UPDATE: JANUARY 2016
Although a great deal of this post is still applicable, WordPress changes constantly, so we recommend supplementing the information here with coverage of more recent WordPress developments. Give this post from Hosting Facts a read.
As of March 2012, 72.4 million web sites run WordPress, of which yours is one. It does not matter if your site is a small personal blog, viewed only by close family or friends, or a large international news site viewed by millions of people a day. You must ensure that your site is secure. You owe it to your visitors to ensure that their visit is a safe one, with no nastiness or danger involved.
As with any popular software, the more it is used, the more it will be targeted for malicious reasons. Think Microsoft Windows: it is easier to target something used on 90% of personal computers than on 10%. The return on investment is greater. The same rules that apply to your desktop or laptop computer apply to your web site. Apply updates and patches as they are released. They are released for a reason. What makes your site work is software, just like Word, Firefox or Photoshop, and you need to ensure that the software is updated with new versions and security patches.
What makes securing WordPress more complicated than a piece of desktop software is that it is not just WordPress that needs to be kept current, but also the plugins and theme that you use. Each comes with its own set of potential vulnerabilities and issues, and a plugin is just as much part of your site's attack surface as the core. The beauty of WordPress is that new versions are released on a regular basis, and your admin interface will inform you that there are updates that need to be applied.
When you sign into your admin interface you will be informed that there are updates that need to be applied. Click through and you will see exactly what needs to be updated, including plugins and themes, not just the WordPress core.
But there is a lot more you can and should do to secure your site.
Steps to securing your WordPress site.
Some of these will require some technical knowledge, so if you are not comfortable doing the required step, please find somebody who knows what they are doing to assist you. Our sister company, The Forge Web Creations, offers Service Level Agreements specifically for this, so please feel free to contact them for more information.
Stay updated – The most important step has already been covered above, but I’ll repeat it here for emphasis. Apply all security patches and upgrades as they are released.
Change your database prefix – Every installation of WordPress defaults to the prefix wp_ for its tables. Change it to something unique.
This is best done at installation, by editing the $table_prefix line in wp-config.php before you run the installer. Changing it afterwards means renaming every table and also updating the rows that carry the prefix in their names (the wp_user_roles option and the wp_capabilities and wp_user_level keys in the usermeta table), so be sure that you know what you are doing before attempting this: your site could become unstable or even go down if it is done incorrectly. Be realistic about what this buys you, too. A custom prefix only defeats automated scripts that hard-code wp_; an attacker who has found a SQL injection flaw can read the real table names from the database and is not slowed down at all.
Don’t use “admin” as your username – Once again, this is something that every WordPress installation used to default to, and it is known to attackers, so a brute-force tool only has to guess the password, not the account name.
Create a new user profile with admin rights and delete the default admin profile. As of version 3 of WordPress you can choose the administrator's username at installation, but this can also be done after the fact. Once you have created your new admin user, you must sign out as “admin” and sign back in as the new user before you will be able to delete the default “admin” account. During deletion you will be given the option to assign all posts and pages created by “admin” to another user; do this, or those posts disappear with the account. Bear in mind that WordPress does not hide usernames very well (author archive pages, for example, expose them), so treat this as removing an easy guess rather than as keeping your username secret; the strong password and login limits below are what actually stop the guessing.
Use a strong password – No matter how tempting it may be to use something that you can remember as your password, don’t do it. Brute-force and dictionary attacks will eventually prevail if you use your pet's name or your wife's maiden name as a password.
Make use of a service that generates strong passwords, such as Strong Password Generator or Secure Password Generator, or a password manager, and let it generate a long random password for you. A long random string is the only kind of password that a guessing attack cannot reach in a reasonable time.
WordPress will inform you whether the password you chose is Strong or Weak; treat anything below Strong as unacceptable for an administrator account.
Install WP Security Scan – Install the WP Security Scan plugin and run it every time you upgrade your site or install a new plugin. It provides you with a list of security weaknesses and suggests corrective actions, covering:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removing the WP Generator META tag from the core code
Some of the items that it scans for have already been covered here, but there is no harm in scanning for them again once you have addressed them; a scan is a cheap way to confirm that a change actually took effect.
Protect your main configuration file – All the main information for your blog or site, including the database username and password and the authentication salts, is kept in wp-config.php, and this file needs to be protected at all costs. Normally a direct request for it is executed as PHP and returns nothing, but if PHP handling is ever misconfigured the file would be served as plain text, and editor or backup copies (wp-config.php~, wp-config.php.bak) are served as plain text even today. One way of protecting the file is to deny web access to it through your .htaccess file. Place the following in your .htaccess file (the Files wrapper is essential: on its own, the deny rule would block access to your whole site):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
This is the Apache 2.2 syntax. On Apache 2.4 the two access lines are replaced by Require all denied, .htaccess files are only honoured if the server's AllowOverride setting permits it, and Nginx ignores .htaccess entirely, so check that the rule works by requesting the file in a browser and confirming you receive a 403.
Protect your .htaccess file – Now that you are using the .htaccess file to protect your wp-config.php file, it is also a good idea to protect the .htaccess file itself, so that an attacker cannot read your access rules. Use the following in your .htaccess file to protect it:
<Files .htaccess>
order allow,deny
deny from all
</Files>
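The two rules above, combined into one .htaccess fragment that works on both Apache 2.2 and 2.4 and also covers stray copies of the configuration file. This is an added example and not the code from the original post; the IfModule test for mod_authz_core is the standard way to pick the right syntax for the Apache version in use:

```apache
# Added example (not from the original post). Deny web access to wp-config.php and
# to any leftover copy of it (wp-config.php~, wp-config.php.bak, wp-config.php.orig),
# which no longer end in .php and would otherwise be served as plain text.
# The regex is deliberately not anchored at the end so that such copies match too;
# wp-config-sample.php does not match and is harmless anyway.
<FilesMatch "^wp-config\.php">
    # Apache 2.4: mod_authz_core provides Require
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: fall back to the Order/Deny syntax used in the post
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# .htaccess and .htpasswd. Apache's stock httpd.conf already carries this rule;
# repeating it here guards against a host that has removed it.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving the file, request /wp-config.php and /.htaccess on your site: both should return 403 Forbidden. If you get a blank page or the site breaks entirely, the .htaccess is either not being read (AllowOverride) or a rule is missing its FilesMatch wrapper.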
Limit the number of failed login attempts – This is useful if somebody is trying to guess your password by brute force: WordPress itself will happily accept an unlimited number of attempts against wp-login.php. You can use a plugin called Login LockDown to set a limit on the number of failed login attempts from one IP address within a time window, after which further attempts from that address are refused for a while, which turns an automated guessing attack into something that takes years rather than hours.
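To show what such a plugin actually does, here is a minimal lockout implemented with WordPress's own hooks. This is an added example, not the Login LockDown plugin's code; the thresholds (5 failures in 15 minutes, a one-hour lockout) and all the ex_lockout_* names are assumptions for illustration. Save it as wp-content/mu-plugins/ex-login-lockout.php and it loads automatically:

```php
<?php
/*
Plugin Name: Example login lockout
Description: Added example, not Login LockDown. Locks an IP address out of
             wp-login.php after repeated failed attempts.
*/

// Tunables: assumptions for this example, not values from the post.
define( 'EX_LOCKOUT_MAX_FAILURES', 5 );     // failures allowed before lockout
define( 'EX_LOCKOUT_WINDOW', 15 * 60 );     // seconds in which failures are counted
define( 'EX_LOCKOUT_DURATION', 60 * 60 );   // seconds the lockout lasts

// Counters are keyed on the client address. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy; only switch to X-Forwarded-For if the proxy is
// configured to overwrite that header, otherwise the attacker controls the key.
function ex_lockout_key( $suffix ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_lockout_' . $suffix . '_' . md5( $ip );
}

// Fires on every bad username or password.
function ex_lockout_record_failure( $username ) {
    if ( get_transient( ex_lockout_key( 'locked' ) ) ) {
        return; // already locked; the error we return below must not be counted again
    }
    $key   = ex_lockout_key( 'fails' );
    $fails = (int) get_transient( $key ) + 1;
    if ( $fails >= EX_LOCKOUT_MAX_FAILURES ) {
        // Start the lockout and reset the counter; transients expire on their own.
        set_transient( ex_lockout_key( 'locked' ), time(), EX_LOCKOUT_DURATION );
        delete_transient( $key );
        error_log( sprintf( 'login lockout for %s after %d failures (last username "%s")',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $fails, $username ) );
        return;
    }
    set_transient( $key, $fails, EX_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'ex_lockout_record_failure' );

// Refuse logins from a locked address. Priority 30 runs after WordPress's own
// username/password check (priority 20), so a correct password from a locked
// address is still turned into an error and the user is not signed in.
function ex_lockout_authenticate( $user, $username, $password ) {
    if ( get_transient( ex_lockout_key( 'locked' ) ) ) {
        return new WP_Error( 'ex_locked_out',
            'Too many failed login attempts from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ex_lockout_authenticate', 30, 3 );

// A successful login clears the failure counter for that address.
function ex_lockout_clear( $user_login, $user ) {
    delete_transient( ex_lockout_key( 'fails' ) );
}
add_action( 'wp_login', 'ex_lockout_clear', 10, 2 );
```

Two limitations worth knowing before relying on this kind of control: an address-based lockout can lock out everyone behind a shared NAT address, and a botnet that spreads its guesses across many addresses never trips a per-address counter, so a long random password remains the real defence and the limiter is there to keep the guessing from being free.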
We have just touched on a handful of steps that you can take to secure your WordPress web site. Remember, protect your web site like you would any other asset that you value. You wouldn’t leave your car keys in the ignition while you go shopping, would you? Taking a few preventative steps now will save you a lot of heartache and aggravation further down the line. The most important step you can take to securing your site is to keep it current with all updates and patches.
If you want more information on protecting your site, WordPress has provided a very comprehensive hardening guide in its Codex.