WordPress is a great tool for building your small business website and maintaining your blog. It is the most widely used content management system in the world. Some experts estimate that WordPress powers over 20% of all websites.
Unfortunately, that popularity also makes it a target for hackers and for malicious software (malware) that scans the web for vulnerable installations.
While no website is ever completely secure, you can take some precautions that will make your WordPress site much more secure than it is "out of the box".
Follow WordPress’ Tips
WordPress provides advice for making your website more secure on its Hardening WordPress page. This page contains quite a bit of useful information. I won't repeat it all here, but let me point out a few things you will want to do:
Rename the “admin” user account.
Since most installations keep the default "admin" account, one of the first things an attacker will do is take the user name "admin" and try to guess the password by "brute force". Choosing a different user name means they have to figure out two things rather than just one. Two caveats: WordPress does not let you rename an existing user, so create a new administrator account with a different name, log in as that account and delete the original (reassigning its posts to the new one); and pick a name that is not the same as the display name you put on your posts, because the author byline and the author archive URL (/?author=1 redirects to /author/<login-name>/ by default) will otherwise reveal the login name anyway.
Restrict File Permissions.
Make sure permissions are set to 644 for all files and 755 for all directories. The exception is wp-config.php, which holds your database password; the Hardening WordPress page suggests tightening it to 440 or 400 (check with your host first, because 400 only works when PHP runs as the file's owner). You can check and change your file permissions with the file manager in cPanel (or your host's equivalent) or with an FTP client like FileZilla.
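If you have SSH access to your hosting account, the same job is quicker and less error-prone from the command line. The script below is an added example for this post, not something from WordPress or the Hardening WordPress page; the function names are my own, it takes the document root as its argument, and the 400 mode for wp-config.php assumes PHP runs as the file's owner (the usual setup on cPanel hosts). The check function lists anything that still deviates so you can see what you changed.

```shell
#!/bin/sh
# Normalise permissions under a WordPress document root:
# 755 for directories, 644 for files, 400 for wp-config.php.
# Usage: wp_fix_perms /home/account/public_html && wp_check_perms /home/account/public_html

wp_fix_perms() {
    root="${1%/}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories need the execute bit so the web server can traverse them.
    find "$root" -type d -exec chmod 755 {} +
    # Ordinary files (PHP, images, CSS) only need to be readable.
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts; 400 means only
    # the owning account can read it. Assumes PHP runs as that account.
    if [ -f "$root/wp-config.php" ]; then
        chmod 400 "$root/wp-config.php"
    fi
}

# Print every path whose mode is not the expected one (nothing when clean).
# -perm with an octal mode is an exact match, so 600 files and 750 directories
# are reported as well as the dangerous 777 ones.
wp_list_bad_perms() {
    root="${1%/}"
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 400
    fi
}

# Return 0 when the tree is clean, 1 (and a report) otherwise.
wp_check_perms() {
    bad=$(wp_list_bad_perms "$1")
    if [ -n "$bad" ]; then
        printf 'unexpected permissions:\n%s\n' "$bad"
        return 1
    fi
    return 0
}
```

Run the check first; if it lists almost everything, your host probably expects a different scheme (some run PHP as a separate user and need 750/640 with a shared group), and you should ask before changing anything.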
Use strong passwords.
Strong passwords are long and contain a mix of numbers, letters and symbols; of those, length matters most. Many sites, including WordPress, will measure the strength of your password when you are creating it, so make sure you see the green bar that indicates you have a strong password.
One way to generate strong passwords is to use a phrase (longer than one word), capitalize each word in the phrase, and replace certain letters (e.g. vowels) with numbers and/or symbols. For example, using the phrase "My password is strong", my password might be "MyP@ssw0rdIsStr0ng". Be aware that these letter-for-symbol swaps are a pattern that password-cracking tools try automatically, so the length and the number of words in the phrase do more for you than the substitutions; the phrase itself should also be something you made up, not a well-known saying.
Another great way to generate, store, and remember strong passwords is to use a tool like LastPass or another password manager. LastPass stores all of your passwords in a "vault"; all you have to do is remember one password to get into the vault, and LastPass will remember all of your other passwords (and store them encrypted). With a manager you can let it generate a long random password for each site, which is stronger than anything you can memorize.
One last tip on user accounts and passwords: don't share user accounts. Each user should have their own account and password, with only the role (Subscriber, Author, Editor, Administrator) that their work actually needs.
The Hardening WordPress article referenced above contains several recommendations that you may feel more comfortable discussing with your technical team rather than performing them yourself. These include such things as:
- Configuring and protecting your wp-config.php file
- Editing your .htaccess file
- Hiding and/or renaming key WordPress files and directories
- Using and maintaining plugins
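Two of the items above, protecting wp-config.php and editing .htaccess, are worth seeing concretely because they are short once you know what to write. The script below is an added example for this post, not code from WordPress, the Hardening WordPress page or any plugin; the function names are mine. It assumes Apache 2.4 (the "Require all denied" syntax) with .htaccess files enabled, which is what most cPanel hosts run; on nginx these rules would go in the server configuration instead, and a host running Apache 2.2 needs the older "Order deny,allow / Deny from all" form. The third function inserts the DISALLOW_FILE_EDIT constant, which turns off the theme and plugin editor in the dashboard so that an attacker who gets an administrator login cannot use it to write PHP.

```shell
#!/bin/sh
# Hardening rules for a WordPress document root on Apache 2.4.
# Usage: wp_write_htaccess_hardening /home/account/public_html
#        wp_disable_file_editing  /home/account/public_html/wp-config.php

# Append rules to the site's .htaccess; idempotent thanks to the marker line.
wp_write_htaccess_hardening() {
    root="${1%/}"
    htaccess="$root/.htaccess"
    if [ -f "$htaccess" ] && grep -q '# BEGIN wp-hardening' "$htaccess"; then
        return 0
    fi
    cat >> "$htaccess" <<'EOF'
# BEGIN wp-hardening
# Never serve wp-config.php over HTTP, even if PHP handling is misconfigured.
<Files wp-config.php>
    Require all denied
</Files>
# END wp-hardening
EOF
    # Uploads are written by WordPress on behalf of users; nothing in there
    # should ever execute as PHP, whatever its extension.
    uploads="$root/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Insert define( 'DISALLOW_FILE_EDIT', true ); before the "stop editing" line
# in wp-config.php. The constant must come before that line because
# wp-settings.php, loaded right after it, is where WordPress starts reading it.
# Run this before tightening the file mode to 400 (the file must be writable).
wp_disable_file_editing() {
    cfg="$1"
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        return 0
    fi
    if ! grep -q 'stop editing' "$cfg"; then
        echo "no 'stop editing' marker in $cfg; add the define by hand" >&2
        return 1
    fi
    # Write through a temp file, then copy back so the original file's
    # ownership and mode are preserved (mv would replace them).
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
        '/stop editing/ { print line } { print }' "$cfg" > "$cfg.tmp" \
        && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}
```

After adding the uploads rule, load an image from the media library in your browser to confirm the site still serves files normally; the rule only blocks script extensions.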
(p.s. – if you don’t have a technical team, feel free to contact us)
Perform Regularly Scheduled Maintenance
Keep your system up to date. WordPress issues updates on a regular basis, usually monthly, and more often when a serious issue needs to be corrected quickly. Many of these updates address security vulnerabilities, so it is important to apply them promptly. Since WordPress 3.7, minor and security releases install themselves automatically by default; major releases still wait for you to click Update in the dashboard, and many hosting companies will now apply them for you if you haven't done so by a certain deadline.
In addition to WordPress itself, your plugins and your theme also need periodic updates, and an outdated plugin is one of the most common ways a site gets compromised. Delete plugins and themes you are not using rather than leaving them deactivated: their files still sit on the server, still need updating, and can still be reached by a direct URL.
Last, but not least, make sure you are performing regular backups of your website. The biggest sources of loss from website problems are 1) lost data and 2) lost time spent fixing the problem. With a proper backup solution you can minimize your losses in both categories.
With a WordPress website, you need to back up both the files that make up your site (WordPress itself and, above all, the wp-content directory with your theme, plugins and uploaded media) and the MySQL database where WordPress stores your pages, posts, comments and settings. A backup that sits on the same server as the site is only half a backup: keep a copy somewhere else, and restore it to a test location once in a while to confirm that it actually works.
I use a plugin called BackupBuddy to manage backups. BackupBuddy gives you the ability to schedule backups, send them to different locations (helping protect against hardware failure), and if you ever need to restore a site, it handles that as well.
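If you would rather not depend on a plugin, or want a second, independent copy, the two halves of a backup (files plus database) are a short script on any host with SSH. What follows is an added example for this post, not part of the original and not related to BackupBuddy; the function names are mine. It reads the database credentials out of wp-config.php so they are not duplicated in a second file, assumes the standard define('DB_NAME', ...) lines, and needs tar, mysqldump and gzip on the host. A password containing a quote character would defeat the simple parser, so keep that in mind when you set one.

```shell
#!/bin/sh
# Minimal WordPress backup: archive the document root and dump the database.
# Usage: wp_backup_files /home/account/public_html /home/account/backups
#        wp_backup_db    /home/account/public_html /home/account/backups
# Run both from cron, then copy the output off the server.

# Read the value of define('NAME', 'value') from wp-config.php.
# Tolerates single or double quotes and arbitrary spacing inside define().
wp_config_get() {
    name="$1"; cfg="$2"
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" \
        | head -n 1
}

# Archive the whole document root (core, wp-content, wp-config.php).
# Prints the archive path so a wrapper script can pick it up.
wp_backup_files() {
    root="${1%/}"; dest="${2%/}"
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/files-$stamp.tar.gz"
    # -C parent + basename keeps paths in the archive relative (site/...).
    tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")"
    # The archive contains wp-config.php, so nobody else should read it.
    chmod 600 "$archive"
    echo "$archive"
}

# Dump every table of the configured database, compressed.
wp_backup_db() {
    root="${1%/}"; dest="${2%/}"
    cfg="$root/wp-config.php"
    [ -f "$cfg" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    mkdir -p "$dest"
    db=$(wp_config_get DB_NAME "$cfg")
    user=$(wp_config_get DB_USER "$cfg")
    pass=$(wp_config_get DB_PASSWORD "$cfg")
    host=$(wp_config_get DB_HOST "$cfg")
    # DB_HOST may carry a port ("localhost:3306"); split it for mysqldump.
    port="${host##*:}"; [ "$port" = "$host" ] && port=3306
    host="${host%%:*}"
    stamp=$(date +%Y%m%d-%H%M%S)
    dump="$dest/db-$stamp.sql.gz"
    # MYSQL_PWD keeps the password out of `ps` output and shell history;
    # --single-transaction gives a consistent snapshot of InnoDB tables.
    MYSQL_PWD="$pass" mysqldump --single-transaction -h "$host" -P "$port" \
        -u "$user" "$db" | gzip > "$dump"
    chmod 600 "$dump"
    echo "$dump"
}
```

Restoring is the reverse: extract the archive into the new document root, `gunzip < db-....sql.gz | mysql -u user -p dbname`, and fix the permissions as described earlier. Try that once on a throwaway copy before you need it for real.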
This post is by no means a comprehensive list of procedures for securing a WordPress site. If you have any questions or need help securing your WordPress based website, feel free to contact me.
Please note: this list is not intended to be fully comprehensive, and there are other security procedures that we implement as well; however, this is a great starting place and will make any WordPress installation more secure.