You will probably not need to implement every tip and idea outlined here. Our goal is simply to provide a definitive resource for WordPress security that can be referenced anytime an issue arises. Of course, the best strategy when it comes to security is prevention, and many of these tips need to be put into action as soon as possible in order to keep disaster at bay.
Network and System Security
Before you even start to think about WordPress security, it is imperative to check the general security of your Web host, network and the computers administrators use to access the website. Only after these systems have been have been secured can you move on to the WordPress software and plug-ins.
No matter what platform you use for your website, security begins with your Web host. Some hosts are notoriously slack when it comes to reducing security risks. At a bare minimum, your host should meet the following qualifications:
• Knowledgeable about all security concerns and security features that are offered with hosting packages
• Updates all server software in a timely manner
• Offers proven methods for backups and data recovery
After you ensure that your host is secure, you must consider the vulnerabilities of your network and the computers that will access the WordPress dashboard. This is best accomplished by using a firewall and a reliable security suite that includes spyware protection, antivirus software and realtime malware detection. In addition, you will want to make sure that your operating system and all of your software are updated to the latesersions and have the latest security patches.
WordPress Upgrades
When vulnerabilities are found in WordPress, a team of programmers immediately begins work on closing them, and the fixes are made available in the next release. New releases may be downloaded at WordPress.org, or you may run the built-in automatic updater that has been included in each release since version 2.7.
Because WordPress is open-source software, details are usually provided about the fixes that were made since the last release. This is a double-edged sword in that the information about how to attack previous versions is readily available, and older versions become even more susceptible to attack than they were before. For this reason, all WordPress users should take advantage of updates as soon as they are available.
Most WordPress users are never on the latest version, and one often-cited reason for this is that their plug-ins are not compatible with the latest release. In this situation, you must decide whether the plug-ins are more important than the increased security. In many cases, the incompatible plug-in can be replaced with a compatible one that performs the same functions.
If you are unable to upgrade WordPress, you may want to divert potential hackers by hiding the version number, which is prominently displayed to all visitors. If hackers cannot discern whether their methods are compatible with your website, they may move on to one that holds more certainty for them.
To hide your WordPress version, all you need to do is download and install the Secure WordPress plug-in.
WordPress Passwords
While some hackers break into WordPress websites through back doors, many others simply pick the lock on the front door. Your password is the greatest protection you have against front-door attacks, so you want to create a secure one. To help you with this, WordPress includes a password strength meter, and ideally, the password should reach maximum strength.
In addition to creating a secure password, you will want to customize your login name. The default login name is admin, and keeping it the same gives hackers an important part of the login equation. To change your login name, you have to add a new user and delete the admin account, but before you do, be sure to associate all of your admin posts with the new account. If you do not, all the posts associated with the admin account will be deleted with it.
Several plug-ins are also available to increase your login security:
This plug-in blocks remote login requests from bots by creating a secret, customizable login URL.
User Locker limits how many times an invalid password can be entered before the user is locked out of the login screen.
One-Time Password was developed for administrators who access WordPress from unsecure locations, such as hotels or public Wi-Fi hotspots. It creates a list of passwords that can only be used once.
WordPress Backups
Regular backups of all your data are invaluable in emergencies and disasters. If your data becomes compromised without a backup, years of work could be lost forever. That is certainly not a pleasant idea, and several plug-ins are available to help with the backup process.
This is one of the most reliable backup plug-ins available today. It provides everything you need to schedule and restore backups of your database files.
WP Time Machine allows you to back up your WordPress files and data to your Dropbox account, Amazon AWS S3 account or offsite FTP. Instructions are also provided to facilitate a smooth recovery.
Other WordPress Security Tips
Install WP Security Scan
This handy plug-in scans your WordPress website for common security issues. Instructions to fix each issue are also provided.
Hide Login Errors
Whenever someone enters the incorrect login information, WordPress displays an error message for the specific reason why access was denied. Some hackers may be able to use this information to gain access to your website. To hide login error messages, you must open the WordPress system file named functions.php in Notepad or another HTML editor. Then, enter and save the following line in the file:
add_filter('login_errors',create_function('$a', "return null;"));
Disable File Editing
After you have properly secured your WordPress blog, you can close a popular window used by hackers. By default, administrators are allowed to edit system files, including theme files, PHP files and plug-in files. Because these files can run executable code, hackers often use them to introduce malware. To disable file editing, simply enter the following line in the WordPress file named wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Final Thoughts on WordPress Security
While it is impossible to secure any website 100 percent, you can minimize the risk in WordPress by following the best practices outlined above. Maximum security can only be achieved by implementing several strategies, including performing basic system security, installing security plug-ins and adding lines of code to WordPress system files.
