WordPress Smart Security
How To Secure Your WordPress Site Smartly
Every day, some scary report about a major site being hacked or a sensitive database being compromised hits the web … and freaks everyone out.
We’ve been discussing WordPress security a lot over at the blogs, but these days, we can’t be secure enough, right? It’s worth your time to look over this list of security tips, and to take the few simple actions to implement them. How secure are our sites and blogs?
Let’s go over the basics…
Why should we take WordPress security very seriously?
Why all the fuss and security talk? Because staying vigilant about security is an ongoing responsibility for any WordPress site owner. And it’s an ongoing responsibility for everyone online, whether you’re using WordPress whatever else.
Then we’ll continue to discuss it here as much, if not even more so, than performance. Sub-second load times are great, but not if you’re hosting hidden links to Canadian pharmacy sites or Google is flagging your site as malware-infected shack.
I know that security can sometimes be an annoying topic. If you don’t have a technical background, the risks and the necessary safeguards can be difficult to comprehend and master
1. Maintain strong passwords
How about kicking off the list with the easiest step you can implement immediately. Hopefully you already have. If not, do not procrastinate on this one. Take this seriously.
The common Excuses like, “But I want one password for all of my sites so that I won’t forget!” or “My (generic) password is good enough, and what are the odds that someone is really going to try to hack me?” are not acceptable if you want to follow my advice.
If you aren’t using a password that’s at least ten characters, with numbers and letters, capitals and lowercase … you’re doing it wrong. Do it right. Especially this one.
2. Must keep up with important updates
All software programs updates are not just released for the search engines News search results. But are released to fix bugs, introduce new features, or, most importantly, to patch security holes and vicious viruses.
Shall we think WordPress (or any software program, for that matter) always be one step ahead of the hackers? Absolutely not. Software is always going to be one step behind the hackers. That’s just how it goes, it’s the new world we live.
But when major security holes are known , and solutions are available, there is no excuse not to implement them. Thus, there is no excuse not to keep up with WordPress and all other software programs updates.
Many of us feel trepidation when it comes to updating WordPress, afraid that it might break your theme or disrupt a plugin’s functionality. My response to this is simple: if you’re afraid of it, then you need to re-evaluate your theme and plugin strategy. Your theme will certainly get disrupted when a hacker injects half a page of a nasty encrypted code in your site.
One of the benefits of investing in a WordPress theme framework like Genesis is that our StudioPress division will have the Genesis Framework updated near instantaneously when a WordPress update is released. In fact, there’s a good chance they had input in the WordPress update itself! So, you never have to worry about your theme breaking or malfunctioned.
For plugins, this is why vetting plugins is so important. If a plugin isn’t updated regularly, or you’re not paying for support, then you should be afraid of it possibly breaking with a WordPress updates. Thus, you might want to rethink using it at all.
3. It is very important to Protect your WordPress admin access
Shall we change the name of the default “admin” user that every WordPress installation starts out with? Sure, we can. certainly isn’t going to hurt.
Just remember that it isn’t the pinnacle of security measures. Hackers can find usernames fairly easily from blog posts or other places.
What is More important than disguising the specific admin username is to make sure that every username of your site with administrator access is protected by a strong password.
But if you really want to protect your site, go the extra step of requiring a Yubikey to login. This way, even if someone does have the password to a username with administrator access, they cannot login without physically possessing the Yubikey (which is easily used via simple USB insertion when it’s login time, plus the fact that it’s not a hassle, It’s peace of mind.
4. Try to Guard against brute force attacks
One more time, the stat I cited above? It’s worth citing again: we see between 60K and 200K failed login attempts a day on the sites I host. The site you’re reading right now (Freewebsiteandbusiness.com) in case you’re somehow reading a scraper site) sees 30 unauthorized login attempts … every hour.
As you may pass out at the magnitude of that number, know that you’re far from powerless against these nameless, faceless hack attempts.
Your web host should be helping to protect you from brute force attacks and regularly monitor where failed login attempts are coming from and then lock out the offending IP addresses.
Third, there are programs that can be installed (such as Limit Login Attempts) that will make it much more difficult for brute force techniques to work.
5. Always Monitor for malware
It’s extremely imperative that you have some kind of system in place to constantly monitor your site for malware.
The way you monitor is vitally important. Choose a method that can actually plunge into your files structure and detect deep breaches, rather than one that just shows you simple vulnerabilities.
6 Now Do something about malware!
Monitoring for malware is not a solution by itself. The solution is what happens once malware is discovered.
7. Choosing the right web host is very important
A major security risk is being on a shared server. Think of it this way: take the security risks inherent in your own WordPress installation, then multiply it by the number of sites on the server. And if you go with generic hosting, chances are you’re going to be lumped in with hundreds upon hundreds wanted and unwanted sites and blogs.
May be Your own VPS may not the right option for you. It may be too expensive, or your traffic may not necessitate it. That’s fine. But if you’re going to be on a shared server, make sure it’s shared with just a small number of websites. Also, find a host that doesn’t get complacent about security.
For those who may claim to “have security figured out” has no clue. Online security is constantly changing. Web hosting companies need to constantly evolve with that changes, and the threats that come with it.
8. Keep your site as clean as your bedroom
We All know that our WordPress installation could easily have ticking time bombs sitting on it that you’re not aware of? If you have old themes and plugins that you’re not using anymore, especially if they haven’t been updated, you can basically just go ahead and start the countdown to your next security invasion. A sloppy site also makes it much more difficult for security professionals to operate should your site be invaded.
9. Extra Control to extra sensitive information
Make sure when you are doing a cleanup of your site or blog, check to make sure you are not leaving bits of valuable information available for anyone to see.
WordPress readme.html file by default will say what version of WordPress you’re running. If you’re running an older version of WordPress with a known security hole, hackers will move in.
Also look into your phpinfo.php or i.php files. They’ll tell a hacker everything about your setup and serve as a “road map to the house” before they even break in your site.
Also leaving .S.Q.L database backups files can be very dangerous. If a hacker can download your entire database they’ll have every username and encrypted password you’ve ever used at their disposal.
10. Always Stay vigilant
Just stay on top of what’s going on out there. There is no need to understand the intricacies of a DDOS attack or churn out a blog post about GoDaddy getting taken down. But when an issue like the Tim Thumb fiasco rears its ugly head, are you aware of it? Early detection is the best prevention as we all know. You should be with a managed WordPress host who has your back, but it never hurts to have your own.