Maintaining websites in Wordpress is fast, responsive and fun. It’s like driving a race car. You come in first place, and then you look back and realize you've been dropping piles of Viagra leaflets and viruses all over the track.
Ok, silly analogy.
Lately there's been a lot in the news about Wordpress brute force attacks and denial of service attacks. Here are 10 things you can do to make your Wordpress website a little more secure (your mileage may vary).
1. Understand the Situation
Any elementary/forgotten/default Wordpress sites out there are just waiting to be hacked. You have to be proactive, and that's perhaps why you're reading this.
Even if you have been proactive, malicious attacks are bound to happen to you - don't take it personally. Attacks are constantly updated to take advantage of new weaknesses in your server, passwords, Wordpress core files, themes and plugins.
2. Permissions Check
Often Wordpress is running with incorrect file permissions. This can be from copying files or from an older version installation. As a general rule of thumb, all files should be set to 644 and all folders set to 755.
When in doubt, lock it down. If a theme or plugin complains, loosen up permissions a bit.
3. Limit Access
Typically, only known users should be logging in to Wordpress. Limit admin access with a /wp-admin/.htaccess file.
<Limit GET POST> order deny,allow # now whitelist your editor's ip's allow from XXX.XXX.XXX.XXX allow from XXX.XXX.XXX.XXX allow from XXX.XXX.XXX.XXX deny from all </LIMIT> <LimitExcept GET POST> Deny from all </LimitExcept>
4. Choose a Good Username and Password
Did you know many Wordpress attacks assume an "admin" account exists? Delete that user. Create a new user with admin access, login as that user, and then delete the original admin account.
The majority of passwords are either guessed or brute forced, and Wordpress has surprisingly little defense to password attacks. Make sure you have a solid password.
Now that you've done that, don't forget to ensure your FTP account is also secure.
5. Wordpress Doesn't Update Itself
Monthly checks and updates to your Wordpress website is a good idea. Run a backup, update Wordpress, themes, plugins, and check posts and logs for strange activity. Understand what updates contain. Often time comments on the Wordpress website can cue you in. When things are working well, there's never a better time to run a backup!
A scan from http://sitecheck.sucuri.net/scanner/ or http://aw-snap.info/file-viewer/ wouldn't hurt things either.
6. Don't Trust all Plugins and Themes
Limit your use of plugins. In the process of building a website, many people experiment with a variety of plugins and themes but then forget to remove them completely. If you're not using a theme or plugin, remove it. And maybe even consider rolling your own themes!
If a plugin wants 777 permissions and doesn't feel right, don't just disable it, uninstall it and delete its remnants completely.
7. Speaking of Plugins...
Three plugins worth exploring are OSE Firewall, Word Fence, and Login Lockdown. Each plugin has various features, benefits, and alert mechanisms. I would suggest locking everything down as tightly as you can work around.
8. Monitor your Website
Consider using a tool like Changedetection.com, Google Webmaster Tools, or Google Alerts to monitor your website. If you receive alerts and haven't updated anything, it's a pretty good indicator that something suspicious has occurred.
New users signing up? Lots of comments? If your Wordpress website doesn't have a blog and doesn't have any need for user registrations, turn that feature off.
9. Operate Through Obscurity
Each version of Wordpress comes with its own set of vulnerabilities. Several plugins or code modifications can hide the version of Wordpress you're using. Of course there's other ways to detect the version, but why make hacking easy?
Often overlooked is readme.html blatantly revealing the version of Wordpress you've installed. How annoying! You can easily block that with .htaccess along with some other files you don't want prying eyes to see:
Deny from all # now whitelist your ip allow from XXX.XXX.XXX.XXX </FilesMatch>
10. More Defaults to Default On
The Wordpress default database prefix begins with "wp_," and all the hackers know this. It's a good idea to choose a different prefix from the start. If you're working with an existing installation, you're in the market for a database tool to help you change your table names.
I hope this post was insightful, and you will consider some of the lock-down methods I've shared. Need help? Call an expert. We are here to help!
I'm Mark. Doer of things, fixer, creator.