WordPress is by far the most popular CMS (Content Management System) on the internet; roughly one in six websites runs on it.
In this tutorial you will learn how to secure your WordPress website, but first let's go over some of the myths circulating on the internet about WordPress security.
Top 10 WordPress Security Myths
Here are the myths:
1) WordPress is not secure. WordPress core is in fact very secure. When a security issue is found, the WordPress development team patches it quickly, so you always need to be running the latest version.
The most frequent causes of compromised WordPress sites are in fact:
- Outdated Software
- Insecure themes and plugins
- Bad passwords
- Stolen FTP credentials
- Hosting problems.
2) Nobody wants to hack my blog or site. Most attacks are automated and rarely personally or politically motivated; WordPress sites are more often compromised for financial gain.
Maybe you're thinking, "But I don't have anything for sale on my site. I don't have credit card information or any other sensitive information. What could they possibly steal from my site?"
Possible ways to exploit your site are:
- The insertion of spam links in your content to boost SEO for other sites
- Infecting your visitors' computers with malware, e.g. to steal their financial information
- Redirecting your traffic to other sites.
- And many more.
3) My WordPress site is 100% secure. No site that is accessible on the internet will ever be 100% secure; vulnerabilities will always exist. For this reason you need to back up your site regularly, so you can recover when something does go wrong.
4) I only use themes and plugins from WordPress.org, so they are secure. Not true. Vulnerable plugins and themes are the #1 way attackers get into WordPress sites, so you need to keep them updated. Getting them from WordPress.org is safer than from random download sites, but it is not a guarantee.
5) Updating WordPress whenever I happen to log in is OK. It is really a bad idea; you need to update as soon as a release is available. Once a security release is out, the whole world knows about the issue it fixes, and attackers try to exploit sites that have not updated as soon as they can.
6) Once my WordPress site is set up, my job is finished. Running a WordPress site is an ongoing commitment. If you leave it untouched, attackers will find it and gain access.
7) I'll just install xyz plugin and that will take care of the security issues for me.
A security plugin helps, but it is not enough on its own:
- It won't help if the hosting server itself is compromised.
- It won't help much if an attacker gets hold of your login session, your password or your sensitive files.
You also need to take care of:
- Securing the computer you use to connect to your hosting account (anti-virus, anti-malware and a firewall)
- Creating and managing strong passwords
- Using secure FTP (SFTP or FTPS) to access your hosting account
- Protecting sensitive WordPress files from access from the internet
- Off-site WordPress monitoring.
8) If I disable a plugin or theme, there is no risk. Deactivating a plugin or theme only stops WordPress from loading it; its files are still in your WordPress folder and still served by the web server unless you specifically protect them. A vulnerable file that can be requested directly is therefore still exploitable even when the plugin or theme is disabled. If you don't need a plugin or theme, delete it.
9) If my site is compromised I will quickly find out. Not necessarily. Many hacks are invisible to ordinary visitors and only show themselves to search-engine bots, so you may not know until Google has blacklisted your site.
You need some kind of off-site monitoring of your WordPress site, or a malware scanner.
10) My password is good enough. A password of 8 characters or fewer can be cracked easily. Use a long mix of letters, numbers and special characters.
Use a password generator tool. Here are some examples:
Building Secure WordPress Sites in 10 Steps
Step 1: Secure your own computer
- Keep your laptop / computer private.
- Run anti-virus, anti-malware and browser clean-up tools regularly.
- Use a firewall.
- Don't use insecure or public Wi-Fi networks.
- Be careful which sites you visit and what you install.
- Remove all unwanted software (PUPs, potentially unwanted programs) from your computer.
- Tools such as Junkware Removal Tool (JRT), Avast Browser Cleanup and an adware cleaner remove unwanted programs.
- Manage or remove unwanted browser add-ons.
Step 2 : Get a reliable hosting server. I recommend BIPmedia.com.
Step 3 : Add secret keys to the wp-config.php file
Recommendation: the secret keys and salts in wp-config.php are random values that WordPress mixes into the authentication cookies and nonces it issues. They are what stops an attacker who has dumped your database from forging a valid login cookie, and rotating them logs every user out, which is useful after a suspected compromise.
Visit this URL to get your secret keys:
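As an added example (not code from the original post), the following POSIX shell script generates eight fresh secrets from /dev/urandom and writes them into the define() lines of a wp-config.php, replacing the "put your unique phrase here" placeholders that ship in wp-config-sample.php. The official generator at https://api.wordpress.org/secret-key/1.1/salt/ produces the same eight lines; generating them locally means nothing leaves the server. The wp-config.php path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: rotate the WordPress secret keys
# and salts in wp-config.php. The path below is an assumption; adjust for your host.
WP_CONFIG="${WP_CONFIG:-/var/www/html/wp-config.php}"

# The eight constants WordPress reads from wp-config.php.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 48 random bytes -> 64 base64 characters. base64 output never contains quotes,
# backslashes or '|', so the value is safe inside a PHP single-quoted string
# and as a sed replacement below.
random_secret() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Print eight define() lines with fresh values (paste into wp-config.php).
generate_salts() {
    for k in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(random_secret)"
    done
}

# How many keys in the given wp-config.php still carry the sample placeholder.
# 0 is the only acceptable answer on a live site.
count_placeholder_keys() {
    grep -c "put your unique phrase here" "$1" || true
}

# Replace each existing define('KEY', ...) line with a fresh value, in place.
# Both define('KEY', ...) and the spaced define( 'KEY', ...) style are matched.
install_salts() {
    cfg=$1
    for k in $WP_KEYS; do
        v=$(random_secret)
        sed "s|^define( *'$k',.*|define('$k', '$v');|" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    done
}

# Usage: sh rotate-salts.sh --rotate
if [ "${1:-}" = "--rotate" ]; then
    echo "placeholders before: $(count_placeholder_keys "$WP_CONFIG")"
    install_salts "$WP_CONFIG"
    echo "placeholders after:  $(count_placeholder_keys "$WP_CONFIG")"
fi
```

Run count_placeholder_keys on its own as a quick audit: any site still reporting a non-zero count is using the defaults that ship with WordPress and should be rotated immediately.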
Step 4 : Proper file and folder permissions
Files should be set to 644.
Folders should be set to 755.
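The 644/755 baseline applied and audited in POSIX shell, as an added example that is not code from the original post; the install path is an assumption. It tightens wp-config.php beyond the baseline, since that file holds the database password and the secret keys, and it counts anything world-writable, which is the permission mistake that lets one compromised account on a shared host write into another site.

```shell
#!/bin/sh
# Added example, not from the original post: apply and audit the
# files=644 / directories=755 baseline on a WordPress install.
WP_ROOT="${WP_ROOT:-/var/www/html}"   # assumed install path

# Directories 755, files 644; wp-config.php 600 because it holds the DB
# password and the secret keys (use 640 if the web server runs as a
# different user that shares your group).
harden_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Number of entries writable by "other" (the dangerous case on shared hosts).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of files that are not exactly 644. After harden_permissions this is
# 1 (wp-config.php) on a plain install; anything else deserves a look.
count_files_not_644() {
    find "$1" -type f ! -perm 644 | wc -l | tr -d ' '
}

# Number of directories that are not exactly 755.
count_dirs_not_755() {
    find "$1" -type d ! -perm 755 | wc -l | tr -d ' '
}

# List world-writable entries so they can be reviewed before hardening.
list_world_writable() {
    find "$1" -perm -002 -exec ls -ld {} +
}

# Usage: sh wp-perms.sh --harden
if [ "${1:-}" = "--harden" ]; then
    echo "world-writable before: $(count_world_writable "$WP_ROOT")"
    list_world_writable "$WP_ROOT"
    harden_permissions "$WP_ROOT"
    echo "world-writable after:  $(count_world_writable "$WP_ROOT")"
    echo "files not 644: $(count_files_not_644 "$WP_ROOT"), dirs not 755: $(count_dirs_not_755 "$WP_ROOT")"
fi
```

If WordPress needs to write to wp-content/uploads and the web server runs as a different user than the file owner, fix that by ownership (chown the uploads tree to the web server user) rather than by making it world-writable.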
Step 5 : Use a strong password and remove the default "admin" user. Create another administrator account first,
then delete "admin" and assign its posts and pages to the new administrator.
Step 6 : Get a reliable WordPress theme.
Use free themes hosted on WordPress.org.
Use premium themes only from reputable theme development companies.
Step 7 : Get reliable WordPress plugins
Try to minimize the number of plugins you use.
For free plugins, only use top-rated and popular plugins from WordPress.org.
For premium plugins, check the code, the changelog and user feedback.
Step 8 : Set up a backup schedule
Use backup plugins such as VaultPress, BackupBuddy, WP-DB-Backup, WP Online Backup and so on.
Back up as often as your tolerance for data loss allows: if losing a day of changes would hurt, back up daily.
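A minimal scheduled backup in POSIX shell, added here as an example (not code from the original post and not one of the plugins named above): it dumps the database and archives wp-content and wp-config.php, reads the database credentials from wp-config.php so they are not copied into a second file, and prunes archives older than a retention window. The paths, the 14-day retention and the cron line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: nightly WordPress backup with
# retention. WP_ROOT, BACKUP_DIR and KEEP_DAYS are assumed defaults.
WP_ROOT="${WP_ROOT:-/var/www/html}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"
KEEP_DAYS="${KEEP_DAYS:-14}"

# Read the value of define('NAME', 'value') from a wp-config.php so the DB
# credentials live in one place only. Handles both define('X', 'y') and the
# spaced define( 'X', 'y' ) style used by newer wp-config-sample.php.
wp_config_value() {
    sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1" | head -n 1
}

# Dump the database and archive the files that cannot be reproduced from a
# fresh WordPress download (uploads, themes, plugins, configuration).
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    cfg="$WP_ROOT/wp-config.php"
    mkdir -p "$BACKUP_DIR"
    chmod 700 "$BACKUP_DIR"
    # MYSQL_PWD keeps the password out of the process list, unlike -p<pass>.
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$BACKUP_DIR/db-$stamp.sql.gz"
    tar -czf "$BACKUP_DIR/files-$stamp.tar.gz" -C "$WP_ROOT" wp-content wp-config.php
    # The archives contain the DB password and salts: owner-only access.
    chmod 600 "$BACKUP_DIR/db-$stamp.sql.gz" "$BACKUP_DIR/files-$stamp.tar.gz"
}

# Remove backup archives older than $2 days from $1; prints how many were deleted.
# Only the two archive name patterns are touched, nothing else in the directory.
prune_backups() {
    find "$1" -type f \( -name 'db-*.sql.gz' -o -name 'files-*.tar.gz' \) \
        -mtime +"$2" -print -delete | wc -l | tr -d ' '
}

# Run nightly from cron, e.g.:  30 2 * * * /usr/local/bin/wp-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_site
    echo "pruned $(prune_backups "$BACKUP_DIR" "$KEEP_DAYS") old backup file(s)"
fi
```

Keep BACKUP_DIR outside the web root, or the archives (database password included) become downloadable, and copy them off the host: a backup that lives only on the server it protects is lost together with the server.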
Step 9 : Update, update and update
Keep WordPress core, your themes and your plugins up to date.
Step 10 : Install security plugins
iThemes Security (https://wordpress.org/plugins/better-wp-security/)
Sucuri SiteCheck Malware Scanner
WP Security Scan
What iThemes Security does (including its Brute Force Protection Network):
- Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
- Bans troublesome user agents, bots and other hosts
- Prevents brute force attacks by banning hosts and users with too many invalid login attempts
- Strengthens server security
- Enforces strong passwords for all accounts of a configurable minimum role
- Forces SSL for admin pages (on supporting servers)
- Forces SSL for any page or post (on supporting servers)
- Turns off file editing from within WordPress admin area
- Detects and blocks numerous attacks to your filesystem and database
- Detects bots and other attempts to search for vulnerabilities.
- Monitors filesystem for unauthorized changes.
- Runs a scan for malware and blacklists on the homepage of your site.
- Sends email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.
- Changes the URLs for WordPress dashboard areas including login, admin and more
- Completely turns off the ability to login for a given time period (away mode)
- Removes theme, plugin, and core update notifications from users who do not have permission to update them
- Removes Windows Live Write header information
- Removes RSD header information
- Renames "admin" account
- Changes the ID on the user with ID
- Changes the WordPress database table prefix
- Changes wp-content path
- Removes login error messages
- Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing default admin URLs
- Detects hidden 404 errors on your site that can affect your SEO such as bad links and missing images
Clean a Hacked Site
Resources for WordPress Security Support Forums
This work is licensed under a Creative Commons Attribution-