When it comes to managing your website, nothing is more important than security. If you are running a business on the internet, then securing your WordPress installation should be at the very top of your priority list! There is so much to say on this topic, but I have picked some of the most broad and easily-executable tips and outlined them here. If you are looking to improve security, this is a great place to start.
Prepare For A Rainy Day With Backups
Your first lesson in security should be knowing that the security landscape is constantly changing, and that you should never consider yourself 100% secure. Even if you are doing everything right, you should always have a backup plan. If your website is important to you, then you need to be performing regular backups.
1. Remote Server Backups – Always store backups remotely. It’s foolish to store backups on your production server! There are some really simple ways to perform regular backups using standard server software, such as WHM. I would also recommend R1Soft for incremental backups.
2. Remote WordPress Backups – If a daily full-server backup is not an option, the very least you should be doing is backing up your WordPress database. There are many free and commercial plugins out there that can handle this for you. I would highly suggest using one that allows for remote storage. If you have to use FTP for file transfer, use FTPS or SFTP. Unencrypted FTP should probably be disabled on your server anyway.
3. Use a Redundant RAID Array – You should be using a host that stores your information on a redundant RAID array, such as RAID 1 or RAID 10. Hard drives fail all the time, it’s simply a reality of the hardware. Using a RAID that mirrors your data across multiple drives will greatly reduce the risk of data loss.
Securing Your Internet Activity
Good WordPress security starts in your own home. Not only does your website need to be secure, but so do the methods in which you connect to it. Connecting to your server or WordPress Dashboard in an insecure manner will put everything at risk.
1. Use A Secure Network At Home – If you are using Wifi at your home or office, then I would suggest setting up a private WPA2 network with a strong, randomly-generated name and network passphrase. For additional protection, you can employ “security through obscurity” methods such as enabling MAC Address Filtering.
2. Use An Encrypted VPN Connection Over Public Wifi – Generally speaking, it’s best to never log in to a sensitive area such as your WordPress Dashboard when connected to the internet over public Wifi. If you are using your laptop or phone over a public network, always run your connection through an encrypted VPN and make sure that you are signing in to your website over SSL. You can purchase a VPN from StrongVPN.com.
Securing Your Personal Computer
Your network is secure, but what about your physical computer? It’s incredibly important to keep your computer clean of spyware, malware and viruses.
1. Virus Protection and Firewall – There is no sense in having secure passwords if your computer can be easily infected with malware that can access your sensitive information and spy on your internet activity. Be sure that your computer is running trusted antivirus, firewall and anti-malware software. I have had good success with Kaspersky and Malwarebytes. Both should be configured to automatically update and scan your computer daily.
Securing Your Online Accounts
You can be doing everything right, but still get hacked from a brute force attack because your password is weak. You can also have a strong password, but still get hacked because you stored it insecurely.
1. Password Generation – Every login you use should have a unique, randomized password with at least 8 characters. Your password should include capital letters, numbers and special characters.
2. Store Your Passwords Securely – If you have 20 randomized secure passwords, how do you remember them? If you plan on storing your passwords somewhere that you can reference, do so in a secure manner. If you are using OS X, try creating a new Authentication keychain and make a new secure note set to automatically log out after 5 minutes. If you are using Windows, try creating a secure OneNote file set to automatically log off after 5 minutes as well. You might also try using online services such as LastPass, or you could also encrypt your own files using encryption software such as TrueCrypt.
3. Reset Your Passwords Regularly – Your passwords should be changed on a regular basis. It’s best to set up a reminder on your calendar to reset all of your passwords every month or two.
Avoid Phishing & Social Engineering Schemes
Sometimes getting hacked has nothing to do with your website or your computer, but with your insecure communications. These types of attacks are often called phishing or social engineering scams. The “Nigerian Prince Scam” is the classic example of a phishing scheme.
Be Wary Of Phishing Attempts – Commonly, phishing attacks come in through email. They often target large companies blindly, such as WordPress or Hosting companies. A simple Whois lookup could provide insight into your hosting company, and a look at your website will reveal that you are running WordPress. An easy attack on such a website would be to pose as an employee from your hosting company, warning you about an issue with their WordPress installations and requesting your Login details so that they can fix it. Don’t fall for it! No respectable company will randomly request your login credentials. Phishing attacks will often send out mass emails like this to potential targets, hoping that a few people fall for their trickery.
Securing Your WordPress Installation
I bet you were wondering when we were finally going to talk about WordPress! There are many good practices that you can subscribe to that will help keep your installation more secure. The WordPress codex has a great entry about Hardening WordPress.
1. Update WordPress, Themes & Plugins – One of the most important things you can do is keep your software up to date. Whenever there is a new version of WordPress, or a new version of one of your themes or plugins, update them as soon as possible. This goes for your inactive themes and plugins too. Keep them updated, or if you don’t plan on using them any time soon, delete them so you don’t forget to update them.
2. Update WordPress, Themes & Plugins – Seriously, do it!
3. Force SSL On Login – If your server has an SSL certificate, then you can use https when logging in to your WordPress Dashboard. I would recommend forcing login over SSL by adding the following line to your wp-config.php file: define('FORCE_SSL_ADMIN', true);
4. Change Admin Username – This shouldn’t be a big issue if you are using a truly strong password, but nonetheless changing your username to something unusual makes brute force attacks much less likely to succeed. You can change your Administrator login by creating a new Administrator via the Users > Add New tab in wp-admin. Once created, you can delete the default user.
5. Perform Daily Malware Scans – Ideally you won’t get hacked if you are running your website securely, but as mentioned in the beginning of this article, it’s impossible to be 100% sure. Running daily malware scans can help notify you if a hacker has successfully exploited your website to do something malicious by detecting suspicious code on the front end. Sucuri is a great choice, especially considering they have aligned themselves with the WordPress community a bit more than the average security company.
6. Limit Login Attempts – If you have a secure password and admin username, then you should be fairly safe against brute force login attacks. Just in case, however, you can also limit login attempts. There is a great plugin that will do the job for you.
7. Disable Administrative File Editing – In the unfortunate event that someone gains access to your WordPress Dashboard, you should try and limit the resources they have to do damage. Using the WordPress Editor to modify your theme’s PHP files is an easy way to execute malicious code on your site and effectively let the hacker do whatever they want with your website. These editing capabilities can be disabled by adding the following line to your wp-config.php file: define('DISALLOW_FILE_EDIT', true);
8. Use Security Plugins – There are a few great security plugins out there that will do a lot of the work for you when it comes to hardening your WordPress installation. I would give WP Better Security a try – it helps handle most of the things mentioned here, and more.
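To show what the login-attempt limiting in tip 6 actually does under the hood, here is a small plugin I have added as an example; it is not code from the article or from any of the plugins mentioned. It counts failed logins per client IP in a WordPress transient and refuses further authentication once a threshold is hit. The plugin name, the prefix ell_, and the limits of 5 attempts and 15 minutes are all my own constructed values.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example, not part of the original article. Locks out a client IP after repeated failed logins.
 */

// Constructed limits for this example; adjust to taste.
const ELL_MAX_ATTEMPTS    = 5;
const ELL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

// Build the transient key for the connecting client.
// Assumption: the server sees the real client address in REMOTE_ADDR.
// Behind a reverse proxy or CDN you would need to use the address the
// trusted proxy supplies instead, otherwise every visitor shares one counter.
function ell_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ell_fail_' . md5( $ip );
}

// Record every failed attempt. 'wp_login_failed' fires for a wrong username
// as well as a wrong password, so guessing usernames is counted too.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ell_client_key();
    $fails = (int) get_transient( $key );
    // Each failure resets the expiry, so the lockout window slides forward
    // while the client keeps trying.
    set_transient( $key, $fails + 1, ELL_LOCKOUT_SECONDS );
} );

// Deny authentication once the threshold is reached. Priority 30 runs after
// WordPress's own username/password check (priority 20), so our WP_Error is
// what wp_authenticate() finally returns, even for a correct password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ell_client_key() ) >= ELL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ell_client_key() );
}, 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it, or into wp-content/mu-plugins/ to have it load automatically; the same 'authenticate' filter also covers XML-RPC logins, so those are limited as well.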