There has been a lot of talk lately concerning WordPress security and the large number of hacking attempts on WordPress sites.
A year and a half ago I had forty-five sites come under attack at the same time, forcing me to move all of them onto another hosting account after removing the malicious code from each site. Ironically, upon cleaning the last site, I realized that it was a domain that I used to use for testing WordPress plugins, and it contained a plugin that I had identified years earlier on a client site as being vulnerable to hackers.
The agony of moving all of those sites could have been avoided if I had just paid attention to some of the articles and reports I had been reading, and spent a few minutes elevating the security of my blogs.
Since then I have been putting some new security measures into place for myself and my clients using many of the following tips and suggestions:
Backup your site’s database and design theme:
There are many free plugins for backing up the database. I use one called WordPress Database Backup (http://austinmatzko.com/wordpress-plugins/wp-db-backup/). It allows for backups to the server, to your hard drive, or sent to your email, and you can also schedule backups. It is always wise to make a backup prior to installing new plugins or upgrading WordPress.
You will need FTP access in order to back up your design theme, especially if you have made changes to the PHP files.
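As an added example that is not from the article, here is a small POSIX shell script that performs the same backup from the command line: it dumps the database and archives the themes directory (so edited PHP files are included). It assumes mysqldump, gzip and tar are installed, that the site root is passed as the first argument, and that wp-config.php uses the standard define('DB_NAME', '...') lines.

```shell
#!/bin/sh
# Added example, not the article's or any plugin's code.
# Usage: wp_backup /path/to/wordpress /path/to/backups

# Read a define('KEY', 'value') constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and tar the themes directory into the backup dir ($2).
wp_backup() {
    root="$1"; out="$2"; stamp=$(date +%Y%m%d-%H%M%S)
    cfg="$root/wp-config.php"
    [ -r "$cfg" ] || { echo "no readable wp-config.php in $root" >&2; return 1; }
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    host=$(wp_config_value "$cfg" DB_HOST)
    mkdir -p "$out" || return 1
    # The password is passed through MYSQL_PWD so it never shows up in `ps` output.
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction -h "${host:-localhost}" -u "$user" "$db" \
        > "$out/db-$stamp.sql" || return 1
    gzip -f "$out/db-$stamp.sql"
    # Archive every theme under wp-content/themes, including any edited PHP files.
    tar -czf "$out/themes-$stamp.tar.gz" -C "$root/wp-content" themes || return 1
    echo "$out/db-$stamp.sql.gz $out/themes-$stamp.tar.gz"
}
```

Keep the backup directory outside the web root, and test a restore once rather than trusting the archives blindly.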
Upgrade WordPress and plugins on a regular basis:
As a rule, most WordPress and plugin upgrades address security issues, so be sure to stay on top of upgrading. WordPress will notify you of upgrades at the top of your Dashboard. You can check whether plugin updates are available by selecting Plugins from the left Dashboard navigation. If a plugin update is available, a section highlighted in yellow underneath the plugin description lets you click a link reading Update Now. Remember to back up first!
Delete all unused themes and plugins:
Leaving the unused themes and plugins on the site won’t impact your blog directly, but if any of those files have been subject to a prior attack, hackers will still have access.
Change your administration user name and password regularly:
Changing your password can be done through the WordPress dashboard under Users in the left navigation column. Changing your admin username is a little more difficult and is usually done through the phpMyAdmin editor for your MySQL database, as it cannot be changed in the Dashboard. Another approach would be to add a new User, assign them the role of administrator, and then delete the old administrator.
Make use of a WordPress firewall plugin:
There are many firewall plugins available. My colleagues and I are currently running the WordPress Firewall 2 plugin (http://wordpress.org/extend/plugins/wordpress-firewall-2/). This WordPress plugin inspects web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks. It will also email attack reports. This plugin hasn't been upgraded in two years, but there are a number of us running it with great results.
Use a web monitoring and malware cleanup service:
We are using and recommend Sucuri Security (http://sucuri.net/). This service is more than worth the yearly cost of $89.99 for a single site license and includes the following:
Malware Cleanup (no page limit)
Website Integrity Monitoring
Email & Twitter Alerting
Manual Website Scanning
Blacklist Removal
After signing up you can download a PHP file that allows the service to conduct server-side scanning, meaning that after you upload the file to the root of your server, the service can perform hands-on monitoring of your site. If the service detects anything it will send you an email, at which point you log in to your account and submit a malware removal request. After providing the service with your FTP login, they will go in and remove the infection. Afterwards, you change the FTP login username and password.
The service also offers their version of a WordPress firewall plugin. It features what they refer to as Sucuri 1 Click Hardening. 1 Click Hardening will ensure that the following areas are up to par:
Verifies that WordPress is up to date.
Verifies that the WordPress version is properly hidden.
Verifies that the WordPress upload directory is properly protected.
Verifies that the WordPress wp-content directory is properly protected.
Verifies that the WordPress wp-includes directory is properly protected.
Verifies that the WordPress secret keys and salts are properly created. (It checks whether you have proper random keys/salts created for WordPress. They should be created when you first install WordPress and regenerated if you have been hacked recently.)
Verifies that the readme.html file is properly deleted.
Verifies that the default admin username is not being used.
Verifies that the most recent version of PHP is being used on your server.
If the plugin discovers that any of the areas above are not correct, you can click a button labeled “Harden It” and the plugin will correct the issue.
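As an added example (not the Sucuri plugin's code), here is a read-only shell audit that checks a few of the points above against a local install: whether readme.html is still present, whether wp-config.php still carries the placeholder secret keys that a fresh download ships with, and whether wp-content/uploads, wp-content and wp-includes each have an .htaccess that mentions php. That last test is a coarse stand-in for "properly protected", which the article does not define; it assumes Apache, and the site root path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not the Sucuri plugin's code. It reports and changes nothing.
# Usage: wp_hardening_check /path/to/wordpress
# Prints one line per unmet check and returns the number of findings.
wp_hardening_check() {
    root="$1"; findings=0

    # readme.html reveals the exact WordPress version to anyone who requests it.
    if [ -f "$root/readme.html" ]; then
        echo "readme.html still present"
        findings=$((findings+1))
    fi

    # A fresh wp-config.php ships with this placeholder text in every key/salt line.
    if grep -q "put your unique phrase here" "$root/wp-config.php" 2>/dev/null; then
        echo "wp-config.php still has placeholder secret keys/salts"
        findings=$((findings+1))
    fi

    # Assumption: on Apache, "protected" means an .htaccess that restricts PHP
    # execution in these directories. Any .htaccess mentioning php passes; this
    # is a heuristic, not a parser of the rules.
    for dir in wp-content/uploads wp-content wp-includes; do
        if ! grep -qi "php" "$root/$dir/.htaccess" 2>/dev/null; then
            echo "$dir has no .htaccess restricting PHP execution"
            findings=$((findings+1))
        fi
    done

    return "$findings"
}
```

Run it after a cleanup as well as after a fresh install; a hacked site is exactly where the salts should have been regenerated.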
Sucuri also offers a free scan of your site to determine whether you have security issues.
Are you convinced that you need to secure your WordPress site?
Securing your WordPress site is something that we should all take seriously. There is a sick feeling that develops when you discover that your site has been hacked; it's like being violated in some way. One thing that we need to take into consideration is that hacking is not personal. Hackers use software to find vulnerable sites, such as WordPress installs, allowing them to identify and inject whatever type of malicious code they are using to benefit their endeavor, be it a site that sells Viagra or a site that sells Romanian cigarettes.
Don’t put it off. Even if you can’t pay for a service, consider implementing some of the free solutions that I detailed earlier in this article.