authenticity Checker. The second security measure I take is to find out if theme uses the Tim Thumb script. If the theme uses Tim Thumb, then I add the Timthumb Vulnerability Scanner plugin.
For more information on theme security, read my post on Theme Security with WordPress.
HTAccess files (or more specifically .htaccess) basically allow certain types of access to files in a directory. Now since they do control access to your data, you need to be careful and always have a backup before you try anything. You should also be familiar with how to reload your site from a backup and how to manipulate files with ftp. If you aren’t familiar with these things, skip to the next section.
Still here? If you aren’t an .htaccess file wizard, Sucuri makes a very easy to use and simple security plugin which has 1-click hardening functions. Bullet proof security also makes an excellent plugin, but it is a bit more complex.
The plugin has buttons which with just one click will apply .htaccess files restricting php access to your different directories. This in effect puts up a wall between your files and php files accessing them (or hardens them).
Generally clicking the harden button on everything except wp-content and wp-includes works very well. However, if your theme files have been customized and for some reason access wp-includes (I’ve run into it), then hardening that would break your theme. In this case, I would highly recommend fixing your theme so that wp-includes can be hardened.
If your theme uses the TimThumb script (or a number of other image scripts), you won’t be able to harden wp-content without breaking your theme. A number of plugins also use such scripts, so I find I am rarely able to harden this directory.
Backup Your Data
While most hosting providers do backup your data on their servers, that really isn’t enough. One reason is that you have to hop through a lot of hoops to get to your data (contact tech support, file a request, get a reply asking which files you need, wait for them to reload the server with the files).
Also, if you request a reload of your files (for any reason, including their servers crashed) you may be charged. Most hosting providers will provide one retrieval of data per set period, but more than that and they are start billing you.
Probably the most important reason though is that you have no control over when the backups are taken. Most providers taken backups every 24-48 hours. But if you want to take a snapshot of your site before making some changes, too bad.
Since backing up is a rather long article on its own, please head over to my post on Backing up WordPress with BackWPup Tutorial for more info.
You’ve got everything all set up, but now is the hard part, keeping things up to date. There are three main areas that you need to check for updates: your plugins; your WordPress version; and your theme version. If you are not familiar with updating WordPress, read my post on WordPress Updates.
Your Personal Computer
It seems you are always hearing about new computer virus making the rounds, but the reality is that people usually get hacked with with old viruses. There are a number of people who don’t regularly install Security Updates for both their computers and their web browsers.
When your computer gets infected and you are logged into WordPress, you can transfer those viruses right to your website. Or, the virus might be one of those quiet ones that just copies your login information, and sends it back to a hacker who can login as you and wreak havoc on your site.
Now, I’m not saying you always need to update to the latest operating system flavor. However, you do need to make sure that the one you are using is still getting all of its security updates.
But while you don’t always need the latest and greatest operating system, you should get the latest and greatest browser. My favorite pick across all operating systems is Chrome (on macs its Safari). It has a simple interface and keeps up to date on web standards so that you view web sites as they were designed to be viewed. It also has a lot fewer security holes than some other browsers.
Check Your Site Regularly
Finally, a simple and very reassuring step is to check your regularly with a free tool like Sucuri Free. Sucuri has more advanced versions and also security services which they offer, but this free plugin is great for most site owners.
After installation and activation Sucuri Free will show up in your left side navigation bar.
Once you navigate to the plugin all you need to do is click on “Scan this site now!” blue button and Sucuri will begin to scan your site.
After you click on the site scan you will see the results of your scan. The goal is to have three green shields with check marks. That means things are going well. Now, Sucuri can’t guarantee that they will be able to detect every possible problem now and in the future; but they do work extremely hard to keep up to date with security problems.
WordPress security has many facets, but it is an important topic to learn about. This tutorial should have given you some practical tasks that you can do to improve the security of your website. If you need more assistance than presented here, contact us for a quote on your website!