8 Tips to Secure a WordPress Site
- 8 years ago
Security is one of those topics that comes up time and time again. You hear the advice, you know you should do it, but somehow, you never get around to it.
The tips in this post are designed to help make your WordPress installation safer and less likely to be hacked or spammed. If you’re short on time, just start at the top and work down. I’ve (roughly) ordered them so that the most important tweaks come first.
1 – Set up Backups
This is quite simply a requirement. If you don’t have backups, you’re putting all your eggs in one basket and if something goes wrong, you lose everything. You’d have to be mad to risk this…
There are 3 rules for a good backup:
- It can’t live only on your server (if the server dies or is broken into, any backups stored on it go with it).
- It needs to be automatic (you aren’t going to remember to do this yourself every day).
- You need to keep a number of them (if you only keep the past 5 daily backups and the site is compromised the day after you leave for a week’s holiday, every backup you have when you get home was taken after the compromise and is useless).
Thankfully, they’re easy to do. Here are 3 possible ways:
- Automatic Database Backups to Email
- Automatic Amazon S3 Backups (For VPS users)
- VaultPress – Paid service from Automattic to make handling backups simple.
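To make the three rules concrete, here is a small backup script of my own (an added example, not code from the original post or from any of the services listed above). It dumps the database, archives wp-content, keeps the newest N archives and copies the new one off the server over SSH; the site root and backup directory are given on the command line, and the KEEP and OFFSITE variables, the file name wp-backup.sh and the presence of mysqldump, rsync and ssh are all assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Nightly WordPress backup:
# dump the database, archive wp-content, keep the newest N archives, and copy
# the new one off the server over SSH. KEEP and OFFSITE (user@host:/path) are
# placeholders you supply; mysqldump, rsync and ssh are assumed installed.

# Read the value of define('NAME', 'value') from wp-config.php so the script
# never needs a second copy of the database password.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Dump the database and tar it up with wp-content into one timestamped archive.
# --single-transaction gives a consistent InnoDB snapshot without locking the
# live site; MYSQL_PWD keeps the password out of `ps` output.
make_backup() {
    wp=$1; out=$2
    cfg=$wp/wp-config.php
    stamp=$(date -u +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    db=$(wp_config_value "$cfg" DB_NAME)
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
      mysqldump --single-transaction -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" "$db" > "$work/$db.sql"
    tar -czf "$out/wp-$stamp.tar.gz" -C "$work" "$db.sql" -C "$wp" wp-content
    rm -rf "$work"
    echo "$out/wp-$stamp.tar.gz"
}

# Rule 3 from the post: keep several generations. Archive names start with a
# UTC timestamp, so sorting them lexically sorts them by age; the oldest go.
prune_backups() {
    dir=$1; keep=$2
    count=$(ls -1 "$dir"/wp-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    excess=$((count - keep))
    if [ "$excess" -gt 0 ]; then
        ls -1 "$dir"/wp-*.tar.gz | sort | head -n "$excess" | while IFS= read -r old; do
            rm -f "$old"
        done
    fi
}

# Rule 1: a copy that is not on this server. rsync over SSH encrypts the
# transfer, the same reason tip 6 prefers SFTP to FTP.
ship_offsite() {
    rsync -a -e ssh "$1" "$2"
}

# Usage: sh wp-backup.sh /var/www/html /var/backups/wp
# Run it from cron so rule 2, "automatic", is covered as well.
if [ "$#" -eq 2 ]; then
    archive=$(make_backup "$1" "$2")
    prune_backups "$2" "${KEEP:-14}"
    if [ -n "${OFFSITE:-}" ]; then
        ship_offsite "$archive" "$OFFSITE"
    fi
fi
```

Restore is the half people forget to test: untar the archive somewhere, import the .sql into a scratch database and load the site from it once, so you know the backups are actually usable before you need them.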
2 – Always Update WordPress
A fairly common thought used to be that “upgrading WordPress might break my plugins.” And it was true; upgrading WordPress does carry that risk.
Not upgrading is worse; it guarantees that you’re at risk. Almost every WordPress release includes security fixes, and once a fix is published the hole it closes is public knowledge, so attackers scan for sites that haven’t applied it. If you don’t update, you’re knowingly leaving those holes open.
At the very least, always apply the minor (point) releases, e.g. 3.0.1 to 3.0.2. They exist almost solely for security and bug fixes, so install one as soon as it comes out.
As an aside; it’s possible to hide the version of WordPress you’re using by adding this to your functions.php file:
That’s no substitute for upgrading though (and if they can load your login page, the markup and styling of that page are quite often a dead giveaway of the version anyway).
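The usual functions.php snippet for this is remove_action('wp_head', 'wp_generator'), but that only removes the meta tag; the RSS/Atom feeds carry a generator element with the version, enqueued core scripts and stylesheets carry ?ver=<version>, and readme.html in the web root prints it in plain text. Here is a check I wrote (an added example, not code from the original post) that reads a page or feed and reports each of those leaks, so you can confirm what your site still gives away. The host example.com and the file name wp-version-check.sh are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the places a WordPress
# site advertises its version: the <meta name="generator"> tag, the feed
# <generator> element, ?ver= on enqueued assets, and readme.html.
# example.com is a placeholder.

# Read an HTML page or a feed on stdin; print one line per version leak found.
# Plugins put their own version in ?ver= too, so compare that value against
# the meta/feed value before calling it a leak.
wp_version_leaks() {
    tr -d '\r' | sed -n \
      -e 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/meta-generator \1/p' \
      -e 's/.*<generator>https\{0,1\}:\/\/wordpress\.org\/?v=\([0-9][0-9.]*\)<\/generator>.*/feed-generator \1/p' \
      -e 's/.*[?&]ver=\([0-9][0-9.]*\)[^0-9.].*/script-ver \1/p'
}

# readme.html ships with every release and states "Version X.Y" near the top.
readme_version() {
    sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Usage: sh wp-version-check.sh https://example.com
if [ "$#" -eq 1 ]; then
    site=${1%/}
    curl -fsS "$site/" | wp_version_leaks
    curl -fsS "$site/feed/" | wp_version_leaks
    curl -fsS "$site/readme.html" | readme_version | sed 's/^/readme.html /'
fi
```

If the feed still reports a version after the functions.php change, that is expected: wp_generator only hooks wp_head, and the feeds use the the_generator filter instead, which needs its own filter to blank out. Deleting readme.html (and license.txt) from the web root is the fix for the last line.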
3 – Choose a Better Password
I know you hear this all the time, but weak passwords are still the #1 reason for sites being hacked. How do you know if your password is weak?
Easy. Does it make any sense whatsoever as a word, phrase or name? If you can pronounce it at all, it’s probably bad. Your password should be a long, completely random, meaningless string of letters, numbers and symbols; a password manager will generate and remember one for you.
And the meaningless part is important there. Turning “michael” into “m1ch@el” doesn’t make it secure; password-cracking tools apply exactly those letter-for-symbol substitutions to every dictionary word automatically, so the attacker gets it on their second guess instead of their first.
4 – Check Your Site Regularly
You’d be surprised how often your site can be compromised without you even knowing. For instance, a lot of injected scripts scatter spam links over your pages that are hidden with CSS (display:none, or positioned off-screen) or are only served when the visitor’s user agent looks like a search engine, so you never see them in your browser.
It’s crucial that you catch on fast because once Google penalizes you, getting your rankings back is a slow, painful process.
One way to check is to use tools like Google Webmaster Tools (now called Google Search Console) to see what links Google is finding on your pages.
Another option is to use a tool like Sucuri.net (Which we’re giving away at the end of this post!), which will automatically scan your site regularly and alert you to any issues.
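A quick check you can run yourself, as an added example (mine, not code from the original post or from Sucuri), is to fetch a page once as a normal browser and once with a Googlebot user agent and pull out every link that sits inside a hidden block; the two outputs should be identical and, on a clean site, empty. The host example.com, the file name hidden-links.sh and the exact user-agent strings are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls the links a visitor would
# never see out of a page: blocks styled display:none, visibility:hidden or
# pushed off-screen, which is how injected SEO spam usually hides. Fetches the
# page twice, once as a browser and once as Googlebot, because some injections
# only serve the spam to search engines. example.com is a placeholder.

# Read HTML on stdin; print the href of each link on a line that carries a
# hiding style. Deliberately crude: a smoke test, not an HTML parser.
find_hidden_links() {
    grep -iE 'display: *none|visibility: *hidden|text-indent: *-[0-9]|(left|top): *-[0-9]{3,}' \
      | grep -oiE 'href="[^"]+"' \
      | cut -d'"' -f2
}

# Usage: sh hidden-links.sh https://example.com/
if [ "$#" -eq 1 ]; then
    ua_browser='Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0'
    ua_google='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    echo "== as a browser"; curl -fsSL -A "$ua_browser" "$1" | find_hidden_links
    echo "== as Googlebot"; curl -fsSL -A "$ua_google" "$1" | find_hidden_links
fi
```

Run it against a few pages, not just the home page, and put it in cron with the output mailed to you; a sudden non-empty result is the alert the post is talking about.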
5 – Prevent Directory Indexing
Directory indexing means that if someone loads a folder on your site that has no index file (e.g. wp-content/plugins/), the web server returns a listing of everything in it. This is bad because it hands an attacker an inventory of your installed plugins (and, from their file names and readme files, their versions) to match against known vulnerabilities.
On Apache the fix is easy: open the .htaccess file in your site root in a text editor and add the following to it (it only takes effect if your host allows .htaccess overrides, which most shared hosts do):
#Prevent directory indexing
Options -Indexes
On nginx there is no .htaccess; listings are off unless a server block contains autoindex on;, so check that nothing does. Either way, verify the change afterwards: loading wp-content/plugins/ in a browser should now give a 403 error instead of a file list.
6 – Don’t use FTP
FTP is the most common way to add files to your server, but it isn’t secure. It sends your username, password and every file in clear text, so anyone on the network path between you and the server can read them. If your host allows you to access your server with SSH, then you can use SFTP instead, which runs over SSH and encrypts all of it.
Behind the scenes the two work completely differently, but using them is exactly the same. Odds are you can even continue to use your current FTP program with SFTP instead.
There is no reason not to make this swap, so contact your host and ask them if you can use SFTP (Most should allow it).
7 – Move and Update Your WP-Config.php File
Your wp-config.php file doesn’t have to be in your site’s root folder (where it is by default). You can move it up one folder, so it is no longer in your public web folders at all. That is the whole point, so only do it if the parent folder really is outside the web server’s document root: moving /var/www/html/wp-config.php to /var/www/ helps, moving /var/www/html/blog/wp-config.php to /var/www/html/ does not.
And it’s as easy as it sounds. Just move the file up one folder, and WordPress will know to find it there (it only looks one level up, and it skips the moved file if that folder also contains a wp-settings.php, i.e. looks like another WordPress install).
Also, if you’ve had WordPress for a while now, you may not have all the security keys that you should in your wp-config.php file. These keys and salts are secret values mixed into the hashes that protect your login cookies and nonces; if they are missing or still say “put your unique phrase here”, those cookies are far easier to forge. All you need to do is go to https://api.wordpress.org/secret-key/1.1/salt/, copy the code it generates, and then paste it over the existing define lines in your wp-config.php file. Changing them logs every user out, which is exactly what you want after a compromise.
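Both halves of this tip are easy to get subtly wrong by hand (pasting the new keys below the old ones leaves the old ones in force, and moving the file into a served folder gains nothing), so here is a script of mine that does them in the right order (an added example, not code from the original post). It fetches salts from the URL above, checks that it really got eight define lines before touching anything, swaps them into wp-config.php, and only then moves the file up, refusing if the parent folder looks like another WordPress install. The paths and the file name wp-config-harden.sh are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a fresh set of the eight
# AUTH_KEY ... NONCE_SALT defines into wp-config.php, replacing whatever is
# there (including the "put your unique phrase here" placeholders), and only
# then moves the file one directory up. Paths are placeholders.

# $1 = wp-config.php, $2 = a file holding the eight define() lines as served
# by https://api.wordpress.org/secret-key/1.1/salt/. Old key/salt lines are
# dropped and the new ones inserted just above $table_prefix (or appended if
# that line is missing), so the rest of the file is untouched.
install_salts() {
    cfg=$1; salts=$2
    tmp=$(mktemp)
    awk -v saltfile="$salts" '
        /^[ \t]*define\([ \t]*'\''(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)'\''/ { next }
        /^\$table_prefix/ && !done { while ((getline line < saltfile) > 0) print line; done = 1 }
        { print }
        END { if (!done) while ((getline line < saltfile) > 0) print line }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Fetch new salts and check that the API really returned eight defines
# before anything is changed.
fetch_salts() {
    curl -fsS https://api.wordpress.org/secret-key/1.1/salt/ > "$1"
    [ "$(grep -c "^define('" "$1")" -eq 8 ]
}

# Moving the file up only helps if the parent directory is not served by the
# web server. WordPress ignores the moved file when the parent also holds a
# wp-settings.php, so refuse in that case rather than break the site.
move_config_up() {
    wp=$1
    if [ -e "$wp/../wp-settings.php" ]; then
        echo "parent looks like another WordPress install; not moving" >&2
        return 1
    fi
    mv "$wp/wp-config.php" "$wp/../wp-config.php"
    chmod 0640 "$wp/../wp-config.php"
}

# Usage: sh wp-config-harden.sh /var/www/html
if [ "$#" -eq 1 ]; then
    salts=$(mktemp)
    fetch_salts "$salts" && install_salts "$1/wp-config.php" "$salts"
    rm -f "$salts"
    move_config_up "$1"
fi
```

Take a copy of wp-config.php first (tip 1 applies here too), and check which user the web server runs as before tightening the mode further; 0640 owned by you with the web server’s group is the usual compromise between PHP being able to read it and nobody else on a shared host being able to.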
8 – Take Care Downloading Plugins/Themes
There are a lot of places to find these items, but not all of them are trustworthy. Many sites get caught out because they installed a script with malicious code hidden in it.
Before downloading a theme or plugin, Google the site to see what people say about it. Lots of good reviews and links? Then go for it. Hard to find any? Then best leave it alone.
For plugins; there is usually little reason for a free plugin not to be hosted on WordPress.org, so always go there first (There are still exceptions though, e.g. cforms). Or alternatively, you can buy premium plugins from sites you trust (Again though, check the site first!).
Themes are trickier. The WordPress.org theme directory is great, but a lot of talented theme developers do choose to host their themes on their own sites (The auto-update feature of the plugin directory isn’t so necessary with themes).
If you do take a theme from a 3rd party website, I’d recommend scanning it right away, before activating it: look for obfuscated code (eval, base64_decode, gzinflate and friends in the PHP files) and for outbound links you didn’t ask for, usually in footer.php (spammy paid links in the footer of a theme are a very common find, and Google may penalize you for them).
And of course, you always have the option of paying for premium themes (Though do be careful of sites selling themes they did not make. You have no guarantee that they haven’t tampered with the theme first).
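Here is the scan I run on any theme or plugin that didn’t come from WordPress.org, as an added example (my code, not from the original post): it lists every PHP line that uses the obfuscation and execution primitives nearly all injected backdoors rely on, and every outbound link in footer.php. The file name scan-package.sh is a placeholder; the patterns are deliberately broad, so read each hit rather than treating a match as proof.

```shell
#!/bin/sh
# Added example, not from the original post. Point it at an unpacked theme or
# plugin directory before you activate it. It greps for the obfuscation /
# execution primitives that injected backdoors almost always use, and for
# outbound links in the footer template. Any hit deserves a read of the
# surrounding code; a clean, well-known theme rarely needs eval() at all.

scan_package() {
    dir=$1
    # One line per suspicious statement, with file and line number.
    grep -rnE --include='*.php' \
      'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e|(system|shell_exec|passthru)[[:space:]]*\(' \
      "$dir" || true
    # The "sponsored" footer link: any absolute link in footer.php.
    if [ -f "$dir/footer.php" ]; then
        grep -noE 'href="https?://[^"]+"' "$dir/footer.php" | sed 's/^/footer link: /' || true
    fi
}

# Usage: sh scan-package.sh /path/to/unzipped/theme
if [ "$#" -eq 1 ]; then
    scan_package "$1"
fi
```

A theme that scores zero here can still be bad (a footer link built with JavaScript, or a remote include fetched at runtime, won’t show up), so this complements the reputation check above rather than replacing it.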