WordPress website security
It is common to skip checking a WordPress installation, including its themes and plugins, for security updates. If you do not check for updates regularly you will eventually run into problems that compromise the integrity of your site and cannot easily be reversed.
When an attacker breaks into your website it costs you not only time but also reputation, which is hard to rebuild. Despite extensive research on web application security, WordPress developers and administrators continue to overlook core, theme and plugin updates and other security patches for their installations.
This article discusses how to keep your WordPress website out of attackers' hands.
Backup WordPress Installation
Regularly backing up website data is a crucial task. In college they tell you to press Ctrl+S (or ⌘+S on a Mac) frequently to save your documents, because computers fail, and if one crashes you lose your work.
Similarly, once a WordPress website has been taken over with malicious intent, the chance of restoring it to its original state without a backup is slim to none, or very expensive.
Benefits of Backup Plugins for WordPress
- Automated scheduled backups. Taking 5-10 minutes to install a plugin that backs up your site on a schedule is one of the smartest things you can do. Keep at least one copy off the web server (remote storage or a download), because an attacker who controls the server can delete or alter backups stored next to the site.
- Easily revert to a previous stable version. You do not need to be a WordPress developer to back up your site; plugins let an administrator do it in a few clicks.
- Backup of the entire installation: media files, themes, plugins, the database, and any custom CSS, JavaScript and styling. Check that the database is included, since posts, users and settings live there, not in the files.
- Plenty of online resources. Within a few minutes of searching you will usually find that someone has already asked your question. Good places to start are the WordPress Support Forum and WordPress StackExchange.
Take this time to secure your website by following these steps.
- Visit your WordPress admin dashboard, select Plugins -> Add New
- In the Keyword field type Backup, then select Install Now next to one of the many highly rated plugins
- After installing, select Activate and configure the plugin's settings (schedule, what to include, and where to store the backup)
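As an added example that is not part of the original article or of any plugin it mentions, here is a plain POSIX shell script that does the same job from the command line: it reads the database credentials out of wp-config.php, dumps the database with mysqldump, and archives the files. The paths (WP_ROOT, BACKUP_DIR) and the copy-to-remote step are assumptions you will need to adapt.

```sh
#!/bin/sh
# Added example, not from the original article: back up a WordPress install
# from the command line. Assumed: the site lives in $WP_ROOT, archives go to
# $BACKUP_DIR, and mysqldump is installed on the host that can reach the DB.

# Read a define('NAME', 'value') constant out of wp-config.php.
# Usage: wp_config_value /path/to/wp-config.php DB_NAME
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the whole tree (core, themes, plugins, uploads, wp-config.php).
# Prints the path of the archive it wrote.
backup_wp_files() {
    wp_root=$1
    backup_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$backup_dir/wp-files-$stamp.tar.gz"
    mkdir -p "$backup_dir"
    # Archive relative to the parent so the tarball restores as one directory.
    tar -czf "$archive" -C "$(dirname "$wp_root")" "$(basename "$wp_root")"
    chmod 600 "$archive"   # the archive contains wp-config.php, so lock it down
    echo "$archive"
}

# Dump the database named in wp-config.php. The password is passed through
# MYSQL_PWD rather than on the command line, where `ps` would show it.
# Prints the dump path, or returns 1 if the dump fails.
backup_wp_db() {
    config="$1/wp-config.php"
    backup_dir=$2
    db_name=$(wp_config_value "$config" DB_NAME)
    db_user=$(wp_config_value "$config" DB_USER)
    db_pass=$(wp_config_value "$config" DB_PASSWORD)
    db_host=$(wp_config_value "$config" DB_HOST)
    stamp=$(date +%Y%m%d-%H%M%S)
    dump="$backup_dir/wp-db-$stamp.sql.gz"
    mkdir -p "$backup_dir"
    if ! command -v mysqldump >/dev/null 2>&1; then
        echo "mysqldump not found; database not backed up" >&2
        return 1
    fi
    if MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$db_host" \
            -u "$db_user" "$db_name" > "$dump.tmp"; then
        gzip -c "$dump.tmp" > "$dump" && rm -f "$dump.tmp"
        chmod 600 "$dump"
        echo "$dump"
    else
        rm -f "$dump.tmp"
        return 1
    fi
}

# Run both steps when WP_ROOT and BACKUP_DIR are set, e.g.
#   WP_ROOT=/var/www/html BACKUP_DIR=/var/backups/wp sh wp-backup.sh
# Copy the resulting archives off the server afterwards (scp, rclone, ...).
if [ -n "${WP_ROOT:-}" ] && [ -n "${BACKUP_DIR:-}" ]; then
    backup_wp_files "$WP_ROOT" "$BACKUP_DIR"
    backup_wp_db "$WP_ROOT" "$BACKUP_DIR"
fi
```

Run it from cron so it happens without anyone remembering to, and test a restore at least once: a backup you have never restored is a hope, not a backup.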
Update My WordPress Installation
WordPress periodically releases core updates, and its security and maintenance releases are essential to your site's safety: attackers look for vulnerabilities in the current version, and WordPress fixes them in those releases, so install them promptly. A list of the latest WordPress releases is published on WordPress.org.
Some WordPress hosting providers offer management services including updates to ensure you are always running the current version of WordPress.
An alternative, if you cannot complete these maintenance tasks yourself, is hiring a professional WordPress consultant for security and maintenance.
Recall the benefits of backup plugins described above. Once you have run a backup of your website, you can update themes and plugins, and learn as you go, without the stress of ruining weeks, months or even years of work.
Managing Plugin Updates for WordPress
Every installed plugin is potential attack surface. Vulnerabilities, including backdoors, are found in plugins daily and can give an attacker administrator access to your site.
Keeping plugins up to date requires attention to detail. Check whether the plugin is actively maintained by its author and supported by a community of users; each plugin's listing shows its active installs, reported bugs per version, and the author.
Remove plugins that are no longer supported by the current core version or by their author; an abandoned plugin will not receive fixes for vulnerabilities found later.
Note: some plugins conflict with others that do similar work, and such conflicts can cause security problems of their own. Avoid installing two or more plugins that perform the same function.
Unofficial WordPress Themes & Plugins
Suppose we create our own WordPress theme called WP Silly WordPress Theme and charge the public $25 to download and use it under our terms of service.
John Smith likes our theme, so he buys it and embeds malware, phishing pages, executables or browser exploits in it.
Now you, the end user, do a Google search and find yourself on John Smith's website, offering our theme for free.
You get the picture: do not download pirated themes and plugins.
File Permissions for WordPress Hosting
Instances of WordPress can be misconfigured at install time. If you did not install it manually, contact your hosting provider for support.
Most guides on this subject recommend directories set to 755 (or 750), wp-config.php set to 600, and other files set to 644 (or 640). The stricter 750/640 variants only work when the web server runs as a user in the file owner's group, and whatever you choose, the directory that receives media uploads (wp-content/uploads) must stay writable by the PHP process or uploads will fail.
For more detail, see the file permissions section of the WordPress hardening documentation.
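As an added example that is not part of the original article, the following POSIX shell script applies those modes to an install and then checks the tree for anything that deviates. The install path and the DIR_MODE/FILE_MODE variables are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: apply the permissions the
# text recommends to a WordPress tree, then verify nothing was missed.
# Modes default to 755/644 (the portable choice); set DIR_MODE=750 and
# FILE_MODE=640 only if the web server runs as a user in the files' group.

DIR_MODE=${DIR_MODE:-755}
FILE_MODE=${FILE_MODE:-644}
CONFIG_MODE=600   # wp-config.php holds the database password

# Apply the modes to every directory and file under the install root.
# wp-content/uploads keeps the directory mode; if PHP runs as a different
# user than the file owner, chown that directory to the PHP user so uploads
# still work rather than loosening the mode.
set_wp_permissions() {
    wp_root=$1
    find "$wp_root" -type d -exec chmod "$DIR_MODE" {} +
    find "$wp_root" -type f -exec chmod "$FILE_MODE" {} +
    chmod "$CONFIG_MODE" "$wp_root/wp-config.php"
}

# List every path whose mode deviates from the policy. Prints the offenders
# and returns 1 if there are any, 0 if the tree is clean.
check_wp_permissions() {
    wp_root=$1
    bad=$(
        find "$wp_root" -type d ! -perm "$DIR_MODE"
        find "$wp_root" -type f ! -name wp-config.php ! -perm "$FILE_MODE"
        find "$wp_root" -type f -name wp-config.php ! -perm "$CONFIG_MODE"
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Usage: WP_ROOT=/var/www/html sh wp-perms.sh   (path is an assumption)
if [ -n "${WP_ROOT:-}" ] && [ -d "$WP_ROOT" ]; then
    set_wp_permissions "$WP_ROOT"
    check_wp_permissions "$WP_ROOT" && echo "permissions OK"
fi
```

The check function is the useful half: run it from cron and you will notice when a plugin installer or a careless FTP session has loosened something, which is how world-writable upload directories usually appear.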
Specialty Plugins for WordPress Security
Look through the many WordPress security plugins for the features you need, such as password strength enforcement, changing the default admin login URL, or two-factor authentication that sends a code to your phone.
You can never be too careful. Security plugins exist to protect you from a variety of intrusion methods, but each one is also code running on your site, so prefer a few well-maintained plugins over many overlapping ones.
Reliable WordPress Hosting
Cheap hosting has consequences; needless to say, investing in the best hosting you can afford is a must when considering WordPress security.
Many web hosts put many customers on a single shared server. If another site on your server is targeted or compromised, you may be at risk as well.
Individuals and businesses looking for WordPress solutions should consider a hosting provider that specializes in WordPress, offering a web application firewall, timely PHP and MySQL updates, malware scans, and dedicated WordPress servers.
Hide Confidential WordPress Usernames
In a fresh WordPress installation anyone can discover the primary administrator's username by appending ?author=1 to the site URL: WordPress redirects to the author archive at /author/<username>/. Some WordPress hosts disable this by default, but shared hosts that do not specialize in WordPress may not. This is not the only place usernames leak; the REST API endpoint /wp-json/wp/v2/users lists authors as well, and the login error messages distinguish a wrong username from a wrong password, so treat the username as public and rely on a strong password and two-factor authentication.
To hide the default username, add the following snippet to your theme's functions.php (or, better, to a small must-use plugin in wp-content/mu-plugins so it survives a theme change):
add_action( 'template_redirect', 'chrs_template_redirect', 1 );
function chrs_template_redirect() {
    // Priority 1 runs this before WordPress's own canonical redirect, which is
    // hooked on the same action at the default priority 10 and would otherwise
    // answer ?author=1 with a 301 to /author/<username>/, leaking the name.
    if ( is_author() ) {
        wp_safe_redirect( home_url(), 302 );
        exit;
    }
}
Use .HTACCESS to Secure WordPress
To restrict access to your admin panel to specific IP addresses, create a .htaccess file inside the wp-admin directory with the following contents (putting it in the site root would lock out every visitor). The addresses below are placeholders from the 203.0.113.0/24 documentation range; replace them with your own. Two caveats: wp-login.php lives in the site root, not in wp-admin, so it is not covered by this file; and wp-admin/admin-ajax.php is called by the front-end features of many plugins, so check that the site still works for ordinary visitors afterwards.
Individual IPs:
order deny,allow
allow from 203.0.113.2
deny from all
Multiple IPs:
order deny,allow
allow from 203.0.113.2
allow from 203.0.113.3
deny from all
With .htaccess you can password protect areas of your website, restrict IPs, and redirect users. Note that the order, allow and deny directives used throughout this article are the Apache 2.2 access-control syntax; on Apache 2.4 they only work if mod_access_compat is loaded, and the supported replacements are the Require directives (Require all denied, Require ip, Require not ip). Test every change on a staging copy first: a syntax error in .htaccess returns a 500 error for the whole site.
My Database Details for WordPress
You can find your database information inside of your wp-config.php file, but so can someone else unless you protect it!
Start by adding the following code to your .htaccess file:
<Files wp-config.php>
order deny,allow
deny from all
</Files>
Your complete .htaccess file might then look like this. WordPress rewrites everything between its # BEGIN WordPress and # END WordPress markers whenever permalinks are saved, so keep the <Files> block outside those markers:
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
<Files wp-config.php>
order deny,allow
deny from all
</Files>
Limiting Brute Force Login Attempts
Even if your host does not provide this protection by default, there are many plugins that limit login attempts: an IP that fails to log in within a set number of tries is blocked for a period, and the administrator is alerted to a possible intrusion.
Login LockDown and Login Security Solution are two that are highly recommended.
To permanently ban an IP from accessing your website, add the following block to your .htaccess file. Note that <Limit GET POST> applies the ban only to GET and POST requests; drop the <Limit> wrapper to block every method, including HEAD and OPTIONS.
<Limit GET POST>
order allow,deny
deny from 201.169.2.1
deny from 192.168.1.5
allow from all
</Limit>
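Before adding a permanent ban it helps to know which addresses are actually hammering the login form. As an added example (not from the article or from the plugins it names), the script below scans an Apache combined-format access log for repeated POSTs to wp-login.php that came back with HTTP 200 (WordPress re-renders the form on a failed login and redirects with 302 on success) and prints matching deny lines for the block above. The log lines it uses are constructed with documentation-range addresses, and the threshold and log path are parameters you choose.

```sh
#!/bin/sh
# Added example, not from the original article: pick login brute-forcers out
# of an Apache combined-format access log and emit .htaccess deny lines.
# Assumes the log is in the standard "combined" format with the client IP in
# the first field; behind a reverse proxy you would log X-Forwarded-For there.

# Print "count ip" for every client with at least $2 failed login POSTs in $1.
# A failed WordPress login answers 200 (form shown again); success answers 302.
wp_login_offenders() {
    awk -v threshold="$2" '
        # $1 client IP, $6 method with leading quote, $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] + 0 >= threshold + 0)
                    print fails[ip], ip
        }' "$1" | sort -rn
}

# Same list, formatted as the Apache 2.2-style lines used in the article.
# (On Apache 2.4 without mod_access_compat emit "Require not ip" instead.)
htaccess_deny_lines() {
    wp_login_offenders "$1" "$2" | awk '{ print "deny from " $2 }'
}

# Constructed sample log (RFC 5737 documentation addresses, not real traffic):
# 203.0.113.7 fails six times, 198.51.100.23 twice, 192.0.2.10 once then succeeds.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88.1"
198.51.100.23 - - [10/Oct/2023:14:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "curl/7.88.1"
192.0.2.10 - - [10/Oct/2023:15:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:15:20:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:15:20:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 61234 "-" "Mozilla/5.0"
EOF
}

# Usage: sh wp-bruteforce.sh /var/log/apache2/access.log 20   (path assumed)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    htaccess_deny_lines "$1" "${2:-20}"
fi
```

Pick the threshold from your own traffic rather than guessing: a legitimate user who mistypes a password three times should never end up in a permanent ban list, while a client with hundreds of 200 responses to POST /wp-login.php in an hour is not a user.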
Configure Important WordPress Folder Access
All of your images, theme files and plugins are located in the wp-content folder, which needs to be secured. Create a new .htaccess file inside wp-content with the following contents. It blocks direct requests to PHP files while still allowing visitors to load CSS, JavaScript, images and other assets. Extend the extension list with anything your theme serves directly (fonts such as woff and woff2, svg, ico, webp, pdf) and test the site afterwards, since a few plugins expect their own PHP files under wp-content to be requested directly.
order allow,deny
deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
allow from all
</Files>
Securing WordPress .HTACCESS File
We are almost finished deploying our .htaccess hardening. To prevent visitors from downloading files whose names contain .hta (for example .htaccess and .htpasswd), add the following to your .htaccess. Apache's stock configuration already denies names starting with .ht, but the rule is cheap insurance on hosts that have changed it.
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Before making any changes to your .htaccess. be sure to backup your WP installation.