This is a guest contribution from John Philips.
10 Vital WordPress Security Tips
Security should be of paramount concern to any blogger or website owner. It may seem like a tedious task, but it could protect your website from becoming a hacker’s playground. If your site has a revenue stream, then some time invested into security could also protect your livelihood. This article overviews a few key security tips for WordPress blogs. There’s an ever growing collection of useful plugins, but it’s dangerous to think that there is a single solution to website security. It’s important to maintain an ongoing interest in security to provide a reliable defence against hackers.
1. Secure Hosting
If you unknowingly opt for a provider which is infamous for its hosting vulnerabilities, you’ll be cursing your decision at a later date. Research is the key, so allocate some time to find a reputable company with a strong security strategy. Price is likely to be the main comparison point between providers, but sometimes paying slightly more can prove to be a sensible long-term decision.
2. Work on a Secure Network with a Clean PC
One of the joys of web-based software is ease of access. It might be seriously tempting to amend a blog post when you’re enjoying a coffee in your local café, but accessing WordPress on an unsecure network could seriously compromise your security. At home, where you probably have a more robust network, you should also be sure that your machine is free of malware, spyware and viruses. A sneaky key logger could undo all of your other security measures.
3. Keep Updated
Ensure that your themes, plugins and WordPress itself are all updated regularly. There are developers out there working to protect your site, so don’t miss out on crucial updates that patch the latest security vulnerabilities.
4. Strong Passwords
Passwords consisting of mainly names and correctly spelt words are extremely susceptible to brute-force attacks. Use characters, randomly mix up your capitalisation and avoid names and words. If ‘petname1’ is memorable for you, why not use ‘P@naMe01!’ – it might seem silly, but having some kind of association in your mind will enable you to remember it. Alternatively there are software solutions that store and encrypt your passwords; Roboform and LastPass are both great options.
5. Enable Secure SSL Login Pages
Logging into WordPress through an encrypted channel will provide another layer of protection. Be sure to check with your hosting provider to see if you have an SSL certificate, or are utilising Shared SSL. Then add this line of code to your wp-config.php file:
define(’FORCE_SSL_ADMIN’, true);
If you want an easier option, then there is a plugin that allows SSL control of your site: WordPress HTTPS (SSL)
6. Don’t Use ‘Admin’ as a Username
From version 3.0 onwards you have been able to update your WordPress username, so you’re no longer limited to using the default of ‘admin’. There have been widespread attacks in the past, which have exploited the fact that millions of users still have ‘admin’ as their username. The easiest way to do this is to create a new user account in WordPress and give it admin access, you can then simply delete the old account.
7. Hide Your Login from the Author Archive
It’s possible to find out a WordPress user’s login, simply by viewing the author archive page’s permalink – i.e. http://www.example.com/author/username/
However, it’s fairly straightforward to remove this. The simple solution is to use the WP Author Slug plugin.
8. Limit Login Attempts
Limiting the number of login attempts from a single IP address can thwart some hackers, especially if your site has been targeted by a brute-force attack. Thankfully there’s a handy plugin – Limit Login Attempts.
9. Disable File Editing
It can be really useful to edit your theme’s files within the dashboard. However, once you’re happy that you no longer need to edit these files, then it’s sensible to remove this functionality. This will prevent hackers from changing these files. All you need to do is access your wp-config.php file and add the following line of code:
define( ‘DISALLOW_FILE_EDIT’, true );
10. Create Regular Backups
It’s a mundane task, and one that is often neglected. Backing up could potentially save your site from the website graveyard, it’s a vital step even if you’ve taken all the appropriate security measures. Thankfully, there’s a fantastic plugin that automates the task and removes the mundaneness – BackUpWordPress. It’s a very popular plugin that’s famed amongst the WordPress community for its simplicity and ease of use.
Summary & Other Security Plugins
No single plugin will completely protect your site, therefore the above steps shouldn’t be ignored. It’s also important not to have plugins installed that you don’t use. Feel free to try out some of the plugins below, but if you’re not using them it’s best to uninstall them. Some of the multi-purpose plugins are fantastic, but they might aim to correct certain things you may have already fixed, so assess their features to decide if it’s worth installing.
Login Lockdown – blocks IP addresses for a given time after repeated failed login attempts.
Lockdown WP Admin – hides WordPress Admin (/wp-admin/) when a user isn’t logged in.
Sucuri Security – checks your site for malware, spam, blacklisting and other security issues.
Acunetix WP Security – checks your WordPress website/blog for security vulnerabilities and suggests corrective actions.
iThemes Security – Formerly Better WP Security, this plugin offers over 30 ways to secure and protect your WordPress site.
Still want to know more about WordPress security? If so then check out: http://codex.wordpress.org/Hardening_WordPress
John Philips is from SSLs.com. SLLs.com resells SSL certificates from the likes of Comodo, GeoTrust, and VeriSign.
