How to Secure Your WordPress Websites

Article By sabinshrestha



WordPress is by far the most popular CMS (Content Management System) on the internet: 1 out of 6 websites uses WordPress.

In this tutorial you will learn how to secure your WordPress website, but first let's go over some of the myths circulating on the internet about WordPress.

Top 10 WordPress Security Myths

Source: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/

Here are the myths:

1) WordPress is not secure. When a security issue is found, the WordPress developer team patches it quickly, so you always need to update to the latest version. The WordPress core itself is very secure.

The most frequent causes of compromised WordPress sites are in fact:

  • Outdated software
  • Insecure themes and plugins
  • Bad passwords
  • Stolen FTP credentials
  • Hosting problems

For more information about WordPress security:
http://wpmu.org/wordpress-security-vulnerabilities/

2) Nobody wants to hack my blog or site. Most hacking attempts are automated and rarely personally or politically motivated. WordPress hacking is more often done for financial gain.

Maybe you're thinking, "But I don't have anything for sale on my site. I don't have credit card information or any other sensitive information. What could they possibly steal from my site?"

Possible ways to exploit your site are:
  • Inserting spam links in your content to boost SEO for other sites
  • Infecting your visitors' computers with malware, e.g. to steal their financial information
  • Redirecting your traffic to other sites
  • And many more.

3) My WordPress site is 100% secure. No site that's accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist. For this reason you need to back up your site regularly.

4) I only use themes and plugins from WordPress.org, so they are secure. No, they are not. You need to keep updating your plugins and themes: plugins and themes are the #1 way hackers get access to your site. It is still safer to get them from WordPress.org than from elsewhere.

http://codex.wordpress.org/Managing_Plugins
https://make.wordpress.org/themes/handbook/review/
http://premium.wpmudev.org/blog/free-wordpress-themes-ultimate-guide/

5) Updating WordPress whenever I log in is OK. No, that's really a bad idea; you need to update as soon as possible. Why? Because once an issue is disclosed the whole world knows about it, and people are looking to exploit it as soon as they can.

6) Once my WordPress site is set up, my job is finished. Having a WordPress site is an ongoing commitment. If you leave it untouched, hackers will find it and gain access to your site.

7) I'll just install xyz plugin and that will take care of the security issues for me.

A security plugin helps, but you also need to take care of other things:
  • It won't help if the hosting server is compromised.
  • It won't help much if a hacker gains access to your online session, your password or your sensitive files.
  • Securing the computer you use to connect to your hosting account (anti-virus, anti-malware and firewalls)
  • Creating and managing strong passwords
  • Using Secure FTP to access your hosting account
  • Protecting sensitive WordPress files from access from the internet
  • Off-site WordPress monitoring.

8) If I disable a plugin or theme, there is no risk. All files that exist in your WordPress folder are accessible from the internet unless you specifically protect them. This means even disabled themes and plugins can be exploited if they are vulnerable. If you don't need a plugin, remove it.

9) If my site is compromised, I will quickly find out. Not necessarily: many hacks are invisible to visitors and only visible to bots. You may not know until your site has been blacklisted by Google.

You need some kind of off-site monitoring of your WordPress site, or a malware scanner.

http://wpsecuritychecklist.com/off-site-monitoring-for-wordpress/
https://blog.sucuri.net/2012/07/backdoor-tool-kit-todays-scary-web-malware-reality.html

10) My password is good enough. A normal password of 8 characters or less can be cracked easily. Use a mix of letters, numbers and special characters.

Use password generator tools. Here are some examples:
https://lastpass.com/
https://agilebits.com/onepassword

Building Secure WordPress Sites in 10 Steps


Step 1: Secure your own computer

Recommendation:

  • Keep your laptop / computer private.
  • Run anti-virus / malware cleaner / browser cleanup regularly.
  • Use a firewall.
  • Don't use insecure or public Wi-Fi networks.
  • Be careful which sites you click on and which software you install.
  • Remove all unwanted software (PUPs, potentially unwanted programs) from your computer.
  • Junkware Removal Tool (JRT), Avast Browser Cleanup and an adware cleaner can remove unwanted programs.
  • Manage or remove unwanted browser add-ons.


Step 2: Get a reliable hosting server. I recommend BIPmedia.com.


Step 3: Add secret keys to the wp-config.php file

Recommendation: A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.

Visit this URL to get your secret keys:

https://api.wordpress.org/secret-key/1.1/salt/
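The URL above returns eight define() lines that you paste into wp-config.php. The script below is an added example, not part of the original article: it produces the same eight keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four _SALT counterparts) locally from /dev/urandom, in the same 64-character format, so you can regenerate them on a server without internet access. The character set is an assumption chosen to keep the values safe inside a PHP string literal.

```shell
#!/bin/sh
# Added example (not from the original article): generate the eight WordPress
# secret keys/salts locally and print them as define() lines ready to paste
# into wp-config.php. The official generator is
# https://api.wordpress.org/secret-key/1.1/salt/ (curl -s on that URL gives
# the same format); this is an offline alternative with the same 64-char length.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one random 64-character value. The character set (an assumption)
# deliberately leaves out the single quote and backslash so the value can sit
# inside a single-quoted PHP string without escaping.
wp_random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>?,.:;|~-' < /dev/urandom | head -c 64
}

# Emit one define() line per key; every call produces fresh, distinct values.
gen_wp_salts() {
    for k in $WP_SALT_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(wp_random_salt)"
    done
}

# Usage: run this script and replace the existing define() block in
# wp-config.php with its output. Changing the keys logs every user out,
# because all existing login cookies become invalid.
gen_wp_salts
```

Regenerating the keys is also a cheap first response after a suspected compromise, since it invalidates every session cookie an attacker may have captured.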

Step 4: Proper file and folder permissions

Recommendation:

Files should be set to 644.

Folders should be set to 755.
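Applied by hand these permissions drift over time, so it is worth scripting both the fix and a check. The following is an added example, not code from the article or from WordPress: it sets every folder under a WordPress root to 755 and every file to 644, then lists anything that still deviates. The path /var/www/html in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): apply the recommended
# WordPress permissions (files 644, folders 755) to an install tree and
# report anything that still deviates.

# Set every directory below $1 to 755 and every regular file to 644.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Print every directory that is not 755 and every file that is not 644.
# Returns 0 when the tree is clean, 1 when at least one path deviates, so it
# can be run from cron to catch drift after plugin installs or FTP uploads.
wp_check_perms() {
    root="$1"
    bad=$( { find "$root" -type d ! -perm 755; find "$root" -type f ! -perm 644; } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage (assumed document root):
#   wp_fix_perms /var/www/html && wp_check_perms /var/www/html
```

Run the check before the fix and keep its output: a world-writable plugin directory or a freshly executable file that you did not create is itself a sign worth investigating, not just a setting to correct.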

Step 5: Use strong passwords and remove the default "admin" user. Create another admin user first, then assign the old admin's posts/pages to the new admin before deleting the old account.

Step 6: Get a reliable WordPress theme

Recommendation:

Use free themes hosted on WordPress.org.

Use premium themes only from reputable theme development companies.

Step 7: Get reliable WordPress plugins

Recommendation:

Try to minimize the number of plugins you use.

For free plugins, only use top-rated and popular plugins from WordPress.org.

For premium plugins, check the code, the changelogs and the feedback.

Step 8: Set up a backup schedule

Recommendation:

Use backup plugins such as VaultPress, BackupBuddy, WP DB Backup, WP Online Backup and so on.

Back up as often as needed: the interval between backups is the amount of data you are willing to lose.

Step 9: Update, update and update

Recommendation:

No excuses.

Update your WordPress core, themes and plugins.

Step 10: Install security plugins

Recommended plugins:

iThemes Security https://wordpress.org/plugins/better-wp-security/

Sucuri SiteCheck Malware Scanner

BulletProof Security

WP Security Scan

iThemes Security protects your site with the iThemes Brute Force Protection Network and the following features (from the plugin description):

  • Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
  • Bans troublesome user agents, bots and other hosts
  • Prevents brute force attacks by banning hosts and users with too many invalid login attempts
  • Strengthens server security
  • Enforces strong passwords for all accounts of a configurable minimum role
  • Forces SSL for admin pages (on supporting servers)
  • Forces SSL for any page or post (on supporting servers)
  • Turns off file editing from within the WordPress admin area
  • Detects and blocks numerous attacks on your filesystem and database
  • Detects bots and other attempts to search for vulnerabilities
  • Monitors the filesystem for unauthorized changes
  • Runs a scan for malware and blacklists on the homepage of your site
  • Sends email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed
  • Changes the URLs for WordPress dashboard areas including login, admin and more
  • Completely turns off the ability to log in for a given time period (away mode)
  • Removes theme, plugin, and core update notifications from users who do not have permission to update them
  • Removes Windows Live Writer header information
  • Removes RSD header information
  • Renames the "admin" account
  • Changes the ID on the user with ID
  • Changes the WordPress database table prefix
  • Changes the wp-content path
  • Removes login error messages
  • Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing the default admin URLs
  • Detects hidden 404 errors on your site that can affect your SEO, such as bad links and missing images

Resources for WordPress Security Articles

http://codex.wordpress.org/Hardening_WordPress

http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html

http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html

Clean a Hacked Site

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://www.marketingtechblog.com/wordpress-hacked/

Resources for WordPress Security Support Forums

Hacked: http://wordpress.org/tags/hacked

Malware: http://wordpress.org/tags/malware



